More ZK bugs
veorq opened this issue · 5 comments
Great project, thank you!
I don't think these are listed (found while preparing my talks on ZKP security by asking friends and "doing my own research"):
Missing overflow check of a nullifier
a16z/zkdrops#2
Overflow again
ethereum-oasis-op/baseline#34
Field element inverse property not enforced
arkworks-rs/r1cs-std#70
Missing public input -> replay
https://starli.medium.com/filecoin-one-porep-vulnerability-found-by-trapdoor-tech-7fc7beb4557b
Timing attacks
https://eprint.iacr.org/2020/627.pdf
Missing (randomized) blinding to hide private inputs – not clear if really exploitable though
dusk-network/plonk#651
This one turned out to be non-exploitable (as clarified privately by the StarkWare team), but a similar behavior may be a problem in some cases
starkware-libs/cairo-lang#39
There are some other interesting ZK circuit bug types I've seen (concrete cases can't be disclosed yet):
- Failing to enforce that a given constant is effectively the said constant value.
- Failing to enforce constraints of correct padding in hash functions.
- Failing to enforce soundness of a tree's structure or size.
- Leakage on the witness from the proof's size.
Hope this helps, feel free to only include what you think is the most relevant/original.
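The "inverse property not enforced" item above (arkworks-rs/r1cs-std#70) as an added toy illustration, not code from this thread or from arkworks: a minimal R1CS checker in which a division gadget that trusts the prover-supplied inverse accepts a forged quotient, while adding the `b * inv_b == 1` constraint rejects it. The field modulus, witness layout and gadget shape are constructed assumptions.

```python
# Toy R1CS checker (constructed example). Each constraint is
# (A.w) * (B.w) == (C.w) over GF(P), with A, B, C sparse
# {witness_index: coefficient} maps and w the witness vector.
P = 2**61 - 1  # constructed modulus; a real circuit uses its curve's scalar field

def dot(vec, w):
    return sum(coef * w[i] for i, coef in vec.items()) % P

def check_r1cs(constraints, w):
    """True iff every constraint is satisfied by witness w."""
    return all((dot(a, w) * dot(b, w)) % P == dot(c, w) for a, b, c in constraints)

# Witness layout: w = [1, a, b, z, inv_b]; a, b, z public, inv_b prover-chosen.
ONE, A, B, Z, INV_B = range(5)

def division_circuit(enforce_inverse):
    """Constraints for z = a / b, computed as z = a * inv_b.
    Buggy gadget: only a * inv_b == z, so inv_b is whatever the prover says.
    Fixed gadget: also b * inv_b == 1, which pins inv_b to b^-1 and, as a
    side effect, rejects b == 0 (0 * inv_b can never equal 1)."""
    constraints = [({A: 1}, {INV_B: 1}, {Z: 1})]
    if enforce_inverse:
        constraints.append(({B: 1}, {INV_B: 1}, {ONE: 1}))
    return constraints

def honest_witness(a, b):
    inv_b = pow(b, -1, P)  # raises ValueError for b == 0 mod P
    return [1, a % P, b % P, a * inv_b % P, inv_b]

def forged_witness(a, b, z_claim):
    """Dishonest prover: choose inv_b so that a * inv_b == z_claim, ignoring b."""
    inv_b = z_claim * pow(a, -1, P) % P
    return [1, a % P, b % P, z_claim % P, inv_b]

def demo():
    a, b = 10, 4
    honest = honest_witness(a, b)
    forged = forged_witness(a, b, z_claim=999)  # claims 10 / 4 == 999
    return {
        "honest_buggy": check_r1cs(division_circuit(False), honest),
        "honest_fixed": check_r1cs(division_circuit(True), honest),
        "forged_buggy": check_r1cs(division_circuit(False), forged),  # accepted
        "forged_fixed": check_r1cs(division_circuit(True), forged),   # rejected
    }

if __name__ == "__main__":
    print(demo())
```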
This is great, thank you!! Will go through and add them once I get a chance.
Took a dive into the Timing attacks paper, but after some research it looks like they may not be that serious?
https://forum.zcashcommunity.com/t/churning-zcash-for-maximum-anonymity-and-privacy/40705/2
Likely going to add the EEA-OASIS and Arkworks bugs. Still need to take a look into the remaining 3.
Please also add Tornado Cash which was a classical missing constraint but the problem is https://crypto.stackexchange.com/q/103262
Below are a few that I found. Don't know if they qualify for this project because they are bugs in the EC libraries rather than in circuits.
- blst: Modular inverse incorrect result
- blst: Inverse modulo hangs on i386 if input is 0 or multiple of modulo
- blst: Using non-standard 'dst' parameter branches on uninitialized memory
- blst: NULL pointer dereference if msg is empty and aug is non-empty
- blst: NULL pointer dereference if point multiplier is zero-stripped
- blst: Branching on uninitialized memory
- blst: blst_fr_eucl_inverse incorrect result
- blst: blst_fp_is_square incorrect result on ARM
- Herumi mcl: Incorrect results with dst larger than 255 bytes
- Herumi mcl: map-to-curve incorrect result if both inputs are equivalent
- Herumi mcl: Incorrect result for G1 multiplication by Fp
- kilic-bls12-381: Fr FromBytes does not reduce value if value is modulus
- arkworks-algebra: multi_scalar_mul incorrect result if scalar exceeds curve order
- Constantine: Incorrect reduction of BigInt
- Constantine: BLS12-381 HashToCurve G1 incorrect result
Here are other ZK bugs that other security researchers found; I want to list them here, please merge them if you think they are awesome:
- zksync zkevm: https://medium.com/chainlight/uncovering-a-zk-evm-soundness-bug-in-zksync-era-f3bc1b2a66d8 (Underconstrained)
- aztec connector: https://hackmd.io/@aztec-network/claim-proof-bug & https://medium.com/immunefi/aztec-multiple-spend-error-bugfix-review-20074581d224 (underconstrained)