Veridise Report: Zero-Knowledge Project Audits Reveal Higher Rates of Critical Issues
Veridise, a blockchain security firm, has reported that audits of zero-knowledge (ZK) projects are twice as likely to uncover critical issues compared to other types of audits.
Audit Analysis and Findings
In its last 100 audits, Veridise analyzed 1,605 vulnerability findings, an average of 16 issues per audit. Zero-knowledge audits had a slightly higher average of 18 issues per audit, according to a report shared with The Block.
Critical Vulnerabilities in Zero-Knowledge Audits
Focusing on critical vulnerabilities, Veridise found that 55% of zero-knowledge audits (11 out of 20) contained a critical issue. In contrast, only 27.5% of other audits (22 out of 80), including those of smart contracts, wallet integrations, blockchain implementations, and relayers, had critical vulnerabilities.
Zero-Knowledge Protocols in the Crypto Space
Zero-knowledge protocols are gaining traction in the crypto space due to their potential to enhance privacy and scalability in blockchain transactions. These protocols enable one party to prove the truth of a statement to another without revealing any additional information.
However, securing zero-knowledge protocols is more challenging. Veridise’s audits often uncover more critical vulnerabilities in them because of their complex cryptographic constructs and their innovative nature, which pushes the boundaries of existing cryptographic techniques.
Complexities in Developing Zero-Knowledge Circuits
According to Jon Stephens, Veridise’s CEO and co-founder, developing a zero-knowledge circuit requires precise reasoning about the semantics of the operations in the witness generator. Bugs arise when these semantics are not correctly encoded into constraints. This complexity explains the higher frequency of bugs in zero-knowledge circuits compared to typical programming paradigms.
Common DeFi Vulnerabilities
Veridise’s audits commonly discover vulnerabilities such as logic errors (385), maintainability issues (355), and data validation errors (304), making up 65% of all issues found. These issues are also prevalent among the 360 zero-knowledge audit-specific vulnerabilities.
Maintainability issues, while not strictly security vulnerabilities, can lead to critical bugs due to poor coding practices. Among the 223 severe issues discovered, logic errors (91) and data validation issues (35) were most common, followed by “underconstrained circuits” (19), Denial of Service (16), and access control vulnerabilities (13). These five types account for 78% of high-severity issues, totaling 174 vulnerabilities.
Specific Vulnerabilities in Zero-Knowledge Audits
While severe issues typically represent 10% to 30% of most vulnerability types, “underconstrained circuits” have a 90% likelihood of being critical or high-severity issues. These issues occur when the constraints of an arithmetic circuit do not sufficiently enforce all necessary conditions for correct computation, a class of bug that does not arise in traditional smart contracts.
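An added illustration of an underconstrained circuit, not taken from the Veridise report or any audited project: a toy "is zero" gadget modelled in Python over a small prime field, where the weak constraint set accepts a witness the honest witness generator would never produce, and enumerating witnesses exposes the gap. The field size, function names and choice of gadget are assumptions made for this example.

```python
# Toy model of an arithmetic circuit: IsZero(x) -> out, with private witness inv.
P = 31  # small prime field (constructed for the demo) so all witnesses can be enumerated

def witness_generator(x):
    """Honest prover's computation: out = 1 if x == 0 else 0."""
    inv = pow(x, -1, P) if x % P else 0
    out = (1 - x * inv) % P
    return inv, out

def constraints_weak(x, inv, out):
    """Underconstrained: encodes only out = 1 - x*inv, not how inv must be chosen."""
    return out == (1 - x * inv) % P

def constraints_sound(x, inv, out):
    """Adds x*out = 0, which forces out = 0 whenever x != 0."""
    return out == (1 - x * inv) % P and (x * out) % P == 0

def accepted_outputs(constraints, x):
    """Every output for which SOME witness inv satisfies the constraints."""
    return {out for inv in range(P) for out in range(P) if constraints(x, inv, out)}

def is_underconstrained(constraints):
    """A deterministic gadget must admit exactly one output per input."""
    return any(len(accepted_outputs(constraints, x)) > 1 for x in range(P))

if __name__ == "__main__":
    x = 5
    print("honest witness for x=5:", witness_generator(x))
    # inv = 0 is never produced by the witness generator, yet the weak
    # constraints accept it together with out = 1 ("5 is zero").
    print("weak accepts (inv=0, out=1):", constraints_weak(x, 0, 1))
    print("sound accepts (inv=0, out=1):", constraints_sound(x, 0, 1))
    print("weak underconstrained:", is_underconstrained(constraints_weak))
    print("sound underconstrained:", is_underconstrained(constraints_sound))
```

Exhaustive enumeration only works on a toy field; on production-size fields the same uniqueness question is answered with constraint solvers or dedicated circuit analysis tools.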
Impact of Vulnerabilities on Protocol Integrity
Such vulnerabilities can allow a malicious party to create a proof that tricks the verifier into accepting a false statement as true, seriously undermining protocol integrity. Zero-knowledge technology is often used in critical infrastructure protocols like L2 ZK-rollups, ZK-VMs, and circom libraries, where Veridise previously identified a significant ZK bug. The security of these protocols is crucial as it impacts all decentralized applications built on them.
Detailed Breakdown of Issue Types
- Logic Errors: Occur when the code does not perform its intended functionality due to a logical flow mistake. An example is a smart contract allowing users to withdraw funds exceeding their balance.
- Data Validation Issues: Relate to the failure to verify the correctness, integrity, and authenticity of data before processing.
- Denial of Service: Involves attacks that disrupt normal protocol functioning, such as consuming all available gas in a smart contract.
- Access Control Issues: Allow unauthorized users to gain access to restricted areas or functions.
Financial Impact of Vulnerabilities
Veridise claims that over $10 billion has been stolen in hacks of various blockchain and DeFi platforms since 2018. Greater visibility into vulnerability types is needed to help web3 projects focus on the most severe bugs and proactively prevent them.