0xparc / zk-bug-tracker Goto Github PK

facebook/winterfell#160

Great project, thank you!

I dont think these are listed (found while preparing my talks on ZKP security by asking friends and "doing my own research"):

Missing overflow check of a nullifier
a16z/zkdrops#2

Overflow again
ethereum-oasis-op/baseline#34

Field element inverse property not enforced
arkworks-rs/r1cs-std#70

Missing public input -> replay
https://starli.medium.com/filecoin-one-porep-vulnerability-found-by-trapdoor-tech-7fc7beb4557b

Timing attacks
https://eprint.iacr.org/2020/627.pdf

Missing (randomized) blinding to hide private inputs – not clear if really exploitable though
dusk-network/plonk#651

This one turned out to be non-exploitable (as clarified privately by the StarkWare team), but a similar behavior may be a problem in some cases
starkware-libs/cairo-lang#39

There are some other interesting ZK circuit bug types I've seen (concrete cases cant be disclosed yet):

• Failing to enforce that a given constant is effectively the said constant value.

• Failing to enforce constraints of correct padding in hash functions.

• Failing to enforce soundness of a tree's structure or size.

• Leakage on the witness from the proof's size.

Hope this helps, feel free to only include what you think is the most relevant/original.

Hi, thanks for making this resource!

I noticed one of the explanations ends in the middle of the sentence at the word 'prevent'

https://medium.com/veridise/circom-pairing-a-million-dollar-zk-bug-caught-early-c5624b278f25

should be in the category of under-constrained circuits

Just came across this bug tracker, very cool :)

I found a bug in the Polygon zkEVM which allows a malicious prover to return "0" when reading any storage slot (and possibly also exploit other CRUD operations). Sounds like it fits in well here! All the details are in the blog post.

https://github.com/cryptosubtlety/00/blob/main/00.pdf

The original Plonk paper's implementation section was missing randomization for some of the polynomials.

The detailed description of the bug can be found here - https://twitter.com/rel_Aztec/status/1542474186664210432