Critical Issues in Zero-Knowledge Audits: A Deeper Look

In the evolving world of blockchain technology, ensuring the security of protocols is paramount. Veridise, a blockchain security firm, has highlighted this through its recent findings on zero-knowledge (ZK) project audits. These audits, important for projects that prioritize privacy and scalability, are revealing critical vulnerabilities at an alarmingly high rate.

Veridise conducted 100 audits, uncovering an average of 16 issues per audit, with ZK audits slightly higher at 18 issues. However, the startling revelation is that 55% of ZK audits contained critical issues, compared to 27.5% for other types of decentralized finance (DeFi) audits. This indicates that ZK projects, while promising, are also more susceptible to serious security flaws.

ZK protocols, which allow one party to prove to another that a statement is true without revealing any other information, are complex and often push the boundaries of current cryptographic techniques. Veridise CEO Jon Stephens explained that developing a ZK circuit requires precise reasoning about the operations involved. When these operations are not correctly encoded, the result is bugs and vulnerabilities.

The most common issues found across all audits include logic errors, maintainability problems, and data validation issues. Specifically, in ZK audits, the “underconstrained circuit” vulnerability stood out, having a 90% likelihood of being critical. This particular issue means that the constraints of an arithmetic circuit do not enforce all necessary conditions, allowing a malicious party to deceive the system.
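To make the "underconstrained circuit" idea concrete, the following added example (not from Veridise or the original article) runs the kind of determinism check an auditor applies to a toy "is zero" gadget: it enumerates every witness over a small field and reports inputs for which the constraints accept more than one output. The gadget, the field size `P`, and all function names are assumptions chosen for illustration.

```python
from itertools import product

P = 31  # small prime field so every witness can be enumerated (constructed toy parameter)

def weak_is_zero(x, inv, out):
    # Single constraint: out = 1 - x*inv.
    # Nothing ties `out` to whether x is really zero, so the prover picks `inv` freely.
    return (out - (1 - x * inv)) % P == 0

def sound_is_zero(x, inv, out):
    # Same constraint plus x*out = 0, which forces out = 0 whenever x != 0.
    return weak_is_zero(x, inv, out) and (x * out) % P == 0

def accepted_outputs(circuit, x):
    """All values of `out` for which some witness value `inv` satisfies the constraints."""
    return {out for inv, out in product(range(P), repeat=2) if circuit(x, inv, out)}

def underconstrained_inputs(circuit):
    """Inputs whose output is not uniquely determined by the constraints."""
    return [x for x in range(P) if len(accepted_outputs(circuit, x)) > 1]

if __name__ == "__main__":
    for name, circuit in (("weak", weak_is_zero), ("sound", sound_is_zero)):
        bad = underconstrained_inputs(circuit)
        print(f"{name}: {len(bad)} of {P} inputs admit more than one output")
        print(f"  outputs accepted for x=5: {sorted(accepted_outputs(circuit, 5))}")
```

Exhaustive enumeration only works at toy scale; for production field sizes the same uniqueness property has to be established by proof or with a constraint solver.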

Veridise’s audits highlight that over $10 billion has been hacked from various blockchain and DeFi platforms since 2018. Understanding the nature and frequency of these vulnerabilities is essential for improving the security of these technologies. As more projects adopt ZK protocols, the importance of thorough and meticulous security audits becomes ever more critical to safeguard the integrity of the decentralized ecosystem.