zk-bug-tracker More ZK bugs

Great project, thank you!

I dont think these are listed (found while preparing my talks on ZKP security by asking friends and "doing my own research"):

Missing overflow check of a nullifier https://github.com/a16z/zkp-merkle-airdrop-contracts/pull/2

Overflow again https://github.com/eea-oasis/baseline/issues/34

Field element inverse property not enforced https://github.com/arkworks-rs/r1cs-std/pull/70

Missing public input -> replay https://starli.medium.com/filecoin-one-porep-vulnerability-found-by-trapdoor-tech-7fc7beb4557b

Timing attacks https://eprint.iacr.org/2020/627.pdf

Missing (randomized) blinding to hide private inputs – not clear if really exploitable though https://github.com/dusk-network/plonk/pull/651

This one turned out to be non-exploitable (as clarified privately by the StarkWare team), but a similar behavior may be a problem in some cases https://github.com/starkware-libs/cairo-lang/issues/39

There are some other interesting ZK circuit bug types I've seen (concrete cases cant be disclosed yet):

Failing to enforce that a given constant is effectively the said constant value.
Failing to enforce constraints of correct padding in hash functions.
Failing to enforce soundness of a tree's structure or size.
Leakage on the witness from the proof's size.

Hope this helps, feel free to only include what you think is the most relevant/original.

Mar 22 '23 07:03 veorq

This is great, thank you!! Will go through and add them once I get a chance.

Mar 22 '23 19:03 kcharbo3

Took a dive into the Timing attacks paper, but after some research it looks like they may not be that serious? https://forum.zcashcommunity.com/t/churning-zcash-for-maximum-anonymity-and-privacy/40705/2

Likely going to add the EEA-OASIS and Arkworks bugs. Still need to take a look into the remaining 3.

Apr 10 '23 20:04 kcharbo3

Please also add Tornado Cash which was a classical missing constraint but the problem is https://crypto.stackexchange.com/q/103262

Jun 27 '23 12:06 ytrezq

Below are a few that I found. Don't know if they qualify for this project because they are bugs in the EC libraries rather than in circuits.

blst: Modular inverse incorrect result
blst: Inverse modulo hangs on i386 if input is 0 or multiple of modulo
blst Using non-standard 'dst' parameter branches on uninitialized memory
blst: NULL pointer dereference if msg is empty and aug is non-empty
blst: NULL pointer dereference if point multiplier is zero-stripped
blst: Branching on uninitialize memory
blst: blst_fr_eucl_inverse incorrect result
blst: blst_fp_is_square incorrect result on ARM
Herumi mcl: Incorrect results with dst larger than 255 bytes
Herumi mcl: map-to-curve incorrect result if both inputs are equivalent
Herumi mcl: Incorrect result for G1 multiplication by Fp
kilic-bls12-381: Fr FromBytes does not reduce value if value is modulus
arkworks-algebra: multi_scalar_mul incorrect result if scalar exceeds curve order
Constantine: Incorrect reduction of BigInt
Constantine: BLS12-381 HashToCurve G1 incorrect result

Sep 27 '23 21:09 guidovranken

Here are other zk bugs other security researchers found, I want to list here, please merge it if you think they are awesome:

zksync zkevm: https://medium.com/chainlight/uncovering-a-zk-evm-soundness-bug-in-zksync-era-f3bc1b2a66d8 (Underconstrained)
aztec connector: https://hackmd.io/@aztec-network/claim-proof-bug & https://medium.com/immunefi/aztec-multiple-spend-error-bugfix-review-20074581d224 (underconstrained)

Jan 11 '24 03:01 yuliyu123