Blockchain security firm Veridise finds ZK audits are twice as likely to uncover critical issues

Blockchain security firm Veridise reported that audits of zero-knowledge projects are twice as likely to uncover critical issues as other audit types.

Analyzing 1,605 vulnerability findings from its last 100 audits, Veridise found around 16 issues, on average, per audit, with ZK audit averages slightly higher at 18 issues discovered, according to a report shared with The Block.

However, when focusing on critical vulnerabilities, Veridise found that 55% (11 out of 20) ZK audits contained a critical issue compared to 27.5% (22 out of 80) of its other audits, including smart contracts, wallet integrations, blockchain implementations and relayers.

ZK protocols have been gaining traction in the crypto space due to their potential to enhance privacy and scalability in blockchain transactions. They enable one party to prove to another that a statement is true without revealing any information beyond the validity of the statement itself.

However, ZK security is “simply more challenging,” according to Veridise, with audits uncovering more critical vulnerabilities due to the complex cryptographic constructs and the innovative nature of ZK protocols, which often push the boundaries of existing cryptographic techniques.

“Developing a ZK circuit requires precise reasoning about the semantics of the operations in the witness generator,” Veridise CEO and co-founder Jon Stephens told The Block. “When those semantics are not correctly encoded into constraints, you get bugs. It makes sense that there are more bugs in circuits since this is very different from the typical programming paradigm.”

Most common DeFi vulnerabilities

Overall, the most common vulnerabilities discovered by Veridise audits are logic errors (385), maintainability (355) and data validation (304), the firm said, comprising 65% of all issues found in its audits. These three issues also dominated among the 360 ZK audit-specific vulnerabilities discovered.

While maintainability issues are not strictly security vulnerabilities, including, for example, poor coding practices, they are sometimes “one epsilon away from turning into critical bugs,” the team said.

Of the 223 severe (critical or high level) issue types discovered, logic errors (91) and data validation (35) issues dominated, followed by “underconstrained circuit” (19), Denial of Service (16) and access control (13) vulnerabilities, among others. Some 78% of high-severity issues across all audits trace to just these five types, accounting for 174 vulnerabilities discovered.

ZK audit-specific vulnerabilities

While severe issues represent around 10% to 30% of most vulnerability types, “underconstrained circuits” had a 90% likelihood of containing critical or high-level issues, according to Veridise.

“Underconstrained circuits are typical issues specifically in zero-knowledge related audits … when the constraints of an arithmetic circuit do not sufficiently enforce all necessary conditions to check that some computation was performed correctly,” the firm explained. “They do not occur in traditional smart contracts.”

This means that a malicious party could create a proof that tricks the verifier into accepting a false statement as true, seriously undermining the integrity of the protocol.

In Veridise's audits, zero-knowledge technology is frequently utilized in crucial infrastructure protocols like L2 ZK-rollups, ZK-VMs and circom libraries — where Veridise identified a “million-dollar” ZK bug for Succinct Labs in January. The security of these protocols is critical because it impacts all decentralized applications built on them.

Breaking down the other issue types, logic errors occur when the code does not perform its intended functionality due to a mistake in the logical flow, Veradise explained, with a typical example being a smart contract that mistakenly allows users to withdraw funds exceeding their balance.

Data validation issues relate to the failure to properly verify the correctness, integrity and authenticity of data before it is processed.

Denial of Service issues involve attacks that aim to disrupt the normal functioning of a protocol. For example, smart contracts could be mistakenly designed to allow an attacker to consume all available gas, the firm said.

Finally, access control issues are problems where unauthorized users can gain access to restricted areas or functions.

Veridise claims that more than $10 billion has been hacked from various blockchain and DeFi platforms since 2018, with greater visibility into the types of vulnerabilities needed to help direct the attention of web3 projects toward the most severe bugs and proactively prevent them.

Manta Network, Scroll and Ankr are among the firms’ audit clients, according to its website.