Researchers identify key circuit layer vulnerabilities in SNARK systems

According to researchers at Imperial College London, vulnerabilities at the circuit layer pose the most significant threat to systems based on Succinct Non-Interactive Arguments of Knowledge, or SNARKs. 

The investigation examined 141 vulnerabilities from 107 audit reports, 16 vulnerability disclosures, and various bug trackers associated with popular SNARK projects. The findings were presented on Aug. 7 at the Science of Blockchain Conference held at Columbia University.

SNARKs are a type of zero-knowledge (ZK) proof that allows one to demonstrate that a statement is true without revealing any information about the statement.

According to Stefanos Chaliasos, a PhD candidate at Imperial College London, the research team identified three main types of vulnerabilities in circuit layers — under-constrained, over-constrained and computational/hints error:

“The majority of vulnerabilities are in the circuit layer, and the majority is also soundness response, which is the worst part that can happen when you use Zkps because basically, in the context of a ZK-rollup, if there is such a bug and someone wants to exploit it, then all the funds could be drained from the circuit layer.”

The most frequent vulnerability found on zero knowledge circuits arises from insufficient constraints, which cause a verifier to accept invalid proofs, compromising a system’s soundness or completeness. Per the research, 95 of the identified issues on SNARK-based systems affected soundness and four affected completeness.

“The primary challenge for developers lies in adapting to a different level of abstraction and optimizing circuits for efficiency, which directly impacts the cost of using SNARKs,” notes the paper.

Root causes for vulnerabilities on ZK circuits include distinguishing between assignments and constraints, missing input constraints, and unsafe reuse of circuits, among others.

Weighted VRFs

The first day of the conference also featured the Aptos team presenting their recently implemented weighted verifiable random functions, or weighted VRFs — a mechanism designed to enhance the randomness in the consensus process.

The approach extends the concept of VRFs by incorporating weights into the random selection process of verifying inputs and outputs onchain. With weights, participants in the consensus mechanism have different probabilities of being chosen based on their stake (weights).

Aptos deployed the mechanism on its mainnet in June. “As far as you can tell, this is the first time you see a previously granular script that is unbiaseable, unpredictable, and operates as fast as the network,” noted Alin Tomescu, head of cryptography at Aptos.

According to Tomescu, Aptos has processed half a million calls through the new randomness API, with the distributed key generation (DKG) lasting about 20 seconds.

“Our randomness latency, which is the latency measured from the time a block is committed to the time the randomness for that block is available, was initially 160 milliseconds. But we were able to bring this down to 25 milliseconds using some optimizations.”