コインチェーン

Cryptocurrency and Web3 news, investment, and educational information

Blockchain Security Firm Veridise Finds ZK Audits Are Twice as Likely to Uncover Critical Issues

Jul 24, 2024 #Cryptocurrency

Veridise, a blockchain security firm, reports that zero-knowledge (ZK) audits are twice as likely to uncover critical issues compared to other audit types. This article explores the findings and implications for blockchain security.

Points

  • Veridise reports higher critical issue rates in ZK audits compared to other audits.
  • ZK audits averaged 18 issues per audit, with a higher likelihood of severe vulnerabilities.
  • Common vulnerabilities include logic errors, maintainability, and data validation issues.
  • The complexity of ZK protocols poses unique security challenges.

Higher Critical Issue Rates in ZK Audits

Blockchain security firm Veridise analyzed 1,605 vulnerability findings from its last 100 audits and discovered that zero-knowledge (ZK) audits are twice as likely to uncover critical issues compared to other audit types. ZK audits averaged 18 issues per audit, slightly higher than the average of 16 issues in other audits.

Common Vulnerabilities in ZK Audits

Veridise found that 55% of ZK audits contained a critical issue, compared to 27.5% of other audits. The most common vulnerabilities discovered were logic errors, maintainability issues, and data validation problems, which comprised 65% of all issues found. Logic errors were the most prevalent, followed by maintainability and data validation issues.

While maintainability issues are not strictly security vulnerabilities, poor coding practices can lead to critical bugs. In ZK audits, “underconstrained circuits” were a significant concern, with a 90% likelihood of containing critical or high-level issues. These occur when the constraints of an arithmetic circuit do not sufficiently enforce necessary conditions, allowing malicious parties to create proofs that trick the verifier.

Implications for Blockchain Security

The complexity of ZK protocols makes their security challenging. Developing a ZK circuit requires precise reasoning about the operations in the witness generator. When these semantics are not correctly encoded, bugs can arise, posing significant risks to the integrity of the protocol.
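
The gap between a witness generator and its constraints can be shown on a toy circuit. The following is an added example, not code from Veridise or from the original article. It assumes a constructed IsZero circuit over a prime field of size 13 (all function names are hypothetical) and enumerates every witness to find inputs for which the constraints accept more than one output.

```python
# Added illustration: the field size, the circuit and all names are assumptions.
from itertools import product

P = 13  # tiny prime field so the whole witness space can be enumerated


def witness_gen(x):
    """Honest witness generator for IsZero: out is 1 exactly when x == 0."""
    inv = pow(x, P - 2, P) if x else 0  # field inverse (Fermat), 0 when x == 0
    out = (1 - x * inv) % P
    return inv, out


def weak_constraints(x, inv, out):
    # Encodes only the assignment out = 1 - x*inv.
    # Nothing forces inv to be the real inverse of x.
    return (x * inv + out - 1) % P == 0


def sound_constraints(x, inv, out):
    # The extra product constraint forces out == 0 whenever x != 0.
    return weak_constraints(x, inv, out) and (x * out) % P == 0


def accepted_outputs(constraints, x):
    """Outputs for which some auxiliary value inv satisfies the constraints."""
    return {out for inv, out in product(range(P), repeat=2)
            if constraints(x, inv, out)}


def underconstrained_inputs(constraints):
    """Inputs for which the constraints admit more than one output."""
    return [x for x in range(P) if len(accepted_outputs(constraints, x)) > 1]


def honest_witness_accepted(constraints):
    """Completeness check: every honest witness satisfies the constraints."""
    return all(constraints(x, *witness_gen(x)) for x in range(P))


if __name__ == "__main__":
    for name, c in (("weak", weak_constraints), ("sound", sound_constraints)):
        print(name, "honest ok:", honest_witness_accepted(c),
              "ambiguous inputs:", underconstrained_inputs(c))
```

Both constraint sets accept every honest witness, so functional testing alone does not distinguish them; only the uniqueness check exposes the weak one.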

Conclusion

Veridise’s findings highlight the critical importance of thorough ZK audits to uncover severe vulnerabilities. The unique challenges posed by ZK protocols require meticulous security measures to ensure the integrity and safety of blockchain systems. As the adoption of ZK technology grows, so does the need for robust security practices.