Zero-knowledge proofs (ZK-proofs) are an emerging success story for cryptography and blockchain with multiple use cases, including improved transaction privacy and scalability. ZK technology allows one party (the prover) to convince another (the verifier) that a claim is true without revealing anything beyond the fact that it is true, hence the term “zero knowledge.”
There are potential drawbacks to ZK-proofs, however. In November 2023, cybersecurity firm ChainLight publicized the discovery of a soundness bug in the implementation of zkSync Era mainnet. Exploiting that bug could have resulted in the loss of $1.9 billion in funds.
Cointelegraph spoke with ChainLight researcher Tim Becker to better understand the security risks of implementing ZK-proofs.
Becker said that a major part of the trouble with ZK technology is simply how new it is.
“I think everyone knows that ZK technology is relatively new, but not many understand exactly how new it is,” said Becker. “I would say even just a few years ago, most people thought that something like a ZK EVM [Ethereum Virtual Machine] was at least a decade away. But we ended up getting it within just two or three years.”
The rapid advances in ZK-proof technology are a large part of what makes it risky. As Becker explained, the development of ZK-proofs was highly decentralized, which sped up the process considerably but also created additional complications the industry is now grappling with.
“So, it’s very new, and the developer tools are still in their infancy, and all of the projects have their own tech stacks that they’re each building on independently. There’s a lack of communitywide developer-friendly tools for ZK, and that increases the likelihood of vulnerabilities being introduced.”
How to fix a problem like ZK-proofs
While issues with ZK-proofs have been discovered in the past and continue to be identified by the projects themselves or by security firms such as ChainLight, the number of actual exploits remains very low.
For this reason, the potential for complacency is real. Becker understands this tendency all too well.
“Some people will challenge the idea that ZK is especially risky. They’ll point to the fact that no major ZK protocols have been exploited yet. But I think that this fundamentally misunderstands the reason for that,” he said.
“I would say that the primary reason that’s the case is because all of these ZK-rollups have so-called training wheels, which basically are additional security layers beyond the ZK-proof system that make exploiting the protocol impractical for an attacker and instead incentivize attackers to report.”
Becker said that these training wheels are not something that can be relied upon in perpetuity because they compromise a protocol and its ambitions in other ways.
“These security layers are necessarily short-term temporary solutions while the technology is being secured and derisked. That’s because they fundamentally sacrifice some very important properties that these networks want to have in the long run, such as decentralization and other technological capabilities,” he said.
One friction point Becker pointed to is the execution delay built into ZK-rollup transactions. The delay holds transactions for a period before the network finalizes them, giving operators time to spot and stop erroneous ones. Of course, this undercuts some of the speed and scalability benefits that ZK-proofs are meant to provide.
Eventually, the limitations imposed by training wheels will mean that they are cast aside. The trick will be in removing them only once ZK-proofs have matured enough that the protocols themselves are not exposed.
Looking to the future
One of the biggest tasks of examining blockchain technology is predicting where the industry will move next. But whatever follows, Becker sees a bright future for ZK technology once the wrinkles are ironed out.
“It’s just going to be a matter of time before the technology matures and the security around it is a little more stable,” Becker said.
As for a timetable, Becker said that’s difficult to predict, because the rapid development of ZK-proofs has outpaced expectations in the past.
“It’s hard to say because the technology is still evolving. Although we have ZK-rollups and EVMs today, the underlying proof systems are still changing and being iterated on and improving. The networks are being upgraded as a result. It’s hard to say exactly when everything is going to stabilize and allow all of these tools to mature,” he stated.
Ultimately, it may be the better part of a decade before the technology can be considered mature. This will mean security experts and developers alike will need to remain on increased alert for some time to come.
The view from the development side
Aleph Zero, a layer-1 solution for decentralized apps, incorporates ZK-proof technology in its tech stack. As such, the company is aware of the challenges that ZK-proofs introduce.
Matthew Niemerg, co-founder and president of Aleph Zero, told Cointelegraph: “Zero-knowledge proofs show immense promise, but the technology remains in its early stages. Like with any new innovation, challenges exist around identifying vulnerabilities in areas like circuit design, random number generation and cryptographic implementations.”
The co-founder added that even the most minor errors often lead to significant difficulties.
“Even small oversights can compromise key properties around completeness, soundness and privacy. Real-world examples have shown flaws enabling token counterfeiting, smart contract attacks and broken anonymity,” added Niemerg. “The fact is, code is written by humans, who are fallible, even if the theoretical underpinnings of the mathematics are provably correct. Particularly in an open-source paradigm, your problem can quickly become everyone’s problem.”
Niemerg noted that one of the earliest notable cases of ZK-proof vulnerability came from the well-known privacy coin Zcash (ZEC). In March 2018, Zcash discovered an issue with its code that would allow a hacker to counterfeit its native token.
In October 2018, Zcash patched the vulnerability with its Sapling network upgrade. In total, the counterfeiting vulnerability was present in the Zcash network for two full years. It was never exploited.
“We believe that no one else was aware of the vulnerability and that no counterfeiting occurred,” Zcash said in a statement in February 2019. “Discovery of the vulnerability would have required a high level of technical and cryptographic sophistication that very few people possess.”
The fear factor for the blockchain industry lies in what other vulnerabilities are out there, still undiscovered. At some point, as knowledge and understanding of ZK-proof technology improves, more of these issues will be discovered.
The question is, who will discover them first — the developers themselves or the hackers?