Carding Forum
Professional
- Messages
- 2,788
- Reaction score
- 1,334
- Points
- 113
Audits of DeFi projects based on zero-knowledge proof (ZK) technology were twice as likely to detect critical errors than in general cases. This is reported by The Block with reference to the Veridise report.
The company's specialists analyzed 1,605 vulnerabilities identified during 100 checks. They found an average of 16 problems per audit, while the ZK-project indicator was slightly higher and amounted to 18 errors.
However, in terms of critical vulnerabilities, 55% (11 out of 20) of the latter had similar problems, compared to 27.5% (22 out of 80) of the remaining checks.
According to experts, the security of ZK solutions is "simply more complex" due to the complex cryptographic designs and innovative nature of the protocols.
"The development of the ZK schema requires a precise justification of the semantics of operations in the witness generator. When these constructs are incorrectly coded due to constraints, you get errors. It is logical that there are more of them in [these] schemes, since they are very different from the typical programming paradigm," explained Veridise co-founder and CEO John Stevens.
Overall, the most common vulnerabilities found during audits were logical errors (385), ease of maintenance (355), and data validation (304). These categories accounted for 65% of all identified problems.
Veridise noted that insufficient usability, strictly speaking, does not apply to security vulnerabilities. But bad code-writing practices "are one step away from creating critical vulnerabilities," the team emphasized.
For ZK protocols, "insufficiently restricted contours" became a specific problem, which with a 90% probability led to a serious error.
"[ ... ] when the constraints of an arithmetic scheme do not sufficiently provide all the necessary conditions to verify that some calculations were performed correctly. They are not found in traditional smart contracts," the firm noted.
This means that an attacker can create a proof that tricks the verifier into accepting a false statement as true, which seriously undermines the integrity of the protocol.
The company's specialists analyzed 1,605 vulnerabilities identified during 100 checks. They found an average of 16 problems per audit, while the ZK-project indicator was slightly higher and amounted to 18 errors.
However, in terms of critical vulnerabilities, 55% (11 out of 20) of the latter had similar problems, compared to 27.5% (22 out of 80) of the remaining checks.
According to experts, the security of ZK solutions is "simply more complex" due to the complex cryptographic designs and innovative nature of the protocols.
"The development of the ZK schema requires a precise justification of the semantics of operations in the witness generator. When these constructs are incorrectly coded due to constraints, you get errors. It is logical that there are more of them in [these] schemes, since they are very different from the typical programming paradigm," explained Veridise co-founder and CEO John Stevens.
Overall, the most common vulnerabilities found during audits were logical errors (385), ease of maintenance (355), and data validation (304). These categories accounted for 65% of all identified problems.
Veridise noted that insufficient usability, strictly speaking, does not apply to security vulnerabilities. But bad code-writing practices "are one step away from creating critical vulnerabilities," the team emphasized.
For ZK protocols, "insufficiently restricted contours" became a specific problem, which with a 90% probability led to a serious error.
"[ ... ] when the constraints of an arithmetic scheme do not sufficiently provide all the necessary conditions to verify that some calculations were performed correctly. They are not found in traditional smart contracts," the firm noted.
This means that an attacker can create a proof that tricks the verifier into accepting a false statement as true, which seriously undermines the integrity of the protocol.
