More ZK bugs

[veorq]

Great project, thank you!

I dont think these are listed (found while preparing my talks on ZKP security by asking friends and "doing my own research"):

Missing overflow check of a nullifier https://github.com/a16z/zkp-merkle-airdrop-contracts/pull/2

Overflow again https://github.com/eea-oasis/baseline/issues/34

Field element inverse property not enforced https://github.com/arkworks-rs/r1cs-std/pull/70

Missing public input -> replay https://starli.medium.com/filecoin-one-porep-vulnerability-found-by-trapdoor-tech-7fc7beb4557b

Timing attacks https://eprint.iacr.org/2020/627.pdf

Missing (randomized) blinding to hide private inputs – not clear if really exploitable though https://github.com/dusk-network/plonk/pull/651

This one turned out to be non-exploitable (as clarified privately by the StarkWare team), but a similar behavior may be a problem in some cases https://github.com/starkware-libs/cairo-lang/issues/39

There are some other interesting ZK circuit bug types I've seen (concrete cases cant be disclosed yet):

• Failing to enforce that a given constant is effectively the said constant value.

• Failing to enforce constraints of correct padding in hash functions.

• Failing to enforce soundness of a tree's structure or size.

• Leakage on the witness from the proof's size.

Hope this helps, feel free to only include what you think is the most relevant/original.

[kcharbo3]

This is great, thank you!! Will go through and add them once I get a chance.

[kcharbo3]

Took a dive into the Timing attacks paper, but after some research it looks like they may not be that serious? https://forum.zcashcommunity.com/t/churning-zcash-for-maximum-anonymity-and-privacy/40705/2

Likely going to add the EEA-OASIS and Arkworks bugs. Still need to take a look into the remaining 3.

[ytrezq]

Please also add Tornado Cash which was a classical missing constraint but the problem is https://crypto.stackexchange.com/q/103262

[guidovranken]

Below are a few that I found. Don't know if they qualify for this project because they are bugs in the EC libraries rather than in circuits.

• blst: Modular inverse incorrect result
• blst: Inverse modulo hangs on i386 if input is 0 or multiple of modulo
• blst Using non-standard 'dst' parameter branches on uninitialized memory
• blst: NULL pointer dereference if msg is empty and aug is non-empty
• blst: NULL pointer dereference if point multiplier is zero-stripped
• blst: Branching on uninitialize memory
• blst: blst_fr_eucl_inverse incorrect result
• blst: blst_fp_is_square incorrect result on ARM
• Herumi mcl: Incorrect results with dst larger than 255 bytes
  • Herumi mcl: map-to-curve incorrect result if both inputs are equivalent
• Herumi mcl: Incorrect result for G1 multiplication by Fp
• kilic-bls12-381: Fr FromBytes does not reduce value if value is modulus
• arkworks-algebra: multi_scalar_mul incorrect result if scalar exceeds curve order
• Constantine: Incorrect reduction of BigInt
• Constantine: BLS12-381 HashToCurve G1 incorrect result

[yuliyu123]

Here are other zk bugs other security researchers found, I want to list here, please merge it if you think they are awesome:

• zksync zkevm: https://medium.com/chainlight/uncovering-a-zk-evm-soundness-bug-in-zksync-era-f3bc1b2a66d8 (Underconstrained)
• aztec connector: https://hackmd.io/@aztec-network/claim-proof-bug & https://medium.com/immunefi/aztec-multiple-spend-error-bugfix-review-20074581d224 (underconstrained)