Audits of DeFi projects using zero-knowledge proof (ZK) technology are twice as likely to uncover critical errors compared to other projects, reports The Block, citing a Veridise report.
Veridise specialists analyzed 1605 vulnerabilities discovered in 100 audits. On average, there were 16 issues per audit, but for ZK projects, this figure was higher at 18 errors.
In the analysis of critical vulnerabilities, it was found that 55% (11 out of 20) of the audited ZK projects had such issues, whereas, for other projects, this figure was 27.5% (22 out of 80).
According to experts, the security of ZK solutions is more complex due to intricate cryptographic constructions and the innovative nature of the protocols.
“Developing a ZK scheme requires a precise understanding of the semantics of operations in the witness generator. When these constructions are incorrectly coded due to limitations, errors arise. This is logical since these schemes are significantly different from the typical programming paradigm,” explained Veridise co-founder and CEO John Stevens.
The most common vulnerabilities identified during the audits were logical errors (385), maintainability issues (355), and data verification errors (304). These categories accounted for 65% of all identified problems.
Veridise noted that maintainability issues are not strictly related to security vulnerabilities. However, poor coding practices “are one step away from creating critical vulnerabilities,” the team emphasized.
A specific problem for ZK protocols was “insufficiently constrained circuits,” which led to serious errors in 90% of cases.
“When the constraints of the arithmetic circuit do not adequately ensure all necessary conditions for verifying that some computations were performed correctly, attackers can create a proof that deceives the verifier into accepting a false statement as true, seriously undermining the integrity of the protocol,” the firm explained.
