Developers don’t know enough about zero-knowledge security – and it’s a ticking time bomb – DL News

Brian Pak is CEO and co-founder of ChainLight, a blockchain security company specializing in smart contract audits and on-chain monitoring.

Zero-knowledge terminology, once confined to academic papers and crypto forums, has become commonplace.

ZK technology allows one party, such as a blockchain protocol, to prove to another party that a statement is true, for example that a person is over a certain age, without revealing the underlying information.

ZK cryptography is also being used to scale Ethereum's smart contract network. More than a dozen ZK-based networks, commonly known as ZK rollups, run on Ethereum, holding about $4 billion in deposits.

But despite all the hype, there’s one big problem. Lack of knowledge about ZK is a ticking time bomb.

Most crypto developers still know very little about this complex topic.

And as more developers begin experimenting with ZK technology, that knowledge gap creates major security risks and even keeps the technology from reaching its true potential.

At the same time, ZK technology promises to revolutionize the crypto industry, so getting developers and the broader user community up to speed is imperative.

ZK developers are out of their depth

In 2022, Ethereum co-founder Vitalik Buterin pointed out security risks in ZK stacks, such as bugs in a circuit's constraint code.

Constraint code is essential in ZK rollups: it defines and enforces the rules that a proof must satisfy, and those rules are what guarantee that the proven transactions are valid.

Bugs in constraint code can lead to serious security vulnerabilities. If a relation is computed while generating the witness but never constrained, a malicious prover can produce a proof that the verifier accepts for an invalid state transition, which in a rollup can mean unauthorized access to funds.
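To make the constraint-code failure mode concrete, here is an added example that is not code from the article, ChainLight or any rollup: a toy R1CS checker in Python around an IsZero gadget wired like circomlib's template. The field prime, the signal names and the search range are assumptions chosen for illustration. The point it demonstrates is the split between witness generation (which merely computes values) and constraints (which are all the proof enforces): drop one constraint line and a prover can claim a nonzero input is zero.

```python
# Added example: a toy R1CS model of an under-constrained ZK circuit.
# It is not code from the article, ChainLight or any rollup; the field
# prime, the gadget wiring and the search ranges are assumptions chosen
# for illustration.

P = 2**61 - 1  # toy prime field (assumption); real circuits use e.g. the BN254 scalar field


def lc_eval(lc, w):
    """Evaluate a linear combination {signal: coefficient} against witness w.
    The constant signal is named 'one' and must carry the value 1."""
    return sum(coef * w[sig] for sig, coef in lc.items()) % P


def check(constraints, w):
    """A proof system only enforces the constraints. Return True iff every
    R1CS constraint (a . w) * (b . w) == (c . w) holds for witness w."""
    return all(lc_eval(a, w) * lc_eval(b, w) % P == lc_eval(c, w)
               for a, b, c in constraints)


# IsZero gadget, wired like circomlib's template: out == 1 iff in == 0.
# Signals: in (input), inv (helper), out (output).

def is_zero_witness(x):
    """Honest witness generation. This is the '<--' side in Circom: it computes
    values but proves nothing, so a dishonest prover is free to replace them."""
    x %= P
    inv = pow(x, -1, P) if x else 0
    out = (1 - x * inv) % P
    return {"one": 1, "in": x, "inv": inv, "out": out}


# Constraint 1:  in * inv == 1 - out        (Circom: out <== -in*inv + 1)
C1 = ({"in": 1}, {"inv": 1}, {"one": 1, "out": P - 1})
# Constraint 2:  in * out == 0              (Circom: in*out === 0)
C2 = ({"in": 1}, {"out": 1}, {})

FULL = [C1, C2]            # correct gadget
UNDERCONSTRAINED = [C1]    # the developer forgot the second line


def forge_is_zero(x):
    """Malicious prover: claim a nonzero x is zero. With inv = 0, C1 reads
    0 == 1 - out, so out = 1 satisfies it; only C2 (in * out == 0) catches this."""
    return {"one": 1, "in": x % P, "inv": 0, "out": 1}


def find_forgery(constraints, x, search=range(8)):
    """Brute-force soundness probe an auditor can run on a small gadget: look for
    a satisfying witness whose output differs from the honest one for the same
    input. Any hit proves the circuit is under-constrained."""
    honest = is_zero_witness(x)
    for inv in search:
        for out in (0, 1):
            w = {"one": 1, "in": x % P, "inv": inv, "out": out}
            if out != honest["out"] and check(constraints, w):
                return w
    return None


if __name__ == "__main__":
    print("honest witness accepted by full circuit:", check(FULL, is_zero_witness(5)))
    print("forged witness rejected by full circuit:", not check(FULL, forge_is_zero(5)))
    print("forged witness accepted when C2 is missing:", check(UNDERCONSTRAINED, forge_is_zero(5)))
    print("forgery found by probe:", find_forgery(UNDERCONSTRAINED, 5))
```

The brute-force probe only works for gadgets with a handful of signals; on a real circuit the same question ("is there a second satisfying witness for the same public inputs?") is what formal under-constraint checkers and careful manual review of every `<--` assignment are trying to answer.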

Since Buterin’s warning, developers have identified several other vulnerabilities in projects using ZK technology.

In November, ChainLight discovered a bug in zkSync Era's ZK circuits that could have allowed an attacker to steal $1.9 billion.

Earlier, in 2018, a Zcash cryptographer discovered a vulnerability in the zero-knowledge proof system underlying the protocol. Had it not been fixed, the bug could have allowed an attacker to create counterfeit Zcash tokens without being detected.

Such vulnerabilities are a sad indictment of a new form of technology that is clearly not understood by enough people.

Many of the developers who write the code, and the security professionals who must sign off on it, are simply overwhelmed.

That is no surprise: anyone in the field will tell you that a PhD-level grounding in mathematics is needed to understand the security aspects of ZK technology.

This means that the number of people qualified to audit ZK code is limited, as are the resources needed to train them.

And the lack of experts to properly audit ZK code is not the only problem.

ZK rollups such as zkSync Era and StarkNet are developed in-house, so their peer review is not as thorough as the standard seen in academia.

I will remain skeptical of the security of ZK technology until the peer review process is more standardized.

ZK is not reaching its potential

Lack of understanding of ZK technology also prevents it from realizing its full potential.

This is down to a lack of trust in the technology, which leads builders to choose more familiar frameworks.

For example, one of the main touted benefits of ZK stacks is instant finality.

This means that as soon as a block's validity proof is verified on the Ethereum mainnet, its results are final. That allows near-instant asset withdrawals and also improves security.

Optimistic rollups, the main rival to ZK rollups, require a seven-day waiting period to withdraw assets.

There is a growing consensus that ZK rollups are the best solution for scaling Ethereum beyond optimistic rollups.

Some go so far as to describe them as the “Holy Grail” of scaling solutions.

Co-founder of Immutable Robbie Ferguson described ZK rollups as “by far the easiest way to scale high-throughput transactions.”

But, in reality, most developers are still not using the technology to its true potential because they are simply not comfortable with using some of its unique features due to its complexity.

For example, none of the existing ZK rollups actually deliver the instant finality they advertise.

The coding is so technical that developers are afraid of making a mistake, which leads them to choose not to implement instant finality.

Instead, protocols add a delay before proven state takes effect: a window of about a day in which an exploit can be detected and the changes rolled back before they are finalized.

With this, the security of ZK rollups comes at a major cost: giving up one of their most important advantages.

Only a better understanding of ZK technology will allow builders to maximize its potential without compromising security.

Security by design

Across Web3 – not just the ZK sphere – projects aren’t taking audits seriously enough.

Many projects view audits simply as stamps of approval to give themselves a reputable appearance, rather than the rigorous security exercises they should be.

There are several cases where known bugs have crept into new DeFi protocols, costing investors millions.

For example, several protocols that derived their code from the Compound v2 lending protocol, such as Hundred Finance and Onyx Protocol, did so blindly and did not account for attack vectors that were already known in that code.

Instead, developers should strive to create protocols that are secure by design, meaning they are built from the start to resist attacks.

Building secure by design starts with staying abreast of threats to the ecosystem.
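The article names Hundred Finance and Onyx Protocol but not the vector. What follows is an added, simplified model, not code from the article, from Compound or from either of those forks, of the publicly documented vector both were hit with: inflating the exchange rate of an empty cToken market by sending underlying straight to the contract, then exploiting floor rounding in `redeemUnderlying`. The 1:1 initial exchange rate, the 75% collateral factor, a single price unit for every asset and the absence of interest and reserves are assumptions; the `round_up` flag is one mitigation shown beside the vulnerable behaviour.

```python
# Added example: an integer model of the Compound v2 cToken exchange rate,
# showing the empty-market donation/rounding vector that several forks were hit by.
# This is not Compound's, Hundred Finance's or Onyx's code. Assumptions: one price
# unit for every asset, a 75% collateral factor, a 1:1 initial exchange rate and no
# interest or reserves.

ONE = 10**18   # Compound's exchange rate is a mantissa scaled by 1e18
CF = 75        # collateral factor in percent (assumption)


class Market:
    """One cToken market plus a bare-bones liquidity check for borrows against it."""

    def __init__(self, initial_rate=ONE, round_up=False):
        self.cash = 0             # underlying held by the contract
        self.supply = 0           # total cTokens
        self.initial_rate = initial_rate
        self.round_up = round_up  # hardened variant: round burned cTokens up
        self.balances = {}
        self.borrows = {}

    def rate(self):
        # exchangeRate = (cash + borrows - reserves) * 1e18 / totalSupply
        return self.initial_rate if self.supply == 0 else self.cash * ONE // self.supply

    def mint(self, who, amount):
        tokens = amount * ONE // self.rate()          # floor, as in Compound
        self.cash += amount
        self.supply += tokens
        self.balances[who] = self.balances.get(who, 0) + tokens
        return tokens

    def donate(self, amount):
        """A plain ERC20 transfer into the contract: cash rises, no cTokens are minted,
        so the exchange rate jumps for whoever already holds cTokens."""
        self.cash += amount

    def collateral_value(self, who, tokens_to_burn=0):
        remaining = self.balances.get(who, 0) - tokens_to_burn
        return remaining * self.rate() // ONE * CF // 100

    def borrow(self, who, value):
        if self.borrows.get(who, 0) + value > self.collateral_value(who):
            raise ValueError("insufficient collateral")
        self.borrows[who] = self.borrows.get(who, 0) + value

    def redeem_underlying(self, who, amount):
        r = self.rate()
        tokens = amount * ONE // r                    # Compound v2 rounds DOWN here
        if self.round_up and tokens * r < amount * ONE:
            tokens += 1                               # mitigation: round against the redeemer
        # Hypothetical liquidity check, as in the Comptroller's redeemAllowed: it values
        # the burned cTokens at the exchange rate, not at the amount actually paid out.
        if self.borrows.get(who, 0) > self.collateral_value(who, tokens):
            raise ValueError("redeem would leave the account undercollateralised")
        self.balances[who] -= tokens
        self.supply -= tokens
        self.cash -= amount
        return tokens


def empty_market_attack(round_up=False, donation=500 * ONE):
    """Replay the vector against a fresh market. Returns the attacker's profit in
    underlying units, or None if the protocol rejected a step."""
    m = Market(round_up=round_up)
    att = "attacker"
    try:
        m.mint(att, 2)            # hold just 2 wei of cTokens in an otherwise empty market
        m.donate(donation)        # those 2 cTokens now back ~500 units: rate inflated ~250e18x
        # Borrow the most that still passes the later check after burning 1 cToken
        loan = m.collateral_value(att, tokens_to_burn=1)
        m.borrow(att, loan)
        # Ask for one wei less than the value of both cTokens; floor division burns only 1
        redeemed = 2 * (m.rate() // ONE) - 1
        m.redeem_underlying(att, redeemed)
    except ValueError:
        return None
    # The loan is never repaid: the 1 remaining cToken is now worth 1 wei of underlying.
    return redeemed + loan - (2 + donation)


if __name__ == "__main__":
    print("profit with Compound v2 rounding:", empty_market_attack())
    print("profit with round-up mitigation:", empty_market_attack(round_up=True))
```

With the original floor rounding the attacker walks away with roughly the whole loan (187.5 units here) for the price of 1 wei of underlying; with the burned-token count rounded up, the hypothetical liquidity check sees both cTokens leaving and rejects the redeem. The other standard mitigation, which this model leaves out, is never letting a market be empty: seed it with cTokens that are never redeemed, so a donation cannot move the exchange rate by orders of magnitude.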

If a project does not have the resources to perform a thorough audit, it should still track hacks that occur on other projects so that they are not victims themselves.

While failing to create secure protocols by design would be a problem for any project, it is particularly detrimental in the case of ZK technology.

For example, consider the existing ZKEVMs, ZK rollups that aim to replicate the Ethereum Virtual Machine.

Many ZKEVMs rely on hand-written circuits, which require human involvement at every step, and they build on young, untested libraries.

The likelihood of developers making errors in this environment is high, making ZK rollups more vulnerable to the risk of attacks.

As investors pile into ZK rollups, incentivized by possible token airdrops, they become lucrative targets for the next major crypto heist.

Solutions

Implementing security early in the development cycle and on an ongoing basis, for example through bug bounties, can help solve this problem.

There is no doubt that ZK technology is a game changer for Ethereum, and constant development is fundamental to scaling the blockchain.

However, the solutions that ZK rollups offer carry real potential for security issues of their own.

Startups must first be honest about whether they are using ZK technology because it is necessary or because they are jumping on the bandwagon.

If they are certain it is the former, then they need to be aware of the risks, and building with security by design is absolutely fundamental.
