Zero-knowledge proofs (ZK-proofs) have gained significant traction in the fields of cryptography and blockchain due to their potential for improved transaction privacy and scalability. ZK technology lets one party prove to another that a claim is true without revealing any details about it, hence the term “zero knowledge.”
However, there are drawbacks to ZK-proofs. In November 2023, cybersecurity firm ChainLight uncovered a soundness bug in the implementation of zkSync Era mainnet, which could have resulted in a loss of $1.9 billion. To gain a deeper understanding of the security risks associated with ZK-proofs, Cointelegraph interviewed ChainLight researcher Tim Becker.
Becker highlighted that one of the main challenges with ZK technology is its relative novelty. While many people acknowledge its newness, few truly grasp just how new it is. Becker explained, “Even just a few years ago, most people believed that something like a ZK EVM [Ethereum Virtual Machine] was at least a decade away. But we ended up having it within just two or three years.”
The rapid advancement of ZK-proof technology has contributed to its risks. The decentralized development of ZK-proofs has accelerated the process but also introduced additional complexities that the industry is currently grappling with. Becker stated, “The developer tools are still in their infancy, and all projects are building their own tech stacks independently. This lack of communitywide developer-friendly tools increases the likelihood of introducing vulnerabilities.”
While previous issues with ZK-proofs have been identified by projects themselves or security firms like ChainLight, actual instances of exploits remain rare. This has led to a potential sense of complacency. However, Becker cautioned against disregarding the risks, explaining that relying on temporary security layers compromises the long-term objectives of decentralization and other technological capabilities.
One of the friction points highlighted by Becker is the execution delay imposed on ZK-proof transactions, which gives networks time to detect erroneous transactions. However, these delays negate the potential speed and scalability benefits of using ZK-proofs.
Despite the challenges, Becker sees a bright future for ZK technology once the necessary improvements are made. However, predicting a specific timeline is difficult due to the ongoing evolution of the technology. Becker believes it may take up to a decade for the technology to mature fully. Therefore, security experts and developers must remain vigilant for the foreseeable future.
Aleph Zero, a layer-1 solution for decentralized apps, incorporates ZK-proof technology in its tech stack. Co-founder Matthew Niemerg acknowledges the challenges associated with ZK-proofs, such as identifying vulnerabilities in circuit design, random number generation, and cryptographic implementations. Niemerg emphasizes that even minor errors can compromise key properties and cites previous cases of vulnerabilities in ZK-proof technology, like the counterfeiting vulnerability in Zcash.
The fear within the blockchain industry lies in the unknown vulnerabilities that are yet to be discovered. As understanding of ZK-proof technology improves, more issues are likely to surface. The question remains whether developers or hackers will be the first to uncover them.