ZK bug/vulnerability database for apps using zero-knowledge crypto
This repository serves as a community-driven catalog of bugs, vulnerabilities, and exploits found in zero-knowledge (ZK) cryptography applications. It aims to provide a valuable reference for developers, auditors, and security tool creators by detailing common ZK vulnerability patterns and specific instances found in real-world projects.
How It Works
The tracker categorizes vulnerabilities into two main sections: "Bugs in the Wild" and "Common Vulnerabilities." The former lists concrete examples of security flaws discovered in ZK codebases, while the latter outlines recurring categories of ZK-related bugs, such as under-constrained circuits, arithmetic overflows, and mismatching bit lengths. Each entry in "Bugs in the Wild" provides a summary, related vulnerability types, the identifier, background context, the vulnerability's technical details, and the fix implemented.
Quick Start & Requirements
This is a curated list of security findings and does not require installation or execution. The content is presented in Markdown format within the repository.
Maintenance & Community
The repository is community-maintained, encouraging contributions via Pull Requests or Issues. It is associated with 0xPARC.
Licensing & Compatibility
The repository is licensed under the MIT License, allowing for broad use and modification.
Limitations & Caveats
The repository is a static collection of past vulnerabilities and does not offer active security scanning or real-time analysis of ZK circuits. Its effectiveness relies on community contributions to stay updated with emerging threats.