According to The Block: Veridise reports that security audits of ZK projects are twice as likely to find critical issues as other audit types.

55% of the company’s ZK audits found critical issues, while only 27.5% of other DeFi audits found critical issues.

Blockchain security firm Veridise reports that audits of zero-knowledge projects are twice as likely to uncover critical issues as other audit types.

Veridise analyzed 1,605 vulnerability findings from its most recent 100 audits, averaging about 16 findings per audit, with the ZK audit average being slightly higher at 18 findings.

However, when focusing on critical vulnerabilities, Veridise found that 55% (11 out of 20) of ZK audits contained critical issues, while only 27.5% (22 out of 80) of other audits (including smart contracts, wallet integrations, blockchain implementations, and relayers) contained critical issues.

ZK protocols are becoming increasingly popular in the cryptocurrency space for their potential to enhance privacy and scalability in blockchain transactions. They enable one party to prove to another that a statement is true without revealing any information other than the validity of that statement.

However, Veridise said ZK security is “more challenging” and that its audits found more critical vulnerabilities because of the complex cryptographic constructions involved and the innovative nature of ZK protocols, which often push the boundaries of existing cryptographic techniques.

Jon Stephens, CEO and co-founder of Veridise, told The Block, “Developing ZK circuits requires reasoning precisely about the semantics of the operations in the witness generator. If those semantics are not correctly encoded as constraints, bugs will appear. You will literally have more bugs in the circuits because this is so different from the typical programming paradigm.”

Overall, the most common vulnerabilities found by Veridise audits were logic errors (385), maintainability (355), and data validation (304), accounting for 65% of all issues found. These three categories also dominated the 360 vulnerabilities found in ZK audits.

Maintainability issues, such as poor coding practices, are not strictly security vulnerabilities, but they are sometimes just one step away from becoming critical bugs.

Of the 223 severe (critical or high-level) issues found, logic errors (91) and data validation (35) issues dominated, followed by "unconstrained circuits" (19), denial of service (16), and access control (13) vulnerabilities. Together these five types accounted for 174 vulnerabilities, or 78% of all high-severity issues in the audits.

Among the vulnerabilities found in ZK audits, severe issues accounted for 10% to 30% of most vulnerability types, but findings in the "unconstrained circuits" category had a 90% chance of being critical or high-level issues.

Veridise explained that "unconstrained circuits" are a typical problem in zero-knowledge related audits, where the constraints of an arithmetic circuit do not adequately enforce all the necessary conditions to check whether certain calculations are performed correctly. This situation does not occur in traditional smart contracts.

This means that a malicious party can craft a proof that tricks a verifier into accepting a false claim as true, severely compromising the integrity of the protocol.
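To make the "unconstrained circuit" failure concrete, the following added example (not from Veridise or The Block) models a toy "is zero" gadget in Python over a small prime field. The field size, the gadget, and all function names are assumptions chosen for illustration. It shows a constraint set that accepts outputs the witness generator would never produce, and a brute-force determinism check that flags the gap.

```python
# Added illustration: a toy "is zero" gadget over a small prime field.
# P, the gadget and all function names are assumptions made for this example.
from itertools import product

P = 31  # small prime so the whole witness space can be enumerated


def witness_generator(x):
    """What the developer intends: out = 1 if x == 0, otherwise 0."""
    inv = pow(x, P - 2, P) if x % P else 0  # modular inverse, or 0 for x == 0
    out = (1 - x * inv) % P
    return inv, out


def constraints_weak(x, inv, out):
    # Only encodes out = 1 - x*inv; nothing forces inv to be the inverse of x.
    return (x * inv + out - 1) % P == 0


def constraints_fixed(x, inv, out):
    # Adds x*out = 0, so out can be non-zero only when x is zero.
    return constraints_weak(x, inv, out) and (x * out) % P == 0


def accepted_outputs(constraints, x):
    """Every value of `out` for which some witness satisfies the constraints."""
    return {out for inv, out in product(range(P), repeat=2)
            if constraints(x, inv, out)}


def is_deterministic(constraints):
    """A sound gadget admits exactly the generator's output for each input."""
    return all(accepted_outputs(constraints, x) == {witness_generator(x)[1]}
               for x in range(P))


if __name__ == "__main__":
    x = 5  # constructed sample input
    print("honest witness for x=5:", witness_generator(x))
    print("weak constraints accept 'x is zero':", constraints_weak(x, 0, 1))
    print("fixed constraints accept 'x is zero':", constraints_fixed(x, 0, 1))
    print("weak gadget deterministic:", is_deterministic(constraints_weak))
    print("fixed gadget deterministic:", is_deterministic(constraints_fixed))
```

Exhaustive enumeration only works for toy fields like this one; on production-sized fields the same determinism property has to be established with review or formal tooling.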

In Veridise’s audits, zero-knowledge techniques are often applied to critical infrastructure protocols such as L2 ZK-rollups, ZK-VMs, and the circom library, where Veridise previously discovered a “million-dollar” ZK bug. The security of these protocols is extremely important because it affects all decentralized applications built on top of them.

Logic errors, for their part, are failures to perform the intended function due to errors in the logical flow of the code. A typical example is a smart contract that mistakenly allows users to withdraw funds that exceed their balance. Data validation issues involve the failure to properly verify the correctness, completeness, and authenticity of data.

Denial of service issues involve attacks intended to disrupt the normal operation of the protocol. For example, a smart contract may be incorrectly designed in a way that allows an attacker to consume all available gas.

Finally, access control issues concern users' ability to access restricted areas or functions.

Veridise claims that more than $10 billion has been stolen in hacks of various blockchain and DeFi platforms since 2018. A better understanding of these types of vulnerabilities can help Web3 projects focus on the most serious ones and proactively protect against them.