May 30, 2023
Beosin has discovered a vulnerability in the Circom verification library, identified as CVE-2023–332
Beosin has discovered a vulnerability in the Circom verification library, identified as CVE-2023–33252, and warns the ZK project team to be mindful of the associated risks.
Circom is a Rust-based compiler for zero-knowledge proof circuits. The team behind it also developed the SnarkJS library, which enables the implementation of proof systems, including trusted setups, proof generation, and verification, supporting algorithms such as Groth16, PLONK, and FFLONK.
Previously, Beosin security researchers discovered a severe vulnerability in versions of the SnarkJS library up to and including 0.6.11. This vulnerability allowed attackers to forge multiple proofs that would pass verification, enabling double-spending attacks. Beosin promptly reported the vulnerability, contacted the project team, and assisted in fixing it. The vulnerability has now been patched. Beosin advises all ZK projects using the SnarkJS library to update to version 0.7.0 to ensure security.
Furthermore, Beosin’s security team advises ZK project teams to thoroughly consider the algorithm design and the security risks that may arise from language-specific code implementation when conducting proof verification. Beosin has submitted the vulnerability to the Common Vulnerabilities and Exposures (CVE) disclosure platform and received recognition. (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33252)
Contact
If you have need any blockchain security services, please contact us:
Related Project
Related Project Secure Score
Guess you like
Beosin launched the Move Lint static detection tool to secure Sui smart contract development
May 30, 2023
A New Regime for Hong Kong's Virtual Asset Service Providers is coming. Beosin will be supporting.
May 30, 2023
Learn about Hong Kong's VASP licence application details and get ready for the new regime
May 30, 2023
Blockchain Security Monthly Recap of May: $19.69M lost in total
June 01, 2023