International Association for Cryptologic Research


CryptoDB

Exploiting Vulnerable Implementations of ZK-based Cryptographic Schemes Used in the Ethereum Ecosystem

Authors:
Oana Ciobotaru
Maxim Peter
Vesselin Velichkov
Sam Wong
Nikesh Nazareth
Presentation: Slides
Abstract: The Fiat-Shamir transform is a well-known and widely employed technique for converting sound public-coin interactive protocols into sound non-interactive protocols. Even though the transformation itself is relatively clear and simple, some implementations choose to deviate from the specifications, for example for performance reasons. In this work, we present a vulnerability arising from such a deviation in a KZG-based PLONK verifier implementation. This deviation stemmed from the incorrect computation of the last challenge of the PLONK protocol, where the KZG batching proof challenge was computed before, and, hence, independently of the KZG evaluation proofs. More generally, such a vulnerability may affect any KZG implementation where one uses batched KZG proof evaluations for at least two distinct evaluation points. We call an attack enabled by such a deviation a Last Challenge Attack. For concreteness, we show that when a PLONK verifier implementation presents such a deviation, a malicious PLONK prover can mount a Last Challenge Attack to construct verifiable proofs of false statements. The described vulnerability was initially discovered as part of an audit, and has been responsibly disclosed to the developers and fixed. A proof of concept of the vulnerability, in which a proof is forged for an arbitrary public input, was made available. Apart from the above attack, the talk will also describe other implementation vulnerabilities discovered while performing audits for ZK-based cryptographic systems used within the Ethereum ecosystem.
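The abstract names the root cause (the batching challenge u for the two KZG opening proofs W_z and W_zw was derived before those proofs entered the transcript) but not why that lets a prover pass the verifier's check with false evaluations. The toy model below, added by the editor and not the talk's proof of concept, makes the mechanism concrete. It models KZG in the scalar field: a "commitment" to f is the field element f(tau) mod P, and the verifier's pairing check e(W_z + u*W_zw, [tau]_2) = e(z*W_z + u*z*omega*W_zw + (1+u)*C - [y1 + u*y2]_1, [1]_2) is compared directly in the exponent using the toy setup secret. The prime P, the secret TAU, the shift OMEGA, the sample polynomial and the hash-based transcript are all constructed for the example. The forgery construction (force W_z + u*W_zw = 0 so the tau-dependent side vanishes, then solve the remaining linear equation for W_z without knowing tau) is the editor's derivation from the standard batched check given a challenge fixed in advance, and is not claimed to be the exact construction used in the audit. A real prover would compute W_z as a scalar combination of C and the generator; the toy represents that as field arithmetic on the scalar C.

```python
"""Toy batched KZG opening at two points (z and z*omega) with a vulnerable and a
hardened Fiat-Shamir ordering for the batching challenge u.

Editor's added example. KZG lives in a scalar-field model: commit(f) = f(TAU) mod P.
TAU is used only by commit() and by the simulated pairing check in verify();
the forger never touches it.
"""
import hashlib

P = 2**61 - 1        # constructed toy prime; real systems use the curve's scalar field
TAU = 123456789      # constructed toy trusted-setup secret (never available to the prover)
OMEGA = 7            # shift for the second opening point; any OMEGA != 1 works here


def evaluate(f, x):
    """Horner evaluation of coefficient list f (lowest degree first)."""
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % P
    return acc


def commit(f):
    """KZG commitment [f(tau)]_1, modelled as the scalar f(TAU) mod P."""
    return evaluate(f, TAU)


def divide_by_linear(f, z):
    """Synthetic division: returns q with f(X) - f(z) = q(X) * (X - z)."""
    q = [0] * (len(f) - 1)
    carry = 0
    for i in range(len(f) - 1, 0, -1):
        carry = (f[i] + carry * z) % P
        q[i - 1] = carry
    return q


def challenge(*items):
    """Fiat-Shamir challenge over the transcript items passed in, reduced mod P."""
    h = hashlib.sha256()
    for item in items:
        h.update(int(item).to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % P


def u_vulnerable(C, z, y1, y2):
    """Deviation described in the talk: u derived before (independently of) W_z, W_zw."""
    return challenge(C, z, y1, y2)


def u_hardened(C, z, y1, y2, W_z, W_zw):
    """Specification order: W_z, W_zw are absorbed into the transcript before u is derived."""
    return challenge(C, z, y1, y2, W_z, W_zw)


def verify(C, z, y1, y2, W_z, W_zw, u):
    """Simulated pairing check, compared in the exponent:
    tau*(W_z + u*W_zw) == z*W_z + u*z*omega*W_zw + (1+u)*C - y1 - u*y2."""
    zw = z * OMEGA % P
    lhs = TAU * (W_z + u * W_zw) % P
    rhs = (z * W_z + u * zw * W_zw + (1 + u) * C - y1 - u * y2) % P
    return lhs == rhs


def honest_open(f, z):
    """Honest prover: true evaluations and quotient commitments at z and z*omega."""
    C = commit(f)
    zw = z * OMEGA % P
    y1, y2 = evaluate(f, z), evaluate(f, zw)
    W_z, W_zw = commit(divide_by_linear(f, z)), commit(divide_by_linear(f, zw))
    return C, y1, y2, W_z, W_zw


def forge_open(C, z, y1_false, y2_false, u):
    """Forger who learns u before committing to the proofs (editor's construction):
    choose W_zw = -W_z/u so the tau-dependent side is zero, then solve the remaining
    equation (z - z*omega)*W_z + (1+u)*C - y1 - u*y2 = 0 for W_z. Needs no tau."""
    zw = z * OMEGA % P
    W_z = (y1_false + u * y2_false - (1 + u) * C) * pow((z - zw) % P, -1, P) % P
    W_zw = (-pow(u, -1, P) * W_z) % P
    return W_z, W_zw


def demo():
    f = [3, 1, 4, 1, 5, 9]          # constructed sample polynomial, lowest degree first
    z = 42
    C, y1, y2, W_z, W_zw = honest_open(f, z)
    out = {}
    out["honest_vulnerable"] = verify(C, z, y1, y2, W_z, W_zw, u_vulnerable(C, z, y1, y2))
    out["honest_hardened"] = verify(C, z, y1, y2, W_z, W_zw, u_hardened(C, z, y1, y2, W_z, W_zw))
    # Claim arbitrary false evaluations of the same committed polynomial.
    y1_f, y2_f = (y1 + 1) % P, 777
    u = u_vulnerable(C, z, y1_f, y2_f)       # fixed before the proofs are chosen
    Wf_z, Wf_zw = forge_open(C, z, y1_f, y2_f, u)
    out["forged_vulnerable"] = verify(C, z, y1_f, y2_f, Wf_z, Wf_zw, u)
    # Same forged proof against a verifier that binds u to W_z, W_zw.
    out["forged_hardened"] = verify(C, z, y1_f, y2_f, Wf_z, Wf_zw,
                                    u_hardened(C, z, y1_f, y2_f, Wf_z, Wf_zw))
    return out


if __name__ == "__main__":
    print(demo())
```

The hardened verifier rejects the forgery only because changing W_z or W_zw changes u, so the prover cannot pick proofs for a known u; the check equation itself is identical in both cases. When auditing a PLONK or batched-KZG verifier, the concrete thing to confirm is therefore transcript order: every group element that appears in the final pairing check must be absorbed before the challenge that combines it is squeezed.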
Video: https://youtu.be/ZwjGqYGfbN8
BibTeX
@misc{rwc-2025-35894,
  title={Exploiting Vulnerable Implementations of ZK-based Cryptographic Schemes Used in the Ethereum Ecosystem},
  note={Video at \url{https://youtu.be/ZwjGqYGfbN8}},
  howpublished={Talk given at RWC 2025},
  author={Oana Ciobotaru and Maxim Peter and Vesselin Velichkov and Sam Wong and Nikesh Nazareth},
  year=2025
}