# zkSecurity

zkSecurity is a leading security research and development firm focusing on advanced cryptography -- not just zero-knowledge proofs (ZKP), but also multi-party computation (MPC), fully homomorphic encryption (FHE), lattice-based cryptography, post-quantum cryptography, and general protocol security. We provide security audits, development, tooling, and educational resources for advanced cryptographic systems.

Team members publish peer-reviewed research at top-tier venues including CRYPTO, EUROCRYPT, ASIACRYPT, CCS, USENIX Security, POPL, ICSE, ISSTA, PoPETs, and FC.

Clients include: Solana Foundation, Aztec, StarkWare, Aleo, Mysten Labs, NEAR, Ethereum Foundation, RISC Zero, Mina, Celo, Matter Labs, Lighter.

## Contact

- Email: hello@zksecurity.xyz
- Telegram:
- Twitter:
- LinkedIn:
- GitHub:

## Services

- [Security Audits](https://reports.zksecurity.xyz): Security audits of ZK circuits, proving systems, cryptographic protocols, TEEs, and smart contracts
- [Development](https://zksecurity.xyz): Custom implementation of advanced cryptographic systems, from ZK circuits to MPC protocols
- [ZKAO](https://zkao.io/): AI-powered continuous bug detection for Circom circuits

## Research

- [Blog](https://blog.zksecurity.xyz): ZK/SEC Quarterly - technical blog on ZK, MPC, FHE security
- [ZK Bug Tracker](https://bugs.zksecurity.xyz/): Knowledge base of reproducible ZK vulnerabilities
- [News](https://news.zksecurity.xyz): zkSecurity news

## Learning

- [Halo2 Course](https://halo2.zksecurity.xyz/): Online course on Halo2 circuit development
- [PLONK Tutorial](https://plonk.zksecurity.xyz/): Interactive guide to the PLONK proving system
- [Sumcheck Protocol](https://sumcheck.zksecurity.xyz/): Deep dive into the Sumcheck protocol with SageMath
- [S-two Book](https://docs.starknet.io/learn/S-two-book/introduction): Comprehensive guide to STARK proving systems
- [Challenges](https://challenges.zksecurity.xyz/): Ongoing capture the flag / wargame for testing cryptographic skills

## Highlights

Notable bug bounties and vulnerability disclosures:

- [Discovered an infinite-money inflation bug in Aleo's protocol](https://blog.zksecurity.xyz/posts/aleo-bug/)
- [Found a soundness bug in Solana's ZK ElGamal Proof Program](https://blog.zksecurity.xyz/posts/solana-phantom-challenge-bug/)
- [Uncovered a query collision soundness bug in Halo2](https://blog.zksecurity.xyz/posts/halo2-query-collision/)

Selected audits across DSLs and systems:

- Circom: [Penumbra](https://reports.zksecurity.xyz/reports/penumbra/), [Reclaim ChaCha20](https://reports.zksecurity.xyz/reports/reclaim/), [Celo zkPassport](https://reports.zksecurity.xyz/reports/celo-self-audit/)
- R1CS/Arkworks: [Aleo Synthesizer](https://reports.zksecurity.xyz/reports/aleo-synthesizer/) (Marlin), [Penumbra](https://reports.zksecurity.xyz/reports/penumbra/)
- Gnark: [zkLighter](https://reports.zksecurity.xyz/reports/zklighter/) (recursive ZKPs)
- Consensus: [Aleo Bullshark](https://reports.zksecurity.xyz/reports/aleo-consensus/) (BFT)
- MPC: [Renegade](https://blog.zksecurity.xyz/posts/renegade-audit/) (ZK+MPC)
- TEE: [Phala dStack](https://reports.zksecurity.xyz/reports/phala-dstack/) (Intel TDX)
- zkVM: [Jolt](https://blog.zksecurity.xyz/posts/jolt-findings/) (RISC-V)
- Identity: [Sui zkLogin](https://blog.zksecurity.xyz/posts/zklogin/)

Selected research:

- FRIDA: Data Availability Sampling from FRI (CRYPTO 2024)
- Extractable Witness Encryption for KZG Commitments (ASIACRYPT 2024)
- SoK: Understanding Security Vulnerabilities in SNARKs (USENIX Security 2024)
- Towards a Formal Foundation for Blockchain ZK Rollups (CCS 2025)

## Blog Posts: Vulnerability Research

- [The zero-knowledge attack of the year: how Nova got broken](https://blog.zksecurity.xyz/posts/nova-attack/): Discovery and analysis of a critical soundness bug in Nova
- [Uncovering and Fixing an Inflation Bug in Aleo](https://blog.zksecurity.xyz/posts/aleo-bug/): Finding and responsibly disclosing an inflation vulnerability in Aleo
- [Uncovering the Query Collision Bug in Halo2](https://blog.zksecurity.xyz/posts/halo2-query-collision/): How a single extra query breaks soundness in Halo2
- [Uncovering the Phantom Challenge Soundness Bug in Solana's ZK ElGamal Proof Program](https://blog.zksecurity.xyz/posts/solana-phantom-challenge-bug/): Soundness bug in Solana's zero-knowledge proof program
- [Improving the Security of the Jolt zkVM](https://blog.zksecurity.xyz/posts/jolt-findings/): Security findings from auditing the Jolt RISC-V zkVM
- [Reproducing and Exploiting ZK Circuit Vulnerabilities](https://blog.zksecurity.xyz/posts/zkbugs/): Hands-on reproduction of real-world ZK bugs
- [SoK: Understanding Security Vulnerabilities in SNARKs](https://blog.zksecurity.xyz/posts/zkpaper/): Systematization of knowledge on SNARK vulnerability classes
- [zkVM Security: What Could Go Wrong?](https://blog.zksecurity.xyz/posts/zkvm-security/): Security considerations for zero-knowledge virtual machines
- [Detecting boomerang values in zero-knowledge circuits using tag analysis](https://blog.zksecurity.xyz/posts/boomerang/): Novel technique for detecting under-constrained circuits
- [Under-constrained bugs in ZK programs](https://blog.zksecurity.xyz/posts/underconstrain-bugs/): Common under-constraint patterns and how to avoid them

## Blog Posts: Public Audit Reports

- [Penumbra circuits audit](https://blog.zksecurity.xyz/posts/penumbra/): Public report of auditing Penumbra's ZK circuits
- [Darkfi circuits and crypto audit](https://blog.zksecurity.xyz/posts/darkfi/): Public report of Darkfi circuits and cryptography
- [Lighter ZK circuits audit](https://blog.zksecurity.xyz/posts/lighter-xyz/): Public report of Lighter's ZK circuit audit
- [Aleo synthesizer audit](https://blog.zksecurity.xyz/posts/aleo-synthesizer/): Public report of Aleo's synthesizer
- [Aleo consensus (Bullshark) audit](https://blog.zksecurity.xyz/posts/aleo-consensus/): Public report of Aleo's consensus protocol
- [Sui zkLogin audit](https://blog.zksecurity.xyz/posts/zklogin/): Public report of Sui's zkLogin
- [Reclaim protocol ChaCha20 circuit audit](https://blog.zksecurity.xyz/posts/reclaim/): Public report of Reclaim's ChaCha20 circuit
- [Renegade audit: When ZK meets MPC](https://blog.zksecurity.xyz/posts/renegade-audit/): Public report of Renegade's ZK+MPC system
- [Auditing Self: Collaborating with Celo](https://blog.zksecurity.xyz/posts/self-audit/): Privacy and identity infrastructure audit for Celo

## Blog Posts: Proof Systems and Cryptography

- [Circle STARKs: Part I, Mersenne](https://blog.zksecurity.xyz/posts/circle-starks-1/): Four-part series on Circle STARKs
- [Circle STARKs: Part II, Circles](https://blog.zksecurity.xyz/posts/circle-starks-2/)
- [Circle STARKs: Part III, Circle FFT](https://blog.zksecurity.xyz/posts/circle-starks-3/)
- [Circle STARKs: Part IV, Arithmetizing Circles](https://blog.zksecurity.xyz/posts/circle-starks-4/)
- [Breaking Down Bulletproofs: No Pairings, No Trusted Setup](https://blog.zksecurity.xyz/posts/bulletproofs-intuitions/): Three-part series on Bulletproofs
- [Unfolding the Bulletproofs Magic: A SageMath Deep Dive](https://blog.zksecurity.xyz/posts/bulletproofs-sage/)
- [Stay in Range: Deeper Into Bulletproofs](https://blog.zksecurity.xyz/posts/bulletproofs-range-proofs/)
- [Variants of KZG: Part I, Univariate](https://blog.zksecurity.xyz/posts/kzg-1/): KZG polynomial commitment schemes
- [WE-KZG: Encrypt to KZG](https://blog.zksecurity.xyz/posts/kzg-we/): Witness encryption from KZG commitments
- [Playing with LaBRADOR: Lattice-based Proofs with Recursion](https://blog.zksecurity.xyz/posts/labrador/): Post-quantum lattice-based proof systems
- [Proofs On A Leash: Post-Quantum Lattice SNARK With Greyhound](https://blog.zksecurity.xyz/posts/greyhound/): Post-quantum SNARKs from lattice assumptions
- [Sigma dance: commit, challenge, respond](https://blog.zksecurity.xyz/posts/sigma/): Introduction to Sigma protocols
- [A Gentle Introduction to the MPC-in-the-Head Transformation](https://blog.zksecurity.xyz/posts/mpcith-intro/): Building ZK proofs from MPC protocols
- [ZNARKs: SNARKs for The Integers](https://blog.zksecurity.xyz/posts/znarks/): SNARK constructions over the integers
- [A Technical Dive into Jolt: The RISC-V zkVM](https://blog.zksecurity.xyz/posts/how-jolt-works/): Deep technical explanation of the Jolt zkVM
- [Projects That Shaped Modern zkVMs](https://blog.zksecurity.xyz/posts/zkvm-projects-1/): History and evolution of zero-knowledge virtual machines
- [BitVM: Arbitrary Computation on Bitcoin Through Circuit Abstractions](https://blog.zksecurity.xyz/posts/bitvm/): How BitVM enables computation verification on Bitcoin

## Blog Posts: FRI and Soundness Analysis

- [Why does FRI work?](https://blog.zksecurity.xyz/posts/fri-security/): Intuition and security analysis of the FRI protocol
- [How Many FRI Queries Do You Need?](https://blog.zksecurity.xyz/posts/security-of-fri/): Concrete security bounds for FRI
- [Proximity Gaps: What Happened and How Does It Affect our SNARKs](https://blog.zksecurity.xyz/posts/proximity-conjecture/): Impact of the proximity gap conjecture on SNARK security
- [FRIDA: Data-Availability Sampling from FRI](https://blog.zksecurity.xyz/posts/frida/): Using FRI for data availability sampling
- [Lean4 formalization of "A Simplified Round-by-round Soundness Proof of FRI"](https://blog.zksecurity.xyz/posts/simple-rbr-fri/): Formal verification of FRI soundness in Lean 4
- [Faster Sumchecks: Part I](https://blog.zksecurity.xyz/posts/faster-sumchecks/): Optimizing the sumcheck protocol

## Blog Posts: Formal Verification

- [Comparison of formal verification frameworks for arithmetic circuits](https://blog.zksecurity.xyz/posts/formal-verification-arithmetic-circuits/): Survey of tools for formally verifying ZK circuits
- [An Introduction to Interactive Theorem Provers](https://blog.zksecurity.xyz/posts/introduction-to-interactive-theorem-provers/): Foundations of formal verification for cryptography
- [Introducing clean: formal verification DSL for ZK circuits in Lean4](https://blog.zksecurity.xyz/posts/clean/): A DSL for building formally verified ZK circuits
- [Beyond L2s Maturity: A Formal Approach to Building Secure Blockchain Rollups](https://blog.zksecurity.xyz/posts/l2_formal_paper/): Formal methods applied to rollup security

## Blog Posts: Developer Education

- [Common Circom Pitfalls and How to Dodge Them -- Part 1](https://blog.zksecurity.xyz/posts/circom-pitfalls-1/): Common mistakes in Circom circuit development
- [Common Circom Pitfalls and How to Dodge Them -- Part 2](https://blog.zksecurity.xyz/posts/circom-pitfalls-2/)
- [Exploring Leo: A Primer on Aleo Program Security](https://blog.zksecurity.xyz/posts/aleo-program-security/): Security guide for Aleo/Leo developers
- [Halo2's Elegant Transcript As Proof](https://blog.zksecurity.xyz/posts/halo2-elegant-transcript/): Understanding Halo2's transcript mechanism
- [Optimizing Barrett Reduction: Tighter Bounds](https://blog.zksecurity.xyz/posts/barrett-tighter-bound/): Optimization technique for modular arithmetic
- [Kocher's Timing Attack: A Journey from Theory to Practice](https://blog.zksecurity.xyz/posts/timing-kocher/): Implementing timing side-channel attacks
- [Accelerating ZK Proving with WebGPU](https://blog.zksecurity.xyz/posts/webgpu/): GPU acceleration techniques for ZK proving

## Blog Posts: Trusted Execution Environments

- [Trust, But Measure: A Friendly Intro to TEEs with Intel TDX](https://blog.zksecurity.xyz/posts/tees/): Introduction to trusted execution environments
- [Proof is in the Pudding: Introduction to Data Availability Sampling](https://blog.zksecurity.xyz/posts/pudding-6-DA/): Data availability in the context of TEEs
- [Proof is in the Pudding: Privacy in Payment Networks](https://blog.zksecurity.xyz/posts/pudding-8-privacy/): Privacy considerations for TEE-based systems

## Blog Posts: Tools

- [zkao: Security That Compounds](https://blog.zksecurity.xyz/posts/zkao-launch/): Launch of AI-powered continuous bug detection for Circom circuits
- [noname: see down to the constraints](https://blog.zksecurity.xyz/posts/noname/): A programming language for writing ZK circuits
- [noname 2.0: Numeric Generics, Folding Schemes, and a Playground](https://blog.zksecurity.xyz/posts/noname-v2/)
- [noname 3.0: Native Hints, Standard Library, Compiler Visualizer](https://blog.zksecurity.xyz/posts/noname-stdlib/)
- [Circomscribe: making Circom less confusing](https://blog.zksecurity.xyz/posts/circomscribe/): Developer tooling for Circom
- [wasmati: Write your WebAssembly in TypeScript](https://blog.zksecurity.xyz/posts/wasmati/): TypeScript-to-WebAssembly compiler
- [Verifying Cairo proofs on Ethereum](https://blog.zksecurity.xyz/posts/stark-evm-adapter/): Bridge for verifying STARK proofs on-chain
- [zkBitcoin: Zero-Knowledge Applications on Bitcoin](https://blog.zksecurity.xyz/posts/zkbitcoin/): Framework for zkapps on Bitcoin

## Open Source

- [ZK Bug Tracker](https://bugs.zksecurity.xyz/): Knowledge base of reproducible ZK vulnerabilities
- [clean](https://github.com/Verified-zkEVM/clean): Formally verified zkEVM in Lean 4
- [mina-attestations](https://github.com/zksecurity/mina-attestations): Privacy-preserving credential verification on Mina

## Careers

- [Jobs](https://zksecurity.xyz/jobs/)