Forging ZK proofs to mint arbitrary DUSK tokens
3 days ago
- #Smart Contract Security
- #ZK-SNARKs
- #Blockchain Vulnerabilities
- A critical soundness vulnerability was found in Dusk Network's PLONK implementation, allowing a malicious prover to forge verifying proofs for arbitrary false statements.
- The bug occurred because the verifier consumed four public selector evaluations (q_arith_eval, q_c_eval, q_l_eval, q_r_eval) straight from the proof without checking them against the trusted selector commitments, so a prover could set them to whatever values made the gate identity close.
- This vulnerability would have enabled minting arbitrary amounts of DUSK and moving forged shielded funds through the Phoenix path on the live Rusk network.
- The fix involved adding the four selector evaluations to the KZG batch opening check to verify them against selector commitments in the verifier key.
- A similar vulnerability was discovered in Espresso Systems' Jellyfish (jf-plonk), where some evaluations were never absorbed into the Fiat-Shamir transcript, leaving them open to prover manipulation.
- The incident highlights the need for standardization in PLONK verification to prevent such bugs through mechanical checks and shared specifications.
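The following toy verifier illustrates the defect class described in the points above and the shape of the fix. It is an added example, not Dusk Network's PLONK or Rusk code: it uses a constructed prime field instead of a curve scalar field, a one-gate circuit with the textbook selectors q_l, q_r, q_m, q_o, q_c (not the page's exact selector set), and it keeps the selector polynomials' coefficients in the verifier key and compares claimed evaluations against them directly, standing in for the KZG batch opening check against selector commitments. The names `verify_vulnerable`, `verify_fixed`, `openings_consistent` and `BOUND_IN_ORIGINAL` are all hypothetical.

```python
"""Toy PLONK-style verifier showing why every prover-supplied selector
evaluation must be bound to the verifier key before it is used.
Added illustration only; field, circuit and names are constructed."""

P = 2**61 - 1  # constructed prime modulus for the toy field (not a real curve's scalar field)


def poly_eval(coeffs, x):
    """Evaluate a polynomial (little-endian coefficient list) at x mod P via Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


# Verifier key for a one-gate circuit "a * b = c".
# Real verifiers hold KZG commitments to these polynomials; the toy keeps the
# coefficients so the opening check can be modelled as direct evaluation.
# Gate identity at the challenge point: q_l*a + q_r*b + q_m*a*b + q_o*c + q_c == 0
VERIFIER_KEY = {
    "q_l": [0],
    "q_r": [0],
    "q_m": [1],
    "q_o": [P - 1],  # -1 mod P
    "q_c": [0],
}

# Selectors the flawed verifier bound to the key; the rest were taken on trust
# from the proof (mirrors the page's "four unchecked evaluations" pattern).
BOUND_IN_ORIGINAL = {"q_m", "q_o"}


def gate_identity_holds(sel, a, b, c):
    """Check the arithmetic gate identity using the given selector evaluations."""
    lhs = (sel["q_l"] * a + sel["q_r"] * b + sel["q_m"] * a * b
           + sel["q_o"] * c + sel["q_c"]) % P
    return lhs == 0


def openings_consistent(vk, selector_evals, z, names):
    """Model of the batch opening check: each claimed selector evaluation must
    equal the committed (here: stored) polynomial evaluated at the challenge z."""
    return all(selector_evals[n] == poly_eval(vk[n], z) for n in names)


def verify_vulnerable(vk, proof, public_c):
    """Flawed verifier: binds only the selectors in BOUND_IN_ORIGINAL and then
    feeds the remaining, unchecked evaluations straight into the gate identity."""
    z = proof["challenge"]
    if not openings_consistent(vk, proof["selector_evals"], z, BOUND_IN_ORIGINAL):
        return False
    return gate_identity_holds(proof["selector_evals"], proof["a"], proof["b"], public_c)


def verify_fixed(vk, proof, public_c):
    """Fixed verifier: every selector evaluation is bound to the key before use."""
    z = proof["challenge"]
    if not openings_consistent(vk, proof["selector_evals"], z, vk.keys()):
        return False
    return gate_identity_holds(proof["selector_evals"], proof["a"], proof["b"], public_c)


def honest_proof(vk, a, b, z=12345):
    """Honest prover: reports the true selector evaluations at the challenge."""
    sel = {n: poly_eval(vk[n], z) for n in vk}
    return {"a": a, "b": b, "challenge": z, "selector_evals": sel}


def unbound_selector_proof(vk, a, b, claimed_c, z=12345):
    """Regression input for the verifier: keeps the bound selectors honest but
    chooses the unchecked q_c so the identity closes on a false public output."""
    proof = honest_proof(vk, a, b, z)
    proof["selector_evals"]["q_c"] = (claimed_c - a * b) % P
    return proof


if __name__ == "__main__":
    ok = honest_proof(VERIFIER_KEY, 6, 7)
    bad = unbound_selector_proof(VERIFIER_KEY, 6, 7, 1000)
    print("honest, fixed verifier:   ", verify_fixed(VERIFIER_KEY, ok, 42))
    print("regression, old verifier: ", verify_vulnerable(VERIFIER_KEY, bad, 1000))
    print("regression, fixed verifier:", verify_fixed(VERIFIER_KEY, bad, 1000))
```

The regression input is the kind of vector a reviewer would keep in the verifier's test suite: it passes the old check and must fail the fixed one, which is exactly the soundness property the page says was missing. The design point is that a value appearing in the proof is an attacker-controlled input until an opening check ties it to a commitment in the verifier key; the batch opening is that tie, so every evaluation the gate identity consumes has to be in it.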