ZK/SEC Quarterly

Back to all posts

On ZK Security, ZK Summit, and a Decade of Progress

ZK/SEC May 06, 2026 4 min read
announcement zk security event

zkSummit14 Rome

This Thursday, May 7th, we're sponsoring zkSummit14 in Rome.

zkSummit is one of the very few events where the people actually building zero-knowledge systems all end up in the same room, and it's the reason we keep showing up year after year. Honestly, ZK as a field, and zkSecurity as a company, wouldn't be where it is today without zkSummit and the team behind it. The conversations there have a way of outlasting the day by a few months, so this time around we wanted to back it more directly. We're sponsoring, a good chunk of the team will be there, and if you're going to be in Rome on Thursday please come find us. It's by far the easiest way to talk to us about ZK security in person, and we'd much rather meet you there than over a contact form.

It also feels like the right moment for it. Ten years ago, ZK was mostly papers and toy implementations (this year is, fittingly, the 10th anniversary of Groth16, the proof system that quietly powers a huge chunk of what's deployed today). Today, hundreds of millions of dollars in value already move through zero-knowledge protocols every day. Mainnets settle with it, browsers verify it, zkVMs compile real programs into it. The libraries are reusable, the protocols are deployed, and the bugs cost real money. And that maturity is now starting to spill outside of crypto too: Google has been publishing on zero-knowledge and is shipping ZK into product for things like age verification, which means ZK is now protecting personal data in flows that touch ordinary users, not just value between wallets.

From where we sit, after 100+ ZK audits across circuits, zkVMs, and full protocols, the clearest signal that this is no longer theoretical happened just a few months ago. In February, a privacy pool called Veil became the first known blackhat exploit against a live ZK protocol: it got drained for around \$5K (small as far as crypto exploits go, and notably we are still waiting to see the first million-dollar blackhat exploit against a live ZK protocol) because its Groth16 verifier had skipped the second phase of its trusted setup ceremony, leaving γ and δ equal and turning the verifier into a rubber stamp (see the post for more detail). Anyone who noticed could forge proofs without a witness. A few days later the exact same bug surfaced in Foom, a much larger lottery dApp on Base and Ethereum, and this time one of our team members, @duha_real, spotted it first and led the whitehat rescue, recovering around \$500K on the Base side before a malicious actor could touch it (an anonymous whitehat independently drained the Ethereum side).

First real-world blackhat exploit, first whitehat rescue, same week.

What's striking is that neither of those bugs was a subtle underconstrained circuit or a deep cryptographic flaw. Both were a single missing step in a deployment script, and that keeps being the pattern for the bugs that surface publicly. Classics like Fiat-Shamir misuse, despite being well understood in theory, simply refuse to die. Everyone "knows" the rule. Almost nobody implements it correctly the first time. The bugs we find inside paid audits are a different story. They're deeper, harder to spot, and almost never the kind of thing a careful skim of the repo would catch. The catastrophic things hiding in production ZK code rarely look like the ones that end up on Twitter.

The encouraging part is that this is finally a domain where automation is starting to pull its weight. Our continuous auditing system zkao has already caught real bugs in production code that got fixed before they cost anyone money, the kind of findings that, left alone, would have been very expensive. The million-dollar bugs so far still come out of human audits, which is exactly why we keep doing them. The way we think about zkao is less "a scanner you run once" and more "a tireless researcher embedded in your codebase": you connect it once, and as our agents and the underlying models keep getting better, they keep coming back to your circuits months later. A bug that wasn't detectable in January might surface in June, without you re-engaging anyone.

So if you're working on a new proof system, a zkVM, or a protocol that handles real money, come say hi at zkSummit14 in Rome this Thursday. And if you'd rather keep talking afterwards, hello@zksecurity.xyz is still the easiest way to reach us.

zkSecurity offers auditing, research, and development services for cryptographic systems including zero-knowledge proofs, MPCs, FHE, consensus protocols and more.

Learn More →

Latest Posts

Powers-of-funbenius

Mathias Hall-Andersen May 05, 2026
cryptography algebra soundness zk

A one-character repeated-squaring bug in Inferno's Limbo implementation turns the intended random polynomial check into a linearized Frobenius check over a binary extension field. This post walks through why the usual Schwartz-Zippel argument disappears, how periodicity of the Frobenius map makes collisions immediate after 64 multiplication gates, and how even smaller circuits can cheat with noticeably higher probability.

Verifying Poseidon in Clean: Why the Last 'Sorry' Is About Primality

Martin Ochoa May 04, 2026
formal-verification zk poseidon lean clean

We walk through a Lean 4 proof of correctness for a Clean model of circomlib's optimized Poseidon hash circuit at arity 1. The theorem says the modeled constraints are sound and complete with respect to the optimized Poseidon spec. After weeks of work, the only remaining `sorry` was a primality proof for the BN254 scalar field: a 254-bit number that no proof assistant can decide by trial division. Closing it requires a Pratt certificate, a recursive proof structure based on a theorem Lucas published in 1876.

Groth16, Intuitively

David Wong May 01, 2026
educative zk groth16

Groth16 is still the gold standard for succinct SNARKs: 128-byte proofs, constant-size verification, and a decade of real-world deployment. But despite its ubiquity, almost nobody explains *why* it works the way it does. In this post, we build Groth16 from the ground up, starting from R1CS and QAPs, then layer in pairings, trusted setup parameters, and the separator tricks (α, β, γ, δ) that make the scheme sound. By the end, you should have an intuitive grasp of every term in the final verifier equation.

Recommended Reading

The First ZK Exploits Happened, and They Weren't What We Expected

Stefanos Chaliasos, Hao Pham February 27, 2026
security zk circom groth16

The first two known exploits against live ZK circuits happened in the past week. Both stem from the same root cause. They were not subtle underconstrained bugs, but rather Groth16 verifiers (generated by snarkjs) with an incorrect setup (just missing the last step). One was exploited by white-hat hackers for ~$1.5M, the other was drained for 5 ETH.

Zkao: Security That Compounds

ZK/SEC February 07, 2026
zkao security zk AI

Today we're launching zkao, a product by zkSecurity that makes AI security research work the way fuzzing works: not as a one-shot event, but as something you run continuously until coverage compounds.

ZK Programmability Adds a Whole New Layer to Worry About

David Wong May 31, 2023
announcement security zk

Zero-knowledge (ZK) programs are revolutionizing how developers can build secure systems by proving execution without exposing data, making them incredibly useful for privacy and security. However, they come with their own set of challenges. In this blog, we delve into these security implications and offer practical strategies to help developers navigate the risks. From understanding private inputs to the intricacies of proof systems and trusted setups, we unpack the complexities and provide insights on how to address potential pitfalls, ensuring you're well-prepared to harness the power of ZK programs effectively.

More to Explore

Beyond L2s Maturity: a Formal Approach to Building Secure Blockchain Rollups

Stefanos Chaliasos February 18, 2025
educative security zk formal-verification

In our latest blog post, we dig into the fascinating world of blockchain rollups, focusing on their security and how they help Ethereum scale while maintaining its core values of decentralization. We'll break down the concepts of Optimistic and ZK-Rollups, discuss the importance of projects like L2BEAT in assessing rollup maturity, and introduce our formal model for ensuring rollup security. If you're curious about how forced transactions, safe blacklisting, and upgradeability are shaping the future of Ethereum, this is a read you won't want to miss.

𝒫𝔩𝔬𝔫𝒦: a Hands-on Deep Dive

Martín Ochoa August 05, 2025
educative zk plonk

𝒫𝔩𝔬𝔫𝒦’s many layers (selector polynomials, wiring permutations, quotient tests, random challenges and KZG commitments) can be overwhelming. Our zkSecurity tutorial uses a single running example to demystify them all. Build tables and interpolate low-degree BN254 polynomials, encode gate and wiring constraints, run deterministic and probabilistic zero-tests, then layer in randomness and KZG commitments to produce a full Fiat–Shamir proof. Grab the Jupyter Notebook (Sage or Cocalc), or work in your favorite language with our guided test cases.

Noname 2.0: Unlocking Numeric Generics, Folding Schemes, and a Playground

ZK/SEC August 08, 2024
announcement tools zk

We're excited to introduce the preview of noname 2.0, packed with features that make developing advanced ZK circuits easier than ever. This update includes flexible generic-sized arrays, seamless integration with folding schemes for IVC, and an interactive online playground to test and share code. We've also optimized R1CS constraint generation to boost performance. Plus, there are numerous community-driven enhancements and bug fixes that make the language more robust and user-friendly. Dive in to explore the specifics of our journey, learn from the contributions of our vibrant open-source community, and see how noname is evolving into a more versatile tool for developers.
View all articles