zkPoEX (zk proof of exploit) is a Proof-of-Concept developed at ETH Denver Hackathon with the aim to facilitate communication and collaboration between security experts and teams in the decentralized finance (DeFi) space by enabling white hat hackers to report live vulnerabilities in smart contracts while maintaining the confidentiality of the exploit.
Bug bounty programs in the DeFi space can be hard to run and maintain, not always honored, and may not always offer sufficient compensation for white hats. This can lead to a lack of incentive for hackers to report vulnerabilities, which can ultimately result in a less secure DeFi ecosystem.
Our tooling allows auditors to safely generate a zero-knowledge proof of exploit without revealing the actual exploit. With zero-knowledge proofs, the auditor can prove that they know of a transaction that can produce an undesirable change of state in certain contracts, without revealing the specifics of the exploit.
Since the auditor is not giving away the exploit, the project is incentivized to work with the auditor to fix the vulnerability. This facilitates communication and collaboration between hackers and project owners for a more secure DeFi ecosystem.
The project utilizes the following technologies:
- Risc0: A General Purpose Zero-Knowledge VM that allows to prove and verify any computation. The RISC Zero ZKVM is a verifiable computer that works like a real embedded RISC-V microprocessor, enabling programmers to write ZK proofs like they write any other code.
- SputnikVM: A high-performance, modular virtual machine for executing Ethereum smart contracts.
- Zero-Knowledge Proofs: A cryptographic technique that allows one party to prove to another party that a statement is true, without revealing any additional information beyond the fact that the statement is true.
To use the project, you will need to have the following installed on your system:
To test the evm :
$ just test-evm
To generate proof (and verify) :
$ just prove
Please note that this particular example requires at least 16gb of RAM and may take a long time depending on your hardware.
We would like to thank Maciej Zieliński for providing an example in his blog post of how to run Solidity code inside SputnikVM inside Risc0. We would also like to thank Daniel Lumi for advising us in this project.
Contributions to the project are welcome and encouraged. To contribute, fork the project on GitHub, make your changes, and submit a pull request.
zkPoEX is provided "as is" without any warranties.
The purpose of zkPoEX is to promote responsible disclosure and encourage organizations to address security vulnerabilities in a timely and effective manner, thereby enhancing overall security.
The developers and maintainers of the Tool disclaim all liability for any damages, losses, or harm resulting from the use or misuse of the Tool.
For more information, read the Disclaimer