zkDaily - 2026-03-01

零知识证明 zkDaily

ZKP Frontier Tracker 🎯

Sun

03.01

2026

The First ZK Exploits Happened, and They Weren't What We Expected

Blog

https://blog.zksecurity.xyz/posts/groth16-setup-exploit/

zkSecurity snarkjs Trusted Setup

@zkSecurity analyzes recent ZK circuit exploits in a blog post, attributing them to Groth16 verifier setup errors where missing Phase 2 contributions cause identical γ and δ parameters, enabling proof forgery.

Notes

Both exploits stem from Groth16 verifier setup errors in snarkjs, where missing Phase 2 contributions leave γ and δ parameters identical.
Losses: ~$1.5M and 5 ETH, discovered by white-hat hackers to prevent malicious attacks.
Root cause: snarkjs sets γ and δ to the same generator point when initializing zkey
Phase 2 contribution is required to randomize δ
Developers often overlook simple mistakes while focusing on complex parts
ZK DSLs are easy to misuse and lack foundational tooling support

Collected by @icerdesign

零知识证明 zkDaily

Q&A Deep Dive 💬

Sun

03.01

2026

Why must γ and δ be independent random group elements?

They randomize the public input term and the proof element C respectively. If they are equal, an attacker can engineer cancellations that collapse the pairing equation into a tautology.

What exactly does snarkjs do during zkey initialization if Phase 2 is skipped?

It initializes both γ₂ and δ₂ to the BN254 generator as placeholders. Without a contribution step, they remain identical.

Why is this vulnerability not an underconstrained circuit bug but a systemic soundness collapse?

The circuit may be perfectly correct, but the verification key violates Groth16’s independence assumptions. The pairing equation loses its knowledge-binding property, breaking the trusted setup soundness at the system level.

Prompted by @icerdesign