zkDaily - 2026-03-04

零知识证明 zkDaily

ZKP Frontier Tracker 🎯

Wed

03.04

2026

Unfaithful Claims: Breaking 6 zkVMs

Blog

https://osec.io/blog/2026-03-03-zkvms-unfaithful-claims/

Himanshu Sheoran Fiat-Shamir

Himanshu Sheoran and Valter Wik expose security flaws in six zkVM systems due to unbound claim data in Fiat-Shamir transcripts, enabling attackers to bypass cryptographic verification and prove impossible statements.

Notes

Flaws arise from unbound claim data in Fiat-Shamir transcripts, making challenges independent of values like claimed_sum.
Attackers can solve linear equations to adjust unbound values, passing verification for invalid executions.
Affected systems: Jolt, Nexus, Cairo-M, Ceno, Expander, Binius64.
In blockchain, this could create assets out of thin air.
Fix requires absorbing all verification-affecting values into transcript before challenge generation.
Jolt fixed via PR #981 on Oct 3, 2025; status of others unclear.

Collected by @icerdesign

零知识证明 zkDaily

Q&A Deep Dive 💬

Wed

03.04

2026

Why is transcript ordering critical in Fiat-Shamir?

If a value influences a later verification equation but is not hashed before the relevant challenge is sampled, the attacker can compute the challenge first and then choose the value to satisfy the equation, breaking soundness.

In sumcheck-based systems like Jolt, how does an unbound input claim reduce to a solvable linear equation?

Because compression makes the final verification equation linear in the initial claim, of the form a·H + b = expected, and the coefficients are independent of H, the attacker can directly solve for H.

Why does this bug class recur across independent zkVM implementations?

Academic descriptions focus on interactive protocols and omit full non-interactive Fiat-Shamir binding details. Modular architectures diffuse transcript responsibility, and optimization pressure encourages omission of seemingly redundant absorptions.

Prompted by @icerdesign