Full Report
zkSync Era is one of the most popular L2 blockchains. It utilizes zero-knowledge proofs to demonstrate knowledge of something without giving up said information. zk-SNARKs are a variant of ZK proofs that don't require any special interactions between users. The authors of this post found a substantial vulnerability in how this was done, which is explained here.

ZK circuits are similar to the boolean circuits in computers, with both gates and wires. Instead of booleans, these use polynomials. With arithmetic gates, the boolean operations become things like addition or multiplication. To do the proof, inputs are provided to a system, which produces a specific output. By doing this in a zero-knowledge way, we can create arbitrary logic within the system. In this ecosystem, they used it to build a zk EVM with some modifications to the opcode set and how things function.

These circuits are incredibly complicated, with a ton going on. The memory queue is where the bugs live. This is all about reading and writing to memory. The main VM circuit cannot constrain the memory operations, so they are stored in a queue instead.

When creating the constraints in this library, specific functions need to be called. This takes the circuits and ensures that the expected values are being outputted. When performing memory write operations, the constraint was NOT properly added on top of a linear combination. In particular, something like `lc.enforce_zero(cs)` was missing from the code. Practically, this meant that the upper 128 bits of the `MemoryWriteQuery` are unconstrained! To make this more clear, the upper 128 bits of any value in memory can be altered!

Having the ability to edit the upper 128 bits of memory is a trivial game over. The authors decided to exploit the L2EthToken within the bridge functionality. By sending a small amount of ETH to this contract and then modifying the upper 128 bits, a small amount can be transitioned into a large amount: turning 0.00002 ETH into 100K ETH.

Overall, it's a really interesting vulnerability with crazy impact. The creation of circuits and constraints is very complicated, with many footguns along the way. Good find by the ChainLight people!
Analysis Summary
# Vulnerability: Unconstrained Upper 128 Bits in zkSync Era Memory Write Operations
## CVE Details
- CVE ID: Not explicitly provided in the source text. (Likely assigned internally or pending public disclosure via a standard channel following coordinated disclosure).
- CVSS Score: Not provided. (Impact suggests **Critical** severity due to financial exploitability).
- CWE: Missing or Improper Input Validation / Missing Authorization (In context of circuit constraints, likely related to logic flaws in constraint application).
## Affected Systems
- Products: zkSync Era (L2 blockchain utilizing custom ZK-circuits).
- Versions: Versions prior to the fix deployed by Matter Labs after September 19th, 2023.
- Configurations: Any configuration using the faulty constraint logic for memory write operations within the main VM circuit.
## Vulnerability Description
A critical soundness bug existed in the ZK-circuit implementation used by zkSync Era. Specifically, when performing memory write operations (`MemoryWriteQuery`), the circuit constraints failed to properly enforce the integrity of the entire value being written. The necessary constraint, identified as `lc.enforce_zero(cs)` (or similar constraint application), was missing during the creation of constraints on a linear combination.
This flaw meant that the **upper 128 bits of any value written to memory were completely unconstrained**. A malicious prover could generate a valid proof for a block execution where they manipulated these upper 128 bits, which the L1 verifier would accept as correctly executed.
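The bug class described above, as an added toy model in Rust (not zkSync's circuit code): a linear combination is built for the high half of a written value, but without `enforce_zero` it never becomes a constraint. Only the name `enforce_zero` comes from the page; `ConstraintSystem`, `LinearCombination::equal`, `memory_write` and the 61-bit field are assumptions made for illustration.

```rust
// Toy constraint system; added illustration, not zkSync's actual circuit code.
const P: u128 = (1 << 61) - 1; // small prime field standing in for the real one
type Var = usize;

#[derive(Default)]
struct ConstraintSystem {
    witness: Vec<u128>,                      // prover-chosen assignments
    zero_constraints: Vec<Vec<(u128, Var)>>, // each must evaluate to 0 mod P
}
impl ConstraintSystem {
    fn alloc(&mut self, value: u128) -> Var {
        self.witness.push(value % P);
        self.witness.len() - 1
    }
    fn is_satisfied(&self) -> bool {
        self.zero_constraints.iter().all(|lc| {
            lc.iter().fold(0u128, |acc, &(c, v)| (acc + c * self.witness[v]) % P) == 0
        })
    }
}

struct LinearCombination(Vec<(u128, Var)>);
impl LinearCombination {
    // Represents a - b; it only binds the witness once enforce_zero is called.
    fn equal(a: Var, b: Var) -> Self {
        LinearCombination(vec![(1, a), (P - 1, b)])
    }
    fn enforce_zero(self, cs: &mut ConstraintSystem) {
        cs.zero_constraints.push(self.0);
    }
}

/// `computed` is the (low, high) value the VM produced; `queued` is what the
/// prover placed in the memory queue. Returns whether the proof would check out.
fn memory_write(computed: (u128, u128), queued: (u128, u128), patched: bool) -> bool {
    let mut cs = ConstraintSystem::default();
    let (c_lo, c_hi) = (cs.alloc(computed.0), cs.alloc(computed.1));
    let (q_lo, q_hi) = (cs.alloc(queued.0), cs.alloc(queued.1));
    LinearCombination::equal(c_lo, q_lo).enforce_zero(&mut cs);
    let lc_hi = LinearCombination::equal(c_hi, q_hi);
    if patched {
        lc_hi.enforce_zero(&mut cs); // the call that was missing
    } // otherwise lc_hi is dropped and q_hi stays a free witness
    cs.is_satisfied()
}

fn main() {
    let computed = (20_000u128, 0u128); // constructed sample values
    let tampered = (20_000u128, 100_000u128);
    println!("unpatched accepts tampered high half: {}", memory_write(computed, tampered, false));
    println!("patched accepts tampered high half:   {}", memory_write(computed, tampered, true));
}
```

A constraint-count check in circuit unit tests (asserting that every allocated witness appears in at least one enforced constraint) is one way to surface a dropped linear combination like `lc_hi`.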
## Exploitation
- Status: **Proof-of-Concept (PoC) available and successfully demonstrated** against the L2EthToken within the bridge functionality (as described by the authors).
- Complexity: Low (once the circuit flaw is understood, the specific exploitation target—the L2 ETH token balance stored in memory—is straightforward).
- Attack Vector: Network (via submitting a malicious transaction/state update package that results in an invalid block execution being proven validly).
## Impact
- Confidentiality: Low (The core issue is integrity/soundness, not disclosure of secrets).
- Integrity: **Critical** (Ability to arbitrarily alter stored values, leading to unauthorized value modification, demonstrated by turning small ETH amounts into large ones).
- Availability: Medium (The soundness failure could lead to consensus issues if not detected, but the primary impact is financial loss/integrity breach).
## Remediation
### Patches
- Patches were deployed by Matter Labs following the discovery and reporting on September 19th, 2023. The specific commit/version number containing the fix is not detailed in the source text.
### Workarounds
- No specific vendor-provided workarounds are detailed, as a full patch was issued. The primary implicit mitigation prior to the patch was relying on out-of-band security auditing, which failed in this case.
## Detection
- Indicators of Compromise (IoCs): Acceptance of proof submissions that correspond to state transitions where low-value deposits result in disproportionately high L2 balance increases (specifically targeting operations interacting with the L2 ETH token balance storage).
- Detection Methods and Tools: Rigorous formal verification and symbolic execution tools applied specifically to the constraint generation phase of ZK-circuits, focusing on memory operations (`MemoryWriteQuery` constraints).
## References
- Vendor Advisories: Matter Labs (Fix deployed promptly after disclosure on Sep 19, 2023).
- Relevant Links:
  - ChainLight Blog Post: hxxps://blog[.]chainlight[.]io/uncovering-zk-evm-soundness-bug-in-zksync-era