Zero-Knowledge Security Workshop by Veridise

Veridise's Mikko Ikola reached out to me to ask if I could list Veridise, the company, to my published list of audit firms. Which of course, I did. When I browsed their website, I stumbled upon this magnificient zero-knowledge ("ZK") security workshop they organised together with Secureum in October-November 2023 👇

ZK Security Workshop recap: Winners and presentations

Especially helpful are the lecture slides, all provided by Veridise:

• An Intro to ZK languages and Frameworks (Kostas Ferles, CRO)
• Abstracting ZK Circuits with Graphs (Daniel Dominguez, Security Engineer)
• Static Analysis for ZK Circuits (Kostas Ferles, CRO)
• Underconstrained circuits and the Picus tool (Shankara Pailoor, Research Scientist)

As well as the guest presentation recordings:

• Lessons Learned from Securing Scroll zkEVM (Haichen Shen, Scroll co-founder)
• Circuit Techniques for Scaling Data Access on Ethereum (Yi Sun, Axiom co-founder)
• Tips for safe Circom circuits (Blockdev, Ethereum Foundation’s PSE team, software engineer)

Curious about zero-knowledge technology?

Before diving into the security implications of zero-knowledge tech, I suggest you start with the basics. The Ethereum Foundation has a nice introduction on zero-knowledge proofs, as well as Binance Academy (don't shoot me for linking to Binance, it is an informative article, written by Kenny Li, co-founder of Manta Network).

For more resources on zk tech feel free to check-out:

• zkintro (introduction and practical programming course)
• zk-learning (MOOC, spring 2023 - but the resources are still available online)
• ZKSECURITY (⚠️ watch out, this seems to be pretty advanced stuff)
• Awesome zero knowledge proofs by Matter Labs (yet another curated list 😅)
• Rareskills zk-book & zk-bootcamp (⚠️ watch out, these are not free)

Additional reading by Veridise

There are more gems on the Veridise blog, for example Breakdown of 100 security audits: Key insights from 1605 vulnerability findings.

I think the views from the article align with my perception that, more recently, the larger losses stem from a) "old school" hacks (e.g. private key theft through social engineering attacks), b) business logic errors. I don't always closely follow the latest news with regards to exploits, but I have the impression that reentrancy attacks and so forth are not as popular as they were before. I guess due to projects improving their smart contract security game (higher code quality, more code audit(s) before go-live, ...)