ChainLight, a blockchain security audit firm, has uncovered a vulnerability within the zkSync Era protocol that, if exploited, had the potential to result in a loss of $1.9 billion.
The flaw was detected within zkSync Era’s zk-circuits, which were designed to verify the accuracy of transaction data without revealing sensitive information about the parties involved.
In a blog post, ChainLight explained that this vulnerability could have allowed a malicious actor to manipulate transactions within a block while still having them validated as accurate. This could have resulted in layer-1 smart contracts accepting these proofs, unaware of the altered transaction values they contained.
Had the attack succeeded, the malicious actor could have siphoned off 100,000 ether (ETH), equivalent to an estimated $1.9 billion at the time of its disclosure.
Despite this potential threat, zkSync Era had multiple security layers in place, making it highly challenging for anyone to execute the exploit unless they were affiliated with Matter Labs, the infrastructure team behind zkSync Era.
Anton Astafiev, the head of security at Matter Labs, revealed that exploiting this vulnerability would have required the utmost level of security privilege across their infrastructure. An attacker would have had to access the protocol’s backend to directly inject the malicious code or obtain the validator private key used for signing blocks. Furthermore, they would have needed to endure a mandatory 21-hour waiting period before withdrawing any funds due to an execution delay.
Astafiev emphasized that the bug in question was related to their old prover and not the current Boojum, indicating that the code would soon become entirely obsolete and retired.
Upon being alerted to this critical bug, ChainLight reported that Matter Labs promptly addressed and resolved the issue. As a token of appreciation, the ChainLight team received 50,000 USDC for their discovery.
Astafiev clarified that this particular bug was not formally part of the existing bug bounty programs or public contests. They evaluate out-of-scope findings based on their real-world impact to determine their significance and the corresponding reward.
Matter Labs is enthusiastic about future collaborations with ChainLight and other security-focused organizations. Astafiev emphasized the importance of multi-layer defense architectures, such as the ones implemented by Matter Labs for zkSync, highlighting that no single layer of protection can ever be entirely secure, which is why there can be no single point of failure.