134 matches found
CVE-2023-46232
The CVE concerns era-compiler-vyper (EraVM Vyper compiler for zkSync Era). Before 1.3.10, a bug in initialization of the first immutable variable for Vyper contracts could occur when a String or Array allocates more 256‑bit words than are initialized; the second word’s index could be left unset (...
CVE-2023-46232 era-compiler-vyper First Immutable Variable Initialization vulnerability
era-compiler-vyper is the EraVM Vyper compiler for zkSync Era, a layer 2 rollup that uses zero-knowledge proofs to scale Ethereum. Prior to era-compiler-vyper version 1.3.10, a bug prevented the initialization of the first immutable variable for Vyper contracts meeting certain criteria. The proble...
I’m Now a Full-Time Professional Open Source Maintainer
or, "Holy shit, it works!" Last May I left my job on the Go team at Google to experiment with more sustainable paths for open-source maintainers. I held on to my various maintainer hats (Go cryptography, transparency tooling, age, mkcert, yubikey-agent…), iterated on the model since September, and ...
The Rise of the Rookie Hacker - A New Trend to Reckon With
More zero knowledge attacks, more leaked credentials, more Gen-Z cyber crimes - 2022 trends and 2023 predictions. Cybercrime remains a major threat to individuals, businesses, and governments around the world. Cybercriminals continue to take advantage of the prevalence of digital devices and the...
CVE-2022-29566
The Bulletproofs 2017/1066 paper mishandles Fiat-Shamir generation because the hash computation fails to include all of the public values from the Zero Knowledge proof statement as well as all of the public values computed in the proof, aka the Frozen Heart issue...
Design/Logic Flaw
The Bulletproofs 2017/1066 paper mishandles Fiat-Shamir generation because the hash computation fails to include all of the public values from the Zero Knowledge proof statement as well as all of the public values computed in the proof, aka the Frozen Heart issue...
CVE-2022-29566
CVE-2022-29566 concerns Bulletproofs (2017/1066) where the Fiat-Shamir transformation mishandles hash input, failing to include all public values from the ZK proof statement and those computed during the proof (the Frozen Heart issue). The connected documents identify the root cause as this defic...
PT-2022-19701 · Unknown · Bulletproofs
Name of the Vulnerable Software and Affected Versions: Bulletproofs affected versions not specified Description: The issue arises from the mishandling of Fiat-Shamir generation in the Bulletproofs 2017/1066 paper. Specifically, the hash computation fails to include all public values from the Zero...
What Are Zero-Knowledge Proofs?
How do you make blockchain and other transactions truly private? With mathematical models known as zero-knowledge proofs...
Critical Zcash Bug Could Have Allowed 'Infinite Counterfeit' Cryptocurrency
The developers behind the privacy-minded Zcash cryptocurrency have recently discovered and patched a highly dangerous vulnerability in the most secretive way that could have allowed an attacker to coin an infinite number of Zcash ZEC. Yes, infinite… like a never-ending source of money. Launched i...
Micali-Schnorr Generator (MS-DRBG) Part III - Zero Knowledge Proof Wanted!!
See also Part I and Part II of this series. This is going to be a short blog post about the infamous Micali-Schnorr Random Number Generator (MS-DRBG). See Part I and Part II of this series for more information about this topic. WHO: NIST published the specification for Micali-Schnorr Random Number...
Real World Crypto 2018 (RWC 2018) brain dump
The 2018 edition of Real World Crypto (RWC) was in Zurich (you can find the conference full program here). I live in Switzerland so I was extremely happy about it. RWC is basically the best conference I ever attended and it will probably be so for a while. I almost risked to skip it due to flu but I...
A Typo in Zerocoin's Source Code helped Hackers Steal ZCoins worth $585,000
Are you a programmer? If yes, then you would know the actual pain of... "forgetting a semicolon," the hide and seek champion since 1958. Typos annoy everyone. Remember how a hacker's typo stopped the biggest bank heist in the history, saved $1 billion of Bangladesh bank from getting stolen. But...
VPN daemon written in Go: GoVPN
GoVPN is a simple secure virtual private network daemon. It uses Diffie-Hellman Encrypted Key Exchange (DH-EKE) for mutual zero-knowledge peers authentication and authenticated encrypted data transport. It is written entirely in Go programming language. All packets captured on a network interface ar...