Today we're announcing that as a result of Aztec Labs' full investigation into a vulnerability in Aztec Connect, we have paid $450,000 to a whitehat independent security researcher through our Immunefi bug bounty program.
On September 12th, independent security researcher lucash-dev discovered a vulnerability in Aztec Connect, Aztec Labs’ zkRollup system designed to enhance privacy in DeFi operations.
Recognizing the gravity of the situation, Aztec's team moved swiftly to mitigate any potential damage, temporarily restricting public access to the affected workflow.
The team has conducted a full technical postmortem, the result of which you can view here:
https://hackmd.io/@aztec-network/claim-proof-bug
We remain extremely committed to open-source software development, and see the treatment of this vulnerability as further evidence of the robustness of the open source community.
As a reminder, Aztec Labs will no longer support its first-party front-end zk.money after March, 2024. Users are reminded and urged to withdraw funds as soon as possible by navigating to zk.money.
Full withdrawal documentation can be found here.
{{blog_divider}}
Summary
At the heart of the issue was the computation related to determining a user's output from an intended DeFi interaction–in other words, the funds a user gets back after initiating a transaction within Aztec Connect. Due to this oversight, a malicious sequencer–and only a malicious sequencer–could exploit this computation via Aztec Connect’s escape hatch, a mechanism for individuals to exit funds directly to L1 Ethereum.
The primary challenge emanated from the inherent complexities of executing integer arithmetic within ZK circuits. These circuits are designed to operate over finite fields, making integer operations particularly tricky.
The crux of the problem was tied to the system's handling of integer division and the subsequent remainders. In the absence of proper constraints, a sequencer could manipulate the `user_output` value, adjusting the remainder to ensure the primary equation still held true. This opened up avenues for multiple valid decompositions for a single value, making it a target for exploitation.
The remedy involved introducing stringent constraints to ensure a consistent and direct mapping between the original values and their decomposed counterparts. Furthermore, to prevent any undue advantage to the sequencer, the remainder value was also carefully constrained.
This incident with Aztec Connect serves as a poignant reminder of the complexities and potential pitfalls inherent in developing large-scale projects, even with extensive auditing. It underscores the necessity for continuous scrutiny, highlighting the invaluable role of bug bounty programs in maintaining the security and reliability of such systems.
{{blog_divider}}
Conclusion
Our $450,000 bug bounty payment to lucash-dev is our largest ever, and a reiteration of our commitment to open source software development.
We appreciate him and the broader ZK community for maintaining a high degree of vigilance over complex crypto systems.
We strongly encourage all users of zk.money and third party Aztec Connect products to withdraw funds as soon as possible. Support for zk.money will be sunset in March 2024, after which individuals will have to withdraw funds by running their own sequencers.