Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

zkFuzz: Foundation and Framework for Effective Fuzzing of Zero-Knowledge Circuits

Hideaki Takahashi, Jihwan Kim, Suman Jana, Junfeng Yang

TL;DR

This work introduces Trace-Constraint Consistency Test (TCCT), a language-agnostic model that captures under- and over-constrained bugs in zero-knowledge circuits by unifying execution traces with circuit constraints. Building on TCCT, zkFuzz jointly mutates ZK witness-generation programs and inputs to disclose TCCT violations, guided by a novel min-sum fitness and target selectors. Evaluated on 452 Circom circuits, zkFuzz finds 85 bugs (including 59 zero-days) with zero false positives, with 39 confirmed and 14 fixed by developers, and demonstrates a scalable Noir prototype. The results underscore the practical value of a semantics-aware fuzzing approach that generalizes across DSLs and improves bug detection beyond static analyzers and formal methods.

Abstract

Zero-knowledge (ZK) circuits enable privacy-preserving computations and are central to many cryptographic protocols. Systems like Circom simplify ZK development by combining witness computation and circuit constraints in one program. However, even small errors can compromise security of ZK programs -- under-constrained circuits may accept invalid witnesses, while over-constrained ones may reject valid ones. Static analyzers are often imprecise with high false positives, and formal tools struggle with real-world circuit scale. Additionally, existing tools overlook several critical behaviors, such as intermediate computations and program aborts, and thus miss many vulnerabilities. Our theoretical contribution is the Trace-Constraint Consistency Test (TCCT), a foundational, language-independent formulation of ZK circuit bugs. TCCT provides a unified semantics that subsumes prior definitions and captures both under- and over-constrained vulnerabilities, exposing the full space of ZK bugs that elude prior tools. Our systems contribution is zkFuzz, a novel program mutation-based fuzzing framework for detecting TCCT violations. zkFuzz systematically mutates the computational logic of Zk programs guided by a novel fitness function, and injects carefully crafted inputs using tailored heuristics to expose bugs. We evaluated zkFuzz on 452 real-world ZK circuits written in Circom, a leading programming system for ZK development. zkFuzz successfully identified 85 bugs, including 59 zero-days-39 of which were confirmed by developers and \nfixed fixed, including bugs undetectable by prior works due to their fundamentally limited formulations, earning thousands of bug bounties. Our preliminary research on Noir, another emerging DSL for ZK circuit, also demonstrates the feasibility of zkFuzz to support multiple DSLs.

zkFuzz: Foundation and Framework for Effective Fuzzing of Zero-Knowledge Circuits

TL;DR

This work introduces Trace-Constraint Consistency Test (TCCT), a language-agnostic model that captures under- and over-constrained bugs in zero-knowledge circuits by unifying execution traces with circuit constraints. Building on TCCT, zkFuzz jointly mutates ZK witness-generation programs and inputs to disclose TCCT violations, guided by a novel min-sum fitness and target selectors. Evaluated on 452 Circom circuits, zkFuzz finds 85 bugs (including 59 zero-days) with zero false positives, with 39 confirmed and 14 fixed by developers, and demonstrates a scalable Noir prototype. The results underscore the practical value of a semantics-aware fuzzing approach that generalizes across DSLs and improves bug detection beyond static analyzers and formal methods.

Abstract

Zero-knowledge (ZK) circuits enable privacy-preserving computations and are central to many cryptographic protocols. Systems like Circom simplify ZK development by combining witness computation and circuit constraints in one program. However, even small errors can compromise security of ZK programs -- under-constrained circuits may accept invalid witnesses, while over-constrained ones may reject valid ones. Static analyzers are often imprecise with high false positives, and formal tools struggle with real-world circuit scale. Additionally, existing tools overlook several critical behaviors, such as intermediate computations and program aborts, and thus miss many vulnerabilities. Our theoretical contribution is the Trace-Constraint Consistency Test (TCCT), a foundational, language-independent formulation of ZK circuit bugs. TCCT provides a unified semantics that subsumes prior definitions and captures both under- and over-constrained vulnerabilities, exposing the full space of ZK bugs that elude prior tools. Our systems contribution is zkFuzz, a novel program mutation-based fuzzing framework for detecting TCCT violations. zkFuzz systematically mutates the computational logic of Zk programs guided by a novel fitness function, and injects carefully crafted inputs using tailored heuristics to expose bugs. We evaluated zkFuzz on 452 real-world ZK circuits written in Circom, a leading programming system for ZK development. zkFuzz successfully identified 85 bugs, including 59 zero-days-39 of which were confirmed by developers and \nfixed fixed, including bugs undetectable by prior works due to their fundamentally limited formulations, earning thousands of bug bounties. Our preliminary research on Noir, another emerging DSL for ZK circuit, also demonstrates the feasibility of zkFuzz to support multiple DSLs.

Paper Structure

This paper contains 35 sections, 3 theorems, 8 equations, 6 figures, 9 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Background
  3. ZK Proof Systems
  4. Overview of Vulnerabilities in ZK Programs
  5. Circom Primer
  6. Definitions of ZK Program Vulnerabilities
  7. Incompleteness of Prior Definitions
  8. Trace-Constraint Consistency Test
  9. Vulnerable and Benign Examples
  10. zkFuzz: Design
  11. Joint Program Mutation & Input Generation
  12. Guided Search
  13. zkFuzz: Implementation
  14. zkFuzz: Core Implementation
  15. zkFuzz++: Optimization with Target Selection via Static Analyzers
  16. ...and 20 more sections

Key Result

Theorem 1

Let $\langle \mathcal{P}, \mathcal{C} \rangle$ denote a TCCT instance. a) Deciding if $\mathcal{C}$ is under-constrained for $\mathcal{P}$ is NP-complete. b) Deciding if $\mathcal{C}$ is over-constrained for $\mathcal{P}$ is NP-complete. c) TCCT is co-NP-complete.

Figures (6)

  • Figure 1: Overview of ZK proof systems. The circuit compiler processes a ZK program into a witness computation program and circuit constraints. Prover executes the witness program to obtain a trace (witness and public values) and creates a proof using the proving system. The verifier validates the proof using the verification system with the public output, the constraint, and the proof. Our fuzzer checks the inconsistencies between the computation logic and the circuit constraints in the ZK program.
  • Figure 2: Basic workflow of zkFuzz. This fuzzing framework systematically mutates program logic and feeds artificially generated input data to the original and mutated programs to catch inconsistencies between the program and the constraint. The error-based fitness function is utilized to steer the selection and crossover of mutants. Several target selectors are also applied for input generation and program mutation to guide the search.
  • Figure 3: Detection Time Analysis. Both modes of zkFuzz are superior to other methods.
  • Figure 4: Relative execution time for discovering each unique bug compared to the default setting. Removing each heuristic degrades detection performance by over 100x.
  • Figure 5: Impact of mutation strength and population size on zkFuzz++. zkFuzz++ consistently maintains strong bug detection performance across various hyperparameter settings.
  • ...and 1 more figures

Theorems & Definitions (14)

  • Definition 1: ZK Program
  • Definition 2: Execution Trace
  • Definition 3: Trace Set
  • Definition 4: Constraint Satisfaction Set
  • Definition 5: Projection
  • Definition 6: Under-Constrained Circuit
  • Definition 7: Over-Constrained Circuit
  • Definition 8: Trace-Constraint Consistency Test
  • Theorem 1
  • proof : Proof of Theorem \ref{['thm:under-constrained-detection-np-complete']}
  • ...and 4 more