#ChainLight , a #blockchain security audit firm, discovered a critical vulnerability in the #zkSyncEra protocol, potentially risking a $1.9 billion loss if exploited. The vulnerability was located in zkSync Era's zk-circuits, designed to validate transaction data securely. A malicious actor could manipulate transactions within a block and have them falsely verified, causing layer-1 smart contracts to accept these fraudulent proofs.
However, the protocol had robust security measures in place, making it challenging to exploit unless the attacker had privileged access to Matter Labs, the infrastructure team behind zkSync Era. The attacker would need access to the protocol's backend or validator private key, and endure a 21-hour waiting period for fund extraction due to an execution delay.
#MatterLabs quickly addressed the issue after ChainLight's report, and the security firm was rewarded with 50,000 #usdc for discovering the bug. The bug was not part of existing bug bounty programs, but its impact warranted recognition. Matter Labs expressed a commitment to collaborating with ChainLight and other security-focused organizations, emphasizing the importance of multi-layer defense architectures to prevent single points of failure in security.