Severity: Critical
Impact Range: The zkEmail circuit and all projects built on top of it, including ZKP2P in production.
Fix Link: https://github.com/zkemail/zk-email-verify/pull/168
The zkEmail circuit did not check the data padding while verifying the DKIM signature. This is a soundness issue: it would allow a malicious prover to produce a valid proof for any forged email.
I reported this bug immediately after finding it. We informed the projects that rely on it. ZKP2P immediately paused their service and performed the fix: https://x.com/zkp2p/status/1754581830357958848
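What a data-padding check has to enforce, as an added example (not code from the zkEmail circuit or from the fix PR). It assumes the signed data is hashed with SHA-256 and that the prover supplies it already padded, inside a fixed-size buffer, together with claimed lengths; the function names, buffer size and sample header are constructed for illustration.

```python
import struct

BLOCK = 64  # SHA-256 block size in bytes


def sha256_pad(msg: bytes) -> bytes:
    """Reference SHA-256 padding (FIPS 180-4): 0x80, zeros, 64-bit big-endian bit length."""
    zeros = (-(len(msg) + 1 + 8)) % BLOCK
    return msg + b"\x80" + b"\x00" * zeros + struct.pack(">Q", len(msg) * 8)


def padding_is_valid(buf: bytes, msg_len: int, padded_len: int) -> bool:
    """Validate a prover-supplied buffer before its hash is trusted.

    buf        : fixed-size input (message, SHA-256 padding, then zero filler)
    msg_len    : claimed message length in bytes
    padded_len : claimed length of message plus padding
    """
    if not (0 <= msg_len < padded_len <= len(buf)):
        return False
    # The padded length must be the minimal whole number of blocks.
    if padded_len != (msg_len + 1 + 8 + BLOCK - 1) // BLOCK * BLOCK:
        return False
    # The byte right after the message must be the 0x80 terminator.
    if buf[msg_len] != 0x80:
        return False
    # Only zeros between the terminator and the length field.
    if any(buf[msg_len + 1 : padded_len - 8]):
        return False
    # The length field must encode the claimed message length in bits.
    if struct.unpack(">Q", buf[padded_len - 8 : padded_len])[0] != msg_len * 8:
        return False
    # Everything past the padded data must be zero filler.
    return not any(buf[padded_len:])


if __name__ == "__main__":
    header = b"from:alice@example.com\r\nsubject:hello\r\n"  # constructed sample
    padded = sha256_pad(header)
    buf = padded + b"\x00" * (192 - len(padded))  # assumed 192-byte input buffer
    print("well-formed buffer accepted:", padding_is_valid(buf, len(header), len(padded)))
    print("inconsistent length rejected:", not padding_is_valid(buf, len(header) - 5, len(padded)))
```

In a circuit, each of these conditions has to be an enforced constraint on the witness; a check that exists only in the off-circuit input generator does not bind the prover.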