Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Aztec Connect Claim Proof Bug - 1276

Aztec · Posted 2 Years Ago
  • Aztec Connect is a privacy zkRollup used for DeFi. One of its novel features is the ability to move funds privately between the rollup and DeFi contracts on L1.
  • At a high level, here's how the protocol works:
    1. User submits a DeFi interaction deposit proof to the mempool. The proof keeps the identity private.
    2. The sequencer groups these interactions from the same protocol together then rolls them up to be sent.
    3. Once receiving the rollup proof, the smart contract on Ethereum will act on behalf of users to exchange and perform other operations.
    4. On the next rollup the sequencer completes special claim proofs, splitting the newly received tokens between users.
  • The program is written as zero-knowledge circuits. Because a circuit runs over a finite field rather than the integers, even trivial math becomes complicated to express. Aztec Connect uses TurboPlonk to build the connected gates.
  • How do these circuits work? Simple math properties over a finite field must be discussed first:
    • Addition: Add a value and wrap around if necessary.
    • Multiplication: Multiply a value and wrap around if necessary.
    • Negation: Finding the value that sums with the original to 0 within the finite field. For instance, if the field has size 5 and the value I have is 2, then the negation is 3, since 2+3 = 0 mod 5.
    • Inverse: The element that becomes 1 when multiplied by the original. 4*4 = 16 = 1 mod 5.
    • Subtraction: Add in the negated element.
    • Division: Multiplication by the inverse.
  • There are two main parts to a gate: selectors and witness values. Selectors (the q values) are chosen by the circuit writer to define the logic of the circuit. The witness values (the w values: wl, wr and w0 are the left, right and output wires) are the intermediate states of the circuit, and they are connected together across gates within the circuit. Each gate turns into the following equation:
    qm * wl * wr + q1 * wl + q2 * wr + q3 * w0 + qc = 0 mod p
    
  • If we wanted to show that y = 4x^3 + 2, then we need two gates. The first, wl * wr - w0 = 0 mod p, sets wl = wr = x and forces w0 = x^2; the second, 4 * wl * wr - w0 + 2 = 0 mod p, takes wl = x^2 and wr = x and forces w0 = y. All in all, we don't need to prove the computation; we need to prove that the witness values satisfy the gates.
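  The gate equation above, worked through in code. This is an added example and not Aztec's or the post's code: it uses a toy 7-bit prime instead of a real 254-bit field, and the `Gate` layout and witness indices are my own assumptions. It builds the two gates for y = 4x^3 + 2 and checks whether a witness satisfies every gate, which is all a verifier has to establish.

```python
# Added example (not Aztec's code): PlonK-style arithmetic gates over a small
# prime field, and a check that a witness satisfies the whole circuit.
from dataclasses import dataclass

P = 101  # toy prime modulus (assumption); real circuits use a ~254-bit prime


def add(a: int, b: int) -> int:
    return (a + b) % P            # add and wrap around


def mul(a: int, b: int) -> int:
    return (a * b) % P            # multiply and wrap around


def neg(a: int) -> int:
    return (-a) % P               # the value that sums with a to 0


def inv(a: int) -> int:
    if a % P == 0:
        raise ZeroDivisionError("0 has no inverse in the field")
    return pow(a, P - 2, P)       # Fermat: a^(p-2) * a = 1 mod p for prime p


def sub(a: int, b: int) -> int:
    return add(a, neg(b))         # subtraction = adding the negated element


def div(a: int, b: int) -> int:
    return mul(a, inv(b))         # division = multiplying by the inverse


@dataclass(frozen=True)
class Gate:
    # selectors chosen by the circuit writer
    qm: int
    ql: int
    qr: int
    qo: int
    qc: int
    # indices into the witness vector for the left, right and output wires
    l: int
    r: int
    o: int


def gate_holds(g: Gate, w: list[int]) -> bool:
    """qm*wl*wr + ql*wl + qr*wr + qo*wo + qc == 0 mod p for this gate."""
    wl, wr, wo = w[g.l], w[g.r], w[g.o]
    return (g.qm * wl * wr + g.ql * wl + g.qr * wr + g.qo * wo + g.qc) % P == 0


def circuit_holds(gates: list[Gate], w: list[int]) -> bool:
    """The verifier's job: every gate must be satisfied by the same witness."""
    return all(gate_holds(g, w) for g in gates)


# y = 4x^3 + 2 as two gates. Witness layout (assumption): w[0]=x, w[1]=x^2, w[2]=y.
CUBIC_GATES = [
    Gate(qm=1, ql=0, qr=0, qo=neg(1), qc=0, l=0, r=0, o=1),  # x*x - x2 = 0
    Gate(qm=4, ql=0, qr=0, qo=neg(1), qc=2, l=1, r=0, o=2),  # 4*x2*x - y + 2 = 0
]


def cubic_witness(x: int) -> list[int]:
    """An honest prover fills in the intermediate wire values for input x."""
    x2 = mul(x, x)
    y = add(mul(4, mul(x2, x)), 2)
    return [x, x2, y]


if __name__ == "__main__":
    w = cubic_witness(3)
    print("witness", w, "satisfies circuit:", circuit_holds(CUBIC_GATES, w))
    w[2] = add(w[2], 1)  # tamper with the claimed output
    print("tampered witness satisfies circuit:", circuit_holds(CUBIC_GATES, w))
```

The wire connections (the output wire of gate one feeding the left input of gate two) are expressed here simply by reusing the same witness index; in a real PlonK circuit that sharing is what the permutation argument enforces.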
  • The amount should be user_output = total_output * (user_input/total_input) for a given trade. The variable user_input will be floored in most cases, so the circuit also tries to find the division remainder to give to the user. To do this, the implementation split the number into limbs (smaller chunks of the number), and by doing so the one-to-one correspondence modulo p was lost: for a given value, that value plus any multiple of p was also accepted as valid.
  • On top of this, the constraints on the remainder did not exist. According to the authors of the post, this could have allowed the sequencer to create proofs that assign a depositor far fewer funds than they should receive.
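  Both failure modes described above, the lost one-to-one correspondence modulo p and the unconstrained remainder, shown side by side with the checks that close them. This is an added example, not code from Aztec or from the post: the toy modulus, the 4-bit limb width and the function names are my own assumptions, and the "share" is reduced to a single integer division a = q*b + r.

```python
# Added example (not Aztec's code): underconstrained division-with-remainder
# and non-canonical limb decompositions over a toy prime field.
P = 101          # toy prime modulus (assumption)
LIMB_BITS = 4    # toy limb width (assumption); a real circuit uses much wider limbs


def honest_split(a: int, b: int) -> tuple[int, int]:
    """What the prover is supposed to supply: floor quotient and remainder."""
    return divmod(a, b)


def underconstrained_share_ok(a: int, b: int, q: int, r: int) -> bool:
    """Only the field identity a == q*b + r (mod p) is enforced.
    Any r can be made to work by solving for q in the field."""
    return (q * b + r) % P == a % P


def constrained_share_ok(a: int, b: int, q: int, r: int) -> bool:
    """Adds the integer-domain facts the circuit must also enforce:
    the remainder is in range, and q*b + r does not wrap past the modulus."""
    if not (0 <= r < b):
        return False              # missing in the bug: r must be a real remainder
    if q < 0 or q * b + r >= P:
        return False              # no wraparound, so the identity holds over the integers
    return q * b + r == a


def forge_remainder(a: int, b: int, wanted_q: int) -> tuple[int, int]:
    """A malicious prover picks the quotient it wants and solves for r in the field."""
    return wanted_q, (a - wanted_q * b) % P


def recombine(limbs: list[int]) -> int:
    """Field element represented by little-endian limbs, reduced mod p."""
    return sum(limb << (LIMB_BITS * i) for i, limb in enumerate(limbs)) % P


def limbs_canonical(limbs: list[int]) -> bool:
    """Range constraints that restore the one-to-one mapping: every limb fits
    its width, and the integer they encode is already below p."""
    if any(not (0 <= limb < (1 << LIMB_BITS)) for limb in limbs):
        return False
    value = sum(limb << (LIMB_BITS * i) for i, limb in enumerate(limbs))
    return value < P


if __name__ == "__main__":
    a, b = 35, 10                        # constructed: user numerator and total_input
    q, r = honest_split(a, b)
    print("honest (q, r):", (q, r), constrained_share_ok(a, b, q, r))
    q, r = forge_remainder(a, b, 0)      # claim the user is owed a quotient of 0
    print("forged (q, r):", (q, r),
          "weak check:", underconstrained_share_ok(a, b, q, r),
          "strict check:", constrained_share_ok(a, b, q, r))
    print("limbs [3, 2] and [8, 8] both recombine to",
          recombine([3, 2]), recombine([8, 8]),
          "but only [3, 2] is canonical:", limbs_canonical([8, 8]))
```

The limb pair [8, 8] encodes the integer 136 = 35 + 101, which is exactly the "any multiple of p" case from the notes: it recombines to the same field element as [3, 2] even though every individual limb is in range, so the circuit needs a constraint on the recombined integer as well as on each limb.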
  • Overall, a good description of ZK circuits (which I don't fully get yet) and of missing constraints causing problems. Math is hard enough when there aren't millions of dollars at stake. Good find!