Rumata888 retweetledi
Rumata888
261 posts
Rumata888
@rumata888
Security Team Lead at @aztecnetwork. @CTFZone organizer. Love cryptography, fuzzing, breaking systems. Views are my own.
Katılım Mart 2012
504 Takip Edilen358 Takipçiler
Rumata888 retweetledi
The secret weapon for lightning-fast authentication with Aztec is the ingeniously optimized ecdsa verification in barretenberg.
This isn't a theoretical optimization: we're talking <1s proving time & 30ms verification. Lets do a deep dive 🧵
(Source: ethproofs.org/csp-benchmarks)
Mike Connor@mike_connor
Aztec can do exactly this. All of it. I’m so happy. I can’t stress how exactly Aztec can do this. Fast client-side proving on desktop and mobile, well under 1GB RAM. Native, private account abstraction is already built into Aztec. Think of a way to authenticate a user… Eth signature / Safe multisig / Sign in with google / email / password=Hunter2 / a live video of your cat / a signature from Vitalik telling you he’s proud of you? You can build Aztec smart contracts that can do this today. You’ll be able to provide your users with familiar and private access to Ethereum.
English
Rumata888 retweetledi
[POC2025] SPEAKER UPDATE
👤 Innokentii Sennovskii(@Rumata888) - "Zero Knowledge, Full Coverage: A Fuzzing Paradox"
#POC2025
English
Rumata888 retweetledi
token 2022 passed six audits, used one of the simpler and more conservative zk systems - bulletproofs for confidential transactions.
And still had a fatal money printing zk bug. Moreover, a "not including all inputs in Fiat Shamir" bug, you'd think people would know to look for.
Zk is hard. We need to think of soundness verifiability more than prover speed.
In particular, it should be totally doable to come up with ways for the compiler to warn (or just not compile!) code with missing Fiat-Shamir inputs.
English
POV of a crypto privacy lawyer attending their next 1:1 with founders after OFAC delisted tornado cash
English
English
I am thrilled that our fuzzer uncovered another critical bug in the Noir infrastructure, compromising both soundness and completeness (see github.com/noir-lang/noir…). 🔥 If you're interested in fuzzing your ZK infrastructure, let's talk! @NoirLang Kudos for the swift fix! 👏
English
@levs57 Yes, the cost will be the same (I'm assuming you put the cost of writing module representations of A and B into O(1)). If using sumcheck + plonkish arithmetization + lookups you can easily disable unused relations so you are not paying for what you're calling "stack interactions"
English
@rumata888 differentiator - what is the cost of running
`let y = if condition {A(x)} else {B(x)}`
for two static circuits A, B?
for us it will be max(|A|, |B|) + O(1)
note that cost of |A|, |B| is without overhead compared to circuit model
English
1./ Our new paper, Morgana. We have found a way to add control flow to circuits (or, from VM perspective, turn everything into precompiles) 🧵
eprint.iacr.org/2025/65
English
@rumata888 it is a bit hard to understand what exactly are you describing - do you mean that in plonkish arithmetization you are able to lookup the selectors and achieve similar behavior to what we suggest?
English
@rumata888 likely very different, but I'd like to get a reference on this method, not sure to what this refers to
if you mean fetching opcodes using vectorized lookups, then answer is yes, different - you will not be able to obviate stack interactions of the opcodes that were fetched
English
5./ But most important part is that it unlocks a totally new approach to branching: we can build a small VM which unrolls the loops dynamically and build the circuit, which then is executed by our circuit proof system.
English
Rumata888 retweetledi
@weikengchen Yes, and there is a difference between a vulnerability discovered externally and sequential lapses in security
English
@rumata888 you know a lot of people got into troubles during that FTX incident right? underperforming is okay, but betting incorrectly too many times does ruin a fund, and there are so many examples
English
Here is my advice: talk to the management team to report a security bug, don’t talk to the security team. So many people in Kraken will lose jobs this time.
CertiK@CertiK
CertiK recently identified a series of critical vulnerabilities in @krakenfx exchange which could potentially lead to hundreds of millions of dollars in losses. Starting from a finding in @krakenfx's deposit system where it may fail to differentiate between different internal transfer statuses, we conducted a thorough investigation with three key questions: 1/ Can a malicious actor fabricate a deposit transaction to a Kraken account? 2/ Can a malicious actor withdraw fabricated funds? 3/ What risk controls and asset protection might be triggered by a large withdrawal request? According to our testing result: The Kraken exchange failed all these tests, indicating that Kraken’s defense in-depth-system is compromised on multiple fronts. Millions of dollars can be deposited to ANY Kraken account. A huge amount of fabricated crypto (worth more than 1M+ USD) can be withdrawn from the account and converted into valid cryptos. Worse yet, no alerts were triggered during the multi-day testing period. Kraken only responded and locked the test accounts days after we officially reported the incident. Upon discovery, we informed Kraken, whose security team classified it as Critical: the most serious classification level at Kraken. After initial successful conversions on identifying and fixing the vulnerability, Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses. In the spirit of transparency and our commitment to the Web3 community, we are going public to protect all users' security. We urge @krakenfx to cease any threats against whitehat hackers. Together, we can face risks and safeguard the future of Web3. #Web3 #Security #Transparency
English
@weikengchen And investor job security should be directly related to their investments. They should be fired after one underperforming investment even if others are doing great.
English
@rumata888 The way it works for security team is that they need to be aware that their job security is directly related to the platform security.
English
Rumata888 retweetledi
@mike_connor Yes, that's a wonderful way to demotivate deep work. Just spam typo PRs
English
Also, further distinguishing airdrop amounts based on "number of commits" isn't benefiting me anymore, so please stop doing that too. :P
English
Airdropping based on GitHub commits is lazy and divisive.
Not everything needs to be automated. Reach out to teams. Ask them who contributes.
E.g. there are so many amazing non-devs at Aztec Labs whose invaluable contributions are overlooked due to this. It's a real shame.
English
