Glad to have contributed to the security of the Solana ecosystem! Thanks to the @anza_xyz team for the swift response and timely mitigation. The bug involves a subtle Fiat-Shamir issue we call the Phantom Challenge. A full technical write-up will be published soon.

Bitcoin is an unstoppable agent that rewards those who help secure it.

Very interesting product. Just created my Circles profile! Looking to get trusted by someone who’s already in the network. @aboutcircles https://t.co/F6g2w9t6Ml

This is cool! LLM is changing how we review code.

This will be the best PlonK tutorial!

Trying to learn about the latest stuff in STARK-land? Come check out our new write up: Circle STARKs: Part III, Circle FFT https://t.co/nUTurQIcaM

当前区块链最成功的应用，不是 ToC 或 ToB，而是 ToA（To Asset）。

We reported this bug to a number of projects (including semaphore) after finding it with our internal AI tooling (SnarkSentinel). The bug would have allowed proving that arbitrary leaves were part of a Merkle tree! Read more about how SnarkSentinel helps us find bugs 👇🏼

🧵 Over the last few months, we’ve published a range of blog posts exploring the technical challenges and ideas shaping zero-knowledge proofs, cryptography, and security. This thread rounds up the latest, from finding bugs using AI to post-quantum SNARKs 👇

This is another interesting ZK bug found recently. Read our blogpost to learn the query collision bug of Halo2.

Bug Hunt: Zero-Knowledge, Full-Paranoia, and the AI That Stares Back https://t.co/Bimbis4q6J

Just staked my selfie at @everstake_pool — 100+ chains, 0 downtime #EthCC8

Trust, But Measure: A Friendly Intro to TEEs with Intel TDX https://t.co/TVeeIV4blg For the 5th session of Proof is in the Pudding, we teamed up with Archetype to whiteboard an introduction to Trusted Execution Environments (TEEs).

We'll be in Cannes on Tuesday! Come meet the zkSecurity team and come talk about zero-knowledge proof, cheese, and wine over a ZK picnic! https://t.co/SdU2vnF1tP

@anza_xyz Here is our technical writeup about the vulnerability: https://t.co/83abzu16NM

@anza_xyz This bug started as a weekend curiosity and became a real-world disclosure. Thanks to the Anza and Solana teams for their fast response.

@anza_xyz We've published a full writeup explaining how sigma OR proofs work, what went wrong, and how to avoid similar bugs in zero knowledge systems: https://t.co/hefTV2m7yg

@anza_xyz This bug highlights a tricky part of sigma OR proofs: Some "challenges" come from the prover, not the verifier. If these are not included in the transcript, the protocol can be forged. That’s why we call it the Phantom Challenge.

With this gap, a malicious prover could manipulate encrypted fee values to mint or burn tokens without revealing the actual transfer amount. We reported it to @anza_xyz through GitHub Security Advisory. They responded quickly and mitigated the issue across all Solana clusters.

The root cause was a subtle mistake in the Fiat-Shamir transformation. A prover-generated challenge wasn’t absorbed into the transcript. This broke the soundness of the sigma OR proof.

We found a critical soundness bug in Solana’s ZK ElGamal Proof Program. We call it the Phantom Challenge bug. It allowed attackers to forge sigma OR proofs and bypass fee checks in confidential transfers. Here’s how it works: