
Audit name: [L1] Neo X | zk-dkg Functionality | Jun2025

Date: Aug 4, 2025

Table of Contents

Introduction
Audit Summary
System Overview
Risks
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer


Introduction

We express our gratitude to the Neo X team for the collaborative engagement that enabled the execution of this Blockchain Protocol Security Assessment.

Neo X implements a zero-knowledge Distributed Key Generation (DKG) protocol for Anti-MEV protection using a multi-curve architecture. The protocol enables validators to collaboratively generate threshold public-private key pairs without exposing individual secret shares.

Document

Name: Blockchain Protocol Review and Security Analysis Report for Neo X
Audited By: Reshma Fareed
Approved By: Nino Lipartiia
Website: https://neo.org/
Changelog: 17/07/2025 - Preliminary Report
Changelog: 04/08/2025 - Final Report
Platform: Neo X
Language: Golang
Tags: Zero Knowledge Circuit, Gnark
Methodology: https://hackenio.cc/blockchain_methodology

Review Scope

Repository: https://github.com/bane-labs/zk-dkg/tree/recursion_plonk_groth16
Commit: c79294eb21c030a2dce7b67ad11e0391f350e81a

Audit Summary

Total Findings: 15
Resolved: 11
Accepted: 4
Mitigated: 0

System users should acknowledge all the risks summarized in the Risks section of this report.

Documentation quality

  • Protocol specification and operational guides are missing.

  • Integration guides and deployment documentation are insufficient for production use.

  • Threat model documentation needs development to explain attack vectors and mitigation strategies.

Code quality

  • The code structure remains clear and well-organized.

  • Clean separation of concerns and appropriate use of industry-standard libraries demonstrate sound engineering practices.

  • Input validation, error handling, and secure memory practices require substantial improvement.

  • Defensive programming patterns are inconsistent throughout the codebase.

Architecture quality

  • Sound multi-curve design (secp256k1, BLS12-381, BN254) follows established cryptographic principles.

  • Elegant recursive proof system supports flexible batch processing with scalable validator configurations.

  • Well-structured component separation enables future protocol extensions while maintaining clean abstractions.

  • Industry-standard libraries (gnark, go-ethereum) provide solid cryptographic foundations.

Test coverage

  • Integration tests for end-to-end DKG ceremony workflow are missing, limiting confidence in system behavior.

  • Negative test cases and security-focused scenarios need development to validate edge conditions.

  • Performance and stress testing remain necessary for production deployment readiness.

System Overview

Neo X implements a zero-knowledge Distributed Key Generation (DKG) protocol for Anti-MEV protection using a multi-curve architecture. The protocol enables validators to collaboratively generate threshold public-private key pairs without exposing individual secret shares.

Architecture Components

  • secp256k1: Validator identity keys and ECIES encryption

  • BLS12-381: Key share commitments and polynomial commitments

  • BN254: Zero-knowledge proof generation and verification

DKG Process:

  1. Each validator generates a polynomial and computes commitments

  2. Validators encrypt key shares using ECIES and distribute to peers

  3. Zero-knowledge proofs verify encryption correctness without revealing shares

  4. Validators aggregate received shares to compute final secret shares

  5. Global public key is computed from polynomial commitments
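The five-step process above, as an added Go example that is not code from the zk-dkg repository: a Feldman-style ceremony over P-256 from the Go standard library, which stands in for the report's secp256k1/BLS12-381 curves, with the ECIES transport and zero-knowledge proofs of steps 2 and 3 left out. Deal, VerifyShare, Finalize and Point are assumed names; the receiver-side check in VerifyShare is what lets an honest validator reject a share that does not match the dealer's published commitments.

```go
package main
import (
	"crypto/elliptic"
	"crypto/rand"
	"math/big"
)

// Added example of DKG steps 1, 4 and 5 over P-256, a stand-in for the report's curves; ECIES and ZK proofs omitted.
var curve, order = elliptic.P256(), elliptic.P256().Params().N
type Point struct{ X, Y *big.Int }

// Deal: a dealer draws a random degree t-1 polynomial f, publishes C_i = a_i*G and computes f(j) for j = 1..n.
func Deal(t, n int) (commits []Point, shares []*big.Int) {
	coeffs := make([]*big.Int, t)
	for i := range coeffs {
		coeffs[i], _ = rand.Int(rand.Reader, order)
		x, y := curve.ScalarBaseMult(coeffs[i].Bytes())
		commits = append(commits, Point{x, y})
	}
	for j := 1; j <= n; j++ {
		s := new(big.Int)
		for i := t - 1; i >= 0; i-- { // Horner's rule; share j is sent ECIES-encrypted to validator j
			s.Mul(s, big.NewInt(int64(j))).Add(s, coeffs[i]).Mod(s, order)
		}
		shares = append(shares, s)
	}
	return
}

// VerifyShare checks s*G == sum_i j^i*C_i from public commitments only, so a receiver detects a mismatching share.
func VerifyShare(commits []Point, j int64, s *big.Int) bool {
	ax, ay := new(big.Int), new(big.Int) // (0,0) is the identity point in crypto/elliptic
	for i, c := range commits {
		px, py := curve.ScalarMult(c.X, c.Y, new(big.Int).Exp(big.NewInt(j), big.NewInt(int64(i)), order).Bytes())
		ax, ay = curve.Add(ax, ay, px, py)
	}
	sx, sy := curve.ScalarBaseMult(s.Bytes())
	return ax.Cmp(sx) == 0 && ay.Cmp(sy) == 0
}

// Finalize: validator j verifies each received share, sums them into its final secret share and derives the global public key as the sum of the dealers' C_0 (no secret is revealed).
func Finalize(commits [][]Point, received []*big.Int, j int64) (*big.Int, Point, bool) {
	final, gx, gy, ok := new(big.Int), new(big.Int), new(big.Int), true
	for d, s := range received {
		ok = ok && VerifyShare(commits[d], j, s)
		final.Add(final, s).Mod(final, order)
		gx, gy = curve.Add(gx, gy, commits[d][0].X, commits[d][0].Y)
	}
	return final, Point{gx, gy}, ok
}
```

Because the sum of the dealers' commitment vectors commits to the sum of their polynomials, the same VerifyShare routine also checks each validator's aggregated final share against the summed commitments.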

Risks

Cross-Chain Integration Risks: External blockchain bridges and cross-chain communication protocols introduce additional attack surfaces for encrypted transaction exposure, as the Neo X Anti-MEV system must interface with external systems that may have different security assumptions. Compromise of bridge infrastructure could potentially expose encrypted transaction data before decryption or enable manipulation of the transaction ordering process.

Smart Contract Vulnerabilities: The Neo X DKG protocol's smart contract acts as a critical single point of failure, managing validator governance, proof verification, curve point attack prevention, PVSS validation, BLS12-381 operations, and global public key calculations. Any vulnerability in access controls, input validation, cryptographic implementations, or governance could allow attackers to inject malicious validators, bypass security checks, or corrupt key generation. Unlike typical blockchain protocols where individual node compromises have limited impact, any successful attack against this centralized DKG contract immediately undermines the cryptographic foundations of the entire Anti-MEV system. This centralization means a single contract compromise could expose all encrypted transactions and enable unlimited MEV extraction across the network.

Gnark Framework Soundness: The system depends on gnark v0.13 for zero-knowledge proof generation and verification, which is a relatively recent framework with evolving constraint system implementations and circuit compilation processes. Any soundness vulnerabilities in gnark's Plonkish constraint generation, witness assignment, or proof serialization could enable the creation of false proofs that pass verification, allowing malicious validators to prove incorrect ECIES encryption statements and inject invalid key shares into the DKG process without cryptographic detection.

Findings

Code        | Title                                                              | Status   | Severity
F-2025-1170 | Non-Standard ECIES KDF Implementation                              | fixed    | High
F-2025-1170 | Missing Subgroup Validation for Elliptic Curve Points              | accepted | High
F-2025-1170 | Hardcoded Beacon Challenge in SRS Sealing                          | fixed    | Medium
F-2025-1170 | Missing Authentication Tag Verification in AES-GCM Circuit         | accepted | Medium
F-2025-1170 | Array Bounds Vulnerability in variableToU8s Function               | fixed    | Medium
F-2025-1171 | No Input Validation on srsSize Parameter                           | fixed    | Low
F-2025-1171 | Ungraceful Panic Handling in AES-GCM Decryption                    | fixed    | Low
F-2025-1171 | Theoretical Side-Channel Vulnerability in AES S-Box Implementation | accepted | Low
F-2025-1171 | Missing Input Array Validation in Main DKG Proof Generation        | fixed    | Low
F-2025-1171 | Missing Secure File Handling and Cleanup                           | fixed    | Low

Showing findings 1-10 of 15.


Appendix 1. Severity Definitions

Critical: Vulnerabilities that can lead to a complete breakdown of the blockchain network's security, privacy, integrity, or availability fall under this category. They can disrupt the consensus mechanism, enabling a malicious entity to take control of the majority of nodes or facilitate 51% attacks. In addition, issues that could lead to widespread crashing of nodes, leading to a complete breakdown or significant halt of the network, are also considered critical along with issues that can lead to a massive theft of assets. Immediate attention and mitigation are required.

High: High severity vulnerabilities are those that do not immediately risk the complete security or integrity of the network but can cause substantial harm. These are issues that could cause the crashing of several nodes, leading to temporary disruption of the network, or could manipulate the consensus mechanism to a certain extent, but not enough to execute a 51% attack. Partial breaches of privacy, unauthorized but limited access to sensitive information, and affecting the reliable execution of smart contracts also fall under this category.

Medium: Medium severity vulnerabilities could negatively affect the blockchain protocol but are usually not capable of causing catastrophic damage. These could include vulnerabilities that allow minor breaches of user privacy, can slow down transaction processing, or can lead to relatively small financial losses. It may be possible to exploit these vulnerabilities under specific circumstances, or they may require a high level of access to exploit effectively.

Low: Low severity vulnerabilities are minor flaws in the blockchain protocol that might not have a direct impact on security but could cause minor inefficiencies in transaction processing or slight delays in block propagation. They might include vulnerabilities that allow attackers to cause nuisance-level disruptions or are only exploitable under extremely rare and specific conditions. These vulnerabilities should be corrected but do not represent an immediate threat to the system.

Appendix 2. Scope

The scope of the project includes the following components from the provided repository:

Scope Details

Repository: https://github.com/bane-labs/zk-dkg/tree/recursion_plonk_groth16
Commit: c79294eb21c030a2dce7b67ad11e0391f350e81a

Components in Scope

This audit covers all production code in:

  • circuit/ - Zero-knowledge circuit implementations

  • encryption/ - Cryptographic primitives (AES-GCM, ECIES)

  • helper/ - Proof generation and utilities

  • mpc/ - Multi-party computation setup

  • zk_dkg.go - Main DKG entry point

Test files and documentation were excluded from scope.

Assets in Scope

  • circuit/aes256.go
  • circuit/aes256_gcm.go
  • circuit/aes256_gcm_test.go
  • circuit/batch_encryption.go
  • circuit/batch_encryption_test.go
  • circuit/circuit.go
  • circuit/ecies.go
  • circuit/ecies_test.go
  • circuit/helper.go
  • circuit/recursion_encryption.go
  • circuit/recursion_encryption_test.go
  • encryption/aes.go
  • encryption/ecies.go
  • helper/helper.go
  • mpc/plonk.go
  • zk_dkg.go

Disclaimer