Introduction
We express our gratitude to the Neo X team for the collaborative engagement that enabled the execution of this Blockchain Protocol Security Assessment.
Neo X implements a zero-knowledge Distributed Key Generation (DKG) protocol for Anti-MEV protection using a multi-curve architecture. The protocol enables validators to collaboratively generate threshold public-private key pairs without exposing individual secret shares.
Document | |
---|---|
Name | Blockchain Protocol Review and Security Analysis Report for Neo X |
Audited By | Reshma Fareed |
Approved By | Nino Lipartiia |
Website | https://neo.org/→ |
Changelog | 17/07/2025 - Preliminary Report |
Changelog | 04/08/2025 - Final Report |
Platform | Neo X |
Language | Golang |
Tags | Zero Knowledge Circuit, Gnark |
Methodology | https://hackenio.cc/blockchain_methodology→ |
Document
- Name
- Blockchain Protocol Review and Security Analysis Report for Neo X
- Audited By
- Reshma Fareed
- Approved By
- Nino Lipartiia
- Website
- https://neo.org/→
- Changelog
- 17/07/2025 - Preliminary Report
- Changelog
- 04/08/2025 - Final Report
- Platform
- Neo X
- Language
- Golang
- Tags
- Zero Knowledge Circuit, Gnark
- Methodology
- https://hackenio.cc/blockchain_methodology→
Review Scope | |
---|---|
Repository | https://github.com/bane-labs/zk-dkg/tree/recursion_plonk_groth16→ |
Commit | c79294eb21c030a2dce7b67ad11e0391f350e81a |
Review Scope
- Commit
- c79294eb21c030a2dce7b67ad11e0391f350e81a
Audit Summary
The system users should acknowledge all the risks summed up in the risks section of the report
Documentation quality
Protocol specification and operational guides are missing.
Integration guides and deployment documentation are insufficient for production use.
Threat model documentation needs development to explain attack vectors and mitigation strategies.
Code quality
The code structure remains clear and well-organized.
Clean separation of concerns and appropriate use of industry-standard libraries demonstrate sound engineering practices.
Input validation, error handling, and secure memory practices require substantial improvement.
Defensive programming patterns are inconsistent throughout the codebase.
Architecture quality
Sound multi-curve design (secp256k1, BLS12-381, BN254) follows established cryptographic principles.
Elegant recursive proof system supports flexible batch processing with scalable validator configurations.
Well-structured component separation enables future protocol extensions while maintaining clean abstractions.
Industry-standard libraries (gnark, go-ethereum) provide solid cryptographic foundations.
Test coverage
Integration tests for end-to-end DKG ceremony workflow are missing, limiting confidence in system behavior.
Negative test cases and security-focused scenarios need development to validate edge conditions.
Performance and stress testing remain necessary for production deployment readiness.
System Overview
Neo X implements a zero-knowledge Distributed Key Generation (DKG) protocol for Anti-MEV protection using a multi-curve architecture. The protocol enables validators to collaboratively generate threshold public-private key pairs without exposing individual secret shares.
Architecture Components
secp256k1: Validator identity keys and ECIES encryption
BLS12-381: Key share commitments and polynomial commitments
BN254: Zero-knowledge proof generation and verification
DKG Process:
Each validator generates a polynomial and computes commitments
Validators encrypt key shares using ECIES and distribute to peers
Zero-knowledge proofs verify encryption correctness without revealing shares
Validators aggregate received shares to compute final secret shares
Global public key is computed from polynomial commitments
Risks
Cross-Chain Integration Risks: External blockchain bridges and cross-chain communication protocols introduce additional attack surfaces for encrypted transaction exposure, as the Neo X Anti-MEV system must interface with external systems that may have different security assumptions. Compromise of bridge infrastructure could potentially expose encrypted transaction data before decryption or enable manipulation of the transaction ordering process.
Smart Contract Vulnerabilities: The Neo X DKG protocol's smart contract acts as a critical single point of failure, managing validator governance, proof verification, curve point attack prevention, PVSS validation, BLS12-381 operations, and global public key calculations. Any vulnerability in access controls, input validation, cryptographic implementations, or governance could allow attackers to inject malicious validators, bypass security checks, or corrupt key generation. Unlike typical blockchain protocols where individual node compromises have limited impact, any successful attack against this centralized DKG contract immediately undermines the cryptographic foundations of the entire Anti-MEV system. This centralization means a single contract compromise could expose all encrypted transactions and enable unlimited MEV extraction across the network.
Gnark Framework Soundness: The system depends on gnark v0.13 for zero-knowledge proof generation and verification, which is a relatively recent framework with evolving constraint system implementations and circuit compilation processes. Any soundness vulnerabilities in gnark's Plonkish constraint generation, witness assignment, or proof serialization could enable the creation of false proofs that pass verification, allowing malicious validators to prove incorrect ECIES encryption statements and inject invalid key shares into the DKG process without cryptographic detection.
Findings
Code ― | Title | Status | Severity | |
---|---|---|---|---|
F-2025-1170 | Non-Standard ECIES KDF Implementation | fixed | High | |
F-2025-1170 | Missing Subgroup Validation for Elliptic Curve Points | accepted | High | |
F-2025-1170 | Hardcoded Beacon Challenge in SRS Sealing | fixed | Medium | |
F-2025-1170 | Missing Authentication Tag Verification in AES-GCM Circuit | accepted | Medium | |
F-2025-1170 | Array Bounds Vulnerability in variableToU8s Function | fixed | Medium | |
F-2025-1171 | No Input Validation on srsSize Parameter | fixed | Low | |
F-2025-1171 | Ungraceful Panic Handling in AES-GCM Decryption | fixed | Low | |
F-2025-1171 | Theoretical Side-Channel Vulnerability in AES S-Box Implementation | accepted | Low | |
F-2025-1171 | Missing Input Array Validation in Main DKG Proof Generation | fixed | Low | |
F-2025-1171 | Missing Secure File Handling and Cleanup | fixed | Low |
Findings like these can secure your blockchain.
Appendix 1. Severity Definitions
Severity | Description |
---|---|
Critical | Vulnerabilities that can lead to a complete breakdown of the blockchain network's security, privacy, integrity, or availability fall under this category. They can disrupt the consensus mechanism, enabling a malicious entity to take control of the majority of nodes or facilitate 51% attacks. In addition, issues that could lead to widespread crashing of nodes, leading to a complete breakdown or significant halt of the network, are also considered critical along with issues that can lead to a massive theft of assets. Immediate attention and mitigation are required. |
High | High severity vulnerabilities are those that do not immediately risk the complete security or integrity of the network but can cause substantial harm. These are issues that could cause the crashing of several nodes, leading to temporary disruption of the network, or could manipulate the consensus mechanism to a certain extent, but not enough to execute a 51% attack. Partial breaches of privacy, unauthorized but limited access to sensitive information, and affecting the reliable execution of smart contracts also fall under this category. |
Medium | Medium severity vulnerabilities could negatively affect the blockchain protocol but are usually not capable of causing catastrophic damage. These could include vulnerabilities that allow minor breaches of user privacy, can slow down transaction processing, or can lead to relatively small financial losses. It may be possible to exploit these vulnerabilities under specific circumstances, or they may require a high level of access to exploit effectively. |
Low | Low severity vulnerabilities are minor flaws in the blockchain protocol that might not have a direct impact on security but could cause minor inefficiencies in transaction processing or slight delays in block propagation. They might include vulnerabilities that allow attackers to cause nuisance-level disruptions or are only exploitable under extremely rare and specific conditions. These vulnerabilities should be corrected but do not represent an immediate threat to the system. |
Severity
- Critical
Description
- Vulnerabilities that can lead to a complete breakdown of the blockchain network's security, privacy, integrity, or availability fall under this category. They can disrupt the consensus mechanism, enabling a malicious entity to take control of the majority of nodes or facilitate 51% attacks. In addition, issues that could lead to widespread crashing of nodes, leading to a complete breakdown or significant halt of the network, are also considered critical along with issues that can lead to a massive theft of assets. Immediate attention and mitigation are required.
Severity
- High
Description
- High severity vulnerabilities are those that do not immediately risk the complete security or integrity of the network but can cause substantial harm. These are issues that could cause the crashing of several nodes, leading to temporary disruption of the network, or could manipulate the consensus mechanism to a certain extent, but not enough to execute a 51% attack. Partial breaches of privacy, unauthorized but limited access to sensitive information, and affecting the reliable execution of smart contracts also fall under this category.
Severity
- Medium
Description
- Medium severity vulnerabilities could negatively affect the blockchain protocol but are usually not capable of causing catastrophic damage. These could include vulnerabilities that allow minor breaches of user privacy, can slow down transaction processing, or can lead to relatively small financial losses. It may be possible to exploit these vulnerabilities under specific circumstances, or they may require a high level of access to exploit effectively.
Severity
- Low
Description
- Low severity vulnerabilities are minor flaws in the blockchain protocol that might not have a direct impact on security but could cause minor inefficiencies in transaction processing or slight delays in block propagation. They might include vulnerabilities that allow attackers to cause nuisance-level disruptions or are only exploitable under extremely rare and specific conditions. These vulnerabilities should be corrected but do not represent an immediate threat to the system.
Appendix 2. Scope
The scope of the project includes the following components from the provided repository:
Scope Details | |
---|---|
Repository | https://github.com/bane-labs/zk-dkg/tree/recursion_plonk_groth16→ |
Commit | c79294eb21c030a2dce7b67ad11e0391f350e81a |
Scope Details
- Commit
- c79294eb21c030a2dce7b67ad11e0391f350e81a
Components in Scope
This audit covers all production code in:
circuit/
- Zero-knowledge circuit implementationsencryption/
- Cryptographic primitives (AES-GCM, ECIES)helper/
- Proof generation and utilitiesmpc/
- Multi-party computation setupzk_dkg.go
- Main DKG entry point
Test files and documentation were excluded from scope.