Critical Vulnerability in Dusk Network's PLONK Implementation Enables Arbitrary Token Minting
Key Takeaways
- Four selector-polynomial evaluations that dusk-plonk's verifier accepted straight from the proof, without checking them against the commitments in the verifier key, could enable arbitrary token minting and forged transactions
- A malicious prover could choose those selector evaluations freely and satisfy the final verification equation without satisfying any constraint of the transaction circuit
- The vulnerability directly threatened ~$60M in Dusk Network value and the integrity of its shielded transaction system
Summary
Security researchers discovered a critical soundness vulnerability in dusk-plonk, the PLONK zero-knowledge proof implementation securing Dusk Network's privacy layer and approximately $60 million in DUSK tokens. The vulnerability allows a malicious prover to forge valid-appearing proofs for completely false statements by exploiting unvalidated polynomial commitment evaluations in the verification step.
The root cause: the PLONK verifier never validated four public selector evaluations that the prover supplied inside the proof structure. Selector polynomials are fixed, public circuit data, and the verifier key holds commitments to them; a prover-supplied evaluation of one of them at the challenge point is only trustworthy if the opening proof binds it to that commitment. The verifier instead consumed these four values in its final equation as given. A malicious actor could set them to whatever values made the equation pass, bypassing every constraint in the transaction circuit.
On the live Dusk network running Rusk, exploitation would have let an attacker mint arbitrary amounts of DUSK from nothing and forge shielded fund transfers that appear legitimate to every network participant. The discovery highlights the precision required in zero-knowledge proof implementations, where a single unchecked value in the verifier can compromise an entire financial system.
- This underscores why zero-knowledge proof implementations require exhaustive, line-by-line verification against formal specifications
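The following Python model is an added illustration of the mechanism described above; it is constructed for this page and is not dusk-plonk's code. It reduces PLONK to its quotient check for a single arithmetic gate, omits the permutation argument, works over a toy prime field, and evaluates polynomials directly instead of opening KZG commitments. The field modulus, evaluation domain, circuit rows and witness values are all assumptions. The vulnerable verifier takes the selector evaluations from the proof; the hardened one derives them from the verifier key. In the real protocol the verifier cannot evaluate the selector polynomials itself, so the equivalent fix is to include the selector evaluations in the batched opening that is checked against the verifier-key commitments.

```python
# Toy model of the dusk-plonk selector-evaluation soundness gap. Constructed
# illustration, not dusk-plonk code: one PLONK arithmetic gate, no permutation
# argument, a toy prime field, and polynomials evaluated directly instead of
# being opened against KZG commitments.
import random

P = 2**61 - 1          # toy field modulus (assumption; not the BLS12-381 scalar field)
DOMAIN = [1, 2, 3, 4]  # one point per gate row (assumption; real PLONK uses roots of unity)

def inv(x):
    return pow(x, P - 2, P)

def poly_eval(coeffs, x):      # coeffs are little-endian: coeffs[i] * X**i
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out

def poly_add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x + y) % P for x, y in zip(a, b)]

def poly_divmod(num, den):     # long division over F_P -> (quotient, remainder)
    num, deg_d, lead_inv = num[:], len(den) - 1, inv(den[-1])
    q = [0] * max(len(num) - deg_d, 1)
    for i in range(len(num) - 1, deg_d - 1, -1):
        q[i - deg_d] = coef = num[i] * lead_inv % P
        for j in range(deg_d + 1):
            num[i - deg_d + j] = (num[i - deg_d + j] - coef * den[j]) % P
    return q, num[:deg_d]

def interpolate(ys):           # Lagrange interpolation of a column over DOMAIN
    result = [0]
    for i, xi in enumerate(DOMAIN):
        basis, denom = [1], 1
        for j, xj in enumerate(DOMAIN):
            if i != j:
                basis = poly_mul(basis, [(-xj) % P, 1])  # times (X - xj)
                denom = denom * (xi - xj) % P
        scale = ys[i] % P * inv(denom) % P
        result = poly_add(result, [c * scale % P for c in basis])
    return result

# Gate equation on every row: q_l*a + q_r*b + q_m*a*b + q_o*c + q_c == 0.
# Assumed circuit rows: (0) c = a + b   (1) c = a * b   (2) a == 5   (3) unused.
SELECTORS = {"q_l": [1, 0, 1, 0], "q_r": [1, 0, 0, 0], "q_m": [0, 1, 0, 0],
             "q_o": [P - 1, P - 1, 0, 0], "q_c": [0, 0, P - 5, 0]}
VERIFIER_KEY = {name: interpolate(col) for name, col in SELECTORS.items()}
Z_H = [1]                      # vanishing polynomial of DOMAIN
for x in DOMAIN:
    Z_H = poly_mul(Z_H, [(-x) % P, 1])
GOOD_WITNESS = ([2, 4, 5, 0], [3, 6, 0, 0], [5, 24, 0, 0])  # satisfies every row
BAD_WITNESS = ([2, 4, 9, 0], [3, 6, 0, 0], [5, 24, 0, 0])   # row 2 has a = 9, not 5

def gate_value(sel, a, b, c):
    return (sel["q_l"] * a + sel["q_r"] * b + sel["q_m"] * a * b
            + sel["q_o"] * c + sel["q_c"]) % P

def gate_polynomial(witness):
    a, b, c = (interpolate(col) for col in witness)
    q = VERIFIER_KEY
    F = poly_add(poly_mul(q["q_l"], a), poly_mul(q["q_r"], b))
    F = poly_add(F, poly_mul(q["q_m"], poly_mul(a, b)))
    F = poly_add(poly_add(F, poly_mul(q["q_o"], c)), q["q_c"])
    return a, b, c, F

def quotient_exists(witness):  # Z_H divides F exactly iff every row's constraint holds
    return not any(poly_divmod(gate_polynomial(witness)[3], Z_H)[1])

def prove(witness, zeta):      # honest prover: witness, quotient and selector evaluations at zeta
    a, b, c, F = gate_polynomial(witness)
    t, rem = poly_divmod(F, Z_H)
    if any(rem):
        raise ValueError("witness violates a gate; no quotient polynomial exists")
    return {"a": poly_eval(a, zeta), "b": poly_eval(b, zeta), "c": poly_eval(c, zeta),
            "t": poly_eval(t, zeta),
            "selectors": {n: poly_eval(p, zeta) for n, p in VERIFIER_KEY.items()}}

def forge_proof(witness, zeta):
    # Malicious prover: claim every selector evaluates to 0, so the gate equation
    # reads 0 == Z_H(zeta) * 0 whatever the witness is.
    a, b, c, _ = gate_polynomial(witness)
    return {"a": poly_eval(a, zeta), "b": poly_eval(b, zeta), "c": poly_eval(c, zeta),
            "t": 0, "selectors": {n: 0 for n in VERIFIER_KEY}}

def verify_vulnerable(proof, zeta):
    # BUG: selector evaluations come from the proof and are never bound to the
    # selector polynomials fixed in the verifier key.
    lhs = gate_value(proof["selectors"], proof["a"], proof["b"], proof["c"])
    return lhs == poly_eval(Z_H, zeta) * proof["t"] % P

def verify_hardened(proof, zeta):
    # The verifier key fixes the selectors; derive their evaluations from it (in real
    # PLONK: check them through the KZG opening against the key's commitments).
    sel = {n: poly_eval(p, zeta) for n, p in VERIFIER_KEY.items()}
    lhs = gate_value(sel, proof["a"], proof["b"], proof["c"])
    return lhs == poly_eval(Z_H, zeta) * proof["t"] % P

if __name__ == "__main__":
    zeta = random.randrange(5, P)  # challenge point (Fiat-Shamir derived in the real protocol)
    good, forged = prove(GOOD_WITNESS, zeta), forge_proof(BAD_WITNESS, zeta)
    print("honest proof: vulnerable", verify_vulnerable(good, zeta), "hardened", verify_hardened(good, zeta))
    print("forged proof: vulnerable", verify_vulnerable(forged, zeta), "hardened", verify_hardened(forged, zeta))
```

Running the script shows the honest proof accepted by both verifiers and the forged proof, built from a witness that violates row 2, accepted only by the vulnerable verifier. The forged proof never needed a valid quotient polynomial: once the selector evaluations are attacker-controlled, the final equation says nothing about the circuit.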
Editorial Opinion
Zero-knowledge proofs are foundational to privacy-preserving blockchain systems, but this vulnerability in a widely used PLONK library demonstrates how easily a subtle gap in verification logic becomes a catastrophic security failure. The discovery is a stark reminder that cryptographic code, no matter how mathematically sound the underlying protocol, requires meticulous implementation review. As ZK proofs become central to Web3 infrastructure securing billions in assets, the bar for implementation rigor cannot be too high.