We’re proud to announce that EZKL, a library for creating zero-knowledge proofs of ML model inference, is now production-ready. Developers can utilize our end-to-end tooling with a single line of code. Click here to learn more.
Beginning in January 2025, Trail of Bits conducted a security assessment of EZKL, a library for creating zero-knowledge proofs of ML model inference. The assessment spanned 11 engineer-weeks, focusing on circuit soundness, potential backdoors in ML model quantization, and proof verification security.
Key Findings
Circuit Soundness Issues
The assessment uncovered several high-severity soundness issues in the core circuit constraints:
- The shuffle argument implementation was missing a single constraint relative to the original specification. The spec correctly required that the input be a permutation of the reference tensor, but the implementation only enforced that each element in the input tensor was present in the reference tensor, without checking multiplicities. This allowed a malicious prover to claim that [5,5,5,5,5] was a valid shuffle of [1,2,3,4,5]. This was not an issue with the use of dynamic lookups (which are perfectly valid when properly constrained), but rather a case of the implementation not fully matching the sound specification.
- The decomposition argument for converting field elements to signed integers did not enforce a canonical sign for zeros. This affected greater/less comparisons and rounding operations, allowing a prover to assign arbitrary signs to zero values and potentially manipulate circuit outputs.
- Division and reciprocal arguments lacked range checks on prover-provided advice, making them susceptible to modulus wraparound attacks. A malicious prover could supply large field elements that cause overflows when multiplied with inputs, producing incorrect results that still satisfy the constraints but are nonsensical for machine learning systems.
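To make the three soundness findings concrete, here is an added Python model, not EZKL's code: each "constraint" is a hypothetical function over a constructed toy field (P = 101, with small bit widths chosen so honest products never exceed P). For each finding it shows the witness a prover could supply against the unsound version and the single extra check that rejects it.

```python
from collections import Counter

# Toy prime field for illustration only (constructed; real circuits use a
# ~254-bit field). Bit widths are chosen so honest products never exceed P.
P = 101
MAG_BITS = 6   # magnitudes below 2**6 = 64 < P
Q_BITS = 3     # quotients below 2**3 = 8; 8 * 7 + 7 < P for the divisor used below


def unsound_shuffle_ok(inputs, reference):
    """Membership only: each input element must appear somewhere in the
    reference tensor. Multiplicities are never checked, so [5,5,5,5,5]
    passes as a 'shuffle' of [1,2,3,4,5]."""
    return len(inputs) == len(reference) and all(x in reference for x in inputs)


def sound_shuffle_ok(inputs, reference):
    """Membership plus multiplicities: the input must be a permutation of
    the reference, i.e. the two multisets are equal."""
    return Counter(inputs) == Counter(reference)


def signed_decomp_ok(value, sign, magnitude, canonical_zero):
    """Witness (sign, magnitude) for a field element: sign is 1 or P-1 (-1),
    magnitude is range-checked, and value == sign * magnitude (mod P).
    Without canonical_zero, value 0 accepts both signs, so any comparison or
    rounding derived from the sign can be steered by the prover."""
    if sign not in (1, P - 1):
        return False
    if not 0 <= magnitude < 2 ** MAG_BITS:
        return False
    if (sign * magnitude - value) % P != 0:
        return False
    if canonical_zero and magnitude == 0 and sign != 1:
        return False
    return True


def division_ok(a, d, q, r, range_check):
    """Constraint a == q*d + r (mod P) with 0 <= r < d, where q is
    prover-provided advice. Without the range check, q*d may wrap around
    the modulus, so a q unrelated to a // d still satisfies the equation."""
    if not 0 <= r < d:
        return False
    if range_check and not 0 <= q < 2 ** Q_BITS:
        return False
    return (q * d + r - a) % P == 0


def wrapped_quotient(a, d, r):
    """The field element q with q*d + r == a (mod P): it satisfies the
    unchecked constraint but is not the integer quotient a // d."""
    return (a - r) * pow(d, -1, P) % P


if __name__ == "__main__":
    print(unsound_shuffle_ok([5, 5, 5, 5, 5], [1, 2, 3, 4, 5]))  # True
    print(sound_shuffle_ok([5, 5, 5, 5, 5], [1, 2, 3, 4, 5]))    # False
    print(signed_decomp_ok(0, P - 1, 0, canonical_zero=False))   # True
    print(signed_decomp_ok(0, P - 1, 0, canonical_zero=True))    # False
    q = wrapped_quotient(20, 7, 0)                               # 75, not 2
    print(division_ok(20, 7, q, 0, range_check=False))           # True
    print(division_ok(20, 7, q, 0, range_check=True))            # False
```

The pattern is the same in all three cases: the constraint system is satisfiable by a witness the specification never meant to admit, and the fix is one additional constraint (multiplicity equality, a forced sign for zero, a range bound on advice) rather than a redesign.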
Data Attestation Vulnerabilities
Multiple vulnerabilities were found in the data attestation (DA) contracts, which are crucial for verifying that model inputs match on-chain data. A malicious prover could bypass data attestation checks through:
- Arbitrary instance data acceptance
- Missing KZG commitment validation
- Non-canonical ABI encodings
- Field modulus overflow exploitation
Our core verifiers, which the DA contracts wrap, were found to be sound.
Model Backdoor Risk
The assessment confirmed that model backdoors can be activated during EZKL’s quantization process. This means a backdoor could lie dormant in a full-precision model but become active after quantization. The feasibility depends on model size and quantization scale: larger models and smaller scales increase the attack surface.
This threat model is relevant to ML models more broadly, and we’ve started to document ML-specific threat vectors for developers in our main repository.
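The check a practitioner would want here is to run the float model and its quantized counterpart side by side over a validation set at the exact scale that will be proven, and flag every input on which the two predictions disagree. The following added Python example does that for a constructed two-feature linear classifier; it is not EZKL's quantizer but a simplified fixed-point scheme (weights and inputs at scale 2**b, products at 2**(2b)) assumed for illustration. It also shows the scale dependence the text describes: a tiny weight rounds to zero at scale 2**7 and flips one prediction, while at 2**10 the two models agree.

```python
# Added example (not EZKL's quantizer): a two-feature linear classifier
# quantized to fixed point at scale 2**scale_bits, with a check that flags
# inputs on which the quantized model disagrees with the float model.

def quantize(x, scale_bits):
    """Fixed-point quantization: the integer nearest x * 2**scale_bits."""
    return int(round(x * (1 << scale_bits)))


def float_logit(weights, bias, x):
    return sum(w * xi for w, xi in zip(weights, x)) + bias


def quantized_logit(weights, bias, x, scale_bits):
    """Integer arithmetic as a circuit would see it: weights and inputs at
    scale 2**b, so each product sits at scale 2**(2b); the bias is placed at
    2**(2b) as well. The result is rescaled only for comparison."""
    qw = [quantize(w, scale_bits) for w in weights]
    qx = [quantize(xi, scale_bits) for xi in x]
    qb = quantize(bias, 2 * scale_bits)
    acc = sum(w * xi for w, xi in zip(qw, qx)) + qb
    return acc / (1 << (2 * scale_bits))


def predict(logit):
    return int(logit > 0)


def divergence_report(weights, bias, inputs, scale_bits):
    """Inputs where float and quantized predictions differ, as
    (input, float_prediction, quantized_prediction) tuples."""
    report = []
    for x in inputs:
        f = predict(float_logit(weights, bias, x))
        q = predict(quantized_logit(weights, bias, x, scale_bits))
        if f != q:
            report.append((x, f, q))
    return report


# Constructed toy model: the second weight is tiny, so it only matters when
# the second feature is large. At scale 2**7 it rounds to 0 and disappears.
WEIGHTS = [0.5, -0.003]
BIAS = -0.25
VALIDATION = [[1.0, 0.0], [0.0, 0.0], [1.0, 100.0]]

if __name__ == "__main__":
    print(divergence_report(WEIGHTS, BIAS, VALIDATION, scale_bits=7))   # [([1.0, 100.0], 0, 1)]
    print(divergence_report(WEIGHTS, BIAS, VALIDATION, scale_bits=10))  # []
```

A non-empty report is not proof of a backdoor, since ordinary rounding error also produces disagreements, but it is the set of inputs that deserve inspection, and the comparison should be repeated whenever the scale or the model changes.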
Security Improvements
Trail of Bits provided several key recommendations:
- Add the missing multiplicity constraint to the shuffle argument to match the specification
- Implement proper range checks for division and reciprocal arguments
- Add constraints ensuring canonical sign representation for zeros
- Add domain separation padding for Poseidon hashing
- Improve input validation and error handling across the codebase
- Document risks around model backdoors and quantization
All of these recommendations have been remedied in EZKL version v21.0.0.
Looking Forward
The identified vulnerabilities highlight the inherent complexity of building secure zero-knowledge systems for ML. However, with clear remediation paths and only straightforward fixes needed, EZKL is well-positioned for its next phase. Most findings relate to missing constraints or validations; in total, Trail of Bits uncovered 8 high-severity issues that needed immediate attention. With these issues resolved, EZKL will provide a more robust foundation for privacy-preserving ML applications, one that strengthens confidence in its underlying design principles.
As a result, we’re the first audited and production-ready ZK-SNARK library for ML model inference. Find out more about EZKL and how you can start using it today here.
Note: For detailed technical information and specific vulnerability details, please refer to the full Trail of Bits assessment report.