In our previous video, we discussed Advanced Formal Verification of ZKP: Verifying a ZK Instruction. By formally verifying each zkWasm instruction, we were able to completely verify the technical security and correctness of the entire zkWasm circuit. In this video, we will focus on the bug discovery aspect, examining specific bugs encountered during the process and the lessons learned.

In December 2023, we shared an Aptos-related bug report with the Wormhole Bug Bounty Program. We were impressed at Wormhole’s quick and effective resolution of the issue. A patch resolved the issue within 3.5 hours of the initial report.

In 2023, the Web3 security landscape experienced significant changes, as detailed in CertiK's Annual Report. The year saw a notable decrease in financial losses due to hacks, scams, and exploits, down to $1.8 billion, which is 51% less than in 2022 and 65% lower than in 2021. Despite this positive trend, the number of incidents rose to 751, indicating ongoing vulnerabilities. November emerged as the costliest month, with losses totaling $363 million. Private key compromises were identified as a primary cause, responsible for half of the year's losses. The report also explores intriguing cases like KyberSwap and analyzes the correlation between DeFi’s Total Value Locked (TVL) and the losses incurred. CertiK's achievements in 2023 included launching the SkyInsights platform, earning accolades for mobile security, and receiving a significant bug bounty from SUI. This highlights the company’s proactive approach in the evolving field of Web3 security.