September Newsletter
Hello and welcome to your September update.
It’s been another fast-moving month in our corner of the industry. The world of zero-knowledge proofs continues to mature at a remarkable pace, with developments ranging from formal verification strengthening security guarantees to hardware acceleration making the technology more efficient.
Meanwhile, the security landscape remains as dynamic as ever, and we break down recent events that highlight the evolving risks to protocols, people, and infrastructure.
On that note, we’re very excited to launch a new resource for those navigating one of crypto’s most complex frontiers. Our new course, Advanced MEV: Navigating the Dark Forest, is now live!
Check it out here: https://academy.extropy.io
Recent Developments in Zero-Knowledge Technology
1. Formal Verification of On-Chain Verifiers
A significant milestone has been achieved in bolstering the security of zero-knowledge systems with the formal verification of an on-chain verifier. The work, completed by security firm Nethermind for the ZKsync ecosystem, involved using the Lean proof assistant to create a machine-checkable mathematical proof of the verifier’s correctness. This process translates the verifier’s complex code into formal logic, allowing for a rigorous demonstration that the implementation precisely matches its intended mathematical specification.
This development is crucial as it addresses the foundational risk of bugs or errors in the verifier component, which is responsible for confirming the validity of all proofs submitted to the network. By providing a formal guarantee of correctness, this work establishes a higher standard for security and trust in ZK-Rollup systems. It mitigates the potential for catastrophic failures due to implementation flaws and sets a precedent for other protocols to adopt similar verification methods, enhancing the robustness of the entire ecosystem.
2. Progress in Hardware Acceleration for ZK Proofs
Efforts to make zero-knowledge proofs more efficient and cost-effective have seen notable progress through hardware acceleration initiatives. The ZK-Rollup provider ZKsync has announced collaborations with hardware firms, including Cysic, to develop and implement specialised hardware, such as Application-Specific Integrated Circuits (ASICs) and Graphics Processing Units (GPUs), for ZK proof generation. The primary goal is to offload the computationally intensive task of proof creation from general-purpose CPUs to dedicated processors designed for this purpose.
The anticipated impact of this specialisation is a substantial reduction in both the time and cost required to generate proofs. This optimisation is critical for the scalability of Layer 2 solutions, as lower operational costs can translate into lower transaction fees for end-users. By making proof generation faster and cheaper, hardware acceleration aims to improve the viability of ZK technology for a wider range of high-throughput applications.
3. Emergence of Post-Quantum Zero-Knowledge Systems
In response to the future threat posed by quantum computing, development has begun on integrating ZKPs with post-quantum cryptography (PQC). The firm 01 Quantum recently announced a “Quantum Crypto Wrapper,” a technology designed to combine the privacy features of zero-knowledge proofs with cryptographic algorithms resistant to attacks from quantum computers. This approach aims to provide a dual layer of security, safeguarding data and transactions against both current and future threats.
This forward-looking research addresses a long-term vulnerability for cryptographic systems. By proactively developing hybrid solutions that are “crypto-agile,” developers can ensure that blockchain networks and other sensitive communication systems can transition to quantum-resistant standards without compromising the privacy-preserving benefits that zero-knowledge proofs offer today.
4. ZKP Applications in Digital Identity and Age Verification
The application of zero-knowledge proofs for privacy-preserving digital identity has gained traction, highlighted by Google’s recent open-sourcing of a ZKP-based tool for age verification. The system is designed to allow a user to prove they are over a certain age to an online service without revealing their date of birth or any other personal information. The service receives only a cryptographic proof of the age claim, not the underlying data.
This development represents a practical solution to a widespread online challenge: verifying age requirements without forcing users to share sensitive personal data, thereby enhancing user privacy and security. The open-sourcing of such a tool is intended to encourage broader adoption and standardisation of ZKP techniques for various digital identity use cases, such as verifying credentials or qualifications in a secure and private manner.
5. Steps Towards Decentralisation of ZK-Rollup Sequencers
The architecture of ZK-Rollups has taken a material step towards decentralisation with Starknet’s “Grinta” network upgrade. This update initiated the transition from a single, centrally operated sequencer to a decentralised model managed by multiple independent parties. A sequencer is a critical network component responsible for receiving user transactions, ordering them, and creating blocks to be proven on the main chain.
Centralised sequencers present a potential single point of failure and a risk for censorship, as a single entity controls the ordering of transactions. By distributing this role, the network becomes more resilient and credibly neutral, reducing the ability of any one party to censor or prioritise specific transactions. This move is a fundamental step in the maturation of Layer 2 networks, aligning their operational reality more closely with the decentralised ethos of their underlying blockchains.
6. Growing Integration of ZKPs with Machine Learning (ZKML)
Research into Zero-Knowledge Machine Learning (ZKML) has accelerated, focusing on providing verifiable integrity for artificial intelligence models. ZKML enables a model owner to generate a proof that an inference (a prediction or output) was produced correctly by a specific model, without needing to reveal the model’s proprietary weights or parameters. This allows for the verification of AI computations while preserving intellectual property.
This technology has significant implications for building trust in AI systems. For instance, a user could verify that a service is using a specific, unbiased algorithm without the service needing to expose its inner workings. Furthermore, it enables users to provide sensitive input data to a model and receive a verifiably correct output, all while keeping the input data private. This enhances security and confidentiality in applications where AI models process sensitive information.
Security and Risk Analysis
Venus Protocol Exploit: $12M Drained, Then Returned
What happened:
Venus Protocol on BNB Chain suffered a $12M exploit that drained liquidity in minutes. Panic spread as fears of another lending collapse grew. In a surprising twist, the attacker later engaged the team via on-chain messages and returned the funds after negotiating a resolution.
Why it matters:
The incident reignited debate about DeFi’s reliance on attacker goodwill and blurred lines between “white-hat” testing and soft extortion. While Venus avoided lasting damage, the event exposed how fragile trust and liquidity can be in decentralized finance.
Takeaway:
Protocols need more than audits, they need robust bug bounty programs and proactive monitoring to prevent researchers from choosing exploits over disclosures.
North Korean Hackers Lure Crypto Workers With Fake Jobs
What happened:
Reuters uncovered a large-scale operation dubbed “Contagious Interview”, where North Korean hackers posed as recruiters on LinkedIn and Telegram. Victims were tricked into downloading malicious “skills tests” or video software that compromised their systems.
Why it matters:
More than 230 crypto professionals were targeted between January and March, from developers to executives. Stolen funds were funneled into North Korea’s weapons program, proving this isn’t just cybercrime but a geopolitical threat vector.
Takeaway:
Not all attacks exploit code, many target people. Companies must invest in employee awareness training and device-level defenses, especially against sophisticated, nation-state-backed campaigns.
Ethereum Smart Contracts Used in NPM Supply Chain Attack
What happened:
Researchers discovered malicious NPM packages that queried Ethereum smart contracts to fetch hidden malware payloads. This novel twist allowed attackers to bypass conventional security tools, since blockchain calls are rarely flagged as suspicious.
Why it matters:
This represents a dangerous evolution in software supply chain attacks. Developers trust NPM libraries and GitHub activity, but adversaries are now blending open-source deception with blockchain obfuscation to spread malware undetected.
Takeaway:
The open-source ecosystem faces rising risks. Teams should adopt dependency vetting, code signing, and real-time package monitoring to defend against this new attack surface.
Final Thoughts
These last few weeks revealed three pillars of crypto risk:
- Protocol vulnerabilities can drain millions in minutes.
- Human targets remain the weakest link for nation-state attackers.
- Supply chain threats are evolving, with blockchain itself weaponized for malware delivery.
Security in crypto is no longer just about protecting smart contracts. It’s about defending the entire stack: code, people, and infrastructure.
Learn More with Extropy Academy
Built by security researchers and developers, Extropy Academy is the learning hub for smart contract security, zero-knowledge proofs, and MEV. Our hands-on courses and expert-guided workshops help developers master the key risks and technologies shaping blockchain today. From zero-knowledge fundamentals to advanced MEV strategies, we combine theory with practical implementation to help you build with confidence.
Explore the full course catalog at academy.extropy.io.
