Commissioned, Curated and Published by Russ. Researched and written with AI.


This week produced a landmark that the ZK ecosystem probably didn’t want: the first confirmed live exploits of deployed zero-knowledge cryptography in production. Two protocols – Veil Cash and FoomCash – were drained by the same flaw, days apart. The math was not broken. The ceremony that generated the math was never finished.

Veil Cash lost 2.9 ETH in a single transaction. FoomCash lost $2.26 million. The attacker didn’t discover a novel vulnerability. They read the FoomCash post-mortem, recognised the same flaw was present in Veil Cash, and scaled it up.

What the flaw actually is

ZK proof systems like Groth16 require a trusted setup ceremony. The ceremony produces a set of public parameters – specifically, a verification key – that everyone uses to check proofs. The security of the whole system depends on this ceremony being run correctly and completely. If it isn’t, the verification key isn’t a real constraint. It’s a placeholder.

Both Veil Cash and FoomCash shipped with the default placeholder verification key that comes with the reference implementation. The ceremony was started, but the placeholder key was never replaced with the ceremony's real output. Verifying a proof against a default key is roughly equivalent to a padlock whose combination is still 0-0-0-0 from the factory.

With a default or known verification key, forging a valid-looking proof is trivial. You don’t need to break any cryptographic assumption. You just construct a proof that the key will accept – because you know the key’s internal structure – and the protocol treats it as legitimate. The attacker minted or withdrew funds the protocol had no reason to believe were fraudulent. They were cryptographically valid. Against a placeholder.

Why this matters as a milestone

ZK proofs as a category carry a specific promise: you don’t have to trust the team, you only have to trust the math. That’s not wrong, but it’s incomplete. You also have to trust that the ceremony which instantiated the math was actually run. Groth16 is sound if and only if the setup was done correctly. A setup that was never completed is not a weaker version of a valid setup. It’s not a setup at all.

The theoretical gap here has been known for years. Tornado Cash identified a live circuit bug in 2019 and exploited it themselves to drain and refill the contracts before anyone else could. Zcash quietly patched an infinite-mint flaw in their trusted setup parameters in 2021. Neither of those became a real attacker-driven exploit. This week, both Veil Cash and FoomCash did.

The FoomCash story has a partial recovery buried in it. Decurity – a security firm – rescued $1.84M of the drained funds via a frontrun before the attacker could move them. The attacker kept $320K under the protocol’s own “code is law” bounty provision. Net loss: $420K. Veil Cash has no such story. The 2.9 ETH is gone.

What changes after this

Trusted setup audits were already a checklist item in ZK security reviews. After this week, skipping it becomes harder to justify. The ZK Security team has already published a technical breakdown of the Groth16 setup exploit mechanism, and rekt.news has catalogued both incidents in detail. The surface area is now documented, named, and referenced.

For teams building ZK applications: the verification key is not a configuration detail you can defer. It is the system. Shipping with a placeholder key is the equivalent of deploying with public=private. The ceremony completion needs to be verifiable on-chain or via a public transcript, not just documented in a README.

For auditors: default or test verification keys should be a first-pass check alongside signature algorithm verification and reentrancy guards. This is now table stakes.
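The following is an added example, not code from the page, from Veil Cash, FoomCash or any named project, of the two first-pass checks described above: that a deployed verification key is not a known placeholder or test key, and that it matches the final contribution recorded in a public ceremony transcript. It assumes the field layout of a snarkjs-style verification_key.json (vk_alpha_1, vk_beta_2, vk_gamma_2, vk_delta_2, IC, nPublic); the key coordinates, the "known placeholder" list and the transcript are constructed sample data, not real ceremony output.

```python
"""Pre-deployment audit of a Groth16 verification key.

Added example. Checks performed:
  1. the deployed key's fingerprint is not a known placeholder/test key;
  2. the key's IC array has nPublic + 1 entries (structural sanity);
  3. the deployed key's fingerprint equals the output fingerprint of the
     last contribution in the public ceremony transcript.
All key values and transcript entries below are constructed samples.
"""
import hashlib
import json


def vk_fingerprint(vk: dict) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace) so that
    formatting differences between files do not change the hash."""
    canonical = json.dumps(vk, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


# Constructed placeholder key: the kind of default that ships with a
# reference implementation. Toy coordinates stand in for curve points.
PLACEHOLDER_VK = {
    "protocol": "groth16",
    "curve": "bn128",
    "nPublic": 1,
    "vk_alpha_1": ["1", "2", "1"],
    "vk_beta_2": [["1", "0"], ["2", "0"], ["1", "0"]],
    "vk_gamma_2": [["1", "0"], ["2", "0"], ["1", "0"]],
    "vk_delta_2": [["1", "0"], ["2", "0"], ["1", "0"]],
    "IC": [["1", "2", "1"], ["3", "4", "1"]],
}

# Constructed key standing in for the real output of a completed ceremony.
CEREMONY_VK = {
    "protocol": "groth16",
    "curve": "bn128",
    "nPublic": 1,
    "vk_alpha_1": ["11", "23", "1"],
    "vk_beta_2": [["7", "3"], ["9", "5"], ["1", "0"]],
    "vk_gamma_2": [["13", "2"], ["17", "8"], ["1", "0"]],
    "vk_delta_2": [["19", "6"], ["29", "4"], ["1", "0"]],
    "IC": [["31", "37", "1"], ["41", "43", "1"]],
}

# An auditor maintains this set from the reference implementations and
# test fixtures they know about (constructed here from the sample above).
KNOWN_PLACEHOLDER_FINGERPRINTS = {vk_fingerprint(PLACEHOLDER_VK)}

# Constructed public transcript: each contribution publishes the
# fingerprint of the parameters it produced. The deployed key must equal
# the output of the final contribution, otherwise the ceremony result was
# never actually wired into the verifier.
CEREMONY_TRANSCRIPT = [
    {"contributor": "coordinator",
     "output_fingerprint": hashlib.sha256(b"constructed-contribution-0").hexdigest()},
    {"contributor": "contributor-1",
     "output_fingerprint": hashlib.sha256(b"constructed-contribution-1").hexdigest()},
    {"contributor": "contributor-2 (final)",
     "output_fingerprint": vk_fingerprint(CEREMONY_VK)},
]


def audit_verification_key(vk: dict, transcript: list, known_placeholders: set) -> list:
    """Return a list of findings; an empty list means the key passed."""
    findings = []
    fp = vk_fingerprint(vk)

    if fp in known_placeholders:
        findings.append("placeholder: key matches a known default/test verification key")

    # In the snarkjs layout IC holds one point per public input plus one.
    if len(vk.get("IC", [])) != vk.get("nPublic", -1) + 1:
        findings.append("structure: IC length does not equal nPublic + 1")

    if not transcript:
        findings.append("transcript: no ceremony transcript supplied")
    elif transcript[-1]["output_fingerprint"] != fp:
        findings.append("transcript: deployed key does not match the final ceremony contribution")

    return findings


if __name__ == "__main__":
    for label, vk in (("placeholder key", PLACEHOLDER_VK), ("ceremony key", CEREMONY_VK)):
        result = audit_verification_key(vk, CEREMONY_TRANSCRIPT, KNOWN_PLACEHOLDER_FINGERPRINTS)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

The transcript check is the one that actually closes the gap described in this post: a key can be unique and still be wrong if nobody compared it with what the ceremony produced. Publishing the final contribution's fingerprint and checking the deployed verifier's key against it turns "the ceremony was done" from a README claim into something a third party can verify.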

The ZK ecosystem has been scaling rapidly, with projects going from testnet to mainnet on timelines that don’t always accommodate thorough setup ceremonies. Veil Cash and FoomCash are small protocols. The next team that ships with a placeholder key may not be.


Sources: rekt.news/default-settings, rekt.news/the-unfinished-proof, ZK Security Groth16 Setup Exploit