Threat Model
Four adversary classes (A1–A4) with increasing capabilities. Six formal security properties. Based on Section 3 of the ZK-Sentinel paper.
Adversary Hierarchy (Definition 3)
A1: Passive Observer
Can observe all public blockchain data, transactions, balances, contract state
Block explorers, curious individuals
A2: Professional Analyst
Sophisticated blockchain analysis tools, exchange data, law enforcement resources
Chainalysis, Elliptic, tax authorities
A3: Active Attacker
Dust attacks, phishing, social engineering, smart contract exploitation
Hackers, scammers
A4: Physical Adversary
Physical access to victim, can apply coercion, observe system use in real-time, read contract source code, demand credentials, apply escalating pressure
Criminals, kidnappers
Key Insight (Paper §3.2)
Against A4 (Physical Adversary), the defense must be undetectable: the attacker cannot know whether defenses exist or were activated. A4 can force revelation of all passwords, observe system use in real-time, read contract source code, analyze transaction patterns, and demand proof that no hidden funds exist.
Security Properties (Definition 4)
Transaction Unlinkability: Deposits and withdrawals cannot be correlated with advantage better than 1/|A|, where |A| is the anonymity set size
Balance Confidentiality: User balance is computationally hidden from all adversary classes
Coercion Resistance: Under physical coercion, the user can trigger decoy behavior mathematically indistinguishable from normal behavior
Gas Independence: Users can withdraw without prior ETH holdings (relayer network)
Front-Running Resistance: Relayers cannot redirect withdrawals; the proof cryptographically binds recipient, relayer, and fee
Double-Spend Prevention: Each nullifier can only be used once (nullifierHashes mapping)
Attack Vectors & Mitigations
Physical coercion ($5 wrench attack)
189+ documented attacks, $84M+ losses. KYC leak → Identity → Target → Coercion → Theft
Dual nullifier + Shadow Passphrase + ZKML: mathematically indistinguishable decoy path
Severity: critical
On-chain link analysis
Tracing deposit→withdrawal via timing, amount, or gas patterns
Anonymity sets (2²⁰ per pool), batch ops, configurable time delay, relayers, multi-denomination
Severity: high
Detectable anti-coercion logic
Attacker reads contract source, identifies duress branches, demands both passwords
Decision logic inside ZK circuit; no branching visible on-chain. Arithmetic selector a=ia×frase, same R1CS constraints for all a∈{0,1}
Severity: critical
Relayer front-running
Relayer redirects funds to own address or increases fee
Groth16 proof cryptographically binds relayer address + fee as public inputs. Theorem 1: requires breaking q-SDH assumption.
Severity: high
Regulatory compliance request
Court order to reveal transaction origin
Selective Disclosure (22,457 constraints): prove amount range, time range, ASP membership without revealing specific deposit. Audit nonce prevents replay.
Severity: high
Smart contract exploit
Reentrancy, overflow, logic bugs
OpenZeppelin (ReentrancyGuard, Pausable, Ownable). Zentinel-Audit (28 tools): 63 alerts → 1 low-severity finding
Severity: critical
Merkle forgery / Poseidon collision
Produce valid path for non-existent leaf or find commitment collision
Reduces to breaking Poseidon collision resistance on BN254. Merkle depth 20, ROOT_HISTORY_SIZE=100.
Severity: high
Side-channel (gas/timing)
Proof generation time or gas cost reveals circuit path taken
Constant R1CS constraints (Lemma 2). Same gas for real/decoy. Privacy Infrastructure: TimingService (0.1s base + 0.05s jitter), ResponseNormalizer (4096 bytes fixed)
Severity: low
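The branch-free selection behind the "Detectable anti-coercion logic" mitigation can be shown with a generic R1CS multiplexer over the BN254 scalar field. This is an added example, not code from ZK-Sentinel or its paper; the witness layout, the names `real`, `decoy` and `select`, and the three-constraint gadget are assumptions chosen for illustration.

```python
# Added illustration: a generic R1CS multiplexer, not ZK-Sentinel's circuit.
# BN254 scalar field modulus (the field Groth16 circuits on BN254 work in).
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617

# Witness layout (assumed for this example): [one, a, real, decoy, diff, out]
ONE, A, REAL, DECOY, DIFF, OUT = range(6)

# Each constraint is (L, R, O) meaning <L,w> * <R,w> = <O,w> (mod P).
# A linear combination is a {witness_index: coefficient} dict.
CONSTRAINTS = [
    ({A: 1}, {A: 1, ONE: -1}, {}),                # a * (a - 1) = 0, so a is a bit
    ({ONE: 1}, {REAL: 1, DECOY: -1}, {DIFF: 1}),  # diff = real - decoy
    ({A: 1}, {DIFF: 1}, {OUT: 1, DECOY: -1}),     # a * diff = out - decoy
]

def lin(lc, w):
    """Evaluate one linear combination against the witness vector."""
    return sum(c * w[i] for i, c in lc.items()) % P

def satisfied(w):
    """True if the witness satisfies every constraint in the fixed system."""
    return all(lin(l, w) * lin(r, w) % P == lin(o, w) for l, r, o in CONSTRAINTS)

def witness(a, real, decoy):
    """Build the full witness; the selector a stays private to the prover."""
    diff = (real - decoy) % P
    out = (decoy + a * diff) % P
    return [1, a % P, real % P, decoy % P, diff, out]

def select(a, real, decoy):
    """Return real when a == 1 and decoy when a == 0, with no branch on a."""
    w = witness(a, real, decoy)
    if not satisfied(w):
        raise ValueError("selector is not a bit: no valid witness exists")
    return w[OUT]

if __name__ == "__main__":
    # Constructed sample values standing in for the two paths.
    for a in (0, 1):
        print(a, select(a, 111, 222), len(CONSTRAINTS))
```

The same three constraints are checked for a=0 and a=1, so the constraint system carries no branch an attacker could read; only the private witness differs between the two paths.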
Zentinel-Audit Security Validation
ZK-Sentinel's contracts were validated using Zentinel-Audit (28 security analysis tools). Results: 63 initial alerts → 1 low-severity finding. Hardening continues through the companion platform, including GAEV v2 exploit generation and multi-LLM agents for cross-contract vulnerability detection.