ZK Cryptocurrency Attack Surface Analysis — Structured Report
Authorized Security Research | Generated 2026-06-05
SECTION 1: Privacy Coins Using ZK Circuits (zk-SNARKs, Bulletproofs, etc.)
Projects with shielded transaction pools using zero-knowledge proofs. Primary risks: under-constrained circuits enabling counterfeit coins, supply-integrity violations, and privacy-set deanonymization.
1A. Direct Zcash Forks (Inherit Zcash Circuit Design)
These projects forked Zcash source code at various upgrade milestones. They directly inherit Zcash's zk-SNARK proving system (Groth16, Sprout/Sapling/Orchard circuits) and carry the same structural risk profile for under-constrained circuit bugs.
| # | Project | Ticker | Fork Lineage | ZK Tech | Shielded Pool | GitHub / Source | Audits / Formal Verification | MC Tier | Launched | Known Vulns / Notes |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Zcash | ZEC | Bitcoin-core (original) | zk-SNARKs (Groth16, Halo 2, Orchard) | Shielded pool (z-addr), opt-in | github.com/zcash/zcash | NCC, Least Authority, Trail of Bits; Formal spec (Zcash Protocol Spec) | Top 20 (~$6.6B) | 2016 | 2019 "Infinite Counterfeit" bug — under-constrained Sprout circuit allowed counterfeit ZEC. Fixed. Orchard Halo 2 circuit formally verified. |
| 2 | Horizen (ex-ZenCash) | ZEN | Zcash fork | zk-SNARKs (Groth16, Sprout/Sapling) | Shielded pool (z-addr) | github.com/HorizenOfficial/zen | Horizen audits (partially documented); zkVerify sidechain launched 2024 | Top 100 (~$89M) | 2017 | Pivoted from privacy coin to ZK-proof verification L1 (zkVerify). Shielded pool still present but deprioritized. NEARLY EMPTY shielded pool = low anonymity set. |
| 3 | Komodo | KMD | Zcash fork (via ZClassic) | zk-SNARKs (Groth16, Sapling) | Shielded pool (z-addr), opt-in | github.com/KomodoPlatform/komodo | Limited public audits | Micro (~$694K) | 2016 (ICO) | dPoW security model. Shielded pool nearly unused. AtomicDEX-focused. |
| 4 | Pirate Chain | ARRR | Komodo/Zcash fork | zk-SNARKs (Groth16, Sapling) | Shielded-only (z-addr mandatory) | github.com/PirateNetwork/pirate | Community-reviewed; no major firm audits | Top 500 (~$69M) | 2018 | HIGH PRIORITY: Shielded-only means ALL supply is in shielded pool. Any counterfeit coins are un-auditable by design. Largest anonymity set among Zcash forks. |
| 5 | ZClassic | ZCL | Zcash fork (pre-Sapling, pre-dev-fund) | zk-SNARKs (Groth16, Sprout only?) | Shielded pool (z-addr) | github.com/zclassicdev/zclassic | No modern audits | Sub-2000 (~$3.5M) | 2016 | Forked BEFORE Sapling upgrade. May not have Orchard circuit fixes. Stale codebase — last major update years ago. AT RISK of known circuit bugs. |
| 6 | Ycash | YEC | Zcash fork (post-Sapling, pre-Canopy) | zk-SNARKs (Groth16, Sapling) | Shielded pool (z-addr) | github.com/ycashfoundation/ycash | Inherits Zcash audits; no independent audits | Sub-2000 (~$3.9M) | 2019 | Forked to preserve 90% mining reward. May lag upstream Orchard/Halo updates. |
| 7 | Hush | HUSH | Zcash fork | zk-SNARKs (Groth16, Sapling) | Shielded pool (z-addr) | github.com/MyHush/hush | Community audited | Sub-3000 (~$519K) | 2017 | Multi-chain clone (HUSH, HSC, SDL). VERY low usage. |
| 8 | BitcoinZ | BTCZ | Zcash fork | zk-SNARKs (Groth16, Sprout) | Shielded pool (z-addr) | github.com/btcz/bitcoinz | No known professional audits | Sub-3000 (~$352K) | 2017 | GPU-mining focused. Sprout-era circuits likely. AT RISK of known Sprout bugs. |
| 9 | Zero | ZER | Zcash fork | zk-SNARKs (Groth16) | Shielded pool (z-addr) | github.com/zerocurrencycoin/zero | No known audits | Sub-4000 (~$289K) | 2017 | Dead/minimal activity. |
| 10 | Ghost | GHOST | Zcash codebase (via PIVX?) | zk-SNARKs (Sapling) | Shielded pool | github.com/ghostbypivx/ghost | No known audits | Sub-3000 (~$587K) | 2020 | John McAfee-linked project. Disputed legitimacy. |
1B. Other Privacy Coins Using ZK Circuits (Non-Zcash Fork)
| # | Project | Ticker | Chain Lineage | ZK Tech | Shielded Pool | GitHub / Source | Audits / Formal Verification | MC Tier | Launched | Known Vulns / Notes |
|---|---|---|---|---|---|---|---|---|---|---|
| 11 | Monero | XMR | CryptoNote (Bytecoin fork) | Bulletproofs + RingCT + stealth addresses | Mandatory privacy (ring signatures + RingCT + stealth addresses) | github.com/monero-project/monero | Multiple academic audits; Kudelski, Quarkslab, Trail of Bits | Top 20 (~$6.15B) | 2014 | Not zk-SNARK — Bulletproofs are range proofs, not circuit-based. No counterfeit coin risk from circuit bugs. Risk is deanonymization via ring signature analysis (FloodXMR, EAE attacks). |
| 12 | Firo (ex-Zcoin) | FIRO | Own chain (Zerocoin -> Sigma -> Lelantus -> Lelantus Spark) | Sigma protocol (ZK proofs, no trusted setup); Lelantus Spark | Lelantus Spark shielded pool | github.com/firoorg/firo | Trail of Bits (Lelantus Spark audit 2022); Least Authority | Sub-1000 (~$14M) | 2016 | 2017 Zerocoin bug — typo allowed minting 370K fake XZC ($440K stolen). 2018 Zerocoin cryptographic flaw (RSA accumulator attack). Switched from Zerocoin to Sigma (2019) to Lelantus Spark. |
| 13 | PIVX | PIVX | Dash fork (hybrid: Dash MN + Zcash Sapling zk-SNARKs) | zk-SNARKs (Groth16, Sapling circuit) | SHIELD (Sapling z-addr) | github.com/PIVX-Project/PIVX | Least Authority (Sapling integration audit) | Sub-1500 (~$5.5M) | 2016 | Hybrid transparent/shielded. Backported Zcash Sapling circuits. Inherits Zcash circuit risks. |
| 14 | Dusk Network | DUSK | Own L1 | zk-SNARKs (PLONK — self-designed "PlonKup") | Phoenix shielded TX | github.com/dusk-network | Multiple audits (ABDK, etc.) | Top 500 (~$57M) | 2019 (testnet) | Custom ZK circuit (PlonKup). HIGH PRIORITY: Novel self-designed circuits = higher under-constraint risk than battle-tested Groth16/Sapling. |
| 15 | Mina Protocol | MINA | Own L1 | Recursive zk-SNARKs (Kimchi/Pickles — O(1) blockchain) | All transactions ZK by default | github.com/MinaProtocol/mina | Multiple audits (O(1) Labs); Formal verification (Kimchi circuit) | Top 500 (~$59M) | 2021 | SUPPLY INTEGRITY RISK: Entire chain is a single recursive ZK proof. Bug in recursive circuit = undetectable state corruption. No historical tracking like Bitcoin. |
| 16 | Aleo | ALEO | Own L1 | zk-SNARKs (Varuna/Marlin — R1CS-based) | All TX private by default (Leo programs) | github.com/AleoHQ/snarkOS | Trail of Bits, NCC Group, Zellic (2023-2024) | Top 500 (~$40M) | 2024 (mainnet) | Leo language for private smart contracts. CUSTOM CIRCUIT RISK — each Leo program generates new R1CS constraints. |
| 17 | Midnight | NIGHT | Cardano sidechain | zk-SNARKs (specific scheme TBD) | Private smart contracts | Not yet open source (testnet 2024-2025) | Unknown; IOG-developed | Top 100 (~$558M) | 2025 (anticipated) | IOG/Cardano ecosystem. Circuit design not yet public. |
| 18 | Iron Fish | IRON | Own L1 | zk-SNARKs (Groth16) | All TX shielded by default | github.com/iron-fish/ironfish | Trail of Bits (2023) | Sub-1400 (~$6.4M) | 2023 | Full-privacy L1. Uses Groth16 circuits for shielded TX. |
| 19 | MobileCoin | MOB | Stellar fork | zk-SNARKs (Bulletproofs + RingCT adapted) | Shielded TX via Fog ledger | github.com/mobilecoinfoundation/mobilecoin | NCC Group, Trail of Bits | No data | 2020 | Signal integration. Fog architecture for private payments. |
| 20 | Beam | BEAM | Own chain (MimbleWimble + Lelantus-MW) | MimbleWimble + Lelantus-MW (Bulletproofs+) | Lelantus-MW shielded pool | github.com/BeamMW/beam | Trail of Bits, Least Authority | Sub-1800 (~$3.2M) | 2019 | MW is not circuit-based in ZK sense. Lelantus-MW adds ZK layer. |
| 21 | Grin | GRIN | Own chain (MimbleWimble) | MimbleWimble (Pedersen commitments + Bulletproofs) | Cut-through transactions (not pool-based) | github.com/mimblewimble/grin | Coinspect, Quarkslab | Sub-1300 (~$6.7M) | 2019 | No shielded pool — MW aggregates TX, doesn't pool them. Coinbase halted GRIN transfers after 51% attacks. |
SECTION 2: ZK-Rollup L2 Projects (Ethereum & Beyond)
These projects use ZK validity proofs to batch L2 state transitions on L1. Under-constrained ZK circuits could enable invalid state transitions, fund theft, or counterfeit asset minting on the rollup.
2A. General-Purpose zkEVMs (Validity Proofs)
| # | Project | Ticker | Chain | ZK Tech | Proof System | GitHub / Source | Audits / Formal Verification | MC Tier | Launched | Known Vulns / Notes |
|---|---|---|---|---|---|---|---|---|---|---|
| 22 | Polygon zkEVM | POL (ex-MATIC) | Ethereum L2 | zk-SNARKs (STARK-to-SNARK wrapper: PIL + eSTARK -> Groth16) | zkEVM circuit (full EVM opcode ZK) | github.com/0xPolygonHermez/zkevm-prover | Hexens, Spearbit; Formal verification ongoing | Top 100 (~$894M) | 2023 | HIGH PRIORITY: Full EVM equivalence in ZK is extremely complex. 100+ EVM opcodes, each with ZK constraints. Polygon zkEVM has an adversarial testing program. |
| 23 | zkSync Era | ZK | Ethereum L2 | zk-SNARKs (PLONK-based, Boojum proof system) | zkEVM circuit (custom zkVM) | github.com/matter-labs/zksync-era | OpenZeppelin, Certora (formal verification of core circuits) | Top 500 (~$106M) | 2023 | Custom zkVM (not EVM bytecode compatible at circuit level). Boojum is a STARK-based prover with PLONK wrapping. |
| 24 | Linea | LINEA | Ethereum L2 | zk-SNARKs (PLONK-based, Vortex prover) | zkEVM circuit (Consensys) | github.com/Consensys/linea-monorepo | Internal Consensys audits; public audit reports partial | Top 500 (~$80M) | 2023 | Consensys-built. Closed-source prover initially; opening gradually. |
| 25 | Scroll | (no token at time of data) | Ethereum L2 | zk-SNARKs (Halo 2 — same as Zcash Orchard) | zkEVM circuit | github.com/scroll-tech/scroll-prover | Trail of Bits, OpenZeppelin; Formal verification of critical paths | N/A | 2023 | USES HALO 2 (Zcash Orchard proof system!). Directly inherits Halo 2 circuit design patterns. Scroll team contributes to Halo 2 upstream. |
| 26 | Taiko | TAIKO | Ethereum L2 | zk-SNARKs (multi-proof: RISC Zero STARK + SGX TEE) | Based ZK-rollup (Ethereum sequencing) | github.com/taikoxyz/taiko-mono | Trail of Bits, Quantstamp, Code4rena | Sub-900 (~$17M) | 2024 | Multi-proof architecture (ZK + SGX). "Based" rollup — uses Ethereum validators for sequencing. |
| 27 | Loopring | LRC | Ethereum L2 (app-specific) | zk-SNARKs (Groth16) | DEX circuit (order-book matching) | github.com/Loopring/protocols | Least Authority, Trail of Bits | Sub-900 (~$17M) | 2019 | Oldest production ZK-rollup DEX. Battle-tested circuits but older Groth16 setup. |
| 28 | Aztec | AZTEC | Ethereum L2 (privacy) | zk-SNARKs (UltraPLONK/Honk, custom Noir DSL) | Private L2 (UTXO model with ZK) | github.com/AztecProtocol/aztec-packages | Trail of Bits, NCC Group; Multiple Zellic audits | Top 500 (~$54M) | 2025 (testnet) | HIGH PRIORITY: Noir DSL for private smart contracts. Each Noir program compiles to ZK constraints. User-written circuits = massive untested attack surface. UTXO privacy model. |
| 29 | Manta Network | MANTA | Polkadot + Ethereum L2 | zk-SNARKs (Groth16) | MantaPay (shielded pool on Polkadot); Manta Pacific (Celestia DA) | github.com/Manta-Network | Veridise, Trail of Bits | Top 500 (~$38M) | 2023 | Forked Zcash Sapling circuits for MantaPay. Inherits Zcash circuit risks. |
| 30 | Hermez Network | HEZ | Ethereum L2 (acquired by Polygon) | zk-SNARKs (original Hermez prover -> Polygon zkEVM) | Payment network | github.com/hermeznetwork | Pre-acquisition audits | Top 600 (~$34M) | 2021 | Acquired by Polygon to form Polygon zkEVM. Legacy token. |
2B. StarkNet / STARK-Based Projects
| # | Project | Ticker | Chain | ZK Tech | Proof System | GitHub / Source | Audits / Formal Verification | MC Tier | Launched | Known Vulns / Notes |
|---|---|---|---|---|---|---|---|---|---|---|
| 31 | StarkNet | STRK | Ethereum L2 | zk-STARKs (Cairo VM) | STARK prover/verifier (Stone/Stwo) | github.com/starkware-libs/cairo | Multiple audits; Formal verification of Cairo core; Ethereum Foundation grants | Top 200 (~$219M) | 2022 | STARKs are quantum-resistant but larger proofs. Cairo VM is a custom non-EVM architecture. Different bug class than SNARKs (no trusted setup, different constraint risks). |
| 32 | Immutable X | IMX | Ethereum L2 (app-specific NFT) | zk-STARKs (StarkEx) | StarkEx Validium | github.com/immutable/imx-contracts | Least Authority, Consensys Diligence | Top 250 (~$117M) | 2021 | StarkEx-based. App-specific (NFT/gaming), not general purpose. |
| 33 | dYdX v3 | DYDX (v3) | Ethereum L2 (app-specific) | zk-STARKs (StarkEx) | StarkEx for perpetuals | github.com/dydxprotocol | Multiple audits | Top 200 (pre-v4) | 2021 | Migrated to Cosmos (dYdX v4). StarkEx is still securing v3. Largest perp DEX. |
2C. Additional ZK-Rollup & Infra Projects
| # | Project | Ticker | Chain | ZK Tech | Notes | MC Tier |
|---|---|---|---|---|---|---|
| 34 | zkLink Nova | ZKL | Aggregation L3 | Multi-chain ZK aggregation | Links multiple L2s via ZK proofs | Top 600 |
| 35 | Mina Protocol | MINA | L1 (ZK-recursive) | Kimchi/Pickles recursive SNARKs | Also listed in Section 1B | Top 500 |
| 36 | Cartesi | CTSI | Ethereum L2 | Optimistic + ZK (Cartesi Machine) | Linux VM on-chain — RISC-V ZK | Sub-800 |
SECTION 3: Privacy Protocols & Mixers on Other Chains (Tornado Cash Successors)
Mixers and privacy protocols using ZK proofs on existing L1s (Ethereum, BSC, etc.). Under-constrained circuits here = fake deposit notes enabling theft from the anonymity pool.
| # | Project | Ticker | Host Chain | ZK Tech | Privacy Mechanism | GitHub / Source | Audits | MC Tier | Launched | Known Vulns / Notes |
|---|---|---|---|---|---|---|---|---|---|---|
| 37 | Tornado Cash | TORN | Ethereum, BNB, Polygon, Arbitrum, Optimism, Avalanche, Gnosis | zk-SNARKs (Groth16, circom circuits) | Mixer — fixed-denomination deposit/withdraw (0.1, 1, 10, 100 ETH) | github.com/tornadocash/tornado-core | ABDK (original circuits); Formal verification of MiMC hash | Top 800 (~$21M) | 2019 | OFAC-SANCTIONED (2022). Original circuits are well-audited. Groth16 proving key was compromised via trusted setup ceremony concern. Contract still operational (immutable). Huge anonymity set. |
| 38 | Railgun | RAIL | Ethereum, BNB, Polygon, Arbitrum | zk-SNARKs (Groth16) | Privacy pool (not fixed-denomination mixer). Users shield/unshield any token. | github.com/Railgun-Privacy | Trail of Bits, ABDK (v2/v3 circuits) | Top 250 (~$133M) | 2021 | HIGH PRIORITY: "Private Proof of Innocence" — users prove deposits aren't from known-bad addresses. Complex circuits combining ZK + membership proofs. |
| 39 | Aztec Connect (deprecated) | — | Ethereum | zk-SNARKs (UltraPLONK) | Cross-shielded-pool DeFi bridge | github.com/AztecProtocol/aztec-connect-bridges | Multiple audits | N/A (sunset 2024) | 2022 | Sunset in 2024 — Aztec pivoting to full L2. Connect bridges had 2023 vulnerability: missing ZK constraint in bridge contract. |
| 40 | Panther Protocol | ZKP | Ethereum, Polygon, multi-chain | zk-SNARKs | zAsset shielded pool (cross-chain privacy) | github.com/pantherprotocol | Zellic, Hacken | Sub-2000 (~$2.2M) | 2023 | Cross-chain privacy using ZK. zAssets = shielded representations of any token. |
| 41 | Privacy Pools (Ameen Soleimani) | N/A | Ethereum | zk-SNARKs | Tornado Cash successor with "association sets" | github.com/ameensol/privacy-pools | Under development | N/A (no token) | 2024 | Tornado Cash spiritual successor by ex-Tornado dev. Proof-of-Innocence concept. Actively developed. |
| 42 | Cyclone Protocol | CYC | IoTeX, Ethereum, BNB | zk-SNARKs (Groth16) | Mixer (fixed denominations) | github.com/cycloneprotocol | CertiK | Micro (~$0) | 2021 | Multi-chain mixer. Low adoption. |
| 43 | Semaphore (protocol) | N/A (infra) | Ethereum | zk-SNARKs (Groth16, circom) | ZK identity/group membership (basis for many mixers) | github.com/semaphore-protocol/semaphore | PSE-audited; used by Worldcoin, etc. | N/A | 2020 | Foundational ZK protocol used by many privacy apps. CIRCUIT IS CRITICAL INFRA — bugs here propagate to all dependents. |
| 44 | Elixir (privacy) | (various) | Ethereum | zk-SNARKs (circom) | Privacy mixer | Unclear | Unknown | Micro | 2022 | Low-activity mixer. |
| 45 | Manta Atlantic | MANTA | Polkadot | zk-SNARKs (Groth16) | MantaPay (shielded pool, Zcash Sapling fork) | github.com/Manta-Network | Veridise, Trail of Bits | Top 500 | 2023 | Zcash Sapling fork on Polkadot. Same risk profile as Zcash forks. |
SECTION 4: Priority Testing Targets
TIER 1 — HIGHEST VALUE FOR AI-ASSISTED CIRCUIT AUDIT
| Priority | Project | Rationale |
|---|---|---|
| CRITICAL | Zcash (ZEC) | Original circuit. Orchard Halo 2 circuits are public. $6.6B at stake. Formal spec exists = perfect for AI-assisted audit. Known precedent of under-constrained circuit bug (2019). |
| CRITICAL | Scroll | Uses Halo 2 (Zcash Orchard) directly. zkEVM complexity. Massive bridge TVL. |
| CRITICAL | Aztec (Noir DSL) | User-written ZK circuits via Noir DSL = nearly infinite untested attack surface. Billions in potential bridge volume. |
| HIGH | Pirate Chain (ARRR) | Shielded-only = supply integrity un-auditable. If counterfeit coins exist, nobody can detect them. $69M MC. |
| HIGH | Mina Protocol (MINA) | Entire state is one recursive proof. Counterfeit supply is mathematically undetectable without full state reconstruction. |
| HIGH | Aleo (ALEO) | New L1 with custom circuits. Leo programs can be audited individually. |
| HIGH | Railgun (RAIL) | Complex "Proof of Innocence" circuits. Large TVL across multiple chains. |
| HIGH | Polygon zkEVM (POL) | Most complex zkEVM circuit in production. Full EVM equivalence. |
| HIGH | Dusk Network (DUSK) | Self-designed PlonKup circuit (not battle-tested Groth16). |
TIER 2 — SIGNIFICANT BUT LOWER URGENCY
| Priority | Project | Rationale |
|---|---|---|
| MEDIUM | Tornado Cash (TORN) | Very well audited. Groth16 circuits are simple (fixed denominations). OFAC sanctions complicate testing. |
| MEDIUM | zkSync Era (ZK) | Boojum STARK prover is novel. Large TVL. |
| MEDIUM | Firo (FIRO) | History of critical ZK bugs (2017 Zerocoin counterfeit, 2018 RSA flaw). Lelantus Spark is new. |
| MEDIUM | Manta Network (MANTA) | Zcash Sapling fork. Lower complexity but inherits upstream risk. |
| MEDIUM | StarkNet (STRK) | Different bug class (STARKs). No trusted setup risk. Cairo 2.0 migration. |
| MEDIUM | Midnight (NIGHT) | IOG-developed. Circuit design not yet public. |
| LOW | Dormant Zcash forks (ZCL, YEC, BTCZ, HUSH, ZER, GHOST) | Stale code. Known to lack Orchard fixes. Nearly zero economic value but useful for testing circuit bugs on dead coins. |
SECTION 5: Methodology Notes for AI-Assisted Circuit Auditing
Under-Constrained Circuit Detection Strategy
- Static analysis of circom/R1CS/Halo 2 circuits: Look for missing constraints in signal assignments. Pattern: a signal is computed but never equality-checked against expected value in the constraint system.
- Differential circuit analysis: Compare Zcash forks against upstream to identify which circuit fixes they've missed.
- Adversarial proof generation: Using a modified prover to generate "valid" proofs for invalid state transitions (supply inflation).
- Privacy-pool supply audit: For shielded-only chains (ARRR), reconstruct total supply bounds by analyzing transparent coinbase + shielded pool in-flow/out-flow delta. If coinbase - transparent_out !== shielded_pool_balance, counterfeit coins exist.
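The static-analysis pattern described above (a signal that is computed but never constrained) can be checked mechanically when reviewing circom source. The following is an added example, not code from this report or from any listed project: a heuristic lint that flags signals assigned with the hint operators `<--` / `-->` whose names appear in no `<==`, `==>` or `===` statement of the same template. The sample templates and all function names are constructed for illustration.

```python
import re

# Constructed sample circuits (not taken from any project in this report).
SAMPLE = """
template IsZero() {
    signal input in;
    signal output out;
    signal inv;
    inv <-- in != 0 ? 1 / in : 0;   // hint only
    out <== -in * inv + 1;          // constrains inv and out
    in * out === 0;
}
template DivideBroken() {
    signal input a;
    signal input b;
    signal output q;
    q <-- a / b;                    // hint only, never checked
}
template DivideFixed() {
    signal input a;
    signal input b;
    signal output q;
    q <-- a / b;
    q * b === a;                    // ties q to the inputs
}
"""

IDENT = re.compile(r"[A-Za-z_]\w*")
# "sig <-- expr" and "expr --> sig" assign a witness value without a constraint.
HINT_LEFT = re.compile(r"^([A-Za-z_]\w*)(?:\[[^\]]*\])*\s*<--")
HINT_RIGHT = re.compile(r"-->\s*([A-Za-z_]\w*)(?:\[[^\]]*\])*$")
CONSTRAINT_OPS = ("<==", "==>", "===")

def strip_comments(src):
    # Remove /* ... */ and // ... comments before splitting into statements.
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def unconstrained_signals(src):
    """Return (template, signal) pairs that are hinted but never constrained."""
    findings = []
    for chunk in re.split(r"\btemplate\s+", strip_comments(src))[1:]:
        name = IDENT.match(chunk).group(0)
        body = chunk[chunk.index("{") + 1:]
        stmts = [s.strip() for s in re.split(r"[;{}]", body) if s.strip()]
        hinted, constrained = [], set()
        for s in stmts:
            if any(op in s for op in CONSTRAINT_OPS):
                # Every identifier in a constraint statement counts as covered.
                constrained.update(IDENT.findall(s))
            else:
                m = HINT_LEFT.search(s) or HINT_RIGHT.search(s)
                if m:
                    hinted.append(m.group(1))
        findings += [(name, sig) for sig in hinted if sig not in constrained]
    return findings

if __name__ == "__main__":
    print(unconstrained_signals(SAMPLE))  # [('DivideBroken', 'q')]
```

A clean result only means each hinted signal is mentioned in some constraint, not that the constraint is sufficient; signals wired through sub-components or constrained per array index still need manual review or a dedicated analyzer.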
Key Questions Per Project
- Which Zcash circuit milestone does this fork include? (Sprout / Sapling / Orchard / NU5?)
- Does the project use a publicly audited trusted setup? (Groth16 requires MPC ceremony)
- Has the proving/verification key been independently verified?
- Are there any custom circuit modifications beyond stock Zcash?
- What is the shielded pool anonymity set size over time?
Report compiled from: CoinGecko API (privacy coins, ZK category, rollup category, L2 category), Wikipedia (Zcash, Zerocoin, Monero), L2Beat, project GitHub repositories, and known audit/trail reports. Market data as of 2026-06-05. This analysis is for authorized security research purposes only.