Smart contract bugs cost billions. In 2023 alone, over $1.8B was lost
to exploits. The problem? No standardized way for security researchers
to disclose vulnerabilities and get rewarded fairly.
zk.egold.dev solves this with a trustless ZK Exploit Disclosure
Protocol on Ethereum.
The Problem with Bug Bounties Today
- Researchers disclose vulnerability → company ghosts them
- No proof the researcher found it first
- Payment disputes with no on-chain record
- Centralized platforms take huge cuts
How zk.egold.dev Works
Step 1 — Commit
Researcher hashes the exploit details off-chain:
commitment = keccak256(exploitDetails + secret)
Submit commitment on-chain — timestamp proves discovery date.
Step 2 — Escrow
Protocol owner locks bounty in smart contract escrow.
Funds are trustlessly held — neither party can rug.
Step 3 — Reveal
Researcher reveals exploit details + secret.
ZK proof verifies commitment matches reveal — without exposing
details prematurely.
Step 4 — Payout
Smart contract releases escrow automatically upon valid proof.
Full audit trail on-chain. No disputes. No middlemen.
Zero-Knowledge Privacy
The ZK circuit guarantees:
- Researcher proves knowledge WITHOUT revealing the exploit
- Commitment is binding — cannot be faked retroactively
- Payout is automatic — no human can block it
Live Deployment
🌐 Platform: https://zk.egold.dev
📦 GitHub: https://github.com/ar1as1/zkbounty
🔗 Network: Ethereum Sepolia Testnet
For Security Researchers
If you find a vulnerability in any Web3 protocol:
- Generate your commitment locally
- Submit on-chain — your timestamp is proof
- Negotiate bounty with protocol owner
- Reveal and get paid — trustlessly
No more getting ghosted. No more payment disputes.
The protocol enforces fairness mathematically.
Built with Circom, Groth16, Solidity, React, and Foundry.

Top comments (2)
Interesting design—this is essentially a commit–reveal bounty escrow system with ZK used to separate “proof of knowledge” from premature disclosure. In practice, the hardest part won’t be the Groth16 verification, but the social and economic layer: defining what counts as a valid exploit without opening it to ambiguous disputes or gaming around partial disclosures.
yeah right actualy im still find out to solve....