zk.egold.dev — ZK Exploit Disclosure Protocol on Ethereum

ar1as1 — Wed, 03 Jun 2026 04:34:08 +0000

Smart contract bugs cost billions. In 2023 alone, over $1.8B was lost
to exploits. The problem? No standardized way for security researchers
to disclose vulnerabilities and get rewarded fairly.

zk.egold.dev solves this with a trustless ZK Exploit Disclosure
Protocol on Ethereum.

The Problem with Bug Bounties Today

Researchers disclose vulnerability → company ghosts them
No proof the researcher found it first
Payment disputes with no on-chain record
Centralized platforms take huge cuts

How zk.egold.dev Works

Step 1 — Commit
Researcher hashes the exploit details off-chain:
commitment = keccak256(exploitDetails + secret)
Submit commitment on-chain — timestamp proves discovery date.

Step 2 — Escrow
Protocol owner locks bounty in smart contract escrow.
Funds are trustlessly held — neither party can rug.

Step 3 — Reveal
Researcher reveals exploit details + secret.
ZK proof verifies commitment matches reveal — without exposing
details prematurely.

Step 4 — Payout
Smart contract releases escrow automatically upon valid proof.
Full audit trail on-chain. No disputes. No middlemen.

Zero-Knowledge Privacy

The ZK circuit guarantees:

Researcher proves knowledge WITHOUT revealing the exploit
Commitment is binding — cannot be faked retroactively
Payout is automatic — no human can block it

Live Deployment

🌐 Platform: https://zk.egold.dev
📦 GitHub: https://github.com/ar1as1/zkbounty
🔗 Network: Ethereum Sepolia Testnet

For Security Researchers

If you find a vulnerability in any Web3 protocol:

Generate your commitment locally
Submit on-chain — your timestamp is proof
Negotiate bounty with protocol owner
Reveal and get paid — trustlessly

No more getting ghosted. No more payment disputes.
The protocol enforces fairness mathematically.

Built with Circom, Groth16, Solidity, React, and Foundry.

ZK Session Keys: Fix MetaMask Popups in Web3 Games with ERC-4337 Account Abstraction

ar1as1 — Wed, 03 Jun 2026 04:03:40 +0000

Every Web3 game has the same problem — MetaMask keeps interrupting gameplay with popups. Shoot an enemy? Popup. Open a chest? Popup. Buy an item? Popup.

I built a solution: ZK Session Key Validator — sign once at the start, play the entire session without interruptions.

How It Works

Player signs once at game start
A temporary session key is created with strict rules:
- Valid for 2 hours only
- Max spend limit (e.g. 0.01 ETH)
- Whitelisted contracts only
All in-game actions auto-sign silently
Session expires automatically

Zero-Knowledge Proof Security

Every transaction is validated by a Groth16 ZK proof (Circom circuit) that verifies:

Session commitment = Poseidon(masterKey, sessionAddr, nonce)
Target contract is in the Merkle whitelist
currentTime < expiry
spentSoFar + txValue ≤ spendLimit

No trust required — math enforces the rules on-chain.

Live on Sepolia Testnet

Contract	Address
Groth16Verifier	`0x99e61B9dC9C6889Dd2e249CC6183B6fa7A8795E3`
SessionKeyValidator	`0xc5655348C4E6e77AFF2BBb03A5758CaC205347Cf`

Quick Start

import { Prover } from './prover.js';

const prover = await new Prover(RPC_URL, VALIDATOR_ADDRESS).init();

// Sign ONCE — 1 MetaMask popup
await prover.createSession(masterSigner, 7200, parseEther('0.01'), [gameContract], true);

// All actions — ZERO popup
const userOp = await prover.signAction(wallet, gameContract, callData);

GitHub

Full source code, ZK circuit, and deployment scripts:
👉 https://github.com/ar1as1/session-game

Built with: Circom, SnarkJS, Ethers.js v6, Foundry, ERC-4337

DEV Community: ar1as1