DEV Community

Teycir Ben Soltane


ZkPatternMatcher: A Practical Security Scanner for ZK Circuits

GitHub: https://github.com/Teycir/ZkPatternMatcher

The Problem

Zero-knowledge proof circuits (for example, those written in Circom) can have subtle vulnerabilities that break cryptographic soundness. A single underconstrained signal can allow proof forgery.

The Solution: Pattern Matching

I built ZkPatternMatcher, a Rust-based scanner that detects vulnerabilities using YAML-defined patterns.

Quick Example

Detect underconstrained assignments:

patterns:
  - id: underconstrained_assignment
    kind: regex
    pattern: '<--'
    message: 'Unconstrained assignment detected'
    severity: critical

Run the scanner:

zkpm patterns/vulnerabilities.yaml circuit.circom

Output:

🔴 [Critical] Unconstrained assignment operator (<--) detected
   Location: line 15, column 7
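
A plain text match on `<--` also fires on commented-out code, and it cannot tell a signal that is never constrained from one that a later `===` or `<==` statement refers to. The following added example (not ZkPatternMatcher's own code; `Hit`, `triage` and the constructed `SAMPLE` circuit are hypothetical) reports line and column like the output above and records whether the assigned signal appears in any constraint, as a triage hint rather than a soundness check:

```rust
// Added example, not ZkPatternMatcher code: std-only triage of `<--` hits.
// `Hit`, `triage` and SAMPLE are hypothetical names; SAMPLE is a constructed circuit.
// Assumes plain signal names and `//` comments only (no `/* */` handling).
#[derive(Debug, PartialEq)]
pub struct Hit {
    pub line: usize,   // 1-based
    pub column: usize, // 1-based byte offset of `<--`
    pub signal: String,
    pub constrained_elsewhere: bool,
}
pub const SAMPLE: &str = "\
template Demo() {
    signal input in;
    signal output out;
    signal inv;
    signal isz;
    // inv <-- 1 / in;
    inv <-- in != 0 ? 1 / in : 0;
    isz <-- in == 0 ? 1 : 0;
    out <== -in * inv + 1;
}
";

// Drop a trailing `//` comment so commented-out code is not reported.
fn code_part(line: &str) -> &str {
    line.find("//").map_or(line, |i| &line[..i])
}

// Whole-identifier match, so `in` does not match inside `inv`.
fn mentions(text: &str, name: &str) -> bool {
    text.split(|c: char| !(c.is_alphanumeric() || c == '_' || c == '$')).any(|t| t == name)
}
pub fn triage(src: &str) -> Vec<Hit> {
    let lines: Vec<&str> = src.lines().map(code_part).collect();
    let mut hits = Vec::new();
    for (i, line) in lines.iter().enumerate() {
        if let Some(pos) = line.find("<--") {
            // Left-hand signal with any array index stripped: `out[i]` -> `out`.
            let signal = line[..pos].trim().split('[').next().unwrap_or("").trim().to_string();
            // Heuristic: another statement using `===` or `<==` mentions the signal.
            let constrained_elsewhere = lines.iter().enumerate().any(|(j, l)| {
                j != i && (l.contains("===") || l.contains("<==")) && mentions(l, &signal)
            });
            hits.push(Hit { line: i + 1, column: pos + 1, signal, constrained_elsewhere });
        }
    }
    hits
}
fn main() { for h in triage(SAMPLE) { println!("{:?}", h); } }
```

A hit with `constrained_elsewhere: false` (here `isz`) deserves review first; a `true` result only means the signal is referenced by some constraint, not that the constraint is sufficient.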

Key Features

✅ Validated - Tested against 16 real-world vulnerable circuits
✅ Easy patterns - 3-step YAML contribution process
✅ CI/CD ready - JSON output for automation
✅ Library + CLI - Use standalone or integrate into Rust projects

Usage as Library

use zk_pattern_matcher::{load_pattern_library, PatternMatcher};

let library = load_pattern_library("patterns/vulnerabilities.yaml")?;
let matcher = PatternMatcher::new(library)?;
let matches = matcher.scan_file("circuit.circom")?;
for m in matches {
    println!("{:?}: {}", m.severity, m.message);
}

CI/CD Integration

# .github/workflows/security.yml
- run: cargo install zkpm --version 0.1.0
- run: zkpm --format json patterns/production.yaml circuits/


Contributing Patterns (Super Easy!)

1. Copy template:

cp patterns/TEMPLATE.yaml patterns/your_pattern.yaml

2. Fill in vulnerability details

3. Test: zkpm validate patterns/your_pattern.yaml

Pattern sources: zkBugs, audit reports, CVE databases.

Tech Stack

Rust 1.80+ (uses LazyLock for semantic analysis)
regex/fancyregex engines
serde for YAML parsing
clap for CLI

Current Status

✅ 5 baseline patterns (3 vulnerability detectors + 2 developer markers)

✅ 16 vulnerable fixtures + 10 safe controls validated

✅ 0 high/critical false positives on safe controls
