
fix: prevent ZK proof replay in ZkAuditVerifier #8

Closed
murd3r17 wants to merge 109 commits into ZhangJinHaHaHa:main from murd3r17:fix/issue-4-zk-proof-replay


murd3r17 commented May 27, 2026


Summary

  • Add global _usedProofHashes mapping to prevent Groth16 proof replay in verifyAuditScore and verifyFingerprint
  • Split Groth16 internal call helpers for 8- and 3-input verifiers; fix NatSpec
  • Add MockGroth16Verifier and regression tests

Fixes #4

Test plan

  • npm run test:zk (4 tests passing)

AI assistance

Used Cursor AI to analyze issue #4, implement the fix, and write regression tests.
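
The replay guard described in the summary above, as an added example that is not the PR's or the project's own code. The names `_usedProofHashes`, `verifyAuditScore` and `verifyFingerprint` come from the summary; the verifier interfaces (snarkjs-style `verifyProof`), the function signatures, the custom errors and the contract name are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed snarkjs-style verifier interfaces; the project's real ones are not shown on this page.
interface IVerifier8 {
    function verifyProof(uint256[2] calldata a, uint256[2][2] calldata b,
        uint256[2] calldata c, uint256[8] calldata pub) external view returns (bool);
}
interface IVerifier3 {
    function verifyProof(uint256[2] calldata a, uint256[2][2] calldata b,
        uint256[2] calldata c, uint256[3] calldata pub) external view returns (bool);
}

contract ReplayGuardExample {
    IVerifier8 public immutable auditVerifier;
    IVerifier3 public immutable fingerprintVerifier;

    // Single mapping shared by both entry points, so a proof consumed by one
    // path is rejected if it is ever submitted again on either path.
    mapping(bytes32 => bool) private _usedProofHashes;

    error ProofAlreadyUsed(bytes32 proofHash);
    error InvalidProof();

    constructor(IVerifier8 v8, IVerifier3 v3) {
        auditVerifier = v8;
        fingerprintVerifier = v3;
    }

    function verifyAuditScore(uint256[2] calldata a, uint256[2][2] calldata b,
        uint256[2] calldata c, uint256[8] calldata pub) external returns (bool) {
        bytes32 h = keccak256(abi.encode(a, b, c, pub)); // proof + public signals
        if (_usedProofHashes[h]) revert ProofAlreadyUsed(h);
        if (!auditVerifier.verifyProof(a, b, c, pub)) revert InvalidProof();
        _usedProofHashes[h] = true; // recorded only after the proof verifies
        return true;
    }

    function verifyFingerprint(uint256[2] calldata a, uint256[2][2] calldata b,
        uint256[2] calldata c, uint256[3] calldata pub) external returns (bool) {
        bytes32 h = keccak256(abi.encode(a, b, c, pub));
        if (_usedProofHashes[h]) revert ProofAlreadyUsed(h);
        if (!fingerprintVerifier.verifyProof(a, b, c, pub)) revert InvalidProof();
        _usedProofHashes[h] = true;
        return true;
    }
}
```

A hash over the proof bytes only rejects byte-identical resubmissions, and Groth16 proofs are malleable. Binding a nullifier or nonce into the circuit's public signals and tracking that value is the stronger control.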

ZhangJinHaHaHa and others added 27 commits April 22, 2026 18:49
- Replace 'Discover Verified AI Agents' with 'Before You Hire an AI Agent, Know Exactly What You're Getting'
- Update badge from 'Trusted Agent Infrastructure' to 'Trusted Agent Marketplace'
- Rewrite subtitle from feature list to value proposition
- Replace empty-state registry message with market-first narrative
- Add Buyers / Developers / Auditors role guidance cards
- Update nav tagline to 'Verify Before You Buy'
- Add meta description to index.html
- Add CSS for marketplace-hero__roles and marketplace-hero__role
- Replace MPL-2.0 with GNU Affero General Public License v3.0 (AGPL-3.0)
- Update README.md: AGPL badge, commercial license notice, official platform teaser
- Update README_CN.md: same changes in Simplified Chinese
- Add CLA.md: Contributor License Agreement enabling dual-license commercialization
- Remove redundant _CN variant files (CONTRIBUTING_CN, SECURITY_CN, CODE_OF_CONDUCT_CN)
- Add 'About the Author & Collaboration' section to README.md and README_CN.md
- Highlight student background and open call for collaborators in Web3/AI Agent/ZK/TEE/Audit
…, and access history

- SearchFilterBar: add Task Type (DeFi/Chatbot/DevOps/Data/Automation) and Price Range filters
- SearchFilterBar: add Sort Order dropdown (score, reputation, popular, price, freshness)
- LeaderboardSection: new component with 4 tabs (Top Scored / Best Reputation / Most Popular / Recently Audited)
- AccessHistoryCard: new component showing on-chain rental/purchase transaction history
- useAccessHistory: new hook to fetch access records from MarketplaceClient
- marketplaceClient: add getAccessRecords() method
- HomePage: wire up all new filters, sort, and leaderboard
- AgentDetailPage: integrate AccessHistoryCard below audit history
- styles.css: add CSS for sort-select, leaderboard, and access-history components
- All changes verified: tsc zero errors, vite build successful
- Rewrite README.md with badge strip, Mermaid architecture diagram and value-first narrative
- Add README_CN.md (Simplified Chinese version)
- Add LICENSE (Mozilla Public License 2.0)
- Add CONTRIBUTING.md / CONTRIBUTING_CN.md
- Add SECURITY.md / SECURITY_CN.md
- Add CODE_OF_CONDUCT.md / CODE_OF_CONDUCT_CN.md (Contributor Covenant 2.1)
…date mascot image (remove blue bg, beige inner)
…eport

- Add 'Platform Walkthrough & Live Demo' section walking buyers through
  the marketplace homepage, agent profile, 6-dimensional radar chart,
  scene suitability, trust guarantee flow, TEE attestation, audit
  history and on-chain gated reviews, with 8 live screenshots.
- Add 'Benchmark Audit Report — Mainstream LLM Agents' section grouping
  the live agents into three categories (Tier-1 general-purpose models,
  Agent-native & vertical models, failure cases) and reporting their
  audit verdicts under the same pipeline.
- Synchronize the same content into README_CN.md.
- Add docs/screenshots/ assets (8 PNGs).
- Update popo-mascot.png: remove the ping-pong table/net/legs from
  the mascot illustration; keep only Popo (the ping-pong ball with
  the verification shield) on a soft halo background. Also sync the
  same asset to frontend/public/popo-mascot.png so the marketplace
  uses the new artwork everywhere.
- README.md / README_CN.md: replace 'sits atop a table tennis table'
  wording, and add a 'Where you'll meet Popo on the platform' table
  documenting Popo's three real touchpoints in the marketplace
  (NavHeader brand mark, first-visit welcome toast, EmptyState
  illustration with popo-float animation), so the mascot section
  reflects the actual product.
…e racket emoji in author section

- Revert popo-mascot.png (top of README) and frontend/public/popo-mascot.png
  back to the original artwork (Popo on a ping-pong table). The previous
  table-removal change was made by mistake.
- Add docs/popo-icon.png — the cleaned ball-only Popo — as a small inline
  asset.
- Replace the trailing ping-pong-racket emoji (🏓) in the
  'About the Author & Meet Popo' section heading of README.md and
  README_CN.md with this small Popo icon, so the section now ends with the
  actual mascot rather than an unrelated emoji.
…reference

Removes the three-row touchpoint table (NavHeader / first-visit toast /
EmptyState) and the trailing 'trust signal' line from the
'About the Author & Meet Popo' section in both README.md and
README_CN.md. The section is now back to its original single-paragraph
mascot story.
…sion logs

- sandbox: add LLM-backed test agent (llmAgent.ts, Dockerfile.llm), update cdkConfig and testAgent server
- contracts: update env examples for edge deployments
- infra: add run-llm-ab-test.sh script, update Dockerfile and e2e scripts
- docs: update agent-integration-guide, verification-methods, and status docs
- security: remove regression-20260416-175024 directory (contained sensitive env/key data)
- frontend: no changes (preserved as-is)
Add global _usedProofHashes dedup to block re-submission of the same Groth16 proof across verifyAuditScore and verifyFingerprint. Split the Groth16 internal call helpers for 8- and 3-input verifiers, fix NatSpec, and add MockGroth16Verifier plus regression tests (Fixes ZhangJinHaHaHa#4).

Co-authored-by: Cursor <cursoragent@cursor.com>

Development

Successfully merging this pull request may close these issues.

ZK proof replay attack in ZkAuditVerifier.verifyAuditScoreProof