# Bulletproofs Paper: Frozen Heart

{% hint style="info" %}
[**Book an audit with Zokyo**](https://www.zokyo.io/)
{% endhint %}

**Summary**

Related Vulnerabilities: 6. [Frozen Heart](/zokyo-tutorials/tutorial-16-zero-knowledge-zk/common-vulnerabilities-in-zk-code/frozen-heart-forging-of-zero-knowledge-proofs.md)

Identified By: [TrailOfBits Team](https://www.trailofbits.com/)

The Bulletproofs paper, which specifies the Bulletproofs zero-knowledge proof protocol, describes how to use the [Fiat-Shamir transformation](/zokyo-tutorials/tutorial-16-zero-knowledge-zk/definitions-and-essentials/fiat-shamir-transformation-or-fiat-shamir-heuristic.md) to make the proof non-interactive. However, its recommended Fiat-Shamir transformation left a crucial public value out of the hashed transcript. This omission in the non-interactive version of the protocol allowed malicious provers to forge proofs.

**Background**

Many zero knowledge proof protocols are first designed in an interactive way where the prover and verifier must communicate with each other for multiple rounds in order for the proof to be created and subsequently verified. This often takes the form of:

1. The prover creates a random value known as the commitment
2. The verifier replies with a random value known as the challenge
3. The prover uses the commitment, challenge, and their secret data to create a proof

For the proof to be secure, the verifier’s challenge must be entirely unpredictable and uncontrollable by the prover.

The Fiat-Shamir transformation makes a zero-knowledge proof protocol non-interactive by having the prover compute the challenge instead of the verifier. The prover should have no control over the challenge's value, so the prover must derive it as a hash of all public values, including the commitments. This way the prover cannot easily manipulate the proof into being accepted for invalid inputs.

Bulletproofs use [Pedersen commitments](/zokyo-tutorials/tutorial-16-zero-knowledge-zk/definitions-and-essentials/pedersen-commitment.md), which are of the form:

```
commitment = (g^v)(h^gamma)
```

Here *g* and *h* are elliptic curve points and *v* is a secret number. The bulletproof is meant to prove that *v* falls within a certain range. Since this commitment is public, it should be included in the Fiat-Shamir transformation used in the protocol.

**The Vulnerability**

The Bulletproofs paper gave insecure guidance on how to implement the Fiat-Shamir transformation for the protocol: its version did not include the Pedersen commitment in the hashed transcript. The challenge value is therefore independent of the Pedersen commitment, so the prover can keep trying random values for the commitment until they obtain a proof that is accepted for a *v* outside of the desired range. For more details on how exactly this allows a malicious prover to forge a proof, see the TrailOfBits explanation in the references section.

**The Fix**

In order to prevent this Frozen Heart vulnerability, the Pedersen commitment should be added to the Fiat-Shamir transformation hash. This will make the challenge directly dependent on the commitment and restrict the prover’s freedom when making the proof. The new restriction is enough to prevent the prover from forging proofs.
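The transcript point made in the Background, Vulnerability and Fix sections above, as an added runnable illustration (example code written for this page, not code from the Bulletproofs paper, from TrailOfBits, or from any Bulletproofs library). It assumes secp256k1 as the group (standard public constants), derives the second generator *h* by hashing to the curve under a label chosen for this example, and uses a simple Sigma-protocol proof of knowledge of a commitment opening rather than the full range proof, since the Fiat-Shamir issue is the same. All function names are hypothetical. The `bind_commitment=False` path reproduces only the paper's flawed transcript so that the binding check can be shown failing; it does not construct a forged proof.

```python
import hashlib
import secrets

# secp256k1 curve constants (standard, public values). Requires Python 3.8+ for pow(x, -1, P).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend, k = None, pt, k % N
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def hash_to_point(label: bytes):
    """Second generator h with no known discrete log relative to g (try-and-increment)."""
    counter = 0
    while True:
        x = int.from_bytes(hashlib.sha256(label + counter.to_bytes(4, "big")).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # a square root when rhs is a square, since P = 3 mod 4
        if y * y % P == rhs:
            return (x, y)
        counter += 1

H = hash_to_point(b"hypothetical-example-domain-separator")  # label chosen for this example

def pedersen_commit(v, gamma):
    """commitment = (g^v)(h^gamma), written additively as v*G + gamma*H."""
    return ec_add(ec_mul(v, G), ec_mul(gamma, H))

def fs_challenge(*points):
    """Fiat-Shamir challenge: SHA-256 over every public point supplied, reduced mod the group order."""
    h = hashlib.sha256()
    for x, y in points:
        h.update(x.to_bytes(32, "big") + y.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % N

def derive_challenge(C, A, bind_commitment):
    # bind_commitment=False mirrors the paper's flawed transcript, which left the commitment C out.
    return fs_challenge(G, H, C, A) if bind_commitment else fs_challenge(G, H, A)

def prove(v, gamma, C, bind_commitment=True):
    """Non-interactive proof of knowledge of an opening (v, gamma) of C (a Sigma protocol, not a range proof)."""
    r1, r2 = secrets.randbelow(N), secrets.randbelow(N)
    A = ec_add(ec_mul(r1, G), ec_mul(r2, H))    # prover's first message
    e = derive_challenge(C, A, bind_commitment)  # the prover computes the challenge itself
    return A, (r1 + e * v) % N, (r2 + e * gamma) % N

def verify(C, proof, bind_commitment=True):
    """Verifier recomputes e from the same transcript and checks z1*G + z2*H == A + e*C."""
    A, z1, z2 = proof
    e = derive_challenge(C, A, bind_commitment)
    return ec_add(ec_mul(z1, G), ec_mul(z2, H)) == ec_add(A, ec_mul(e, C))

def challenge_binds_commitment(bind_commitment):
    """Review check for a Fiat-Shamir transcript: with A held fixed, a different C must give a different e."""
    A = ec_mul(5, G)
    e1 = derive_challenge(pedersen_commit(1, 2), A, bind_commitment)
    e2 = derive_challenge(pedersen_commit(3, 4), A, bind_commitment)
    return e1 != e2

if __name__ == "__main__":
    C = pedersen_commit(42, 12345)
    print("honest proof verifies:", verify(C, prove(42, 12345, C)))
    print("fixed transcript binds C:", challenge_binds_commitment(True))
    print("flawed transcript binds C:", challenge_binds_commitment(False))
```

Note that an honest proof verifies under both transcripts, which is why a test suite built only from honest provers never catches this bug. `challenge_binds_commitment` is the check a reviewer can apply to any Fiat-Shamir implementation: hold the prover's first message fixed, vary the public statement (here the commitment), and confirm the challenge changes; with the commitment left out of the hash it does not.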

**References**

1. [TrailOfBits Explanation](https://blog.trailofbits.com/2022/04/15/the-frozen-heart-vulnerability-in-bulletproofs/)
