Verifier Contracts
To utilize the results generated by a zkVM program in your on-chain application, it’s essential to verify the receipt on-chain.
You can verify a RISC Zero Groth16Receipt using a verify() call to an IRiscZeroVerifier contract.
Using a Verifier
Use verifier contract in your application by calling the verify method with the expected journal and other fields of the receipt.
Below is an example from the EvenNumber.sol contract in the Foundry Template:
contract EvenNumber {
// ...
/// @notice Set the even number stored on the contract. Requires a RISC Zero proof that the number is even.
function set(uint256 x, bytes calldata seal) public {
// Construct the expected journal data. Verify will fail if journal does not match.
bytes memory journal = abi.encode(x);
// The verify call will revert if ther given seal is not a verifying zero-knowledge proof.
verifier.verify(seal, IS_EVEN_ID, sha256(journal));
number = x;
}
// ...
}
In this example, the IS_EVEN zkVM program verifies that the number, x, is even.
By verifying a receipt with the image ID of that program, it is guaranteed that the stored number will always be even.
RISC Zero's zkVM and the IS_EVEN program guarantee that it's computationally impossible to produce a verifying receipt for an odd number.
Deployed verifiers
All of our deployed verifier contracts implement the IRiscZeroVerifier interface. It is recommended that you use the RiscZeroVerifierRouter, described below.
Verifier Router
Calls to RiscZeroVerifierRouter.verify() will be routed to the appropriate base verifier contract depending on which version of the zkVM was used to generate the receipt.
By using the RiscZeroVerifierRouter, your contract can accept multiple types of receipts, including batch-verified receipts and receipts generated with future improvements to the zkVM and proofs system.
RISC Zero deploys and manages the RiscZeroVerifierRouter contract listed below.
This contract will have verifiers added for each release of the zkVM, and will have verifiers removed in the case of security vulnerabilities.
You can find detailed information in the version management design, including information about how to manage your own copy of the smart contracts, if your application requires it.
Contract Addresses
You can find detailed information about all the contracts in this table in the risc0-ethereum repo. For your convenience, here is a quick recap:
- RISC Zero provides official deployments on the chains listed below.
- Each officially supported chain has a router contract. This contract implements IRiscZeroVerifier and can be used to verify proofs from any supported version of zkVM. New versions can only be added by RISC Zero via the timelock governance mechanism. These governance features provide forward-compatibility and safety. Addresses for the router and timelocks are given below. For most use cases, we recommend using the router to verify proofs.
- In addition to the router and timelock, each of the supported chains also has a fixed-version verifier contract for each supported versions of zkVM. Each fixed-version verifier is wrapped by an emergency-stop mechanism (which implement IRiscZeroVerifier). RISC Zero can use the emergency-stop to permanently disable the verifier in the event that a soundness bug is ever discovered in that particular version. Addresses for the emergency-stop contracts can be fetched by querying the router (using one of the "selector" values listed below); addresses for the underlying fixed-version verifiers can be fetched by querying the respective emergency-stop. You should only use these contracts if you wish to pin to a specific version of zkVM or wish to bypass the emergency-stop mechanism.
The addresses for the router, timelock governance contract, and RISC Zero's public keys (used when interacting with the timelock or emergency-stop contracts) are listed below.
| Chain | Network | RISC Zero Admin Address | Timelock | Router |
|---|---|---|---|---|
| Ethereum | Mainnet | address | contract | contract |
| Sepolia | address | contract | contract | |
| Arbitrum | Mainnet | address | contract | contract |
| Sepolia | address | contract | contract | |
| Avalance (C-Chain) | Mainnet | address | contract | contract |
| Fuji | address | contract | contract | |
| Base | Mainnet | address | contract | contract |
| Sepolia | address | contract | contract | |
| Linea | Mainnet | address | contract | contract |
| Optimism | Mainnet | address | contract | contract |
| Polygon zkEVM | Mainnet | address | contract | contract |
Users seeking to pin to a specific version of zkVM can use the following table to determine which contract version ("selector") to use:
| zkVM version | Verifier contract version ("selector") |
|---|---|
| 1.0.0 - Latest | 0x310fe598 |