Many Zero-knowledge proving systems, including Groth16, require something called a 'trusted setup ceremony', where one or more people (usually a commonly trusted set of third parties) create some secret data and some corresponding public data. The public data from this ceremony can then be used to create and verify zero knowledge proofs. The important part of the ceremony is that the secret data (often called 'toxic waste') must be deleted unrecoverably.
If that toxic waste isn't deleted, it can be used to create fraudulent proofs indistinguishable from valid proofs.
There are more powerful ZKP systems like STARKs available these days, which do not require trusted third parties, but their proofs are much larger and slower to verify. Most blockchain applications prefer SNARKs for performance.
Also, could you explain a little what the difference is between a multisig escrow instead of an on-chain ZKP verifier?
Sovryn's on-chain ZKP verifier is basically a BitVM smart contract holding a user's BTC in escrow, which says: "release these coins to whomever can provide a proof that X tokens were burned on Y other blockchain". How that proof is constructed I don't know... But if such a proof can be verified on Bitcoin (using their flavor of BitVM) then the prover is entitled to get their escrowed bitcoin back.
A multisig escrow is much simpler, faster, and more efficient on-chain, but requires more trust. A user deposits money into a 2-of-2 multisig, where the first key belongs to the user, and the second key is a FROST threshold key belonging to some group of independent auditors. Those auditors watch the other blockchain and promise to sign a refund transaction when the user burns their wrapped BTC tokens.
Naturally the auditors could withhold that signature, or go offline, and the user doesn't get their money back. Hence the higher trust level. But with a diverse enough group, that risk can be mitigated, and there's zero risk of the user's Bitcoins being stolen because the user holds one of the necessary signing keys.
X
tokens were burned on Y other blockchain". How that proof is constructed I don't know... But if such a proof can be verified on Bitcoin (using their flavor of BitVM) then the prover is entitled to get their escrowed bitcoin back.