logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-c873-wfhp-wx5m sp1-stark

Package

Manager: cargo
Name: sp1-stark
Vulnerable Version: >=0 <4.0.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

SP1 has missing verifier checks and fiat-shamir observations In SP1’s STARK verifier, the prover provided `chip_ordering` is used to fetch the index of the chips that have preprocessed columns. Prior to v4.0.0, the validation that this `chip_ordering` correctly provides these indexes was missing. In v4.0.0, this was fixed by adding a check that the indexed chip’s name is equal to the name stored in the verifying key’s chip information. In the recursive verifier, every verifier program is generated beforehand and later checked for correctness by requiring a merkle proof to the precomputed merkle root of valid verifier keys. Therefore, the recursive verifier and the on-chain verifier were not affected by this vulnerability. This code was audited twice, once as a part of the audit by KALOS and once by Cantina for v1.0.0. This bug was found by the Succinct team during preparation of v4.0.0. Out of abundance of caution, we will be deprecating all previous versions and freeze the corresponding verifiers. Furthermore, in the recursive verifier, the `is_complete` boolean flag is used to flag a proof of complete execution. Prior to v4.0.0, this flag was underconstrained in parts of our recursive verifier, such as the first layer of the recursion. In v4.0.0, this bug was fixed by adding appropriate calls to the `assert_complete` function, which constrains the correctness of the `is_complete` flag. This code was a part of the audit for v3.0.0. This bug affects the soundness of the Rust SDK for verifying compressed proofs, and the soundness of on-chain verifier for deferred proofs. This issue was found by a combined effort from Aligned, LambdaClass and 3MI Labs, and was also independently found by Succinct during the preparation of v4.0.0. Lastly, SP1’s STARK verifier relied on logic inside Plonky3, one SP1's core dependencies, to check that the polynomial evaluation claims are correct using a FRI-based polynomial commitment scheme. To batch this check, multiple polynomial evaluation claims are combined using a random linear combination. Prior to v4.0.0, the individual evaluation claims were not observed into the challenger before sampling the coefficient for the random linear combination. In v4.0.0, this was fixed by observing all the evaluation claims into the challenger correctly inside of Plonky3. This bug was found by Lev Soukhanov and Onur Kilic, and we have worked closely with the Plonky3 team to mitigate this vulnerability. We will be deprecating all previous versions and freezing their verifiers to ensure that versions with the vulnerability will not be used in production.

Metadata

Created: 2025-01-15T21:25:54Z
Modified: 2025-01-28T02:03:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-c873-wfhp-wx5m/GHSA-c873-wfhp-wx5m.json
CWE IDs: []
Alternative ID: N/A
Finding: F204
Auto approve: 1