CVE-2023-44378 – github.com/consensys/gnark
Package
Manager: go
Name: github.com/consensys/gnark
Vulnerable Version: >=0 <0.9.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00035 (pctl 0.08699)
Details
gnark unsoundness in variable comparison / non-unique binary decomposition

### Impact

For some in-circuit values, it is possible to construct two valid decompositions to bits. In addition to the canonical decomposition of `a`, for small values there exists a second decomposition for `a+r` (where `r` is the modulus the values are being reduced by). The second decomposition was possible due to overflowing the field where the values are defined.

Internally, the comparison methods `frontend.API.Cmp` and `frontend.API.IsLess` used binary decomposition and checked the bitwise differences. This allows a malicious prover to construct a valid proof for a statement `a < b` even if `a > b`.

The issue impacts all users using the `API.Cmp` or `API.IsLess` methods. Additionally, it impacts users of the `bits.ToBinary` or `API.ToBinary` methods if full-width decomposition is requested (the default behaviour if no options are given).

The issue does not impact comparison methods in field emulation (package `std/math/emulated`) or the dedicated comparison package (`std/math/cmp`).

### Patches

The fix was implemented in pull request #835 and merged in commit 59a4087261a6c73f13e80d695c17b398c3d0934f to the master branch. Release v0.9.0 and onwards include the fix. The fix adds a comparison of the decomposed bit-vector to the modulus of the in-circuit values.

### Workarounds

Upgrading to version v0.9.0 should fix the issue without needing to change the calls to value comparison methods.

Alternatively, users can use the `std/math/cmp` gadget, which additionally allows bounding the number of bits being compared, making the comparisons more efficient if the bound on the absolute difference of the values is known.
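The following added example (not gnark code and not part of the advisory) models the issue over plain integers: it lists the full-width bit vectors that recompose to a value modulo `r`, shows a bitwise comparison accepting the aliased vector, and applies the kind of check the fix describes, rejecting any vector not below the modulus. The toy modulus 13, the function names and the restriction to moduli below 2^63 are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"math/bits"
)

// toBits returns the n-bit little-endian decomposition of v.
func toBits(v uint64, n int) []uint8 {
	out := make([]uint8, n)
	for i := range out {
		out[i] = uint8(v >> i & 1)
	}
	return out
}

// Decompositions lists every n-bit vector (n = bit length of r) that
// recomposes to a modulo r: the canonical one and, if a+r < 2^n, an alias.
func Decompositions(a, r uint64) [][]uint8 {
	n := bits.Len64(r)
	res := [][]uint8{toBits(a, n)}
	if a+r < 1<<n {
		res = append(res, toBits(a+r, n))
	}
	return res
}

// BitwiseLess compares equal-length vectors from the most significant bit down.
func BitwiseLess(x, y []uint8) bool {
	for i := len(x) - 1; i >= 0; i-- {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// IsCanonical is the extra constraint: the vector read as an integer is < r.
func IsCanonical(b []uint8, r uint64) bool {
	return BitwiseLess(b, toBits(r, len(b)))
}

func main() {
	const r = 13 // constructed toy modulus standing in for the field modulus
	a, b := Decompositions(2, r), Decompositions(1, r)
	fmt.Println("bitwise 2 < 1 using alias of 1:", BitwiseLess(a[0], b[1]))
	fmt.Println("alias passes modulus check:", IsCanonical(b[1], r))
}
```

With the modulus check in place, only the canonical vector of each value is accepted, so the bitwise comparison agrees with the comparison of the underlying field elements.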
### References

* https://github.com/Consensys/gnark/pull/835
* https://github.com/zkopru-network/zkopru/issues/116
* https://github.com/iden3/circomlib/pull/48

### Acknowledgement

The vulnerability was reported by [Marcin Kostrzewa](https://github.com/kustosz) @ [Reilabs](https://reilabs.io/).
Metadata
Created: 2023-10-04T14:44:08Z
Modified: 2023-10-13T23:13:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-498w-5j49-vqjg/GHSA-498w-5j49-vqjg.json
CWE IDs: ["CWE-191", "CWE-697"]
Alternative ID: GHSA-498w-5j49-vqjg
Finding: F111
Auto approve: 1