-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wrong verifying key contract permutation length can be considered valid by validateVKPermutationsLength #10
Comments
I suppose this is kinda analogous / related to how
If the no. of commitments change, then the length of the bytecode loaded also changes, no? But I suppose But I think the point I'm tryna make is maybe Although I did not notice any of the verifiers using pointers starting from the commitments. They all seem to only use the ptrs until
|
I don't understand this part:
|
Sure, it is a follow up of this discussion https://discord.com/channels/877252171983360072/1230201530582568962/1230453113199263777
Hence, if a different summa-solvency/contracts/src/Summa.sol Line 151 in fec83a7
In the current one, https://github.com/zBlock-2/summa-solvency/blob/fec83a747ead213261aecfaf4a01b43fff9731ee/contracts/src/VerifyingKey.sol there are 1 fixed commitments and 10 permutation commitments. |
The permutation commitments are utilized during the verification process in
|
To further clarify the example, let's consider how manipulation could occur in the current Summa implementation. summa-solvency/contracts/src/Summa.sol Line 147 in fec83a7
This demonstrates that adjustments can be made by altering the circuit configuration. Subsequently, the prover would need to send the commitment transaction with more public inputs. Here, I assume the Summa contract has been modified to accommodate two public inputs by adjusting the arguments here: summa-solvency/contracts/src/Summa.sol Line 239 in fec83a7
It's important to note that the prover would need to modify other hardcoded numbers to achieve a valid result from the Furthermore, another variable, summa-solvency/contracts/src/Summa.sol Lines 154 to 156 in fec83a7
It can also produce a valid result with an incorrect number of currencies and a different balanceByteRange.
This outcome follows the formula: summa-solvency/contracts/src/Summa.sol Lines 147 to 149 in fec83a7
However, such discrepancies are typically obvious to users when they attempt to verify their proofs. |
The function
validateVKPermutationsLength
is used to validate the number of permutations in the verifying key contract corresponds to the circuit used to generate proof for the number of cryptocurrencies the custodian committed to. The Summa contract assumes that permutations commitments begins at bytes0x2e0
in thevKContract
(source)This can lead to wrongfully consider valid vkContracts with different permutation commitments from the circuit used by the custodian. A simple case would be a verifying contract with 2 fixed commitments but one permutation commitment less than the one being used. In this case, all others things being equals, the permutations commitments would not begin at bytes
0x2e0
but at0x0320
. As the length of the bytes of the contracts are still equals due to one permutation in less,validateVKPermutationsLength
would consider this vkcontract valid but in fact is not.The text was updated successfully, but these errors were encountered: