New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Double spending threat if no range check is done on public inputs in verifier #38
Comments
Looks like zeth is vulnerable, the check should be added here
|
I propose to check the nullifiers inside BaseMixer.sol so that it is not proof dependent. zeth/zeth-contracts/contracts/BaseMixer.sol Line 113 in e0b4ed4
Also why do we add the nullifiers before checking the proof passes ( "nullifiers[current_nullifier] = true;" ) ? This could lead to a DoS attack. I do not think there are attacks on the range of the other primary inputs. That being said, I would rather have a dedicated function to assemble and check all inputs before doing any verification (since the assemble values are used in several places). |
A state transition is atomic, so if the verifier rejects the proof, then all previous changes made to the contract's state are reversed. Theoretically it doesn't change anything to do the check before or after.
It is clear that the proof verification is the most expensive of these 2 checks (you do a pairing check with 3 pairings - in the case of Groth16 - and a linear (in the nb of pub inputs) number of scalar multiplications). Hence, you'd rather check the nullifiers before the proof since it aborts the execution faster than if you checked the proof first. |
I think only the nullifier needs to be checked indeed. |
Thanks @poma ! |
There is indeed only one function which re-assemble any input, what I meant is how we use this function.
|
Why not check all the inputs in Groth16Verifier.sol? Like this https://github.com/iden3/snarkjs/blob/master/templates/verifier_groth.sol#L191 |
@poma I proposed to do it outside of Groth16Verifier.sol simply because we have another proof verifiier (PGHR13Verifier.sol) and this check will be done regardless of the proof verifier used. :) |
This issue was fixed in #74 (btw: Thanks @poma :) ) |
We need to make sure that we constrain the public inputs to be <p in the verifier contract.
See: semaphore-protocol/semaphore#16
The text was updated successfully, but these errors were encountered: