fix(security): verifier contract range limit checks #43

Merged
merged 6 commits into from
Apr 3, 2020

@skarred14 skarred14 commented Mar 25, 2020

Description

Following an issue raised by @weijiekoh, this PR checks for the range limits for proof and public inputs to the verify() in Verifier.sol. Although there are parameters in the radish34/api/src/utils/crypto/ecc/babyjubjubparams.js that are utilized in signature verification, there is currently no additional check against the inputs that any user could enter while interacting directly with the deployed Verifier contract.

Related Issue

#34

Motivation and Context

Test data for the Verifier.test.js is based on running/debugging the integration test

semaphore-protocol/semaphore#16
https://github.com/appliedzkp/semaphore/blob/master/contracts/sol/verifier.sol#L199

How Has This Been Tested

All tests at the root level as indicated in npm run test pass. New tests at radish34/contracts/ level also pass.

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
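
The range check described in this PR, mirrored off-chain as an added example (it is not code from this PR or repository). It assumes the Verifier relies on Ethereum's alt_bn128 pairing precompiles, as the linked Semaphore verifier does, and a snarkjs-style proof layout; `inRange`, `checkVerifierInputs` and the sample values are hypothetical names and constructed data.

```javascript
// Added example: field-range validation for zk-SNARK verifier inputs.
// Assumption: alt_bn128 (BN254) parameters, as used by Ethereum's precompiles.
const PRIME_Q = 21888242871839275222246405745257275088696311157297823662689037894645226208583n; // base field modulus
const SNARK_SCALAR_FIELD = 21888242871839275222246405745257275088548364400416034343698204186575808495617n; // scalar field modulus

// True only if value parses as an integer in [0, bound).
function inRange(value, bound) {
  // BigInt("") evaluates to 0n, so reject blank strings explicitly.
  if (typeof value === "string" && value.trim() === "") return false;
  try {
    const n = BigInt(value);
    return n >= 0n && n < bound;
  } catch (e) {
    return false; // not an integer (e.g. "abc" or 1.5)
  }
}

// Returns a list of violations; an empty list means every value is in range.
// Assumed proof layout: { a: [x, y], b: [[x1, x0], [y1, y0]], c: [x, y] }.
function checkVerifierInputs(proof, publicInputs) {
  const errors = [];
  const coords = { a: proof.a, b: proof.b.flat(), c: proof.c };
  for (const [name, values] of Object.entries(coords)) {
    values.forEach((v, i) => {
      // Curve point coordinates live in the base field.
      if (!inRange(v, PRIME_Q)) errors.push(`proof.${name}[${i}] is not in [0, q)`);
    });
  }
  publicInputs.forEach((v, i) => {
    // Public inputs are scalars. Without this check, v and v + r are treated
    // as the same input by the pairing equation, so one proof would be
    // accepted for two distinct uint256 values.
    if (!inRange(v, SNARK_SCALAR_FIELD)) errors.push(`input[${i}] is not in [0, r)`);
  });
  return errors;
}

// Constructed sample values (not a valid proof; only the ranges matter here).
const sampleProof = { a: ["1", "2"], b: [["3", "4"], ["5", "6"]], c: ["7", "8"] };
const sampleInput = 42n;
const aliasedInput = sampleInput + SNARK_SCALAR_FIELD; // same residue mod r, out of range

console.log(checkVerifierInputs(sampleProof, [sampleInput]));
console.log(checkVerifierInputs(sampleProof, [aliasedInput]));
```

Running the same function against the test vectors in a regression suite keeps the on-chain and off-chain bounds in agreement.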

bitwiseguy previously approved these changes Mar 25, 2020

@brian-lc brian-lc left a comment

Thanks for the fix! Glad to see the boundary checking in place. Could you add some tests to make sure we don't lose this in some refactoring/regression?

@skarred14

test cases updated


@bitwiseguy bitwiseguy left a comment

All tests pass for me

@skarred14 skarred14 linked an issue Apr 1, 2020 that may be closed by this pull request
@bitwiseguy bitwiseguy requested a review from brian-lc April 2, 2020 17:04
@skarred14 skarred14 requested a review from kthomas April 3, 2020 11:57
@skarred14 skarred14 merged commit 86bebb7 into master Apr 3, 2020
@skarred14 skarred14 deleted the snark-rangelimit-check branch April 3, 2020 20:06
Successfully merging this pull request may close these issues.

Potential security bug with the zk-SNARK verifier