hotfix: workaround gnark 0.10.0 unsoundness bug
A lot of time passed since gnark v0.10.0 unsoundness bug[0] was reported
and fixed. We postponed the upgrade because the fixed release, v0.11.0,
contains another vulnerability, an OOM[1], for which a fix has been in
main since last November but no release appeared until now.

Our options here are limited, and none quite happy:
- We can `redirect` to a commit in `main`;
- We can disable groth16 verifiers from the network, which we currently
  use; or
- We can enforce that proofs have only one commitment, as the
  unsoundness can only be triggered with multiple commitments per proof.

This implements the latter option, being the least invasive one.

[0]: https://www.zellic.io/blog/gnark-bug-groth16-commitments
[1]: GHSA-cph5-3pgr-c82g
Oppen committed Jan 20, 2025
1 parent eabda9c commit 9d92813
Showing 2 changed files with 25 additions and 0 deletions.
12 changes: 12 additions & 0 deletions batcher/aligned-batcher/gnark/verifier.go
Expand Up @@ -20,6 +20,7 @@ import (

"github.com/consensys/gnark-crypto/ecc"
"github.com/consensys/gnark/backend/groth16"
bn254 "github.com/consensys/gnark/backend/groth16/bn254"
"github.com/consensys/gnark/backend/plonk"
"github.com/consensys/gnark/backend/witness"
)
Expand Down Expand Up @@ -98,6 +99,17 @@ func verifyGroth16Proof(proofBytesRef C.ListRef, pubInputBytesRef C.ListRef, ver
return false
}

bn254Proof, ok := proof.(*bn254.Proof)
if !ok {
log.Printf("groth16 proof is not bn254")
return false
}
numCommitments := len(bn254Proof.Commitments)
if numCommitments > 1 {
log.Printf("too many commitments (%v) for groth16 proof (unsound for v0.10.0)", numCommitments)
return false
}

pubInputReader := bytes.NewReader(pubInputBytes)
pubInput, err := witness.New(curve.ScalarField())
if err != nil {
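Review bot: The type assertion `proof.(*bn254.Proof)` at the top of the added block makes verifyGroth16Proof return false for every proof that is not BN254, while the code just below still works from a `curve` value (`witness.New(curve.ScalarField())`). If any other curve can reach this function it now fails with only the "groth16 proof is not bn254" log line, so either apply the commitment check only when the curve is BN254 or say in a comment that Groth16 verification is BN254-only while the workaround is in place. A short comment above the check that links the gnark v0.10.0 issue and states when the guard can be dropped would also help, since the reason currently lives only in the log string.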
13 changes: 13 additions & 0 deletions operator/pkg/operator.go
Expand Up @@ -31,6 +31,7 @@ import (
eigentypes "github.com/Layr-Labs/eigensdk-go/types"
"github.com/consensys/gnark-crypto/ecc"
"github.com/consensys/gnark/backend/groth16"
bn254 "github.com/consensys/gnark/backend/groth16/bn254"
"github.com/consensys/gnark/backend/plonk"
"github.com/consensys/gnark/backend/witness"
ethcommon "github.com/ethereum/go-ethereum/common"
Expand Down Expand Up @@ -598,6 +599,18 @@ func (o *Operator) verifyGroth16Proof(proofBytes []byte, pubInputBytes []byte, v
return false
}

bn254Proof, ok := proof.(*bn254.Proof)
if !ok {
o.Logger.Warn("groth16 proof is not bn254")
return false
}
numCommitments := len(bn254Proof.Commitments)
if numCommitments > 1 {
o.Logger.Warn("too many commitments for groth16 proof (unsound for v0.10.0)",
"numCommitments", numCommitments)
return false
}

pubInputReader := bytes.NewReader(pubInputBytes)
pubInput, err := witness.New(curve.ScalarField())
if err != nil {
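Review bot: The commitment guard in Operator.verifyGroth16Proof is a second copy of the one added to batcher/aligned-batcher/gnark/verifier.go, differing only in the logger, so the two can drift apart when the workaround is later adjusted or removed. Consider one shared helper that takes the groth16 proof and returns an error, called from both verifiers, with each caller doing its own logging. Neither of the two changed files is a test; a case that feeds a proof with two commitments and expects `false`, plus one with a single commitment that still verifies, would pin the `numCommitments > 1` boundary.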