Vulnerability Report: GO-2023-2119

GHSA-7p92-x423-vwj6
Affects: github.com/consensys/gnark
Published: Oct 24, 2023
Modified: May 20, 2024

A a third party may derive a valid proof from a valid initial tuple {proof, public_inputs}, corresponding to the same public inputs as the initial proof. This vulnerability is due to randomness being generated using a small part of the scratch memory describing the state, allowing for degrees of freedom in the transcript. Note that the impact is limited to the PlonK verifier smart contract.

For detailed information about this vulnerability, visit https://github.com/Consensys/gnark/security/advisories/GHSA-7p92-x423-vwj6.

Affected Packages

Path

Go Versions

Symbols
github.com/consensys/gnark/backend/plonk/bls12-377

before v0.9.1
- Prove
- Verify
github.com/consensys/gnark/backend/plonk/bls12-381

before v0.9.1
- Prove
- Verify
github.com/consensys/gnark/backend/plonk/bls24-315

before v0.9.1
- Prove
- Verify
github.com/consensys/gnark/backend/plonk/bls24-317

before v0.9.1
- Prove
- Verify
github.com/consensys/gnark/backend/plonk/bn254

before v0.9.1
- Prove
- Verify
github.com/consensys/gnark/backend/plonk/bw6-633

before v0.9.1
- Prove
- Verify
github.com/consensys/gnark/backend/plonk/bw6-761

before v0.9.1
- Prove
- Verify

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL

Vulnerability Report: GO-2023-2119

Affected Packages

Aliases

References

Feedback