Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Barretenberg Bigfield>Critical findings>Missing ,field_t, normalization in constructor
GeneralOverview
Findings
Critical (7)Range check in unsafe_evaluate_multiply_add may be ineffectiveUnderflow possible in evaluate_non_native_field_multiplicationOverflow possible in evaluate_non_native_field_multiplicationMissing field_t normalization in constructorMissing range check in constructorsMissing consistency check for prime limb in constructorProving that multiples of L!$p$ are unequal to L!$0$ modulo L!$p$ possible
Medium (2)
Low (6)
Informational (2)
DiscussionMaturity of the codebase and lack of specificationsConcrete examples for assumptions for bounds and how to document themUndocumented assumption regarding meaning of bigfield fieldsFunctioning of evaluate_non_native_field_multiplicationAssumptions regarding bit width of the modulusBehavior in simulator modeHandling of too large ranges in uint256_t::sliceMissing maximum-bit number checks in constructorFix for decompose_into_bitsOverflow checks for unreduced elementsPrime limb witness indexes equality check in operator- and operator+Inefficient loopsPossible shaper boundsUnnecessary assert in mul_product_overflows_crt_modulusUnnecessary reductons in operator+Unreachable codeMisleading names of functions or variablesImprovements for comments/documentation
Audit ResultsAssessment Results
Category: Coding Mistakes

Missing field_t normalization in constructor

Critical Severity
Critical Impact
High Likelihood

Description

This finding concerns the following constructor for bigfield:

template <typename Builder, typename T>
bigfield<Builder, T>::bigfield(const field_t<Builder>& low_bits_in,
                               const field_t<Builder>& high_bits_in,
                               const bool can_overflow,
                               const size_t maximum_bitlength)

After the if check on HasPlookup<Builder>, in the else branches, the method decompose_into_base4_accumulators of the class StandardCircuitBuilder_<FF> is called. This function takes raw witness indexes as input, but the arguments are not normalized in the bigfield constructor beforehand, as can be seen here in the case of the lower bits:

low_accumulator = context->decompose_into_base4_accumulators(
    low_bits_in.witness_index, static_cast<size_t>(NUM_LIMB_BITS * 2), "bigfield: low_bits_in too large.");

This applies also for the higher bits.

Impact

If the additive or multiplicative constant of the field_t values low_bits_in or high_bits_in are different from 1 and 0, respectively, the constructor will construct a bigfield element with incorrect values.

Recommendations

Normalize the witness before passing the witness index as an argument to decompose_into_base4_accumulators, for example in the lower-bits case,

low_accumulator = context->decompose_into_base4_accumulators(
-   low_bits_in.witness_index, static_cast<size_t>(NUM_LIMB_BITS * 2), "bigfield: low_bits_in too large.");
+   low_bits_in.normalize().witness_index, static_cast<size_t>(NUM_LIMB_BITS * 2), "bigfield: low_bits_in too large.");

and similarly for the higher-bits case.

Remediation

Zellic © 2025Back to top ↑