Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Barretenberg Bigfield>Medium findings>Large limbs for constant inputs to ,conditional_negate
GeneralOverview
Findings
Critical (7)
Medium (2)Equation checks not enforcedLarge limbs for constant inputs to conditional_negate
Low (6)
Informational (2)
DiscussionMaturity of the codebase and lack of specificationsConcrete examples for assumptions for bounds and how to document themUndocumented assumption regarding meaning of bigfield fieldsFunctioning of evaluate_non_native_field_multiplicationAssumptions regarding bit width of the modulusBehavior in simulator modeHandling of too large ranges in uint256_t::sliceMissing maximum-bit number checks in constructorFix for decompose_into_bitsOverflow checks for unreduced elementsPrime limb witness indexes equality check in operator- and operator+Inefficient loopsPossible shaper boundsUnnecessary assert in mul_product_overflows_crt_modulusUnnecessary reductons in operator+Unreachable codeMisleading names of functions or variablesImprovements for comments/documentation
Audit ResultsAssessment Results
Category: Coding Mistakes

Large limbs for constant inputs to conditional_negate

Medium Severity
Low Impact
Low Likelihood

Description

The function bigfield::conditional_negate is implemented as follows for constant arguments:

template <typename Builder, typename T>
bigfield<Builder, T> bigfield<Builder, T>::conditional_negate(const bool_t<Builder>& predicate) const
{
    Builder* ctx = context ? context : predicate.context;

    if (is_constant() && predicate.is_constant()) {
        if (predicate.get_value()) {
            uint512_t out_val = (modulus_u512 - get_value()) % modulus_u512;
            return bigfield(ctx, out_val.lo);
        }
        return *this;
    }
    
    // ...
}

The calculation of the return value will involve an underflow and wraparound modulo the native circuit prime modulus if get_value() returns an unsigned integer that is bigger than the emulated prime modulus . This would make the result incorrect.

Impact

Should conditional_negate be used for constant arguments, with the value to be negated being bigger than , then the return value will be incorrect. Most operations for constant bigfield elements will reduce modulo , so their results will not have vulnerable form. It is possible to construct such constants with the usual bigfield constructors, however.

Recommendations

Reduce get_value() modulo modulus_u512 before subtracting it.

Remediation

This issue has been acknowledged by Aztec, and a fix was implemented in commit 718d5b7c.

Zellic © 2025Back to top ↑