Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Barretenberg Bigfield>Medium findings>Equation checks not enforced
GeneralOverview
Findings
Critical (7)
Medium (2)Equation checks not enforcedLarge limbs for constant inputs to conditional_negate
Low (6)
Informational (2)
DiscussionMaturity of the codebase and lack of specificationsConcrete examples for assumptions for bounds and how to document themUndocumented assumption regarding meaning of bigfield fieldsFunctioning of evaluate_non_native_field_multiplicationAssumptions regarding bit width of the modulusBehavior in simulator modeHandling of too large ranges in uint256_t::sliceMissing maximum-bit number checks in constructorFix for decompose_into_bitsOverflow checks for unreduced elementsPrime limb witness indexes equality check in operator- and operator+Inefficient loopsPossible shaper boundsUnnecessary assert in mul_product_overflows_crt_modulusUnnecessary reductons in operator+Unreachable codeMisleading names of functions or variablesImprovements for comments/documentation
Audit ResultsAssessment Results
Category: Coding Mistakes

Equation checks not enforced

Medium Severity
Low Impact
Low Likelihood

Description

The function evaluate_linear_identity is used to check the linear identity . In the bigfield constructor, this function is used to constrain the construction of the low bits of the argument to be equal to limb_0 + limb_1 << 68. The function is used similarly for the highest bits of the argument. However, in case all the arguments of evaluate_linear_identity are marked as constant, the check is not enforced:

void field_t<Builder>::evaluate_linear_identity(const field_t& a, const field_t& b, const field_t& c, const field_t& d)
{
    Builder* ctx = a.context == nullptr
                       ? (b.context == nullptr ? (c.context == nullptr ? d.context : c.context) : b.context)
                       : a.context;

    if (a.witness_index == IS_CONSTANT && b.witness_index == IS_CONSTANT && c.witness_index == IS_CONSTANT &&
        d.witness_index == IS_CONSTANT) {
        return;
    }

In fact, nothing further is done, and the function returns.

The problem is also present in the function evaluate_polynomial_identity, but in this case, the relation to be checked is . Again, if the arguments are constants, then the function simply returns.

Impact

The previous identity could be wrong for some constants and still pass the check. In the bigfield component, the two functions are likely only called in branches in which at least one of the arguments will not be constant, so this case is not hit. Impact for other callers depends on usage.

Recommendations

In case the arguments are constant, assert the equality of the identity for the values.

Remediation

This issue has been acknowledged by Aztec, and a fix was implemented in commit dad2c05e.

Zellic © 2025Back to top ↑