Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Brevis>Low findings>Incorrect constant used in ,twosComplement
GeneralOverview
Findings
Critical (4)
High (3)
Medium (3)
Low (15)Native Keccak padding and round-index functions incorrectAssumptions made regarding log topics are not correct in full generalitySelector not constrained to be Boolean for SelectConversion from Uint248 to Uint521 fails for values wider than 96 bitsProver assignment will fail for custom inputsFunction to export Groth16 proofs only works for proofs with exactly one commitmentIncorrect constant used in twosComplementUnexpected behavior for decompose-related functions on negative inputMismatch between Uint521 type and its documentationRaw data may be overwritten by index reuseData might be arranged incorrectly by rawData[T].listInvalid receipts with empty LogField entries may be assignedParsing errors ignored in GetHexArrayIncorrect elliptic curveProof submission calls callback even if submission fails
Informational (10)
DiscussionVarious possible simplifications and optimizationsAdditional validationLack of documentation or commentsMinor recommendationsCode duplicationConsistent usage of named constantsLists and tuples' ambiguous behavior when used recursivelyBehavior of bits2Bytes and addOutput for circuit variablesIncorrect hex string and parsing errors canceling each other outReferences to MiMC instead of PoseidonUnallocated inputs slots not constrainedKeccak padding function pad10*1Confusing function GroupBySetupVerification of Poseidon constantsTest suite
Audit ResultsAssessment Results
Category: Coding Mistakes

Incorrect constant used in twosComplement

Low Impact
Low Severity
Low Likelihood

Description

In sdk/utils.go, the function twosComplement is implemented as follows:

func twosComplement(bits []uint, n int) []uint {
	padded := padBitsRight(bits, n, 0)
	flipped := flipBits(padded)
	a := recompose(flipped, 1)
	a.Add(a, big.NewInt(1))
!	d := decomposeAndSlice(a, 1, 248)
	ret := make([]uint, len(d))
	for i, b := range d {
		ret[i] = uint(b.Uint64())
	}
	return ret
}

During the call to decomposeAndSlice, the constant 248 is used where it should be n.

Impact

Whenever n is different than 248, twosComplement will return a result of incorrect length and possibly lose information when n > 248.

There are only two places where twosComplement is called within brevis-sdk. Both are in sdk/api_int248.go, and in those calls n is actually 248, so this bug is not hit in the current codebase.

Recommendations

We recommend to use n instead of 248 in the decomposeAndSlice call:

func twosComplement(bits []uint, n int) []uint {
	padded := padBitsRight(bits, n, 0)
	flipped := flipBits(padded)
	a := recompose(flipped, 1)
	a.Add(a, big.NewInt(1))
- 	d := decomposeAndSlice(a, 1, 248)
+ 	d := decomposeAndSlice(a, 1, n)
	ret := make([]uint, len(d))
	for i, b := range d {
		ret[i] = uint(b.Uint64())
	}
	return ret
}

Remediation

This issue has been acknowledged by Brevis, and a fix was implemented in commit 4deade11.

Zellic © 2025Back to top ↑