Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Brevis>Low findings>Raw data may be overwritten by index reuse
GeneralOverview
Findings
Critical (4)
High (5)
Medium (5)
Low (12)Conversion from Uint248 to Uint521 fails for values wider than 96 bitsProver assignment will fail for custom inputsFunction to export Groth16 proofs only works for proofs with exactly one commitmentIncorrect constant used in twosComplementUnexpected behavior for decompose-related functions on negative inputMismatch between Uint521 type and its documentationRaw data may be overwritten by index reuseData might be arranged incorrectly by rawData[T].listInvalid receipts with empty LogField entries may be assignedParsing errors ignored in GetHexArrayIncorrect elliptic curveProof submission calls callback even if submission fails
Informational (9)
DiscussionVarious possible simplifications and optimizationsAdditional validationLack of documentation or commentsMinor recommendationsCode duplicationConsistent usage of named constantsLists and tuples' ambiguous behavior when used recursivelyBehavior of bits2Bytes and addOutput for circuit variablesIncorrect hex string and parsing errors canceling each other outReferences to MiMC instead of PoseidonUnallocated inputs slots not constrainedKeccak padding function pad10*1Confusing function GroupBySetupVerification of Poseidon constantsTest suite
Audit ResultsAssessment Results
Category: Coding Mistakes

Raw data may be overwritten by index reuse

Low Severity
Low Impact
Low Likelihood

Description

The rawData type in sdk/app.go is used to hold receipt, storage, and transaction data. There are two fields, a list ordered and a map special. The idea is that generally, data will be added to ordered, but in order to be able to pin certain data points to a specific index, they may be added to special instead. When converting a rawData to a list, the data in special will occur at their respective index, and the remaining unclaimed entries will be filled by the entries of ordered, in order.

The add function used to add data to a rawData is implemented as follows:

func (q *rawData[T]) add(data T, index ...int) {
	if len(index) > 1 {
		panic("no more than one index should be supplied")
	}
	if q.special == nil {
		q.special = make(map[int]T)
	}
	if len(index) == 1 {
		q.special[index[0]] = data
	} else {
		q.ordered = append(q.ordered, data)
	}
}

If an index is given, then data is inserted into the map at that index. However, it is not checked whether a value at that key might already exist. Thus, it can happen that a previous entry is overwritten.

Impact

Entries of q.special may be overwritten by add. The function add is an internal function, used by the public wrappers AddReceipt, AddStorage, and AddTransaction. The intention of the special map is to pin receipts, storage, and transaction data to a specific index. Because of this, reusing the same index would be a mistake.

Currently this mistake will not be caught. It could thus happen that a user of the sdk intends to pin two data points A and B but accidentally uses the same index. Only the last added of the two will then be available at that index (say B), but in circuit they will use this single data point for the use case of both A and B.

It appears likely that such mistakes would be detected during proper testing.

Recommendations

We recommend to check in add whether q.special already has a value at key index[0]. If this is the case, the function should panic with an error message warning about index reuse.

Remediation

This issue has been acknowledged by Brevis, and a fix was implemented in commit 7b2df59a.

Zellic © 2025Back to top ↑