Category: Business Logic

Note encryption is unconstrained

Low Severity
Informational Impact
N/A Likelihood

Description

The note ciphertexts included as part of the joinsplit operation are unconstrained inputs into the circuit. This means that the note decrypted by the receiver may not correspond properly to the note added to the commitment tree.

Impact

The encrypted note ciphertext is what communicates the value of the note to the receiver. Because the owner must know a note's value in order to spend it, a note whose committed value is unknown to the owner can be unspendable, leaving the funds locked.

However, incorrectly computed ciphertexts can be identified by the receiver immediately upon the completion of the transaction by computing a commitment from the decrypted note and checking it against the Merkle tree entry.

This reduces the impact: the receiver can simply refuse to acknowledge any transaction carrying a malformed note ciphertext, so such a transaction locks only the sender's own funds, which eliminates the incentive to use malformed ciphertexts as an attack.

Recommendations

We recommend client-side or on-chain checks for receivers to be able to verify note ciphertexts against note commitments.
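As an added illustration of the client-side check described above (not code from the Nocturne codebase or from this report), the following models a receiver that decrypts an incoming note ciphertext, recomputes the note commitment, and compares it with the commitment recorded in the tree. It assumes a SHA-256 stand-in for the circuit's commitment hash, a toy SHA-256 keystream XOR in place of the real note encryption, and a constructed shared key; the note layout is a simplified placeholder.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Note:
    # Simplified placeholder layout; the real note fields are not modelled here.
    owner: str
    nonce: int
    asset: str
    value: int


def note_commitment(note: Note) -> bytes:
    # Stand-in for the circuit's commitment hash (assumed: SHA-256 over a canonical encoding).
    encoded = json.dumps(asdict(note), sort_keys=True).encode()
    return hashlib.sha256(b"commitment|" + encoded).digest()


def _keystream(key: bytes, length: int) -> bytes:
    # Toy keystream for illustration only: SHA-256 in counter mode.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_note(key: bytes, note: Note) -> bytes:
    plaintext = json.dumps(asdict(note), sort_keys=True).encode()
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))


def decrypt_note(key: bytes, ciphertext: bytes) -> Note:
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, len(ciphertext))))
    return Note(**json.loads(plaintext))


def receiver_accepts(key: bytes, ciphertext: bytes, tree_commitment: bytes) -> bool:
    """The recommended check: decrypt, recompute the commitment, compare with the tree entry."""
    try:
        note = decrypt_note(key, ciphertext)
    except (ValueError, TypeError):
        return False  # an undecodable ciphertext is treated like a mismatch
    return hmac.compare_digest(note_commitment(note), tree_commitment)


def demo() -> tuple:
    key = b"shared-secret-constructed-for-demo"  # constructed, not a real key
    real = Note(owner="alice", nonce=7, asset="WETH", value=100)
    commitment = note_commitment(real)  # what the joinsplit inserts into the tree
    honest_ct = encrypt_note(key, real)
    # Malformed ciphertext: same commitment in the tree, but the encrypted note says value=50.
    bogus_ct = encrypt_note(key, Note(owner="alice", nonce=7, asset="WETH", value=50))
    return receiver_accepts(key, honest_ct, commitment), receiver_accepts(key, bogus_ct, commitment)
```

`demo()` returns `(True, False)`: the honest ciphertext is accepted and the mismatched one is rejected before the receiver treats the note as received.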

Remediation

Zellic © 2024