Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Singularity>Informational findings>Wrong nullifier computation
GeneralOverview
Findings
Critical (8)
High (3)
Medium (5)
Low (3)
Informational (5)Second preimage attack in Merkle circuitThe two Curve exchange proofs are interchangablePoolAddress uses incorrect constantUniswap liquidity provision deadlineWrong nullifier computation
DiscussionSome specifications are inaccurateMiMC hash-length extension attackBN254 security levelReturn value of `uniswapLiquidityProvision`Assumption on non-fungible position identifiersRemoved Uniswap positions are keptGas saving in MerkleTreeOperatorGas savings and specification of Mimc254Confusing argument orderCentralization risks
Audit ResultsSummary
Category: Coding Mistakes

Wrong nullifier computation

Informational Severity
Informational Impact
N/A Likelihood

Description

In the generateCurveAddLiquidityProof function, if the value of rho happens to be null, then the nullifier is also set to zero:

const nullifier1 = param.note1.rho === 0n ? 0n : calcNullifier(param.note1.rho, fuzkPubKey);
const nullifier2 = param.note2.rho === 0n ? 0n : calcNullifier(param.note2.rho, fuzkPubKey);
const nullifier3 = param.note3.rho === 0n ? 0n : calcNullifier(param.note3.rho, fuzkPubKey);
const nullifier4 = param.note4.rho === 0n ? 0n : calcNullifier(param.note4.rho, fuzkPubKey);

A zero nullifier will not be verified properly by the verifier.

Impact

In the unlikely case where rho is zero, the nullifier is set to zero and will not verify, later making the corresponding note unspendable.

Recommendations

The nullifier should be computed such that the verifier is able to verify it correctly.

Remediation

This issue has been acknowledged by Singularity, and a fix was implemented in commit 2b464a25. The verification has been to change to check the amount value instead of rho.

Zellic © 2024Back to top ↑