Low-entropy note generation
Description
If there are multiple notes for the same public key with identical rho, only one of those notes will be spendable. The function generateRho produces this value with only 64 bits of entropy: it fills a 32-byte buffer with random bytes but reads back just the first 8 of them with readBigUInt64BE(), and the subsequent reduction modulo p adds no entropy. Its implementation is:
```typescript
// generateRho as audited. `p` and `bn_to_0xhex` are project helpers defined
// elsewhere in the code base and are not shown here.
export const generateRho = () => {
  let ab = new ArrayBuffer(32);
  // getRandomValues fills all 32 bytes, but readBigUInt64BE() with no offset
  // reads only the first 8 of them, so the result carries at most 64 bits.
  return bn_to_0xhex(crypto.getRandomValues(Buffer.from(ab)).readBigUInt64BE() % p);
};
```
Impact
If a note is created through this function, as the createNote function does, rho does not carry enough entropy to rule out a situation similar to the Faerie Gold attack: a note created with the same rho as an earlier note for the same public key is valid, yet cannot be spent. With a 64-bit rho, a collision among honestly generated notes becomes likely after roughly 2^32 notes (birthday bound), far below what a 254-bit field would allow.
Recommendations
The value of rho should be generated uniformly over the range . The reduction used to map the random bytes into that range must not introduce modular bias: either reduce an integer that is much wider than the modulus, or use rejection sampling.
Remediation
This issue has been acknowledged by Singularity, and a fix was implemented in commit 0972c4dd. The value is now generated over 47 bytes and then reduced modulo to avoid modular bias: because the sample is far wider than the modulus, the bias of the reduced value is negligible.
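The following is an added example, not code from Singularity's repository and not the audited function itself. It reproduces the weak construction with an injectable byte source, so the 64-bit limit described above can be observed directly, and places two unbiased alternatives beside it: the oversample-then-reduce approach the remediation describes, and rejection sampling. The modulus p is assumed here to be the BN254 scalar-field order (the project's field may differ); toHex stands in for bn_to_0xhex, and randomBytes, excessBits, generateRhoWeak, generateRhoFixed and generateRhoRejection are names introduced for this example.

```javascript
// Added example, not code from Singularity's repository. It reproduces the
// weak construction with an injectable byte source (so the 64-bit limit can be
// checked deterministically) and places two unbiased alternatives beside it.
// ASSUMPTION: p is the BN254 scalar-field order; the project's field may differ.
const p = BigInt('0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001');

// Default byte source: the Web Crypto global (Node 19+ or a browser). The
// source is a parameter so that fixed buffers can be injected for checks.
const randomBytes = (n) =>
  Buffer.from(globalThis.crypto.getRandomValues(new Uint8Array(n)));

const bytesToBigInt = (buf) => BigInt('0x' + (buf.length ? buf.toString('hex') : '0'));
const bitLength = (x) => x.toString(2).length; // for x > 0
const toHex = (x) => '0x' + x.toString(16);    // stands in for bn_to_0xhex

// The audited construction: 32 random bytes are drawn, but readBigUInt64BE()
// consumes only the first 8, so rho < 2^64 no matter how large p is, and the
// remaining 24 bytes have no effect on the output.
const generateRhoWeak = (source = randomBytes) => {
  const buf = source(32);
  return toHex(buf.readBigUInt64BE() % p);
};

// Reducing a uniform b-bit integer modulo a k-bit modulus leaves a statistical
// distance from uniform of about 2^-(b-k). With 47 bytes (376 bits) and a
// 254-bit p the excess is 122 bits, so the bias is negligible.
const excessBits = (numBytes, modulus) => numBytes * 8 - bitLength(modulus);

// Remediation-style generator: oversample, then reduce. It refuses to run when
// the sample is not comfortably wider than the modulus (the 64-bit floor used
// here is an illustrative choice, not a value taken from the project).
const generateRhoFixed = (source = randomBytes, numBytes = 47) => {
  if (excessBits(numBytes, p) < 64) {
    throw new Error(`sample of ${numBytes} bytes is too narrow for the modulus`);
  }
  return toHex(bytesToBigInt(source(numBytes)) % p);
};

// Alternative with no bias at all: draw bitLength(p) bits and retry if the
// candidate is >= p. Each attempt succeeds with probability p / 2^k >= 1/2,
// so the expected number of draws is at most 2.
const generateRhoRejection = (source = randomBytes) => {
  const k = bitLength(p);
  const mask = (1n << BigInt(k)) - 1n;
  for (;;) {
    const candidate = bytesToBigInt(source(Math.ceil(k / 8))) & mask;
    if (candidate < p) return toHex(candidate);
  }
};
```

Calling generateRhoWeak with two 32-byte buffers that agree in their first 8 bytes returns the same rho, which is the whole defect in one check; generateRhoFixed and generateRhoRejection both return values in [0, p) and depend on every byte drawn.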