Assessment reportsPublic findings
Back to Zellic site
Assessment reports>SP1
GeneralOverview
DiscussionThe question at hand
Audit ResultsConclusion
Succinct Labs
December 4, 2024
SP1
Prepared by
Luna TongCEO[email protected]
About

Succinct is the developer of SP1. SP1 is a zkVM built on Plonky3 that implements the RV32IM (RISC-V 32-bit base with multiplication extensions) instruction set.

Rather than implement RV32IM exactly, SP1 implements a subset RV32I for proving efficiency. The limitations are documented here, which we reproduce below:

  • LW/SW memory access must be word aligned.

  • LH/LHU/SH memory access must be half-word aligned.

  • Memory access is only valid for addresses 0x20 through 0x78000000. Accessing addresses outside of this range will result in undefined behavior.

  • The ECALL instruction is used for system calls and precompiles.

The limitation and undefined behavior we are particularly interested in is the invalid memory from address 0x0 to 0x1F. As an implementation detail, in SP1 each of these memory addresses is memory mapped to one of the 32 RISC-V registers. For instance, a write to memory at 0x5 would write to the register x5. The same goes for memory reads. Furthermore, writing values to memory at 0x0 would allow the program to set the value of the x0, which according to the RISC-V specification is supposed to be "hardwired to the constant 0". This functionality is undefined behavior according to Succinct.

Executive Summary

Zellic was approached by Succinct on November 31, 2024 to investigate the potential impact of some reserved memory in SP1 and the accompanying undefined behavior.

Zellic © 2025Back to top ↑