Non-finalized dictionary in RIPEMD160 allows forging of output #54
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
H-04
primary issue: Highest quality submission among a set of duplicates
🤖_primary: AI based primary recommendation
selected for report: This submission will be included/highlighted in the audit report
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
sufficient quality report: This report is of sufficient quality
Lines of code
https://github.com/kkrt-labs/kakarot/blob/7411a5520e8a00be6f5243a50c160e66ad285563/src/kakarot/precompiles/ripemd160.cairo#L427
Vulnerability details
When ripemd160.finish() does not enter the if (next_block == FALSE) condition at L456, the dictionary x initialized at the beginning of the function is not finalized. Instead, x is reassigned to reference a new dictionary at L470:
Because the old dictionary is never finalized, it is possible to insert incorrect values for read operations on the old dictionary, which allows proving an incorrect output for any input of size > 55 (56 with the fix to our separate vulnerability on this value).
Read operations on the old dictionary are performed in ripemd160::absorb_data:
Proof of Concept
The below test case can be added to test_ripemd160.py to demonstrate the vulnerability:
The test requires adding the following "noop" hints below ripemd160.cairo#L160 so we can insert the malicious hint:
The patched hint modifies the in-memory dictionary of the prover, which results in the dict_read operation in the following line returning an incorrect fixed value. Because a dict_read call is really an append operation, and the new values aren't checked against the previous ones if the dictionary is not squashed, this results in a forged output that can be proven to be correct.
Recommended Mitigation Steps
Call default_dict_finalize(start, x, 0); before let (x) = default_dict_new(0);.
Assessed type
Other
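The following simplified Python model is an added illustration, not code from the Kakarot repository or from the submitted proof of concept. It shows why a dict_read on a dictionary that is never squashed accepts whatever value the prover's hint supplies, and why finalizing the old dictionary (the recommended mitigation) rejects it. The names DictLog, honest_value and run_finish and the sample words are constructed for this example, and the squash check is reduced to its per-key consistency rule.

```python
class DictLog:
    """Toy model of a Cairo dict: an append-only log of (key, prev, new) accesses."""

    def __init__(self, default=0):
        self.default = default
        self.accesses = []

    def write(self, key, prev, new):
        self.accesses.append((key, prev, new))

    def read(self, key, hinted_value):
        # A read only appends an entry with prev == new. The value itself comes
        # from a prover-controlled hint and is not checked at this point.
        self.accesses.append((key, hinted_value, hinted_value))
        return hinted_value

    def finalize(self):
        """Squash step: every access must chain from the previous value of its key."""
        last = {}
        for key, prev, new in self.accesses:
            if prev != last.get(key, self.default):
                raise ValueError(f"inconsistent access log for key {key}")
            last[key] = new
        return last


def honest_value(log, key):
    """Value an honest prover's hint would supply for a read of `key`."""
    for k, _, new in reversed(log.accesses):
        if k == key:
            return new
    return log.default


def run_finish(forge, finalize):
    """Model of one dictionary's lifetime: write a word, read it back, then
    either finalize the dictionary or drop it by reassigning the variable."""
    x = DictLog(default=0)
    x.write(0, 0, 0x61626364)                        # constructed message word
    hint = 0xDEADBEEF if forge else honest_value(x, 0)
    word = x.read(0, hint)                           # value fed into the hash
    if finalize:
        x.finalize()                                 # mitigation: squash before reuse
    return word                                      # without finalize, never checked


if __name__ == "__main__":
    print(hex(run_finish(forge=True, finalize=False)))
```
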