Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to exploit the "Initial Conditions Are Not Properly Enforced" vulnerability to generate false proofs. #1852

Open
Subway2023 opened this issue Oct 8, 2024 · 0 comments
Open

How to exploit the "Initial Conditions Are Not Properly Enforced" vulnerability to generate false proofs. #1852

Subway2023 opened this issue Oct 8, 2024 · 0 comments

Comments

@Subway2023
Copy link

Bug report says that in ResultCommitmentVerifier, the verification of currentTallyCommitment is skipped when processing the first batch. Pull 277 also mentioned this bug.

So my question is: how to exploit this bug to forge a proof. Here are my failed attempts:

According to the bug report, 4bc21did not fix the bug, while 4892a did, which is why I chose these two versions of the files for comparison.

My test script are 4892a and 4bc21

My goal is to find an input.json that causes script 4892a to fail (after the bug fix) and allows scrip 4bc21 to succeed (before the bug fix).

My input.json is as follows, but no matter how I change the input values, both scripts execute successfully. Therefore, I am unable to forge an input.json based on this bug, and I am seeking your help.

input.json

{
    "stateRoot": "3358824444508638759310814809457313289959680237664010313192416000149458294558",
    "ballotRoot": "441413126409514555955725531489171398983441558816175226640132860488719935906",
    "sbSalt": "11782930910937153856695176969157800156138519974025259805266070236161183849201",
    "sbCommitment": "5471536197657000950797919108148666628218165761849432896080962695563581570000",
    "currentTallyCommitment": "0",
    "newTallyCommitment": "13625735214118553785274225824569447804355241683932271453922705917164529113783",
    "packedVals": "1125899906842624",
    "inputHash": "21447290512843187552535385851572961059116494960414493559153804603252366004902",
    "ballots": [
      [
        "0",
        "19261153649140605024552417994922546473530072875902678653210025980873274131905"
      ],
      [
        "1",
        "21537449872599948843438062503338235089441146888201228352467796408604548476098"
      ],
      [
        "0",
        "19261153649140605024552417994922546473530072875902678653210025980873274131905"
      ],
      [
        "0",
        "19261153649140605024552417994922546473530072875902678653210025980873274131905"
      ],
      [
        "0",
        "19261153649140605024552417994922546473530072875902678653210025980873274131905"
      ]
    ],
    "ballotPathElements": [
      [
        "12041659224647436013473767500489753343785740033037924110958797456446050033440",
        "12041659224647436013473767500489753343785740033037924110958797456446050033440",
        "12041659224647436013473767500489753343785740033037924110958797456446050033440",
        "12041659224647436013473767500489753343785740033037924110958797456446050033440"
      ],
      [
        "16334572099445814755399763597707660176205626043171377690797296695513301667646",
        "16334572099445814755399763597707660176205626043171377690797296695513301667646",
        "16334572099445814755399763597707660176205626043171377690797296695513301667646",
        "16334572099445814755399763597707660176205626043171377690797296695513301667646"
      ],
      [
        "16860909303983861319743874485244423423525067824479760582419993392716259939796",
        "16860909303983861319743874485244423423525067824479760582419993392716259939796",
        "16860909303983861319743874485244423423525067824479760582419993392716259939796",
        "16860909303983861319743874485244423423525067824479760582419993392716259939796"
      ],
      [
        "2247942235568610258990454563169189190361617594905047602234015741510118002501",
        "2247942235568610258990454563169189190361617594905047602234015741510118002501",
        "2247942235568610258990454563169189190361617594905047602234015741510118002501",
        "2247942235568610258990454563169189190361617594905047602234015741510118002501"
      ],
      [
        "20239231141972210173835090302392873068035637673491050730272989294625677423652",
        "20239231141972210173835090302392873068035637673491050730272989294625677423652",
        "20239231141972210173835090302392873068035637673491050730272989294625677423652",
        "20239231141972210173835090302392873068035637673491050730272989294625677423652"
      ],
      [
        "344732312350052944041104345325295111408747975338908491763817872057138864163",
        "344732312350052944041104345325295111408747975338908491763817872057138864163",
        "344732312350052944041104345325295111408747975338908491763817872057138864163",
        "344732312350052944041104345325295111408747975338908491763817872057138864163"
      ],
      [
        "12631797014605841658454845021986240477173811264748333940915817181845171875873",
        "12631797014605841658454845021986240477173811264748333940915817181845171875873",
        "12631797014605841658454845021986240477173811264748333940915817181845171875873",
        "12631797014605841658454845021986240477173811264748333940915817181845171875873"
      ],
      [
        "6363818543409459297181400199558272216622730650426167696249664458633657968601",
        "6363818543409459297181400199558272216622730650426167696249664458633657968601",
        "6363818543409459297181400199558272216622730650426167696249664458633657968601",
        "6363818543409459297181400199558272216622730650426167696249664458633657968601"
      ],
      [
        "10261261801296436956888927991155151996379388385567675556960209472686280054764",
        "10261261801296436956888927991155151996379388385567675556960209472686280054764",
        "10261261801296436956888927991155151996379388385567675556960209472686280054764",
        "10261261801296436956888927991155151996379388385567675556960209472686280054764"
      ]
    ],
    "votes": [
      [
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0"
      ],
      [
        "9", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0"
      ],
      [
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0"
      ],
      [
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0"
      ],
      [
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0"
      ]
    ],
    "currentResults": [
      "0", "0", "0", "0", "0", "0",
      "0", "0", "0", "0", "0", "0",
      "0", "0", "0", "0", "0", "0",
      "0", "0", "0", "0", "0", "0",
      "0"
    ],
    "currentResultsRootSalt": "0",
    "currentSpentVoiceCreditSubtotal": "0",
    "currentSpentVoiceCreditSubtotalSalt": "0",
    "currentPerVOSpentVoiceCredits": [
      "0", "0", "0", "0", "0", "0",
      "0", "0", "0", "0", "0", "0",
      "0", "0", "0", "0", "0", "0",
      "0", "0", "0", "0", "0", "0",
      "0"
    ],
    "currentPerVOSpentVoiceCreditsRootSalt": "0",
    "newResultsRootSalt": "8943573451393339090698007661032673318095675461887202904510797071665965067642",
    "newPerVOSpentVoiceCreditsRootSalt": "13477351866834168219645724035042278217899699308468601055181494837692978955958",
    "newSpentVoiceCreditSubtotalSalt": "2622000413866313334230901487458260242365536080659462527248883613885228308688"
  }
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Subway2023 and others