maci icon indicating copy to clipboard operation
maci copied to clipboard

Published 20 hours ago verified publisher icon privacy-scaling-explorations

How to exploit the "Initial Conditions Are Not Properly Enforced" vulnerability to generate false proofs.

Open Subway2023 opened this issue 4 months ago • 0 comments

Bug report says that in ResultCommitmentVerifier, the verification of currentTallyCommitment is skipped when processing the first batch. Pull 277 also mentioned this bug.

So my question is: how to exploit this bug to forge a proof. Here are my failed attempts:

According to the bug report, 4bc21did not fix the bug, while 4892a did, which is why I chose these two versions of the files for comparison.

My test script are 4892a and 4bc21

My goal is to find an input.json that causes script 4892a to fail (after the bug fix) and allows scrip 4bc21 to succeed (before the bug fix).

My input.json is as follows, but no matter how I change the input values, both scripts execute successfully. Therefore, I am unable to forge an input.json based on this bug, and I am seeking your help.

input.json

{
    "stateRoot": "3358824444508638759310814809457313289959680237664010313192416000149458294558",
    "ballotRoot": "441413126409514555955725531489171398983441558816175226640132860488719935906",
    "sbSalt": "11782930910937153856695176969157800156138519974025259805266070236161183849201",
    "sbCommitment": "5471536197657000950797919108148666628218165761849432896080962695563581570000",
    "currentTallyCommitment": "0",
    "newTallyCommitment": "13625735214118553785274225824569447804355241683932271453922705917164529113783",
    "packedVals": "1125899906842624",
    "inputHash": "21447290512843187552535385851572961059116494960414493559153804603252366004902",
    "ballots": [
      [
        "0",
        "19261153649140605024552417994922546473530072875902678653210025980873274131905"
      ],
      [
        "1",
        "21537449872599948843438062503338235089441146888201228352467796408604548476098"
      ],
      [
        "0",
        "19261153649140605024552417994922546473530072875902678653210025980873274131905"
      ],
      [
        "0",
        "19261153649140605024552417994922546473530072875902678653210025980873274131905"
      ],
      [
        "0",
        "19261153649140605024552417994922546473530072875902678653210025980873274131905"
      ]
    ],
    "ballotPathElements": [
      [
        "12041659224647436013473767500489753343785740033037924110958797456446050033440",
        "12041659224647436013473767500489753343785740033037924110958797456446050033440",
        "12041659224647436013473767500489753343785740033037924110958797456446050033440",
        "12041659224647436013473767500489753343785740033037924110958797456446050033440"
      ],
      [
        "16334572099445814755399763597707660176205626043171377690797296695513301667646",
        "16334572099445814755399763597707660176205626043171377690797296695513301667646",
        "16334572099445814755399763597707660176205626043171377690797296695513301667646",
        "16334572099445814755399763597707660176205626043171377690797296695513301667646"
      ],
      [
        "16860909303983861319743874485244423423525067824479760582419993392716259939796",
        "16860909303983861319743874485244423423525067824479760582419993392716259939796",
        "16860909303983861319743874485244423423525067824479760582419993392716259939796",
        "16860909303983861319743874485244423423525067824479760582419993392716259939796"
      ],
      [
        "2247942235568610258990454563169189190361617594905047602234015741510118002501",
        "2247942235568610258990454563169189190361617594905047602234015741510118002501",
        "2247942235568610258990454563169189190361617594905047602234015741510118002501",
        "2247942235568610258990454563169189190361617594905047602234015741510118002501"
      ],
      [
        "20239231141972210173835090302392873068035637673491050730272989294625677423652",
        "20239231141972210173835090302392873068035637673491050730272989294625677423652",
        "20239231141972210173835090302392873068035637673491050730272989294625677423652",
        "20239231141972210173835090302392873068035637673491050730272989294625677423652"
      ],
      [
        "344732312350052944041104345325295111408747975338908491763817872057138864163",
        "344732312350052944041104345325295111408747975338908491763817872057138864163",
        "344732312350052944041104345325295111408747975338908491763817872057138864163",
        "344732312350052944041104345325295111408747975338908491763817872057138864163"
      ],
      [
        "12631797014605841658454845021986240477173811264748333940915817181845171875873",
        "12631797014605841658454845021986240477173811264748333940915817181845171875873",
        "12631797014605841658454845021986240477173811264748333940915817181845171875873",
        "12631797014605841658454845021986240477173811264748333940915817181845171875873"
      ],
      [
        "6363818543409459297181400199558272216622730650426167696249664458633657968601",
        "6363818543409459297181400199558272216622730650426167696249664458633657968601",
        "6363818543409459297181400199558272216622730650426167696249664458633657968601",
        "6363818543409459297181400199558272216622730650426167696249664458633657968601"
      ],
      [
        "10261261801296436956888927991155151996379388385567675556960209472686280054764",
        "10261261801296436956888927991155151996379388385567675556960209472686280054764",
        "10261261801296436956888927991155151996379388385567675556960209472686280054764",
        "10261261801296436956888927991155151996379388385567675556960209472686280054764"
      ]
    ],
    "votes": [
      [
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0"
      ],
      [
        "9", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0"
      ],
      [
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0"
      ],
      [
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0"
      ],
      [
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0", "0", "0", "0", "0", "0",
        "0"
      ]
    ],
    "currentResults": [
      "0", "0", "0", "0", "0", "0",
      "0", "0", "0", "0", "0", "0",
      "0", "0", "0", "0", "0", "0",
      "0", "0", "0", "0", "0", "0",
      "0"
    ],
    "currentResultsRootSalt": "0",
    "currentSpentVoiceCreditSubtotal": "0",
    "currentSpentVoiceCreditSubtotalSalt": "0",
    "currentPerVOSpentVoiceCredits": [
      "0", "0", "0", "0", "0", "0",
      "0", "0", "0", "0", "0", "0",
      "0", "0", "0", "0", "0", "0",
      "0", "0", "0", "0", "0", "0",
      "0"
    ],
    "currentPerVOSpentVoiceCreditsRootSalt": "0",
    "newResultsRootSalt": "8943573451393339090698007661032673318095675461887202904510797071665965067642",
    "newPerVOSpentVoiceCreditsRootSalt": "13477351866834168219645724035042278217899699308468601055181494837692978955958",
    "newSpentVoiceCreditSubtotalSalt": "2622000413866313334230901487458260242365536080659462527248883613885228308688"
  }

Subway2023 avatar Oct 08 '24 15:10 Subway2023