zips icon indicating copy to clipboard operation
zips copied to clipboard
verified publisher icon zcash

[protocol spec] In the Orchard Action statement, the Merkle path should be from Extract_ℙ(cm^old)

Open daira opened this issue 8 months ago • 0 comments

In § 4.18.4 ‘Action Statement (Orchard)’,

Merkle path validity Either $\mathsf{v^{old}} = 0$; or $(\mathsf{path}, \mathsf{pos})$ is a valid Merkle path of depth $\mathsf{MerkleDepth^{Orchard}}$, as defined in § 4.9 ‘Merkle Path Validity’ on p. 47, from $\mathsf{cm^{old}}$ to the anchor $\mathsf{rt^{Orchard}}$.

should be

Merkle path validity Either $\mathsf{v^{old}} = 0$; or $(\mathsf{path}, \mathsf{pos})$ is a valid Merkle path of depth $\mathsf{MerkleDepth^{Orchard}}$, as defined in § 4.9 ‘Merkle Path Validity’ on p. 47, from $\mathsf{Extract}_{\mathbb{P}}(\mathsf{cm^{old}})$ to the anchor $\mathsf{rt^{Orchard}}$.

(i.e. the path is from $\mathsf{cm}_x^{\mathsf{old}}$).

This is a specification-only bug; it is implemented as intended in the orchard crate. There are no security consequences.

This bug was found during a review of the Namada airdrop protocol.

daira avatar Apr 30 '25 22:04 daira