Skip to content

Sherlock audit fixes#61

Merged
eason1981 merged 42 commits intomainfrom
sherlock-audit-fixes
Dec 9, 2025
Merged

Sherlock audit fixes#61
eason1981 merged 42 commits intomainfrom
sherlock-audit-fixes

Conversation

@will-brevis
Copy link
Contributor

@will-brevis will-brevis commented Nov 3, 2025

Temporary PR for an alternative web-view of changes made to the auditing branch.

@will-brevis
Copy link
Contributor Author

will-brevis commented Nov 3, 2025
edited
Loading

For any auditors visiting this PR, the fix commit for 204 has a typo and is addressed in the fix for 233 (a similar issue).

The VM also no longer works, as we need to pull in some P3 updates for the updated FRI code and changed some lookups.

will-brevis and others added 25 commits November 10, 2025 12:52
@will-brevis
fix #88 - Field Arithmetic Bug in SepticExtension SubAssign Implement…
78c7d3b 
…ation
@will-brevis
fix #144 - Silent truncation in verify() causes incomplete proof veri…
fc24d89 
…fication
@will-brevis
fix #142 - First chunk having cpu chip is incorrectly checked in conv…
12ac001 
…ert circuit
@will-brevis
fix #124,148,186,215 - Remainder is not range checked correctly in re…
b552412 
…duceWithMaxBits for koalabear field

adjusts the hint for koalabear (2^31 - 2^24 + 1) by constraining the
lower 24 bits to 0 when the upper 7 bits are all set, as well as
adjusting the corresponding range checks and other constants
@will-brevis
fix #79 - Scalar multiplication reduces by 2^n instead of the group o…
53ce9d1 
…rder r
@will-brevis
fix #126 - Malicious prover will generate invalid proofs due to under…
f62f6f9 
…constrained REM/REMU operations when divisor is 0
@will-brevis
fix #197 - is_real never checked for boolean inside syscall chip
956959c
@kaiwei-0 @will-brevis
fix #133,137 - two completeness checks issue
0c01976
@will-brevis
fix #199,200 - Quotient domain is completely controlled by prover
c36ca74
@will-brevis
fix #204 - Chip ordering is used to fetch all chips instead of prepro…
366bed7 
…cessed ones
@will-brevis
fix #206 - No check that the lookup multiplicities do not overflow
9c2800a
@kaiwei-0 @will-brevis
fix #137 - completeness checks must be added to every circuit that ne…
f620c30 
…eds to guarantee the VM execution trace is complete (#844)
@will-brevis
fix #219 - op_a_0 is not constrained inside MemoryReadWriteChip
becb4f0
@will-brevis
fix #226 - Polynomial evaluations are never observed by recursive ver…
28fa55c 
…ifier
@will-brevis
fix #228 - ro[config.log_blowup] is not checked to be zero in recursi…
2355c9b 
…ve verifier
@will-brevis
fix #230 - Recursive verifier does not check for overflow of the look…
e9d1613 
…up multiplicities
@will-brevis
fix #233 - Recursive verifier does not validate chip used for preproc…
149bf5d 
…essed traces
@will-brevis
fix #69 - Word range check uses unconstrained upper_all_one local var…
90ec0bb 
…iable when field prime is Mersenne31
@will-brevis
fix #108 - Inconsistent Multiplicity Increment in read_ghost_addr
ce9ed40
@will-brevis
fix #78 - wrong sign handling when x == 0 produces non-canonical / ou…
f3d6f85 
…t-of-range x = p
@will-brevis
fix #75 - Missing offset check will cause integer overflow violating …
e90ac03 
…ELF specification
@will-brevis
fix #62 - read_write chip does not enforce constraints on opcode sele…
d79c321 
…ctors
@liuxiaobleach @will-brevis
fix #128 - Malicious verifier will recover private witness values bre…
26a9685 
…aking zero-knowledge property
@will-brevis
unfix #200
66fabbe
@will-brevis
disable m31 and add a comment explaining why
6315d47
@CergyK
Copy link

CergyK commented Nov 20, 2025
edited
Loading

Here are my comments on some of the fixes (please consider the others LGTM):

#144 -> Fix ok, here are some potentially similar issues (input length mismatch) which could be fixed with zip_eq?

https://github.com/brevis-network/pico/blob/sherlock-audit-fixes/vm/src/compiler/recursion/circuit/fri.rs#L271
https://github.com/brevis-network/pico/blob/sherlock-audit-fixes/vm/src/compiler/recursion/circuit/merkle_tree.rs#L150
https://github.com/brevis-network/pico/blob/sherlock-audit-fixes/vm/src/instances/compiler/riscv_circuit/convert/builder.rs#L274
https://github.com/brevis-network/pico/blob/sherlock-audit-fixes/vm/src/machine/verifier.rs#L93

#124 -> Outdated comment
https://github.com/brevis-network/pico/blob/sherlock-audit-fixes/gnark/koalabear/koalabear.go#L377-L378

#230 -> The assert is stripped out from the recursion program;
https://github.com/brevis-network/pico/blob/sherlock-audit-fixes/vm/src/compiler/recursion/circuit/stark.rs#L142

#233 -> Same here. Assert would be stripped out, so it brings no additional security guarantees

#226 -> Would need to update Cargo.lock in perf/bench_apps

@will-brevis
Copy link
Contributor Author

will-brevis commented Nov 20, 2025

Regarding #230 and #233, these are meant to be sanity checks to be performed by our official proof verifier, or anyone using our recursion machine builder. We do not want to encode these into any constraints since they are already satisfied by proof shape constraints or execution completeness checks, nor was the original issue asking us to.

For #226, sure, we can trigger a rebuild for bench_apps which will cause the resolver to update the P3 dependency.

#124, this comment will be updated

#144, I will add additional zip_eq invocations.

@will-brevis will-brevis changed the base branch from audit to main November 25, 2025 03:07
eason1981
eason1981 approved these changes Dec 9, 2025
View reviewed changes
Copy link
Contributor

@eason1981 eason1981 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@eason1981 eason1981 merged commit 76a3214 into main Dec 9, 2025
7 checks passed
@eason1981 eason1981 deleted the sherlock-audit-fixes branch December 9, 2025 06:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eason1981 eason1981 eason1981 approved these changes

@succinctli succinctli Awaiting requested review from succinctli

@kaiwei-0 kaiwei-0 Awaiting requested review from kaiwei-0

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@will-brevis @CergyK @eason1981 @succinctli @kaiwei-0 @liuxiaobleach @benhuang2025