Rate-Limiting-Nullifier
Upgrade snarkjs to >0.6.11
What's wrong?
https://github.com/iden3/snarkjs/issues/358 suggested a vulnerability of the groth16 verifier in the latest snarkjs (v0.6.11). A fix https://github.com/iden3/snarkjs/pull/359 was proposed but has yet to be merged. The issue is not related to circom so it's safe to stay as is, as discussed with @curryrasul offline.
How to fix it?
Upgrade snarkjs to the latest version as long as the fix is released.
Hey @mhchia , would one need to recompile/ redeploy all Verifier contracts due to this bug or is it further down the line?
@themandalore I'm not sure about this, and I would also like to know the answer too 😃
Reopened to remind us that our dependency circom_tester stills has this issue and hasn't fixed it. We should upgrade circom_tester as long as it upgrades snarkjs to >=0.7.0.
- Our
circom_testerusessnarkjs==0.5.0https://github.com/Rate-Limiting-Nullifier/circom-rln/blob/18f6e0acd0d2a8ec0d9e19da24ab0dbb1c911647/package-lock.json#L396
An issue has been opened in circom_tester too (https://github.com/iden3/circom_tester/issues/16).
- It seems like it won't be fixed soon in
circom_teser, and we only use it for testing, so we decided to reopen this issue and dismiss the alert from dependabot.
Hey @mhchia , would one need to recompile/ redeploy all Verifier contracts due to this bug or is it further down the line?
@themandalore In general I would say yes, you should update snarkjs and generate contracts with new snarkjs version. Though I don't think there are bugs in big and well audited projects, as it's common practice to do range/field checks on public inputs.