LambdaClass revealed a security flaw in Succinct SP1 ZKVM’s proof generation. The flaw in version 3 of SP1 was discovered by 3Mi Labs in conjunction with Aligned. The vulnerability in this version stemmed from two different security flaws.
Succinct has already informed customers of this potential vulnerability via Github.
What happened?
- Missing Verification Step — The system relied on a list to track key proof components but didn’t properly verify that the list was accurate. A malicious prover may be able to manipulate this list in order to generate invalid proofs. To fix this oversight, new checks have been added.
- Incomplete Proof Flag — A key part of SP1’s proof-checking system included a flag meant to confirm that a proof was fully executed. This flag was not always enforced properly, which could have led to a loophole. The checks were tightened.
- Polynomial Evaluation Issue — An issue found in Plonky3 (a dependency of SP1) meant that it didn’t fully verify all calculations before confirming a proof was valid. After the patch, all components of the proof are verified.
The vulnerability, while quickly fixed prior to disclosure, has led to concerns regarding the transparency of security practices in zero-knowledge virtual machines (ZKVMs). SP1 technology underpins high-profile upgrades to rollup infrastructure currently in development.
- Mantle Network incorporated SP1 for a transition to zero-knowledge validity (ZK), aiming to increase transaction finality and support institution-grade asset settlements.
- AggLayer uses SP1 for pessimistic verifications to ensure the security of their cross-chain solutions.
- Taiko adopted SP1 for layer-2 execution, which utilizes a multi-prover system.
- The Eclipse project uses RISC-Zero instead of RISC.
Transparency, implications and the impact
LambdaClass said that the impact of the bug would need to be assessed further. The exploit was dependent on how the issues interacted, so fixing just one issue might not prevent the exploitation.
LambdaClass developer Fede highlighted on social media how his team felt obliged to reveal the problem after they perceived a lack of urgency in Succinct’s communication.
Succinct’s leadership acted responsibly in fixing the issue, according to Avail’s Anurag Arjun, but he agreed better public disclosure practices are needed.
“ZKVM systems are very new and are constantly being updated, so you’d expect vulnerabilities,” Arjun told Blockworks. “In an open-source setting, anyone can run the prover, and if vulnerabilities aren’t disclosed properly, that’s definitely a risk.”
Arjun confirmed that Avail, which uses SP1 for proof generation in its consensus mechanism, used the information privately before public disclosure.
Arjun explained that Avail’s implementation did not pose any risk because it relies on Succinct’s proprietary prover, which is still permitted. Avail’s clients who use its bridge contracts powered by SP1 have not used it yet, either.
Succinct defenders also point out that responsible reporting usually involves private statements before public ones to avoid unnecessary anxiety and potential exploitation.
Succinct’s updated version 4 of SP1 — dubbed Turbo — resolves the identified vulnerability, and downstream projects have begun integrating these fixes.
Even well-tested code contains bugs. As Succinct put it, “while auditors provide valuable insights, they are not infallible, and we remain committed to continuously improving and working hard to ensure our systems are safe and secure for everyone.”
Succinct was applauded for its more direct, though belated, transparency. It remains to be seen how security, user protection, and transparency can best coexist. It is also important to find the balance between proper criticism and toxic infighting.