Cointime

Download App
iOS & Android

ZKP Series: Pseudonym Input Vulnerability in Circom’s Verification Contract Has Been Replicated

Overview

Earlier, a double-spending vulnerability in a zero-knowledge proof verification contract on Semaphore was uncovered by the Russian developer, Poma. As a matter of curiosity, my intention is to replicate the vulnerability’s PoC initially. However, due to the vulnerability code being old and the project being relatively complex, I opted to create a straightforward PoC to replicate the vulnerability.

Introduction

The foundation of Zero Knowledge Proof (ZKP) technology lies in an algorithm called a “proof system”. By performing a series of computations on the message, the algorithm produces a proof to demonstrate the genuineness of the message. The recipient can confirm the message’s authenticity by verifying the proof alone, without requiring additional information.

There are various implementation schemes for ZKP technology, which we discussed in our earlier article “Technical Features of ZKP Mainstream Implementation Schemes”. In this experiment, the Circom platform is employed, which utilizes Groth16 and PlonK as its proof system. During development, developers can select either system. The development framework generates proof parameters and verification contracts automatically without circuit modification.

In simpler terms, Circom creates witness data and attestation data on the client side and submits them to the contract. The verifier.sol contract verifies the submitted data to confirm whether the proof adheres to the specified rules. This approach enables rapid, efficient, and secure verification while safeguarding the message’s content and privacy.

Vulnerability Analysis

1. There isn’t much to discuss, so let’s proceed straight to the problematic code. Please refer to the “verifyHash” function in the image below. The code enclosed in the red box indicates whether specific witness data has been utilized. This method is commonly employed to prevent double spending. However, the vulnerability has arisen in the witness data “hash1”. Normally, a particular set of proof data should only correspond to a set of “hash1” values for verification purposes.

2. The “verify” function in the “verifier.sol” contract carries out elliptic curve computation verification on the input value via the “scalar_mul()” function. This function conducts calculations on elliptic curves utilizing the input parameters and matches the resulting value against the value specified in the provided proof. The function thereby confirms whether the input value is legitimate or not.

3. In a Solidity smart contract, encoding Fq necessitates the usage of the uint256 type. However, as the maximum value of uint256 is larger than the q value, several distinct integers may correspond to the same Fq value following the modulo operation. For example, “s” and “s+q” indicate the same point, namely the “sth” point. Similarly, “s+2q” and so on are also aliases for point “s”. This phenomenon is known as “Input Aliasing”, whereby these integers serve as pseudonyms for one another.

The “q” value mentioned here pertains to the cyclic group’s order, which signifies the number of values within the same Fq that can be input with numerous large integers. In essence, even if a q value is added to the hash, it can still satisfy the verification criterion. Within the uint256 type’s scope, a maximum of uint256_max/q distinct integers can indicate the same point. This signifies that a set of proofs can have up to 5 hash1 values that match and can pass the contract’s verification.

Vulnerability Recurrence

1. Develop a basic circuit that inputs two data sets and produces a witness data, i.e., “hash1,” utilized in the contract.

2. Compile the circuit to create “circuit_final.zkey”, “circuit.wasm”, and “verifier.sol”. Afterward, generate a collection of proofs, a standard hash, and a corrupted hash.

3. Subsequently, deploy the contract and employ the “checkHash” generated earlier to conduct a verification process. The verification successfully passes.

4. Next, apply the identical witness data and the previously generated “attackHash”. It is discovered that the verification is also successful. This demonstrates that a set of proofs can feature several matching hashes that meet the contract’s verification criteria. Thus, the Circom verification contract input pseudonym vulnerability has been effectively replicated.

Solutions to Vulnerabilities

The vulnerability arises from a set of proofs that can have at most 5 hash values that match and meet the contract’s verification requirements. Thus, the bug fix is straightforward: restricting all input hashes to a value less than “q”.

Summary

Input pseudonym vulnerability is a frequently encountered vulnerability in zero-knowledge proof and cryptography implementation. Its fundamental cause lies in the value being equivalent to the remainder within the finite field. Therefore, developers must focus on the verification group’s order when creating cryptography.

Get the latest news here: Cointime channel — https://t.me/cointime_en

Comments

All Comments

Recommended for you

  • A Total of 37,212.18 DMD Permanently Burned Over the Past 7 Days

    July 9, 2026 — According to the latest on-chain data released by DMDAO, a total of 37,212.18 DMD has been permanently burned over the past seven calendar days through the protocol's predefined trading and wealth management burn mechanisms.

  • Whale Transfers 1,133 BTC to Coinbase Prime, Valued at $71.48 Million

    According to Onchain Lens monitoring, a whale transferred 1,133 BTC from Coinbase to Coinbase Prime through an intermediary wallet, valued at $71.48 million.

  • U.S. AI Chip Stocks Decline Before Market Open, Intel Falls Over 3%

    On July 7, U.S. AI chip stocks experienced widespread declines before the market opened. Intel dropped over 3%, while AMD, Qualcomm, and NXP fell more than 2%. TSMC, Broadcom, and Tesla decreased by over 1%, and NVIDIA declined by 0.7%.

  • China's Central Bank Increases Gold Reserves for the 20th Consecutive Month

    As of the end of June, China's gold reserves stood at 75.44 million ounces (approximately 2,346.446 tons), an increase of 480,000 ounces (about 14.93 tons) from the end of May, which reported 74.96 million ounces (approximately 2,331.52 tons). This marks the 20th consecutive month of gold accumulation.

  • China's Foreign Exchange Reserves in June at $341.6262 Billion

    On July 7, China's foreign exchange reserves for June stood at $341.6262 billion, a decrease of $26 billion from the end of May, representing a decline of 0.75%, with expectations set at $343.2 billion.

  • U.S. Storage Stocks Drop Pre-Market, SanDisk and Micron Down Over 4%

    On July 7, U.S. storage concept stocks collectively fell in pre-market trading. Western Digital dropped over 5%, SanDisk and Micron Technology fell over 4%, Seagate Technology declined over 3%, Rambus fell over 2%, and SMI fell over 1%.

  • U.S. Stocks in Optical Communication Sector Drop Pre-Market

    On July 7, stocks in the optical communication sector of the U.S. market collectively fell pre-market. Astera Labs dropped over 4%, while Marvell Technology, Credo Technology, and AXT Inc. fell more than 3%. Tower Semiconductor, MaxLinear, Corning, Applied Optoelectronics, GlobalFoundries, Lumentum, and Qorvo all declined by more than 2%. Coherent, Nokia, Amphenol, and Broadcom dropped over 1%.

  • Pre-market Decline in U.S. Storage Stocks

    In pre-market trading, U.S. storage concept stocks experienced a widespread decline, with Micron Technology falling by 4.8%, SanDisk dropping over 4%, Corning down more than 2%, and Intel decreasing by over 3%.

  • Two Departments: Support for Reinsurance Institutions to Increase Capital and Issue Supplementary Capital Tools

    On July 7, the National Financial Supervision and Administration Bureau and the Shanghai Municipal Government released several measures to accelerate the construction of the Shanghai International Reinsurance Center. Among these measures, they proposed to enhance the quality and efficiency of the reinsurance industry, support reinsurance institutions in increasing capital and expanding shares, and issuing supplementary capital tools to improve the capacity for internal capital accumulation and external capital supplementation, thereby strengthening the reinsurance industry's capabilities. The initiative aims to guide the insurance industry to focus on major national projects, strategic emerging industries, and livelihood security, consolidating insurance and reinsurance underwriting capabilities to enhance risk protection levels. It also supports reinsurance institutions in leveraging their professional technical advantages to assist the insurance industry in reducing risk.

  • Sources: Saudi Arabia Plans to Expand Oil Pipeline to Red Sea, Increasing Capacity by 2 Million Barrels Daily to Bypass Strait of Hormuz

    On July 7, five informed sources revealed that Saudi Arabia is considering expanding the crude oil pipeline capacity to its western coast on the Red Sea, allowing Saudi Arabia and its neighbors to transport more oil without passing through the Strait of Hormuz. This east-west pipeline, built in the early 1980s, has gained strategic importance since the outbreak of the Iran war in February and the disruption of shipping in the Strait of Hormuz. The pipeline can deliver up to 7 million barrels of crude oil per day to the Red Sea port. The CEO of Saudi Aramco stated in May that approximately 2 million barrels are supplied to west coast refineries, while about 5 million barrels are for export. Sources indicate that Saudi Arabia is in preliminary discussions with some neighboring countries regarding the pipeline expansion, aiming to add about 2 million barrels of pipeline capacity per day. It remains unclear whether Aramco's planned expansion involves upgrading existing infrastructure or constructing new pipelines. One source mentioned that the expansion plan also includes a smaller refined oil pipeline. Two sources indicated that the expansion scale could range from 1 million to 2 million barrels per day, with refined oil also being considered. Another source stated that the project would take several years and cost billions of dollars, requiring adjustments to Saudi crude pricing mechanisms.