
RUSTSEC-2021-0156

Triton VM Soundness Vulnerability due to Missing Constraint

Details

The `sponge_absorb_mem` instruction in Triton VM fails to verify that the hashed values come from the claimed memory location. A malicious prover can substitute arbitrary data for the actual memory contents.

Any application that uses `sponge_absorb_mem` to hash memory data can be given a proof for a forged hash that does not correspond to the actual memory. This breaks the security of memory-based commitments.

The flaw was corrected in commits `17c7ba0a` and `ef9d9e72` by including the appropriate constraints.

Affected packages

crates.io / triton-vm
First affected version: 0.42.0-alpha.4; fixed version: 4.0.0

Upgrade triton-vm to 4.0.0 or newer (ecosystem crates.io).
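The affected range above, applied to the versions pinned in a `Cargo.lock`, as an added example that is not part of the advisory or the Triton VM project. The lockfile excerpt and the crate name `my-app` are constructed, and the comparison follows SemVer 2.0.0 precedence so that pre-release versions such as `0.42.0-alpha.10` are ordered correctly.

```python
import re

CRATE = "triton-vm"
FIRST_AFFECTED = "0.42.0-alpha.4"  # from the advisory
FIXED = "4.0.0"                    # from the advisory

# Constructed sample Cargo.lock excerpt ("my-app" is a hypothetical crate).
SAMPLE_LOCK = '''\
[[package]]
name = "my-app"
version = "0.1.0"

[[package]]
name = "triton-vm"
version = "0.42.0-alpha.10"
'''

PACKAGE_RE = re.compile(r'\[\[package\]\]\s+name = "([^"]+)"\s+version = "([^"]+)"')


def semver_key(version):
    """Sort key implementing SemVer 2.0.0 precedence (build metadata ignored)."""
    core, _, pre = version.split("+", 1)[0].partition("-")
    major, minor, patch = (int(n) for n in core.split("."))
    if not pre:
        # A release outranks every pre-release of the same core version.
        return (major, minor, patch, 1, ())
    # Numeric identifiers compare as integers and rank below alphanumeric ones.
    idents = tuple((0, int(p), "") if p.isdigit() else (1, 0, p)
                   for p in pre.split("."))
    return (major, minor, patch, 0, idents)


def is_affected(version):
    """True if FIRST_AFFECTED <= version < FIXED.

    Pre-releases of the fixed version order below it, so they are reported too.
    """
    return semver_key(FIRST_AFFECTED) <= semver_key(version) < semver_key(FIXED)


def affected_in_lockfile(lock_text):
    """Return the affected triton-vm versions pinned in Cargo.lock text."""
    return [version for name, version in PACKAGE_RE.findall(lock_text)
            if name == CRATE and is_affected(version)]


if __name__ == "__main__":
    print(affected_in_lockfile(SAMPLE_LOCK))
```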

References