Score:5

How the mimc bug from circomlib was safely exploited to fake the merkle root in the witness in practice?


Several years ago, there was an unenforced constraint on verification in the circomlib library: a tool for building projects using zk-SNARKs. The error allowed forging cryptographic nullifiers/proofs without having a prior commitment. Tornado Cash, using Groth16, was the most well‑known affected case: the protocol had to be safely exploited in order to avoid loss of funds.

On the blog post, there were :

Later, we will release a step by step guide on how to use this exploit to educate interested security professionals.

4 years later, such a blog post still doesn’t exist. And with the OFAC sanctions resulting in contributing to any code related to the project being banned for US citizens or people living in the US, it is unlikely to ever exist.

Nevertheless, instead of potential step by step Zokrates commands on the alt_bn128 curve, would it be possible at least to have this question containing the detailed required computations in mathematical notation to fake the witness despite not having prior commitments to the root?

fgrieu
Crypto-SE is more about theory than implementation of crypto; not much about mistakes in implementations, even less about exploiting them, and we could not care less about the consequences for a cryptocurrency. Combined with the highly technical nature of the subject, and the lack of a reference description of what the mistake exactly does, this is enough to explain the current lack of answer so far. I'm confident whatever "ofac sanctions" may be, they have played no role. From my perspective, [web3 is going just great](https://web3isgoinggreat.com/)…
user2284570
@fgrieu `Nevertheless, instead of potential step by step Zokrates commands, would it be possible to have this question containing the detailed required computations to generate proofs along nullifiers that verify a root despite not having prior commitments to the root?` This means in mathematical notation of course.
user2284570
@fgrieu the persons who found the bug and are still free were told by their lawyers not to say anything about it. So I suppose there are other cases like this where this doesn't help.