Axiom Halo2 Libraries
Type: Security review
Client: Axiom
Date: 2023-06
Domain: Crypto
Effort: 14 wks
Section: Cryptography Reviews
Trail of Bits's security review of Axiom (Jun 2023) identified 29 issues: 3 high, 6 medium, 7 low, 12 informational, and 1 undetermined.
Findings · 29
- 1 Incorrect limb decomposition due to bit-shifts larger than integer size Low
- 2 Risk of unconstrained inner product in release builds Medium
- 3 idx_to_indicator circuit is underconstrained High
- 4 ecdsa_verify_no_pubkey_check can fail on signatures from crafted public keys Medium
- 5 log2_ceil function miscomputes its result when x input is zero Low
- 6 GateChip::num_to_bits depends on implementation-specific details of the underlying field Low
- 7 RangeChip::get_last_bit returns the wrong value Low
- 8 Validations missing in release builds Medium
- 9 Keccak implementation cannot hash arbitrarily large inputs Informational
- 10 Field division of zero by zero is unconstrained Medium
- 11 Incorrect point-at-infinity handling in elliptic curve operations Medium
- 12 FpChip::load_private allows non-reduced field elements Informational
- 13 scalar_multiply can return underconstrained results High
- 14 Witness may be underconstrained if two gates overlap with more than one cell Informational
- 15 EccChip::load_private does not enforce that witness values are on-curve Informational
- 16 Native KZG accumulation decider accepts an empty vector Medium
- 17 Polynomial addition and subtraction assume polynomials have the same degree Informational
- 18 FpChip::enforce_less_than_p incorrectly allows certain values above 2t Informational
- 19 FpChip::assert_equal does not assert equality High
- 20 Scalar rotation misbehaves on i32::MIN Low
- 21 Several functions assume that arguments are non-empty Low
- 22 EVM verifier does not validate the deployment code Informational
- 23 Values from load_random_point are used without strict checks Informational
- 24 query_cell_at_pos assumes that the column index is valid Informational
- 25 Unchecked uses of zip could bypass checks on parse_account_proof_phase0 and parse_storage_proof_phase0 Undetermined
- 26 The hex_prefix_encode and hex_prefix_encode_first functions assume that the is_odd parameter is a bit Informational
- 27 batch_invert_and_mul ignores zero elements and panics on empty arrays Low
- 28 Proof caching occurs before proof validation Informational
- 29 Merkle root computation does not differentiate leaf data hashing and inner node hashing Informational
Findings extracted from the published report PDF. See the full report below for details and remediation.