feat: truncate SHA hashes inside circuits

l1-contracts/slither_output.md

@@ -1,7 +1,7 @@
 Summary
  - [pess-unprotected-setter](#pess-unprotected-setter) (1 results) (High)
  - [uninitialized-local](#uninitialized-local) (2 results) (Medium)
- - [pess-dubious-typecast](#pess-dubious-typecast) (3 results) (Medium)
+ - [pess-dubious-typecast](#pess-dubious-typecast) (4 results) (Medium)
  - [missing-zero-check](#missing-zero-check) (2 results) (Low)
  - [reentrancy-events](#reentrancy-events) (2 results) (Low)
  - [timestamp](#timestamp) (1 results) (Low)
@@ -40,20 +40,28 @@ src/core/libraries/decoders/TxsDecoder.sol#L78
 Impact: Medium
 Confidence: High
  - [ ] ID-3
-Dubious typecast in [TxsDecoder.read1(bytes,uint256)](src/core/libraries/decoders/TxsDecoder.sol#L333-L335):
-	bytes => bytes1 casting occurs in [uint256(uint8(bytes1(slice(_data,_offset,1))))](src/core/libraries/decoders/TxsDecoder.sol#L334)
+Dubious typecast in [Hash.sha256ToField(bytes)](src/core/libraries/Hash.sol#L42-L44):
+	bytes32 => bytes31 casting occurs in [bytes32(bytes.concat(new bytes(1),bytes31(sha256(bytes)(_data))))](src/core/libraries/Hash.sol#L43)
+	bytes => bytes32 casting occurs in [bytes32(bytes.concat(new bytes(1),bytes31(sha256(bytes)(_data))))](src/core/libraries/Hash.sol#L43)
 
-src/core/libraries/decoders/TxsDecoder.sol#L333-L335
+src/core/libraries/Hash.sol#L42-L44
 
 
  - [ ] ID-4
-Dubious typecast in [TxsDecoder.read4(bytes,uint256)](src/core/libraries/decoders/TxsDecoder.sol#L343-L345):
-	bytes => bytes4 casting occurs in [uint256(uint32(bytes4(slice(_data,_offset,4))))](src/core/libraries/decoders/TxsDecoder.sol#L344)
+Dubious typecast in [TxsDecoder.read1(bytes,uint256)](src/core/libraries/decoders/TxsDecoder.sol#L334-L336):
+	bytes => bytes1 casting occurs in [uint256(uint8(bytes1(slice(_data,_offset,1))))](src/core/libraries/decoders/TxsDecoder.sol#L335)
 
-src/core/libraries/decoders/TxsDecoder.sol#L343-L345
+src/core/libraries/decoders/TxsDecoder.sol#L334-L336
 
 
  - [ ] ID-5
+Dubious typecast in [TxsDecoder.read4(bytes,uint256)](src/core/libraries/decoders/TxsDecoder.sol#L344-L346):
+	bytes => bytes4 casting occurs in [uint256(uint32(bytes4(slice(_data,_offset,4))))](src/core/libraries/decoders/TxsDecoder.sol#L345)
+
+src/core/libraries/decoders/TxsDecoder.sol#L344-L346
+
+
+ - [ ] ID-6
 Dubious typecast in [HeaderLib.decode(bytes)](src/core/libraries/HeaderLib.sol#L143-L184):
 	bytes => bytes32 casting occurs in [header.lastArchive = AppendOnlyTreeSnapshot(bytes32(_header),uint32(bytes4(_header)))](src/core/libraries/HeaderLib.sol#L151-L153)
 	bytes => bytes4 casting occurs in [header.lastArchive = AppendOnlyTreeSnapshot(bytes32(_header),uint32(bytes4(_header)))](src/core/libraries/HeaderLib.sol#L151-L153)
@@ -82,14 +90,14 @@ src/core/libraries/HeaderLib.sol#L143-L184
 ## missing-zero-check
 Impact: Low
 Confidence: Medium
- - [ ] ID-6
+ - [ ] ID-7
 [Inbox.constructor(address,uint256)._rollup](src/core/messagebridge/Inbox.sol#L40) lacks a zero-check on :
 		- [ROLLUP = _rollup](src/core/messagebridge/Inbox.sol#L41)
 
 src/core/messagebridge/Inbox.sol#L40
 
 
- - [ ] ID-7
+ - [ ] ID-8
 [Outbox.constructor(address)._rollup](src/core/messagebridge/Outbox.sol#L31) lacks a zero-check on :
 		- [ROLLUP_CONTRACT = _rollup](src/core/messagebridge/Outbox.sol#L32)
 
@@ -99,7 +107,7 @@ src/core/messagebridge/Outbox.sol#L31
 ## reentrancy-events
 Impact: Low
 Confidence: Medium
- - [ ] ID-8
+ - [ ] ID-9
 Reentrancy in [Rollup.process(bytes,bytes32,bytes)](src/core/Rollup.sol#L58-L96):
 	External calls:
 	- [inHash = INBOX.consume()](src/core/Rollup.sol#L83)
@@ -110,7 +118,7 @@ Reentrancy in [Rollup.process(bytes,bytes32,bytes)](src/core/Rollup.sol#L58-L96)
 src/core/Rollup.sol#L58-L96
 
 
- - [ ] ID-9
+ - [ ] ID-10
 Reentrancy in [Inbox.sendL2Message(DataStructures.L2Actor,bytes32,bytes32)](src/core/messagebridge/Inbox.sol#L61-L95):
 	External calls:
 	- [index = currentTree.insertLeaf(leaf)](src/core/messagebridge/Inbox.sol#L91)
@@ -123,7 +131,7 @@ src/core/messagebridge/Inbox.sol#L61-L95
 ## timestamp
 Impact: Low
 Confidence: Medium
- - [ ] ID-10
+ - [ ] ID-11
 [HeaderLib.validate(HeaderLib.Header,uint256,uint256,bytes32)](src/core/libraries/HeaderLib.sol#L106-L136) uses timestamp for comparisons
 	Dangerous comparisons:
 	- [_header.globalVariables.timestamp > block.timestamp](src/core/libraries/HeaderLib.sol#L120)
@@ -134,35 +142,35 @@ src/core/libraries/HeaderLib.sol#L106-L136
 ## pess-public-vs-external
 Impact: Low
 Confidence: Medium
- - [ ] ID-11
-The following public functions could be turned into external in [FrontierMerkle](src/core/messagebridge/frontier_tree/Frontier.sol#L7-L93) contract:
-	[FrontierMerkle.constructor(uint256)](src/core/messagebridge/frontier_tree/Frontier.sol#L19-L27)
+ - [ ] ID-12
+The following public functions could be turned into external in [FrontierMerkle](src/core/messagebridge/frontier_tree/Frontier.sol#L12-L98) contract:
+	[FrontierMerkle.constructor(uint256)](src/core/messagebridge/frontier_tree/Frontier.sol#L24-L32)
 
-src/core/messagebridge/frontier_tree/Frontier.sol#L7-L93
+src/core/messagebridge/frontier_tree/Frontier.sol#L12-L98
 
 
- - [ ] ID-12
+ - [ ] ID-13
 The following public functions could be turned into external in [Registry](src/core/messagebridge/Registry.sol#L22-L129) contract:
 	[Registry.constructor()](src/core/messagebridge/Registry.sol#L29-L33)
 
 src/core/messagebridge/Registry.sol#L22-L129
 
 
- - [ ] ID-13
+ - [ ] ID-14
 The following public functions could be turned into external in [Inbox](src/core/messagebridge/Inbox.sol#L24-L124) contract:
 	[Inbox.constructor(address,uint256)](src/core/messagebridge/Inbox.sol#L40-L51)
 
 src/core/messagebridge/Inbox.sol#L24-L124
 
 
- - [ ] ID-14
+ - [ ] ID-15
 The following public functions could be turned into external in [Rollup](src/core/Rollup.sol#L29-L105) contract:
 	[Rollup.constructor(IRegistry,IAvailabilityOracle)](src/core/Rollup.sol#L43-L50)
 
 src/core/Rollup.sol#L29-L105
 
 
- - [ ] ID-15
+ - [ ] ID-16
 The following public functions could be turned into external in [Outbox](src/core/messagebridge/Outbox.sol#L18-L132) contract:
 	[Outbox.constructor(address)](src/core/messagebridge/Outbox.sol#L31-L33)
 
@@ -172,41 +180,41 @@ src/core/messagebridge/Outbox.sol#L18-L132
 ## assembly
 Impact: Informational
 Confidence: High
- - [ ] ID-16
-[TxsDecoder.computeRoot(bytes32[])](src/core/libraries/decoders/TxsDecoder.sol#L257-L276) uses assembly
-	- [INLINE ASM](src/core/libraries/decoders/TxsDecoder.sol#L264-L266)
+ - [ ] ID-17
+[TxsDecoder.computeRoot(bytes32[])](src/core/libraries/decoders/TxsDecoder.sol#L258-L277) uses assembly
+	- [INLINE ASM](src/core/libraries/decoders/TxsDecoder.sol#L265-L267)
 
-src/core/libraries/decoders/TxsDecoder.sol#L257-L276
+src/core/libraries/decoders/TxsDecoder.sol#L258-L277
 
 
 ## dead-code
 Impact: Informational
 Confidence: Medium
- - [ ] ID-17
+ - [ ] ID-18
 [MessageBox.consume(mapping(bytes32 => DataStructures.Entry),bytes32,function(bytes32))](src/core/libraries/MessageBox.sol#L71-L79) is never used and should be removed
 
 src/core/libraries/MessageBox.sol#L71-L79
 
 
- - [ ] ID-18
+ - [ ] ID-19
 [MessageBox.contains(mapping(bytes32 => DataStructures.Entry),bytes32)](src/core/libraries/MessageBox.sol#L87-L92) is never used and should be removed
 
 src/core/libraries/MessageBox.sol#L87-L92
 
 
- - [ ] ID-19
+ - [ ] ID-20
 [MessageBox.get(mapping(bytes32 => DataStructures.Entry),bytes32,function(bytes32))](src/core/libraries/MessageBox.sol#L104-L112) is never used and should be removed
 
 src/core/libraries/MessageBox.sol#L104-L112
 
 
- - [ ] ID-20
+ - [ ] ID-21
 [MessageBox.insert(mapping(bytes32 => DataStructures.Entry),bytes32,uint64,uint32,uint32,function(bytes32,uint64,uint64,uint32,uint32,uint32,uint32))](src/core/libraries/MessageBox.sol#L30-L60) is never used and should be removed
 
 src/core/libraries/MessageBox.sol#L30-L60
 
 
- - [ ] ID-21
+ - [ ] ID-22
 [Hash.sha256ToField(bytes32)](src/core/libraries/Hash.sol#L52-L54) is never used and should be removed
 
 src/core/libraries/Hash.sol#L52-L54
@@ -215,25 +223,25 @@ src/core/libraries/Hash.sol#L52-L54
 ## solc-version
 Impact: Informational
 Confidence: High
- - [ ] ID-22
+ - [ ] ID-23
 solc-0.8.23 is not recommended for deployment
 
 ## similar-names
 Impact: Informational
 Confidence: Medium
- - [ ] ID-23
+ - [ ] ID-24
 Variable [Constants.LOGS_HASHES_NUM_BYTES_PER_BASE_ROLLUP](src/core/libraries/ConstantsGen.sol#L130) is too similar to [Constants.NOTE_HASHES_NUM_BYTES_PER_BASE_ROLLUP](src/core/libraries/ConstantsGen.sol#L123)
 
 src/core/libraries/ConstantsGen.sol#L130
 
 
- - [ ] ID-24
+ - [ ] ID-25
 Variable [Constants.L1_TO_L2_MESSAGE_LENGTH](src/core/libraries/ConstantsGen.sol#L110) is too similar to [Constants.L2_TO_L1_MESSAGE_LENGTH](src/core/libraries/ConstantsGen.sol#L111)
 
 src/core/libraries/ConstantsGen.sol#L110
 
 
- - [ ] ID-25
+ - [ ] ID-26
 Variable [Rollup.AVAILABILITY_ORACLE](src/core/Rollup.sol#L32) is too similar to [Rollup.constructor(IRegistry,IAvailabilityOracle)._availabilityOracle](src/core/Rollup.sol#L43)
 
 src/core/Rollup.sol#L32
@@ -242,7 +250,7 @@ src/core/Rollup.sol#L32
 ## constable-states
 Impact: Optimization
 Confidence: High
- - [ ] ID-26
+ - [ ] ID-27
 [Rollup.lastWarpedBlockTs](src/core/Rollup.sol#L41) should be constant 
 
 src/core/Rollup.sol#L41
@@ -251,39 +259,39 @@ src/core/Rollup.sol#L41
 ## pess-multiple-storage-read
 Impact: Optimization
 Confidence: High
- - [ ] ID-27
+ - [ ] ID-28
 In a function [Outbox.insert(uint256,bytes32,uint256)](src/core/messagebridge/Outbox.sol#L44-L64) variable [Outbox.roots](src/core/messagebridge/Outbox.sol#L29) is read multiple times
 
 src/core/messagebridge/Outbox.sol#L44-L64
 
 
- - [ ] ID-28
+ - [ ] ID-29
 In a function [Inbox.consume()](src/core/messagebridge/Inbox.sol#L104-L123) variable [Inbox.toConsume](src/core/messagebridge/Inbox.sol#L34) is read multiple times
 
 src/core/messagebridge/Inbox.sol#L104-L123
 
 
- - [ ] ID-29
+ - [ ] ID-30
 In a function [Inbox.consume()](src/core/messagebridge/Inbox.sol#L104-L123) variable [Inbox.inProgress](src/core/messagebridge/Inbox.sol#L36) is read multiple times
 
 src/core/messagebridge/Inbox.sol#L104-L123
 
 
- - [ ] ID-30
-In a function [FrontierMerkle.root()](src/core/messagebridge/frontier_tree/Frontier.sol#L43-L76) variable [FrontierMerkle.HEIGHT](src/core/messagebridge/frontier_tree/Frontier.sol#L8) is read multiple times
+ - [ ] ID-31
+In a function [FrontierMerkle.root()](src/core/messagebridge/frontier_tree/Frontier.sol#L48-L81) variable [FrontierMerkle.HEIGHT](src/core/messagebridge/frontier_tree/Frontier.sol#L13) is read multiple times
 
-src/core/messagebridge/frontier_tree/Frontier.sol#L43-L76
+src/core/messagebridge/frontier_tree/Frontier.sol#L48-L81
 
 
- - [ ] ID-31
+ - [ ] ID-32
 In a function [Inbox.sendL2Message(DataStructures.L2Actor,bytes32,bytes32)](src/core/messagebridge/Inbox.sol#L61-L95) variable [Inbox.inProgress](src/core/messagebridge/Inbox.sol#L36) is read multiple times
 
 src/core/messagebridge/Inbox.sol#L61-L95
 
 
- - [ ] ID-32
-In a function [FrontierMerkle.root()](src/core/messagebridge/frontier_tree/Frontier.sol#L43-L76) variable [FrontierMerkle.frontier](src/core/messagebridge/frontier_tree/Frontier.sol#L13) is read multiple times
+ - [ ] ID-33
+In a function [FrontierMerkle.root()](src/core/messagebridge/frontier_tree/Frontier.sol#L48-L81) variable [FrontierMerkle.frontier](src/core/messagebridge/frontier_tree/Frontier.sol#L18) is read multiple times
 
-src/core/messagebridge/frontier_tree/Frontier.sol#L43-L76
+src/core/messagebridge/frontier_tree/Frontier.sol#L48-L81
 
 

l1-contracts/src/core/libraries/ConstantsGen.sol

@@ -72,7 +72,7 @@ library Constants {
   uint256 internal constant L1_TO_L2_MSG_SUBTREE_HEIGHT = 4;
   uint256 internal constant L1_TO_L2_MSG_SUBTREE_SIBLING_PATH_LENGTH = 12;
   uint256 internal constant FUNCTION_SELECTOR_NUM_BYTES = 4;
-  uint256 internal constant NUM_FIELDS_PER_SHA256 = 2;
+  uint256 internal constant NUM_FIELDS_PER_SHA256 = 1;
   uint256 internal constant ARGS_HASH_CHUNK_LENGTH = 32;
   uint256 internal constant ARGS_HASH_CHUNK_COUNT = 32;
   uint256 internal constant INITIALIZATION_SLOT_SEPARATOR = 1000_000_000;
@@ -98,23 +98,23 @@ library Constants {
   uint256 internal constant VIEW_NOTE_ORACLE_RETURN_LENGTH = 212;
   uint256 internal constant AZTEC_ADDRESS_LENGTH = 1;
   uint256 internal constant CALL_CONTEXT_LENGTH = 7;
-  uint256 internal constant CONTENT_COMMITMENT_LENGTH = 7;
+  uint256 internal constant CONTENT_COMMITMENT_LENGTH = 4;
   uint256 internal constant CONTRACT_INSTANCE_LENGTH = 6;
   uint256 internal constant CONTRACT_STORAGE_READ_LENGTH = 2;
   uint256 internal constant CONTRACT_STORAGE_UPDATE_REQUEST_LENGTH = 2;
   uint256 internal constant ETH_ADDRESS_LENGTH = 1;
   uint256 internal constant FUNCTION_DATA_LENGTH = 2;
   uint256 internal constant FUNCTION_LEAF_PREIMAGE_LENGTH = 5;
   uint256 internal constant GLOBAL_VARIABLES_LENGTH = 6;
-  uint256 internal constant HEADER_LENGTH = 23;
+  uint256 internal constant HEADER_LENGTH = 20;
   uint256 internal constant L1_TO_L2_MESSAGE_LENGTH = 6;
   uint256 internal constant L2_TO_L1_MESSAGE_LENGTH = 2;
   uint256 internal constant NULLIFIER_KEY_VALIDATION_REQUEST_LENGTH = 4;
   uint256 internal constant NULLIFIER_KEY_VALIDATION_REQUEST_CONTEXT_LENGTH = 5;
   uint256 internal constant PARTIAL_STATE_REFERENCE_LENGTH = 6;
-  uint256 internal constant PRIVATE_CALL_STACK_ITEM_LENGTH = 213;
-  uint256 internal constant PRIVATE_CIRCUIT_PUBLIC_INPUTS_LENGTH = 210;
-  uint256 internal constant PUBLIC_CIRCUIT_PUBLIC_INPUTS_LENGTH = 202;
+  uint256 internal constant PRIVATE_CALL_STACK_ITEM_LENGTH = 208;
+  uint256 internal constant PRIVATE_CIRCUIT_PUBLIC_INPUTS_LENGTH = 205;
+  uint256 internal constant PUBLIC_CIRCUIT_PUBLIC_INPUTS_LENGTH = 198;
   uint256 internal constant STATE_REFERENCE_LENGTH = 8;
   uint256 internal constant TX_CONTEXT_DATA_LENGTH = 4;
   uint256 internal constant TX_REQUEST_LENGTH = 8;

l1-contracts/src/core/libraries/Hash.sol

@@ -35,17 +35,17 @@ library Hash {
 
   /**
    * @notice Computes the sha256 hash of the provided data and converts it to a field element
-   * @dev Using modulo to convert the hash to a field element.
+   * @dev Truncating one byte to convert the hash to a field element. We prepend a byte rather than cast bytes31(bytes32) to match Noir's to_be_bytes.
    * @param _data - The bytes to hash
    * @return The hash of the provided data as a field element
    */
   function sha256ToField(bytes memory _data) internal pure returns (bytes32) {
-    return bytes32(uint256(sha256(_data)) % Constants.P);
+    return bytes32(bytes.concat(new bytes(1), bytes31(sha256(_data))));
   }
 
   /**
    * @notice Computes the sha256 hash of the provided data and converts it to a field element
-   * @dev Using modulo to convert the hash to a field element.
+   * @dev Truncating one byte to convert the hash to a field element.
    * @param _data - A bytes32 value to hash
    * @return The hash of the provided data as a field element
    */

l1-contracts/src/core/libraries/MerkleLib.sol

@@ -3,6 +3,7 @@
 pragma solidity >=0.8.18;
 
 import {Errors} from "../libraries/Errors.sol";
+import {Hash} from "../libraries/Hash.sol";
 
 /**
  * @title Merkle Library
@@ -40,8 +41,8 @@ library MerkleLib {
       bool isRight = (indexAtHeight & 1) == 1;
 
       subtreeRoot = isRight
-        ? sha256(bytes.concat(_path[height], subtreeRoot))
-        : sha256(bytes.concat(subtreeRoot, _path[height]));
+        ? Hash.sha256ToField(bytes.concat(_path[height], subtreeRoot))
+        : Hash.sha256ToField(bytes.concat(subtreeRoot, _path[height]));
       /// @notice - We divide by two here to get the index of the parent of the current subtreeRoot in its own layer
       indexAtHeight >>= 1;
     }

l1-contracts/src/core/libraries/decoders/TxsDecoder.sol

@@ -177,7 +177,7 @@ library TxsDecoder {
           bytes.concat(vars.encryptedLogsHash, vars.unencryptedLogsHash)
         );
 
-        vars.baseLeaves[i] = sha256(vars.baseLeaf);
+        vars.baseLeaves[i] = Hash.sha256ToField(vars.baseLeaf);
       }
     }
 
@@ -235,14 +235,15 @@ library TxsDecoder {
 
       // Hash the logs of this iteration's function call
       bytes32 privateCircuitPublicInputsLogsHash =
-        sha256(slice(_body, offset, privateCircuitPublicInputLogsLength));
+        Hash.sha256ToField(slice(_body, offset, privateCircuitPublicInputLogsLength));
       offset += privateCircuitPublicInputLogsLength;
 
       // Decrease remaining logs length by this privateCircuitPublicInputsLogs's length (len(I?_LOGS)) and 4 bytes for I?_LOGS_LEN
       remainingLogsLength -= (privateCircuitPublicInputLogsLength + 0x4);
 
-      kernelPublicInputsLogsHash =
-        sha256(bytes.concat(kernelPublicInputsLogsHash, privateCircuitPublicInputsLogsHash));
+      kernelPublicInputsLogsHash = Hash.sha256ToField(
+        bytes.concat(kernelPublicInputsLogsHash, privateCircuitPublicInputsLogsHash)
+      );
     }
 
     return (kernelPublicInputsLogsHash, offset);
@@ -267,7 +268,7 @@ library TxsDecoder {
 
     for (uint256 i = 0; i < treeDepth; i++) {
       for (uint256 j = 0; j < treeSize; j += 2) {
-        _leafs[j / 2] = sha256(bytes.concat(_leafs[j], _leafs[j + 1]));
+        _leafs[j / 2] = Hash.sha256ToField(bytes.concat(_leafs[j], _leafs[j + 1]));
       }
       treeSize /= 2;
     }