-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proof verification can be forged #33
Comments
I believe this is fixed by #36, as I rewrote that entire part of the lib. |
Hey, thanks for the response! This is great timing actually, as I have just finished my implementation of this in cairo0. I think I have a good understanding of this now. Maybe we can take a look at each others code and give some feedback? Probably doesnt hurt to have someone else look over it. Wdyt? My implementation is here: https://github.com/HerodotusDev/hdp-cairo/blob/feat/starknet-memorizer/src/verifiers/starknet/storage_verifier.cairo#L156 Notes:
|
@petscheit |
Ahh, I see. Well thats of the table then I guess! I saw the multi proofs, wanted to take a look how you did that later. My implementation is compatible with For Madaras use case, the bonsai-trie proofs should eventually be verifiable on Starknet right? Is this currently the case with the Alexandria verifier? |
Hello hello @petscheit does Alexandria have a verifier impl? Or are you talking about the integrity verifier from Herodotus? Our getProof endpoint will respect v0.8.0 official specs. I'm wondering what are you working on exactly?? |
here is the link to the v0.8.0 specs starkware-libs/starknet-specs#232 if you want to look at it |
Hey @antiyro alexandria has an implementation for verifying the storage proofs, but it turned out that its incomplete actually. So it can reject valid proofs as incompatible. I am working on a cairo0 implementation of the starknet mpt verification algo. I played around with the "native" mpt verifier that is part of cairo-lang, but its quite inefficient if you just want to verify a single proof. |
@petscheit hi! are you in the #starknet-json-rpc slack channel? I tried to ping you there to have your advice for the new storage proof endpoint, but I don't think you're in it |
@cchudant I am not. Feel free to invite me there, email is in my profile. |
In the current proof verification implementation, it is never asserted, that the tree was traversed all the way down to the leaf nodes.
The tree is fully traversed, if the entire key/path has been processed, so all 251 bits. Not traversing all the way until the end of the key, allows an attacker to verify arbitrary edge nodes that are in the original path of the key.
This behaviour can be prevented, by ensuring the
remaining_key
parameter is 0 after all proof nodes have been processed. Otherwise it is possible to truncate the proof path, verifying an incorrect value as a result.I have added a PoC of this behaviour here: a935126
The text was updated successfully, but these errors were encountered: