PT-2023-29214 · Gnark · Gnark

Kustosz · Published 2023-10-04 · Updated 2023-10-13 · CVE-2023-44378

CVSS v3.1: 7.1 High

Vector: AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

gnark versions prior to 0.9.0

Description

Some in-circuit values have two valid decompositions into bits, because the decomposition can overflow the field in which the values are defined. This allows a malicious prover to construct a valid proof for the statement a < b even if a > b. The problem affects users of the API.Cmp or API.IsLess methods, as well as users of the bits.ToBinary or API.ToBinary methods with full-width decomposition.

Recommendations

Upgrading to version 0.9.0 should fix the issue without any change to the calls to value comparison methods. Alternatively, users can use the std/math/cmp gadget, which allows bounding the number of bits being compared and makes comparisons more efficient when a bound on the absolute difference of the values is known.
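The non-unique decomposition described above can be seen in a toy field. This is an added example, not gnark code or the gnark patch: the modulus 13, the function names and the range check shown as a countermeasure are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"math/big"
)

// Decompositions lists every integer below 2^nbits that is congruent to v mod p.
// More than one entry means v has more than one valid nbits-wide bit decomposition.
func Decompositions(v, p *big.Int, nbits uint) []*big.Int {
	limit := new(big.Int).Lsh(big.NewInt(1), nbits)
	var out []*big.Int
	for c := new(big.Int).Mod(v, p); c.Cmp(limit) < 0; c = new(big.Int).Add(c, p) {
		out = append(out, c)
	}
	return out
}

// Bits returns the nbits low bits of x, least significant first.
func Bits(x *big.Int, nbits uint) []uint {
	b := make([]uint, nbits)
	for i := range b {
		b[i] = x.Bit(i)
	}
	return b
}

// toInt reads the bits as a plain integer, with no modular reduction.
func toInt(bits []uint) *big.Int {
	acc := new(big.Int)
	for i, b := range bits {
		acc.SetBit(acc, i, b)
	}
	return acc
}

// Recompose is sum(bits[i]*2^i) reduced mod p: all a field equation can check.
func Recompose(bits []uint, p *big.Int) *big.Int { return toInt(bits).Mod(toInt(bits), p) }

// IsCanonical is the extra range check: the bits, read as an integer, must be below p.
func IsCanonical(bits []uint, p *big.Int) bool { return toInt(bits).Cmp(p) < 0 }

func main() {
	p := big.NewInt(13) // constructed toy modulus; 4 bits is its full width
	for _, c := range Decompositions(big.NewInt(2), p, 4) {
		b := Bits(c, 4)
		fmt.Printf("bits=%v recomposes to %v, canonical=%v\n", b, Recompose(b, p), IsCanonical(b, p))
	}
}
```

Both bit strings satisfy the recomposition equation for the value 2, but only one of them passes the range check, so a comparison built on full-width bits is sound only when the decomposition is forced to be canonical.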

Weakness Enumeration

Integer Underflow

Related Identifiers

CVE-2023-44378
GHSA-498W-5J49-VQJG
GO-2023-2098

Affected Products

Gnark