@@ -865,6 +865,11 @@ async function verifyAccountUpdate(
865865
866866 let verificationKey = account . zkapp ?. verificationKey ?. data ! ;
867867 isValidProof = await verify ( proof . toJSON ( ) , verificationKey ) ;
868+ if ( ! isValidProof ) {
869+ throw Error (
870+ `Invalid proof for account update\n${ JSON . stringify ( update ) }
871+ ) ;
872+ }
868873 } catch ( error ) {
869874 errorTrace += '\n\n' + ( error as Error ) . message ;
870875 isValidProof = false ;
@@ -888,6 +893,8 @@ async function verifyAccountUpdate(
888893 }
889894 }
890895
896+ let verified = false ;
897+
891898 function checkPermission ( p : Types . Json . AuthRequired , field : string ) {
892899 if ( p == 'None' ) return ;
893900
@@ -897,7 +904,6 @@ async function verifyAccountUpdate(
897904 ) ;
898905 }
899906
900- let verified = false ;
901907 if ( p == 'Signature' || p == 'Either' ) {
902908 verified ||= isValidSignature ;
903909 }
@@ -932,4 +938,14 @@ async function verifyAccountUpdate(
932938 let p = permissionForUpdate ( 'incrementNonce' ) ;
933939 checkPermission ( p , 'incrementNonce' ) ;
934940 }
941+
942+ // this checks for an edge case where an account update can be authorized using proofs but
943+ // a) the proof is invalid (bad verification key)
944+ // and b) there are no state changes initiate so no permissions will be checked
945+ // however, if the verification key changes, the proof should still be invalid
946+ if ( errorTrace && ! verified ) {
947+ throw Error (
948+ `One or more proofs were invalid and no other form of authorization was provided.\n${ errorTrace }
949+ ) ;
950+ }
935951}
0 commit comments