Fix the bugs in RLP/Tx/PI circuit which are reported by Zellic & KALOS auditors #572

kunxian-xia · 2023-06-28T14:38:37Z

Description

This PR aims to fix all the bugs found by Zellic auditors in RLP & Tx & PI circuits.

Issue Link

The bug report can be found here.

Type of change

Bug fix (non-breaking change which fixes an issue)

impl<F: Field, const N_BYTES: usize> ComparatorChip<F, N_BYTES> {
    /// Configure the comparator chip. Returns the config.
    pub fn configure(
        meta: &mut ConstraintSystem<F>,
        q_enable: impl FnOnce(&mut VirtualCells<F>) -> Expression<F> + Clone,
        lhs: impl FnOnce(&mut VirtualCells<F>) -> Expression<F> + Clone,
        rhs: impl FnOnce(&mut VirtualCells<F>) -> Expression<F> + Clone,
        u8_table: TableColumn,
    ) -> ComparatorConfig<F, N_BYTES> {

* fix: use tag_bytes_rlc and tag_length to copy tag's bytes around * fix lookup input for Len & RLC & GasCost fields in tx circuit * refactor * fix * refactor * fix col phase issue

…612) * lookup chain_id to RLP table * fix finding 22 (#614) * fix finding 21 (#613) * fix finding 23 (#618) * fix finding 26 (#622) * fix finding 28 (#624) Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> * fix finding 29 (#623) Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> * enforce is_final is true at the last row and fix RLC related vul (#735) * Fix finding 30 (#733) * enforce all txs in a block are included in the tx table * clippy --------- Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> * Fix Zellic / Kalos finding25 (#619) * fix finding 25 * add comment --------- Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> * fix conflicts --------- Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> Co-authored-by: Zhang Zhuo <mycinbrin@gmail.com>

lispc · 2023-08-16T08:39:38Z

great. we can mark the asana board to mark them all done

lispc

let us merge it after CI passes

…S auditors (#572) * fix finding 3 (#575) * Fix zellic finding 4 (#576) * fix finding 3 (#575) * fix finding 4 --------- Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> * add range check on diffs (#586) * Fix finding 10 (#578) * fix finding 3 (#575) * fix finding 10 * Fix finding 13 (#579) * fix finding 3 (#575) * fix finding 13 * Fix zellic finding 14 (#580) * fix finding 3 (#575) * fix finding 14 * Fix zellic finding 5 (#584) * fix finding 3 (#575) * fix finding 5 * refine comments * fmt * Fix finding 17 (#602) * add q_last * fix * add more diff range check * fix finding 7 (#625) * tx_id = 1 when sm starts * Fix finding 11 : use length for rlc in rlp table (#719) * fix: use tag_bytes_rlc and tag_length to copy tag's bytes around * fix lookup input for Len & RLC & GasCost fields in tx circuit * refactor * fix * refactor * fix col phase issue * refactor bytes_rlc type * Fix the bugs in Tx & PI circuits reported by Zellic & KALOS auditors (#612) * lookup chain_id to RLP table * fix finding 22 (#614) * fix finding 21 (#613) * fix finding 23 (#618) * fix finding 26 (#622) * fix finding 28 (#624) Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> * fix finding 29 (#623) Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> * enforce is_final is true at the last row and fix RLC related vul (#735) * Fix finding 30 (#733) * enforce all txs in a block are included in the tx table * clippy --------- Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> * Fix Zellic / Kalos finding25 (#619) * fix finding 25 * add comment --------- Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> * fix conflicts --------- Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> Co-authored-by: Zhang Zhuo <mycinbrin@gmail.com> * use q_first instead * fmt --------- Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> Co-authored-by: Zhang Zhuo <mycinbrin@gmail.com>

* add row counting interface for keccak * add class level capacity calculator for keccak * remove f capacity from core * remove capacity calculator in aggregator util * remove unnecessary imports * replace max keccak round in core * replace reference for max keccak * remove unnecessary keccak imports and constants * remove max keccak constant * remove constants in hash cell parsing * remove constant column sanity check * add state column usage log * adjust input bytes column * add long column padding * correct fmt * fix fmt * minor fixes * fix * Fix: allow skipping of L1Msg tx part 2 (calculate num_all_txs in tx circuit) (#778) * calculate num_l1_msgs and num_l2_txs in tx circuit * fix * fmt and clippy * fix: non-last tx requires next is calldata * add NumAllTxs in block table and copy it from pi to block table * add lookup for NumAllTxs in tx circuit * clippy * add block num diff check to avoid two real block have same num * clippy * address comments * Fix the bugs in RLP/Tx/PI circuit which are reported by Zellic & KALOS auditors (#572) * fix finding 3 (#575) * Fix zellic finding 4 (#576) * fix finding 3 (#575) * fix finding 4 --------- Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> * add range check on diffs (#586) * Fix finding 10 (#578) * fix finding 3 (#575) * fix finding 10 * Fix finding 13 (#579) * fix finding 3 (#575) * fix finding 13 * Fix zellic finding 14 (#580) * fix finding 3 (#575) * fix finding 14 * Fix zellic finding 5 (#584) * fix finding 3 (#575) * fix finding 5 * refine comments * fmt * Fix finding 17 (#602) * add q_last * fix * add more diff range check * fix finding 7 (#625) * tx_id = 1 when sm starts * Fix finding 11 : use length for rlc in rlp table (#719) * fix: use tag_bytes_rlc and tag_length to copy tag's bytes around * fix lookup input for Len & RLC & GasCost fields in tx circuit * refactor * fix * refactor * fix col phase issue * refactor bytes_rlc type * Fix the bugs in Tx & PI circuits reported by Zellic & KALOS auditors (#612) * lookup chain_id to RLP table * fix finding 22 (#614) * fix finding 21 (#613) * fix finding 23 (#618) * fix finding 26 (#622) * fix finding 28 (#624) Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> * fix finding 29 (#623) Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> * enforce is_final is true at the last row and fix RLC related vul (#735) * Fix finding 30 (#733) * enforce all txs in a block are included in the tx table * clippy --------- Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> * Fix Zellic / Kalos finding25 (#619) * fix finding 25 * add comment --------- Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> * fix conflicts --------- Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> Co-authored-by: Zhang Zhuo <mycinbrin@gmail.com> * use q_first instead * fmt --------- Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> Co-authored-by: Zhang Zhuo <mycinbrin@gmail.com> * add pi comments * rename preimage col idx * add keccak rows check * rename input bytes col finder fn * modify keccak row env constaint * modify keccak row env constaint * add named constant setup vars * modify keccak row check * clippy advised * add comments on chunk hash * fmt * avoid constant lookup table * avoid repetitive computation of input_bytes_col_idx --------- Co-authored-by: Zhuo Zhang <mycinbrin@gmail.com> Co-authored-by: xkx <xiakunxian130@gmail.com> Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com>

github-actions bot added the crate-zkevm-circuits label Jun 28, 2023

kunxian-xia marked this pull request as draft June 28, 2023 15:08

kunxian-xia closed this Jun 29, 2023

kunxian-xia force-pushed the fix/rlp-audit-wave1 branch from 1e89930 to 196db5e Compare June 29, 2023 06:58

github-actions bot removed the crate-zkevm-circuits label Jun 29, 2023

kunxian-xia reopened this Jun 29, 2023

github-actions bot added crate-zkevm-circuits labels Jun 29, 2023

fix finding 3 (#575)

8de5a6d

kunxian-xia force-pushed the fix/rlp-audit-wave1 branch from ba5f76a to 8de5a6d Compare July 3, 2023 12:20

kunxian-xia requested a review from roynalnaruto July 4, 2023 01:50

kunxian-xia and others added 5 commits July 6, 2023 10:17

Fix zellic finding 4 (#576)

014bdd3

* fix finding 3 (#575) * fix finding 4 --------- Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com>

add range check on diffs (#586)

cea4a87

Fix finding 10 (#578)

37b273d

* fix finding 3 (#575) * fix finding 10

Fix finding 13 (#579)

a4d784b

* fix finding 3 (#575) * fix finding 13

Fix zellic finding 14 (#580)

c48b94a

* fix finding 3 (#575) * fix finding 14

kunxian-xia marked this pull request as ready for review July 6, 2023 02:54

kunxian-xia added 2 commits July 6, 2023 10:54

Merge branch 'develop' into fix/rlp-audit-wave1

6ee948c

Fix zellic finding 5 (#584)

1243ef4

* fix finding 3 (#575) * fix finding 5 * refine comments * fmt

kunxian-xia changed the title ~~Fix the bugs in RLP circuit which are reported by Zellic auditors~~ Fix the bugs in RLP circuit which are reported by Zellic & KALOS auditors Jul 10, 2023

sampritipanda reviewed Jul 12, 2023

View reviewed changes

zkevm-circuits/src/rlp_circuit_fsm.rs Outdated Show resolved Hide resolved

sampritipanda reviewed Jul 12, 2023

View reviewed changes

zkevm-circuits/src/rlp_circuit_fsm.rs Show resolved Hide resolved

kunxian-xia added 4 commits July 13, 2023 11:21

Fix finding 17 (#602)

3fd8977

* add q_last * fix

Merge branch 'develop' into fix/rlp-audit-wave1

3426d30

add more diff range check

baa4a7b

Merge branch 'develop' into fix/rlp-audit-wave1

9934b8e

kunxian-xia requested a review from sampritipanda July 19, 2023 01:57

kunxian-xia added 4 commits July 26, 2023 20:11

fix finding 7 (#625)

1586943

tx_id = 1 when sm starts

e22aba5

Merge branch 'develop' into fix/rlp-audit-wave1

1c3e106

Merge branch 'develop' into fix/rlp-audit-wave1

203043a

Fix finding 11 : use length for rlc in rlp table (#719)

2ad2e75

* fix: use tag_bytes_rlc and tag_length to copy tag's bytes around * fix lookup input for Len & RLC & GasCost fields in tx circuit * refactor * fix * refactor * fix col phase issue

kunxian-xia changed the base branch from develop to fix/allow-skip-l1msg-p2 August 16, 2023 06:07

kunxian-xia added 2 commits August 16, 2023 14:19

refactor bytes_rlc type

9767879

Merge branch 'develop' into fix/rlp-audit-wave

29f0ffb

Base automatically changed from fix/allow-skip-l1msg-p2 to develop August 16, 2023 07:06

github-actions bot added the crate-eth-types label Aug 16, 2023

kunxian-xia changed the title ~~Fix the bugs in RLP circuit which are reported by Zellic & KALOS auditors~~ Fix the bugs in RLP/Tx/PI circuit which are reported by Zellic & KALOS auditors Aug 16, 2023

kunxian-xia added the audit-fix label Aug 16, 2023

kunxian-xia added 2 commits August 16, 2023 17:11

Merge remote-tracking branch 'scroll/develop' into fix/rlp-audit-wave1

57a0ae0

use q_first instead

622039c

lispc approved these changes Aug 16, 2023

View reviewed changes

fmt

b192508

lispc merged commit 2e42287 into develop Aug 16, 2023

lispc deleted the fix/rlp-audit-wave1 branch August 16, 2023 10:18

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix the bugs in RLP/Tx/PI circuit which are reported by Zellic & KALOS auditors #572

Fix the bugs in RLP/Tx/PI circuit which are reported by Zellic & KALOS auditors #572

kunxian-xia commented Jun 28, 2023 •

edited

Loading

icemelon commented Jun 28, 2023

kunxian-xia commented Jun 29, 2023

icemelon commented Jun 29, 2023

lispc commented Aug 14, 2023

lispc commented Aug 16, 2023

lispc left a comment

Fix the bugs in RLP/Tx/PI circuit which are reported by Zellic & KALOS auditors #572

Fix the bugs in RLP/Tx/PI circuit which are reported by Zellic & KALOS auditors #572

Conversation

kunxian-xia commented Jun 28, 2023 • edited Loading

Description

Issue Link

Type of change

Contents

icemelon commented Jun 28, 2023

kunxian-xia commented Jun 29, 2023

icemelon commented Jun 29, 2023

lispc commented Aug 14, 2023

lispc commented Aug 16, 2023

lispc left a comment

Choose a reason for hiding this comment

kunxian-xia commented Jun 28, 2023 •

edited

Loading