CVE-2023-44378
vulnerability analysis and mitigation

Overview

gnark, a zk-SNARK library that offers a high-level API for designing circuits, contained a vulnerability in versions prior to 0.9.0 that allowed for non-unique binary decomposition of in-circuit values. For certain values, it was possible to construct two valid decompositions: the canonical decomposition of a and a second decomposition for a+r (where r is the modulus the values are being reduced by). This second decomposition was possible due to overflowing the field where the values are defined (GitHub Advisory).

Technical details

The vulnerability affects users of the API.Cmp or API.IsLess methods, as well as users of the bits.ToBinary or API.ToBinary methods when full-width decomposition is requested (the default behavior if no options are given). The issue does not impact comparison methods in field emulation (package std/math/emulated) or the dedicated comparison package (std/math/cmp). The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High) with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N (GitHub Advisory).

Impact

The vulnerability could lead to incorrect circuit behavior when comparing values or performing binary decomposition operations. This could potentially compromise the integrity of zero-knowledge proofs generated using the affected methods (GitHub Advisory).

Mitigation and workarounds

Users should upgrade to version 0.9.0 or later, which includes the fix that adds an additional comparison of the decomposed bit-vector to the modulus of the in-circuit values. Alternatively, users can use the std/math/cmp gadget, which allows bounding the number of bits being compared, making comparisons more efficient when the bound on the absolute difference of the values is known (GitHub Advisory).
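
The aliasing and the effect of the added bound check can be reproduced outside a circuit. The Go sketch below is an added illustration, not gnark's code: it assumes a constructed toy modulus r = 251 and uses hypothetical helper names (toBits, recompose, acceptsLoose, acceptsStrict, aliased) to list the values a whose full-width bit vector can also be that of a+r, and to show that requiring the bit vector to be below r rejects the second decomposition.

```go
package main

import (
	"fmt"
	"math/bits"
)

// r is a constructed toy prime standing in for the circuit's field modulus.
const r uint64 = 251

// nbBits is the full-width decomposition size: the bit length of r (8 here).
var nbBits = bits.Len64(r)

// toBits returns the little-endian, nbBits-wide bit vector of the integer v.
func toBits(v uint64) []uint64 {
	out := make([]uint64, nbBits)
	for i := range out {
		out[i] = (v >> i) & 1
	}
	return out
}

// recompose evaluates sum(b_i * 2^i) over the integers.
func recompose(b []uint64) (acc uint64) {
	for i, bit := range b {
		acc += bit << i
	}
	return acc
}

// acceptsLoose models the check without the fix: recomposition equals a mod r.
func acceptsLoose(a uint64, b []uint64) bool { return recompose(b)%r == a%r }

// acceptsStrict adds the bound check: the bit vector as an integer is below r.
func acceptsStrict(a uint64, b []uint64) bool { return acceptsLoose(a, b) && recompose(b) < r }

// aliased lists every a in [0, r) whose second decomposition (bits of a+r)
// fits in nbBits and passes the loose check but not the strict one.
func aliased() (out []uint64) {
	for a := uint64(0); a < r && a+r < 1<<nbBits; a++ {
		if b := toBits(a + r); acceptsLoose(a, b) && !acceptsStrict(a, b) {
			out = append(out, a)
		}
	}
	return out
}

func main() {
	fmt.Println("values with two accepted decompositions without the fix:", aliased())
	fmt.Println("a=3, bits of 3+r: loose", acceptsLoose(3, toBits(3+r)), "strict", acceptsStrict(3, toBits(3+r)))
}
```

Only values a below 2^nbBits - r are affected, which is why the advisory speaks of "certain values"; the same count applies to any modulus that is not a power of two.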

This report was generated using AI
