
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
The RISC Zero zkVM, along with several other STARK implementations, has been found to have a weakness that affects its zero-knowledge property. The issue was discovered through research by Ulrich Habock and Al Kindi, published on July 15, 2024, and affects all versions of risc0-zkvm up to and including version 1.0.2. The RISC Zero zkVM was designed to provide three main guarantees: computational integrity, succinctness, and zero-knowledge. The new research shows that the implementation may not fully meet the requirements for provable zero-knowledge (GitHub Advisory, Research Paper).
The vulnerability concerns the zero-knowledge aspect of the FRI-based STARK implementation in the RISC Zero zkVM. The research focuses on techniques used in practice, namely randomization by polynomials over the base field and decomposition of the overall quotient into polynomials of smaller degree. The issue has been assigned a low severity rating, though no CVSS score has been provided (GitHub Advisory).
The impact primarily affects applications that critically depend on the privacy guarantees provided by zero-knowledge proofs. While the majority of real-world applications using RISC Zero zkVM or similar systems primarily rely on computational integrity and succinctness, those specifically requiring zero-knowledge properties may be at risk. As of the disclosure, no actual attacks exploiting this weakness have been reported (GitHub Advisory).
Currently, there are no patched versions available. The RISC Zero team is working to proactively address this discovery and has committed to providing periodic updates until the issue is fully resolved. Users whose applications critically depend on zero-knowledge properties are advised to understand the research and make informed decisions based on the outlined risks (GitHub Advisory).
Source: This report was generated using AI