GHSA-7p92-x423-vwj6
vulnerability analysis and mitigation

Overview

A critical vulnerability (GHSA-7p92-x423-vwj6) was discovered in the Consensys/gnark library affecting versions <= v0.9.0, specifically impacting the PlonK verifier smart contract. The vulnerability was disclosed on October 16, 2023, and was patched in version v0.9.1 (GitHub Advisory).

Technical details

The vulnerability stems from insufficient randomness generation in the batch_verify_multi_points function. The issue arose from using only a small portion of the scratch memory (first 32 bytes of the state) for generating randomness through keccak256, which left degrees of freedom in the transcript. The fix involves implementing a more comprehensive hashing approach that includes the entire state, incorporating multiple parameters such as STATE_FOLDED_DIGESTS, PROOF_BATCH_OPENING_AT_ZETA, PROOF_GRAND_PRODUCT_COMMITMENT, and other critical state variables (GitHub Advisory).

Impact

The vulnerability enables third parties to derive valid proofs from an initial valid tuple {proof, public_inputs} that correspond to the same public inputs as the initial proof. The impact is specifically limited to the PlonK verifier smart contract implementation (GitHub Advisory).

Mitigation and workarounds

The issue has been patched in version v0.9.1. The fix involves modifying the random value generation to depend on multiple state variables including state_folded_digests_x, state_folded_digests_y, proof_grand_product_commitment_x, proof_grand_product_commitment_y, and state_zeta. Users should upgrade to version v0.9.1 or implement the recommended workaround of ensuring the random variable in batch_verify_multi_points depends on all these state variables (GitHub Advisory).
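
The following regression-style check is an added example, not code from gnark or from the advisory. It models the issue described under "Technical details" and the workaround above by reporting which state variables can change without changing the derived challenge. The memory order of the fields, the sample values, and the use of SHA3-256 in place of keccak256 are assumptions made so the example runs with the Python standard library.

```python
import hashlib

WORD = 32  # the verifier contract works on 32-byte EVM words

# Field names are taken from the advisory; their order in memory here is assumed.
FIELDS = [
    "state_folded_digests_x",
    "state_folded_digests_y",
    "proof_grand_product_commitment_x",
    "proof_grand_product_commitment_y",
    "state_zeta",
]

def serialize(state):
    """Lay the fields out as consecutive 32-byte big-endian words."""
    return b"".join(state[name].to_bytes(WORD, "big") for name in FIELDS)

def h(data):
    # SHA3-256 stands in for keccak256, which hashlib does not provide.
    return int.from_bytes(hashlib.sha3_256(data).digest(), "big")

def challenge_first_word(state):
    """Pre-patch pattern: only the first 32 bytes of the state are hashed."""
    return h(serialize(state)[:WORD])

def challenge_full_state(state):
    """Patched pattern: every listed state variable is hashed."""
    return h(serialize(state))

def unbound_fields(derive, state):
    """Return the fields whose value can change without changing the challenge."""
    baseline = derive(state)
    free = []
    for name in FIELDS:
        mutated = dict(state)
        mutated[name] = (state[name] + 1) % (1 << 256)
        if derive(mutated) == baseline:
            free.append(name)
    return free

# Constructed sample values, not real proof data.
SAMPLE = {name: 0x1000 + i for i, name in enumerate(FIELDS)}

if __name__ == "__main__":
    print("first word only:", unbound_fields(challenge_first_word, SAMPLE))
    print("full state     :", unbound_fields(challenge_full_state, SAMPLE))
```

An empty list from unbound_fields is the property the workaround asks for: the challenge depends on every listed state variable.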

This report was generated using AI.