Insufficient Verification of Data Authenticity in sp1-stark

Q: How to fix?

Upgrade sp1-stark to version 4.0.0 or higher.

Threat Intelligence

Not Defined

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-RUST-SP1STARK-8631671
published16 Jan 2025
disclosed15 Jan 2025
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 15 Jan 2025

CWE-345 (opens in a new tab)

How to fix?

Upgrade sp1-stark to version 4.0.0 or higher.

Overview

sp1-stark is a zero-knowledge virtual machine (zkVM)

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity due to multiple vulnerabilities in the verification mechanisms.

Chip indices used as input to chip_ordering are insufficiently checked.
The is_complete flag returned while verifying compressed proofs may be returned incorrectly.
In the Plonky3 implementation, polynomial evaluation claims are checked by sampling before observing each individual claim.

References

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Local
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
High
Availability (VA)
None

Confidentiality (SC)
High
Integrity (SI)
High
Availability (SA)
None

Insufficient Verification of Data Authenticity Affecting sp1-stark package, versions <4.0.0

Severity