Submission Details
Severity:
Incorrect parameter passed to `g2JacobianDouble` function in `ECPairing.yul`
Summary
In ECPairing.yul precompile contract, it mistakenly passes yp1 instead of zp1 for g2JacobianDouble argument.
Vulnerability Details
function g2ScalarMul(xp0, xp1, yp0, yp1, zp0, zp1, scalar) -> xr0, xr1, yr0, yr1, zr0, zr1 {
let scalarBitIndex := bitLen(scalar)
switch scalar
case 0x02 {
-> xr0, xr1, yr0, yr1, zr0, zr1 := g2JacobianDouble(xp0, xp1, yp0, yp1, zp0, yp1)
}
default {
xr0 := 0
xr1 := 0
yr0 := MONTGOMERY_ONE()
yr1 := 0
zr0 := 0
zr1 := 0
for {} scalarBitIndex {} {
scalarBitIndex := sub(scalarBitIndex, 1)
xr0, xr1, yr0, yr1, zr0, zr1 := g2JacobianDouble(xr0, xr1, yr0, yr1, zr0, zr1)
let bitindex := checkBit(scalarBitIndex, scalar)
if bitindex {
xr0, xr1, yr0, yr1, zr0, zr1 := g2JacobianAdd(xp0, xp1, yp0, yp1, zp0, zp1, xr0, xr1, yr0, yr1, zr0, zr1)
}
}
}
}
In g2ScalarMul implementation, it calls g2JacobianDouble, but there exists a mistake in passing parameters.
On the highlighted line, it should pass zp1 instead of yp1 as last argument.
Impact
Failure in proof verification
Tools Used
Manual Review
Recommendations
Pass zp1 instead of yp1 as last argument.
Updates
Lead Judging Commences
inallhonesty 10 months ago
Submission Judgement Published Assigned finding tags:
Valid proof will be rejected once `case 0x02` code is triggered
Prize pool breakdown
Total prize
500,000 USDC
nSLOC
15,74132 USDC / LOC
475,000 USDC
25,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.