Two issues were found: For some inputs to signed integer division, the circuit allowed two outputs, only one of which was valid. Additionally, the result of division by zero was underconstrained. This vulnerability was identified using the Picus tool from Veridise.
Due to a missing constraint in the rv32im circuit, any 3-register RISC-V instruction (including remu and divu) in risc0-zkvm 2.0.0, 2.0.1, and 2.0.2 are vulnerable to an attack by a malicious prover. The main idea for the attack is to confuse the RISC-V virtual machine into treating the value of the rs1 register as the same as the rs2 register due to a lack of constraints in the rv32im circuit. …
RISC Zero zkVM was designed from its inception to provide three main guarantees: Computational integrity: that a given software program executed correctly. Succinctness: that the proof of execution does not grow in relation to the program being executed. Zero Knowledge: that details of the program execution are not visible within the proof of program execution. Ulrich Habock and Al Kindi have released new research that indicates that several STARK implementations …