Closed c4-submissions closed 10 months ago
141345 marked the issue as low quality report
For cases when those could happen we bias entering the next segment of such code by requiring a witness variable from that section to be resolved. There is a comment over it in the corresponding files.
miladpiri (sponsor) disputed
GalloDaSballo marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/matter-labs/era-zkevm_circuits/blob/main/src/storage_application/mod.rs#L128-L138
Vulnerability details
Summary
The methods in
ConditionalWitnessAllocator
such asconditionally_allocate_with_default
andconditionally_allocate_with_default_biased
use a sharedArc<RwLock<VecDeque<EL::Witness>>>
to manage witnesses. However, the code seems to be vulnerable to race conditions that could lead to unexpected behavior if two or more threads attempt to allocate a witness at the same time.Vulnerability Detail
When a thread attempts to allocate a witness, it acquires a write lock on the
witness_source
and pops the front element. If two or more threads attempt to do this simultaneously, there's a chance that they may pop the same witness or encounter a race condition. Even though Rust's memory safety guarantees would prevent data races, logical race conditions are still possible.The specific code in question is:
This snippet is problematic because, while acquiring the write lock guarantees that the actual mutation of the
witness_source
is thread-safe, the decision to pop the element from the queue (based onshould_allocate
) is not atomic with the actual popping.Impact
This issue can lead to unexpected behavior where multiple threads could eventually retrieve the same witness or overwrite each other's changes, leading to unpredictable outcomes in the application's state.
Proof of Concept
Reproducing this vulnerability would require creating multiple threads that simultaneously attempt to allocate witnesses. In a real-world scenario, a high throughput of requests could trigger this race condition, thus leading to inconsistent state in the CA.
Tools Used
Manual review + GPT for further text enhancements.
Recommended Mitigation Steps
should_allocate
check inside the write lock, ensuring atomicity:crossbeam::queue::ArrayQueue
or other concurrent data structures that handle concurrent pushes/pops safely without the need for manual locking.Assessed type
Context