sebastiantf
commented
2 months ago I suppose this is kinda analogous / related to how SnarkVerifier loads exactly 0x0560 bytes from the vk contract
https://github.com/zBlock-2/summa-solvency/blob/fec83a747ead213261aecfaf4a01b43fff9731ee/contracts/src/SnarkVerifier.sol#L218
If the no. of commitments change, then the length of the bytecode loaded also changes, no? But I suppose extcodesize could be used while sacrificing some gas costs for this.
But I think the point I'm tryna make is maybe Summa.sol is justified (borrows the behavior in SnarkVerifier.sol) in using a hardcoded length in lieu of SnarkVerifier using hardcoded ptr location / lengths. But the latter the generated whereas the former is written. So I suppose there should some manual/automated verification that this pointer is correct on each iteration?
Although I did not notice any of the verifiers using pointers starting from the commitments. They all seem to only use the ptrs until neg_s_g2_y_2: https://github.com/zBlock-2/summa-solvency/blob/fec83a747ead213261aecfaf4a01b43fff9731ee/contracts/src/VerifyingKey.sol#L28
0xalizk
obatirou
sifnoc
The function
validateVKPermutationsLengthis used to validate the number of permutations in the verifying key contract corresponds to the circuit used to generate proof for the number of cryptocurrencies the custodian committed to. The Summa contract assumes that permutations commitments begins at bytes0x2e0in thevKContract(source) This can lead to wrongfully consider valid vkContracts with different permutation commitments from the circuit used by the custodian. A simple case would be a verifying contract with 2 fixed commitments but one permutation commitment less than the one being used. In this case, all others things being equals, the permutations commitments would not begin at bytes0x2e0but at0x0320. As the length of the bytes of the contracts are still equals due to one permutation in less,validateVKPermutationsLengthwould consider this vkcontract valid but in fact is not.