test: add test to showcase private token exploits #7297

Closed

@LHerskind LHerskind commented Jul 3, 2024

The PrivateToken that was introduced in #7226 has critical vulnerabilities:

  1. It does not take into account key rotation, so if you rotate your keys your entire balance is lost.
  2. It does not actually require the signing key to be used to spend notes, meaning that if the PXE is compromised your funds are gone, and it does not matter that your account contract is using a key only on a hardware wallet etc.

This PR showcases how to exploit the two weaknesses.

@AztecBot
Collaborator

AztecBot commented Jul 3, 2024

Benchmark results

Metrics with a significant change:

  • proof_construction_time_sha256_100_ms (16): 5,434 (-18%)
  • proof_construction_time_sha256_30_ms (16): 1,411 (-20%)
  • avm_simulation_time_ms (Token:mint_public): 491 (+1045%)
  • avm_simulation_time_ms (Token:assert_minter_and_mint): 58.1 (-67%)

Detailed results

All benchmarks are run on txs on the Benchmarking contract on the repository. Each tx consists of a batch call to create_note and increment_balance, which guarantees that each tx has a private call, a nested private call, a public call, and a nested public call, as well as an emitted private note, an unencrypted log, and public storage read and write.

This benchmark source data is available in JSON format on S3 here.

Proof generation

Each column represents the number of threads used in proof generation.

| Metric | 1 threads | 4 threads | 16 threads | 32 threads | 64 threads |
| - | - | - | - | - | - |
| proof_construction_time_sha256_ms | 5,709 | 1,544 | 706 | 747 (-1%) | 771 (-1%) |
| proof_construction_time_sha256_30_ms | 11,715 (-2%) | 3,131 (-2%) | ⚠️ 1,411 (-20%) | 1,426 (-11%) | 1,463 (-7%) |
| proof_construction_time_sha256_100_ms | 43,665 (-1%) | 11,788 (-1%) | ⚠️ 5,434 (-18%) | 5,402 (-7%) | 5,356 (-5%) |
| proof_construction_time_poseidon_hash_ms | 78.0 | 34.0 | 34.0 (-23%) | 58.0 (-11%) | 87.0 (-4%) |
| proof_construction_time_poseidon_hash_30_ms | 1,516 | 413 (-1%) | 200 (-1%) | 222 (-4%) | 269 (+1%) |
| proof_construction_time_poseidon_hash_100_ms | 5,730 (-2%) | 1,562 | 720 (-1%) | 794 (+2%) | 787 (-1%) |

L2 block published to L1

Each column represents the number of txs on an L2 block published to L1.

| Metric | 4 txs | 8 txs | 16 txs |
| - | - | - | - |
| l1_rollup_calldata_size_in_bytes | 1,412 | 1,412 | 1,412 |
| l1_rollup_calldata_gas | 9,476 | 9,468 | 9,476 |
| l1_rollup_execution_gas | 611,215 | 611,358 | 611,517 |
| l2_block_processing_time_in_ms | 760 (-2%) | 1,424 (+1%) | 2,692 (-1%) |
| l2_block_building_time_in_ms | 20,812 (-1%) | 41,813 (-1%) | 81,579 (-1%) |
| l2_block_rollup_simulation_time_in_ms | 20,812 (-1%) | 41,812 (-1%) | 81,579 (-1%) |
| l2_block_public_tx_process_time_in_ms | 17,807 (-1%) | 38,584 | 78,408 (-1%) |

L2 chain processing

Each column represents the number of blocks on the L2 chain where each block has 8 txs.

| Metric | 3 blocks | 5 blocks |
| - | - | - |
| node_history_sync_time_in_ms | 7,043 | 10,003 (+1%) |
| node_database_size_in_bytes | 12,259,408 | 16,207,952 |
| pxe_database_size_in_bytes | 16,254 | 26,813 |

Circuits stats

Stats on running time and I/O sizes collected for every kernel circuit run across all benchmarks.

| Circuit | simulation_time_in_ms | witness_generation_time_in_ms | proving_time_in_ms | input_size_in_bytes | output_size_in_bytes | proof_size_in_bytes | num_public_inputs | size_in_gates |
| - | - | - | - | - | - | - | - | - |
| private-kernel-init | 102 | 390 (+2%) | 12,791 (+1%) | 19,482 | 54,134 | 73,920 | 2,243 | 524,288 |
| private-kernel-inner | 308 | 769 (-2%) | 52,186 (+6%) | 80,694 | 54,134 | 73,920 | 2,243 | 2,097,152 |
| private-kernel-tail | 1,086 | 2,605 (+2%) | 48,607 | 61,457 | 62,057 | 14,912 | 399 | 2,097,152 |
| base-parity | 6.15 | 1,550 (+2%) | 2,720 (+4%) | 128 | 64.0 | 2,208 | 2.00 | 131,072 |
| root-parity | 49.0 (+1%) | 74.0 (+11%) | 40,025 (-2%) | 27,100 | 64.0 | 2,720 | 18.0 | 2,097,152 |
| base-rollup | 6,573 | 4,870 | 92,372 (+2%) | 170,330 | 728 | 3,648 | 47.0 | 4,194,304 |
| root-rollup | 112 (+3%) | 83.0 (+7%) | 23,938 (-3%) | 25,253 | 620 | 3,456 | 41.0 | 1,048,576 |
| public-kernel-setup | 545 (+1%) | 2,444 (+3%) | 43,606 (+2%) | 102,121 | 80,278 | 106,912 | 3,274 | 2,097,152 |
| public-kernel-app-logic | 502 | 3,412 (+2%) | 44,890 (+3%) | 102,121 | 80,278 | 106,912 | 3,274 | 2,097,152 |
| public-kernel-tail | 1,147 | 26,959 | 184,627 (+4%) | 399,014 | 10,014 | 14,912 | 399 | 8,388,608 |
| private-kernel-reset-small | 467 | 1,081 (+1%) | 31,378 (+2%) | 109,233 | 54,134 | 73,920 | 2,243 | 1,048,576 |
| public-kernel-teardown | 494 (+1%) | 3,422 (+3%) | 44,215 (+2%) | 102,121 | 80,278 | 106,912 | 3,274 | 2,097,152 |
| merge-rollup | 29.2 (-1%) | N/A | N/A | 16,486 | 728 | N/A | N/A | N/A |
| private-kernel-tail-to-public | N/A | 8,802 (+4%) | 53,028 (+4%) | N/A | N/A | 106,912 | 3,274 | 2,097,152 |

Stats on running time collected for app circuits

| Function | input_size_in_bytes | output_size_in_bytes | witness_generation_time_in_ms | proof_size_in_bytes | proving_time_in_ms | size_in_gates | num_public_inputs |
| - | - | - | - | - | - | - | - |
| ContractClassRegisterer:register | 1,344 | 8,792 | 407 (+1%) | N/A | N/A | N/A | N/A |
| ContractInstanceDeployer:deploy | 1,408 | 8,792 | 38.8 (+1%) | N/A | N/A | N/A | N/A |
| MultiCallEntrypoint:entrypoint | 1,920 | 8,792 | 1,195 (+1%) | N/A | N/A | N/A | N/A |
| GasToken:deploy | 1,376 | 8,792 | 910 (+2%) | N/A | N/A | N/A | N/A |
| SchnorrAccount:constructor | 1,312 | 8,792 | 489 (+1%) | N/A | N/A | N/A | N/A |
| SchnorrAccount:entrypoint | 2,304 | 8,792 | 1,628 (+1%) | 14,720 | 54,020 (-1%) | 2,097,152 | 393 |
| Token:privately_mint_private_note | 1,280 | 8,792 | 628 (+1%) | N/A | N/A | N/A | N/A |
| FPC:fee_entrypoint_public | 1,344 | 8,792 | 268 (+1%) | 14,720 | 11,870 (+3%) | 524,288 | 393 |
| Token:transfer | 1,312 | 8,792 | 1,804 (+2%) | 14,720 | 13,526 (+7%) | 524,288 | 393 |
| AuthRegistry:set_authorized (avm) | 19,226 | N/A | N/A | 91,264 | 1,357 (+2%) | N/A | N/A |
| FPC:prepare_fee (avm) | 26,668 | N/A | N/A | 91,328 | 3,059 (+3%) | N/A | N/A |
| Token:transfer_public (avm) | 42,918 | N/A | N/A | 91,328 | 4,107 (+5%) | N/A | N/A |
| AuthRegistry:consume (avm) | 33,104 | N/A | N/A | 91,264 | 3,017 (+5%) | N/A | N/A |
| FPC:pay_refund (avm) | 36,833 | N/A | N/A | 91,296 | 23,577 | N/A | N/A |
| Benchmarking:create_note | 1,344 | 8,792 | 480 | N/A | N/A | N/A | N/A |
| SchnorrAccount:verify_private_authwit | 1,280 | 8,792 | 72.8 (+2%) | N/A | N/A | N/A | N/A |
| Token:unshield | 1,376 | 8,792 | 1,541 (+1%) | N/A | N/A | N/A | N/A |
| FPC:fee_entrypoint_private | 1,376 | 8,792 | 2,132 (+1%) | N/A | N/A | N/A | N/A |

AVM Simulation

Time to simulate various public functions in the AVM.

| Function | time_ms | bytecode_size_in_bytes |
| - | - | - |
| GasToken:_increase_public_balance | 67.1 (-2%) | 13,790 |
| GasToken:set_portal | 16.8 (-4%) | 3,339 |
| Token:constructor | 92.8 | 23,692 |
| FPC:constructor | 64.4 (+3%) | 13,592 |
| GasToken:mint_public | 52.0 (-1%) | 10,158 |
| Token:mint_public | ⚠️ 491 (+1045%) | 19,034 |
| Token:assert_minter_and_mint | ⚠️ 58.1 (-67%) | 12,925 |
| AuthRegistry:set_authorized | 33.1 | 7,812 |
| FPC:prepare_fee | 108 (-6%) | 15,062 |
| Token:transfer_public | 43.3 (-17%) | 31,218 |
| FPC:pay_refund | 129 (-7%) | 25,260 |
| Benchmarking:increment_balance | 2,196 | 15,267 |
| Token:_increase_public_balance | 56.2 (+1%) | 15,006 |
| FPC:pay_refund_with_shielded_rebate | 120 (+3%) | 26,347 |

Public DB Access

Time to access various public DBs.

| Function | time_ms |
| - | - |
| get-nullifier-index | 0.161 (+2%) |

Tree insertion stats

The duration to insert a fixed batch of leaves into each tree type.

| Metric | 1 leaves | 16 leaves | 64 leaves | 128 leaves | 256 leaves | 512 leaves | 1024 leaves |
| - | - | - | - | - | - | - | - |
| batch_insert_into_append_only_tree_16_depth_ms | 10.3 (-1%) | 16.8 | N/A | N/A | N/A | N/A | N/A |
| batch_insert_into_append_only_tree_16_depth_hash_count | 16.8 | 31.7 | N/A | N/A | N/A | N/A | N/A |
| batch_insert_into_append_only_tree_16_depth_hash_ms | 0.598 (-1%) | 0.517 | N/A | N/A | N/A | N/A | N/A |
| batch_insert_into_append_only_tree_32_depth_ms | N/A | N/A | 48.3 | 75.7 (-1%) | 136 (+3%) | 245 | 470 (-1%) |
| batch_insert_into_append_only_tree_32_depth_hash_count | N/A | N/A | 95.9 | 159 | 287 | 543 | 1,055 |
| batch_insert_into_append_only_tree_32_depth_hash_ms | N/A | N/A | 0.494 | 0.465 (-1%) | 0.468 (+3%) | 0.444 | 0.439 (-1%) |
| batch_insert_into_indexed_tree_20_depth_ms | N/A | N/A | 59.5 (-1%) | 112 | 183 (-1%) | 354 | 693 (-1%) |
| batch_insert_into_indexed_tree_20_depth_hash_count | N/A | N/A | 109 | 207 | 355 | 691 | 1,363 |
| batch_insert_into_indexed_tree_20_depth_hash_ms | N/A | N/A | 0.502 (-1%) | 0.501 | 0.484 (-1%) | 0.479 | 0.476 (-1%) |
| batch_insert_into_indexed_tree_40_depth_ms | N/A | N/A | 73.0 | N/A | N/A | N/A | N/A |
| batch_insert_into_indexed_tree_40_depth_hash_count | N/A | N/A | 133 | N/A | N/A | N/A | N/A |
| batch_insert_into_indexed_tree_40_depth_hash_ms | N/A | N/A | 0.519 | N/A | N/A | N/A | N/A |

Miscellaneous

Transaction sizes based on how many contract classes are registered in the tx.

| Metric | 0 registered classes | 1 registered classes |
| - | - | - |
| tx_size_in_bytes | 74,057 | 667,850 |

Transaction size based on fee payment method

| Metric | |
| - | |

@just-mitch
Collaborator

Beautiful illustrations @LHerskind! I think we should merge this. I created #7324 and #7323 which should be able to get these tests to fail when they are working.

@LHerskind LHerskind added T-bug Type: Bug. Something is broken. A-security Area: Relates to security. Something is insecure. labels Jul 3, 2024
@LHerskind
Contributor Author

Closed as this was just done to showcase issues that could then be addressed separately. Those issues should be addressed by now in #7319.

@LHerskind LHerskind closed this Aug 11, 2024