GHSA-63X8-X938-VX33

Vulnerability from github – Published: 2026-04-14 00:05 – Updated: 2026-04-17 22:58
VLAI?
Summary
SP1 V6 Recursion Circuit Row-Count Binding Gap
Details

Summary

A soundness vulnerability in the SP1 V6 recursive shard verifier allows a malicious prover to construct a recursive proof from a shard proof that the native verifier would reject.

  • Affected versions: >= 6.0.0, <= 6.0.2
  • Not affected: SP1 V5 (all versions)
  • Severity: High

Details

Background

The recursive shard verifier circuit verifies shard proofs inside a recursive proof. Each shard proof includes a jagged PCS opening, which binds trace-shape metadata into a modified commitment and uses that same shape to evaluate the committed polynomials. These two operations must agree on the committed table heights.

The Bug

In the V6 recursion circuit's jagged verifier, the two checks above are served by separate witnesses: a vector of row counts hashed into the modified commitment (commitment side), and a separate witness of prefix sums derived from row and column counts that drives the jagged polynomial evaluator (evaluation side). The prefix sums are observed within the shard verifier.

The consistency check between these two witnesses was missing in the recursion sub-circuit describing the jagged PCS verifier. A malicious prover can therefore supply one trace shape for commitment binding and a different shape for polynomial evaluation.

Potential Impact

The vulnerability applies to both main trace and preprocessed trace metadata. Because preprocessed traces encode circuit structure (selectors, fixed columns, permutation layout), the potential impact extends beyond data forgery to misrepresentation of the circuit itself.

While a demonstration of a full exploit proving arbitrary statements has not been created — since modifying one table's layout incidentally constrains changes to related tables — this barrier is not by design and should not be relied upon. This is considered a soundness violation that is unacceptable regardless of current exploitability.

Why the Native Verifier Is Not Affected

The native shard verifier uses a single jagged PCS verifier object where row counts and evaluation layout are derived from the same data, so the split-witness divergence cannot occur. The recursion circuit's shard-level checks (prefix-sum and total-area assertions) only constrain the evaluation-side parameters, not the commitment-side row counts, so they do not catch the gap.

Mitigation

The fix adds a post-evaluation consistency constraint in the recursive jagged verifier. After the jagged evaluation returns the prefix-sum values derived from the evaluation layout, the circuit reconstructs expected prefix sums from the commitment-side row counts (repeating each row count by its corresponding column count and accumulating). It then asserts element-wise equality between the reconstructed and returned prefix sums, and verifies that the final accumulated area matches the total area from the evaluation parameters.

This forces both witnesses to describe the same trace geometry. Any divergence is now a constraint failure.

Credit

This vulnerability was identified through the SP1 bug bounty program on Code4rena.

Severity ?
8.9 (High)
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.0.2"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "sp1_sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.0.2"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "sp1_recursion_circuit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.0.2"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "sp1_prover"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40323"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345",
      "CWE-354"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T00:05:19Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nA soundness vulnerability in the SP1 V6 recursive shard verifier allows a malicious prover to construct a recursive proof from a shard proof that the native verifier would reject.\n\n- **Affected versions:** `\u003e= 6.0.0, \u003c= 6.0.2`\n- **Not affected:** SP1 V5 (all versions)\n- **Severity:** High\n\n## Details\n\n### Background\n\nThe recursive shard verifier circuit verifies shard proofs inside a recursive proof. Each shard proof includes a jagged PCS opening, which binds trace-shape metadata into a modified commitment and uses that same shape to evaluate the committed polynomials. These two operations must agree on the committed table heights.\n\n### The Bug\n\nIn the V6 recursion circuit\u0027s jagged verifier, the two checks above are served by separate witnesses: a vector of row counts hashed into the modified commitment (commitment side), and a separate witness of prefix sums derived from row and column counts that drives the jagged polynomial evaluator (evaluation side). The prefix sums are observed within the shard verifier.\n\nThe consistency check between these two witnesses was missing in the recursion sub-circuit describing the jagged PCS verifier. A malicious prover can therefore supply one trace shape for commitment binding and a different shape for polynomial evaluation.\n\n### Potential Impact\n\nThe vulnerability applies to both main trace and preprocessed trace metadata. Because preprocessed traces encode circuit structure (selectors, fixed columns, permutation layout), the potential impact extends beyond data forgery to misrepresentation of the circuit itself.\n\nWhile a demonstration of a full exploit proving arbitrary statements has not been created \u2014 since modifying one table\u0027s layout incidentally constrains changes to related tables \u2014 this barrier is not by design and should not be relied upon. This is considered a soundness violation that is unacceptable regardless of current exploitability.\n\n### Why the Native Verifier Is Not Affected\n\nThe native shard verifier uses a single jagged PCS verifier object where row counts and evaluation layout are derived from the same data, so the split-witness divergence cannot occur. The recursion circuit\u0027s shard-level checks (prefix-sum and total-area assertions) only constrain the evaluation-side parameters, not the commitment-side row counts, so they do not catch the gap.\n\n## Mitigation\n\nThe fix adds a post-evaluation consistency constraint in the recursive jagged verifier. After the jagged evaluation returns the prefix-sum values derived from the evaluation layout, the circuit reconstructs expected prefix sums from the commitment-side row counts (repeating each row count by its corresponding column count and accumulating). It then asserts element-wise equality between the reconstructed and returned prefix sums, and verifies that the final accumulated area matches the total area from the evaluation parameters.\n\nThis forces both witnesses to describe the same trace geometry. Any divergence is now a constraint failure.\n\n## Credit\n\nThis vulnerability was identified through the SP1 bug bounty program on Code4rena.",
  "id": "GHSA-63x8-x938-vx33",
  "modified": "2026-04-17T22:58:19Z",
  "published": "2026-04-14T00:05:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/succinctlabs/sp1/security/advisories/GHSA-63x8-x938-vx33"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/succinctlabs/sp1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/succinctlabs/sp1/releases/tag/v6.1.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SP1 V6 Recursion Circuit Row-Count Binding Gap"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.