
Plonky3 missing final polynomial degree check and randomness in FRI verifier

High
jonathanpwang published GHSA-4w7p-8f9q-f4g2 Jun 3, 2025

Package

cargo openvm (Rust)

Affected versions

< 1.2.0

Patched versions

1.2.0

Description

OpenVM is affected by the Plonky3 CVE GHSA-f69f-5fx9-w9r9.

Vulnerability

The following vulnerabilities were found in the Plonky3 native (Rust) FRI verifier.

  • When rolling in polynomials of lower degree, the FRI prover and verifier simply added the low degree polynomials without any randomness. A malicious prover could potentially abuse this to make high degree parts of polynomials "cancel out".
  • The native FRI verifier was missing a final polynomial degree check. This means that the prover could pass in a polynomial of higher degree than expected and it wouldn't be caught.

The OpenVM recursive verifier in the openvm-recursion crate was not affected by the second vulnerability because the recursive verifier fixed the final polynomial degree to be 0 (constant).
However, the recursive verifier did match the behavior of the native verifier for rolling in polynomials of lower degree, so it suffered from the same vulnerability as reported in the native FRI verifier: adding low degree polynomials without any randomness in multi-FRI verification.
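The following is an added toy model of both checks, not code from Plonky3 or OpenVM. It works on coefficient vectors over a small prime field rather than on committed FRI codewords, and the function names, the field and the fixed `weight` standing in for a verifier challenge are all assumptions made for illustration. It shows why a plain sum can hide a high degree term that a randomly weighted sum exposes, and what a final polynomial degree bound check rejects.

```rust
// Added toy model, not Plonky3/OpenVM code: polynomials are coefficient
// vectors over F_p (lowest degree first); all names here are hypothetical.
const P: u64 = 2_147_483_647; // 2^31 - 1, chosen only as a convenient prime

fn add(a: u64, b: u64) -> u64 { (a + b) % P }
fn mul(a: u64, b: u64) -> u64 { (a * b) % P }

/// Degree of a coefficient vector; None for the zero polynomial.
fn degree(poly: &[u64]) -> Option<usize> {
    poly.iter().rposition(|&c| c % P != 0)
}

/// Computes `folded + weight * rolled_in` coefficient-wise.
/// weight = 1 models plain addition with no randomness; a weight sampled by
/// the verifier after both inputs are fixed models a randomized roll-in.
fn roll_in(folded: &[u64], rolled_in: &[u64], weight: u64) -> Vec<u64> {
    let n = folded.len().max(rolled_in.len());
    (0..n)
        .map(|i| {
            let f = folded.get(i).copied().unwrap_or(0);
            let g = rolled_in.get(i).copied().unwrap_or(0);
            add(f, mul(weight, g))
        })
        .collect()
}

/// Final polynomial check: accept only if the degree is below `max_len`.
fn final_poly_ok(final_poly: &[u64], max_len: usize) -> bool {
    degree(final_poly).map_or(true, |d| d < max_len)
}

fn main() {
    // Constructed inputs: each carries a degree-7 term, and the two terms
    // are negatives of each other, so they vanish under plain addition.
    let folded: [u64; 8] = [3, 1, 0, 0, 0, 0, 0, 5];
    let rolled_in: [u64; 8] = [4, 2, 0, 0, 0, 0, 0, P - 5];
    let bound = 2; // verifier expects degree < 2
    let plain = roll_in(&folded, &rolled_in, 1);
    let weighted = roll_in(&folded, &rolled_in, 123_456_789); // constructed challenge
    println!("plain sum passes bound:    {}", final_poly_ok(&plain, bound));
    println!("weighted sum passes bound: {}", final_poly_ok(&weighted, bound));
}
```

With a random weight the degree-7 coefficient becomes 5(1 - weight) mod p, which is zero only when the weight equals 1, so the hidden term survives except with probability 1/p.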

Impact

Projects that use the OpenVM native verification SDK or CLI functions (e.g., verify_app_proof) are affected by both vulnerabilities in Plonky3.

Projects that use the recursive verifier, including the EVM smart contract verifier, are affected by the first vulnerability in the recursive verifier.

Patches

In v1.2.0 of OpenVM, the Plonky3 commit has been updated to a commit that fixes the native FRI verifier and hence fixes native verification functions in the SDK and CLI. Additionally, in v1.2.0 the recursive verifier has been updated to fix the above vulnerabilities. The EVM and Solidity smart contract verifier for v1.2 uses the new recursive verifier and has fixed the vulnerability.

Severity

High

CVE ID

No known CVE

Weaknesses

No CWEs
