Context: provekit/verifier/src/whir_r1cs.rs
Description
The verifier uses try_into().unwrap() on prover-controlled hint vectors to convert them into fixed-size arrays (e.g., [FieldElement; 3]). If a maliciously crafted proof provides hint vectors of incorrect length, these unwrap calls will panic, crashing the verifier.
Affected code paths:
- Dual-commitment mode: lines 100–103
- Single-commitment mode: lines 148–150
A malicious prover can exploit this to perform a denial-of-service attack by sending malformed proofs that trigger the unwrap panics.
let whir_sums_1: ([FieldElement; 3], [FieldElement; 3]) = (sums_1.0.try_into().unwrap(), sums_1.1.try_into().unwrap());
...
let whir_sums: ([FieldElement; 3], [FieldElement; 3]) = (sums.0.try_into().unwrap(), sums.1.try_into().unwrap());
Recommendation
Replace try_into().unwrap() with fallible conversions that return an error (for example, using try_into().context(...) or ensure!) so that malformed proofs produce a controlled verification error rather than a panic.
Context:
provekit/verifier/src/whir_r1cs.rsDescription
The verifier uses
try_into().unwrap()on prover-controlled hint vectors to convert them into fixed-size arrays (e.g.,[FieldElement; 3]). If a maliciously crafted proof provides hint vectors of incorrect length, these unwrap calls will panic, crashing the verifier.Affected code paths:
A malicious prover can exploit this to perform a denial-of-service attack by sending malformed proofs that trigger the unwrap panics.
Recommendation
Replace
try_into().unwrap()with fallible conversions that return an error (for example, usingtry_into().context(...)orensure!) so that malformed proofs produce a controlled verification error rather than a panic.