Vulnerable File: circuits/key_expansion.circom
commit: 4984d68467b87ddf14c2e725dcfb753be3c92528
For nk = 4, effectiveRounds is hard-coded to 10, but totalWords = 4*(nr+1) depends on the caller-provided nr.
- If nr < 10: the loop will write beyond keyExpanded’s bounds (compile-time failure).
- If nr > 10: keyExpanded is larger than the indices written, leaving some outputs unconstrained/unassigned, which is a correctness/security issue in a ZK context (prover could set those outputs arbitrarily).
For nk ∈ {6, 8}, effectiveRounds is derived from nr via totalWords/nk. Unless nr matches the AES standard (12 for nk=6, 14 for nk=8), you can also get out-of-bounds writes. Concretely:
- nk=6 requires 4*(nr+1) mod 6 = 4 (i.e., nr ≡ 0 mod 3). Otherwise the final round’s indices exceed keyExpanded[totalWords].
- nk=8 requires 4*(nr+1) mod 8 = 4 (i.e., nr+1 odd). Otherwise final indices exceed bounds.
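The following Python model is an added example, not code from the circuit or the project; it reproduces the parameter-mismatch conditions stated above and enumerates which nr values are index-safe for each nk. The write pattern it assumes (nk initial words, then rounds of nk words, with a final 4-word round; a fixed 10 rounds for nk = 4) is inferred from the report's stated conditions, not read from key_expansion.circom. The practical fix is the one the model makes explicit: derive nr from nk (or assert the pairing at compile time) so that allocated size and written indices cannot diverge.

```python
# Added example (not the circuit's own code): a parameter-consistency model of the
# key_expansion.circom issue described above.
#
# Assumption (inferred from the report, not read from the circuit): after the initial
# nk key words the loop writes nk words per round, with a final round of 4 words;
# for nk = 4 the round count is hard-coded to 10 instead of being derived from nr.

STANDARD_NR = {4: 10, 6: 12, 8: 14}  # AES-128/192/256 round counts


def total_words(nr: int) -> int:
    """Size of keyExpanded as allocated from the caller-provided nr: 4*(nr+1)."""
    return 4 * (nr + 1)


def effective_rounds(nk: int, nr: int) -> int:
    """Round count the circuit uses: fixed 10 for nk=4, totalWords/nk otherwise."""
    if nk == 4:
        return 10
    return total_words(nr) // nk


def words_written(nk: int, nr: int) -> int:
    """Highest index + 1 that the modeled loop assigns."""
    if nk == 4:
        # 10 rounds of 4 words after the initial 4: always 44 words, regardless of nr.
        return 4 * (effective_rounds(nk, nr) + 1)
    # nk initial words, (effectiveRounds - 1) full rounds of nk words, then a final 4-word round.
    return effective_rounds(nk, nr) * nk + 4


def check_parameters(nk: int, nr: int):
    """Classify (nk, nr) as consistent, out_of_bounds (with the overflow in words),
    or unconstrained_outputs (with the number of words never assigned)."""
    if nk not in (4, 6, 8):
        raise ValueError("nk must be 4, 6 or 8")
    if nr < 1:
        raise ValueError("nr must be positive")
    allocated = total_words(nr)
    written = words_written(nk, nr)
    if written > allocated:
        return ("out_of_bounds", written - allocated)
    if written < allocated:
        return ("unconstrained_outputs", allocated - written)
    return ("consistent", 0)


def index_safe_rounds(nk: int, max_nr: int = 14):
    """nr values in 1..max_nr for which every keyExpanded word is written exactly in bounds.
    Only STANDARD_NR[nk] is a valid AES parameterisation; the others are merely index-safe."""
    return [nr for nr in range(1, max_nr + 1) if check_parameters(nk, nr)[0] == "consistent"]


if __name__ == "__main__":
    for nk in (4, 6, 8):
        print(f"nk={nk}: standard nr={STANDARD_NR[nk]}, index-safe nr={index_safe_rounds(nk)}")
        for nr in range(8, 15):
            print(f"  nr={nr:2d}: totalWords={total_words(nr):2d} "
                  f"written={words_written(nk, nr):2d} -> {check_parameters(nk, nr)}")
```

Running it shows the three regimes the report describes: for nk = 4 only nr = 10 is consistent, smaller nr overflows keyExpanded and larger nr leaves 4*(nr-10) words unassigned; for nk = 6 the index-safe nr are exactly the multiples of 3 (totalWords mod 6 = 4) and for nk = 8 exactly the even nr (nr+1 odd), with every other value overflowing the array rather than leaving outputs unconstrained.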