The Lie in the Sponge: Breaking Triton VM's STARKs
Vulnerability ID: GHSA-RJR4-V43M-PXQ6
CVSS Score: 1.7
Published: 2026-01-21
A critical soundness vulnerability in Triton VM's STARK proof system allowed malicious provers to forge proofs by exploiting a flaw in the Fiat-Shamir heuristic implementation. Because specific protocol elements were never committed to the transcript, the verifier could be tricked into accepting invalid state transitions.
TL;DR
Triton VM, a Rust-based Zero-Knowledge Virtual Machine, failed to hash the FriPolynomial and Log2PaddedHeight into its Fiat-Shamir transcript. This broke the causality of the proof system: an attacker could choose those proof parameters after seeing the verifier's challenges, and so forge proofs for false statements. Additionally, a missing bounds check allowed for a trivial Denial of Service.
⚠️ Exploit Status: POC
Technical Details
- CWE-358: Improperly Implemented Security Check (Fiat-Shamir)
- CWE-400: Uncontrolled Resource Consumption (DoS)
- CVSS v4.0: AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
- Language: Rust
- Component: FRI Protocol / Fiat-Shamir Sponge
- Impact: Soundness Break (Proof Forgery)
Affected Systems
- triton-vm < 2.0.0 (fixed in 2.0.0)
Code Analysis
Commit: 3a045d6
Fix soundness bug by including omitted fields in Fiat-Shamir transcript
- Log2PaddedHeight(u32) => false
+ Log2PaddedHeight(u32) => true
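Review bot: the hunk flips only the `Log2PaddedHeight(u32)` arm of the inclusion predicate from `false` to `true`, while the advisory text also names FriPolynomial as omitted from the transcript; the arm for that item is not visible here, so it must be changed elsewhere in the commit or it remains unabsorbed. Suggest adding a test that iterates every proof-item variant and asserts the predicate returns `true` for each prover-supplied item, so that a future variant cannot silently default to `false` and reopen the same soundness gap.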
Exploit Details
- Research Analysis: Exploitation involves modifying the prover to observe challenges before selecting FRI parameters.
Mitigation Strategies
- Ensure all prover-supplied data is hashed into the Fiat-Shamir transcript immediately upon receipt.
- Implement strict bounds checking on all inputs determining memory allocation (e.g., domain height).
- Use protocol versioning to invalidate proofs generated by vulnerable implementations.
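To make the TL;DR and the first mitigation concrete, here is an added Rust example (not Triton VM's code) with a toy transcript over std's SipHash and a binding check: an inclusion policy is sound only if altering any single prover-supplied item changes the sampled challenge. The `ProofItem` variants follow the advisory's names; the values and the policies are constructed.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

/// Items a prover sends; variant names follow the advisory, values are constructed.
#[derive(Clone, Copy, Debug, Hash, PartialEq, Eq)]
enum ProofItem {
    MerkleRoot(u64),
    FriPolynomial(u64),
    Log2PaddedHeight(u32),
}

impl ProofItem {
    /// Vulnerable policy, modelled on the `=> false` arm the fix flips: two items never absorbed.
    fn absorbed_vulnerable(&self) -> bool {
        !matches!(self, ProofItem::FriPolynomial(_) | ProofItem::Log2PaddedHeight(_))
    }
    /// Fixed policy: every prover-supplied item is absorbed.
    fn absorbed_fixed(&self) -> bool {
        true
    }
}

/// Toy Fiat-Shamir transcript over std's SipHash (fixed keys, deterministic, NOT cryptographic).
fn derive_challenge(items: &[ProofItem], include: fn(&ProofItem) -> bool) -> u64 {
    let mut sponge = DefaultHasher::new();
    for item in items.iter().filter(|i| include(i)) {
        item.hash(&mut sponge); // absorb
    }
    sponge.finish() // squeeze the verifier's challenge
}

/// Defender's check: an item whose value can change without moving the challenge
/// is not bound by the transcript and can be chosen after the challenge is known.
fn every_item_binds(items: &[ProofItem], include: fn(&ProofItem) -> bool) -> bool {
    let base = derive_challenge(items, include);
    (0..items.len()).all(|i| {
        let mut tweaked = items.to_vec();
        tweaked[i] = match tweaked[i] {
            ProofItem::MerkleRoot(v) => ProofItem::MerkleRoot(v ^ 1),
            ProofItem::FriPolynomial(v) => ProofItem::FriPolynomial(v ^ 1),
            ProofItem::Log2PaddedHeight(v) => ProofItem::Log2PaddedHeight(v ^ 1),
        };
        derive_challenge(&tweaked, include) != base
    })
}

/// Constructed sample proof items.
fn sample_items() -> Vec<ProofItem> {
    vec![ProofItem::MerkleRoot(0xdead_beef), ProofItem::FriPolynomial(42), ProofItem::Log2PaddedHeight(10)]
}
```

Under the vulnerable policy `every_item_binds` reports false, because the padded height and FRI polynomial can be swapped without changing the challenge; under the fixed policy it reports true.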
Remediation Steps:
- Update the triton-vm crate to version >= 2.0.0.
- Re-generate any existing proofs that need to be verified, as version 0 proofs are now invalid.
- Audit any custom verifier implementations for similar Fiat-Shamir omissions.
References
Read the full report for GHSA-RJR4-V43M-PXQ6 on our website for more details including interactive diagrams and full exploit analysis.