GHSA-GJV3-89HH-9XQ2

Vulnerability from github – Published: 2025-06-25 21:27 – Updated: 2025-06-25 21:28
VLAI
Summary
RISC Zero Ethereum invalid commitment with digest value of zero accepted by Steel.validateCommitment
Details

Impact

Prior to 2.1.1 and 2.2.0, the Steel.validateCommitment Solidity library function will return true for a crafted commitment with a digest value of zero.

This violates the semantics of validateCommitment, as this does not commitment to a block that is in the current chain. Because the digest is zero, it does not correspond to any block and there exist no known openings. As a result, this commitment will never be produced by a correct zkVM guest using Steel. Leveraging this bug to compromise the soundness of an application using Steel would require a separate bug or misuse of the Steel library, which is expected to be used to validate the root of state opening proofs (e.g. having the guest commit to a digest of zero, or failing to check the zkVM proof).

Because this bug does not risk application integrity, correctly written applications are not at risk.

Fix

Please see #605 for a full description of the bug, and the fix. This fix has been released as part of risc0-ethereum 2.1.1 and 2.2.0.

Recommended actions

Users for the Steel Solidity library versions 2.1.0 or earlier should ensure they are using Steel.validateCommitment in tandem with zkVM proof verification of a Steel program, as shown in the ERC-20 counter example, and documentation. This is the correct usage of Steel, and users following this pattern are not at risk, and do not need to take action.

Users not verifying a zkVM proof of a Steel program should update their application to do so, as this is incorrect usage of Steel.

Credit

A thank you to Daniel526 on HackenProof for reporting this issue

Severity
1.7 (Low)
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "risc0-ethereum-contracts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-52884"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-159"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-25T21:27:59Z",
    "nvd_published_at": "2025-06-24T21:15:26Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nPrior to 2.1.1 and 2.2.0, the `Steel.validateCommitment` Solidity library function will return `true` for a crafted commitment with a digest value of zero.\n\nThis violates the semantics of `validateCommitment`, as this does not commitment to a block that is in the current chain. Because the digest is zero, it does not correspond to any block and there exist no known openings. As a result, this commitment will never be produced by a correct zkVM guest using Steel. Leveraging this bug to compromise the soundness of an application using Steel would require a separate bug or misuse of the Steel library, which is expected to be used to validate the root of state opening proofs (e.g. having the guest commit to a digest of zero, or failing to check the zkVM proof).\n\nBecause this bug does not risk application integrity, correctly written applications are not at risk.\n\n### Fix\n\nPlease see [#605] for a full description of the bug, and the fix. This fix has been released as part of `risc0-ethereum` [2.1.1] and [2.2.0].\n\n### Recommended actions\n\nUsers for the `Steel` Solidity library versions 2.1.0 or earlier should ensure they are using `Steel.validateCommitment` in tandem with zkVM proof verification of a Steel program, as shown in the [ERC-20 counter example][example], and [documentation]. This is the correct usage of Steel, and users following this pattern are not at risk, and do not need to take action.\n\nUsers not verifying a zkVM proof of a Steel program should update their application to do so, as this is incorrect usage of Steel.\n\n### Credit\n\nA thank you to Daniel526 on HackenProof for reporting this issue\n\n[#605]: https://github.com/risc0/risc0-ethereum/pull/605\n[example]: https://github.com/risc0/risc0-ethereum/blob/ff0cb9253a87945b653b825711b8b5075f8b7545/examples/erc20-counter/contracts/src/Counter.sol#L56-L63\n[documentation]: https://docs.beboundless.xyz/developers/steel/how-it-works#verifying-the-proof-onchain\n[2.1.1]: https://github.com/risc0/risc0-ethereum/releases/tag/v2.1.1\n[2.2.0]: https://github.com/risc0/risc0-ethereum/releases/tag/v2.2.0",
  "id": "GHSA-gjv3-89hh-9xq2",
  "modified": "2025-06-25T21:28:00Z",
  "published": "2025-06-25T21:27:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/risc0/risc0-ethereum/security/advisories/GHSA-gjv3-89hh-9xq2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52884"
    },
    {
      "type": "WEB",
      "url": "https://github.com/risc0/risc0-ethereum/pull/605"
    },
    {
      "type": "WEB",
      "url": "https://github.com/risc0/risc0-ethereum/commit/3bbac859c7132b21ba5fdf2d47f1dd52e7e73d98"
    },
    {
      "type": "WEB",
      "url": "https://docs.beboundless.xyz/developers/steel/how-it-works#verifying-the-proof-onchain"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/risc0/risc0-ethereum"
    },
    {
      "type": "WEB",
      "url": "https://github.com/risc0/risc0-ethereum/blob/ff0cb9253a87945b653b825711b8b5075f8b7545/examples/erc20-counter/contracts/src/Counter.sol#L56-L63"
    },
    {
      "type": "WEB",
      "url": "https://github.com/risc0/risc0-ethereum/releases/tag/v2.1.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/risc0/risc0-ethereum/releases/tag/v2.2.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "RISC Zero Ethereum invalid commitment with digest value of zero accepted by Steel.validateCommitment"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.