RISC Zero zk-STARKs RISC-V Instructions Underconstrained Vulnerability Allowing Register Value Confusion

A vulnerability exists in RISC Zero's general computing platform, specifically within the zk-STARKs implementation and the RISC-V microarchitecture. This issue affects versions 2.0.0, 2.0.1, and 2.0.2 of the risc0-zkvm crate. The vulnerability arises from a missing constraint in the rv32im circuit, allowing a malicious prover to manipulate the RISC-V virtual machine into misinterpreting the values of the rs1 and rs2 registers. This confusion can be exploited with any 3-register RISC-V instruction, including 'remu' and 'divu'.

Impact

Exploitation of this vulnerability allows for register value manipulation, where the RISC-V virtual machine incorrectly treats the rs1 register value as identical to that of the rs2 register. This can lead to erroneous program behavior, particularly with instructions that rely on accurate register values, such as 'divu' and 'remu'.

Reproduction

To reproduce this vulnerability, use a RISC-V instruction that involves three registers, such as 'divu' or 'remu', within a Rust application that includes the risc0-zkvm crate versions 2.0.0, 2.0.1, or 2.0.2'. The instruction will be processed by the RISC-V virtual machine, which will incorrectly handle the register values due to the missing constraint in the rv32im circuit. This can be verified by checking the behavior of the instruction, which will reflect the incorrect register value handling.

Remediation

Users should upgrade to RISC Zero zkVM version 2.1.0. For Rust applications using the official RISC Zero Verifier Router, no action is needed as version 2.1 is already active on all official routers and version 2.0 has been disabled. However, smart contract applications not using the verifier router should update their contracts to send verification calls to the 2.1 version of the verifier.