Soroban-Poseidon Cryptographic Hash Function Collision Vulnerability
Vulnerability
A vulnerability in the Soroban-Poseidon library's Poseidon V1 hash function (PoseidonSponge) allows hash collisions because variable-length inputs are not handled correctly. When fewer inputs are supplied than the sponge rate, the unused rate positions are silently filled with zeros before the permutation runs. The sponge state after absorbing the vector [x] is therefore identical to the state after absorbing [x, 0] or [x, 0, 0], so an attacker can produce two different input vectors with the same digest without any cryptanalysis of the permutation itself. The collision is triggered whenever the number of inputs is below the sponge rate minus one, for example hashing a single input with a rate of three.
Impact
The vulnerability allows trivial hash collisions in the Poseidon V1 hash function: distinct input vectors, differing only in trailing zero elements that the library would have added implicitly, produce identical hash values. Any construction that relies on the digest to uniquely identify its input, such as a commitment or a leaf in an authenticated data structure, loses that guarantee for inputs shorter than the sponge rate.
Reproduction
To reproduce this vulnerability, use the Poseidon V1 hash function (PoseidonSponge) and provide an input vector with fewer elements than the sponge rate minus one. For example, with a sponge rate of three, hash the single-element vector [x], then hash the same vector extended with explicit zeros, [x, 0, 0]. The function zero-fills the unused rate positions in the first call, so both calls produce the same digest.
Remediation
Users should upgrade to Soroban-Poseidon version 25.0.1, which fixes the collision vulnerability by enforcing that the number of inputs equals the sponge rate, so a short input vector is rejected instead of being zero-filled. If an upgrade is not possible, ensure at the call site that the number of inputs always matches the sponge rate, or migrate to Poseidon2, which safely handles variable-length inputs.
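The following Rust program is an added illustration of the reproduction and remediation described above; it is not code from the Soroban-Poseidon library and does not use the library's API, parameters, or round constants. It builds a toy sponge over the Goldilocks prime with made-up round constants, an x^7 S-box, and a circulant mixing layer, purely to show the structural collision: zero-filling unused rate positions makes [x] and [x, 0, 0] indistinguishable to the permutation. The function names hash_zero_fill, hash_fixed_width and hash_length_tagged are assumptions. hash_fixed_width mirrors the fix the advisory describes (reject any input count other than the rate); hash_length_tagged shows a generic domain-separation technique, encoding the input length in the capacity slot, and is not a description of how Poseidon2 or version 25.0.1 handles variable-length inputs.

```rust
// Toy sponge demonstrating the zero-fill collision. Not Soroban-Poseidon's code,
// constants, or parameters; every constant below is an assumption for illustration.

const P: u64 = 0xFFFF_FFFF_0000_0001; // Goldilocks prime, 2^64 - 2^32 + 1 (x^7 is a bijection here)
const RATE: usize = 3;
const CAPACITY: usize = 1;
const WIDTH: usize = RATE + CAPACITY;
const ROUNDS: usize = 8;
const RC_SEED: u64 = 0x9E37_79B9_7F4A_7C15; // toy round-constant seed, not a real Poseidon constant
const MIX_ROW: [u64; WIDTH] = [2, 3, 1, 1]; // first row of an invertible circulant mixing matrix (toy)

fn add(a: u64, b: u64) -> u64 {
    ((a as u128 + b as u128) % P as u128) as u64
}

fn mul(a: u64, b: u64) -> u64 {
    ((a as u128 * b as u128) % P as u128) as u64
}

/// S-box x^7 (a permutation of the Goldilocks field since gcd(7, P - 1) = 1).
fn pow7(x: u64) -> u64 {
    let x2 = mul(x, x);
    let x4 = mul(x2, x2);
    mul(mul(x4, x2), x)
}

/// Toy Poseidon-shaped permutation: add round constant, S-box, circulant mix.
fn permute(state: &mut [u64; WIDTH]) {
    for r in 0..ROUNDS {
        for (i, s) in state.iter_mut().enumerate() {
            let rc = mul((r * WIDTH + i + 1) as u64, RC_SEED);
            *s = pow7(add(*s, rc));
        }
        let old = *state;
        for i in 0..WIDTH {
            let mut acc = 0;
            for (j, &c) in MIX_ROW.iter().enumerate() {
                acc = add(acc, mul(c, old[(i + j) % WIDTH]));
            }
            state[i] = acc;
        }
    }
}

/// Vulnerable pattern from the advisory: absorb up to RATE inputs into the rate
/// positions and silently zero-fill the positions the caller did not supply.
/// Single-block absorption only, which is the scenario the advisory describes.
fn hash_zero_fill(inputs: &[u64]) -> u64 {
    assert!(inputs.len() <= RATE, "toy sponge absorbs a single block only");
    let mut state = [0u64; WIDTH]; // unused rate slots and capacity start at zero
    for (i, x) in inputs.iter().enumerate() {
        state[i] = *x % P;
    }
    permute(&mut state);
    state[0]
}

#[derive(Debug, PartialEq)]
enum HashError {
    WrongInputCount { expected: usize, got: usize },
}

/// Remediation as the advisory describes it: the input count must equal the rate,
/// so no implicit zero-fill can ever occur.
fn hash_fixed_width(inputs: &[u64]) -> Result<u64, HashError> {
    if inputs.len() != RATE {
        return Err(HashError::WrongInputCount { expected: RATE, got: inputs.len() });
    }
    Ok(hash_zero_fill(inputs))
}

/// Generic domain separation (illustrative, not the library's Poseidon2 scheme):
/// the input length is written into the capacity slot, so [x] and [x, 0] reach
/// the permutation in different states even though their rate slots agree.
fn hash_length_tagged(inputs: &[u64]) -> u64 {
    assert!(inputs.len() <= RATE, "toy sponge absorbs a single block only");
    let mut state = [0u64; WIDTH];
    for (i, x) in inputs.iter().enumerate() {
        state[i] = *x % P;
    }
    state[RATE] = inputs.len() as u64; // capacity slot carries the length tag
    permute(&mut state);
    state[0]
}

fn main() {
    let x = 7u64;
    println!("zero-fill  [x]       = {:#x}", hash_zero_fill(&[x]));
    println!("zero-fill  [x, 0, 0] = {:#x}", hash_zero_fill(&[x, 0, 0]));
    println!("fixed      [x]       = {:?}", hash_fixed_width(&[x]));
    println!("tagged     [x]       = {:#x}", hash_length_tagged(&[x]));
    println!("tagged     [x, 0, 0] = {:#x}", hash_length_tagged(&[x, 0, 0]));
}
```

Running the program prints the same digest for the first two lines, an Err for the fixed-width call with one input, and two different digests for the length-tagged calls. The collision needs no knowledge of the permutation: it is a property of how the rate slots are filled, which is why the fix is an input-count check rather than a change to the round function.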
