Scope
The analyzed resources are located on:
https://github.com/risc0/risc0-ethereum
- /aggregation
- /contracts/src/IRiscZeroSetVerifier.sol
- /contracts/src/RiscZeroSetVerifier.sol
Commit: 3c1fd2a859e40ea009a580aac294191196968c60
The issues described in this report were fixed in the following commit:
https://github.com/risc0/risc0-ethereum/pull/406
Commit: 6c0a11d789442372aaa2f802da9d0f5b7dcbb135
Summary
Weaknesses
This section contains the list of discovered weaknesses.
RSCZD-1 | DISCREPANCY BETWEEN THE SELECTOR IMPLEMENTATION AND DOCUMENTATION
Severity:
Status:
Fixed
Path:
contracts/src/RiscZeroSetVerifier.sol
Description:
RISC Zero verifiers have a SELECTOR parameter that differentiates verifier types. RiscZeroSetVerifier declares bytes4 public immutable SELECTOR, which is computed from the image ID:
    constructor(IRiscZeroVerifier verifier, bytes32 imageId, string memory _imageUrl) {
        VERIFIER = verifier;
        IMAGE_ID = imageId;
        imageUrl = _imageUrl;
        SELECTOR = RiscZeroSetVerifierLib.selector(imageId);
    }

    library RiscZeroSetVerifierLib {
        function selector(bytes32 imageId) internal pure returns (bytes4) {
            return bytes4(
                sha256(
                    abi.encodePacked(
                        // tag
                        sha256("risc0.SetInclusionReceiptVerifierParameters"),
                        // down
                        imageId,
                        // down length
                        uint16(1) << 8
                    )
                )
            );
        }
    }
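The documentation for the immutable SELECTOR variable:
    /// @dev The selector is taken from the hash of the verifier parameters including the Groth16
    /// verification key and the control IDs that commit to the RISC Zero circuits.
is not aligned with the implementation: the code derives the selector from the tag digest, the image ID and a length field, whereas the comment describes a Groth16 verification key and control IDs.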
Remediation:
Fix the comment to be aligned with the implementation.
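An off-chain reimplementation of the selector computation shown in the description, added here as an example (it is not code from the risc0-ethereum repository or from this report), which a reviewer can use to confirm which inputs determine a deployed SELECTOR. The function names and the sample image IDs are constructed for illustration, and the seal check assumes the selector occupies the first four bytes of a seal.

```python
import hashlib

# Tag string taken from RiscZeroSetVerifierLib.selector in the report.
TAG = b"risc0.SetInclusionReceiptVerifierParameters"


def selector_preimage(image_id: bytes) -> bytes:
    """Bytes that abi.encodePacked(...) yields inside RiscZeroSetVerifierLib.selector."""
    if len(image_id) != 32:
        raise ValueError("image ID must be a bytes32 value")
    tag_digest = hashlib.sha256(TAG).digest()
    # uint16(1) << 8 is 0x0100; encodePacked writes a uint16 as two
    # big-endian bytes, so the packed tail is 01 00.
    down_length = (1 << 8).to_bytes(2, "big")
    return tag_digest + image_id + down_length


def set_verifier_selector(image_id: bytes) -> bytes:
    """bytes4(sha256(...)) keeps the leftmost four bytes of the digest."""
    return hashlib.sha256(selector_preimage(image_id)).digest()[:4]


def seal_selector_matches(seal: bytes, image_id: bytes) -> bool:
    """Assumption: a seal starts with the 4-byte selector of its verifier."""
    return len(seal) >= 4 and seal[:4] == set_verifier_selector(image_id)


# Constructed sample image IDs, not real guest image IDs.
IMAGE_ID_A = bytes.fromhex("11" * 32)
IMAGE_ID_B = bytes.fromhex("22" * 32)

if __name__ == "__main__":
    # Only the tag and the image ID feed the hash: no Groth16 key, no control IDs.
    for name, image_id in (("A", IMAGE_ID_A), ("B", IMAGE_ID_B)):
        print(name, "0x" + set_verifier_selector(image_id).hex())
```

Comparing the printed value with the SELECTOR read from a deployed RiscZeroSetVerifier confirms that the selector depends only on the tag and the image ID.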