panic in merkle's verify_batch
themighty1 opened this issue
As is currently implemented, if a malicious prover lies about the depth of their Merkle tree, it will cause the verifier to panic.
The panic can be reproduced by replacing this line in the test (winterfell/crypto/src/merkle/tests.rs, line 219 in 0acb2a1) with
let mut proof = tree.prove_batch(&[1, 2]).unwrap();
proof.depth = proof.depth + 100;
Is this an inherent limitation or can this be worked around?
Thank you for catching this! This shouldn't be too difficult to fix. Basically, we should detect an invalid depth (probably during deserialization) and just return an error.
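The fix discussed in this thread, sketched as an added example that is not winterfell's code: a verifier that validates the prover-supplied depth and returns an error instead of panicking. It narrows the batch case to a single-leaf proof; `Proof`, `ProofError`, `MAX_DEPTH`, `build`, `prove` and `verify` are hypothetical names, and `merge` is a non-cryptographic stand-in hash.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::Hasher;
// Hypothetical types for illustration; not winterfell's API.
const MAX_DEPTH: u8 = 32; // assumed upper bound on tree depth
#[derive(Debug, PartialEq)]
pub enum ProofError { InvalidDepth(u8), IndexOutOfRange(u64), RootMismatch }
pub struct Proof { pub depth: u8, pub siblings: Vec<u64> } // depth is prover-supplied

// Stand-in 2-to-1 hash, NOT cryptographic; it only keeps the example dependency-free.
fn merge(l: u64, r: u64) -> u64 {
    let mut h = DefaultHasher::new();
    h.write_u64(l);
    h.write_u64(r);
    h.finish()
}

// All levels of a tree over a power-of-two number of leaves, leaves first.
pub fn build(leaves: &[u64]) -> Vec<Vec<u64>> {
    let mut levels = vec![leaves.to_vec()];
    while levels.last().unwrap().len() > 1 {
        let next: Vec<u64> = levels.last().unwrap().chunks(2).map(|p| merge(p[0], p[1])).collect();
        levels.push(next);
    }
    levels
}

pub fn prove(levels: &[Vec<u64>], index: usize) -> Proof {
    let depth = levels.len() - 1;
    Proof { depth: depth as u8, siblings: (0..depth).map(|d| levels[d][(index >> d) ^ 1]).collect() }
}

pub fn verify(root: u64, index: u64, leaf: u64, proof: &Proof) -> Result<(), ProofError> {
    // Reject a claimed depth that is out of bounds or disagrees with the path length,
    // before any shift or index computation depends on it.
    if proof.depth > MAX_DEPTH || proof.depth as usize != proof.siblings.len() {
        return Err(ProofError::InvalidDepth(proof.depth));
    }
    if index >= (1u64 << proof.depth) { return Err(ProofError::IndexOutOfRange(index)); }
    let path = proof.siblings.iter().enumerate();
    let acc = path.fold(leaf, |a, (d, s)| if (index >> d) & 1 == 0 { merge(a, *s) } else { merge(*s, a) });
    if acc == root { Ok(()) } else { Err(ProofError::RootMismatch) }
}

fn main() {
    let levels = build(&[11, 22, 33, 44]); // constructed sample leaves
    let mut proof = prove(&levels, 1);
    proof.depth += 100; // the tampering from the issue
    println!("{:?}", verify(levels[2][0], 1, 22, &proof));
}
```

The same bounds and consistency checks can run at deserialization time, as the reply suggests, so that a proof with an invalid depth never reaches the verification logic.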