Winterfell STARK, Padding Collision, CVE-None (Medium)

Listen to this Post

How the mentioned CVE works (technical details):

The vulnerability exists in `PaddingFreeSponge` hashing when input length is not a multiple of the rate (4). Instead of proper padding, it pads by copying elements from the current state. For a width-8, rate-4 sponge: start zero state [0,0,0,0,0,0,0,0]. Absorb first 4 elements → [h0,h1,h2,h3,0,0,0,0], then permute → [p00,p10,p20,p30,p40,p50,p60,p70]. Absorb next 4 → [h4,h5,h6,h7,p40,p50,p60,p70], permute → [p01,p11,p21,p31,p41,p51,p61,p71]. If 10 elements remain, final round overwrites first 2: [h8,h9,p21,p31,p41,p51,p61,p71]. No padding distinguishes length. Thus iterators over `[h0..h9]` and `[h0..h9, p21]` produce identical final state. Collision occurs because the hasher cannot tell if extra state element was input or leftover state. Attackers manipulating element count can force same hash for different data lengths, breaking collision resistance.

dailycve form:

Platform: Winterfell STARK
Version: pre-patch (2023)
Vulnerability: Padding-free collision
Severity: Medium
date: 2023-08-??

Prediction: Patch within 30d

What Undercode Say:

Simulate collision: two different-length iterators produce same state
STATE1=$(echo -n "h0 h1 h2 h3 h4 h5 h6 h7 h8 h9" | sponge_hash --rate 4)
STATE2=$(echo -n "h0 h1 h2 h3 h4 h5 h6 h7 h8 h9 p21" | sponge_hash --rate 4)
[ "$STATE1" == "$STATE2" ] && echo "Collision found"
Proof-of-concept using PaddingFreeSponge
from hashlib import shake_128
def bad_pad(data, rate=4):
Missing 10 padding
return data + [bash] ((rate - len(data)%rate)%rate)

Exploit:

Attacker feeds iterators of different lengths (e.g., 10 vs 11 elements) where extra element equals a previous state word (p21). Both yield identical final sponge state, allowing hash collisions. In STARK proofs, adversary can manipulate prover to reuse same hash across multiple proofs, amortizing grinding costs.

Protection from this CVE:

Use `Pad10Sponge` instead of PaddingFreeSponge. It applies 10 padding: if length % rate != 0, append `1` then zeros; if multiple, add `1` to first secret state element. Example for rate=4, lengths 9-12 produce final states [h8,1,0,0,p41,...], [h8,h9,1,0,p41,...], [h8,h9,h10,1,p41,...], `[h8,h9,h10,h11,p41+1,…]` – unique per length.

Impact:

Collision only if attacker controls number of hashed elements. Fixed-length hashing (e.g., most STARKS) remains safe. But variable-length scenarios allow state collisions, enabling proof grinding attacks and undermining integrity of Merkle trees or accumulators built on vulnerable sponge.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top