
bug: unsoundness risk in gnark 0.10 #1749

@Oppen

Description


Reported in cantina#5. Transcript:

The Batcher accepts invalid proof in gnark groth16 proving system whenever at least two commitments are used in the circuit.

This breaks the soundness of the protocol whenever the circuit uses at least two commitments. Although using more than 1 commitment is relatively rare, malicious applications can intentionally add redundant commitments and inputs to their circuits without affecting the main logic of the circuit (as shown in PoC circuit below) and exploit this bug at any time.

The problem itself was known but slipped. PR #1471 attempted to fix it by upgrading to the recommended version, 0.11.0, but while testing it we found an OOM that led to DoS. The fix was accepted upstream but hasn't yet been released. We closed the PR expecting a release soon after, but that didn't happen.

This is a critical bug: it's allegedly easy to exploit and compromises soundness of the network.

Possible solutions:

  1. Disable (at least temporarily) the groth16 verifier;
  2. Use a replace directive to point to (at least) the fix commit;
  3. Push for a release upstream;
  4. Possibly restrict the number of commitments to 1 (at least temporarily) so the error can't be triggered.

The solutions aren't necessarily mutually exclusive.
