test: add test to showcase kernel exploit

[LHerskind]

Figured that the msg_sender that can be passed in during simulation is actually not constrained and blindly used. So if you bypass the account contract (where it does not really matter in most cases) and instead call private functions directly, you can use them as an entry point, but at the same time convince them that you called from some other contract.

This essentially allow you to set msg_sender at will, and is extremely dangerous, since you can use to to impersonate whoever you want.

In my case, I use it to impersonate a minter and mint some nice tokens for the attacker. In there, I'm minting 10K tokens to him, but he could really do whatever he want.

I don't think we are able to impersonate on public calls right now, but might just be because it is a little impractical to do atm. Nevertheless, this have to be fixed.

[LHerskind]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• test: add test to showcase kernel exploit #7190 👈
• refactor: simplify lookup validity for account builders #7184
• master

This stack of pull requests is managed by Graphite. Learn more about stacking.

Join @LHerskind and the rest of your teammates on Graphite

[AztecBot]

Benchmark results

Metrics with a significant change:

• proof_construction_time_poseidon_hash_ms (4): 45.0 (+32%)
• avm_simulation_time_ms (Token:mint_public): 608 (+868%)
• avm_simulation_time_ms (Token:assert_minter_and_mint): 71.6 (-65%)
• avm_simulation_time_ms (Token:transfer_public): 34.7 (-47%)
• protocol_circuit_witness_generation_time_in_ms (private-kernel-tail-to-public): 9,203 (+34%)

Detailed results

All benchmarks are run on txs on the Benchmarking contract on the repository. Each tx consists of a batch call to create_note and increment_balance, which guarantees that each tx has a private call, a nested private call, a public call, and a nested public call, as well as an emitted private note, an unencrypted log, and public storage read and write.

This benchmark source data is available in JSON format on S3 here.

Proof generation

Each column represents the number of threads used in proof generation.

Metric	1 threads	4 threads	16 threads	32 threads	64 threads
proof_construction_time_sha256_30_ms	11,774	3,174 (+1%)	1,493 (+3%)	1,644 (-1%)	1,555 (-1%)
proof_construction_time_sha256_100_ms	43,960 (-2%)	11,839 (+1%)	5,500 (+1%)	5,510 (+1%)	5,399 (+1%)
proof_construction_time_poseidon_hash_ms	78.0	⚠️ 45.0 (+32%)	34.0	57.0	89.0 (+2%)
proof_construction_time_poseidon_hash_30_ms	1,517	416	201 (+1%)	230 (+4%)	266
proof_construction_time_poseidon_hash_100_ms	5,758 (+1%)	1,576	725	777 (-1%)	792

L2 block published to L1

Each column represents the number of txs on an L2 block published to L1.

Metric	4 txs	8 txs	16 txs
l1_rollup_calldata_size_in_bytes	1,412	1,412	1,412
l1_rollup_calldata_gas	9,476	9,466	9,476
l1_rollup_execution_gas	610,297	610,287	610,297
l2_block_processing_time_in_ms	753	1,414	2,695 (-2%)
l2_block_building_time_in_ms	25,532	51,534 (-1%)	100,337
l2_block_rollup_simulation_time_in_ms	25,437	51,231 (-1%)	99,982
l2_block_public_tx_process_time_in_ms	21,865	47,439 (-1%)	96,247

L2 chain processing

Each column represents the number of blocks on the L2 chain where each block has 8 txs.

Metric	3 blocks	5 blocks
node_history_sync_time_in_ms	7,044 (+1%)	9,905
node_database_size_in_bytes	12,128,336	16,035,920
pxe_database_size_in_bytes	16,254	26,813

Circuits stats

Stats on running time and I/O sizes collected for every kernel circuit run across all benchmarks.

Circuit	simulation_time_in_ms	witness_generation_time_in_ms	proving_time_in_ms	input_size_in_bytes	output_size_in_bytes	proof_size_in_bytes	num_public_inputs	size_in_gates
private-kernel-init	130	467 (-3%)	12,993 (+3%)	20,634	67,190	92,352	2,819	524,288
private-kernel-inner	394	970 (+2%)	48,894 (-3%)	94,902	67,190	92,352	2,819	2,097,152
private-kernel-tail	373	1,820 (+3%)	51,549 (+3%)	99,121	71,733	14,912	399	2,097,152
base-parity	6.16 (-1%)	1,891 (+1%)	2,705	128	64.0	2,208	2.00	131,072
root-parity	48.8	76.1 (+1%)	40,209	27,100	64.0	2,720	18.0	2,097,152
base-rollup	7,952	4,796 (-3%)	85,050 (-1%)	170,330	756	3,648	47.0	4,194,304
root-rollup	110 (+1%)	88.4 (+3%)	23,160 (+1%)	25,309	620	3,456	41.0	1,048,576
public-kernel-setup	717 (+1%)	3,659 (+1%)	45,778 (+2%)	116,905	93,334	125,344	3,850	2,097,152
public-kernel-app-logic	617	4,740 (+3%)	44,803 (-1%)	116,905	93,334	125,344	3,850	2,097,152
public-kernel-tail	1,417	37,322 (-5%)	186,416 (-2%)	511,910	10,014	14,912	399	8,388,608
private-kernel-reset-small	598	1,966 (-5%)	46,085 (+1%)	123,313	67,190	92,352	2,819	2,097,152
public-kernel-teardown	614 (+1%)	4,654 (-1%)	47,264 (+6%)	116,905	93,334	125,344	3,850	2,097,152
merge-rollup	29.0 (+1%)	N/A	N/A	16,542	756	N/A	N/A	N/A
private-kernel-tail-to-public	N/A	⚠️ 9,203 (+34%)	99,077 (+3%)	N/A	N/A	125,344	3,850	4,194,304

Stats on running time collected for app circuits

Function	input_size_in_bytes	output_size_in_bytes	witness_generation_time_in_ms	proof_size_in_bytes	proving_time_in_ms	size_in_gates	num_public_inputs
ContractClassRegisterer:register	1,344	9,944	418 (-1%)	N/A	N/A	N/A	N/A
ContractInstanceDeployer:deploy	1,408	9,944	39.5	N/A	N/A	N/A	N/A
MultiCallEntrypoint:entrypoint	1,920	9,944	1,767 (-1%)	N/A	N/A	N/A	N/A
GasToken:deploy	1,376	9,944	976 (+2%)	N/A	N/A	N/A	N/A
SchnorrAccount:constructor	1,312	9,944	1,409 (+1%)	N/A	N/A	N/A	N/A
SchnorrAccount:entrypoint	2,304	9,944	2,846 (+1%)	16,768	54,259 (-2%)	2,097,152	457
Token:privately_mint_private_note	1,280	9,944	1,742 (+7%)	N/A	N/A	N/A	N/A
FPC:fee_entrypoint_public	1,344	9,944	349	16,768	11,196 (-1%)	524,288	457
Token:transfer	1,312	9,944	4,529 (+2%)	16,768	46,910 (-4%)	2,097,152	457
AuthRegistry:set_authorized (avm)	21,043	N/A	N/A	87,200	1,330	N/A	N/A
FPC:prepare_fee (avm)	28,841	N/A	N/A	88,032	5,828 (+5%)	N/A	N/A
Token:transfer_public (avm)	44,971	N/A	N/A	87,865	4,692	N/A	N/A
AuthRegistry:consume (avm)	34,973	N/A	N/A	87,616	2,949 (-1%)	N/A	N/A
FPC:pay_refund (avm)	33,573	N/A	N/A	88,448	11,061 (-3%)	N/A	N/A
Benchmarking:create_note	1,344	9,944	1,419 (+1%)	N/A	N/A	N/A	N/A
SchnorrAccount:verify_private_authwit	1,280	9,944	75.7 (-2%)	N/A	N/A	N/A	N/A
Token:unshield	1,376	9,944	3,901 (+6%)	N/A	N/A	N/A	N/A
FPC:fee_entrypoint_private	1,376	9,944	4,859 (+5%)	N/A	N/A	N/A	N/A

AVM Simulation

Time to simulate various public functions in the AVM.

Function	time_ms	bytecode_size_in_bytes
GasToken:_increase_public_balance	69.8 (+2%)	13,873
GasToken:set_portal	16.6 (-2%)	3,495
Token:constructor	91.2 (-1%)	24,207
FPC:constructor	61.6 (-2%)	13,893
GasToken:mint_public	51.4 (+1%)	10,241
Token:mint_public	⚠️ 608 (+868%)	19,216
Token:assert_minter_and_mint	⚠️ 71.6 (-65%)	13,034
AuthRegistry:set_authorized	32.0 (+7%)	7,869
FPC:prepare_fee	189 (-1%)	15,187
Token:transfer_public	⚠️ 34.7 (-47%)	31,425
FPC:pay_refund	128 (+13%)	20,080
Benchmarking:increment_balance	2,705	15,465
Token:_increase_public_balance	60.7 (+9%)	15,089
FPC:pay_refund_with_shielded_rebate	154 (+8%)	21,167

Public DB Access

Time to access various public DBs.

Function	time_ms
get-nullifier-index	0.154 (+1%)

Tree insertion stats

The duration to insert a fixed batch of leaves into each tree type.

Metric	1 leaves	16 leaves	64 leaves	128 leaves	256 leaves	512 leaves	1024 leaves
batch_insert_into_append_only_tree_16_depth_ms	10.3 (-5%)	16.6 (-4%)	N/A	N/A	N/A	N/A	N/A
batch_insert_into_append_only_tree_16_depth_hash_count	16.8	31.7	N/A	N/A	N/A	N/A	N/A
batch_insert_into_append_only_tree_16_depth_hash_ms	0.595 (-6%)	0.511 (-4%)	N/A	N/A	N/A	N/A	N/A
batch_insert_into_append_only_tree_32_depth_ms	N/A	N/A	47.8 (-1%)	76.0 (-12%)	131	244 (-1%)	469 (-10%)
batch_insert_into_append_only_tree_32_depth_hash_count	N/A	N/A	95.9	159	287	543	1,055
batch_insert_into_append_only_tree_32_depth_hash_ms	N/A	N/A	0.489 (-1%)	0.467 (-12%)	0.449	0.442 (-1%)	0.438 (-10%)
batch_insert_into_indexed_tree_20_depth_ms	N/A	N/A	59.1 (-1%)	111 (-11%)	182 (-2%)	352 (-1%)	692
batch_insert_into_indexed_tree_20_depth_hash_count	N/A	N/A	109	207	355	691	1,363
batch_insert_into_indexed_tree_20_depth_hash_ms	N/A	N/A	0.499 (-1%)	0.500 (-11%)	0.482 (-2%)	0.476 (-1%)	0.475
batch_insert_into_indexed_tree_40_depth_ms	N/A	N/A	72.4 (-2%)	N/A	N/A	N/A	N/A
batch_insert_into_indexed_tree_40_depth_hash_count	N/A	N/A	133	N/A	N/A	N/A	N/A
batch_insert_into_indexed_tree_40_depth_hash_ms	N/A	N/A	0.515 (-3%)	N/A	N/A	N/A	N/A

Miscellaneous

Transaction sizes based on how many contract classes are registered in the tx.

Metric	0 registered classes	1 registered classes
tx_size_in_bytes	85,672	670,983

Transaction size based on fee payment method

| Metric | |
| - | |

[LHerskind]

A fix is fairly easy, simply need to assert that the msg_sender == max_value in the first call. We want to use max_value instead of 0, to avoid cases of using Address(0).

However, some of the tests gets kinda rekt with it, because many of the private_execution tests are calling functions directly and abusing the msg_sender in there.

[LHerskind]

@sirasistant or @LeilaWang, might make sense for one of you to look at this? Not fully sure what you guys think is the best way to do it and update all of the tests that it will break.

[LHerskind]

This should be fixed in #7404 so closing this.