# Circomspect

### Intro

"In October 2019, a security researcher found a devastating vulnerability in Tornado.cash, a decentralized, non-custodial mixer on the Ethereum network... because of an issue in one of the ZKPs, anyone could forge a proof of deposit and withdraw funds from the system... This bug would have been caught using Circomspect, a new static analyzer for ZKPs."

This excerpt is taken from [*It Pays to be Circomspect*](https://blog.trailofbits.com/2022/09/15/it-pays-to-be-circomspect/) by the tool's creators. Read more about the bug and how Circomspect addresses it in the blog post.

### Static Analysis Capabilities

This information is lifted word-for-word from the [Circomspect rust crate](https://crates.io/crates/circomspect). As time progresses, Trail of Bits (Circomspect creator) plans to add more checks to the static analysis.

#### Warning Messages

<details>

<summary><strong>Side-effect free assignments</strong></summary>

An assigned value which does not contribute either directly or indirectly to a constraint, or a function return value, typically indicates a mistake in the implementation of the circuit. For example, consider the following `BinSum` template from circomlib where we've changed the final constraint to introduce a bug.

```
  template BinSum(n, ops) {
      var nout = nbits((2 ** n - 1) * ops);
      var lin = 0;
      var lout = 0;

      signal input in[ops][n];
      signal output out[nout];

      var e2 = 1;
      for (var k = 0; k < n; k++) {
          for (var j = 0; j < ops; j++) {
              lin += in[j][k] * e2;
          }
          e2 = e2 + e2;
      }

      e2 = 1;
      for (var k = 0; k < nout; k++) {
          out[k] <-- (lin >> k) & 1;
          out[k] * (out[k] - 1) === 0;

          lout += out[k] * e2;  // The value assigned here is not used.
          e2 = e2 + e2;
      }

      lin === nout;  // Should use `lout`, but uses `nout` by mistake.
  }
```

Here, `lout` no longer influences the generated circuit, which is detected by Circomspect.

</details>

<details>

<summary><strong>Shadowing variable declarations</strong></summary>

A shadowing variable declaration is a declaration of a variable with the same name as a previously declared variable. This does not have to be a problem, but if a variable declared in an outer scope is shadowed by mistake, this could change the semantics of the program which would be an issue.

For example, consider this function which is supposed to compute the number of bits needed to represent `a`.

```
  function numberOfBits(a) {
      var n = 1;
      var r = 0;  // Shadowed variable is declared here.
      while (n - 1 < a) {
          var r = r + 1;  // Shadowing declaration here.
          n *= 2;
      }
      return r;
  }
```

Since a new variable `r` is declared in the while-statement body, the outer variable is never updated and the return value is always 0.

</details>

<details>

<summary>S<strong>ignal assignments using the signal assignment operator</strong></summary>

Signals should typically be assigned using the constraint assignment operator `<==`. This ensures that the circuit and witness generation stay in sync. If `<--` is used it is up to the developer to ensure that the signal is properly constrained. Circomspect will try to detect if the right-hand side of the assignment is a quadratic expression. If it is, the signal assignment can be rewritten using the constraint assignment operator `<==`.

However, sometimes it is not possible to express the assignment using a quadratic expression. In this case Circomspect will try to list all constraints containing the assigned signal to make it easier for the developer (or reviewer) to ensure that the variable is properly constrained.

The Tornado Cash codebase was originally affected by an issue of this type. For details see the Tornado Cash disclosure [here](https://tornado-cash.medium.com/tornado-cash-got-hacked-by-us-b1e012a3c9a8).

</details>

<details>

<summary><strong>Branching statement conditions that evaluate to a constant value</strong></summary>

If a branching statement condition always evaluates to either `true` or `false`, this means that the branch is either always taken, or never taken. This typically indicates a mistake in the code which should be fixed.

</details>

<details>

<summary><strong>Use of the non-strict versions of <code>Num2Bits</code> and <code>Bits2Num</code> from Circomlib</strong> </summary>

Using `Num2Bits` and `Bits2Num` from [Circomlib](https://github.com/iden3/circomlib) to convert a field element to and from binary form is only safe if the input size is smaller than the size of the prime. If not, there may be multiple correct representations of the input which could cause issues, since we typically expect the circuit output to be uniquely determined by the input.

For example, Suppose that we create a component `n2b` given by `Num2Bits(254)` and set the input to `1`. Now, both the binary representation of `1` *and* the representation of `p + 1` will satisfy the circuit over BN128, since both are 254-bit numbers. If you cannot restrict the input size below the prime size you should use the strict versions `Num2Bits_strict` and `Bits2Num_strict` to convert to and from binary representation. Circomspect will generate a warning if it cannot prove (using constant propagation) that the input size passed to `Num2Bits` or `Bits2Num` is less than the size of the prime in bits.

</details>

<details>

<summary><strong>Overly complex functions or templates</strong></summary>

As functions and templates grow in complexity they become more difficult to review and maintain. This typically indicates that the code should be refactored into smaller, more easily understandable, components. Circomspect uses cyclomatic complexity to estimate the complexity of each function and template, and will generate a warning if the code is considered too complex. Circomspect will also generate a warning if a function or template takes too many arguments, as this also impacts the readability of the code.

</details>

#### Informational Messages

<details>

<summary><strong>Bitwise complement of field elements</strong></summary>

Circom supports taking the 256-bit complement `~x` of a field element `x`. Since the result is reduced modulo `p`, it will typically not satisfy the expected relations `(~x)ᵢ == ~(xᵢ)` for each bit `i`, which could lead to surprising results.

</details>

<details>

<summary><strong>Field element arithmetic</strong></summary>

Circom supports a large number of arithmetic expressions. Since arithmetic expressions can overflow or underflow in Circom it is worth paying extra attention to field arithmetic to ensure that elements are constrained to the correct range.

</details>

<details>

<summary><strong>Field element comparisons</strong></summary>

Field elements are normalized to the interval `(-p/2, p/2]` before they are compared, by first reducing them modulo `p` and then mapping them to the correct interval by subtracting `p` from the value `x`, if `x` is greater than `p/2`. In particular, this means that `p/2 + 1 < 0 < p/2 - 1`. This can be surprising if you are used to thinking of elements in `GF(p)` as unsigned integers.

</details>

### Links

* [Introductory Blog Post by Trail of Bits](https://blog.trailofbits.com/2022/09/15/it-pays-to-be-circomspect/)
* [Source on GitHub](https://github.com/trailofbits/circomspect)
* [Rust Crate](https://crates.io/crates/circomspect)