Zion Boggan

In-depth vulnerability research, detection engineering & applied cryptography.

Memory safety / crypto

Finding 05: Integer Overflow in Quadratic ZKP Deserialization

Severity: P3 (Medium), Size check bypass via integer overflow (CWE-190)

Summary

paillier_large_factors_quadratic_proof_size_from_dsize() computes sizeof(uint32_t) + 9*d_size + 2*z_size in uint32_t arithmetic. d_size is attacker-controlled: it is read from the serialized proof. A large enough value makes 9*d_size wrap around, so the computed size is small and passes the bounds check. The function then proceeds to read d_size bytes (~477MB) from a tiny buffer.

Location

  • File: src/common/crypto/zero_knowledge_proof/range_proofs.c, lines 2042-2085

PoC Verified

d_size = 0x1C71C71D: 9*d_size overflows uint32_t to 5
True required: 4.3 GB → overflows to 273 bytes
proof_len(373) >= expected(273)? YES - BYPASSED!
Function returned -1 (BN_bin2bn alloc fails gracefully for 477MB)

On systems with memory overcommit, BN_bin2bn would succeed and read 477MB of adjacent heap memory.

Remediation

if (d_size > 4096) return NULL; // No legitimate d exceeds 4096 bytes
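
The wrapped size computation beside a hardened length check, as an added example that is not the project's code. The function names are hypothetical, z_size = 132 is an assumption derived from the PoC figures (273 = 4 + 5 + 2*132), and the 4096 cap is the one from the remediation above.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_D_SIZE 4096u /* cap taken from the remediation on this page */

/* The formula from the summary, evaluated in uint32_t: wraps modulo 2^32. */
static uint32_t expected_size_wrapping(uint32_t d_size, uint32_t z_size)
{
    return (uint32_t)sizeof(uint32_t) + 9u * d_size + 2u * z_size;
}

/* Same formula in uint64_t: 4 + 9*(2^32-1) + 2*(2^32-1) fits in 64 bits. */
static uint64_t expected_size_wide(uint32_t d_size, uint32_t z_size)
{
    return (uint64_t)sizeof(uint32_t) + 9ull * d_size + 2ull * z_size;
}

/* Vulnerable pattern: the buffer length is compared against the wrapped value. */
static int length_check_wrapping(uint32_t proof_len, uint32_t d_size, uint32_t z_size)
{
    return proof_len >= expected_size_wrapping(d_size, z_size);
}

/* Hardened pattern: reject an oversized d_size first, then compare in 64 bits. */
static int length_check_hardened(uint32_t proof_len, uint32_t d_size, uint32_t z_size)
{
    if (d_size > MAX_D_SIZE)
        return 0;
    return (uint64_t)proof_len >= expected_size_wide(d_size, z_size);
}

int main(void)
{
    const uint32_t d_size = 0x1C71C71Du; /* value from the PoC output */
    const uint32_t z_size = 132u;        /* assumed: 273 = 4 + 5 + 2*132 */
    const uint32_t proof_len = 373u;     /* value from the PoC output */

    printf("wrapped size : %u\n", expected_size_wrapping(d_size, z_size));
    printf("true size    : %llu\n",
           (unsigned long long)expected_size_wide(d_size, z_size));
    printf("old check    : %d\n", length_check_wrapping(proof_len, d_size, z_size));
    printf("new check    : %d\n", length_check_hardened(proof_len, d_size, z_size));
    return 0;
}
```

The 64-bit comparison covers z_size as well, for which the page gives no upper bound.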

Source · github.com/zionsworking/security-research-notebook · writeups/fireblocks/05-integer-overflow-quadratic-zkp-deser-P3.md