Context
From audits/chain-exploitability-analysis.md. Not exploitable today; a usage-conditioned soundness tripwire. Tracking umbrella: #64.
Finding
- #79709 — Poseidon2 circuit hashing diverges from native semantics. The generic AlgebraicHasher circuit path for Poseidon2 uses overwrite-mode permute_swapped with no padding, which does not match native Poseidon2's padded/additive sponge.
Why it's safe today
The wormhole hashes via the Poseidon2-specific hash_n_to_hash_no_pad_p2 helper, and the proof system itself runs on Poseidon-v1 (PoseidonGoldilocksConfig). The broken generic path is never taken.
What would make it CRITICAL
If any circuit routes Poseidon2 hashing through the generic AlgebraicHasher / hash_n_to_hash_no_pad path (or selects Poseidon2Hash as the proof-system config hasher), in-circuit and native hashes diverge → completeness failures and/or a Merkle/public-input construction that differs from the native one.
Action / guardrail
- Always use hash_n_to_hash_no_pad_p2 for in-circuit Poseidon2 hashing.
- Fix the generic Poseidon2 AlgebraicHasher path (padding + absorption) so the footgun goes away, or explicitly document/forbid its use for Poseidon2.
Related audit category: #58 (Gate & constraint soundness).
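As an added illustration of the mode mismatch described in the finding (not the project's code; a trivial placeholder permutation stands in for Poseidon2), the Rust below shows why an overwrite-mode, unpadded absorb and an additive, padded absorb drift apart, and the kind of differential check that would catch it. `sponge`, `paths_agree`, the padding rule and `permute` are all assumptions made for this example.

```rust
// Added example, not project code: a differential tripwire for sponge-mode drift
// between a circuit-style hasher and a native one. `permute` is NOT Poseidon2.
const WIDTH: usize = 4;
const RATE: usize = 2;
const P: u128 = 0xFFFF_FFFF_0000_0001; // Goldilocks prime, used as the field

#[derive(Clone, Copy, PartialEq)]
pub enum Absorb { Additive, Overwrite } // native-style `+=` vs generic-path `=`

/// Placeholder permutation (assumption): a few squaring/mixing rounds mod P.
fn permute(state: &mut [u64; WIDTH]) {
    for r in 0..3u128 {
        for i in 0..WIDTH {
            let x = (state[i] as u128 + r + 1) % P;
            let mixed = (x * x % P + state[(i + 1) % WIDTH] as u128) % P;
            state[i] = mixed as u64;
        }
    }
}

/// Absorb `input` RATE elements at a time and squeeze one element.
/// `pad == true` appends 1 then zeros to a full block (placeholder padding rule,
/// an assumption); `pad == false` absorbs a short last block as-is (unpadded path).
pub fn sponge(input: &[u64], mode: Absorb, pad: bool) -> u64 {
    let mut msg = input.to_vec();
    if pad {
        msg.push(1);
        while msg.len() % RATE != 0 { msg.push(0); }
    }
    let mut state = [0u64; WIDTH];
    for block in msg.chunks(RATE) {
        for (i, &m) in block.iter().enumerate() {
            state[i] = match mode {
                Absorb::Additive => ((state[i] as u128 + m as u128) % P) as u64,
                Absorb::Overwrite => m,
            };
        }
        permute(&mut state);
    }
    state[0]
}

/// Guardrail check: circuit-style (overwrite, unpadded) vs native-style (additive,
/// padded) digest of the same input. A suite that only hashes one full block
/// with neither path padding would never see the drift, since both start from zero.
pub fn paths_agree(input: &[u64]) -> bool {
    sponge(input, Absorb::Overwrite, false) == sponge(input, Absorb::Additive, true)
}
```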