Context
From audits/chain-exploitability-analysis.md. Not exploitable today; usage-conditioned. Tracking umbrella: #64.
Findings
- #79706 — Zero-width range decompositions leave values unconstrained. range_check(x, 0) is a no-op (empty split_le), adding no constraint.
- #79719 — Decomposition helpers permit modulus-aliasing witnesses. When a decomposed width reaches ~64 bits (>= field modulus), distinct witnesses can alias mod p.
Why it's safe today
All wormhole range checks use fixed, nonzero widths <= 48 bits (2 / 14 / 32 / 48), which are strictly injective mod p, and none call range_check(x, 0) or a zero-width split_low_high side.
What would make it CRITICAL
- A new constraint that range-checks near 64 bits → modulus aliasing (#79719).
- Any range_check(x, 0) or zero-width split_low_high side → unconstrained value (#79706).
Action / guardrail
- Keep range-check widths fixed and well below the field bit-width.
- Consider asserting 0 < bits < 64 inside range_check / split_le so a zero or oversized width fails loudly instead of silently dropping the constraint.
Related audit category: #58 (Gate & constraint soundness).
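
The following witness-level model is an added example, not code from the audited repository. It shows both findings and the proposed 0 < bits < 64 guard. It assumes a 64-bit prime modulus P = 2^64 - 2^32 + 1 (the page gives only the field width, not the modulus), and the function names are hypothetical stand-ins for range_check / split_le.

```rust
// Assumed modulus (not stated on the page): 2^64 - 2^32 + 1.
const P: u128 = 0xFFFF_FFFF_0000_0001;

/// Model of the unguarded helper. `w` is the integer value of the
/// prover-supplied bit string. Width 0 emits no constraint at all (#79706).
fn unguarded_accepts(x: u64, width: u32, w: u128) -> bool {
    if width == 0 {
        return true; // empty split: nothing ties the witness to x
    }
    // Bits fit in `width` and recompose to x *in the field*.
    w < (1u128 << width) && w % P == (x as u128) % P
}

/// Same check with the suggested guard: bad widths fail loudly.
fn guarded_accepts(x: u64, width: u32, w: u128) -> Result<bool, String> {
    if width == 0 || width >= 64 {
        return Err(format!("invalid range-check width {}", width));
    }
    Ok(unguarded_accepts(x, width, w))
}

/// Number of distinct bit strings of `width` bits that recompose to x mod P.
/// More than one means the decomposition is not injective (#79719).
fn witness_count(x: u64, width: u32) -> u32 {
    let mut n = 0;
    let mut w = (x as u128) % P;
    while w < (1u128 << width) {
        n += 1;
        w += P;
    }
    n
}

fn main() {
    // Widths used today (2 / 14 / 32 / 48): exactly one witness.
    for width in [2u32, 14, 32, 48] {
        println!("width {:2}: {} witness(es) for x=1", width, witness_count(1, width));
    }
    // At 64 bits, x and x + P are both valid bit strings for small x.
    println!("width 64: {} witness(es) for x=1", witness_count(1, 64));
    println!("alias accepted: {}", unguarded_accepts(1, 64, 1 + P));
    // Zero width accepts any value; the guard rejects both cases.
    println!("zero width accepts 12345: {}", unguarded_accepts(12345, 0, 0));
    println!("guard(0):  {:?}", guarded_accepts(12345, 0, 0));
    println!("guard(64): {:?}", guarded_accepts(1, 64, 1 + P));
}
```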