{"id":"RUSTSEC-2021-0075","summary":"Flaw in `FieldVar::mul_by_inverse` allows unsound R1CS constraint systems","details":"Versions `0.2.0` to `0.3.0` of ark-r1cs-std did not enforce any constraints in the `FieldVar::mul_by_inverse` method, allowing a malicious prover to produce an unsound proof that passes all verifier checks.\nThis method was used primarily in scalar multiplication for [`short_weierstrass::ProjectiveVar`](https://docs.rs/ark-r1cs-std/0.3.0/ark_r1cs_std/groups/curves/short_weierstrass/struct.ProjectiveVar.html).\n\nThis bug was fixed in commit `47ddbaa`, and was released as part of version `0.3.1` on `crates.io`.","aliases":["CVE-2021-38194","GHSA-qj3v-q2vj-4c8h"],"modified":"2023-11-08T04:06:26.167178Z","published":"2021-07-08T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/ark-r1cs-std"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0075.html"},{"type":"WEB","url":"https://github.com/arkworks-rs/r1cs-std/pull/70"}],"affected":[{"package":{"name":"ark-r1cs-std","ecosystem":"crates.io","purl":"pkg:cargo/ark-r1cs-std"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.3.1"}]}],"ecosystem_specific":{"affects":{"os":[],"arch":[],"functions":["ark_r1cs_std::FieldVar::mul_by_inverse"]},"affected_functions":null},"database_specific":{"categories":["crypto-failure"],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0075.json","informational":null,"cvss":null}}],"schema_version":"1.7.3"}