Several years ago, there was an unenforced constraint on verification in the circomlib library, a tool for building projects using zkSNARKs. The bug made it possible to forge cryptographic nullifiers/proofs without having a prior commitment.
Tornado Cash, which uses Groth16, was the most well-known affected case: the protocol had to be safely exploited in order to avoid loss of funds.
The blog post said:
"Later, we will release a step by step guide on how to use this exploit to educate interested security professionals."
4 years later, such a blog post still doesn't exist. And with the OFAC sanctions resulting in contributing to any code related to the project being banned for US citizens or people living in the US, it is unlikely to ever exist.
Nevertheless, instead of potential step-by-step Zokrates commands on the alt_bn128 curve, would it be possible at least to have this question contain the detailed required computations in mathematical notation to fake the witness despite not having a prior commitment to the root?