The Lie in the Sponge: Breaking Triton VM's STARKs
Jan 22, 2026
Executive Summary (TL;DR)
Triton VM, a Rust-based Zero-Knowledge Virtual Machine, failed to hash the `FriPolynomial` and `Log2PaddedHeight` into its Fiat-Shamir transcript. This broke the causality of the proof system: an attacker could choose proof parameters *after* seeing the verifier's challenges and so forge proofs for false statements. Additionally, a missing bounds check allowed a trivial Denial of Service.
A critical soundness vulnerability in Triton VM's STARK proof system allowed malicious provers to forge proofs by exploiting a flaw in the Fiat-Shamir heuristic implementation. Because specific protocol elements were not committed to the transcript, the verifier could be tricked into accepting invalid state transitions.
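The binding property described above can be checked mechanically. The following is an added example, not code from Triton VM or from the original report: a toy transcript that reports which proof items the verifier's challenge does not depend on. Apart from the names `FriPolynomial` and `Log2PaddedHeight`, every type and function here is hypothetical, and `DefaultHasher` stands in for a real cryptographic sponge.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

// Toy proof items. Only the names FriPolynomial and Log2PaddedHeight come from
// the advisory; everything else is a hypothetical model, not Triton VM's API.
#[derive(Clone, Hash)]
enum Item { MerkleRoot(u64), Log2PaddedHeight(u32), FriPolynomial(Vec<u64>) }

// Stand-in sponge: DefaultHasher is NOT cryptographic, it only makes the data
// flow visible. `absorbs` decides which prover messages enter the transcript.
fn challenge(proof: &[Item], absorbs: fn(&Item) -> bool) -> u64 {
    let mut sponge = DefaultHasher::new();
    proof.iter().filter(|i| absorbs(*i)).for_each(|i| i.hash(&mut sponge));
    sponge.finish()
}

// Policy matching the flaw described above: two item kinds never get hashed.
fn skips_two(item: &Item) -> bool {
    !matches!(item, Item::Log2PaddedHeight(_) | Item::FriPolynomial(_))
}
// Policy after the fix: every prover message is absorbed.
fn absorbs_all(_: &Item) -> bool { true }

// Change one item so that it is guaranteed to differ from the original.
fn perturb(item: &Item) -> Item {
    match item {
        Item::MerkleRoot(r) => Item::MerkleRoot(*r ^ 1),
        Item::Log2PaddedHeight(h) => Item::Log2PaddedHeight(h.wrapping_add(1)),
        Item::FriPolynomial(c) => { let mut v = c.clone(); v.push(1); Item::FriPolynomial(v) }
    }
}

// Regression check: indices of items the challenge does not depend on.
fn unbound_items(proof: &[Item], absorbs: fn(&Item) -> bool) -> Vec<usize> {
    let base = challenge(proof, absorbs);
    (0..proof.len()).filter(|&i| {
        let mut p = proof.to_vec();
        p[i] = perturb(&p[i]);
        challenge(&p, absorbs) == base
    }).collect()
}

// Constructed sample proof stream.
fn sample() -> Vec<Item> { vec![Item::MerkleRoot(0xfeed), Item::Log2PaddedHeight(10), Item::FriPolynomial(vec![3, 1, 4])] }

fn main() {
    println!("unbound before fix: {:?}", unbound_items(&sample(), skips_two));
    println!("unbound after fix:  {:?}", unbound_items(&sample(), absorbs_all));
}
```

A non-empty result from `unbound_items` means some prover message can change without changing the challenge, which is the condition a transcript test suite should fail on.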
Technical Appendix
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| triton-vm TritonVM | < 2.0.0 | 2.0.0 |

| Attribute | Detail |
|---|---|
| CWE-358 | Improperly Implemented Security Check (Fiat-Shamir) |
| CWE-400 | Uncontrolled Resource Consumption (DoS) |
| CVSS v4.0 | AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U |
| Language | Rust |
| Component | FRI Protocol / Fiat-Shamir Sponge |
| Impact | Soundness Break (Proof Forgery) |
MITRE ATT&CK Mapping
Improperly Implemented Security Check for Standard