[HackerOne-2300725] Limit the number of allowed constraints for deployments

circuit/environment/src/circuit.rs

@@ -22,6 +22,7 @@ use core::{
 type Field = <console::Testnet3 as console::Environment>::Field;
 
 thread_local! {
+    pub(super) static CONSTRAINT_LIMIT: Cell<Option<u64>> = Cell::new(None);
     pub(super) static CIRCUIT: RefCell<R1CS<Field>> = RefCell::new(R1CS::new());
     pub(super) static IN_WITNESS: Cell<bool> = Cell::new(false);
     pub(super) static ZERO: LinearCombination<Field> = LinearCombination::zero();
@@ -146,6 +147,15 @@ impl Environment for Circuit {
             // Ensure we are not in witness mode.
             if !in_witness.get() {
                 CIRCUIT.with(|circuit| {
+                    // Ensure that we do not surpass the constraint limit for the circuit.
+                    CONSTRAINT_LIMIT.with(|constraint_limit| {
+                        if let Some(limit) = constraint_limit.get() {
+                            if circuit.borrow().num_constraints() >= limit {
+                                Self::halt(format!("Surpassed the constraint limit ({limit})"))
+                            }
+                        }
+                    });
+
                     let (a, b, c) = constraint();
                     let (a, b, c) = (a.into(), b.into(), c.into());
 
@@ -248,8 +258,16 @@ impl Environment for Circuit {
         panic!("{}", &error)
     }
 
-    /// TODO (howardwu): Abstraction - Refactor this into an appropriate design.
-    ///  Circuits should not have easy access to this during synthesis.
+    /// Returns the constraint limit for the circuit, if one exists.
+    fn get_constraint_limit() -> Option<u64> {
+        CONSTRAINT_LIMIT.with(|current_limit| current_limit.get())
+    }
+
+    /// Sets the constraint limit for the circuit.
+    fn set_constraint_limit(limit: Option<u64>) {
+        CONSTRAINT_LIMIT.with(|current_limit| current_limit.replace(limit));
+    }
+
     /// Returns the R1CS circuit, resetting the circuit.
     fn inject_r1cs(r1cs: R1CS<Self::BaseField>) {
         CIRCUIT.with(|circuit| {
@@ -268,13 +286,13 @@ impl Environment for Circuit {
         })
     }
 
-    /// TODO (howardwu): Abstraction - Refactor this into an appropriate design.
-    ///  Circuits should not have easy access to this during synthesis.
     /// Returns the R1CS circuit, resetting the circuit.
     fn eject_r1cs_and_reset() -> R1CS<Self::BaseField> {
         CIRCUIT.with(|circuit| {
             // Reset the witness mode.
             IN_WITNESS.with(|in_witness| in_witness.replace(false));
+            // Reset the constraint limit.
+            Self::set_constraint_limit(None);
             // Eject the R1CS instance.
             let r1cs = circuit.replace(R1CS::<<Self as Environment>::BaseField>::new());
             // Ensure the circuit is now empty.
@@ -287,13 +305,13 @@ impl Environment for Circuit {
         })
     }
 
-    /// TODO (howardwu): Abstraction - Refactor this into an appropriate design.
-    ///  Circuits should not have easy access to this during synthesis.
     /// Returns the R1CS assignment of the circuit, resetting the circuit.
     fn eject_assignment_and_reset() -> Assignment<<Self::Network as console::Environment>::Field> {
         CIRCUIT.with(|circuit| {
             // Reset the witness mode.
             IN_WITNESS.with(|in_witness| in_witness.replace(false));
+            // Reset the constraint limit.
+            Self::set_constraint_limit(None);
             // Eject the R1CS instance.
             let r1cs = circuit.replace(R1CS::<<Self as Environment>::BaseField>::new());
             assert_eq!(0, circuit.borrow().num_constants());
@@ -310,6 +328,9 @@ impl Environment for Circuit {
         CIRCUIT.with(|circuit| {
             // Reset the witness mode.
             IN_WITNESS.with(|in_witness| in_witness.replace(false));
+            // Reset the constraint limit.
+            Self::set_constraint_limit(None);
+            // Reset the circuit.
             *circuit.borrow_mut() = R1CS::<<Self as Environment>::BaseField>::new();
             assert_eq!(0, circuit.borrow().num_constants());
             assert_eq!(1, circuit.borrow().num_public());

circuit/environment/src/environment.rs

@@ -160,6 +160,12 @@ pub trait Environment: 'static + Copy + Clone + fmt::Debug + fmt::Display + Eq +
         <Self::Network as console::Environment>::halt(message)
     }
 
+    /// Returns the constraint limit for the circuit, if one exists.
+    fn get_constraint_limit() -> Option<u64>;
+
+    /// Sets the constraint limit for the circuit.
+    fn set_constraint_limit(limit: Option<u64>);
+
     /// Returns the R1CS circuit, resetting the circuit.
     fn inject_r1cs(r1cs: R1CS<Self::BaseField>);
 

circuit/network/src/v0.rs

@@ -466,6 +466,16 @@ impl Environment for AleoV0 {
         E::halt(message)
     }
 
+    /// Returns the constraint limit for the circuit, if one exists.
+    fn get_constraint_limit() -> Option<u64> {
+        E::get_constraint_limit()
+    }
+
+    /// Sets the constraint limit for the circuit.
+    fn set_constraint_limit(limit: Option<u64>) {
+        E::set_constraint_limit(limit)
+    }
+
     /// Returns the R1CS circuit, resetting the circuit.
     fn inject_r1cs(r1cs: R1CS<Self::BaseField>) {
         E::inject_r1cs(r1cs)

console/network/src/lib.rs

@@ -98,6 +98,10 @@ pub trait Network:
     const STARTING_SUPPLY: u64 = 1_500_000_000_000_000; // 1.5B credits
     /// The cost in microcredits per byte for the deployment transaction.
     const DEPLOYMENT_FEE_MULTIPLIER: u64 = 1_000; // 1 millicredit per byte
+    /// The cost in microcredits per constraint for the deployment transaction.
+    const SYNTHESIS_FEE_MULTIPLIER: u64 = 25; // 25 microcredits per constraint
+    /// The maximum number of constraints in a deployment.
+    const MAX_DEPLOYMENT_LIMIT: u64 = 1 << 20; // 1,048,576 constraints
     /// The maximum number of microcredits that can be spent as a fee.
     const MAX_FEE: u64 = 1_000_000_000_000_000;
 

ledger/block/src/transaction/deployment/mod.rs

@@ -124,6 +124,23 @@ impl<N: Network> Deployment<N> {
         &self.verifying_keys
     }
 
+    /// Returns the sum of the constraint counts for all functions in this deployment.
+    pub fn num_combined_constraints(&self) -> Result<u64> {
+        // Initialize the accumulator.
+        let mut num_combined_constraints = 0u64;
+        // Iterate over the functions.
+        for (_, (vk, _)) in &self.verifying_keys {
+            // Add the number of constraints.
+            // Note: This method must be *checked* because the claimed constraint count
+            // is from the user, not the synthesizer.
+            num_combined_constraints = num_combined_constraints
+                .checked_add(vk.circuit_info.num_constraints as u64)
+                .ok_or_else(|| anyhow!("Overflow when counting constraints for '{}'", self.program_id()))?;
+        }
+        // Return the number of combined constraints.
+        Ok(num_combined_constraints)
+    }
+
     /// Returns the deployment ID.
     pub fn to_deployment_id(&self) -> Result<Field<N>> {
         Ok(*Transaction::deployment_tree(self, None)?.root())

synthesizer/process/src/stack/call/mod.rs

@@ -351,6 +351,11 @@ impl<N: Network> CallTrait<N> for Call<N> {
             // Inject the existing circuit.
             A::inject_r1cs(r1cs);
 
+            // If in 'CheckDeployment' mode, set the expected constraint limit.
+            if let CallStack::CheckDeployment(_, _, _, constraint_limit) = &registers.call_stack() {
+                A::set_constraint_limit(*constraint_limit);
+            }
+
             use circuit::Inject;
 
             // Inject the network ID as `Mode::Constant`.

synthesizer/process/src/stack/deploy.rs

@@ -73,11 +73,21 @@ impl<N: Network> Stack<N> {
 
         let program_id = self.program.id();
 
+        // Check that the number of combined constraints does not exceed the deployment limit.
+        ensure!(deployment.num_combined_constraints()? <= N::MAX_DEPLOYMENT_LIMIT);
+
         // Construct the call stacks and assignments used to verify the certificates.
         let mut call_stacks = Vec::with_capacity(deployment.verifying_keys().len());
 
+        // Check that the number of functions matches the number of verifying keys.
+        ensure!(
+            deployment.program().functions().len() == deployment.verifying_keys().len(),
+            "The number of functions in the program does not match the number of verifying keys"
+        );
         // Iterate through the program functions and construct the callstacks and corresponding assignments.
-        for function in deployment.program().functions().values() {
+        for (function, (_, (verifying_key, _))) in
+            deployment.program().functions().values().zip_eq(deployment.verifying_keys())
+        {
             // Initialize a burner private key.
             let burner_private_key = PrivateKey::new(rng)?;
             // Compute the burner address.
@@ -114,18 +124,31 @@ impl<N: Network> Stack<N> {
             lap!(timer, "Compute the request for {}", function.name());
             // Initialize the assignments.
             let assignments = Assignments::<N>::default();
+            // Initialize the constraint limit. Account for the constraint added after synthesis that randomizes vars.
+            let constraint_limit = match verifying_key.circuit_info.num_constraints.checked_sub(1) {
+                // Since a deployment must always pay non-zero fee, it must always have at least one constraint.
+                None => {
+                    bail!("The constraint limit of 0 for function '{}' is invalid", function.name());
+                }
+                Some(limit) => limit,
+            };
             // Initialize the call stack.
-            let call_stack = CallStack::CheckDeployment(vec![request], burner_private_key, assignments.clone());
+            let call_stack = CallStack::CheckDeployment(
+                vec![request],
+                burner_private_key,
+                assignments.clone(),
+                Some(constraint_limit as u64),
+            );
             // Append the function name, callstack, and assignments.
             call_stacks.push((function.name(), call_stack, assignments));
         }
 
         // Verify the certificates.
         let rngs = (0..call_stacks.len()).map(|_| StdRng::from_seed(rng.gen())).collect::<Vec<_>>();
-        cfg_iter!(call_stacks).zip_eq(deployment.verifying_keys()).zip_eq(rngs).try_for_each(
+        cfg_into_iter!(call_stacks).zip_eq(deployment.verifying_keys()).zip_eq(rngs).try_for_each(
             |(((function_name, call_stack, assignments), (_, (verifying_key, certificate))), mut rng)| {
                 // Synthesize the circuit.
-                if let Err(err) = self.execute_function::<A, _>(call_stack.clone(), None, &mut rng) {
+                if let Err(err) = self.execute_function::<A, _>(call_stack, None, &mut rng) {
                     bail!("Failed to synthesize the circuit for '{function_name}': {err}")
                 }
                 // Check the certificate.

synthesizer/process/src/stack/execute.rs

@@ -142,6 +142,11 @@ impl<N: Network> StackExecute<N> for Stack<N> {
         // Ensure the circuit environment is clean.
         A::reset();
 
+        // If in 'CheckDeployment' mode, set the constraint limit.
+        if let CallStack::CheckDeployment(_, _, _, constraint_limit) = &call_stack {
+            A::set_constraint_limit(*constraint_limit);
+        }
+
         // Retrieve the next request.
         let console_request = call_stack.pop()?;
 
@@ -416,7 +421,7 @@ impl<N: Network> StackExecute<N> for Stack<N> {
             lap!(timer, "Save the transition");
         }
         // If the circuit is in `CheckDeployment` mode, then save the assignment.
-        else if let CallStack::CheckDeployment(_, _, ref assignments) = registers.call_stack() {
+        else if let CallStack::CheckDeployment(_, _, ref assignments, _) = registers.call_stack() {
             // Construct the call metrics.
             let metrics = CallMetrics {
                 program_id: *self.program_id(),

synthesizer/process/src/stack/mod.rs

@@ -81,7 +81,7 @@ pub type Assignments<N> = Arc<RwLock<Vec<(circuit::Assignment<<N as Environment>
 pub enum CallStack<N: Network> {
     Authorize(Vec<Request<N>>, PrivateKey<N>, Authorization<N>),
     Synthesize(Vec<Request<N>>, PrivateKey<N>, Authorization<N>),
-    CheckDeployment(Vec<Request<N>>, PrivateKey<N>, Assignments<N>),
+    CheckDeployment(Vec<Request<N>>, PrivateKey<N>, Assignments<N>, Option<u64>),
     Evaluate(Authorization<N>),
     Execute(Authorization<N>, Arc<RwLock<Trace<N>>>),
     PackageRun(Vec<Request<N>>, PrivateKey<N>, Assignments<N>),
@@ -109,11 +109,14 @@ impl<N: Network> CallStack<N> {
             CallStack::Synthesize(requests, private_key, authorization) => {
                 CallStack::Synthesize(requests.clone(), *private_key, authorization.replicate())
             }
-            CallStack::CheckDeployment(requests, private_key, assignments) => CallStack::CheckDeployment(
-                requests.clone(),
-                *private_key,
-                Arc::new(RwLock::new(assignments.read().clone())),
-            ),
+            CallStack::CheckDeployment(requests, private_key, assignments, constraint_limit) => {
+                CallStack::CheckDeployment(
+                    requests.clone(),
+                    *private_key,
+                    Arc::new(RwLock::new(assignments.read().clone())),
+                    *constraint_limit,
+                )
+            }
             CallStack::Evaluate(authorization) => CallStack::Evaluate(authorization.replicate()),
             CallStack::Execute(authorization, trace) => {
                 CallStack::Execute(authorization.replicate(), Arc::new(RwLock::new(trace.read().clone())))

synthesizer/process/src/tests/test_credits.rs

@@ -1528,7 +1528,7 @@ mod sanity_checks {
         // Initialize the assignments.
         let assignments = Assignments::<N>::default();
         // Initialize the call stack.
-        let call_stack = CallStack::CheckDeployment(vec![request], *private_key, assignments.clone());
+        let call_stack = CallStack::CheckDeployment(vec![request], *private_key, assignments.clone(), None);
         // Synthesize the circuit.
         let _response = stack.execute_function::<A, _>(call_stack, None, rng).unwrap();
         // Retrieve the assignment.

synthesizer/src/vm/deploy.rs

@@ -40,7 +40,7 @@ impl<N: Network, C: ConsensusStorage<N>> VM<N, C> {
         let owner = ProgramOwner::new(private_key, deployment_id, rng)?;
 
         // Compute the minimum deployment cost.
-        let (minimum_deployment_cost, (_, _)) = deployment_cost(&deployment)?;
+        let (minimum_deployment_cost, _) = deployment_cost(&deployment)?;
         // Authorize the fee.
         let fee_authorization = match fee_record {
             Some(record) => self.authorize_fee_private(

synthesizer/src/vm/helpers/cost.rs

@@ -23,20 +23,25 @@ use synthesizer_program::{Command, Finalize, Instruction};
 
 use std::collections::HashMap;
 
-/// Returns the *minimum* cost in microcredits to publish the given deployment (total cost, (storage cost, namespace cost)).
-pub fn deployment_cost<N: Network>(deployment: &Deployment<N>) -> Result<(u64, (u64, u64))> {
+/// Returns the *minimum* cost in microcredits to publish the given deployment (total cost, (storage cost, synthesis cost, namespace cost)).
+pub fn deployment_cost<N: Network>(deployment: &Deployment<N>) -> Result<(u64, (u64, u64, u64))> {
     // Determine the number of bytes in the deployment.
     let size_in_bytes = deployment.size_in_bytes()?;
     // Retrieve the program ID.
     let program_id = deployment.program_id();
     // Determine the number of characters in the program ID.
     let num_characters = u32::try_from(program_id.name().to_string().len())?;
+    // Compute the number of combined constraints in the program.
+    let num_combined_constraints = deployment.num_combined_constraints()?;
 
     // Compute the storage cost in microcredits.
     let storage_cost = size_in_bytes
         .checked_mul(N::DEPLOYMENT_FEE_MULTIPLIER)
         .ok_or(anyhow!("The storage cost computation overflowed for a deployment"))?;
 
+    // Compute the synthesis cost in microcredits.
+    let synthesis_cost = num_combined_constraints * N::SYNTHESIS_FEE_MULTIPLIER;
+
     // Compute the namespace cost in credits: 10^(10 - num_characters).
     let namespace_cost = 10u64
         .checked_pow(10u32.saturating_sub(num_characters))
@@ -45,13 +50,14 @@ pub fn deployment_cost<N: Network>(deployment: &Deployment<N>) -> Result<(u64, (
 
     // Compute the total cost in microcredits.
     let total_cost = storage_cost
-        .checked_add(namespace_cost)
+        .checked_add(synthesis_cost)
+        .and_then(|x| x.checked_add(namespace_cost))
         .ok_or(anyhow!("The total cost computation overflowed for a deployment"))?;
 
-    Ok((total_cost, (storage_cost, namespace_cost)))
+    Ok((total_cost, (storage_cost, synthesis_cost, namespace_cost)))
 }
 
-/// Returns the *minimum* cost in microcredits to publish the given execution (total cost, (storage cost, namespace cost)).
+/// Returns the *minimum* cost in microcredits to publish the given execution (total cost, (storage cost, finalize cost)).
 pub fn execution_cost<N: Network, C: ConsensusStorage<N>>(
     vm: &VM<N, C>,
     execution: &Execution<N>,