
Underconstrained Outputs

Detector Type: Constrain Only

Summary and Usage

The Underconstrained Output (UCO) detector identifies underconstrained output vulnerabilities in ZK circuits where signals are not sufficiently constrained. The UCO detector checks whether a component's output is constrained by either an input signal or a constant value. If neither condition holds, the output is underconstrained, creating a vulnerability that may allow malicious actors to generate valid proofs for bogus statements.

Usage

info

Coming soon.

Example and Explanation

info

Coming soon.

Usage Example

info

Coming soon.

Limitations

  • This detector may produce false positives if an output is intended to be constant-constrained, but the constant is computed within the circuit (e.g., the output is a hash of a fixed value).
  • This detector will miss cases where an output is constrained by some inputs, but should actually be constrained by multiple inputs.
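The check described in the summary and both limitations above can be reproduced on a toy model. The following is an added example, not Veridise's code or the detector's actual algorithm. It assumes a constraint can be represented as the set of signal names it mentions, and that an output counts as constant-constrained only when a constraint ties it directly to a literal. The names `CONST`, `linked_signals`, `underconstrained_outputs` and the sample components are hypothetical.

```python
# Added illustration; a simplified model, not the UCO detector's implementation.
# Assumption: each constraint is the set of signal names it mentions, and
# CONST stands for a literal constant appearing in that constraint.
CONST = "<const>"

def linked_signals(start, constraints):
    """Signals reachable from `start` through chains of shared constraints."""
    seen, frontier = {start}, [start]
    while frontier:
        sig = frontier.pop()
        for c in constraints:
            if sig in c:
                for other in c - seen - {CONST}:
                    seen.add(other)
                    frontier.append(other)
    return seen

def underconstrained_outputs(inputs, outputs, constraints):
    """Outputs tied to neither an input signal nor a literal constant."""
    flagged = []
    for out in outputs:
        by_input = bool(linked_signals(out, constraints) & set(inputs))
        by_const = any(c == {out, CONST} for c in constraints)
        if not (by_input or by_const):
            flagged.append(out)
    return flagged

# Constructed sample components: (inputs, outputs, constraints).
SAMPLES = {
    # out is assigned a value but no constraint mentions it: a true finding.
    "missing": (["a", "b"], ["out"], [{"a", "b", "t"}]),
    # out is constrained against both inputs: clean.
    "by_input": (["a", "b"], ["out"], [{"a", "b", "out"}]),
    # out is constrained directly to a literal: clean.
    "by_const": ([], ["out"], [{"out", CONST}]),
    # Limitation 1: digest is fixed, but only through in-circuit signals k, h.
    "computed_const": ([], ["digest"], [{"k", CONST}, {"k", "h"}, {"h", "digest"}]),
    # Limitation 2: out should also depend on b, yet the link to a satisfies the check.
    "partial": (["a", "b"], ["out"], [{"a", "out"}]),
}

def run_samples():
    return {name: underconstrained_outputs(*s) for name, s in SAMPLES.items()}

if __name__ == "__main__":
    for name, flagged in run_samples().items():
        print(f"{name:15} flagged={flagged}")
```

In this model `computed_const` is reported even though the output is fixed (the false positive), and `partial` passes even though a dependency on `b` is missing (the miss), so both cases still need manual review.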

How to Assess Severity

Findings from the UCO detector are generally considered severe. It is rare for output signals not to be derived from input signals or constants, so underconstrained outputs usually indicate that key computations or constraints have been accidentally omitted. These findings are therefore highly likely to represent critical issues.