The ZK-ZKVM project Ola discovered a vulnerability in the privacy network Aleo Record verification, which has now been fixed
ChainCatcher news, Ola team developer Payne tweeted that a logical vulnerability was discovered in Aleo, and a bug bounty was received from Aleo. Payne found a logical error in the validity check of the record spent by users while studying Aleo's code.
When the spent record is generated during the execution of a contract from the previous transaction, the commitment of the record should be used to construct the leaf node of the transition tree, but Aleo used the serial number of the record to construct the leaf node, which would cause the transaction to fail verification in the circuit. After communication, it was confirmed that the Aleo team has fixed this vulnerability.
It is reported that Ola is a Layer2 high-performance ZK-ZKVM project incubated by Sin7y Labs, focusing on programmable privacy, programmable scalability, and multi-language compatibility. It is expected to launch an internal testnet in the third quarter of 2023 and a public testnet by the end of the year. (source link)