Privacy and security concern: library relies on external WebAssembly modules fetched from hardcoded clearnet URLs without integrity checks #991

@degenrocket

I'm considering adding Semaphore to a Spasm-powered forum, but some functions like generateProof() require fetching a WebAssembly module from hardcoded external URLs like https://snark-artifacts.pse.dev/semaphore/4.0.0/semaphore-1.wasm or https://snark-artifacts.pse.dev/semaphore/4.0.0/semaphore-1.zkey. This practice poses several privacy and security risks, including the potential for supply chain attacks if the content at this URL is tampered with. The current implementation of the generateProof() function has an option to include SNARK artifacts, but it doesn't provide clear logic for self-hosting these modules, it's not mentioned in the documentation, and the modules are not being verified by the community.

Privacy concerns:

  • Fetching modules online may expose the user's IP address and other network information to the server hosting the module, to its ISP, and to other network traffic observers. This can be used to track users or gather data for analytics, meaning that using Semaphore can actually decrease privacy rather than increase it, especially when used on onion services.

Potential security risks:

  • Malicious actors could alter the WebAssembly module, injecting malicious code into applications.
  • The integrity of the module cannot be guaranteed if the URL is compromised.

Proposed actions:

  • Make the URL configurable so that devs can host the WebAssembly modules themselves or use a different trusted source. This provides more control and flexibility in securing the supply chain. This functionality can be achieved by passing the BASE_URL to each Semaphore function that relies on external modules. The feature will require a small change to maybeGetSnarkArtifacts() in @zk-kit/artifacts to receive and use a custom BASE_URL when passed.
    • If a custom base URL is implemented, then it makes sense to create a repo with a simple node template that relies on the @zk-kit/semaphore-artifacts npm library and add a guide explaining how to run that on a subdomain, e.g. https://snark-artifacts.spasm.network/, so devs can easily install it on the backend and serve it via API. For example, a user of a Spasm-powered forum already uses its API to fetch events, so downloading WebAssembly modules from the forum's server won't significantly compromise his privacy.
  • Clearly state in the documentation that certain functions like generateProof() rely on external modules with hardcoded clearnet URLs, which is a major privacy and security concern.
  • Add integrity checks by hardcoding hashes of WebAssembly modules into the library to prevent man-in-the-middle attacks. Hashes can be added either to Semaphore or to zk-kit library.
    • Documentation: add links to snark-artifacts repo to encourage the community to review and verify the WebAssembly module's source code, binary, and hashes.

Feel free to propose other solutions.
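
One way the configurable base URL and hardcoded-hash check proposed above could fit together, as an added example that is not part of the original issue and not Semaphore or zk-kit code. The function names, the pin table and its digest (SHA-256 of the string "abc", standing in for a real artifact hash) are constructed for illustration.

```javascript
// Added example (not Semaphore or zk-kit code): load an artifact from a
// configurable base URL and accept it only if its SHA-256 matches a pin.
const { createHash } = require('crypto');

// Constructed pin table: the path follows the URL layout quoted in the issue;
// the digest is SHA-256("abc"), standing in for a real published hash.
const PINNED_SHA256 = {
  'semaphore/4.0.0/semaphore-1.wasm':
    'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad',
};

function sha256Hex(bytes) {
  return createHash('sha256').update(bytes).digest('hex');
}

// Fail closed: an artifact without a pin is never fetched or loaded.
function pinFor(path, pins) {
  if (!Object.prototype.hasOwnProperty.call(pins, path)) {
    throw new Error(`no pinned hash for ${path}; refusing to load`);
  }
  return pins[path].toLowerCase();
}

// Returns the bytes unchanged when they match the pin; throws otherwise.
function verifyArtifact(path, bytes, pins = PINNED_SHA256) {
  const expected = pinFor(path, pins);
  const actual = sha256Hex(bytes);
  if (actual !== expected) {
    throw new Error(`hash mismatch for ${path}: expected ${expected}, got ${actual}`);
  }
  return bytes;
}

// baseUrl is chosen by the integrator (e.g. a self-hosted mirror).
// fetchImpl is injectable so the check can be exercised offline.
async function fetchVerifiedArtifact(baseUrl, path, pins = PINNED_SHA256,
                                     fetchImpl = globalThis.fetch) {
  pinFor(path, pins); // check before any network request is made
  const base = baseUrl.endsWith('/') ? baseUrl : `${baseUrl}/`;
  const url = new URL(path, base).href;
  const res = await fetchImpl(url);
  if (!res.ok) throw new Error(`fetch failed for ${url}: HTTP ${res.status}`);
  return verifyArtifact(path, new Uint8Array(await res.arrayBuffer()), pins);
}
```

In a browser the same digest can be computed with `crypto.subtle.digest('SHA-256', bytes)` instead of Node's `createHash`.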
