Vulnerable File: packages/circuits/src/proofs/DrawHand.circom
commit: cdf532078ff3dad9ba392f36c5db87194e196147
In the for-loop you set `drawCards[i].candidateIndex <== randomness.outs[0]` for every i. That means all removals use the same random field element. Even if RemoveCard reduces it modulo (lastIndex − i + 1), the successive indices are all derived from the same base value.
This is not equivalent to Fisher–Yates with independent draws and induces correlations; the distribution over hands/permutations is not uniform. It also reduces the effective entropy the prover must “hit” when grindin
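The bias described above can be measured directly. The following is an added example, not code from the report or from the circuits repository: it enumerates the index tuples reachable when every removal reduces the same base value, compares them with Fisher–Yates using an independent draw per step, and tallies the resulting hand frequencies. It assumes (the report does not say) that RemoveCard removes the card at the reduced index and moves the last remaining card into the hole, and that step i reduces the base modulo (deck_size − i); deck size 6 and hand size 3 are constructed values chosen to keep the enumeration small.

```python
"""Added example: hand distribution with one reused random value per draw
versus Fisher-Yates with an independent draw per step.

Assumptions (not confirmed by the report): swap-with-last removal, and the
index for step i is base mod (deck_size - i). Deck size 6 / hand size 3 are
constructed parameters, not values from the circuit.
"""
from collections import Counter
from itertools import product
from math import lcm
from typing import Sequence

DECK_SIZE = 6
HAND_SIZE = 3


def draw_hand(indices: Sequence[int], deck_size: int = DECK_SIZE) -> tuple:
    """Draw one card per already-reduced index, removing it swap-with-last style."""
    deck = list(range(deck_size))
    hand = []
    for step, idx in enumerate(indices):
        remaining = deck_size - step
        assert 0 <= idx < remaining, "index must already be reduced for this step"
        hand.append(deck[idx])
        deck[idx] = deck[remaining - 1]  # last remaining card fills the hole
    return tuple(hand)


def reused_randomness_tuples(deck_size: int, hand_size: int) -> list:
    """Index tuples reachable when every step reduces the SAME base value.

    base mod (deck_size - i) for all i depends only on base mod lcm(moduli),
    so for a uniformly distributed field element each base in [0, lcm)
    is (to negligible bias) equally likely and covers every reachable tuple once.
    """
    moduli = [deck_size - i for i in range(hand_size)]
    period = lcm(*moduli)
    return [tuple(base % m for m in moduli) for base in range(period)]


def independent_randomness_tuples(deck_size: int, hand_size: int) -> list:
    """Fisher-Yates: an independent draw per step, reduced mod the remaining count.

    Every tuple in the product is reachable and equally likely.
    """
    return list(product(*(range(deck_size - i) for i in range(hand_size))))


def hand_distribution(index_tuples: Sequence[Sequence[int]]) -> Counter:
    """Frequency of each unordered hand over equally likely index tuples."""
    return Counter(frozenset(draw_hand(t)) for t in index_tuples)


def report(label: str, dist: Counter, total: int) -> None:
    print(f"{label}: {len(dist)} hands reachable, "
          f"most likely {max(dist.values()) / total:.3f}, "
          f"least likely {min(dist.values()) / total:.3f}")


if __name__ == "__main__":
    reused = reused_randomness_tuples(DECK_SIZE, HAND_SIZE)
    indep = independent_randomness_tuples(DECK_SIZE, HAND_SIZE)
    # Reused base: only 60 of the 120 possible index tuples can occur,
    # because base mod 6 and base mod 4 must agree on parity.
    print(f"reachable index tuples: reused={len(reused)} independent={len(indep)}")
    report("reused base value", hand_distribution(reused), len(reused))
    report("independent draws", hand_distribution(indep), len(indep))
```

With these parameters the independent scheme gives each of the 20 hands probability 6/120; the reused-base scheme reaches all 20 hands but weights them from 1/60 up to 6/60, a sixfold spread, and rules out half of the ordered draw sequences outright. The independent case is what the circuit would compute if each step consumed its own random value rather than `randomness.outs[0]` (for example a separate output per step, or a hash of the seed and the step index; which of these fits the template is not established by the report).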