Skip to content

fix(nitro-verifier): add Unknown sentinel to VerificationResult for fail-closed default#243

Merged
leopoldjoy merged 1 commit intomainfrom
fix/verification-result-fail-closed-default
Apr 8, 2026
Merged

fix(nitro-verifier): add Unknown sentinel to VerificationResult for fail-closed default#243
leopoldjoy merged 1 commit intomainfrom
fix/verification-result-fail-closed-default

Conversation

@leopoldjoy
Copy link
Copy Markdown
Contributor

@leopoldjoy leopoldjoy commented Apr 7, 2026

Summary

  • Adds Unknown as index 0 in the VerificationResult enum so that uninitialized enum variables default to a failure state instead of Success
  • Follows the defensive design principle that the zero/default value should be the most restrictive state (fail-closed), preventing any future code path from accidentally treating an uninitialized verification result as a successful attestation

Details

In Solidity, the default value for any uninitialized enum is 0. Previously, Success was at index 0, meaning an uninitialized VerificationResult would silently equal "success" — a classic fail-open anti-pattern in security-sensitive code.

While no live vulnerability exists today (all current code paths fully initialize the result before checking it), the enum ordering is fragile against future modifications. For example:

  • A VerifierJournal allocated via new VerifierJournal[](n) would have result default to Success before assignment
  • A partially decoded struct or forgotten assignment could silently pass != VerificationResult.Success checks

The new enum ordering:

enum VerificationResult {
    Unknown,                      // 0 — default, treated as failure
    Success,                      // 1
    RootCertNotTrusted,           // 2
    IntermediateCertsNotTrusted,  // 3
    InvalidTimestamp              // 4
}

No call-site changes are needed — all existing checks use the pattern journal.result != VerificationResult.Success, which naturally treats Unknown as a failure.

Testing

  • All 72 NitroEnclaveVerifierTest tests pass
  • All 31 TEEProverRegistryTest tests pass
  • Lint/fmt passes
  • Snapshots regenerated with --force

Note

This is an ABI-breaking change for the VerificationResult enum (numeric values shift by +1). Off-chain systems that produce or consume VerificationResult values (e.g., ZK prover programs) will need coordinated updates.

@leopoldjoy
fix(nitro-verifier): add Unknown sentinel to VerificationResult for f…
e2b6918 
…ail-closed default

Add Unknown as index 0 in the VerificationResult enum so that
uninitialized enum variables default to a failure state rather than
Success. This follows the defensive design principle that the
zero/default value should be the most restrictive state, preventing
any future code path from accidentally treating an uninitialized
verification result as a successful attestation.
@cb-heimdall
Copy link
Copy Markdown
Collaborator

cb-heimdall commented Apr 7, 2026
edited
Loading

✅ Heimdall Review Status

Requirement Status More Info
Reviews 1/1
Denominator calculation
Show calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Show calculation
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 0
Sum 1

@leopoldjoy leopoldjoy merged commit c0d4ea6 into main Apr 8, 2026
8 checks passed
@leopoldjoy leopoldjoy deleted the fix/verification-result-fail-closed-default branch April 8, 2026 00:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jackchuma jackchuma jackchuma approved these changes

@roger-bai-coinbase roger-bai-coinbase Awaiting requested review from roger-bai-coinbase

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@leopoldjoy @cb-heimdall @jackchuma