Upgrade snarkjs to >0.6.11

[mhchia]

What's wrong?

iden3/snarkjs#358 suggested a vulnerability of the groth16 verifier in the latest snarkjs (v0.6.11). A fix iden3/snarkjs#359 was proposed but has yet to be merged. The issue is not related to circom so it's safe to stay as is, as discussed with @curryrasul offline.

How to fix it?

Upgrade snarkjs to the latest version as long as the fix is released.

[curryrasul]

Thanks a lot. Yes, we should update after the fix:)

[themandalore]

Hey @mhchia , would one need to recompile/ redeploy all Verifier contracts due to this bug or is it further down the line?

[mhchia]

@themandalore I'm not sure about this, and I would also like to know the answer too 😃

[mhchia]

Reopened to remind us that our dependency circom_tester stills has this issue and hasn't fixed it. We should upgrade circom_tester as long as it upgrades snarkjs to >=0.7.0.

1. Our circom_tester uses snarkjs==0.5.0
   

   circom-rln/package-lock.json

   Line 396 in 18f6e0a

   "version": "0.5.0",

An issue has been opened in circom_tester too (iden3/circom_tester#16).

2. It seems like it won't be fixed soon in circom_teser, and we only use it for testing, so we decided to reopen this issue and dismiss the alert from dependabot.

[curryrasul]

Hey @mhchia , would one need to recompile/ redeploy all Verifier contracts due to this bug or is it further down the line?

@themandalore In general I would say yes, you should update snarkjs and generate contracts with new snarkjs version. Though I don't think there are bugs in big and well audited projects, as it's common practice to do range/field checks on public inputs.