A Pull Request from the Movement Aptos Core repository (PR #330) introduces two essential security hardening fixes to the `aptos_experimental::confidential_asset` module, addressing vulnerabilities in cryptographic balance operations and public key validation.
Balance Subtraction Bug Fixed
The first fix corrects a critical logic error in `confidential_balance::sub_balances_mut`. The function was calling `twisted_elgamal::ciphertext_add_assign` instead of `ciphertext_sub_assign`, so a balance deduction was performed as an addition. Although no in-tree callers currently use this public function, any future caller attempting to debit an account via `sub_balances_mut` would have silently credited it instead. The function has been deleted to prevent misuse. A comprehensive test confirms that subtracting a balance from itself now correctly decrypts to zero.
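To make the add-versus-subtract failure concrete, here is an added example (not code from PR #330 or from the `aptos_experimental` module) of a minimal twisted-ElGamal-style ciphertext over ristretto255 with a correct homomorphic `ciphertext_sub_assign`, plus the regression test the fix describes: subtracting a ciphertext from itself must leave both components at the identity point, i.e. an encryption of zero. The module address `example_addr`, the `Ciphertext` layout and the sample values are assumptions; only the `aptos_std::ristretto255` calls are the real framework API.

```move
/// Added example, not the project's own code. Demonstrates why a debit must
/// use point subtraction: using addition here credits the account instead.
module example_addr::ct_sub_example {
    use aptos_std::ristretto255::{Self, RistrettoPoint};

    /// Toy ciphertext: `c` carries the balance commitment, `d` the decryption handle.
    struct Ciphertext has drop {
        c: RistrettoPoint,
        d: RistrettoPoint,
    }

    public fun new(c: RistrettoPoint, d: RistrettoPoint): Ciphertext {
        Ciphertext { c, d }
    }

    /// Homomorphic subtraction: lhs := lhs - rhs, component-wise.
    /// This is the operation a balance deduction must call.
    public fun ciphertext_sub_assign(lhs: &mut Ciphertext, rhs: &Ciphertext) {
        ristretto255::point_sub_assign(&mut lhs.c, &rhs.c);
        ristretto255::point_sub_assign(&mut lhs.d, &rhs.d);
    }

    /// Homomorphic addition: lhs := lhs + rhs. Correct for credits only.
    public fun ciphertext_add_assign(lhs: &mut Ciphertext, rhs: &Ciphertext) {
        ristretto255::point_add_assign(&mut lhs.c, &rhs.c);
        ristretto255::point_add_assign(&mut lhs.d, &rhs.d);
    }

    /// True when both components are the identity point, i.e. the ciphertext
    /// is an encryption of zero under zero randomness.
    public fun is_zero(ct: &Ciphertext): bool {
        let id = ristretto255::point_identity();
        ristretto255::point_equals(&ct.c, &id) && ristretto255::point_equals(&ct.d, &id)
    }

    #[test_only]
    fun sample(): Ciphertext {
        // Constructed sample: c = 42*G, d = 7*G (toy values, not key-derived points).
        let b = ristretto255::new_scalar_from_u64(42);
        let r = ristretto255::new_scalar_from_u64(7);
        new(ristretto255::basepoint_mul(&b), ristretto255::basepoint_mul(&r))
    }

    #[test]
    fun sub_self_is_zero() {
        let ct = sample();
        let rhs = sample();
        ciphertext_sub_assign(&mut ct, &rhs);
        assert!(is_zero(&ct), 1);
    }

    #[test]
    fun add_self_is_not_zero() {
        // The buggy behaviour: "subtracting" via addition doubles the balance.
        let ct = sample();
        let rhs = sample();
        ciphertext_add_assign(&mut ct, &rhs);
        assert!(!is_zero(&ct), 2);
    }
}
```

The second test is the negative control: if `sub_balances_mut` had been wired to the add routine, `sub_self_is_zero` would fail and `add_self_is_not_zero` would pass, which is exactly the condition the PR's regression test guards against.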
Identity Point Public Key Rejection
The second fix prevents `ristretto255_twisted_elgamal::new_pubkey_from_bytes` from accepting the identity point as a valid public key. The identity point has no corresponding keypair, and accepting it creates two dangerous degenerate states: registration sigma proofs become forgeable (allowing unpaired accounts to be registered), and auditor channels can be silently disabled by substituting identity keys. The fix adds validation that rejects identity-encoded keys (32 zero bytes) at the deserializer level, covering all entry paths, including `register`, `set_asset_auditor`, `set_chain_auditor`, and `deserialize_auditor_eks`. A new public helper, `is_identity_pubkey`, provides the same check for callers that obtain compressed public keys through other means.
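The following is an added example (not the PR's or the `ristretto255_twisted_elgamal` module's code) of a deserializer that applies the rejection described above at the lowest level, so every entry path that goes through it inherits the check, together with an `is_identity_pubkey` helper for keys obtained elsewhere. The module address `example_addr` and the function bodies are assumptions; the `aptos_std::ristretto255` calls are the real framework API, and its native decoder already rejects non-canonical encodings.

```move
/// Added example, not the project's own code. Rejects the ristretto255
/// identity point (32 zero bytes) at the public-key deserializer.
module example_addr::pubkey_check_example {
    use std::option::{Self, Option};
    use std::vector;
    use aptos_std::ristretto255::{Self, CompressedRistretto};

    /// True when `pk` is the compressed identity point, for which no secret
    /// key exists. Callers that already hold a CompressedRistretto use this.
    public fun is_identity_pubkey(pk: &CompressedRistretto): bool {
        let id = ristretto255::point_identity_compressed();
        ristretto255::compressed_point_to_bytes(*pk)
            == ristretto255::compressed_point_to_bytes(id)
    }

    /// Deserialize a public key, returning none for (a) a wrong length,
    /// (b) a non-canonical encoding (refused by the native decoder) and
    /// (c) the identity point. Every entry path should route through here.
    public fun new_pubkey_from_bytes(bytes: vector<u8>): Option<CompressedRistretto> {
        if (vector::length(&bytes) != 32) return option::none();
        let maybe = ristretto255::new_compressed_point_from_bytes(bytes);
        if (option::is_none(&maybe)) return option::none();
        let pk = option::extract(&mut maybe);
        if (is_identity_pubkey(&pk)) return option::none();
        option::some(pk)
    }

    #[test_only]
    fun repeated(byte: u8, n: u64): vector<u8> {
        let v = vector::empty<u8>();
        let i = 0;
        while (i < n) { vector::push_back(&mut v, byte); i = i + 1; };
        v
    }

    #[test]
    fun rejects_identity() {
        // 32 zero bytes is the canonical encoding of the identity point.
        assert!(option::is_none(&new_pubkey_from_bytes(repeated(0, 32))), 1);
    }

    #[test]
    fun rejects_non_canonical() {
        // Constructed input: 32 bytes of 0xff exceeds the field modulus, so
        // the native decoder refuses it before the identity check runs.
        assert!(option::is_none(&new_pubkey_from_bytes(repeated(0xff, 32))), 2);
    }

    #[test]
    fun rejects_wrong_length() {
        assert!(option::is_none(&new_pubkey_from_bytes(repeated(0, 31))), 3);
    }

    #[test]
    fun accepts_basepoint() {
        let bytes = ristretto255::compressed_point_to_bytes(
            ristretto255::basepoint_compressed());
        assert!(option::is_some(&new_pubkey_from_bytes(bytes)), 4);
    }
}
```

Placing the check in the deserializer rather than in each caller is the design choice the PR describes: `register`, the auditor setters and `deserialize_auditor_eks` all decode keys through the same function, so a single rejection point closes every path at once, while `is_identity_pubkey` remains available for code that receives an already-decoded `CompressedRistretto`.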
Testing and Validation
The PR includes a new test module with six tests validating both fixes: balance subtraction correctness, identity key rejection, non-canonical encoding rejection, and downstream compatibility. All 64 tests (58 existing + 6 new) pass in the confidential asset suite. The fixes maintain backward compatibility: no state schema or proof-format changes affect existing accounts or ciphertexts.