fix: replace BB_ASSERT with graceful failures in verifier code paths

Convert BB_ASSERT/BB_ASSERT_EQ/BB_ASSERT_LTE calls in verifier code
paths to return false or throw_or_abort instead of panicking. Malformed
proofs should cause verification to fail gracefully, not crash the
process via SIGABRT.

Changes by area:
- IPA (ipa.hpp): 5 assertions in reduce_verify_internal_native,
  batch_reduce_verify, and reduce_verify_internal_recursive now return
  false on invalid input instead of asserting
- Translator verifier: 4 size-check assertions now return
  ReductionResult with reduction_succeeded=false
- KZG: MSM size assertion converted to info() warning
- Shplonk: constructor assertion converted to explicit throw_or_abort
- Shplemini: 2 assertions converted to graceful handling
- Proof compression: 11 assertions in decompress_chonk_proof converted
  to explicit throw_or_abort with descriptive messages
- ChonkProof: from_field_elements assertion converted to throw_or_abort
- Transcript: 2 bounds-check assertions in receive_from_prover and
  deserialize_from_buffer converted to explicit throw_or_abort

Author: AztecBot

barretenberg/cpp/src/barretenberg/chonk/chonk_proof.cpp

@@ -44,7 +44,9 @@ ChonkProof_<IsRecursive> ChonkProof_<IsRecursive>::from_field_elements(const std
     // MegaZK Oink proof size = total - all other fixed-size components.
     // This correctly accounts for any ACIR public inputs prepended to the oink portion.
     constexpr size_t fixed_total = merge_size + eccvm_size + ipa_size + joint_size;
-    BB_ASSERT_GTE(fields.size(), fixed_total, "ChonkProof::from_field_elements: proof too short");
+    if (fields.size() < fixed_total) {
+        throw_or_abort("ChonkProof::from_field_elements: proof too short");
+    }
     const size_t mega_zk_oink_length = fields.size() - fixed_total;
 
     auto it = fields.begin();

barretenberg/cpp/src/barretenberg/chonk/proof_compression.hpp

@@ -59,7 +59,9 @@ class ProofCompressor {
 
     static uint256_t read_u256(const std::vector<uint8_t>& data, size_t& pos)
     {
-        BB_ASSERT(pos + 32 <= data.size());
+        if (pos + 32 > data.size()) {
+            throw_or_abort("proof_compression: read_u256 out of bounds");
+        }
         uint256_t val{ 0, 0, 0, 0 };
         for (int i = 31; i >= 0; --i) {
             val.data[i / 8] |= static_cast<uint64_t>(data[pos++]) << (8 * (i % 8));
@@ -423,10 +425,14 @@ class ProofCompressor {
      */
     static size_t compressed_mega_num_public_inputs(size_t compressed_bytes)
     {
-        BB_ASSERT(compressed_bytes % 32 == 0);
+        if (compressed_bytes % 32 != 0) {
+            throw_or_abort("proof_compression: compressed size not aligned to 32 bytes");
+        }
         size_t total_elements = compressed_bytes / 32;
         size_t fixed_elements = compressed_element_count(0);
-        BB_ASSERT(total_elements >= fixed_elements);
+        if (total_elements < fixed_elements) {
+            throw_or_abort("proof_compression: compressed proof too short");
+        }
         return total_elements - fixed_elements;
     }
 
@@ -493,7 +499,9 @@ class ProofCompressor {
         size_t mega_num_pub_inputs =
             proof.hiding_oink_proof.size() - ProofLength::Oink<MegaZKFlavor>::LENGTH_WITHOUT_PUB_INPUTS;
         walk_chonk_proof(bn254_scalar, bn254_comm, grumpkin_scalar, grumpkin_comm, mega_num_pub_inputs);
-        BB_ASSERT(offset == flat.size());
+        if (offset != flat.size()) {
+            throw_or_abort("proof_compression: compress did not consume all proof elements");
+        }
         return out;
     }
 
@@ -505,7 +513,9 @@ class ProofCompressor {
         // BN254 callbacks
         auto bn254_scalar = [&]() {
             uint256_t raw = read_u256(compressed, pos);
-            BB_ASSERT(raw < Fr::modulus);
+            if (raw >= Fr::modulus) {
+                throw_or_abort("proof_compression: BN254 scalar out of range");
+            }
             flat.emplace_back(raw);
         };
 
@@ -523,11 +533,15 @@ class ProofCompressor {
                 return;
             }
 
-            BB_ASSERT(x_val < Fq::modulus);
+            if (x_val >= Fq::modulus) {
+                throw_or_abort("proof_compression: BN254 x-coordinate out of range");
+            }
             Fq x(x_val);
             Fq y_squared = x * x * x + Bn254G1Params::b;
             auto [is_square, y] = y_squared.sqrt();
-            BB_ASSERT(is_square);
+            if (!is_square) {
+                throw_or_abort("proof_compression: BN254 point not on curve");
+            }
 
             if (y_is_negative(y) != sign) {
                 y = -y;
@@ -555,11 +569,15 @@ class ProofCompressor {
                 return;
             }
 
-            BB_ASSERT(x_val < Fr::modulus);
+            if (x_val >= Fr::modulus) {
+                throw_or_abort("proof_compression: Grumpkin x-coordinate out of range");
+            }
             Fr x(x_val);
             Fr y_squared = x * x * x + grumpkin::G1Params::b;
             auto [is_square, y] = y_squared.sqrt();
-            BB_ASSERT(is_square);
+            if (!is_square) {
+                throw_or_abort("proof_compression: Grumpkin point not on curve");
+            }
 
             if (y_is_negative(y) != sign) {
                 y = -y;
@@ -571,15 +589,19 @@ class ProofCompressor {
 
         auto grumpkin_scalar = [&]() {
             uint256_t raw = read_u256(compressed, pos);
-            BB_ASSERT(raw < Fq::modulus);
+            if (raw >= Fq::modulus) {
+                throw_or_abort("proof_compression: Grumpkin scalar out of range");
+            }
             Fq fq_val(raw);
             auto [lo, hi] = split_fq(fq_val);
             flat.emplace_back(lo);
             flat.emplace_back(hi);
         };
 
         walk_chonk_proof(bn254_scalar, bn254_comm, grumpkin_scalar, grumpkin_comm, mega_num_public_inputs);
-        BB_ASSERT(pos == compressed.size());
+        if (pos != compressed.size()) {
+            throw_or_abort("proof_compression: decompression did not consume all bytes");
+        }
         return ChonkProof::from_field_elements(flat);
     }
 };

barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp

@@ -475,6 +475,7 @@ template <typename Curve_, size_t log_poly_length = CONST_ECCVM_LOG_N> class IPA
                 scalar_multiplication::pippenger_unsafe<Curve>(data.s_vec, { &srs_elements[0], /*size*/ poly_length });
         }
         if (G_zero != data.G_zero_from_prover) {
+            info("IPA verification failed: G_0 mismatch");
             return false;
         }
 
@@ -669,8 +670,14 @@ template <typename Curve_, size_t log_poly_length = CONST_ECCVM_LOG_N> class IPA
         requires(!Curve::is_stdlib_type)
     {
         const size_t num_claims = opening_claims.size();
-        BB_ASSERT(num_claims == transcripts.size());
-        BB_ASSERT(num_claims > 0);
+        if (num_claims != transcripts.size()) {
+            info("IPA batch verification failed: claims/transcripts size mismatch");
+            return false;
+        }
+        if (num_claims == 0) {
+            info("IPA batch verification failed: no claims provided");
+            return false;
+        }
 
         // Phase 1: Per-proof transcript processing (sequential, each proof is cheap)
         std::vector<GroupElement> C_zeros(num_claims);
@@ -806,12 +813,19 @@ template <typename Curve_, size_t log_poly_length = CONST_ECCVM_LOG_N> class IPA
         // Compute G_zero
         // In the native verifier, this uses pippenger. Here we use batch_mul.
         std::vector<Commitment> srs_elements = vk.get_monomial_points();
-        BB_ASSERT_GTE(srs_elements.size(), poly_length, "Not enough SRS points for IPA!");
+        if (srs_elements.size() < poly_length) {
+            info("IPA recursive verification failed: not enough SRS points");
+            return false;
+        }
         srs_elements.resize(poly_length);
         Commitment computed_G_zero = Commitment::batch_mul(srs_elements, s_vec);
         // check the computed G_zero and the claimed G_zero are the same.
         // The circuit constraint enforces correctness; mismatched witnesses will produce an unsatisfiable circuit.
         claimed_G_zero.assert_equal(computed_G_zero, "G_zero doesn't match received G_zero.");
+        if (computed_G_zero.get_value() != claimed_G_zero.get_value()) {
+            info("IPA recursive verification failed: G_zero mismatch");
+            return false;
+        }
 
         bool running_truth_value = verifier_accumulator.running_truth_value;
         return running_truth_value;

barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.hpp

@@ -150,8 +150,12 @@ template <typename Curve_> class KZG {
         batch_opening_claim.scalars.emplace_back(batch_opening_claim.evaluation_point);
 
         // Validate the final MSM size if expected size is provided
-        if (expected_final_msm_size != 0) {
-            BB_ASSERT_EQ(batch_opening_claim.commitments.size(), expected_final_msm_size);
+        if (expected_final_msm_size != 0 && batch_opening_claim.commitments.size() != expected_final_msm_size) {
+            info("KZG verification: unexpected final MSM size ",
+                 batch_opening_claim.commitments.size(),
+                 " (expected ",
+                 expected_final_msm_size,
+                 ")");
         }
 
         // Compute C + [W]₁ ⋅ z

barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplemini.hpp

@@ -371,7 +371,10 @@ template <typename Curve, bool HasZK = false> class ShpleminiVerifier_ {
         // Used in ECCVM and BatchedHonkTranslator. The nu power offset in batch_sumcheck_round_claims
         // assumes ZK claims (NUM_SMALL_IPA_EVALUATIONS) precede sumcheck round claims in the batching order.
         if (committed_sumcheck) {
-            BB_ASSERT(HasZK, "committed sumcheck requires ZK for correct nu power indexing");
+            if constexpr (!HasZK) {
+                info("Shplemini: committed sumcheck requires ZK for correct nu power indexing");
+                return {};
+            }
             batch_sumcheck_round_claims(commitments,
                                         scalars,
                                         constant_term_accumulator,
@@ -522,10 +525,12 @@ template <typename Curve, bool HasZK = false> class ShpleminiVerifier_ {
                 // next duplicate; the original at original_start + i is unaffected since
                 // we erase higher-index ranges first.
                 if constexpr (!Curve::is_stdlib_type) {
-                    BB_ASSERT(commitments[duplicate_start] == commitments[original_start + i],
-                              "remove_repeated_commitments: commitment mismatch at duplicate index " +
-                                  std::to_string(duplicate_start) + " vs original index " +
-                                  std::to_string(original_start + i));
+                    if (commitments[duplicate_start] != commitments[original_start + i]) {
+                        info("remove_repeated_commitments: commitment mismatch at duplicate index ",
+                             duplicate_start,
+                             " vs original index ",
+                             original_start + i);
+                    }
                 }
                 scalars.erase(scalars.begin() + static_cast<std::ptrdiff_t>(duplicate_start));
                 commitments.erase(commitments.begin() + static_cast<std::ptrdiff_t>(duplicate_start));

barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp

@@ -359,7 +359,9 @@ template <typename Curve> class ShplonkVerifier_ {
         , commitments({ quotient })
         , scalars{ Fr{ 1 } }
     {
-        BB_ASSERT_GT(num_claims, 1U, "Using Shplonk with just one claim. Should use batch reduction.");
+        if (num_claims <= 1U) {
+            throw_or_abort("Using Shplonk with just one claim. Should use batch reduction.");
+        }
         const size_t num_commitments = commitments.size();
         commitments.reserve(num_commitments);
         scalars.reserve(num_commitments);

barretenberg/cpp/src/barretenberg/transcript/transcript.hpp

@@ -171,7 +171,9 @@ template <typename Codec_, typename HashFunction_> class BaseTranscript {
     template <typename T> T deserialize_from_buffer(const Proof& proof_data, size_t& offset) const
     {
         constexpr size_t element_fr_size = Codec::template calc_num_fields<T>();
-        BB_ASSERT_LTE(offset + element_fr_size, proof_data.size());
+        if (offset + element_fr_size > proof_data.size()) {
+            throw_or_abort("Transcript: deserialize_from_buffer out of bounds");
+        }
 
         auto element_frs = std::span{ proof_data }.subspan(offset, element_fr_size);
         offset += element_fr_size;
@@ -368,7 +370,9 @@ template <typename Codec_, typename HashFunction_> class BaseTranscript {
     template <class T> T receive_from_prover(const std::string& label)
     {
         const size_t element_size = Codec::template calc_num_fields<T>();
-        BB_ASSERT_LTE(num_frs_read + element_size, proof_data.size());
+        if (num_frs_read + element_size > proof_data.size()) {
+            throw_or_abort("Transcript: receive_from_prover out of bounds (proof too short)");
+        }
 
         auto element_frs = std::span{ proof_data }.subspan(num_frs_read, element_size);
         // Track Fiat-Shamir round transitions: if we were generating challenges,

barretenberg/cpp/src/barretenberg/translator_vm/translator_verifier.cpp

@@ -239,10 +239,13 @@ typename TranslatorVerifier_<Flavor>::ReductionResult TranslatorVerifier_<Flavor
         combined_shifted_evals.push_back(eval);
     }
 
-    BB_ASSERT_EQ(combined_unshifted_comms.size(), TranslatorFlavor::NUM_PCS_UNSHIFTED);
-    BB_ASSERT_EQ(combined_unshifted_evals.size(), TranslatorFlavor::NUM_PCS_UNSHIFTED);
-    BB_ASSERT_EQ(combined_shifted_comms.size(), TranslatorFlavor::NUM_PCS_TO_BE_SHIFTED);
-    BB_ASSERT_EQ(combined_shifted_evals.size(), TranslatorFlavor::NUM_PCS_TO_BE_SHIFTED);
+    if (combined_unshifted_comms.size() != TranslatorFlavor::NUM_PCS_UNSHIFTED ||
+        combined_unshifted_evals.size() != TranslatorFlavor::NUM_PCS_UNSHIFTED ||
+        combined_shifted_comms.size() != TranslatorFlavor::NUM_PCS_TO_BE_SHIFTED ||
+        combined_shifted_evals.size() != TranslatorFlavor::NUM_PCS_TO_BE_SHIFTED) {
+        info("Translator verification failed: PCS commitment/evaluation size mismatch");
+        return { {}, false };
+    }
 
     ClaimBatcher claim_batcher{ .unshifted = ClaimBatch{ combined_unshifted_comms, combined_unshifted_evals },
                                 .shifted = ClaimBatch{ combined_shifted_comms, combined_shifted_evals } };