Plonky3: The sponge construction used to get a hash function from a cryptographic permutation is not collision resistant for inputs of different lengths
The impact of this vulnerability is a little difficult to estimate. It is important to note that, in circumstances where the number of elements to be hashed is known and fixed in advance, (as is the case for most STARKS), the method is collision resistant. This vulnerability only applies if a malicious user is able to manipulate the number of elements to be hashed. That being said, there are theoretically …