ZeroValues is an implicit group member

[cedoor]

Describe the bug

In the Semaphore protocol groups are backed by incremental Merkle trees. Unlike Merkle trees which are static, incremental Merkle trees allow the tree to be modified. This is done by manipulating the leaves of the tree with a special zeroValue that indicates a leaf is empty (since incremental Merkle trees are complete binary trees). In the Semaphore protocol, the zeroValue appears to be an implicit member of the group as one can prove they belong to the group if they know the identityNullifier and identityTrapdoor of the zeroValue. This implicit member, however, has a few properties that are not shared by others:

1. It cannot be removed from the group as removing a member replaces the leaf’s value with the zeroValue. This seems to violate an invariant that an added member should be removable;
2. A MemberAdded event is not emitted to indicate its membership in the group.

Impact

First, this value allows the creator of a group guaranteed access to the group. In certain circumstances this may be undesired (for example if the admin is not the group creator such as if the admin is a DAO that votes on who to add/remove or if an admin is changed) as the original creator has a permanent method of influencing the application that uses the groups. There are similar methods an admin (who might not be the group creator) can use without the zeroValue but these (1) are more visible as adding members is a matter of public record and (2) can be undone by removing the user.

Second, if common values such as 0 are repeatedly used and the identity commitment of this value is eventually compromised, such a user would be able to gain membership to all groups that use this value as the zeroValue.

Additional context

This bug was found by Veridise during their audit of Semaphore. If you acknowledge and fix this bug, can you please mention Veridise in the commit.