# A Problem in the Poseidon Implementations in Zerokit and Some IDEN3 Repositories
The current implementations of Poseidon in zerokit and by iden3 contain one significant incorrect detail: the 0th element of the final state vector is returned as the hash, while both the [Poseidon paper](https://eprint.iacr.org/2019/458.pdf) and the [sponge construction](https://en.wikipedia.org/wiki/Sponge_function) in general forbid returning it and imply returning the 1st element instead. "The capacity of the sponge construction refers to the section of the state that is not revealed to the adversary." ([source](https://crypto.stackexchange.com/a/54865)). Returning the 0th element in the current case leads to revealing the entire "capacity"!

Ekaterina mentioned that she had to implement the wrong variant in order to achieve compatibility with iden3 software. Thus, I recommend contacting iden3 regarding this problem and changing the corresponding fragment in the zerokit code if iden3 fixes the problem on their side. The fix is trivial: replacing 0 with 1.

Here are the references to the lines associated with the problem: for [zerokit](https://github.com/vacp2p/zerokit/blob/e39f156fff2b2e7be64b075ad5e794585887569d/utils/src/poseidon/poseidon_hash.rs#L129), for the [iden3 Go code](https://github.com/iden3/go-iden3-crypto/blob/625bf563ffc57f02e666d6979c4432e32f0b8059/poseidon/poseidon.go#L70) and the [iden3 Circom code](https://github.com/iden3/circomlib/blob/master/circuits/poseidon.circom#L207).
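
The lane layout discussed above, as an added example that is not code from zerokit, iden3 or the author of this note: a width-3 sponge with lane 0 as capacity and lanes 1 and 2 as rate, whose `squeeze` refuses to return the capacity lane. The modulus, the `permute` stand-in (which is not the Poseidon permutation) and all function names are constructed for illustration.

```rust
// Added illustration. `permute` is a constructed stand-in, NOT Poseidon.
const P: u64 = 2_147_483_647; // toy prime modulus (2^31 - 1), constructed
const T: usize = 3; // state width: 1 capacity lane + 2 rate lanes
const CAPACITY_LANE: usize = 0; // layout as described on the page

fn pow5(x: u64) -> u64 {
    let x2 = x * x % P;
    let x4 = x2 * x2 % P;
    x4 * x % P
}

/// Toy permutation: add constants, x^5 S-box, linear mix, for 8 rounds.
fn permute(mut s: [u64; T]) -> [u64; T] {
    for r in 0..8u64 {
        for i in 0..T {
            s[i] = pow5((s[i] + r * T as u64 + i as u64 + 1) % P);
        }
        let sum = (s[0] + s[1] + s[2]) % P;
        for i in 0..T {
            s[i] = (s[i] + sum) % P;
        }
    }
    s
}

/// Absorb two field elements into the rate lanes; the capacity lane stays 0.
fn absorb(inputs: [u64; 2]) -> [u64; T] {
    let mut s = [0u64; T];
    for (i, x) in inputs.iter().enumerate() {
        s[CAPACITY_LANE + 1 + i] = x % P;
    }
    s
}

/// Squeeze one element, refusing to expose the capacity lane.
fn squeeze(state: &[u64; T], lane: usize) -> Option<u64> {
    if lane == CAPACITY_LANE || lane >= T { None } else { Some(state[lane]) }
}

/// Hash as the page recommends: output taken from lane 1.
fn hash(inputs: [u64; 2]) -> u64 {
    squeeze(&permute(absorb(inputs)), 1).expect("lane 1 is a rate lane")
}

fn main() {
    let st = permute(absorb([5, 7]));
    println!("lane 0 (capacity, the output the page reports): {}", st[0]);
    println!("lane 1 (rate, the output the page recommends): {}", hash([5, 7]));
}
```

Moving the output from lane 0 to lane 1 makes a different state element the digest, so hashes produced before and after the change will not match; this is the compatibility constraint that ties the zerokit change to the iden3 one.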