Incorrect ByteArray can be deserialized #86
Labels:
- bug: Something isn't working
- downgraded by judge: Judge downgraded the risk level of this issue
- grade-b
- primary issue: Highest quality submission among a set of duplicates
- Q-06
- QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
- 🤖_07_group: AI based duplicate group recommendation
- sponsor disputed: Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
- sufficient quality report: This report is of sufficient quality
Lines of code
https://github.com/kkrt-labs/kakarot-lib/blob/c2c7cb400f85c3699a6902946bcf4428d5b4fc61/src/CairoLib.sol#L220
https://github.com/kkrt-labs/kakarot-lib/blob/c2c7cb400f85c3699a6902946bcf4428d5b4fc61/src/CairoLib.sol#L230-L236
Vulnerability details
Proof of Concept
Validation of pendingWordLen

The assertion pendingWordLen <= 31 is not strict enough. The pending word must not be of length 31, because in that case it must be a full word. This is also mentioned in the documentation: https://docs.starknet.io/architecture-and-concepts/smart-contracts/serialization-of-cairo-types/#serialization_of_byte_arrays
Validation of fullWordsLength

The number of full words is not validated, but it is used as the iteration limit. If the number is higher than the actual number of full words, the full words are repeated and the output is corrupted. If the number is lower, execution reverts, but with the wrong error.
Test cases

Add to kakarot-lib/test/CairoLib.t.sol:

Recommended Mitigation Steps
Validation of pendingWordLen
Replace the assertion on line 220:
with:
Validation of fullWordsLength
Remove this assertion on line 204:

Instead, add this snippet after fullWordsLength is known, e.g. on line 221:

Assessed type

en/de-code
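A reference decoder for the serialized ByteArray layout that applies both validations this report asks for (pendingWordLen strictly below 31, and fullWordsLength checked against the array actually supplied), written here as an added Python example. It is not code from CairoLib and assumes only the field order from the Starknet docs linked above: fullWordsLength, the full 31-byte words, pendingWord, pendingWordLen.

```python
# Added example: reference decoder for a serialized Cairo ByteArray (not CairoLib code).
# Assumed layout: [fullWordsLength, word_1 .. word_n, pendingWord, pendingWordLen]
from typing import Sequence

BYTES31_MAX = (1 << 248) - 1  # largest value a 31-byte word can hold


class ByteArrayError(ValueError):
    """Raised when the serialized input violates a ByteArray invariant."""


def decode_byte_array(data: Sequence[int]) -> bytes:
    """Decode a serialized ByteArray into raw bytes, rejecting malformed input."""
    if len(data) < 3:
        raise ByteArrayError("need at least fullWordsLength, pendingWord and pendingWordLen")
    full_words_length = data[0]
    # fullWordsLength check: the array must hold exactly that many words plus the two
    # trailer fields, so a too-large or too-small count is rejected before any word is read.
    if len(data) != full_words_length + 3:
        raise ByteArrayError(f"fullWordsLength={full_words_length}, slots={len(data) - 3}")
    pending_word = data[full_words_length + 1]
    pending_word_len = data[full_words_length + 2]
    # pendingWordLen check: strictly less than 31; a 31-byte pending word must be a full word.
    if pending_word_len >= 31:
        raise ByteArrayError(f"pendingWordLen={pending_word_len} must be < 31")
    if pending_word >= 1 << (8 * pending_word_len):
        raise ByteArrayError("pendingWord does not fit in pendingWordLen bytes")
    out = bytearray()
    for word in data[1 : 1 + full_words_length]:
        if not 0 <= word <= BYTES31_MAX:
            raise ByteArrayError("full word exceeds 31 bytes")
        out += word.to_bytes(31, "big")
    out += pending_word.to_bytes(pending_word_len, "big")
    return bytes(out)


def encode_byte_array(payload: bytes) -> list[int]:
    """Encode raw bytes into the serialized layout (used to build well-formed input)."""
    full, rem = divmod(len(payload), 31)
    words = [int.from_bytes(payload[i * 31 : (i + 1) * 31], "big") for i in range(full)]
    pending = int.from_bytes(payload[full * 31 :], "big") if rem else 0
    return [full, *words, pending, rem]


def is_valid_byte_array(data: Sequence[int]) -> bool:
    """True if decode_byte_array accepts the input, False if it raises ByteArrayError."""
    try:
        decode_byte_array(data)
    except ByteArrayError:
        return False
    return True
```

Feeding the decoder the malformed inputs from the report (a 31-byte pending word, or a fullWordsLength that does not match the words present) makes it raise ByteArrayError rather than produce corrupted output or fail with an unrelated error.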