Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA Report #376

Open
code423n4 opened this issue Sep 25, 2022 · 0 comments
Open

QA Report #376

code423n4 opened this issue Sep 25, 2022 · 0 comments
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

code423n4 commented Sep 25, 2022
edited
Loading

Quality Assurance Report

Issues

Issue Instances
1 abi.encodePacked() should not be used with dynamic types when passing the result to a hash function such as keccack256() 1
2 Minor oversight - Internal Function is named as if it was public Function is internal not prefixed with _ 4

1. abi.encodePacked() should not be used with dynamic types when passing the result to a hash function such as keccack256()

Uses abi.encode and then inconsitently uses abi.encodePacked below
Use abi.encode() instead which will pad items to 32 bytes, which will prevent hash collisions (e.g. abi.encodePacked(0x123,0x456) => 0x123456 => abi.encodePacked(0x1,0x23456) , but abi.encode(0x123,0x456) => 0x0...1230...456 ).

POC

https://github.com/code-423n4/2022-09-frax/blob/55ea6b1ef3857a277e2f47d42029bc0f3d6f9173/src/Utils/SigUtils.sol#L32

    function getTypedDataHash(Permit memory _permit)
        public
        view
        returns (bytes32)
    {
        return
            keccak256(
                abi.encodePacked(
                    "\x19\x01",
                    DOMAIN_SEPARATOR,
                    getStructHash(_permit)
                )
            );
    }
}

Mitigation

“Unless there is a compelling reason, abi.encode should be preferred”. If there is only one argument to abi.encodePacked() it can often be cast to bytes() or bytes32() instead.

2. Minor oversight - Internal Function is named as if it was public Function is internal not prefixed with _

Function getNextValidator() is internal but not prefixed with _

POC

    function getNextValidator()
        internal
        returns (
            bytes memory pubKey,
            bytes memory withdrawalCredentials,
            bytes memory signature,
            bytes32 depositDataRoot
        )
    {

Instances

2022-09-frax/src/sfrxETH.sol Line #48
2022-09-frax/src/Utils/SigUtils.sol Line #25
2022-09-frax/src/OperatorRegistry.sol Line #126
2022-09-frax/src/DepositContract.sol Line #165

Mitigation: Naming convetion as _getNextValidator()
@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Sep 25, 2022
code423n4 added a commit that referenced this issue Sep 25, 2022
@code423n4
bharg4v issue #376
a8a9302
code423n4 added a commit that referenced this issue Sep 25, 2022
@code423n4
bharg4v data for issue #376
9357006
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@code423n4