Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Brevis>Low findings>Parsing errors ignored in ,GetHexArray
GeneralOverview
Findings
Critical (4)
High (5)
Medium (5)
Low (12)Conversion from Uint248 to Uint521 fails for values wider than 96 bitsProver assignment will fail for custom inputsFunction to export Groth16 proofs only works for proofs with exactly one commitmentIncorrect constant used in twosComplementUnexpected behavior for decompose-related functions on negative inputMismatch between Uint521 type and its documentationRaw data may be overwritten by index reuseData might be arranged incorrectly by rawData[T].listInvalid receipts with empty LogField entries may be assignedParsing errors ignored in GetHexArrayIncorrect elliptic curveProof submission calls callback even if submission fails
Informational (9)
DiscussionVarious possible simplifications and optimizationsAdditional validationLack of documentation or commentsMinor recommendationsCode duplicationConsistent usage of named constantsLists and tuples' ambiguous behavior when used recursivelyBehavior of bits2Bytes and addOutput for circuit variablesIncorrect hex string and parsing errors canceling each other outReferences to MiMC instead of PoseidonUnallocated inputs slots not constrainedKeccak padding function pad10*1Confusing function GroupBySetupVerification of Poseidon constantsTest suite
Audit ResultsAssessment Results
Category: Coding Mistakes

Parsing errors ignored in GetHexArray

Low Severity
Low Impact
Low Likelihood

Description

The public GetHexArray function is implemented in common/utils/hex.go as follows:

func GetHexArray(hexStr string, maxLen int) (res []frontend.Variable) {
	for i := 0; i < maxLen; i++ {
		if i < len(hexStr) {
			intValue, _ := strconv.ParseInt(string(hexStr[i]), 16, 64)
			res = append(res, intValue)
		} else {
			res = append(res, 0)
		}
	}
	return
}

When the character being parsed with strconv.ParseInt is not a valid hexadecimal character, an error will be returned, and the value returned will be zero. However, GetHexArray ignores the error and uses the zero value anyway.

Impact

The GetHexArray function will use zero for characters that were not parsable as hexadecimal characters. Users calling GetHexArray likely do not intend this behavior, so this can lead to unintended results.

Recommendations

We recommend to check the returned error and panic if it is not nil.

Remediation

This issue has been acknowledged by Brevis, and a fix was implemented in commit 4b5029f4.

Zellic © 2025Back to top ↑