Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Echelon>High findings>Incorrect assertion in deposit_manager
GeneralOverview
Findings
High (2)Incorrect integer parsingIncorrect assertion in deposit_manager
Medium (1)
Low (1)
Informational (1)
DiscussionMinor issues with DUST_THRESHOLDShare amount could be zero
DesignComponents: echelon_oracle and initia_deploy
Audit ResultsAssessment Results
Category: Coding Mistakes

Incorrect assertion in deposit_manager

High Impact
High Severity
High Likelihood

Description

In the process of validating the message, there is an assertion that always fails.

While the message length is always greater than 65 bytes, taking the modulo of the length by 32 will always result in a value less than 32, making it impossible to equal 65.

fun parse_deposit_payload(received_asset_metadata: Object<Metadata>, received_asset_amount: u64, message: vector<u8>): DepositPayload acquires DepositManagerController {
    // [...]
    assert!(vector::length(&message) % 32 == 65, ERR_DEPOSIT_MANAGER_MALFORMED_PAYLOAD);
    // [...]
}

Impact

Regardless of the validity of the message, parse_deposit_payload will always cause a revert.

Recommendations

Make a different assertion to properly validate the message.

Remediation

This issue has been acknowledged by Echelon, and a fix was implemented in commit c368b175.

Zellic © 2025Back to top ↑