Denial of service
Description
The /callback endpoint is intended to receive session information from window.location.hash. When the page loads, it parses the fragment and applies the supplied session to local storage. However, the page contains no validation logic for that session: whatever arrives in the fragment is stored as-is.
// /callback page (as found): the session parsed from the URL fragment is
// handed straight to the session store, and nothing checks it first.
// useSessionStore, useMutation and router come from the surrounding component.
const callbackSession = useSessionStore((state) => state.callbackSession);
const { mutate, error } = useMutation(
  async () => {
    // Everything after the "#" is treated as key=value session parameters.
    const params = new URLSearchParams(window.location.hash.slice(1));
    // Unvalidated: callbackSession persists whatever was supplied.
    return callbackSession(params);
  },
  {
    onSuccess(data) {
      router.replace(data || "/account");
    },
  }
);
The result is that the application's pages throw errors whenever a user navigates to /callback with a malformed session. The errors come from JWT decoding, and the root cause appears in the browser console as:
Uncaught JWTInvalid: Invalid JWT
For JWT decoding, the project uses the useDecodedJWT function defined in lib/session.ts. Note that jose.decodeJwt only parses the token; it does not verify its signature.
import { useMemo } from "react";
import * as jose from "jose";

export function useDecodedJWT() {
  const jwt = useSessionStore((state) => state.jwt);
  // decodeJwt throws JWTInvalid on a malformed string, and because it is
  // called from useMemo the throw happens during rendering.
  return useMemo(() => (jwt ? jose.decodeJwt(jwt) : null), [jwt]);
}
As a result, jose throws a JWTInvalid error when the stored value is not a well-formed compact JWT (for example, not three dot-separated segments). Because the call runs inside useMemo during rendering, the exception propagates out of the render and breaks the page. Since the bad value is read back from local storage on every load, every subsequent render fails the same way.
Impact
The user is unable to use any page of the application until they manually clear the browser's local storage. A single /callback link carrying a malformed session is enough to put a user in this state.
Recommendations
Validate the given session before it is applied to local storage (at minimum, that the token decodes as a well-formed JWT), and reject the callback otherwise. Also, handle JWT decoding errors gracefully instead of letting them break rendering: clear the stored session and guide the user to sign in again.
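The following is an added example of both recommendations, written for this review and not taken from the Mysten Labs code base. It validates a /callback session before anything is written to storage, and reads the stored token back without throwing, so a corrupt value is discarded rather than crashing the page. The fragment parameter name `jwt`, the storage key "jwt", the `/login` route and all function names are assumptions; the decoding helper mirrors the structural checks jose.decodeJwt makes but returns null instead of throwing. Base64url handling uses Node's Buffer; browser code would use atob and TextDecoder instead.

```javascript
// Added example (not Mysten Labs code): validate a /callback session before
// it is written to local storage, and read it back without throwing.
// Assumptions: the fragment carries the token as `jwt=`, the storage key is
// "jwt", and /login is the sign-in route. All are hypothetical.

function base64UrlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64UrlDecode(segment) {
  // Reject anything outside the base64url alphabet before decoding.
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not base64url");
  const padding = "=".repeat((4 - (segment.length % 4)) % 4);
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/") + padding;
  return Buffer.from(b64, "base64").toString("utf8");
}

// Same structural checks jose.decodeJwt makes (a string, exactly three
// dot-separated segments, a base64url-encoded JSON object payload), but it
// returns null instead of throwing JWTInvalid. Like decodeJwt, it does NOT
// verify the signature; that belongs server-side or in jose.jwtVerify.
function decodeJwtOrNull(jwt) {
  if (typeof jwt !== "string") return null;
  const parts = jwt.split(".");
  if (parts.length !== 3 || parts[1] === "") return null;
  try {
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    const isObject = payload !== null && typeof payload === "object" && !Array.isArray(payload);
    return isObject ? payload : null;
  } catch (_err) {
    return null;
  }
}

// Check the session carried in window.location.hash.
// Returns { ok: true, jwt, payload } or { ok: false, reason }.
function validateCallbackSession(hash, nowSeconds = Math.floor(Date.now() / 1000)) {
  const params = new URLSearchParams(hash.startsWith("#") ? hash.slice(1) : hash);
  const jwt = params.get("jwt");
  if (!jwt) return { ok: false, reason: "missing jwt" };
  const payload = decodeJwtOrNull(jwt);
  if (!payload) return { ok: false, reason: "malformed jwt" };
  if (typeof payload.exp !== "number") return { ok: false, reason: "missing exp" };
  if (payload.exp <= nowSeconds) return { ok: false, reason: "expired" };
  return { ok: true, jwt, payload };
}

// Hardened replacement for the callback mutation: only a validated session
// reaches storage; otherwise any stale value is cleared and the user is sent
// to sign in again. `storage` is anything with the Storage interface.
function applyCallbackSession(hash, storage, nowSeconds) {
  const result = validateCallbackSession(hash, nowSeconds);
  if (!result.ok) {
    storage.removeItem("jwt");
    return { applied: false, redirect: "/login", reason: result.reason };
  }
  storage.setItem("jwt", result.jwt);
  return { applied: true, redirect: "/account" };
}

// Hardened counterpart of useDecodedJWT's body: a corrupt stored token is
// removed rather than thrown from render, so the page recovers on its own.
function readStoredSession(storage) {
  const jwt = storage.getItem("jwt");
  if (jwt === null) return null;
  const payload = decodeJwtOrNull(jwt);
  if (payload === null) {
    storage.removeItem("jwt");
    return null;
  }
  return payload;
}
```

In the React code, applyCallbackSession would replace the body of the useMutation callback and readStoredSession would sit inside useDecodedJWT's useMemo; the redirect target returned on failure is what onSuccess passes to router.replace.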
Remediation
This issue has been acknowledged by Mysten Labs Ltd., and a fix was implemented in commit 305c01e0.