Zellic - Audit Reports

Category: Coding Mistakes

Message incorrectly includes the size of body

Critical Severity

Critical Impact

High Likelihood

Description

The format_message function in message.cairo appends the size of the message body before the message body:

fn format_message(_message: Message) -> (u256, Message) {
    let sender: felt252 = _message.sender.into();
    let recipient: felt252 = _message.recipient.into();

    let mut input: Array<ByteData> = array![
        // ...
        ByteData {
            value: _message.body.size().into(),
            size: u64_word_size(_message.body.size().into()).into()
        },
    ];

    // ...
}

However, this does not match with the behavior of the Hyperlane protocol, which does not append the size of the body:

function formatMessage(
    uint8 _version,
    uint32 _nonce,
    uint32 _originDomain,
    bytes32 _sender,
    uint32 _destinationDomain,
    bytes32 _recipient,
    bytes calldata _messageBody
) internal pure returns (bytes memory) {
    return
        abi.encodePacked(
            _version,
            _nonce,
            _originDomain,
            _sender,
            _destinationDomain,
            _recipient,
            _messageBody
        );
}

Impact

This can lead to incompatibility issues with the Hyperlane protocol, potentially causing message interpretation errors across different chains and implementations.

Recommendations

Consider removing the size when formatting a message into bytes.

Remediation

This issue has been acknowledged by Pragma, and a fix was implemented in commit 055424fc↗.