Category: Coding Mistakes
Aggregation ISM misfunctions if more than 255 modules exist
Low Severity
Low Impact
Low Likelihood
Description
The following is the verify function of Aggregation ISM:
fn verify(self: @ContractState, _metadata: Bytes, _message: Message,) -> bool {
    let (isms, mut threshold) = self.modules_and_threshold(_message.clone());
    assert(threshold != 0, Errors::THRESHOLD_NOT_SET);
    let modules = self.build_modules_span();
    let mut cur_idx: u8 = 0;
    loop {
        // ...
        if (cur_idx.into() == isms.len()) {
            break ();
        }
        // ...
        cur_idx += 1;
    };
    // ...
}
The type of the cur_idx variable is u8, which can store up to 255. If Aggregation ISM contains more than 255 modules, the cur_idx variable may overflow, which will cause this function to revert.
Impact
This could lead to unexpected behavior or function failure when the number of modules exceeds 255.
Recommendations
Consider preventing Aggregation ISM from being created with more than 255 modules.
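The boundary described above, modeled in Rust as an added example (not the audited Cairo code and not the fix from the remediation commit). Cairo's u8 addition panics on overflow, which checked_add stands in for here; walk_modules, validate_module_count and MAX_MODULES are hypothetical names, and the per-module verification is elided as it is on the page.

```rust
// Rust model of the finding (added example, not the audited Cairo code).
// Cairo's u8 `+=` panics on overflow; `checked_add` models that as an Err.

/// Hypothetical cap matching the recommendation: the largest module count
/// that a u8 loop index can walk to completion.
const MAX_MODULES: usize = u8::MAX as usize; // 255

/// Mirrors the loop shape in `verify`: a u8 index compared against the
/// module count and incremented after each iteration.
fn walk_modules(module_count: usize) -> Result<usize, &'static str> {
    let mut cur_idx: u8 = 0;
    let mut visited = 0usize;
    loop {
        if usize::from(cur_idx) == module_count {
            break;
        }
        visited += 1; // stands in for the elided per-module work
        // In Cairo this increment panics and the whole call reverts.
        cur_idx = cur_idx
            .checked_add(1)
            .ok_or("u8 index overflow: verify reverts")?;
    }
    Ok(visited)
}

/// Guard in the spirit of the recommendation: reject oversized module sets
/// when the ISM is created, so verify can never reach the overflow.
fn validate_module_count(module_count: usize) -> Result<(), &'static str> {
    if module_count > MAX_MODULES {
        return Err("too many modules for a u8 index");
    }
    Ok(())
}

fn main() {
    // Constructed module counts around the boundary.
    for n in [3usize, 255, 256, 300] {
        println!(
            "{} modules: create={:?} verify={:?}",
            n,
            validate_module_count(n),
            walk_modules(n)
        );
    }
}
```

With 255 modules the index reaches 255 and the equality check ends the loop; with 256 the increment from 255 is attempted before the check can ever match.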
Remediation
This issue has been acknowledged by Pragma, and a fix was implemented in commit 484fe5e6.