Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Hyperlane Starknet>Low findings>Aggregation ISM misfunctions if more than 255 modules exist
GeneralOverview
Findings
Critical (5)
High (4)
Medium (5)
Low (5)Announcing a new storage location overwrites the previous storage locationAggregation ISM misfunctions if more than 255 modules existISM configuration of MailboxComponent is disregardedUnclear behavior of the function set_modulesIncorrect size of StoreFelt252Array
Informational (2)
DiscussionSame message can be inserted into the Merkle tree hook multiple timesNonce may overflow
Threat ModelMessage
Audit ResultsAssessment Results
Category: Coding Mistakes

Aggregation ISM misfunctions if more than 255 modules exist

Low Severity
Low Impact
Low Likelihood

Description

The following is the verify function of Aggregation ISM:

fn verify(self: @ContractState, _metadata: Bytes, _message: Message,) -> bool {
    let (isms, mut threshold) = self.modules_and_threshold(_message.clone());

    assert(threshold != 0, Errors::THRESHOLD_NOT_SET);
    let modules = self.build_modules_span();
    let mut cur_idx: u8 = 0;
    loop {
        // ...
        if (cur_idx.into() == isms.len()) {
            break ();
        }
        // ...
        cur_idx += 1;
    };
    // ...
}

The type of the cur_idx variable is u8, which can store up to 255. If Aggregation ISM contains more than 255 modules, the cur_idx variable may overflow, which will cause this function to revert.

Impact

This could lead to unexpected behavior or function failure in cases with a large number of modules above 255.

Recommendations

Consider preventing Aggregation ISM from being created with more than 255 modules.

Remediation

This issue has been acknowledged by Pragma, and a fix was implemented in commit 484fe5e6.

Zellic © 2025Back to top ↑