Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Hyperlane Starknet>Medium findings>Incorrect size for fetching branches of the Merkle tree
GeneralOverview
Findings
Critical (5)
High (4)
Medium (5)Modules cannot be removed from routing ISMRouting ISM with the fallback configuration does not show fallback behaviorOwner address is not initializedIncorrect size for fetching branches of the Merkle treeMessage can be sent multiple times to an untrusted recipient
Low (5)
Informational (2)
DiscussionSame message can be inserted into the Merkle tree hook multiple timesNonce may overflow
Threat ModelMessage
Audit ResultsAssessment Results
Category: Coding Mistakes

Incorrect size for fetching branches of the Merkle tree

Medium Severity
Medium Impact
Medium Likelihood

Description

The tree function in the merkle_tree_hook.cairo returns the branches of the stored incremental Merkle tree. Specifically, it returns the array that is returned from the function self._build_tree, which semantically returns array![ self.tree.read(0), self.tree.read(1), ..., self.tree.read(self.count.read() - 1) ].

However, it should be noted that the number of branches in this incremental Merkle tree is fixed to 32 in this contract and does not grow when the count variable, which represents the number of leaves, increases.

Impact

This could lead to unintended behavior and potential confusion for developers interacting with the contract.

Recommendations

Consider reading the correct number of elements when building the array of branches.

Remediation

This issue has been acknowledged by Pragma, and a fix was implemented in commit 343b3810.

Zellic © 2025Back to top ↑