Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Initia>Low findings>Hex decode accepting invalid characters
GeneralOverview
Findings
Critical (2)
High (7)
Medium (5)
Low (12)Ability to bypass swap feesModule can be duplicated in module publish requestsHex decode accepting invalid charactersStablepools can be created with one or no assetsBad decimal-parsing function accepts multiple dotsPotential out-of-gas reversion when checking object permissionsIncorrect string-formatting helperIncorrect minimum-TVL module-parameter checkMove coin transfer can bypass blocked accountsError not checked when fetching starting infoMove coins are case-insensitive in cosmosIncorrect signer check for shorthand accounts
Informational (5)
DiscussionGeneral DiscussionImprove AMM testsBridge executor minting powerCharge before using valuesEmpty allowed_publishers array allows every address to publishERC20Keeper with custom contractsSuggestions for additional security checksTable handle overflow leads to abort
Threat ModelWhat are threat models?stdlib
Audit ResultsSummary
AppendixProof of concept: Reference safety verifier bypass
Category: Coding Mistakes

Hex decode accepting invalid characters

Low Impact
Low Severity
Low Likelihood

Description

The hex.move module provides helper functions that can be used to convert a bytes array to and from a hexadecimal representation.

The decode_string accepts characters that are not valid hexadecimals and decodes characters that are not in the range 0-9a-f. This causes the strings 1f and 0g to be decoded to the value 0x1f.

Impact

This issue is reported as low impact since we could not identify an exploitation path using only the in-scope code. However, the impact could be higher for third-party modules.

Recommendations

Validate the input to ensure it contains only valid hexadecimal characters.

Remediation

Zellic © 2025Back to top ↑