
Module hex.move

This module exposes the functions encode_to_string and decode_string, which encode a vector of bytes to a hexadecimal string and decode a hexadecimal string back to bytes. An issue with decode_string accepting invalid hexadecimal characters is discussed in Finding ref↗.

Zellic © 2025