Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Initia>Discussion>Table handle overflow leads to abort
GeneralOverview
Findings
Critical (3)
High (12)
Medium (4)
Low (9)
Informational (3)
DiscussionGeneral DiscussionImprove AMM testsBridge executor minting powerCharge before using valuesEmpty allowed_publishers array allows every address to publishERC20Keeper with custom contractsSuggestions for additional security checksTable handle overflow leads to abort
Threat ModelWhat are threat models?stdlib
Audit ResultsSummary
AppendixProof of concept: Reference safety verifier bypass

Table handle overflow leads to abort

Note that it is feasible for the table_len to overflow if enough table iterators are created over many transactions, leading to an abort.

!let table_len = table_data.new_tables.len() as u32; // cast usize to u32 to ensure same length
Digest::update(&mut digest, UID_PREFIX);
Digest::update(&mut digest, table_context.session_id);
Digest::update(&mut digest, table_len.to_be_bytes());
let bytes = digest.finalize().to_vec();
let handle = AccountAddress::from_bytes(&bytes[0..AccountAddress::LENGTH])
    .map_err(|_| partial_extension_error("Unable to create table handle"))?;
let key_type = context.type_to_type_tag(&ty_args[0])?;
let value_type = context.type_to_type_tag(&ty_args[1])?;
!assert!(table_data
!    .new_tables
!    .insert(TableHandle(handle), TableInfo::new(key_type, value_type))
!    .is_none());

However, this has no security impact as the abort would be handled properly and simply revert the transaction.

Zellic © 2024Back to top ↑