Beanstalk Part 3
Beanstalk
DeFiHardhat
21,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Fix Required for `toHexString(uint256, uint256)` to Correctly Handle Leading Zeros in Hexadecimal Conversion

rhaydden

Summary

The function toHexString(uint256 value, uint256 length) in the LibStrings.sol does not correctly handle leading zeros in hexadecimal string representations. This can result in strings that are shorter than expected, potentially leading to incorrect data representations when these strings are used to represent addresses or fixed-length hexadecimal data.

Vulnerability Details

The function is designed to convert a uint256 value into a hexadecimal string of a specified length. But the current implementation constructs this string by filling a buffer from the end to the beginning, based on the least significant to the most significant digit of the value. Albeit, if the value has leading zeros (i.e., the most significant digits are zero), these are not represented in the resulting string, as the buffer initialization does not account for them.

Take a look at this part of the code:

https://github.com/Cyfrin/2024-05-Beanstalk-3/blob/662d26f12ee219ee92dc485c06e01a4cb5ee8dfb/protocol/contracts/libraries/LibStrings.sol#L39-L49

function toHexString(uint256 value, uint256 length) internal pure returns (string memory) {
bytes memory buffer = new bytes(2 * length + 2);
buffer[0] = "0";
buffer[1] = "x";
for (uint256 i = 2 * length + 1; i > 1; --i) {
buffer[i] = _SYMBOLS[value & 0xf];
value >>= 4;
}
require(value == 0, "Strings: hex length insufficient");
return string(buffer);
}

The loop fills the buffer with hexadecimal characters corresponding to the value, but does not pre-fill the buffer with '0' characters. This results in uninitialized spaces in the buffer if value does not have enough significant hexadecimal digits to fill the specified length.

Impact

  • Likelihood: Medium

  • Impact: Medium

The impact of this issue is multifaceted and can lead to several significant problems. Firstly, there is data integrity issue, as the function may not accurately represent data that requires a fixed-length hexadecimal format, such as blockchain addresses. This misrepresentation can lead to security risks, including the possibility of transactions being mistakenly sent to the wrong addresses due to incorrect formatting. Additionally, protocols that rely on a strict length format for processing or validation might either reject the improperly formatted data or malfunction, causing interoperability issues.

Tools Used

Manual review

Recommended Mitigation Steps:

The function should be modified to ensure that the buffer is correctly initialized with '0' characters for the entire length of the expected hexadecimal string. We can do this by adding a loop to initialize the buffer before filling it with the hexadecimal digits of the value. Like this:

function toHexString(uint256 value, uint256 length) internal pure returns (string memory) {
bytes memory buffer = new bytes(2 * length + 2);
buffer[0] = "0";
buffer[1] = "x";
+ // Initialize buffer with '0' characters
+ for (uint256 i = 2; i < 2 * length + 2; i++) {
+ buffer[i] = '0';
}
for (uint256 i = 2 * length + 1; i > 1; --i) {
buffer[i] = _SYMBOLS[value & 0xf];
value >>= 4;
}
require(value == 0, "Strings: hex length insufficient");
return string(buffer);
}
Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.