ArkProject: NFT Bridge

ArkProject

NFTBridge

60,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Incorrect Serialization Logic in Test Case Leads to Incorrect ByteArray Testing (`byte_array_extra.cairo::tests::from_span_felt252_bytearray_shortstring`)

4gontuk

Summary

Vulnerability Detail

The from_span_felt252_bytearray_shortstring test case in the starknet/src/byte_array_extra.cairo contract is responsible for testing the serialization of a ByteArray object. This test case is crucial for ensuring that the serialization logic works correctly. However, the test case uses the serialize method incorrectly. Specifically, the test case does not ensure that the ByteArray object is correctly converted from a string and then serialized properly. This can lead to incorrect serialization of the ByteArray object, resulting in incorrect test results and not properly testing the serialization logic.

Impact

The incorrect use of the serialize method in the test case can lead to incorrect test results, giving a false sense of security about the correctness of the serialization logic.

Proof of Concept

The from_span_felt252_bytearray_shortstring test case uses the serialize method incorrectly to serialize a ByteArray object.
The test case attempts to convert the serialized data back to a ByteArray.
The serialization logic is not properly tested because the serialize method is used incorrectly.
The test case may pass or fail incorrectly, leading to undetected bugs in the serialization logic.

Tools Used

Manual review

Recommendation

The test case should be updated to use the serialize method correctly and ensure that the ByteArray object is serialized properly. The following code provides a corrected implementation:

#[cfg(test)]

mod tests {

use core::serde::Serde;

use super::{FeltTryIntoByteArray, SpanFeltTryIntoByteArray};

#[test]

fn from_span_felt252_bytearray_shortstring() {

let orig: ByteArray = "I'm here".into(); // Ensure correct conversion to ByteArray

let mut a = ArrayTrait::new();

orig.serialize(&mut a); // Correctly serialize the ByteArray

let b: Option<ByteArray> = a.span().try_into();

match b {

Option::Some(e) => assert_eq!(e, orig, "String mismatch"),

Option::None => panic!("Should not be None"),

}

// ... other test cases ...

}

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Out of scope

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,301

26 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.