In the Cairo programming language, the type we want to deserialize into is specified by using a conversion method where we explicitly state the desired output type. The `try_into()` function from `SpanFeltTryIntoByteArray` in `byte_array_extra.cairo` contains a `deserialize()` call that does not specify its output type.
In Cairo, the type we want to deserialize into must be explicitly specified using a conversion method. This is crucial because Cairo is a statically typed language, requiring the types of all variables to be known at compile time. While the compiler often infers the desired type based on the value and its usage, explicitly specifying the type ensures that the compiler understands the intended type of the variable. This helps prevent errors and ensures that the data is handled correctly according to its type, especially when dealing with serialized data that must be converted back into its original form.
The following code snippet contains the deserialization function used in https://github.com/Cyfrin/2024-07-ark-project/blob/main/apps/blockchain/starknet/src/byte_array_extra.cairo#L30 with a comment presenting the proposed change:
By the logic used in the function, if the type is specified, in this case as an `Option`, the `unwrap()` function should also be invoked.
Without explicitly specifying the type, the `deserialize()` function can misinterpret data at compile time, potentially compromising data integrity.
Manual review
Specify the type when using the `deserialize()` function. As highlighted in the comment within the code block, this can be done with the following statement:
Serde::<Option````>::deserialize(ref self).unwrap()
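A regression check a reviewer can run alongside this recommendation, written as an added example and not taken from the ark-project code base: it pins the target type at the `deserialize()` call, compares the result with the inferred form, and confirms that malformed input is rejected. The function names `decode_explicit` and `decode_inferred` are hypothetical, the sketch annotates with `ByteArray` and returns the `Option` to the caller instead of unwrapping, and the sample inputs are constructed.

```cairo
// Added example; decode_explicit / decode_inferred are hypothetical names.
use core::serde::Serde;

// Explicit form: the target type is named at the call site.
fn decode_explicit(mut data: Span<felt252>) -> Option<ByteArray> {
    Serde::<ByteArray>::deserialize(ref data)
}

// Inferred form: the compiler selects the Serde impl from the return type.
fn decode_inferred(mut data: Span<felt252>) -> Option<ByteArray> {
    Serde::deserialize(ref data)
}

#[cfg(test)]
mod tests {
    use core::serde::Serde;
    use super::{decode_explicit, decode_inferred};

    // Constructed sample input: the Serde encoding of a short ByteArray.
    fn sample() -> Array<felt252> {
        let value: ByteArray = "hello";
        let mut out: Array<felt252> = array![];
        value.serialize(ref out);
        out
    }

    #[test]
    fn round_trip_matches() {
        let encoded = sample();
        let a = decode_explicit(encoded.span()).unwrap();
        let b = decode_inferred(encoded.span()).unwrap();
        assert(a == "hello", 'explicit decode mismatch');
        assert(a == b, 'forms disagree');
    }

    #[test]
    fn truncated_input_is_rejected() {
        // Constructed malformed input: announces 2 data words, carries none.
        let bad: Array<felt252> = array![2];
        assert(decode_explicit(bad.span()).is_none(), 'should be None');
    }
}
```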