NFTBridge
60,000 USDC
Submission Details
Severity: low
Valid

Improper Range Validation in snaddressWrap Function could lead to incorrectly wrapping an invalid value

Summary

The maximum value for an snaddress is 2^251 - 1, which is smaller than the felt252 maximum value. The current check in snaddressWrap only ensures the value fits within a felt252 (which is less than SN_MODULUS), but doesn't directly check if it's within the valid range for an snaddress.

Vulnerability Details

In the Cairo.t.sol file, the snaddressWrap function is designed to wrap a uint256 value into a StarkNet address (snaddress). The function currently checks whether the provided value can fit into a felt252, the basic unit of data in Cairo, by verifying that the value is less than SN_MODULUS, a constant representing 2^251 + 17 * 2^192 + 1. If the value exceeds this limit, the function reverts with a CairoWrapError.

    function snaddressWrap(
        uint256 val
    )
        internal
        pure
        returns (snaddress)
    {
        if (!isFelt252(val)) {
            revert CairoWrapError();
        }
        return snaddress.wrap(val);
    }

The core issue lies in the assumption that the same validation used for a felt252 is sufficient for an snaddress. However, the maximum valid value for an snaddress in StarkNet is 2^251 - 1, which is significantly smaller than the maximum felt252 value.

  • felt252 Range: 0 <= value < 2^251 + 17 * 2^192 + 1

  • snaddress Range: 0 <= value < 2^251

The current implementation fails to account for this difference, meaning that values between 2^251 and the maximum felt252 value could be incorrectly accepted as valid snaddress values. This could lead to undefined behavior or errors when these addresses are used within the StarkNet ecosystem, where addresses exceeding 2^251 - 1 are invalid.

Impact

Wrapping an invalid snaddress exceeding 2^251 - 1 could result in the use of an incorrect address, leading to undefined behavior or errors within the StarkNet contract.

Tools Used

Manual Review

Recommendations

To mitigate this, the snaddressWrap function should explicitly check that the value does not exceed 2^251 - 1:

    uint256 constant SNADDRESS_MAX = 2**251 - 1;

    function snaddressWrap(
        uint256 val
    )
        internal
        pure
        returns (snaddress)
    {
        if (val > SNADDRESS_MAX) {
            revert CairoWrapError();
        }
        return snaddress.wrap(val);
    }

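
The two checks can be compared at the boundaries of both ranges with a small harness. This is an added example, not code from the audited repository: the contract name, wrapCurrent, wrapFixed and the accepts* helpers are hypothetical, and the bounds are the ones stated in this report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added boundary harness; contract and function names are hypothetical.
type snaddress is uint256;

error CairoWrapError();

// Bounds as stated in this report.
uint256 constant SN_MODULUS = 2**251 + 17 * 2**192 + 1;
uint256 constant SNADDRESS_MAX = 2**251 - 1;

contract SnaddressBoundaryHarness {
    // Reported behaviour: only the felt252 bound is enforced.
    function wrapCurrent(uint256 val) external pure returns (snaddress) {
        if (val >= SN_MODULUS) revert CairoWrapError();
        return snaddress.wrap(val);
    }

    // Recommended behaviour: the snaddress bound is enforced.
    function wrapFixed(uint256 val) external pure returns (snaddress) {
        if (val > SNADDRESS_MAX) revert CairoWrapError();
        return snaddress.wrap(val);
    }

    // External self-calls let try/catch turn a revert into a boolean.
    function acceptsCurrent(uint256 val) public view returns (bool) {
        try this.wrapCurrent(val) returns (snaddress) { return true; }
        catch { return false; }
    }

    function acceptsFixed(uint256 val) public view returns (bool) {
        try this.wrapFixed(val) returns (snaddress) { return true; }
        catch { return false; }
    }

    // Returns how many values pass the felt252 check but are not valid
    // snaddress values; reverts if any boundary case behaves unexpectedly.
    function checkBoundaries() external view returns (uint256 gap) {
        require(acceptsCurrent(SNADDRESS_MAX) && acceptsFixed(SNADDRESS_MAX), "max valid");
        require(acceptsCurrent(SNADDRESS_MAX + 1) && !acceptsFixed(SNADDRESS_MAX + 1), "2^251");
        require(acceptsCurrent(SN_MODULUS - 1) && !acceptsFixed(SN_MODULUS - 1), "P - 1");
        require(!acceptsCurrent(SN_MODULUS) && !acceptsFixed(SN_MODULUS), "P");
        gap = SN_MODULUS - (SNADDRESS_MAX + 1); // 17 * 2^192 + 1
    }
}
```

checkBoundaries() returns 17 * 2^192 + 1, the number of values the felt252 check lets through that lie above the snaddress range.
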
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

0xnilesh Submitter
10 months ago
n0kto Lead Judge
9 months ago
n0kto Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-felt252-to-big-for-snaddress

Impact: function is incorrect and the protection misses a bunch of addresses. According to the doc, it deserves a Low.
