The issue arises in the implementation of the symbol() function in some ERC20 contracts. In the provided code snippet:
Here, the symbol() function of the _collateralTokenContract is called, and its return value is used as part of the argument to the string constructor after being encoded using abi.encodePacked(). If _collateralTokenContract.symbol() returns a bytes32 instead of a string, the result may contain unexpected data, such as null characters or improperly decoded bytes.
The symbol() function is expected to return a string as per the modern ERC20 standard. However, some contracts, especially older or non-standard implementations, return a bytes32.
When abi.encodePacked() is applied to a bytes32 result, the null padding bytes are included in the encoded value, which can produce an improperly formatted string.
Users interacting with the WToken contract may see an unintelligible or malformed token name due to corrupted symbol data.
Manual review
Check if _collateralTokenContract.symbol() returns bytes32 or string and handle appropriately.
Use a helper function to safely convert bytes32 to string, removing null characters.
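One way to implement both recommendations, as an added example that is not code from the WToken project. The library name SafeSymbol and its function names are hypothetical. It reads symbol() through a low-level staticcall, so the return type is inspected before decoding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example (hypothetical names), not the audited project's code.
library SafeSymbol {
    /// Reads symbol() from `token` without assuming its return type.
    function symbolOf(address token) internal view returns (string memory) {
        // A low-level staticcall returns raw bytes, so a bytes32 return
        // value does not break typed ABI decoding in the caller.
        (bool ok, bytes memory data) = token.staticcall(
            abi.encodeWithSignature("symbol()")
        );
        if (!ok) return "";

        if (data.length == 32) {
            // Legacy token: one 32-byte word holding the null-padded symbol.
            return bytes32ToString(abi.decode(data, (bytes32)));
        }
        if (data.length >= 64) {
            // Standard token: ABI-encoded string (offset, length, bytes).
            // abi.decode still reverts if the payload is malformed.
            return abi.decode(data, (string));
        }
        // No usable return data (for example, symbol() is not implemented).
        return "";
    }

    /// Copies bytes up to the first null byte, dropping the padding.
    function bytes32ToString(bytes32 raw) internal pure returns (string memory) {
        uint256 len = 0;
        while (len < 32 && raw[len] != bytes1(0)) {
            len++;
        }
        bytes memory out = new bytes(len);
        for (uint256 i = 0; i < len; i++) {
            out[i] = raw[i];
        }
        return string(out);
    }
}
```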