Submission Details
Severity:
lack of validation of the proof length in `_verify_proof` function
Summary
lack of validation of the proof length in _verify_proof function
Vulnerability Details
The _verify_proof function does not validate the length of the proof array. If the proof array is empty, the function will still compute a hash and compare it to the merkle_root.
This can lead to false positives where an empty proof is accepted as valid for certain leaves.
def _verify_proof(proof: DynArray[bytes32, 20], leaf: bytes32) -> bool:
"""
@notice This function is used to verify the merkle proof
@param proof: DynArray[bytes32, 20], the merkle proof
@param leaf: bytes32, the leaf node
@return bool: True if the proof is valid
"""
computed_hash: bytes32 = leaf
for proof_element: bytes32 in proof:
computed_hash = self._hash_pair(computed_hash, proof_element)
return computed_hash == self.merkle_root
Impact
An attacker could submit an empty proof and potentially claim tokens they are not entitled to, depending on the structure of the Merkle tree.
Tools Used
Manual analysis
Recommendations
Add a check to reject empty proofs
Rewards breakdown
nSLOC
127This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.