Submission Details
Impact:
Likelihood:
JSON Injection
Root + Impact
Description
-
Addresses and amounts are concatenated into JSON strings.
-
Unescaped user inputs allow JSON structure manipulation via special characters.
Root Cause
json = string.concat(
'"0": { "0": "',
whitelist[0], // @> Unescaped address
'", "1": "',
vm.toString(snowAmountAlice), // @> Unescaped numeric
'" },'
);
Likelihood:
Guaranteed if addresses contain
"or\High when using vanity addresses
Certain during fuzz testingImpact:
-
Impact:
Corrupted JSON output breaking dependent systems
Silent test data misinterpretation
False positive test results
Proof of Concept
address alice = address(0x22); // Hex 0x22 = ASCII double quote (")
// Generates malformed JSON:
// "0": { "0": """, ... } → Syntax error
Recommended Mitigation
+ import {Strings} from "@openzeppelin/utils/Strings.sol";
function _createJSON() internal returns (string memory) {
+ function _escape(string memory s) private pure returns (string memory) {
+ return Strings.toHexString(bytes(s)); // JSON-safe encoding
+ }
json = string.concat(
'"0": { "0": "',
- whitelist[0],
+ _escape(whitelist[0]),
// ... repeats for all fields
);
}
Rewards breakdown
nSLOC
215This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.