Lines of code
https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-bio-protocol/src/Bio.sol#L121-L123
https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-bio-protocol/src/Bio.sol#L43-L44
Vulnerability details
Impact
The special character filtering was not applied to the input _bio, resulting in tokenURI returning data that cannot be correctly parsed into JSON and SVG formats. For example, the input: ΝΊg�mqU�^
Proof of Concept
_bio = ΝΊg�mqU�^
function mint(string calldata _bio) external {
// We check the length in bytes, so will be higher for UTF-8 characters. But sufficient for this check
if (bytes(_bio).length == 0 || bytes(_bio).length > 200) revert InvalidBioLength(bytes(_bio).length);
uint256 tokenId = ++numMinted;
bio[tokenId] = _bio;
_mint(msg.sender, tokenId);
emit BioAdded(msg.sender, tokenId, _bio);
}
function tokenURI(uint256 _id) public view override returns (string memory) {
if (_ownerOf[_id] == address(0)) revert TokenNotMinted(_id);
string memory bioText = bio[_id];
bytes memory bioTextBytes = bytes(bioText);
uint lengthInBytes = bioTextBytes.length;
// Insert a new line after 40 characters, taking into account unicode character
uint lines = (lengthInBytes - 1) / 40 + 1;
string[] memory strLines = new string[](lines);
bool prevByteWasContinuation;
uint256 insertedLines;
// Because we do not split on zero-width joiners, line in bytes can technically be much longer. Will be shortened to the needed length afterwards
bytes memory bytesLines = new bytes(80);
uint bytesOffset;
for (uint i; i < lengthInBytes; ++i) {
bytes1 character = bioTextBytes[i];
bytesLines[bytesOffset] = character;
bytesOffset++;
if ((i > 0 && (i + 1) % 40 == 0) || prevByteWasContinuation || i == lengthInBytes - 1) {
bytes1 nextCharacter;
if (i != lengthInBytes - 1) {
nextCharacter = bioTextBytes[i + 1];
}
if (nextCharacter & 0xC0 == 0x80) {
// Unicode continuation byte, top two bits are 10
prevByteWasContinuation = true;
} else {
// Do not split when the prev. or next character is a zero width joiner. Otherwise, π¨βπ§βπ¦ could become π¨>βπ§βπ¦
// Furthermore, do not split when next character is skin tone modifier to avoid π€¦ββοΈ\nπ»
if (
// Note that we do not need to check i < lengthInBytes - 4, because we assume that it's a valid UTF8 string and these prefixes imply that another byte follows
(nextCharacter == 0xE2 && bioTextBytes[i + 2] == 0x80 && bioTextBytes[i + 3] == 0x8D) ||
(nextCharacter == 0xF0 &&
bioTextBytes[i + 2] == 0x9F &&
bioTextBytes[i + 3] == 0x8F &&
uint8(bioTextBytes[i + 4]) >= 187 &&
uint8(bioTextBytes[i + 4]) <= 191) ||
(i >= 2 &&
bioTextBytes[i - 2] == 0xE2 &&
bioTextBytes[i - 1] == 0x80 &&
bioTextBytes[i] == 0x8D)
) {
prevByteWasContinuation = true;
continue;
}
assembly {
mstore(bytesLines, bytesOffset)
}
strLines[insertedLines++] = string(bytesLines);
bytesLines = new bytes(80);
prevByteWasContinuation = false;
bytesOffset = 0;
}
}
}
string
memory svg = '<svg xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMinYMin meet" viewBox="0 0 400 100"><style>text { font-family: sans-serif; font-size: 12px; }</style>';
string memory text = '<text x="50%" y="50%" dominant-baseline="middle" text-anchor="middle">';
for (uint i; i < lines; ++i) {
text = string.concat(text, '<tspan x="50%" dy="20">', strLines[i], "</tspan>");
}
string memory json = Base64.encode(
bytes(
string.concat(
'{"name": "Bio #',
LibString.toString(_id),
'", "description": "',
bioText,
'", "image": "data:image/svg+xml;base64,',
Base64.encode(bytes(string.concat(svg, text, "</text></svg>"))),
'"}'
)
)
);
return string(abi.encodePacked("data:application/json;base64,", json));
}
decode tokenURI
{"name": "Bio #1", "description": "ΝΊg�mqU�^", "image": "data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHByZXNlcnZlQXNwZWN0UmF0aW89InhNaW5ZTWluIG1lZXQiIHZpZXdCb3g9IjAgMCA0MDAgMTAwIj48c3R5bGU+dGV4dCB7IGZvbnQtZmFtaWx5OiBzYW5zLXNlcmlmOyBmb250LXNpemU6IDEycHg7IH08L3N0eWxlPjx0ZXh0IHg9IjUwJSIgeT0iNTAlIiBkb21pbmFudC1iYXNlbGluZT0ibWlkZGxlIiB0ZXh0LWFuY2hvcj0ibWlkZGxlIj48dHNwYW4geD0iNTAlIiBkeT0iMjAiPs36m5BntRRtcb9VBl72oo08L3RzcGFuPjwvdGV4dD48L3N2Zz4="}
Foundry
Recommended Mitigation Steps
Filter or process special characters.