Canto Identity Subprotocols contest - dingo2077's results

Lines of code

https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-bio-protocol/src/Bio.sol#L121 https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-bio-protocol/src/Bio.sol#L43

Vulnerability details

Impact

In Bio.sol contract there is ability to mint NFT with special poison strings. After minting if user call tokenURI(id) he will get en error [FAIL. Reason: Index out of bounds] Impact: USER can't use his NFT if it minted with some special characters mentioned below. For example:

1. String:ð Poison bytes string: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0
2. String:â 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000e2

Proof of Concept

1. You can just fuzz run ~2048 and see an error
2. You can use custom foundry test:

bytes public posion = hex"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0";

    function testCustom() public {
        string memory text = string(posion);  
        bio.mint(text);
        uint256 tokenId = bio.numMinted();
        string memory uri = bio.tokenURI(tokenId); //here is the error;
    }   

https://i.imgur.com/i5EkCnE.png

Tools Used

VScode + foundry;

Recommended Mitigation Steps

There is high probability that function tokenURI() can't handling appropriately many poison characters. It is necessary to fuzz test it and may be avoid poison characters using posionArray.