Canto Identity Subprotocols contest - rokso's results

Subprotocols for Canto Identity Protocol.

General Information

Platform: Code4rena

Start Date: 17/03/2023

Pot Size: $36,500 USDC

Total HM: 10

Participants: 98

Period: 3 days

Judge: leastwood

Total Solo HM: 5

Id: 223

League: ETH

Researcher Performance

Rank: 77/98

Findings: 1

Award: $19.87

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

19.8705 USDC - $19.87

Labels

bug
2 (Med Risk)
satisfactory
edited-by-warden
duplicate-212

External Links

Lines of code

https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-bio-protocol/src/Bio.sol#L121-L128

Vulnerability details

Impact

In Bio.sol, users can mint a bio of up to 200 characters, and when a user calls tokenURI() an SVG is generated from the bio. The contents of the bio string are not validated in mint(), so a bio containing an opening angle bracket (<) results in an invalid SVG. For example: "This is invalid bio.< Angle bracket will break SVG".

Proof of Concept

mint() => Bio.sol#L121. The test below mints a bio that has < in the bio string.

    function testInvalidSVGInTokenURI() public {
        string
            memory text = unicode"This is invalid bio.< Angle bracket will break SVG";
        bio.mint(text);
        uint256 tokenId = bio.numMinted();
        string memory uri = bio.tokenURI(tokenId);
        console.log("tokenURI is", uri);
    }

The tokenURI returned for such a bio is a data:application/json;base64, URI.

Below is the SVG parsed out of the above tokenURI:

    <svg xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMinYMin meet" viewBox="0 0 400 100">
        <style>
            text {
                font-family: sans-serif;
                font-size: 12px;
            }
        </style><text x="50%" y="50%" dominant-baseline="middle" text-anchor="middle">
            <tspan x="50%" dy="20">This is invalid bio.< Angle bracket will</tspan>
                    <tspan x="50%" dy="20"> break SVG.</tspan>
        </text>
    </svg>

The above SVG is invalid and only renders the part of the text that comes before the opening angle bracket <.

https://gyazo.com/eae7acb7b21dda9c6d5e88ad3a747866

Tools Used

Manual

Consider checking for invalid characters in the bio string during the call to mint().
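Two ways to apply this recommendation, as an added example that is not code from Bio.sol or from the original report: reject XML special characters in mint(), or escape each line at render time. The library name `SvgText` and its functions are hypothetical; escaping is applied per already-split line so that an entity such as `&lt;` is never cut in half across two `<tspan>` elements.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Added example: hypothetical helper library, not part of Bio.sol.
library SvgText {
    /// Entity for one byte if it is an XML special character, else the byte itself.
    function _entity(bytes1 c) private pure returns (bytes memory) {
        if (c == "<") return "&lt;";
        if (c == ">") return "&gt;";
        if (c == "&") return "&amp;";
        if (c == '"') return "&quot;";
        if (c == "'") return "&#39;";
        return abi.encodePacked(c);
    }

    /// Option 1 (render time): escape one already-split line before it is
    /// wrapped in <tspan>...</tspan>. Multi-byte UTF-8 sequences pass through
    /// unchanged because all of their bytes are >= 0x80.
    function escapeXml(string memory line) internal pure returns (string memory) {
        bytes memory src = bytes(line);
        bytes memory out;
        // Repeated concat is quadratic, acceptable for a bio capped at 200 characters.
        for (uint256 i = 0; i < src.length; i++) {
            out = bytes.concat(out, _entity(src[i]));
        }
        return string(out);
    }

    /// Option 2 (mint time): true if the bio contains a character that would
    /// need escaping, so mint() can revert instead of storing it.
    function hasXmlSpecial(string memory bio) internal pure returns (bool) {
        bytes memory src = bytes(bio);
        for (uint256 i = 0; i < src.length; i++) {
            if (_entity(src[i]).length != 1) return true;
        }
        return false;
    }
}
```

Option 2 changes which bios can be minted, while option 1 keeps the stored bio as typed and only changes the generated SVG.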

#0 - c4-judge

2023-03-28T03:58:10Z

0xleastwood marked the issue as duplicate of #212

#1 - c4-judge

2023-04-11T19:36:28Z

0xleastwood marked the issue as satisfactory
