code-423n4 / 2022-02-aave-lens-findings

Handles consisting only of `.` can be created #29

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-aave-lens/blob/aaf6c116345f3647e11a35010f28e3b90e7b4862/contracts/libraries/PublishingLogic.sol#L407

Vulnerability details

Impact

A handle consisting only of dots `.` can be created in `PublishingLogic._validateHandle`. I believe the intention was to have at least 1 alpha-numeric character in the handle and only use the `.` as a separator.

```solidity
for (uint256 i = 0; i < byteHandle.length; ++i) {
    if (
        (byteHandle[i] < '0' ||
            byteHandle[i] > 'z' ||
            (byteHandle[i] > '9' && byteHandle[i] < 'a')) && byteHandle[i] != '.'
    ) revert Errors.HandleContainsInvalidCharacters();
}
```

Recommended Mitigation Steps

Check that the handle does not consist of only `.`.
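
The character test quoted in the report, shown beside the stricter variant the report recommends, as an added example that is not part of the original report or of the Lens Protocol code. The contract name, both function names and the `HandleHasNoAlphanumeric` error are hypothetical, and any length limits on handles are not modelled here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

/// Added illustration only. HandleCheckExample, validateCharset, validateStrict and
/// HandleHasNoAlphanumeric are hypothetical names, not Lens Protocol identifiers.
contract HandleCheckExample {
    error HandleContainsInvalidCharacters();
    error HandleHasNoAlphanumeric();

    /// Same per-byte test as the loop quoted in the report.
    /// Every byte must be in '0'..'9', 'a'..'z', or be '.'.
    /// Nothing here requires a non-dot byte, so a dot-only handle passes.
    function validateCharset(string memory handle) public pure {
        bytes memory byteHandle = bytes(handle);
        for (uint256 i = 0; i < byteHandle.length; ++i) {
            if (
                (byteHandle[i] < '0' ||
                    byteHandle[i] > 'z' ||
                    (byteHandle[i] > '9' && byteHandle[i] < 'a')) && byteHandle[i] != '.'
            ) revert HandleContainsInvalidCharacters();
        }
    }

    /// Variant implementing the report's recommendation: the charset test plus a
    /// requirement that at least one byte is not '.'.
    function validateStrict(string memory handle) public pure {
        validateCharset(handle);
        bytes memory byteHandle = bytes(handle);
        for (uint256 i = 0; i < byteHandle.length; ++i) {
            // The charset test already passed, so any non-dot byte is [0-9a-z].
            if (byteHandle[i] != '.') return;
        }
        // Reached for dot-only input (and for empty input, since length is not checked here).
        revert HandleHasNoAlphanumeric();
    }
}
```

Calling `validateCharset("...")` returns normally, while `validateStrict("...")` reverts; both accept `"a.b"` and both revert on `"A.b"` because uppercase letters fall between `'9'` and `'a'`.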

oneski commented 2 years ago

Declined, duplicate. This is by design. Handles of "." are valid.

0xleastwood commented 2 years ago

As per the sponsor's comment, handles consisting of only `.` are valid.