code-423n4 / 2023-03-canto-identity-findings


Indexed strings #265

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-canto-identity/blob/077372297fc419ea7688ab62cc3fd4e8f4e24e66/canto-bio-protocol/src/Bio.sol#L23

https://github.com/code-423n4/2023-03-canto-identity/blob/077372297fc419ea7688ab62cc3fd4e8f4e24e66/canto-namespace-protocol/src/Namespace.sol#L54

Vulnerability details

Impact

If the protocol considers parsing events from the blockchain, it wouldn't be possible to extract the real (unhashed) value from indexed strings. And the filter option could somehow be used only for the NamespaceFused:name argument, certainly not for BioAdded:bio.

Proof of Concept

In Solidity, the keccak256 hash of an indexed string is stored when emitting an event.

(https://docs.soliditylang.org/en/v0.8.19/abi-spec.html#encoding-of-indexed-event-parameters)

Tools Used

Manually

Recommended Mitigation Steps

Remove indexed keyword

c4-sponsor commented 1 year ago

OpenCoreCH marked the issue as disagree with severity

OpenCoreCH commented 1 year ago

Not really an issue for us, but imo a good QA suggestion, but no medium finding

c4-judge commented 1 year ago

0xleastwood changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

0xleastwood marked the issue as grade-b