The toHexString function from the LibString library is being used to convert the panopticPool address to a hexadecimal string representation. However, the second argument passed to toHexString is 20, which specifies the desired length of the resulting string. FactoryNFT contract (@contracts\base\FactoryNFT.sol:79)
The problem is that an Ethereum address is 20 bytes long, which corresponds to 40 hexadecimal characters (each byte is represented by 2 hexadecimal digits). By passing 20 as the second argument, the function is requesting a string of only 20 characters, which is insufficient to represent the full address.
As shown in the code, the toHexString function is called with 20 as the second argument, which is insufficient to represent the full Ethereum address.
Let's consider an example:
Suppose the panopticPool address is 0x1234567890123456789012345678901234567890. When passed to the toHexString function with a length of 20, the resulting string will be truncated to 0x1234567890123456789, which is only half of the actual address.
This truncated address will be included in the metadata URI, leading to the above mentioned issues. Any external systems or tools relying on the metadata may encounter difficulties in correctly identifying or interacting with the Panoptic Pool based on the incomplete address information.
Tools Used
Vs Code
Recommended Mitigation Steps
Change the second argument to 40 to ensure the entire address is properly represented as a hexadecimal string. By making this change, the toHexString function will return the full 40-character hexadecimal representation of the panopticPool address, avoiding any truncation or loss of information.
Lines of code
https://github.com/code-423n4/2024-06-panoptic/blob/153f0d82440b7e63075d55b0659706531431145f/contracts/base/FactoryNFT.sol#L79 https://github.com/code-423n4/2024-06-panoptic/blob/153f0d82440b7e63075d55b0659706531431145f/contracts/base/FactoryNFT.sol#L58-L112
Vulnerability details
Impact
The
toHexString
function from theLibString
library is being used to convert thepanopticPool
address to a hexadecimal string representation. However, the second argument passed totoHexString
is20
, which specifies the desired length of the resulting string. FactoryNFT contract (@contracts\base\FactoryNFT.sol:79)The problem is that an Ethereum address is 20 bytes long, which corresponds to 40 hexadecimal characters (each byte is represented by 2 hexadecimal digits). By passing 20 as the second argument, the function is requesting a string of only 20 characters, which is insufficient to represent the full address.
Proof of Concept
A relevant code snippet that illustrates the issue: FactoryNFT contract (@contracts\base\FactoryNFT.sol:58-112)
As shown in the code, the
toHexString
function is called with20
as the second argument, which is insufficient to represent the full Ethereum address.Let's consider an example:
Suppose the
panopticPool
address is0x1234567890123456789012345678901234567890
. When passed to thetoHexString
function with a length of 20, the resulting string will be truncated to0x1234567890123456789
, which is only half of the actual address.This truncated address will be included in the metadata URI, leading to the above mentioned issues. Any external systems or tools relying on the metadata may encounter difficulties in correctly identifying or interacting with the Panoptic Pool based on the incomplete address information.
Tools Used
Vs Code
Recommended Mitigation Steps
Change the second argument to 40 to ensure the entire address is properly represented as a hexadecimal string. By making this change, the
toHexString
function will return the full 40-character hexadecimal representation of thepanopticPool
address, avoiding any truncation or loss of information.Assessed type
Other