Open hats-bug-reporter[bot] opened 1 week ago
I appreciate highlighting the possible code check, but I can't acknowledge this as an issue
On 4th consideration, I do want to thank and reward a solid effort to find a solid code improvement. So on the argument that it breaks an invariant (in the reverse map) I'll agree with you on a low issue.
Github username: @yixxas Twitter username: yixxas Submission hash (on-chain): 0xb503fb513a63e8fc3139d03c71a2528c8f1e0ab859d2083c7e0598074474b3b1 Severity: low
Description: Description\ A
shortName
is psuedo randomly created by calculating the keccak256 hash of the concatenation of_avatar
andnonce
. This value is restricted in the space of ~72 bytes (closer to 70 bytes due toMAX_SHORT_NAME
). There is no check for which the calculated value is not 0.Considering that the search space of 72 bytes is relatively small compared to the typical 256 bytes used, the probability of this happening is not statistically insignifcant.
Attack Scenario\ When a calculated short name happens to be 0, it will break some invariants of the protocol, creating confusions for users.
shortNames[]
is not 0. Hence, a user who created a short name with the 0 value will be considered to have not created one, despite the call toregisterShortName()
being successful. They can create a newshortName
by making another call. This particular user will have the eventRegisterShortName()
created twice on the sameavatar
address, possibly creating confusions for offchain bots seaching for events.shortNameToAvatar[0]
will be set to the first avatar's address whose value is created whereshortName == 0
. This value will never be changed as future creation ofshortName == 0
will no longer be possible. The invariant whereshortNameToAvatar[0] = 0
is broken.Recommendation A simple fix can be implemented by adding a check to ensure that calculated
shortName
is not 0 in both_registerShortName()
and_registerShortNameWithNonce()
.