hats-finance / Tapioca-0xe0b920d38a0900af3bab7ff0ca0af554129f54ad


`decodeLockTwTapDstMsg()` will revert because of incorrect decoding #4

Open hats-bug-reporter[bot] opened 5 months ago

hats-bug-reporter[bot] commented 5 months ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0x5f340d0f6e5e63d1b3bf434be02bd56bb44d582ca64f05363a9dc00420307bf0
Severity: medium

Description

The decoding in `TapTokenCodec:decodeLockTwTapDstMsg` will likely revert because there are several combinations of bytes that would result in the same result.

Recommendation

To mitigate this, change the following lines to prevent reading the wrong area: this will ensure that the bytes read use the length of the message correctly.

Change `uint96 duration = BytesLib.toUint96(BytesLib.slice(_msg, userOffset_, durationOffset_), 0);` to `uint256 amount = BytesLib.toUint256(BytesLib.slice(_msg, durationOffset_, 32), 0);`

Change `uint256 amount = BytesLib.toUint256(BytesLib.slice(_msg, durationOffset_, _msg.length - durationOffset_), 0);` to `uint256 amount = BytesLib.toUint256(BytesLib.slice(_msg, durationOffset_, 32), 0);`
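The report argues about what `BytesLib.slice` reads for the `duration` and `amount` fields and whether a length derived from `_msg.length` or a fixed `32` should be used. The Python below is an added illustration, not code from the Tapioca repository: it emulates the `BytesLib` semantics the report cites (`slice`, `toUint96`, `toUint256` revert when the requested range falls outside the buffer), builds a constructed message under an assumed `abi.encodePacked(address, uint96, uint256)` layout with assumed `userOffset_ = 20` and `durationOffset_ = 32`, and decodes it both ways so the two `amount` reads can be compared on a well-formed and on a truncated message.

```python
from typing import Tuple, Union

# Emulation of the BytesLib helpers named in the report (solidity-bytes-utils
# semantics): each helper reverts when the requested range is outside the buffer.
def bytes_slice(data: bytes, start: int, length: int) -> bytes:
    if start + length > len(data):
        raise ValueError("slice_outOfBounds")
    return data[start:start + length]

def to_uint96(data: bytes, start: int) -> int:
    if len(data) < start + 12:
        raise ValueError("toUint96_outOfBounds")
    return int.from_bytes(data[start:start + 12], "big")

def to_uint256(data: bytes, start: int) -> int:
    if len(data) < start + 32:
        raise ValueError("toUint256_outOfBounds")
    return int.from_bytes(data[start:start + 32], "big")

# ASSUMED message layout (not taken from the Tapioca codebase):
# abi.encodePacked(address user, uint96 duration, uint256 amount)
USER_OFFSET = 20       # assumed: end of the 20-byte address field
DURATION_OFFSET = 32   # assumed: end of the 12-byte uint96 field

def encode_lock_msg(user: bytes, duration: int, amount: int) -> bytes:
    """Constructed encoder for the assumed packed layout."""
    if len(user) != 20:
        raise ValueError("user must be a 20-byte address")
    return user + duration.to_bytes(12, "big") + amount.to_bytes(32, "big")

def decode_lock_msg(msg: bytes, fixed_amount_width: bool) -> Tuple[str, int, int]:
    """Decode following the two call shapes quoted in the report.

    The duration read mirrors the report literally: a slice starting at
    userOffset_ with length durationOffset_, then toUint96 at offset 0.
    The amount read uses either the message-length-derived slice or a
    fixed 32-byte slice, depending on fixed_amount_width.
    """
    user = "0x" + bytes_slice(msg, 0, USER_OFFSET).hex()
    duration = to_uint96(bytes_slice(msg, USER_OFFSET, DURATION_OFFSET), 0)
    if fixed_amount_width:
        amount = to_uint256(bytes_slice(msg, DURATION_OFFSET, 32), 0)
    else:
        amount = to_uint256(
            bytes_slice(msg, DURATION_OFFSET, len(msg) - DURATION_OFFSET), 0
        )
    return user, duration, amount

def decode_or_revert(msg: bytes, fixed_amount_width: bool) -> Union[Tuple[str, int, int], str]:
    """Return the decoded tuple, or the revert reason string if decoding fails."""
    try:
        return decode_lock_msg(msg, fixed_amount_width)
    except ValueError as exc:
        return str(exc)

# Constructed sample: a placeholder address, a 7-day duration, a 1e18 amount.
SAMPLE_USER = bytes([0x11]) * 20
SAMPLE_MSG = encode_lock_msg(SAMPLE_USER, 7 * 24 * 3600, 10**18)

if __name__ == "__main__":
    print("well-formed, fixed width  :", decode_or_revert(SAMPLE_MSG, True))
    print("well-formed, length-based :", decode_or_revert(SAMPLE_MSG, False))
    # Drop the last 4 bytes: both reads now revert, with different reasons.
    print("truncated, fixed width    :", decode_or_revert(SAMPLE_MSG[:60], True))
    print("truncated, length-based   :", decode_or_revert(SAMPLE_MSG[:60], False))
```

On a well-formed message both `amount` reads return the same value, since `toUint256` only consumes the first 32 bytes of whatever slice it is handed; the two forms diverge only in which bounds check fires on a short message (`slice_outOfBounds` for the fixed width, `toUint256_outOfBounds` for the length-derived slice). Whether the real codec's offsets match the assumed ones is exactly what the maintainer disputes below.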

0xRektora commented 5 months ago

Invalid.

> Change `uint96 duration = BytesLib.toUint96(BytesLib.slice(_msg, userOffset_, durationOffset_), 0);` to `uint256 amount = BytesLib.toUint256(BytesLib.slice(_msg, durationOffset_, 32), 0);`

This doesn't make sense.

> Change `uint256 amount = BytesLib.toUint256(BytesLib.slice(_msg, durationOffset_, _msg.length - durationOffset_), 0);` to `uint256 amount = BytesLib.toUint256(BytesLib.slice(_msg, durationOffset_, 32), 0);`

This is already like that.

0xRektora commented 5 months ago

You might've audited the wrong commit hash codebase. The default branch has been changed to `dev` to avoid further confusion.