Closed sherlock-admin2 closed 1 week ago
This isn't a real issue or related to ARC-41. `authorize` is only called by someone initiating a transaction, not by the validators verifying the transaction. If it panics, a user will have to try to generate a transaction again. Since validators don't call this function (unless they're also making transactions as part of some script), we shouldn't have to worry about a panic here.
pwning_dev
High
Error Handling in `authorize` Function could lead to DoS attack
Summary
The `authorize` function uses `impl TryInto<ProgramID<N>>` and `impl TryInto<Identifier<N>>` for `program_id` and `function_name` parameters respectively. This conversion may fail, leading to a potential panic if not properly handled. The absence of explicit error handling for these conversions can cause the entire function to panic, resulting in a crash and potential denial of service (DoS).
Vulnerability Detail
Impact
Denial of Service (DoS): If the `TryInto` conversion fails, it can cause the application to panic, leading to a service interruption.
POC
Code Snippet
https://github.com/sherlock-audit/2024-05-aleo/blob/main/snarkVM/synthesizer/process/src/authorize.rs#L20
Tool used
Manual Review
Recommendation
Add explicit error handling for `TryInto` conversions in the authorize function:
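The distinction the report and the reply turn on, as an added Rust example that is not part of the original thread and is not snarkVM code: a failed `TryInto` conversion either comes back to the caller as an `Err`, or panics if it is unwrapped. `ProgramId`, `Identifier`, the naming rule, and the functions `authorize_checked`, `authorize_unwrapping` and `unwrapping_panics` are hypothetical stand-ins, and the inputs are constructed.

```rust
use std::convert::{TryFrom, TryInto};
use std::panic;

// Hypothetical stand-ins for the ProgramID<N> and Identifier<N> types named in the report.
#[derive(Debug, PartialEq)]
pub struct ProgramId(pub String);
#[derive(Debug, PartialEq)]
pub struct Identifier(pub String);
type Call = (ProgramId, Identifier);
// Assumed naming rule for this sketch: a lowercase letter first, then [a-z0-9_].
fn valid_name(s: &str) -> bool {
    s.starts_with(|c: char| c.is_ascii_lowercase())
        && s.chars().all(|c| c.is_ascii_lowercase() || c.is_ascii_digit() || c == '_')
}
impl<'a> TryFrom<&'a str> for Identifier {
    type Error = String;
    fn try_from(s: &'a str) -> Result<Self, String> {
        if valid_name(s) { Ok(Identifier(s.into())) } else { Err(format!("bad identifier: {}", s)) }
    }
}
impl<'a> TryFrom<&'a str> for ProgramId {
    type Error = String;
    fn try_from(s: &'a str) -> Result<Self, String> {
        let ok = s.strip_suffix(".aleo").map_or(false, valid_name);
        if ok { Ok(ProgramId(s.into())) } else { Err(format!("bad program ID: {}", s)) }
    }
}

// Conversion failures are mapped to an Err that the caller receives.
pub fn authorize_checked(p: impl TryInto<ProgramId>, f: impl TryInto<Identifier>) -> Result<Call, String> {
    let program_id = p.try_into().map_err(|_| "invalid program ID".to_string())?;
    let function_name = f.try_into().map_err(|_| "invalid function name".to_string())?;
    Ok((program_id, function_name))
}

// Same inputs, but the conversions are unwrapped: bad input panics instead of returning.
pub fn authorize_unwrapping(p: impl TryInto<ProgramId>, f: impl TryInto<Identifier>) -> Call {
    let program_id = p.try_into().unwrap_or_else(|_| panic!("invalid program ID"));
    let function_name = f.try_into().unwrap_or_else(|_| panic!("invalid function name"));
    (program_id, function_name)
}

// True if the unwrapping variant panicked on the given (constructed) input.
pub fn unwrapping_panics(p: &str, f: &str) -> bool {
    panic::catch_unwind(|| authorize_unwrapping(p, f)).is_err()
}
fn main() {
    println!("{:?}", authorize_checked("Credits", "transfer_public"));
}
```

Only the unwrapping variant turns malformed input into a panic. With the `map_err(...)?` form, the same input produces an error value in the process that made the call.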