Security Finding
Description
This logic_error stems from how BytesMemory::unwrap() handles short slices. The function allocates a new bytes object and then branches by length. For slices longer than 32 bytes it delegates the copy to the identity precompile, but for length <= 32 it copies a single word with no masking.
[Truncated - see PR for full details]
Location
BytesMemory.sol:L54-L68 in unwrap (BytesMemory)
Impact
Any consumer that relies on slices to hide part of a bytes object (e.g., redacting signatures, keeping upcoming order details private, or truncating authentication payloads) cannot enforce that boundary. Attackers can read up to 31 bytes of unintended data per call, which may disclose sensitive information or undermine higher-level protocols.
Recommendation
Copy exactly length bytes for every slice so that padding never contains live data. The simplest fix is to reuse the identity precompile for all non-zero lengths, guaranteeing that only the requested bytes are written.
[Truncated - see PR for full details]
Created by CARA Security Audit via Cygent
Security Finding
Description
This logic_error stems from how
BytesMemory::unwrap()handles short slices. The function allocates a newbytesobject and then branches by length. For slices longer than 32 bytes it delegates the copy to the identity precompile, but forlength <= 32it copies a single word with no masking.[Truncated - see PR for full details]
Location
BytesMemory.sol:L54-L68inunwrap(BytesMemory)Impact
Any consumer that relies on slices to hide part of a
bytesobject (e.g., redacting signatures, keeping upcoming order details private, or truncating authentication payloads) cannot enforce that boundary. Attackers can read up to 31 bytes of unintended data per call, which may disclose sensitive information or undermine higher-level protocols.Recommendation
Copy exactly
lengthbytes for every slice so that padding never contains live data. The simplest fix is to reuse the identity precompile for all non-zero lengths, guaranteeing that only the requested bytes are written.[Truncated - see PR for full details]
Created by CARA Security Audit via Cygent