Omniscia Swisscoast Audit
KeysLib Manual Review Findings
KLB-01M: Inexistent Validation of Non-Zero Address
Type | Severity | Location |
---|---|---|
Input Sanitization | | KeysLib.sol:L33 |
Description:
The KeysLib::generateKey function will default to configuring the delegatableContractId member to the stableCoinProxyAddress input address; however, the stableCoinProxyAddress is never validated.
Impact:
As the KeysLib::generateKey implementation remains unused within the codebase, we cannot reliably assess the severity of this exhibit.
Example:
```solidity
18 /**
19  * @dev Generates a IHederaTokenService.KeyValue depending on a public key
20  *
21  * @param publicKey The public key
22  * @param stableCoinProxyAddress The stablecoin proxy address
23  * @param isED25519 A flag that indicates if the public key is an Ed25519 key
24  */
25 function generateKey(
26     bytes memory publicKey,
27     address stableCoinProxyAddress,
28     bool isED25519
29 ) internal pure returns (IHederaTokenService.KeyValue memory) {
30     // If the Public Key is empty we assume the user has chosen the proxy
31     IHederaTokenService.KeyValue memory key;
32     if (publicKey.length == 0)
33         key.delegatableContractId = stableCoinProxyAddress;
34     else if (isED25519) key.ed25519 = publicKey;
35     else key.ECDSA_secp256k1 = publicKey;
36
37     return key;
38 }
```
Recommendation:
We advise the stableCoinProxyAddress to be validated as non-zero, preventing an all-zeroes KeyValue entry from being yielded by the KeysLib::generateKey function.
Alleviation (04618e407bddce5b22e9cadd787fd3334bd3afe6):
The file specified by the exhibit is no longer present in the codebase, rendering it inapplicable.
KLB-02M: Insecure Offset of Key Bit
Type | Severity | Location |
---|---|---|
Input Sanitization | | KeysLib.sol:L46-L51 |
Description:
The KeysLib::containsKey function will utilize the keyBitIndex offset without actually validating that it is less-than-or-equal-to 255, the maximum supported bit index for the uint256 data type.
Impact:
As the KeysLib::containsKey implementation remains unused within the codebase, we cannot reliably assess the severity of this exhibit.
Example:
```solidity
40 /**
41  * @dev Checks if a token key exists depending on the key bit index and the key type
42  *
43  * @param keyBitIndex The key bit index
44  * @param keyType The key type
45  */
46 function containsKey(
47     uint256 keyBitIndex,
48     uint256 keyType
49 ) internal pure returns (bool) {
50     return (bytes32(keyType) & bytes32(1 << keyBitIndex)) != 0;
51 }
```
Recommendation:
We advise a require check to be introduced, ensuring that the keyBitIndex is less-than-or-equal-to the maximum value of the uint8 data type (i.e. type(uint8).max).
Alleviation (04618e407bddce5b22e9cadd787fd3334bd3afe6):
The file specified by the exhibit is no longer present in the codebase, rendering it inapplicable.
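The recommendations of KLB-01M and KLB-02M applied to the two exhibited functions, as an added example that is not the audited project's code. The library name `KeysLibHardened`, the local `KeyValue` stand-in struct, the compiler version and the revert strings are assumptions, and the non-zero check is placed in the fallback branch, the only place the proxy address is used.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16; // assumed compiler version

// Added example; KeysLibHardened is a hypothetical name, not a project contract.
library KeysLibHardened {
    // Local stand-in (assumption) holding only the
    // IHederaTokenService.KeyValue members the exhibit touches.
    struct KeyValue {
        bytes ed25519;
        bytes ECDSA_secp256k1;
        address delegatableContractId;
    }

    function generateKey(
        bytes memory publicKey,
        address stableCoinProxyAddress,
        bool isED25519
    ) internal pure returns (KeyValue memory key) {
        if (publicKey.length == 0) {
            // KLB-01M: an empty public key falls back to the proxy address.
            // A zero address here would yield a KeyValue with every member
            // unset, so reject it before assigning.
            require(
                stableCoinProxyAddress != address(0),
                "KeysLib: zero proxy address"
            );
            key.delegatableContractId = stableCoinProxyAddress;
        } else if (isED25519) {
            key.ed25519 = publicKey;
        } else {
            key.ECDSA_secp256k1 = publicKey;
        }
    }

    function containsKey(
        uint256 keyBitIndex,
        uint256 keyType
    ) internal pure returns (bool) {
        // KLB-02M: shifts are not overflow-checked, even in Solidity 0.8.
        // For keyBitIndex >= 256 the mask (1 << keyBitIndex) evaluates to 0,
        // so the unguarded function silently returns false instead of failing.
        require(
            keyBitIndex <= type(uint8).max,
            "KeysLib: key bit index out of range"
        );
        return (keyType & (uint256(1) << keyBitIndex)) != 0;
    }
}
```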