Entrypoint name encoding can violate Tezos specifications #265
Hi! Doyensec has been engaged to perform a security assessment of this library. I will be opening issues to document our findings.
Description
Tezos transactions can define custom entrypoints starting from protocol version 5. According to the official documentation, the maximum length of custom entrypoints is 31 characters, but taquito does not enforce this limitation when encoding or decoding transactions.
This is an extract from the documentation:
This is the relevant code from codec.ts:
Observe that no checks are performed on the length of the entrypoint name being encoded or decoded. You might want to consider enforcing the size limit required by the specification.
<sales pitch>If you’re looking for an independent vendor to perform security testing or to develop security automation solutions, let us know! https://doyensec.com</sales pitch>
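One way to enforce the limit described in the issue above on both the encode and decode paths, as an added example that is not taquito's `codec.ts` and not part of the original report. It assumes a custom entrypoint is serialized as a tag byte `0xff`, a one-byte length and an ASCII name, handled as a hex string; the function names are hypothetical.

```typescript
// Added example, not taquito code. Assumed wire layout for a custom entrypoint:
// tag byte 0xff, one length byte, then the ASCII name, handled as a hex string.
const MAX_ENTRYPOINT_LENGTH = 31; // limit quoted in the issue
const NAMED_TAG = 'ff'; // assumption: tag marking a custom (named) entrypoint

const hexByte = (n: number): string => (n < 16 ? '0' : '') + n.toString(16);

function encodeNamedEntrypoint(name: string): string {
  // Reject before serializing, so an oversized name never reaches the wire.
  if (name.length > MAX_ENTRYPOINT_LENGTH) {
    throw new Error(`entrypoint name is ${name.length} bytes, max is ${MAX_ENTRYPOINT_LENGTH}`);
  }
  let body = '';
  for (let i = 0; i < name.length; i++) {
    const code = name.charCodeAt(i);
    // Assumption for this example: names are ASCII, so 1 character == 1 byte.
    if (code > 0x7f) throw new Error('entrypoint name must be ASCII');
    body += hexByte(code);
  }
  return NAMED_TAG + hexByte(name.length) + body;
}

function decodeNamedEntrypoint(hex: string): { name: string; rest: string } {
  if (!/^(?:[0-9a-f]{2})*$/i.test(hex)) throw new Error('input is not hex bytes');
  if (hex.length < 4 || hex.slice(0, 2).toLowerCase() !== NAMED_TAG) {
    throw new Error('not a named entrypoint');
  }
  // The length byte can declare up to 255, so check it before slicing.
  const declared = parseInt(hex.slice(2, 4), 16);
  if (declared > MAX_ENTRYPOINT_LENGTH) {
    throw new Error(`declared entrypoint length ${declared} exceeds ${MAX_ENTRYPOINT_LENGTH}`);
  }
  const end = 4 + 2 * declared;
  if (hex.length < end) throw new Error('truncated entrypoint name');
  let name = '';
  for (let i = 4; i < end; i += 2) {
    const byte = parseInt(hex.slice(i, i + 2), 16);
    if (byte > 0x7f) throw new Error('entrypoint name must be ASCII');
    name += String.fromCharCode(byte);
  }
  // Return the unread remainder so a caller can keep decoding the operation.
  return { name, rest: hex.slice(end) };
}
```

The decoder checks the declared length before reading the name, so a length byte above 31 is rejected even when the rest of the input is well formed.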