Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Entrypoint name encoding can violate Tezos specifications #265
Hi! Doyensec has been engaged to perform a security assessment of this library. I will be opening issues to document our findings.
Tezos transactions can define custom entrypoints starting from protocol version 5. According to the official documentation, custom entrypoints maximum length is 31 characters, but taquito does not enforce this limitation when encoding or decoding transactions.
This is an extract from the documentation:
This is the relevant code from codec.ts:
Observe that no checks are performed on the length of the entrypoint name being encoded or decoded. You might want to consider enforcing the size limit required by the specification.
<sales pitch>If you’re looking for an independent vendor to perform security testing or to develop security automation solutions, let us know! https://doyensec.com</sales pitch>