Hi! Doyensec has been engaged to perform a security assessment of this library. I will be opening issues to document our findings.
Description
Tezos transactions can define custom entrypoints starting from protocol version 5. According to the official documentation, the maximum length of a custom entrypoint name is 31 characters, but taquito does not enforce this limit when encoding or decoding transactions.
This is an extract from the documentation:
The entrypoint format is as follows:
one byte 0 for entrypoint %default
one byte 1 for entrypoint %root
[...]
one byte 255 for a named entrypoint, then one byte of entrypoint name size (limited to 31), and the name itself
This is the relevant code from codec.ts:
Observe that no checks are performed on the length of the entrypoint name being encoded or decoded. You might want to consider enforcing the size limit required by the specification.
<sales pitch>If you're looking for an independent vendor to perform security testing or to develop security automation solutions, let us know! https://doyensec.com</sales pitch>
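As an added illustration, not Taquito's own codec.ts (which the issue refers to but is not reproduced on this page), the following TypeScript models the entrypoint field exactly as the quoted documentation describes it: tag 0 for %default, tag 1 for %root, tag 255 followed by a one-byte name length and the name. The fixed tags the quote elides with "[...]" are deliberately not modeled. `encodeEntrypointUnchecked` shows the behaviour the issue describes (no length check, so the length byte silently wraps modulo 256 for names of 256 bytes or more); `encodeEntrypoint` and `decodeEntrypoint` enforce the 31-byte limit on both sides. All function and constant names are this example's own, and the sample names are constructed.

```typescript
// Added example, not code from the Taquito project. Models the entrypoint
// encoding quoted in the issue: 0 = %default, 1 = %root, 255 = named entrypoint
// followed by one length byte (limited to 31) and the name bytes.
const MAX_ENTRYPOINT_NAME_LENGTH = 31; // "limited to 31" in the spec extract
const TAG_DEFAULT = 0x00;
const TAG_ROOT = 0x01;
const TAG_NAMED = 0xff;

interface DecodedEntrypoint {
  name: string;
  consumed: number; // bytes read, starting at the given offset
}

// Encoder with no length check: the pattern the issue reports. Any name is
// accepted; because the length is stored in a Uint8Array, a length of 256 or
// more wraps modulo 256, so the length byte no longer matches the payload.
function encodeEntrypointUnchecked(name: string): Uint8Array {
  if (name === 'default') return Uint8Array.of(TAG_DEFAULT);
  if (name === 'root') return Uint8Array.of(TAG_ROOT);
  const bytes = new TextEncoder().encode(name);
  const out = new Uint8Array(2 + bytes.length);
  out[0] = TAG_NAMED;
  out[1] = bytes.length; // stored as (length mod 256), no check
  out.set(bytes, 2);
  return out;
}

// Hardened encoder: refuses names longer than the spec allows before emitting
// anything, so the length byte always describes the payload.
function encodeEntrypoint(name: string): Uint8Array {
  if (name === 'default') return Uint8Array.of(TAG_DEFAULT);
  if (name === 'root') return Uint8Array.of(TAG_ROOT);
  const bytes = new TextEncoder().encode(name);
  if (bytes.length > MAX_ENTRYPOINT_NAME_LENGTH) {
    throw new RangeError(
      `entrypoint name is ${bytes.length} bytes, limit is ${MAX_ENTRYPOINT_NAME_LENGTH}`,
    );
  }
  const out = new Uint8Array(2 + bytes.length);
  out[0] = TAG_NAMED;
  out[1] = bytes.length;
  out.set(bytes, 2);
  return out;
}

// Hardened decoder: validates the tag, the declared length against the spec
// limit, and the declared length against the bytes actually available, so a
// crafted length byte can neither exceed 31 nor read past the buffer.
function decodeEntrypoint(buf: Uint8Array, offset = 0): DecodedEntrypoint {
  if (offset >= buf.length) throw new RangeError('unexpected end of input');
  const tag = buf[offset];
  switch (tag) {
    case TAG_DEFAULT:
      return { name: 'default', consumed: 1 };
    case TAG_ROOT:
      return { name: 'root', consumed: 1 };
    case TAG_NAMED: {
      if (offset + 1 >= buf.length) throw new RangeError('missing entrypoint length byte');
      const len = buf[offset + 1];
      if (len > MAX_ENTRYPOINT_NAME_LENGTH) {
        throw new RangeError(`entrypoint name length ${len} exceeds ${MAX_ENTRYPOINT_NAME_LENGTH}`);
      }
      const end = offset + 2 + len;
      if (end > buf.length) throw new RangeError('truncated entrypoint name');
      // fatal: true rejects invalid UTF-8 instead of substituting U+FFFD
      const name = new TextDecoder('utf-8', { fatal: true }).decode(buf.subarray(offset + 2, end));
      return { name, consumed: 2 + len };
    }
    default:
      // Tags the quoted extract elides are intentionally not modeled here.
      throw new RangeError(`entrypoint tag ${tag} not modeled in this example`);
  }
}
```

Feeding the unchecked encoder a 40-byte name produces a length byte of 40, which the hardened decoder rejects outright; a 300-byte name produces a length byte of 44, so an unchecked decoder would read 44 bytes of the name and treat the remaining 256 as the start of the next field, which is the kind of misparse the length check exists to prevent.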