Smart contracts using Blake2b hashs
Solidity file Extension.sol contains a function that inputs a dynamic array and outputs a 32bit Blake2b hash.
Here is the abridged flow of this method:
output: bytes32 Method: ExtensionNative input: bytes
File: nativecalls.go Method: nativeblake2b256 input: byte output: thor.Bytes32 (impl.)
File: extension.go Method: Blake2b256 input: byte output: thor.Bytes32
It is logical for this function to have a dynamically-sized array as input and a fixed-size array as output because of the large upper bound of blake2b (i.e. the input array can have any size).
Given that the algorithm is isolated--via native calls--from the pure contractual logic and can be later modified, would it not be wiser to assert, in the contract, that the output of the hashing function is, indeed, a fixed-size 32 bit array?
Very low and hypothetical.
Add an assert into function blake2b256(bytes _value) public view returns(bytes32) that checks that ExtensionNative(this).nativeblake2b256(value) returns a 32bit array?
I evaluate the severity level as None because I do not know how this lack of assertion could realistically become a vulnerability. This is more a FYI.
Thus, I understand and acknowledge that this report will not be unrewarded.