Target
Smart contracts using Blake2b hashes
The Solidity file Extension.sol contains a function that inputs a dynamic array and outputs a 32bit Blake2b hash.
Here is the abridged flow of this method:
File: Extension.sol
Method: blake2b256
input: bytes
output: bytes32
Method: ExtensionNative
input: bytes
output: bytes32
⇩
File: nativecalls.go
Method: nativeblake2b256
input: []byte
output: thor.Bytes32 (impl.)
⇩
File: extension.go
Method: Blake2b256
input: []byte
output: thor.Bytes32
It is logical for this function to have a dynamically-sized array as input and a fixed-size array as output because of the large upper bound of blake2b (i.e. the input array can have any size).
Given that the algorithm is isolated--via native calls--from the pure contractual logic and can be later modified, would it not be wiser to assert, in the contract, that the output of the hashing function is, indeed, a fixed-size 32 bit array?
Open /builtin/gen/Extension.sol
Very low and hypothetical.
Add an assert into function blake2b256(bytes _value) public view returns(bytes32) that checks that ExtensionNative(this).nativeblake2b256(value) returns a 32bit array?
I evaluate the severity level as None because I do not know how this lack of assertion could realistically become a vulnerability. This is more a FYI.
Thus, I understand and acknowledge that this report will not be unrewarded.
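The boundary check suggested in the report, sketched as an added example (not code from the report or from the project). It uses Python's standard hashlib as a stand-in for the native call; the function names, the "modified" implementation and the sample inputs are constructed for illustration, and the expected digest length is the 32 bytes of a bytes32.

```python
import hashlib
from typing import Callable, Iterable, List

DIGEST_LEN = 32  # bytes32 on the contract side holds 32 bytes


def native_blake2b256(data: bytes) -> bytes:
    """Stand-in for the native implementation: BLAKE2b with a 32-byte digest."""
    return hashlib.blake2b(data, digest_size=DIGEST_LEN).digest()


def modified_native(data: bytes) -> bytes:
    """Constructed 'later modification': digest_size is dropped, so hashlib
    falls back to its default 64-byte digest (BLAKE2b-512)."""
    return hashlib.blake2b(data).digest()


def checked_blake2b256(
    data: bytes, native: Callable[[bytes], bytes] = native_blake2b256
) -> bytes:
    """Caller-side wrapper: reject any digest that is not exactly 32 bytes."""
    digest = native(data)
    if len(digest) != DIGEST_LEN:
        raise ValueError(f"expected {DIGEST_LEN}-byte digest, got {len(digest)}")
    return digest


def digest_lengths(sizes: Iterable[int]) -> List[int]:
    """Digest length for an all-zero input of each size (constructed inputs)."""
    return [len(checked_blake2b256(b"\x00" * n)) for n in sizes]


if __name__ == "__main__":
    # Input size varies freely; the digest length does not.
    print(digest_lengths([0, 1, 32, 1000, 100_000]))
    # Swapping in the modified implementation trips the boundary check.
    try:
        checked_blake2b256(b"abc", native=modified_native)
    except ValueError as err:
        print("rejected:", err)
```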