VeChain
Contractual Blake2b: from dynamically sized bit array to fixed-size 32bit array

Created May 27, 2018

Target

Smart contracts using Blake2b hashs

Solidity file Extension.sol contains a function that inputs a dynamic array and outputs a 32bit Blake2b hash.

Here is the abridged flow of this method:

File: Extension.sol Method: blake2b256 input: bytes
output: bytes32 Method: ExtensionNative input: bytes
output: bytes32

File: nativecalls.go Method: nativeblake2b256 input: []byte output: thor.Bytes32 (impl.)

File: extension.go Method: Blake2b256 input: []byte output: thor.Bytes32

It is logical for this function to have a dynamically-sized array as input and a fixed-size array as output because of the large upper bound of blake2b (i.e. the input array can have any size).

Given that the algorithm is isolated--via native calls--from the pure contractual logic and can be later modified, would it not be wiser to assert, in the contract, that the output of the hashing function is, indeed, a fixed-size 32 bit array?

Open /builtin/gen/Extension.sol

Very low and hypothetical.

I evaluate the severity level as None because I do not know how this lack of assertion could realistically become a vulnerability. This is more a FYI.

Thus, I understand and acknowledge that this report will not be unrewarded.