Description
The derive_string_concat function is intended to enforce a 256-byte limit on the combined prefix and
suffix length, as documented in the Move interface.
```move
/// aggregator_v2/aggregator_v2.move
/// Arguments passed to concat exceed the max limit of 256 bytes (for prefix and suffix together).
const ECONCAT_STRING_LENGTH_TOO_LARGE: u64 = 8;

/// Concatenates `before`, `snapshot` and `after` into a single string.
/// snapshot passed needs to have integer type - currently supported types are u64 and u128.
/// Raises EUNSUPPORTED_AGGREGATOR_SNAPSHOT_TYPE if called with another type.
/// If length of prefix and suffix together exceed 256 bytes,
/// ECONCAT_STRING_LENGTH_TOO_LARGE is raised.
/// Parallelism info: This operation enables parallelism.
public native fun derive_string_concat<IntElement>(
    before: String,
    snapshot: &AggregatorSnapshot<IntElement>,
    after: String,
): DerivedStringSnapshot;
```
However, the native implementation uses `DERIVED_STRING_INPUT_MAX_LENGTH = 1024`, so it accepts inputs of up to 1024 bytes instead of the documented 256 bytes. The function therefore accepts inputs 4x larger than the design specification, creating a significant gap between the documented and the actual behavior.
```rust
/// aggregator_natives/aggregator_v2.rs
/// The maximum length of the input string for derived string snapshot.
/// If we want to increase this, we need to modify BITS_FOR_SIZE in types/src/delayed_fields.rs
pub const DERIVED_STRING_INPUT_MAX_LENGTH: usize = 1024;
```
When users provide inputs between 256 and 1024 bytes in combined length, these pass native validation but can break application logic written against the documented 256-byte specification. Systems expecting the intended 256-byte limit may experience buffer overflows or resource exhaustion when processing unexpectedly large 1024-byte inputs.
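To make the gap concrete, here is an added stand-alone model of the combined-length check (not the project's native code); the function and constant names `check_concat_inputs`, `slips_through`, `DERIVED_STRING_INPUT_MAX_LENGTH_ACTUAL` and `DERIVED_STRING_INPUT_MAX_LENGTH_SPEC` are illustrative, and only the abort code `8` comes from the Move interface above. It shows a constructed 300-byte prefix/suffix pair being accepted under the shipped 1024-byte limit and rejected under the documented 256-byte limit.

```rust
// Added example: models the length check derive_string_concat is documented
// to perform. Names below are illustrative, not the project's own.

/// Abort code from the Move interface (aggregator_v2.move).
pub const ECONCAT_STRING_LENGTH_TOO_LARGE: u64 = 8;

/// Limit the shipped native implementation enforces (the reported bug).
pub const DERIVED_STRING_INPUT_MAX_LENGTH_ACTUAL: usize = 1024;

/// Limit the Move documentation promises callers.
pub const DERIVED_STRING_INPUT_MAX_LENGTH_SPEC: usize = 256;

/// Validate the combined length of `before` and `after` against `max_len`,
/// returning the Move abort code on failure. The lengths are summed with
/// `checked_add` so an oversized pair can never wrap the total to a small value.
pub fn check_concat_inputs(before: &[u8], after: &[u8], max_len: usize) -> Result<(), u64> {
    let total = before
        .len()
        .checked_add(after.len())
        .ok_or(ECONCAT_STRING_LENGTH_TOO_LARGE)?;
    if total > max_len {
        return Err(ECONCAT_STRING_LENGTH_TOO_LARGE);
    }
    Ok(())
}

/// True when an input pair is accepted by the shipped 1024-byte check but
/// would be rejected by the documented 256-byte limit: exactly the range
/// (257..=1024 bytes combined) that downstream logic is not prepared for.
pub fn slips_through(before: &[u8], after: &[u8]) -> bool {
    check_concat_inputs(before, after, DERIVED_STRING_INPUT_MAX_LENGTH_ACTUAL).is_ok()
        && check_concat_inputs(before, after, DERIVED_STRING_INPUT_MAX_LENGTH_SPEC).is_err()
}

fn main() {
    // Constructed inputs: 200-byte prefix + 100-byte suffix = 300 bytes combined.
    let before = vec![b'a'; 200];
    let after = vec![b'b'; 100];
    println!(
        "300-byte pair: passes 1024 limit = {}, passes 256 limit = {}, slips through = {}",
        check_concat_inputs(&before, &after, DERIVED_STRING_INPUT_MAX_LENGTH_ACTUAL).is_ok(),
        check_concat_inputs(&before, &after, DERIVED_STRING_INPUT_MAX_LENGTH_SPEC).is_ok(),
        slips_through(&before, &after)
    );
}
```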
Recommendation
Fix the native Rust constant to 256 in `aggregator_natives/aggregator_v2.rs`:

```rust
pub const DERIVED_STRING_INPUT_MAX_LENGTH: usize = 256;
```