Incorrect string length validation in derive_string_concat() in aggregator_v2.move module. #335

@supra-yoga

Description

The derive_string_concat function is intended to enforce a 256-byte limit on the combined prefix and
suffix length, as documented in the Move interface.

```move
/// aggregator_v2/aggregator_v2.move
/// Arguments passed to concat exceed the max limit of 256 bytes (for prefix and suffix together).
const ECONCAT_STRING_LENGTH_TOO_LARGE: u64 = 8;

/// Concatenates `before`, `snapshot` and `after` into a single string.
/// snapshot passed needs to have integer type - currently supported types are u64 and u128.
/// Raises EUNSUPPORTED_AGGREGATOR_SNAPSHOT_TYPE if called with another type.
/// If length of prefix and suffix together exceed 256 bytes,
/// ECONCAT_STRING_LENGTH_TOO_LARGE is raised.
/// Parallelism info: This operation enables parallelism.
public native fun derive_string_concat<IntElement>(before: String,
    snapshot: &AggregatorSnapshot<IntElement>, after: String): DerivedStringSnapshot;
```

However, the native implementation incorrectly uses DERIVED_STRING_INPUT_MAX_LENGTH = 1024,
allowing inputs up to 1024 bytes instead of the intended 256 bytes. This means the function accepts
inputs that are 4x larger than the design specification, creating a significant gap between intended
and actual behavior.

```rust
/// aggregator_natives/aggregator_v2.rs
/// The maximum length of the input string for derived string snapshot.
/// If we want to increase this, we need to modify BITS_FOR_SIZE in types/src/delayed_fields.rs
pub const DERIVED_STRING_INPUT_MAX_LENGTH: usize = 1024;
```

When users provide inputs between 256 and 1024 bytes, these pass validation but can break application
logic designed around the 256-byte specification. Systems expecting the intended 256-byte limit
may experience buffer overflows or resource exhaustion when processing unexpectedly large
1024-byte inputs.

Recommendation

Fix the native Rust constant to 256 in aggregator_natives/aggregator_v2.rs:

```rust
pub const DERIVED_STRING_INPUT_MAX_LENGTH: usize = 256;
```
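To make the validation gap concrete, below is an added Rust model of the length guard; it is not the framework's own native code. It assumes the native check is simply prefix length plus suffix length in bytes against the constant, reuses the abort code documented in the Move interface, and shows which inputs the 1024-byte constant lets through that the documented 256-byte limit (the recommended fix) would reject.

```rust
// Added model of the native length guard, not the framework's aggregator_v2.rs.
// Assumption: the native compares prefix bytes + suffix bytes against the constant.

/// Abort code documented in aggregator_v2.move.
pub const ECONCAT_STRING_LENGTH_TOO_LARGE: u64 = 8;
/// Limit the Move interface documents.
pub const DOCUMENTED_MAX_LENGTH: usize = 256;
/// Limit the native implementation currently enforces (the reported bug).
pub const NATIVE_MAX_LENGTH: usize = 1024;

/// Mirrors the guard: reject when prefix and suffix together exceed `max`.
/// Returns the combined length on success, the Move abort code on failure.
pub fn check_concat_len(before: &[u8], after: &[u8], max: usize) -> Result<usize, u64> {
    // Checked addition so two oversized inputs cannot wrap past the guard.
    let total = before
        .len()
        .checked_add(after.len())
        .ok_or(ECONCAT_STRING_LENGTH_TOO_LARGE)?;
    if total > max {
        Err(ECONCAT_STRING_LENGTH_TOO_LARGE)
    } else {
        Ok(total)
    }
}

/// True when the input is accepted under the native constant but would be
/// rejected under the documented one, i.e. it lies in the 257..=1024 byte window.
pub fn in_validation_gap(before: &[u8], after: &[u8]) -> bool {
    check_concat_len(before, after, NATIVE_MAX_LENGTH).is_ok()
        && check_concat_len(before, after, DOCUMENTED_MAX_LENGTH).is_err()
}

fn main() {
    // Constructed sample: 200-byte prefix plus 100-byte suffix = 300 bytes total.
    let before = vec![b'a'; 200];
    let after = vec![b'b'; 100];
    let native = check_concat_len(&before, &after, NATIVE_MAX_LENGTH);
    let documented = check_concat_len(&before, &after, DOCUMENTED_MAX_LENGTH);
    println!("native (1024) result:     {:?}", native);
    println!("documented (256) result:  {:?}", documented);
    println!("in validation gap:        {}", in_validation_gap(&before, &after));
}
```

Switching `NATIVE_MAX_LENGTH` to 256, as the recommendation does, makes `in_validation_gap` false for every input.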
