Merge pull request from GHSA-wprv-93r4-jj2p

Hadrien Croubois
2023-06-16 22:17:41 +02:00
committed by GitHub
parent f03420b5c7
commit 4d2383e171
3 changed files with 35 additions and 6 deletions


@ -1,11 +1,8 @@
require('@openzeppelin/test-helpers');
const { expectRevert } = require('@openzeppelin/test-helpers');
const { expect } = require('chai');
const { MerkleTree } = require('merkletreejs');
const keccak256 = require('keccak256');
const { expect } = require('chai');
const MerkleProof = artifacts.require('$MerkleProof');
contract('MerkleProof', function () {
@ -176,5 +173,28 @@ contract('MerkleProof', function () {
expect(await this.merkleProof.$multiProofVerify([root], [], root, [])).to.equal(true);
expect(await this.merkleProof.$multiProofVerifyCalldata([root], [], root, [])).to.equal(true);
});
it('reverts processing manipulated proofs with a zero-value node at depth 1', async function () {
// Create a merkle tree that contains a zero leaf at depth 1
const leaves = [keccak256('real leaf'), Buffer.alloc(32, 0)];
const merkleTree = new MerkleTree(leaves, keccak256, { sortPairs: true });
const root = merkleTree.getRoot();
// Now we can pass any ** malicious ** fake leaves as valid!
const maliciousLeaves = ['some', 'malicious', 'leaves'].map(keccak256).sort(Buffer.compare);
const maliciousProof = [leaves[0], leaves[0]];
const maliciousProofFlags = [true, true, false];
await expectRevert(
this.merkleProof.$multiProofVerify(maliciousProof, maliciousProofFlags, root, maliciousLeaves),
'MerkleProof: invalid multiproof',
);
await expectRevert(
this.merkleProof.$multiProofVerifyCalldata(maliciousProof, maliciousProofFlags, root, maliciousLeaves),
'MerkleProof: invalid multiproof',
);
});
});
});
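Review bot: The new regression test passes 3 leaves, 2 proof elements and 3 flags to `$multiProofVerify` and `$multiProofVerifyCalldata`, so it may never reach the behaviour this advisory fixes. If the library rejects inputs where `leaves.length + proof.length - 1 != proofFlags.length` before processing (the Solidity side is not shown in this section), both `expectRevert` assertions would succeed on that length check alone. Confirm that the test fails against the parent commit; if it does not, make the lengths consistent, e.g. `const maliciousLeaves = ['malicious', 'leaves'].map(keccak256).sort(Buffer.compare);`. The comment `// Now we can pass any ** malicious ** fake leaves as valid!` describes the pre-fix behaviour and reads as if the call succeeds; `// Before the fix this forged input verified against the root; it must now revert` would match the assertions.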