Freeze Bridge via Non-UTF8/long Token Name/Symbol/Denom

[facundomedica]

I haven't personally checked this one. I don't understand if the fix needs to be made on the contract or on the peggo side.

Refs:

• Freeze The Bridge Via Large ERC20 Names/Symbols/Denoms code-423n4/2021-08-gravitybridge-findings#5
• Freeze Bridge via Non-UTF8 Token Name/Symbol/Denom code-423n4/2021-08-gravitybridge-findings#4

---

For Admin Use

• Not duplicate issue
• Appropriate labels applied
• Appropriate contributors tagged
• Contributor assigned/self-assigned

[facundomedica]

I've tested code-423n4/2021-08-gravitybridge-findings#4 and couldn't replicate it with the data provided. (https://goerli.etherscan.io/tx/0xd2dd31ca4821d4e4e8205dc3e6a83cf5078350e0e02707eedc33752f39b25dbb)

I've tested code-423n4/2021-08-gravitybridge-findings#5 and couldn't replicate it with adding a ton of characters. (https://goerli.etherscan.io/tx/0xc8939370c557c798a8bfcb737bd486278c173a0469878623850cbb3e32c99835)

I think that if this issue happens then the problem is not with the contract but with Peggo or/and Peggy; so I'll remove the label

[alexanderbez]

@facundomedica what's the latest here? Can we close this or is it still a vulnerability?

[facundomedica]

I'm not sure. I couldn't replicate it, but reading through the linked issues, this is still valid. There are some solutions being discussed:

• Freeze Bridge via Non-UTF8 Token Name/Symbol/Denom PeggyJV/gravity-bridge#295
• Freeze Bridge via Non-UTF8 Token Name/Symbol/Denom code-423n4/2021-08-gravitybridge-findings#4 (comment)

I just thought about testing it by sending random bytes, would that be enough to close this? 🤔