
fix: ERC1155 safeBatchTransferFrom parser trusts unvalidated dynamic offsets and can spoof the review UI#1007

Merged
cedelavergne-ledger merged 1 commit into develop from security/merlin-0e9211a on May 11, 2026

Conversation


@cerberus-production cerberus-production Bot commented Apr 28, 2026

Summary

Automated security fix for ERC1155 safeBatchTransferFrom parser trusts unvalidated dynamic offsets and can spoof the review UI (High).

CWE: CWE-20
OWASP: A04:2021-Insecure Design
Fix Confidence: high

What Changed

Hardened the ERC1155 batch-transfer parser against spoofed calldata layouts. For both TOKEN_IDS_LENGTH and VALUE_LENGTH: if the current sequential parameterOffset has not yet reached the declared offset, keep waiting; if it has passed/does not match exactly, abort with ETH_PLUGIN_RESULT_ERROR. This prevents attacker-chosen ids_offset/values_offset values that point backwards, overlap, or are non-32-byte-aligned from being used to misinterpret an unrelated calldata word as the array length. Additionally, a mismatch between ids[] and values[] lengths now aborts the transfer instead of merely logging, so the UI summary (context->value / context->array_index) can no longer be desynchronized from what the contract will execute.

Caveats

  • Canonical ABI encoders always place dynamic tails in declaration order with 32-byte-aligned offsets, so legitimate batch transfers remain unaffected. Any dapp relying on a non-canonical ABI layout for safeBatchTransferFrom would now be rejected by the plugin, forcing a blind-signing path, which is the intended security outcome.

Verification Checklist

  • Review the code change
  • Run tests to verify no regression
  • Verify the vulnerability is addressed — already verified by Cerberus Sentinel

Created by Cerberus Merlin
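As an added illustration of the rule the summary describes (not code from this PR or from the Ledger app), the following simplified word-fed parser in C accepts a batch transfer only when the sequential parameter offset reaches each declared ids/values offset exactly, rejects offsets that point backwards, are unaligned or overlap the previous tail, and aborts on an ids/values length mismatch. The names (batch_ctx_t, handle_word, check_layout), the word-by-word delivery model and the constructed calldata are assumptions of this example, not the plugin's own API.

```c
#include <stdbool.h>
#include <stdint.h>
#define WORD 32
/* parameters of safeBatchTransferFrom(from, to, ids[], values[], data) in the order their words arrive */
enum { P_FROM, P_TO, P_IDS_OFFSET, P_VALUES_OFFSET, P_DATA_OFFSET, P_TOKEN_IDS_LENGTH, P_TOKEN_ID, P_VALUE_LENGTH, P_DONE };
typedef enum { RESULT_OK = 0, RESULT_ERROR = 1 } plugin_result_t;
typedef struct {
    int next_param; uint32_t param_offset; /* expected parameter; byte offset of the current word (selector stripped) */
    uint32_t ids_offset, values_offset, ids_len, values_len, ids_left;
} batch_ctx_t;

static bool word_u32(const uint8_t *w, uint32_t *out) { /* big-endian ABI word that must fit in 32 bits */
    for (int i = 0; i < WORD - 4; i++) if (w[i]) return false;
    *out = (uint32_t)w[28] << 24 | (uint32_t)w[29] << 16 | (uint32_t)w[30] << 8 | w[31];
    return true;
}
/* feed one word: wait until the declared offset is reached, abort if it was passed or does not match exactly */
static plugin_result_t handle_word(batch_ctx_t *c, const uint8_t *w) {
    switch (c->next_param) {
    case P_FROM: case P_TO: case P_DATA_OFFSET: c->next_param++; break;               /* nothing to validate */
    case P_IDS_OFFSET:    if (!word_u32(w, &c->ids_offset)) return RESULT_ERROR;    c->next_param++; break;
    case P_VALUES_OFFSET: if (!word_u32(w, &c->values_offset)) return RESULT_ERROR; c->next_param++; break;
    case P_TOKEN_IDS_LENGTH:
        if (c->param_offset < c->ids_offset) break;                 /* tail not reached yet: keep waiting */
        if (c->param_offset != c->ids_offset) return RESULT_ERROR;  /* offset points backwards or is unaligned */
        if (!word_u32(w, &c->ids_len)) return RESULT_ERROR;
        c->ids_left = c->ids_len; c->next_param = c->ids_len ? P_TOKEN_ID : P_VALUE_LENGTH; break;
    case P_TOKEN_ID: if (--c->ids_left == 0) c->next_param = P_VALUE_LENGTH; break;  /* consume ids[] elements */
    case P_VALUE_LENGTH:
        if (c->param_offset < c->values_offset) break;
        if (c->param_offset != c->values_offset) return RESULT_ERROR; /* already passed: values[] overlaps ids[] */
        if (!word_u32(w, &c->values_len)) return RESULT_ERROR;
        if (c->values_len != c->ids_len) return RESULT_ERROR;         /* length mismatch aborts instead of logging */
        c->next_param = P_DONE; break;
    }
    c->param_offset += WORD; return RESULT_OK;
}
static void put_word(uint8_t *w, uint32_t v) { /* write v as a big-endian 32-byte word */
    for (int i = 0; i < WORD; i++) w[i] = i < WORD - 4 ? 0 : (uint8_t)(v >> (8 * (WORD - 1 - i)));
}
/* constructed calldata: 5 head words, then ids[] and values[] tails laid out sequentially; the declared
   ids/values offsets are taken as given so both canonical and non-canonical layouts can be exercised */
static plugin_result_t check_layout(uint32_t ids_off, uint32_t vals_off, uint32_t ids_len, uint32_t vals_len) {
    uint32_t words[16] = {0, 0, ids_off, vals_off, WORD * (7 + ids_len + vals_len)}, n = 5;
    uint8_t w[WORD]; batch_ctx_t c = {0};
    if (ids_len > 4 || vals_len > 4) return RESULT_ERROR;
    words[n++] = ids_len;  for (uint32_t i = 0; i < ids_len; i++) words[n++] = 100 + i;  /* ids[] tail */
    words[n++] = vals_len; for (uint32_t i = 0; i < vals_len; i++) words[n++] = 1;       /* values[] tail */
    for (uint32_t i = 0; i < n; i++) { put_word(w, words[i]); if (handle_word(&c, w) != RESULT_OK) return RESULT_ERROR; }
    return c.next_param == P_DONE ? RESULT_OK : RESULT_ERROR;
}
```

With two ids and two values the canonical head declares ids at byte 160 and values at byte 256; any other declared offset, or a values length other than two, is rejected before the summary shown on the device could be built.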


codecov-commenter commented Apr 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.10%. Comparing base (9373cce) to head (4ddcc8a).

Additional details and impacted files
@@           Coverage Diff            @@
##           develop    #1007   +/-   ##
========================================
  Coverage    56.10%   56.10%           
========================================
  Files           26       26           
  Lines         2417     2417           
  Branches       322      312   -10     
========================================
  Hits          1356     1356           
+ Misses        1057      979   -78     
- Partials         4       82   +78     
| Flag | Coverage Δ |
| --- | --- |
| unittests | 56.10% <ø> (ø) |


@cedelavergne-ledger cedelavergne-ledger force-pushed the security/merlin-0e9211a branch from 60d6391 to 4ddcc8a Compare May 11, 2026 06:49
@cedelavergne-ledger cedelavergne-ledger requested a review from a team as a code owner May 11, 2026 06:49

github-actions Bot commented May 11, 2026

elf sizes
source = source branch security/merlin-0e9211a
target = target branch develop

| Device | .text source | .text target | .text delta | .bss source | .bss target | .bss delta | max stack size source | max stack size target | max stack size delta |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| apex_p | 159897 | 159897 | 0 | 21794 | 21794 | 0 | 19160 | 19160 | 0 |
| nanos2 | 114275 | 114275 | 0 | 20492 | 20492 | 0 | 20464 | 20464 | 0 |
| nanox | 114003 | 114003 | 0 | 20520 | 20520 | 0 | 8192 | 8192 | 0 |
| stax | 179966 | 179966 | 0 | 21794 | 21794 | 0 | 15064 | 15064 | 0 |
| flex | 180045 | 180045 | 0 | 21794 | 21794 | 0 | 15064 | 15064 | 0 |

Stack consumption summary (clone_app_stack_consumption)

⚠️ This summary is for informative purposes only. It may not give the application's actual worst case, for example if the test coverage is low.

| Device | Worst case (bytes) | Remaining stack (bytes) | Test |
| --- | --- | --- | --- |
| apex_p | 1753 | 38603 | test_clone.py::test_clone_thundercore[apex_p] |
| flex | 1801 | 34459 | test_clone.py::test_clone_thundercore[flex] |
| nanosp | 1705 | 38651 | test_clone.py::test_clone_thundercore[nanosp] |
| nanox | 1697 | 6495 | test_clone.py::test_clone_thundercore[nanox] |
| stax | 1801 | 34459 | test_clone.py::test_clone_thundercore[stax] |


Stack consumption summary

⚠️ This summary is for informative purposes only. It may not give the application's actual worst case, for example if the test coverage is low.

| Device | Worst case (bytes) | Remaining stack (bytes) | Test |
| --- | --- | --- | --- |
| apex_p | 3193 | 15967 | test_eip712.py::test_eip712_batch[apex_p] |
| flex | 3193 | 11871 | test_eip712.py::test_eip712_batch[flex] |
| nanosp | 3193 | 17271 | test_eip712.py::test_eip712_batch[nanosp] |
| nanox | 3193 | 4999 | test_eip712.py::test_eip712_batch[nanox] |
| stax | 3193 | 11871 | test_eip712.py::test_eip712_batch[stax] |


@cedelavergne-ledger cedelavergne-ledger merged commit db1a3d9 into develop May 11, 2026
293 checks passed
@cedelavergne-ledger cedelavergne-ledger deleted the security/merlin-0e9211a branch May 11, 2026 08:15