Misleading behavior of encoding `string` into `Fr` #10331

Groxan · 2024-12-01T12:50:25Z

Hey! I've faced an issue with encodeArguments function - when it tries to encode string into Fr it uses Fr.fromString, which always treats the input as a hex string. Even though I understand the rationale, this behavior is quite arguable, because it can be dangerous in some scenarios.

Imagine, a dAPP is sending an execution request to a wallet via walletconnect or something, for example, to call transfer(to, amount) function with arguments ("0x12..34", "100"), and a user is asked for confirmation. So, the user will check the args of the call and will see "100", and will mistakenly think that he is approving a transfer of 100 tokens. But "100" will actually be treated as hex and will be encoded into 256, so actually 256 tokens will be transferred. So, this behavior can not only mislead users, but also be exploited by scammers.

It would be cool if either ArgumentEncoder.encodeArgument or Fr.fromString treated input strings as hex only if it started with 0x, so that "100" is encoded into 100 and "0x100" into 256. This would be more intuitive and will help to avoid bad UX.

The text was updated successfully, but these errors were encountered:

olehmisar · 2024-12-01T17:35:47Z

Related discussion. #7365 (comment)

@Maddiaa0 were you able to take a look at this? I hit this "feature" too many times already and I saw people get bitten by this issue multiple times.

Maddiaa0 · 2024-12-01T17:47:03Z

Related discussion. #7365 (comment)

@Maddiaa0 were you able to take a look at this? I hit this "feature" too many times already and I saw people get bitten by this issue multiple times.

Yep, I've discussed it and think it'll take higher priory to change now, imo fromString for buffer like types should change to fromHex and fromString as listed here should check encoding.

Maddiaa0 · 2024-12-11T19:35:22Z

#10622

Commenting to link the issues

Maddiaa0 · 2024-12-12T16:50:14Z

fixed by #10529

Groxan · 2025-01-29T11:16:09Z

@Maddiaa0 sorry, but the issue hasn't been fixed.
In order to fix it, this line:

else if (typeof arg === 'string') {
    this.flattened.push(Fr.fromHexString(arg));
}

should be changed to this:

else if (typeof arg === 'string') {
    this.flattened.push(Fr.fromString(arg));
}

That's it :)

sklppy88 · 2025-01-29T11:27:50Z

@Maddiaa0 sorry, but the issue hasn't been fixed.
In order to fix it, this line:
else if (typeof arg === 'string') {
    this.flattened.push(Fr.fromHexString(arg));
}
should be changed to this:
else if (typeof arg === 'string') {
    this.flattened.push(Fr.fromString(arg));
}
That's it :)

Ah yep, the native behavior has been changed, but it needs the encoder as well, good eye. Will push a fix asap. Thanks for the comment !

…ng` (#11585) Related #10331

🤖 I have created a release *beep* *boop* --- <details><summary>aztec-package: 0.74.0</summary> ## [0.74.0](aztec-package-v0.73.0...aztec-package-v0.74.0) (2025-02-04) ### Miscellaneous * Ensure new kv-store is used on the server ([#11662](#11662)) ([aee1420](aee1420)) </details> <details><summary>barretenberg.js: 0.74.0</summary> ## [0.74.0](barretenberg.js-v0.73.0...barretenberg.js-v0.74.0) (2025-02-04) ### Miscellaneous * **barretenberg.js:** Synchronize aztec-packages versions </details> <details><summary>aztec-packages: 0.74.0</summary> ## [0.74.0](aztec-packages-v0.73.0...aztec-packages-v0.74.0) (2025-02-04) ### ⚠ BREAKING CHANGES * time library ([#11542](#11542)) ### Features * `u128.ts` accepting string on input ([#11664](#11664)) ([bb25992](bb25992)) * Add network, better drawer performance ([#11694](#11694)) ([1f61822](1f61822)) * Skip calculation of partial sums when simulating blobs ([#11257](#11257)) ([aca66f7](aca66f7)) * Time library ([#11542](#11542)) ([3b463f9](3b463f9)), closes [#11520](#11520) * UltraHonkZK contract ([#11553](#11553)) ([a68369f](a68369f)) ### Bug Fixes * Add bootstrap.sh to rebuild_patterns ([#11683](#11683)) ([e84a81a](e84a81a)) * **archiver:** Do not attempt to decode blob before filtering ([#11668](#11668)) ([961cbdd](961cbdd)) * Barretenber/stdlib/logic bugs ([#11651](#11651)) ([dddab22](dddab22)) * Barretenberg/stdlib/logic bugs (redo) ([#11691](#11691)) ([6d0bad7](6d0bad7)) * **docs:** Keys docs update ([#11665](#11665)) ([ce3d92c](ce3d92c)) * Revert "barretenberg/stdlib/logic bugs" ([#11689](#11689)) ([b99570d](b99570d)) * Solidity verifier caching ([#11712](#11712)) ([2ba1e71](2ba1e71)) * Use eth-execution label ([#11713](#11713)) ([d3c31d8](d3c31d8)) ### Miscellaneous * Add tests for gov proposer ([#11633](#11633)) ([5c6a48a](5c6a48a)), closes [#11681](#11681) * **bb-prover:** Avm test skip and split ([#11717](#11717)) ([1778867](1778867)) * Benchmark sha256 number of instructions executed in AVM ([#11253](#11253)) ([aaf0d8c](aaf0d8c)) * Delete MerkleTrees implementation in JS ([#11697](#11697)) ([1db7b78](1db7b78)) * Ensure new kv-store is used on the server ([#11662](#11662)) ([aee1420](aee1420)) * Field encoding should use `fromString` instead of `fromHexString` ([#11585](#11585)) ([43fdbb1](43fdbb1)), closes [#10331](#10331) * Improve boxes ([#11656](#11656)) ([46a3e85](46a3e85)) * Increase node pool count and don't use a release channel ([#11687](#11687)) ([65a3f11](65a3f11)) * Mark contracts as pub ([#11241](#11241)) ([b168601](b168601)) * Reduce memory requests on prover node ([#11678](#11678)) ([a720151](a720151)) * Remove profiler cache fallback ([#11680](#11680)) ([a305aef](a305aef)) * Remove some templates in templates ([#11698](#11698)) ([61614b1](61614b1)) * Remove unused functions from public side effect trace ([#11600](#11600)) ([54e9602](54e9602)) * Replace relative paths to noir-protocol-circuits ([739151e](739151e)) * Replace relative paths to noir-protocol-circuits ([bbd526c](bbd526c)) * **sequencer:** Add InvalidArchive to canProposeAtNextEthBlock ignored errors ([#11682](#11682)) ([eea4bd3](eea4bd3)) * **spartan:** Remove hardcoded keys and addresses - derive all from mnemonic ([#11672](#11672)) ([65f0e48](65f0e48)) * Turn off auto-upgrade in node-pools ([#11679](#11679)) ([09f98a9](09f98a9)) * Turn on masking in ultra and mega zk + oink clean-up ([#11693](#11693)) ([08e96fe](08e96fe)) ### Documentation * Update mig notes release version ([#11685](#11685)) ([46a30b5](46a30b5)) </details> <details><summary>barretenberg: 0.74.0</summary> ## [0.74.0](barretenberg-v0.73.0...barretenberg-v0.74.0) (2025-02-04) ### Features * UltraHonkZK contract ([#11553](#11553)) ([a68369f](a68369f)) ### Bug Fixes * Barretenber/stdlib/logic bugs ([#11651](#11651)) ([dddab22](dddab22)) * Barretenberg/stdlib/logic bugs (redo) ([#11691](#11691)) ([6d0bad7](6d0bad7)) * Revert "barretenberg/stdlib/logic bugs" ([#11689](#11689)) ([b99570d](b99570d)) ### Miscellaneous * Ensure new kv-store is used on the server ([#11662](#11662)) ([aee1420](aee1420)) * Remove some templates in templates ([#11698](#11698)) ([61614b1](61614b1)) * Turn on masking in ultra and mega zk + oink clean-up ([#11693](#11693)) ([08e96fe](08e96fe)) </details> --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

🤖 I have created a release *beep* *boop* --- <details><summary>aztec-package: 0.74.0</summary> ## [0.74.0](AztecProtocol/aztec-packages@aztec-package-v0.73.0...aztec-package-v0.74.0) (2025-02-04) ### Miscellaneous * Ensure new kv-store is used on the server ([#11662](AztecProtocol/aztec-packages#11662)) ([aee1420](AztecProtocol/aztec-packages@aee1420)) </details> <details><summary>barretenberg.js: 0.74.0</summary> ## [0.74.0](AztecProtocol/aztec-packages@barretenberg.js-v0.73.0...barretenberg.js-v0.74.0) (2025-02-04) ### Miscellaneous * **barretenberg.js:** Synchronize aztec-packages versions </details> <details><summary>aztec-packages: 0.74.0</summary> ## [0.74.0](AztecProtocol/aztec-packages@aztec-packages-v0.73.0...aztec-packages-v0.74.0) (2025-02-04) ### ⚠ BREAKING CHANGES * time library ([#11542](AztecProtocol/aztec-packages#11542)) ### Features * `u128.ts` accepting string on input ([#11664](AztecProtocol/aztec-packages#11664)) ([bb25992](AztecProtocol/aztec-packages@bb25992)) * Add network, better drawer performance ([#11694](AztecProtocol/aztec-packages#11694)) ([1f61822](AztecProtocol/aztec-packages@1f61822)) * Skip calculation of partial sums when simulating blobs ([#11257](AztecProtocol/aztec-packages#11257)) ([aca66f7](AztecProtocol/aztec-packages@aca66f7)) * Time library ([#11542](AztecProtocol/aztec-packages#11542)) ([3b463f9](AztecProtocol/aztec-packages@3b463f9)), closes [#11520](AztecProtocol/aztec-packages#11520) * UltraHonkZK contract ([#11553](AztecProtocol/aztec-packages#11553)) ([a68369f](AztecProtocol/aztec-packages@a68369f)) ### Bug Fixes * Add bootstrap.sh to rebuild_patterns ([#11683](AztecProtocol/aztec-packages#11683)) ([e84a81a](AztecProtocol/aztec-packages@e84a81a)) * **archiver:** Do not attempt to decode blob before filtering ([#11668](AztecProtocol/aztec-packages#11668)) ([961cbdd](AztecProtocol/aztec-packages@961cbdd)) * Barretenber/stdlib/logic bugs ([#11651](AztecProtocol/aztec-packages#11651)) ([dddab22](AztecProtocol/aztec-packages@dddab22)) * Barretenberg/stdlib/logic bugs (redo) ([#11691](AztecProtocol/aztec-packages#11691)) ([6d0bad7](AztecProtocol/aztec-packages@6d0bad7)) * **docs:** Keys docs update ([#11665](AztecProtocol/aztec-packages#11665)) ([ce3d92c](AztecProtocol/aztec-packages@ce3d92c)) * Revert "barretenberg/stdlib/logic bugs" ([#11689](AztecProtocol/aztec-packages#11689)) ([b99570d](AztecProtocol/aztec-packages@b99570d)) * Solidity verifier caching ([#11712](AztecProtocol/aztec-packages#11712)) ([2ba1e71](AztecProtocol/aztec-packages@2ba1e71)) * Use eth-execution label ([#11713](AztecProtocol/aztec-packages#11713)) ([d3c31d8](AztecProtocol/aztec-packages@d3c31d8)) ### Miscellaneous * Add tests for gov proposer ([#11633](AztecProtocol/aztec-packages#11633)) ([5c6a48a](AztecProtocol/aztec-packages@5c6a48a)), closes [#11681](AztecProtocol/aztec-packages#11681) * **bb-prover:** Avm test skip and split ([#11717](AztecProtocol/aztec-packages#11717)) ([1778867](AztecProtocol/aztec-packages@1778867)) * Benchmark sha256 number of instructions executed in AVM ([#11253](AztecProtocol/aztec-packages#11253)) ([aaf0d8c](AztecProtocol/aztec-packages@aaf0d8c)) * Delete MerkleTrees implementation in JS ([#11697](AztecProtocol/aztec-packages#11697)) ([1db7b78](AztecProtocol/aztec-packages@1db7b78)) * Ensure new kv-store is used on the server ([#11662](AztecProtocol/aztec-packages#11662)) ([aee1420](AztecProtocol/aztec-packages@aee1420)) * Field encoding should use `fromString` instead of `fromHexString` ([#11585](AztecProtocol/aztec-packages#11585)) ([43fdbb1](AztecProtocol/aztec-packages@43fdbb1)), closes [#10331](AztecProtocol/aztec-packages#10331) * Improve boxes ([#11656](AztecProtocol/aztec-packages#11656)) ([46a3e85](AztecProtocol/aztec-packages@46a3e85)) * Increase node pool count and don't use a release channel ([#11687](AztecProtocol/aztec-packages#11687)) ([65a3f11](AztecProtocol/aztec-packages@65a3f11)) * Mark contracts as pub ([#11241](AztecProtocol/aztec-packages#11241)) ([b168601](AztecProtocol/aztec-packages@b168601)) * Reduce memory requests on prover node ([#11678](AztecProtocol/aztec-packages#11678)) ([a720151](AztecProtocol/aztec-packages@a720151)) * Remove profiler cache fallback ([#11680](AztecProtocol/aztec-packages#11680)) ([a305aef](AztecProtocol/aztec-packages@a305aef)) * Remove some templates in templates ([#11698](AztecProtocol/aztec-packages#11698)) ([61614b1](AztecProtocol/aztec-packages@61614b1)) * Remove unused functions from public side effect trace ([#11600](AztecProtocol/aztec-packages#11600)) ([54e9602](AztecProtocol/aztec-packages@54e9602)) * Replace relative paths to noir-protocol-circuits ([739151e](AztecProtocol/aztec-packages@739151e)) * Replace relative paths to noir-protocol-circuits ([bbd526c](AztecProtocol/aztec-packages@bbd526c)) * **sequencer:** Add InvalidArchive to canProposeAtNextEthBlock ignored errors ([#11682](AztecProtocol/aztec-packages#11682)) ([eea4bd3](AztecProtocol/aztec-packages@eea4bd3)) * **spartan:** Remove hardcoded keys and addresses - derive all from mnemonic ([#11672](AztecProtocol/aztec-packages#11672)) ([65f0e48](AztecProtocol/aztec-packages@65f0e48)) * Turn off auto-upgrade in node-pools ([#11679](AztecProtocol/aztec-packages#11679)) ([09f98a9](AztecProtocol/aztec-packages@09f98a9)) * Turn on masking in ultra and mega zk + oink clean-up ([#11693](AztecProtocol/aztec-packages#11693)) ([08e96fe](AztecProtocol/aztec-packages@08e96fe)) ### Documentation * Update mig notes release version ([#11685](AztecProtocol/aztec-packages#11685)) ([46a30b5](AztecProtocol/aztec-packages@46a30b5)) </details> <details><summary>barretenberg: 0.74.0</summary> ## [0.74.0](AztecProtocol/aztec-packages@barretenberg-v0.73.0...barretenberg-v0.74.0) (2025-02-04) ### Features * UltraHonkZK contract ([#11553](AztecProtocol/aztec-packages#11553)) ([a68369f](AztecProtocol/aztec-packages@a68369f)) ### Bug Fixes * Barretenber/stdlib/logic bugs ([#11651](AztecProtocol/aztec-packages#11651)) ([dddab22](AztecProtocol/aztec-packages@dddab22)) * Barretenberg/stdlib/logic bugs (redo) ([#11691](AztecProtocol/aztec-packages#11691)) ([6d0bad7](AztecProtocol/aztec-packages@6d0bad7)) * Revert "barretenberg/stdlib/logic bugs" ([#11689](AztecProtocol/aztec-packages#11689)) ([b99570d](AztecProtocol/aztec-packages@b99570d)) ### Miscellaneous * Ensure new kv-store is used on the server ([#11662](AztecProtocol/aztec-packages#11662)) ([aee1420](AztecProtocol/aztec-packages@aee1420)) * Remove some templates in templates ([#11698](AztecProtocol/aztec-packages#11698)) ([61614b1](AztecProtocol/aztec-packages@61614b1)) * Turn on masking in ultra and mega zk + oink clean-up ([#11693](AztecProtocol/aztec-packages#11693)) ([08e96fe](AztecProtocol/aztec-packages@08e96fe)) </details> --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Groxan changed the title ~~Misleading behavior of Fr.fromString~~ Misleading behavior of encoding string into Fr Dec 1, 2024

sklppy88 self-assigned this Dec 9, 2024

Maddiaa0 added P-high 🔥 Priority: high. Do this task next. C-aztec.js Component: aztec.js client library labels Dec 10, 2024

Maddiaa0 closed this as completed Dec 12, 2024

sklppy88 mentioned this issue Jan 29, 2025

chore: field encoding should use fromString instead of fromHexString #11585

Merged

sklppy88 added a commit that referenced this issue Feb 3, 2025

chore: field encoding should use fromString instead of `fromHexStri…

43fdbb1

…ng` (#11585) Related #10331

AztecBot mentioned this issue Feb 3, 2025

chore(master): Release 0.74.0 #11676

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Misleading behavior of encoding `string` into `Fr` #10331

Misleading behavior of encoding `string` into `Fr` #10331

Groxan commented Dec 1, 2024

olehmisar commented Dec 1, 2024

Maddiaa0 commented Dec 1, 2024

Maddiaa0 commented Dec 11, 2024

Maddiaa0 commented Dec 12, 2024 •

edited

Loading

Groxan commented Jan 29, 2025

sklppy88 commented Jan 29, 2025

Misleading behavior of encoding string into Fr #10331

Misleading behavior of encoding string into Fr #10331

Comments

Groxan commented Dec 1, 2024

olehmisar commented Dec 1, 2024

Maddiaa0 commented Dec 1, 2024

Maddiaa0 commented Dec 11, 2024

Maddiaa0 commented Dec 12, 2024 • edited Loading

Groxan commented Jan 29, 2025

sklppy88 commented Jan 29, 2025

Misleading behavior of encoding `string` into `Fr` #10331

Misleading behavior of encoding `string` into `Fr` #10331

Maddiaa0 commented Dec 12, 2024 •

edited

Loading