Even though `range_get_triedb_async` is a safe function, a caller can provide a `prefix_key` that is too short for `prefix_key_len_nibbles`, which can lead to an out-of-bounds read when the C++ side constructs the prefix `NibblesView`.
We checked the current monad-bft usage and did not find an attacker-controlled path to supply such malformed inputs today, but it seems worth flagging as a latent soundness risk that could become reachable under future changes.
One mitigation approach would be to add a bounds check at the Rust entry point before crossing the FFI boundary.
lib.rs#L361-L411
triedb.cpp#L349-L358
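One shape the Rust-side bounds check could take, as an added illustration that is not monad-bft's own code: the entry point refuses any `prefix_key` that holds fewer nibbles than `prefix_key_len_nibbles` before the pointer/length pair is handed to C++. The two-nibbles-per-byte, high-nibble-first layout, the `PrefixError` type and the `prepare_ffi_args` helper are assumptions made for this example.

```rust
/// Error returned when the caller-supplied prefix cannot back the requested nibble count.
#[derive(Debug, PartialEq, Eq)]
pub enum PrefixError {
    TooShort { have_nibbles: usize, want_nibbles: usize },
}

/// Bounds check for the Rust entry point. Assumes each byte carries two nibbles,
/// so `n` bytes can back at most `2 * n` nibbles; anything more would make the
/// C++ `NibblesView` read past the end of the buffer.
pub fn check_prefix_len(prefix_key: &[u8], prefix_key_len_nibbles: usize) -> Result<(), PrefixError> {
    let have_nibbles = prefix_key.len().saturating_mul(2);
    if prefix_key_len_nibbles > have_nibbles {
        return Err(PrefixError::TooShort { have_nibbles, want_nibbles: prefix_key_len_nibbles });
    }
    Ok(())
}

/// Safe Rust model of the view the C++ side builds: `len_nibbles` nibbles over `bytes`.
/// Construction fails instead of producing a view that would index out of bounds.
pub struct NibblesView<'a> {
    bytes: &'a [u8],
    len_nibbles: usize,
}

impl<'a> NibblesView<'a> {
    pub fn new(bytes: &'a [u8], len_nibbles: usize) -> Result<Self, PrefixError> {
        check_prefix_len(bytes, len_nibbles)?;
        Ok(Self { bytes, len_nibbles })
    }

    /// Nibble `i` (high nibble first, an assumed layout), or `None` past the logical length.
    pub fn nibble(&self, i: usize) -> Option<u8> {
        if i >= self.len_nibbles {
            return None;
        }
        let b = self.bytes[i / 2]; // in bounds: i / 2 < len_nibbles / 2 <= bytes.len()
        Some(if i % 2 == 0 { b >> 4 } else { b & 0x0f })
    }
}

/// Hypothetical pre-FFI step: only a validated (ptr, byte_len, nibble_len) triple is returned,
/// so the raw call can never be reached with a prefix that is too short.
pub fn prepare_ffi_args(prefix_key: &[u8], prefix_key_len_nibbles: usize)
    -> Result<(*const u8, usize, usize), PrefixError>
{
    check_prefix_len(prefix_key, prefix_key_len_nibbles)?;
    Ok((prefix_key.as_ptr(), prefix_key.len(), prefix_key_len_nibbles))
}
```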