Skip to content

fix: add asset_id validation to FungibleAssetDelta::validate#3138

Open
Sertug17 wants to merge 2 commits into
0xMiden:nextfrom
Sertug17:fix/fungible-delta-validation
Open

fix: add asset_id validation to FungibleAssetDelta::validate#3138
Sertug17 wants to merge 2 commits into
0xMiden:nextfrom
Sertug17:fix/fungible-delta-validation

Conversation

@Sertug17

@Sertug17 Sertug17 commented Jun 24, 2026

Copy link
Copy Markdown

The validate() function checked that vault keys have fungible composition but didn't verify that the asset_id component is empty. Per AssetVaultKey semantics, fungible assets must have a zero asset ID. A crafted key with a non-zero asset ID would pass validation but produce a different SMT key, potentially corrupting vault state on delta application.

Closes #3134

Sertug17 added 2 commits June 24, 2026 23:11
@Sertug17
fix: replace expect with safe Option handling in storage patch tracker
f0d1838 
The expect() on missing init_map entry could panic if a map slot entry
was added to the patch without a corresponding tracked key. Changed to
gracefully skip unrecognized keys via let-else.

Closes 0xMiden#3132
@Sertug17
fix: add asset_id validation to FungibleAssetDelta::validate
6cb87f0 
The validate() function checked that vault keys have fungible composition
but didn't verify that the asset_id component is empty. Per AssetVaultKey
semantics, fungible assets must have a zero asset ID. A crafted key with
a non-zero asset ID would pass validation but produce a different SMT key,
potentially corrupting vault state on delta application.

Closes 0xMiden#3134
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Missing range and asset_id validation in FungibleAssetDelta serialization

1 participant

@Sertug17