Summary
RLP scalar/data decoders accept inputs that contain a valid first RLP data item followed by trailing bytes. For example, decodeUint256(0x0102) returns 1, and decodeBytes(0x83646f6780) returns 0x646f67 (dog) while silently ignoring the trailing byte.
Expected behavior
The top-level scalar/data decoders should reject inputs that are not exactly one complete RLP data item, matching the behavior already enforced by decodeList.
Actual behavior
readUint256 checks only that _decodeLength returns ItemType.Data, and readBytes does the same. Neither checks that the decoded item consumes the full provided slice, so decodeBool, decodeUint256, decodeBytes32, decodeBytes, and decodeString can accept malformed input with trailing data.
Reproduction
await mock.$decodeUint256("0x0102") // returns 1
await mock.$decodeBytes("0x83646f6780") // returns 0x646f67
await mock.$decodeString("0x83646f6780") // returns dog
Impact
This is a correctness issue for consumers validating untrusted RLP payloads through these typed helpers. Malformed payloads can be accepted as if they were canonical single-item inputs.
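The missing check, sketched in JavaScript as an added example (not code from the report or from the library): a minimal RLP data-item reader whose `strict` mode requires the first item to consume the whole input. The function names and the `strict` option are hypothetical, and only the trailing-bytes condition is enforced here, not other canonical-encoding rules.

```javascript
// Added example: names and the `strict` option are hypothetical.
function hexToBytes(hex) {
  const h = hex.startsWith("0x") ? hex.slice(2) : hex;
  if (h.length % 2 !== 0 || /[^0-9a-fA-F]/.test(h)) throw new Error("bad hex");
  return Uint8Array.from(h.match(/../g) || [], (b) => parseInt(b, 16));
}

// Locate the payload of the first RLP item; lists are rejected.
function readDataHeader(buf) {
  if (buf.length === 0) throw new Error("empty input");
  const p = buf[0];
  if (p < 0x80) return { offset: 0, length: 1 };          // single byte
  if (p <= 0xb7) return { offset: 1, length: p - 0x80 };  // short string
  if (p <= 0xbf) {                                        // long string
    const lenOfLen = p - 0xb7;
    if (buf.length < 1 + lenOfLen) throw new Error("truncated length");
    let length = 0;
    for (let i = 1; i <= lenOfLen; i++) length = length * 256 + buf[i];
    return { offset: 1 + lenOfLen, length };
  }
  throw new Error("not a data item (list prefix)");
}

function decodeData(hex, { strict = true } = {}) {
  const buf = hexToBytes(hex);
  const { offset, length } = readDataHeader(buf);
  const end = offset + length;
  if (end > buf.length) throw new Error("truncated payload");
  // The check the report says is missing: the item must be the whole input.
  if (strict && end !== buf.length) {
    throw new Error(`trailing bytes: item is ${end} bytes, input is ${buf.length}`);
  }
  const hexOf = (b) => b.toString(16).padStart(2, "0");
  return "0x" + Array.from(buf.subarray(offset, end), hexOf).join("");
}

function decodeUint(hex, opts) {
  const payload = decodeData(hex, opts);
  return payload === "0x" ? 0n : BigInt(payload);
}

// Inputs from the report: lenient mode reproduces the described results.
console.log(decodeUint("0x0102", { strict: false }));       // 1n
console.log(decodeData("0x83646f6780", { strict: false })); // 0x646f67
```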