Security

Patched: DoS vulnerability on alloy_dyn_abi::TypedData hashing

An uncaught panic triggered by malformed input to alloy_dyn_abi::TypedData could lead to a denial-of-service (DoS) via eip712_signing_hash().

Software with high availability requirements such as network services may be particularly impacted. If in use, external auto-restarting mechanisms can partially mitigate the availability issues unless repeated attacks are possible.

The vulnerability was patched by adding a check to ensure the element is not empty before accessing its first element; an error is returned if it is empty. The fix is included in version v1.4.1 and backported to v0.8.26.

See: GHSA-pgp9-98jm-wwq2

What's Changed

• chore: remove feature(doc_auto_cfg) by @DaniPopes in #1019
• feat(primitives): Add Borsh support for TxKind by @mablr in #1022
• feat: Add Sqlx Traits for Bytes Type by @Arvmor in #1020
• chore: fix docs, typos by @DaniPopes in #1023
• feat(sol-macro): add transient storage keyword support by @AurelienFT in #1026
• feat: gate 60 tuple impls behind 'more-tuple-impls' feature flag by @DaniPopes in #1027
• chore: remove some inlines by @DaniPopes in #1028
• refactor(dyn-abi): clean up Resolver by @DaniPopes in #1030

New Contributors

• @AurelienFT made their first contribution in #1026

Full Changelog: v1.4.0...v1.4.1

Security

Patched: DoS vulnerability on alloy_dyn_abi::TypedData hashing

An uncaught panic triggered by malformed input to alloy_dyn_abi::TypedData could lead to a denial-of-service (DoS) via eip712_signing_hash().

Software with high availability requirements such as network services may be particularly impacted. If in use, external auto-restarting mechanisms can partially mitigate the availability issues unless repeated attacks are possible.

The vulnerability was patched by adding a check to ensure the element is not empty before accessing its first element; an error is returned if it is empty. The fix is included in version v1.4.1 and backported to v0.8.26.

See: GHSA-pgp9-98jm-wwq2

Full Changelog: v0.8.25...v0.8.26

What's Changed

• feat(primitives): add borsh support by @mablr in #993
• feat(sol-macro-expander): add name_by_selector method for enum variant retrieval by @mablr in #995
• chore: typo rollup by @onbjerg in #997
• feat(primitives): extend implementation of diesel's ToSql to Sqlite for FixedBytes and Address by @xavierm02 in #977
• feat(sol-macro-expander): add Clone trait to enum contracts containers by @fd0r in #1003
• fix(sol-types): Fix encode_topic_bytes for byte slices whose length is a non-zero multiple of 32 by @davidsemakula in #1000
• feat(primitives): bump map deps, wrap DefaultHashBuilder by @DaniPopes in #1001
• feat(sol-macro): inherit attributes from contract by @DaniPopes in #1004
• perf(sol-macro): improve abi expansion by @DaniPopes in #1005
• doc(primitives): inline doc for uint! macro by @0xdapper in #1007
• feat: Add Sqlx Traits for Signed Type by @Arvmor in #1008
• fix(sol-macro): remove #[automatically_derived] from non-trait impls by @DaniPopes in #1012
• feat: rkyv support by @lightsing in #990
• chore(deps): bumpies by @DaniPopes in #1014
• fix(sol-macro-expander): propagate all_derives and extra_derives to periphery SC structs by @squadgazzz in #1011
• chore(sol-types): sync panic reasons from geth by @jsvisa in #1015
• fix(sol-macro): internal SC derives by @squadgazzz in #1017
• chore: tweak postgres.rs by @DaniPopes in #1018

New Contributors

• @mablr made their first contribution in #993
• @xavierm02 made their first contribution in #977
• @fd0r made their first contribution in #1003
• @davidsemakula made their first contribution in #1000
• @0xdapper made their first contribution in #1007
• @Arvmor made their first contribution in #1008
• @squadgazzz made their first contribution in #1011
• @jsvisa made their first contribution in #1015

Full Changelog: v1.3.1...v1.4.0

What's Changed

• Implement conversion from Word for DynSolValue by @zemse in #983
• fix(rpc): check reserved function names by @mattsse in #987
• fix(primitives): re-export correct Entry types by @DaniPopes in #989
• chore: add typos by @DaniPopes in #991

New Contributors

• @zemse made their first contribution in #983

Full Changelog: v1.3.0...v1.3.1

What's Changed

• chore: add helper to find function by selector by @mattsse in #971
• feat: add is_dynamic method to DynSolType by @dantop114 in #974
• feat: add native sqlx support for Address (MySQL/Postgres/SQLite) with feature gating and tests by @Rollp0x in #970
• feat(primitives): serialize Signed with a compact binary representation by @stalkopat in #953
• chore: fix warning in generated code by @sander2 in #976
• Add EIP-712 usage example to README by @GarmashAlex in #975
• fix(sol-types): overflow in abi decoder by @DaniPopes in #982

New Contributors

• @Rollp0x made their first contribution in #970
• @stalkopat made their first contribution in #953
• @sander2 made their first contribution in #976
• @GarmashAlex made their first contribution in #975

Full Changelog: v1.2.1...v1.3.0

What's Changed

• chore: re-enable clippy::missing-const-for-fn by @DaniPopes in #961
• fix: colon 712 identifiers by @mattsse in #963

Full Changelog: v1.2.0...v1.2.1

What's Changed

• chore: bump MSRV to 1.85 by @DaniPopes in #959
• chore: bump to edition 2024 by @DaniPopes in #960

Full Changelog: v1.1.3...v1.2.0

What's Changed

• fix: eip712 string interface prefix by @zjesko in #954
• feat: added decode_log_validate method by @frolvanya in #957

New Contributors

• @zjesko made their first contribution in #954
• @frolvanya made their first contribution in #957

Full Changelog: v1.1.2...v1.1.3

What's Changed

• chore: enhance eip712 string parser to canonicalize inputs by @0xrusowsky in #950

New Contributors

• @0xrusowsky made their first contribution in #950

Full Changelog: v1.1.1...v1.1.2

What's Changed

• feat: added standalone format_units_with by @Rimeeeeee in #947
• remove unnecessary bound on sol_data::Array by @makcandrov in #951
• chore: re-use alloy_primitives::hex by @DaniPopes in #952

Full Changelog: v1.1.0...v1.1.1