GMS-2020-566: Undefined Behavior in zencashjs
Versions of zencashjs
may cause loss of funds when used with cryptocurrency wallets. The package relies on a string comparison of the first two characters of a Horizen address to determine the destination address type of a transaction (P2PKH or P2SH). Due to the base58 address prefixes chosen in Horizen there exists the possibility of a clash of address prefixes for testnet P2PKH and mainnet P2SH addresses, testnet P2PKH addresses start with “zt” while a subset of mainnet P2SH addresses can also start with “zt”. The package interprets transactions sent to a “zt” P2SH address on mainnet as P2PKH transactions erroneously. Any funds sent to a mainnet P2SH multisignature address starting with “zt” will be sent to the wrong address and be lost.
References
Detect and mitigate GMS-2020-566 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →