We would like to bring to your attention a critical issue regarding the handling of ContractAddress type on Starknet, which we have unfortunately experienced firsthand, resulting in the loss of STRK tokens.

We have identified several problems related to the management of contract addresses on Starknet, which deserve immediate attention to ensure the security and reliability of the network.

Below is a summary of the key issues:

1. Lack of strict input validation

Currently, it is possible to input arbitrary ASCII strings as a ContractAddress, even though characters like #&?^ will never be part of a valid address. A strict validation mechanism should be implemented upfront to prevent such scenarios.

2. No validation of address validity (size and format)

It seems that the Cairo VM adjusts itself the validity of addresses by adding zeros as prefixes if the size is not correct. This approach is problematic as it delegates an essential validation task to the VM without any prior verification.

3. Absence of controls in various ecosystem components

Neither the Braavos wallet, Cairo VM, RPC, nor the Sequencer performs stringent checks on the validity of addresses. This could creates a significant risk surface that could be exploited and many loss of capital from users or developers.

Primary Concern: Why was the call accepted?

This behaviour is unusual and diverges from the security standards upheld by other networks.

Recommendation

For the benefit of the entire Starknet Community, it is imperative to address these issues promptly by introducing robust address validation mechanisms at all levels (wallet, RPC, VM, and Sequencer). These measures would enhance user trust and align Starknet with the industry’s best practices.

We trust this feedback will assist in prioritizing these corrections to safeguard the ecosystem for all users.

As a community member, I also believe that strict address validation is crucial. The lack of validation right now makes it too easy to lose tokens, which creates unnecessary risks for users.

It’s important to implement checks for address format (length, characters) and add validation when sending transactions in wallets and RPC. This would make Starknet safer and more reliable for everyone. I hope the team considers addressing this issue!

I’m sure the team is reading this and working on it.

There’s SNIP-23 that tries to standardize a checksum approach (similar to Ethereum) for the ContractAddress type.

For the lacking of address validation mechanisms, many users send the tokens to the wrong address, especially in some public domain addresses, for example:

StarkGate: ETH Token with 15.33 eth
0x049d36570d4e46f48e99674bd3fcc84644ddd6b96f7c741b1562b82f9e004dc7

Universal Deployer Contract with 108.25 eth

0x041a78e741e5af2fec34b695679bc6891742439f7afb8484ecd7766661ad02bf

Recommendation
For the benefit of the entire Starknet Community, I suggest to send the eth tokens back to the deposit address by the team of StarkGate,