Solidity Storage Array Bugs | Ethereum Foundation Blog


Wednesday, April 5, 2023



Solidity Storage Array Bug Announcement

This blog post is about two bugs related to storage arrays which are otherwise unrelated. Both have been present in the compiler for a long time and have only been discovered now, even though a contract containing them should very likely show malfunctions in tests.

Daenam Kim, with help from Nguyen Pham, both from Curvegrid, discovered an issue where invalid data is stored in connection with arrays of signed integers.

This bug has been present since Solidity 0.4.7 and we consider it the more serious of the two. If these arrays use negative integers in a certain situation, it will cause data corruption, and thus the bug should be easy to detect.

Through the Ethereum bug bounty program, we received a report about a flaw within the new experimental ABI encoder (referred to as ABIEncoderV2). The new ABI encoder is still marked as experimental, but we nevertheless think that this deserves a prominent announcement since it is already used on mainnet.
Credits to Ming Chuan Lin (of https://ift.tt/b2u3H51) for both finding and fixing the bug!

The 0.5.10 release contains the fixes to the bugs.
At the moment, we do not plan to publish a fix to the legacy 0.4.x series of Solidity, but we might if there is popular demand.

Both bugs should be easily visible in tests that touch the relevant code paths.

Details about the two bugs can be found below.

Signed Integer Array Bug

Who should be concerned

If you have deployed contracts which use signed integer arrays in storage and either directly assign

  • a literal array with at least one negative value in it (x = [-1, -2, -3];) or
  • an existing array of a different signed integer type

to it, this will lead to data corruption in the storage array.

Contracts that only assign individual array elements (i.e. with x[2] = -1;) are not affected.

How to check if a contract is vulnerable

If you use signed integer arrays in storage, try to run tests where you use negative values. The effect should be that the actual value stored is positive instead of negative.

If you have a contract that meets these conditions and want to verify whether the contract is indeed vulnerable, you can reach out to us via security@ethereum.org.

Technical details

Storage arrays can be assigned from arrays of a different type. During this copy and assignment operation, a type conversion is performed on each of the elements. In addition to the conversion, especially if the signed integer type is shorter than 256 bits, certain bits of the value have to be zeroed out in preparation for storing multiple values in the same storage slot.

Which bits to zero out was incorrectly determined from the source and not the target type. This leads to too many bits being zeroed out. In particular, the sign bit will be zero, which makes the value positive.
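The following is an added model of the cleanup step described above; it is not code from the Solidity compiler. It assumes the literal `[-1, -2, -3]` has element type int8 and that `x` is declared `int256[]` (the post does not state x's declared type), and it shows why a mask width taken from the source type leaves a positive value behind while the target width keeps the sign.

```python
# Added example (a model, not code from the Solidity compiler): the cleanup step
# performed on each element when a signed integer array is copied into storage,
# comparing a mask width taken from the source type (the bug) with one taken
# from the target type (the fix).

def to_twos_complement(value, bits):
    """Encode a signed integer as an unsigned `bits`-wide two's-complement word."""
    assert -(1 << (bits - 1)) <= value < (1 << (bits - 1)), "value does not fit"
    return value & ((1 << bits) - 1)

def from_twos_complement(word, bits):
    """Decode a `bits`-wide two's-complement word back into a signed integer."""
    word &= (1 << bits) - 1
    return word - (1 << bits) if word >> (bits - 1) else word

def clean_for_storage(value, src_bits, dst_bits, buggy):
    """Convert one element from int<src_bits> to int<dst_bits> and zero the bits
    above the element width so several elements can share one storage slot.
    The value is first sign-extended to a full 256-bit word; the bug took the
    width of the mask from the source type instead of the target type."""
    word = to_twos_complement(value, 256)
    width = src_bits if buggy else dst_bits
    return word & ((1 << width) - 1)

def assign_array(values, src_bits, dst_bits, buggy=False):
    """Model `x = values` for a storage array of int<dst_bits> and read it back."""
    return [from_twos_complement(clean_for_storage(v, src_bits, dst_bits, buggy),
                                 dst_bits) for v in values]

if __name__ == "__main__":
    # x = [-1, -2, -3]: the literal elements are int8; x is assumed to be int256[]
    print(assign_array([-1, -2, -3], 8, 256, buggy=True))   # [255, 254, 253]
    print(assign_array([-1, -2, -3], 8, 256, buggy=False))  # [-1, -2, -3]
```

Assigning between arrays of the same signed type (src_bits == dst_bits) yields the same result with or without the bug, which is why only assignments from a different type or from a literal are affected.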

ABIEncoderV2 Array Bug

Who should be concerned

If you have deployed contracts which use the experimental ABI encoder V2, then these might be affected. This means only contracts which use the following directive within the source code can be affected:

pragma experimental ABIEncoderV2;

Furthermore, there are a number of requirements for the bug to trigger. See the technical details further below for more information.

How to check if a contract is vulnerable

The bug only manifests itself when all of the following conditions are met:

  • Storage data involving arrays or structs is sent directly to an external function call, to abi.encode or to event data without prior assignment to a local (memory) variable AND
  • this data either contains an array of structs or an array of statically-sized arrays (i.e. at least two-dimensional).

In addition to that, in the following situation your code is NOT affected:

  • if you only return such data and do not use it in abi.encode, external calls or event data.

Possible consequences

Naturally, any bug can have wildly varying consequences depending on the program control flow, but we expect that this is more likely to lead to malfunction than exploitability.

The bug, when triggered, will under certain conditions send corrupt parameters on method invocations to other contracts.

Technical details

During the encoding process, the experimental ABI encoder does not properly advance to the next element in an array in case the elements occupy more than a single slot in storage.

This is only the case for elements that are structs or statically-sized arrays. Arrays of dynamically-sized arrays or of elementary datatypes are not affected.

The actual effect you will see is that data is "shifted" in the encoded array: if you have an array of type uint[2][] and it contains the data
[[1, 2], [3, 4], [5, 6]], then it will be encoded as [[1, 2], [2, 3], [3, 4]] because the encoder only advances by a single slot between elements instead of two.
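The following is an added model of the stride error described above; it is not code from the Solidity compiler. It assumes that every component of an element is a full 256-bit word stored in consecutive slots (so nothing is packed), and reproduces the uint[2][] example together with the case of elementary elements, which are unaffected because their correct stride is already one slot.

```python
# Added example (a model, not code from the Solidity compiler): how the
# experimental ABI encoder walked a storage array whose elements occupy several
# slots. The buggy encoder always advanced by one slot between elements; the
# fixed encoder advances by the number of slots the element type occupies.

def slots_per_element(elem_type):
    """Storage slots occupied by one element. The model assumes every component
    is a full 256-bit word, so nothing is packed. elem_type is ('uint',) for an
    elementary value, ('dyn',) for a dynamically-sized array (whose element
    slot only holds its length) or ('static', n) for a struct / static array
    with n word-sized components."""
    return elem_type[1] if elem_type[0] == 'static' else 1

def storage_words(rows):
    """Flatten the contents of a uint[n][] storage array into consecutive slots."""
    return [word for row in rows for word in row]

def encode_from_storage(words, count, elem_type, buggy=False):
    """Encode `count` elements read straight from storage (no memory copy)."""
    size = slots_per_element(elem_type)
    stride = 1 if buggy else size
    encoded, pos = [], 0
    for _ in range(count):
        encoded.append(words[pos:pos + size])
        pos += stride
    return encoded

def demo():
    """The post's uint[2][] example: [[1, 2], [3, 4], [5, 6]] (constructed data)."""
    words = storage_words([[1, 2], [3, 4], [5, 6]])
    return (encode_from_storage(words, 3, ('static', 2), buggy=True),
            encode_from_storage(words, 3, ('static', 2)))

if __name__ == "__main__":
    shifted, correct = demo()
    print(shifted)  # [[1, 2], [2, 3], [3, 4]]
    print(correct)  # [[1, 2], [3, 4], [5, 6]]
```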

This post was jointly composed by @axic, @chriseth, @holiman






