Solidity Storage Array Bug Announcement
This weblog put up is about two bugs linked to storage arrays that are in any other case unrelated. Each have been current within the compiler for a very long time and have solely been found now regardless that a contract containing them ought to very possible present malfunctions in assessments.
Daenam Kim with assist from Nguyen Pham, each from Curvegrid found a problem the place invalid information is saved in reference to arrays of signed integers.
This bug has been current since Solidity 0.4.7 and we think about it the extra critical of the 2. If these arrays use destructive integers in a sure scenario, it would trigger information corruption and thus the bug ought to be simple to detect.
By way of the Ethereum bug bounty program, we obtained a report a few flaw inside the new experimental ABI encoder (known as ABIEncoderV2). The brand new ABI encoder remains to be marked as experimental, however we however assume that this deserves a distinguished announcement since it’s already used on mainnet.
Credit to Ming Chuan Lin (of https://www.secondstate.io) for each discovering and fixing the bug!
The 0.5.10 release comprises the fixes to the bugs.
For the time being, we don’t plan to publish a repair to the legacy 0.4.x sequence of Solidity, however we’d if there may be widespread demand.
Each bugs ought to be simply seen in assessments that contact the related code paths.
Particulars concerning the two bugs may be discovered under.
Signed Integer Array Bug
Who ought to be involved
When you’ve got deployed contracts which use signed integer arrays in storage and both immediately assign
- a literal array with not less than one destructive worth in it (x = [-1, -2, -3];) or
- an current array of a completely different signed integer kind
to it, it will result in information corruption within the storage array.
Contracts that solely assign particular person array components (i.e. with x[2] = -1;) will not be affected.
Find out how to test if contract is weak
In case you use signed integer arrays in storage, attempt to run assessments the place you utilize destructive values. The impact ought to be that the precise worth saved is constructive as an alternative of destructive.
When you’ve got a contract that meets these circumstances, and need to confirm whether or not the contract is certainly weak, you’ll be able to attain out to us by way of security@ethereum.org.
Technical particulars
Storage arrays may be assigned from arrays of various kind. Throughout this copy and project operation, a sort conversion is carried out on every of the weather. Along with the conversion, particularly if the signed integer kind is shorter than 256 bits, sure bits of the worth must be zeroed out in preparation for storing a number of values in the identical storage slot.
Which bits to zero out was incorrectly decided from the supply and never the goal kind. This results in too many bits being zeroed out. Particularly, the signal bit shall be zero which makes the worth constructive.
ABIEncoderV2 Array Bug
Who ought to be involved
When you’ve got deployed contracts which use the experimental ABI encoder V2, then these is likely to be affected. Which means solely contracts which use the next directive inside the supply code may be affected:
pragma experimental ABIEncoderV2;
Moreover, there are a selection of necessities for the bug to set off. See technical particulars additional under for extra data.
Find out how to test if contract is weak
The bug solely manifests itself when all the following circumstances are met:
- Storage information involving arrays or structs is distributed on to an exterior operate name, to abi.encode or to occasion information with out prior project to a neighborhood (reminiscence) variable AND
- this information both comprises an array of structs or an array of statically-sized arrays (i.e. not less than two-dimensional).
Along with that, within the following scenario, your code is NOT affected:
- if you happen to solely return such information and don’t use it in abi.encode, exterior calls or occasion information.
Doable penalties
Naturally, any bug can have wildly various penalties relying on this system management stream, however we count on that that is extra more likely to result in malfunction than exploitability.
The bug, when triggered, will below sure circumstances ship corrupt parameters on technique invocations to different contracts.
Technical particulars
In the course of the encoding course of, the experimental ABI encoder doesn’t correctly advance to the following aspect in an array in case the weather occupy greater than a single slot in storage.
That is solely the case for components which are structs or statically-sized arrays. Arrays of dynamically-sized arrays or of elementary datatypes will not be affected.
The precise impact you will notice is that information is “shifted” within the encoded array: When you’ve got an array of kind uint[2][] and it comprises the info
[[1, 2], [3, 4], [5, 6]], then it will likely be encoded as [[1, 2], [2, 3], [3, 4]] as a result of the encoder solely advances by a single slot between components as an alternative of two.
This put up was collectively composed by @axic, @chriseth, @holiman
Source link