Abstract: In some instances, variables can overwrite different variables in storage.
Affected Solidity compiler variations: 0.1.6 to 0.4.3 (together with 0.4.4 pre-release model)
detailed description:
Storage variables smaller than 256 bits are packed collectively in the identical 256 bit slot if they will match. If a worth higher than that allowed by the sort is assigned to the primary variable, that worth will overwrite the second variable.
Because of this if an attacker could cause the primary variable’s worth to overflow, the second variable may be modified. Creating an overflow within the first variable is feasible both by utilizing arithmetic or by passing a worth instantly from the decision information (values within the name information are aligned to 32 bytes, and padding is neither verified nor utilized).
Contracts that solely use the categories listed under for state variables No Affected There are additionally Array, Mapping and Construction (primarily based on the next varieties) No Affected:
- signed integer with dimension lower than 256 bits
- BytesNN kind, which comprises sizes smaller than 256 bits
- Unsigned integer (uint) of 256 bits.
contracts with varieties smaller than 256 bits which are by no means subsequent to one another (be aware that the state variables of the bottom contracts are “pulled in”) No Affected
Ethereum is multisignature pockets contract No Affected Be aware that addresses take up 160 bits, so solely addresses and contracts utilizing 256-bit varieties are protected. Moreover, in observe addresses and booleans are nearly by no means manipulated by way of arithmetic operations, so even contracts utilizing solely deal with, boolean and 256 bit varieties needs to be protected.
The next contracts could also be affected: Contracts with two or extra contiguous state variables the place the sum of their sizes is lower than 256 bits and the primary state variable will not be a signed integer and isn’t of kind BytesNN.
Sorts smaller than 256 bits embrace: bool, enums, uint8, …, uint248, int8, …, int248, deal with, any contract kind
advisable Motion:
- Recompile contracts that haven’t but been deployed utilizing at the least Solidity launch 0.4.4 (not pre-release or nightly variations).
- Deactivate, take away funds from, or improve already deployed contracts.
This vulnerability was discovered by (github.com/catageeek)(https://github.com/catageeek): (https://github.com/ewhereum/solidity/points/1306)(https://github.com/ ethereum/solidity/points/1306)