Solidity storage array bug announcement

This blog post is about two bugs connected to storage arrays which are otherwise unrelated. Both have been present in the compiler for a long time and have only been discovered now, even though a contract containing them would very likely show malfunctions in tests.

Daenam Kim, with help from Nguyen Pham, both from Curvegrid, found an issue where invalid data is stored in connection with arrays of signed integers.

This bug has been present since Solidity 0.4.7 and we consider it the more serious of the two. If these arrays use negative integers in certain situations, it will lead to data corruption, and thus the bug should be easy to detect.

Through the Ethereum bug bounty program, we received a report about a flaw within the new experimental ABI encoder (referred to as ABIEncoderV2). The new ABI encoder is still marked as experimental, but we nevertheless think this deserves a prominent announcement since it is already in use on mainnet. Credits to Ming Chuan Lin for both finding and fixing the bug!

The 0.5.10 release contains the fixes for both bugs. At the moment, we do not plan to publish fixes for the legacy 0.4.x series of Solidity, but we might do so if there is popular demand.

Both bugs should be easily visible in tests that touch the relevant code paths.

Details about both bugs can be found below.

Signed integer array bug

Who should be concerned

If you have deployed contracts that use signed integer arrays in storage and directly assign either

  • a literal array containing at least one negative value (x = [-1, -2, -3];) or
  • an existing array of a different signed integer type

then this will lead to data corruption in the storage array.

Contracts that only assign individual array elements (i.e. x[2] = -1;) are not affected.

How to check if a contract is vulnerable

If you use signed integer arrays in storage, try running tests where you use negative values. The effect should be that the actual value stored is positive instead of negative.

If you have a contract that meets these conditions and want to verify whether the contract is indeed vulnerable, you can reach out to us.

Technical details

Storage arrays can be assigned from arrays of different types. During this copy and assignment operation, a type conversion is performed on each element. Apart from the conversion, and especially if the signed integer type is smaller than 256 bits, certain bits of the value have to be zeroed out in preparation for storing multiple values in the same storage slot.

Which bits to zero out was incorrectly determined by the source and not the target type. This results in too many bits being zeroed out. In particular, the sign bit will be zero, which makes the value positive.
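The following Python simulation is an added illustration of the masking error just described; it is not compiler code. It models an int8 literal element being converted to a wider target type and then cleaned up for slot packing, with the cleanup width taken from the source type (buggy) or the target type (fixed).

```python
# Added simulation (not Solidity compiler code) of the signed-integer storage
# array bug: after converting an element to the target type, the compiler zeroes
# the bits above the element width so it can share a slot with its neighbours.
# Affected versions took that width from the *source* type instead of the target.

def to_twos(value: int, bits: int) -> int:
    """Two's-complement representation of `value` in `bits` bits."""
    return value & ((1 << bits) - 1)

def from_twos(raw: int, bits: int) -> int:
    """Sign-extend a `bits`-wide two's-complement value back to a Python int."""
    if raw & (1 << (bits - 1)):
        return raw - (1 << bits)
    return raw

def store_element(value: int, source_bits: int, target_bits: int, buggy: bool) -> int:
    """Bits written for one element of a storage array of width `target_bits`."""
    converted = to_twos(value, target_bits)           # sign-extending conversion
    cleanup_bits = source_bits if buggy else target_bits
    return converted & ((1 << cleanup_bits) - 1)      # zero the "unused" high bits

def read_element(raw: int, target_bits: int) -> int:
    """Reading back interprets the stored bits as the target type."""
    return from_twos(raw, target_bits)

def roundtrip(values, source_bits: int, target_bits: int, buggy: bool):
    """Assign a literal array of `source_bits`-wide ints to a `target_bits` storage
    array and read every element back."""
    return [read_element(store_element(v, source_bits, target_bits, buggy), target_bits)
            for v in values]

if __name__ == "__main__":
    literal = [-1, -2, -3]   # int8 literal array, as in `x = [-1, -2, -3];`
    print("int16[] fixed:", roundtrip(literal, 8, 16, buggy=False))  # [-1, -2, -3]
    print("int16[] buggy:", roundtrip(literal, 8, 16, buggy=True))   # [255, 254, 253]
```

With the source width used for cleanup, the sign bit of the wider target type is cleared and every negative value reads back positive; when source and target types are identical the masks coincide and nothing is corrupted.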

ABIEncoderV2 array bug

Who should be concerned

If you have deployed contracts that use the experimental ABI encoder V2, they might be affected. This means that only contracts that use the following directive within the source code can be affected:

pragma experimental ABIEncoderV2;

Furthermore, there are a number of requirements for the bug to trigger. See the technical details below for more information.

How to check if a contract is vulnerable

The bug only manifests when all of the following conditions are met:

  • storage data involving arrays or structs is passed directly to an external function call, to abi.encode or to event data without prior assignment to a local (memory) variable, and
  • this data contains either an array of structs or an array of fixed-size arrays (i.e. it is at least two-dimensional).

Furthermore, in the following case your code is not affected:

  • if you only return such data and do not use it in abi.encode, external calls or event data.

Potential consequences

Naturally, any given bug can have wildly varying consequences depending on the program control flow, but we expect this to be more likely to cause malfunction than to be exploitable.

The bug, when triggered, will under certain circumstances send corrupted parameters on method invocations to other contracts.

Technical details

During the encoding process, the experimental ABI encoder does not properly advance to the next element in an array if the elements occupy more than one slot in storage.

This is only the case for elements that are structs or fixed-size arrays. Dynamically sized arrays or arrays of primitive data types are not affected.

The typical effect you will see is that the data is "shifted" in the encoded array: if you have an array of type uint[2][] containing the data [[1, 2], [3, 4], [5, 6]], it will be encoded as [[1, 2], [2, 3], [3, 4]] because the encoder only advances by one slot between elements instead of two.
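The shift described above, reproduced as an added Python model of the encoder's slot walk (not the Solidity encoder itself). The storage layout is simplified to a flat list of slots; the length slot and keccak-derived base offset of a real dynamic storage array are left out, and the inner arrays are uint256 so each uint[2] element occupies exactly two slots.

```python
# Added model (not the Solidity ABIEncoderV2 code) of the array encoding bug:
# elements of a storage array that span several slots are read with a stride
# of one slot instead of the element's real size, so the data "shifts".

from typing import List

def storage_slots_for(array: List[List[int]]) -> List[int]:
    """Constructed layout of a uint[2][] in storage: every inner fixed-size
    array takes one slot per uint256, laid out consecutively."""
    return [v for inner in array for v in inner]

def encode_from_storage(slots: List[int], length: int, element_slots: int,
                        buggy: bool) -> List[List[int]]:
    """Encode `length` elements of `element_slots` slots each straight from storage.

    The affected encoder advanced by a single slot between elements regardless of
    how many slots an element occupies; the fix advances by the element size.
    """
    stride = 1 if buggy else element_slots
    encoded, offset = [], 0
    for _ in range(length):
        encoded.append(slots[offset:offset + element_slots])
        offset += stride
    return encoded

def encode_via_memory(array: List[List[int]]) -> List[List[int]]:
    """Copying to a memory variable first reads storage element by element, so the
    encoder never walks storage slots: the workaround named in the advisory."""
    return [list(inner) for inner in array]

if __name__ == "__main__":
    data = [[1, 2], [3, 4], [5, 6]]          # uint[2][] with three elements
    slots = storage_slots_for(data)
    print(encode_from_storage(slots, 3, 2, buggy=False))  # [[1, 2], [3, 4], [5, 6]]
    print(encode_from_storage(slots, 3, 2, buggy=True))   # [[1, 2], [2, 3], [3, 4]]
```

For elements that occupy one slot (an array of primitive types) the buggy and fixed strides coincide, which is why such arrays are not affected.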

This post was collaboratively created by @axic, @chriseth, @holiman.
