summary: In some situations, a variable can overwrite another variable in storage.
Solidity compiler versions affected: 0.1.6 to 0.4.3 (including pre-release version 0.4.4)
detailed description:
Storage variables smaller than 256 bits are packed together into the same 256-bit slot if they can fit. If the first variable is assigned a value larger than its type allows, that value overwrites the second variable.
This means that if an attacker can cause an overflow in the value of the first variable, the second variable can be modified. You can create an overflow in the first variable by using an operation or by passing the value of the call data directly (the value of the call data is 32 byte aligned and no padding is checked or applied).
Here’s a contract that uses only the types listed below for state variables: ~ no affected. Arrays, mappings, and structures (based on the following types) are also ~ no affected:
- Signed integer with size less than 256 bits
- bytesNN type with sizes less than 256 bits
- 256-bit unsigned integer (unit)
Contracts of types smaller than 256 bits that are not adjacent to each other (the state variables of the base contract are “pulled in”) ~ no affected.
The Ethereum multi-signature wallet contract is as follows: ~ no affected. An address takes up 160 bits, so a contract that uses only addresses and 256-bit types is safe. Additionally, since addresses and booleans are rarely manipulated through arithmetic operations in practice, contracts that only use addresses, booleans, and 256-bit types should be safe.
The following contracts may be affected: A contract that contains two or more consecutive state variables whose sizes sum less than 256 bits and where the first state variable is not a signed integer and is not of type bytesNN.
Types smaller than 256 bits include bool, enums, uint8, …, uint248, int8, …, int248, address, and all contract types.
Recommended Action:
- Recompile contracts that have not yet been deployed using at least Solidity release 0.4.4 (not a pre-release or Nightly version).
- Deactivate, remove funds from, or upgrade already deployed contracts.
This vulnerability was discovered in (github.com/catageek)(https://github.com/catageek): (https://github.com/ethereum/solidity/issues/1306)(https://github.com / Ethereum/SolidT/Problem/1306)