recent Solidity version 0.4.25 released Fixed two important bugs. Another important bug has already been fixed in version 0.4.22, but its existence was only discovered recently.
The Ethereum Foundation runs: bounty program This is the code generator part of Solidity.
The exponent theorem of exponentiation
- Likelihood of Occurrence: Very Low
- Exploitability: High
- Likelihood of discovery through testing: low
- Version revision: 0.4.25
Summary: Using short types for exponents in exponentiation operations can lead to incorrect results.
The Solidity language allows integer types shorter than 256 bits, even though the Ethereum Virtual Machine only knows exactly 256-bit types. That’s why sometimes we need to set the high-order bit to 0. For many operations, it is irrelevant whether that bit is set to 0 (addition is one example). Therefore, the Solidity compiler delays this cleanup until necessary to save gas.
In very special circumstances, the exponent ** If the type of the operator is shorter than 256 bits but not shorter than the base type and contains dirty high-order bits, incorrect results may occur. Note the following literal exponents: x ** 2 The same applies if the base type is: Unit256 or integer256 Not affected.
Function parameters can have dirty high-order bits if called by a malicious entity, and the same goes for data returned from contract functions deployed by a malicious entity.
After examining a large number of contracts, we consider this bug to only affect a very small number of smart contracts. Because if you use the exponential operator regularly you won’t get bugs.
This bug was discovered by: weller.
Memory corruption in multidimensional array decoder
- Likelihood of Occurrence: Low
- Exploitability: Medium
- Likelihood of discovery through testing: High
- Introduced in version: 0.1.4
- Version revision: 0.4.22
Summary: Calling a function in another contract that returns a multidimensional fixed-size array will result in memory corruption.
If your Solidity code calls a function that returns a multidimensional fixed-size array, the returned ABI-encoded data must be converted to Solidity’s internal array representation. In Solidity, multidimensional arrays are implemented as arrays of memory pointers, whereas in ABI the data is encoded inline. The decoder did not take this difference into account, with the result that the returned element was interpreted as a memory pointer, which could cause memory corruption if the return value was accessed. Calling a function with a multidimensional fixed-size array argument is unaffected, as is returning a fixed-size array from a function call if it is not used in the Solidity contract. The bug is only in the component that decodes the multidimensional fixed-size array returned from a function call in Solidity.
This bug was discovered by: lol.
The struct encoding of the event is incorrect.
- Likelihood of Occurrence: Low
- Exploitability: Low
- Likelihood of discovery through testing: High
- Introduced in version: 0.4.17
- Version revision: 0.4.25
Summary: Structures as event parameters are not handled properly.
Structures were not supported as event parameters without the new ABI encoder. Nonetheless, the compiler allowed this, but encoded the memory address instead of the actual value. Even with the new ABI encoder, the structure is indexed Event parameters.
Structs are now not properly accepted if they are also indexed for the old and new encoders.