Solidity Storage Array Bug Announced
This blog post is about two bugs linked to completely unrelated storage arrays. Both have existed in compilers for a long time and are only now being discovered, even though the contracts containing them are very likely to malfunction in testing.
Daenam Kim get help Nguyen Farmin both curve grid We discovered an issue with signed integer arrays that resulted in incorrect data being stored.
This bug has existed since Solidity 0.4.7, and we consider this the more serious of the two. If these arrays use negative numbers in certain situations, data corruption will occur, making bugs easier to detect.
Through the Ethereum bug bounty program, we have received reports of a flaw in a new experimental ABI encoder (called ABIEncoderV2). The new ABI encoder is still marked as experimental, but since it’s already in use on mainnet, we think it’s worth announcing prominently. Credit to Ming Chuan Lin (of https://www.secondstate.io) Thank you for finding and fixing the bug!
that much 0.5.10 release Contains bug fixes. There are currently no plans to publish fixes for the legacy 0.4.x Solidity series, but we may do so if there is public demand.
Both bugs should be easily visible in tests that cover the relevant code path.
More details about both bugs can be found below.
Signed integer array bug
Who should worry?
When deploying a contract that uses an array of signed integers in a repository and assigning them directly
- A literal array containing at least one negative value (x = (-1, -2, -3);) or
- existing array different signed integer type
Doing so may corrupt data on the storage array.
Contracts that only assign individual array elements, e.g. x(2) = -1;) has no effect.
How to tell if a contract is vulnerable
If your storage uses signed integer arrays, try running tests using negative values. As a result, the actual value stored should be positive rather than negative.
If you have a contract that meets these conditions and would like to determine whether it is in fact vulnerable, you can contact us via: security@ethereum.org.
technical details
Storage arrays can be allocated from many different types of arrays. During this copy and assignment operation, a type conversion is performed on each element. In addition to conversions, certain bits of the value must be zeroed to prepare for storing multiple values in the same storage slot, especially if the signed integer type is shorter than 256 bits.
The bit to be zeroed was incorrectly determined from a source other than the target type. This causes too many bits to be set to 0. In particular, the sign bit becomes 0, making the value positive.
ABIEncoderV2 array bug
Who should worry?
If you have deployed contracts that use the experimental ABI Encoder V2, those contracts may be affected. This means that only contracts that use the following directives within their source code can be affected:
pragma experimental ABIEncoderV2;
Additionally, there are several requirements for a bug to occur. See technical details below for more information.
How to tell if a contract is vulnerable
The bug only appears if all of the following conditions are met:
- Storage data associated with an array or structure is transferred directly to an external function call. abi.encode OR AND to event data without pre-assignment to a local (memory) variable
- This data includes arrays of structures or statically sized (that is, at least two-dimensional) arrays.
Additionally, your code will not be affected in the following situations:
- If you just return that data and don’t use that data abi.encodeExternal call or event data.
possible outcome
Naturally, any bug can have very different consequences depending on the program control flow, but this is expected to be more likely to lead to malfunction than exploitability.
The bug occurs when, under certain circumstances, a method call sends corrupted parameters to another contract.
technical details
During the encoding process, the experimental ABI encoder does not properly advance to the next element in the array if the element occupies more than a single slot in the storage.
This is only true for elements that are structures or statically sized arrays. Dynamically sized arrays or arrays of primitive data types are not affected.
The specific effect you will see is that the data is “moved” around the encoded array. Unit(2)() And it contains data.
((1, 2), (3, 4), (5, 6))it is encoded as follows: ((1, 2), (2, 3), (3, 4)) This is because the encoder only advances a single slot between elements rather than two.
This post was co-written by @axic, @chriseth, and @holiman.