Solidity Storage Array Bugs
This blog post is about two bugs connected to storage arrays which are otherwise unrelated. Both have been present in the compiler for a long time and have only been discovered now, even though a contract containing them should very likely show malfunctions in tests.
Daenam Kim, with help from Nguyen Pham, both from Curvegrid, discovered an issue where invalid data is stored in connection with arrays of signed integers.
This bug has been present since Solidity 0.4.7 and we consider it the more serious of the two. If these arrays use negative integers in a certain situation, it will cause data corruption, so the bug should be easy to detect.
Through the Ethereum bug bounty program, we received a report about a flaw within the new experimental ABI encoder (referred to as ABIEncoderV2). The new ABI encoder is still marked as experimental, but we nevertheless think that this deserves a prominent announcement since it is already in use on mainnet. Credits to Ming Chuan Lin (of https://www.secondstate.io) for both discovering and fixing the bug!
The 0.5.10 release contains the fixes for both bugs. At this time we have no plans to publish a fix for the legacy 0.4.x series of Solidity, but we might if there is demand.
Both bugs should be easily visible in tests that touch the relevant code paths.
Details about the two bugs can be found below.
Signed Integer Array Bug
Who should be concerned
If you have deployed contracts that use signed integer arrays in storage and assign directly
- an array literal with at least one negative value in it (x = [-1, -2, -3];) or
- an existing array of a different signed integer type,
it will result in data corruption in the storage array.
Contracts that only assign individual array elements (i.e. with x[2] = -1;) are not affected.
How to check if a contract is vulnerable
If you use signed integer arrays in storage, try running tests where you use negative values. The effect should be that the actual value stored is positive instead of negative.
If you have a contract that meets these conditions and want to verify whether the contract is indeed vulnerable, you can reach out to us via security@ethereum.org.
Technical details
Storage arrays can be assigned from arrays of different types. During this copy and assignment operation, a type conversion is performed on each of the elements. As part of the conversion, especially if the signed integer type is smaller than 256 bits, certain bits of the value have to be zeroed in preparation for storing multiple values in the same storage slot.
Which bits to zero out was incorrectly determined from the source type rather than the target type. This leads to too many bits being zeroed out. In particular, the sign bit will be zero, which makes the value positive.
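The following is an added Python model of that element cleanup, written for this post and not taken from the Solidity compiler: it masks each element with either the source or the target bit width and shows how masking with the source width (the bug) turns -1 into 255 when an int8 literal is copied into an int256 storage array, while a same-type copy is unaffected. The function names and the 8/256-bit widths are assumptions chosen for the illustration.

```python
# Added illustration, not Solidity compiler code: a Python model of the
# element cleanup performed when an array is copied into storage. A signed
# type of N bits is cleaned by keeping exactly its low N bits, so that several
# small elements can later be packed into one 256-bit storage slot.

def to_twos_complement(value, bits):
    """Encode a signed integer as an unsigned N-bit two's complement word."""
    return value & ((1 << bits) - 1)

def from_twos_complement(word, bits):
    """Decode an N-bit two's complement word back to a signed integer."""
    if word >> (bits - 1):  # sign bit set
        return word - (1 << bits)
    return word

def clean_element(value, src_bits, dst_bits, buggy):
    """Convert one element from int<src_bits> to int<dst_bits> and mask it.

    Correct: mask with the *target* width, so -1 as int256 keeps all 256 bits.
    Buggy (Solidity 0.4.7 to 0.5.9): mask with the *source* width, which
    zeroes the upper bits, including the sign bit of the target type.
    """
    word = to_twos_complement(value, 256)  # sign-extended 256-bit word
    mask_bits = src_bits if buggy else dst_bits
    return word & ((1 << mask_bits) - 1)

def copy_array_to_storage(literal, src_bits, dst_bits, buggy):
    """Model `int<dst>[] x = <literal of int<src>>;` and read the values back."""
    slots = [clean_element(v, src_bits, dst_bits, buggy) for v in literal]
    return [from_twos_complement(w, dst_bits) for w in slots]

# x = [-1, -2, -3]: the literal has type int8[3], the storage array is int256[]
print(copy_array_to_storage([-1, -2, -3], 8, 256, buggy=False))  # [-1, -2, -3]
print(copy_array_to_storage([-1, -2, -3], 8, 256, buggy=True))   # [255, 254, 253]
# Same-type copy (int8 -> int8): both masks agree, so nothing is corrupted
print(copy_array_to_storage([-1, -2, -3], 8, 8, buggy=True))     # [-1, -2, -3]
```

A test that asserts on negative values read back from the storage array, as the section above recommends, is exactly what distinguishes the two outputs.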
ABIEncoderV2 Array Bug
Who should be concerned
If you have deployed contracts that use the experimental ABI encoder V2, those might be affected. This means that only contracts that use the following directive within the source code can be affected:
pragma experimental ABIEncoderV2;
Furthermore, there are a number of requirements for the bug to trigger. See the technical details below for more information.
How to check if a contract is vulnerable
The bug only manifests itself when all of the following conditions are met:
- storage data involving arrays or structs is sent directly to an external function call, to abi.encode or to event data without prior assignment to a local (memory) variable AND
- this data either contains an array of structs or an array of statically-sized arrays (i.e. it is at least two-dimensional).
In addition to that, in the following situation your code is NOT affected:
- if you only return such data and do not use it in abi.encode, external calls or event data.
Possible consequences
Of course, any bug can have wildly varying consequences depending on the control flow of the program, but we expect that this is more likely to lead to malfunction than to exploitability.
The bug, when triggered, will send corrupted parameters to method calls to other contracts under certain conditions.
Technical details
During encoding, the experimental ABI encoder does not properly advance to the next element in the array in case the elements occupy more than one storage slot.
This is only the case for elements that are structs or statically-sized arrays. Arrays of dynamically-sized arrays or of elementary data types are not affected.
The specific effect you will see is that the data is "shifted" in the encoded array: if you have an array of type uint[2][] and it contains the data
[[1, 2], [3, 4], [5, 6]], then it will be encoded as [[1, 2], [2, 3], [3, 4]] because the encoder only advances by one slot between elements instead of two.
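To make the shift concrete, here is an added Python model of how the encoder walks a uint[2][] stored in storage; it is an illustration written for this post, not the compiler's code. Storage is modelled as a dict of slot to word, and the keccak-derived location of the dynamic array's data is replaced by a constructed base slot (DATA_BASE); the function names are assumptions.

```python
# Added illustration, not Solidity compiler code: a Python model of how
# ABIEncoderV2 read a uint[2][] out of storage element by element.
# Storage is a dict slot -> 256-bit word. The keccak256(slot) location of a
# dynamic array's data is replaced by a constructed base slot to stay offline.

DATA_BASE = 1000  # constructed stand-in for keccak256(slot) of the array

def store_uint2_array(storage, values, slot=0):
    """Lay out a uint[2][] in storage: length at `slot`, elements at DATA_BASE.

    Each uint[2] element is statically sized and occupies two consecutive
    slots, so element i lives at DATA_BASE + 2*i and DATA_BASE + 2*i + 1.
    """
    storage[slot] = len(values)
    for i, (a, b) in enumerate(values):
        storage[DATA_BASE + 2 * i] = a
        storage[DATA_BASE + 2 * i + 1] = b

def encode_uint2_array(storage, slot=0, buggy=False):
    """Read the array back the way the encoder does before ABI-encoding it.

    Correct: advance by the element's size in slots (2).
    Buggy (ABIEncoderV2 before 0.5.10): advance by one slot regardless.
    """
    length = storage[slot]
    stride = 1 if buggy else 2
    out, pos = [], DATA_BASE
    for _ in range(length):
        out.append([storage.get(pos, 0), storage.get(pos + 1, 0)])
        pos += stride
    return out

def encode_from_values(values, buggy=False):
    """Convenience wrapper: store `values` as uint[2][] and encode them."""
    storage = {}
    store_uint2_array(storage, values)
    return encode_uint2_array(storage, buggy=buggy)

print(encode_from_values([[1, 2], [3, 4], [5, 6]]))              # [[1, 2], [3, 4], [5, 6]]
print(encode_from_values([[1, 2], [3, 4], [5, 6]], buggy=True))  # [[1, 2], [2, 3], [3, 4]]
```

A one-dimensional uint[] has one-slot elements, so stride 1 is correct for it; that is why arrays of elementary types are unaffected.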
This post was jointly composed by @axic, @chriseth, @holiman