A bug in the Solidity optimizer was reported through the Ethereum Foundation Bounty Program by Christoph Jentzsch. This bug has been fixed as of May 3, 2017 with the Solidity 0.4.11 release.
Background
The bug in question concerned how the optimizer optimizes constants in the bytecode. By "bytecode constants" we mean everything that is PUSHed onto the stack (not to be confused with Solidity constants). For example, if the value 0xffffffffffffffffffffffffffffffffffffffffffffff is PUSHed, the optimizer can either emit PUSH32 0xffffffffffffffffffffffffffffffffffffffffffffff or choose to encode it as PUSH1 1; NOT;.
A bug in the optimizer caused optimizations of bytecode constants to fail in certain situations by generating a routine that did not correctly recreate the original constant.
The behaviour described in the reported bug was found in a contract where one method stopped working when another, completely unrelated, method was added to the contract. Upon analysis, it was determined that several conditions must hold simultaneously for the bug to trigger. Any combination of conditions that triggers the bug consistently includes the following two:
- The constant should start with 0xFF… and end with a long string of zeros (or vice versa).
- The same constant must be used in multiple places for the optimizer to choose to optimize this particular constant. Alternatively, it should be used in the constructor, which is optimized for size, not gas.
In addition to the two conditions above, further, more complicated conditions are required.
Analysis
This bug is present in all released versions of Solidity from at least summer 2015 until today. Although the bug has been around since 2015, it appears to be very hard to trigger with "random" code:
We performed a static analysis of all contract code deployed on the blockchain and did not find any occurrence of such an improperly generated routine. Please note that the fact that we did not find an error in the full code of deployed contracts does not guarantee that such occurrences do not exist.
Improvements
To provide better transparency and improve awareness of Solidity bugs, we have started exporting information about Solidity-related vulnerabilities as JSON files into the Solidity code repository (1, 2). Hopefully block explorers will integrate this information along with other information related to the contract.
Etherscan has already done so, as can be seen here and here.
As for the bug itself, we added a mini-EVM to the optimizer that checks the correctness of every generated routine during compilation.
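As an added illustration of what such a check does (example code, not the Solidity compiler's own), the following Python mini-EVM evaluates a candidate constant-building routine, accepts it only if it reproduces the intended 256-bit constant bit for bit and is smaller than a plain PUSH32, and otherwise falls back to PUSH32. The opcode subset (PUSHn, NOT, MUL, EXP, SUB), the byte-size accounting, and the sample constant of the "0xFF… followed by zeros" shape described above are assumptions.

```python
# Added example: a mini-EVM style check that an optimizer-generated routine
# really recreates the bytecode constant it is meant to replace.
# Routines are lists of (opcode, arg) tuples; stack semantics follow the EVM
# (binary ops take the top of the stack as their first operand).
WORD = 1 << 256
MASK = WORD - 1


def run_routine(routine):
    """Interpret a constant-building routine on a 256-bit stack machine and
    return the single value it leaves on the stack."""
    stack = []
    for op, *args in routine:
        if op.startswith("PUSH"):                      # PUSH1 .. PUSH32
            width = int(op[4:])
            value = args[0]
            if not 0 <= value < (1 << (8 * width)):
                raise ValueError(f"{op} cannot encode {value:#x}")
            stack.append(value)
        elif op == "NOT":
            stack.append(~stack.pop() & MASK)
        elif op in ("MUL", "EXP", "SUB"):
            a, b = stack.pop(), stack.pop()            # a is the former top
            if op == "MUL":
                stack.append((a * b) & MASK)
            elif op == "EXP":
                stack.append(pow(a, b, WORD))          # a ** b mod 2**256
            else:
                stack.append((a - b) & MASK)
        else:
            raise ValueError(f"unsupported opcode {op}")
    if len(stack) != 1:
        raise ValueError("routine must leave exactly one value on the stack")
    return stack[0]


def routine_size(routine):
    """Bytecode size in bytes: PUSHn is 1 + n bytes, every other opcode 1 byte."""
    return sum(1 + int(op[4:]) if op.startswith("PUSH") else 1 for op, *_ in routine)


def choose_encoding(constant, candidate):
    """Mirror the optimizer's decision: use the candidate routine only if it
    reproduces `constant` exactly and is smaller than a plain PUSH32."""
    plain = [("PUSH32", constant)]
    if run_routine(candidate) == constant and routine_size(candidate) < routine_size(plain):
        return candidate
    return plain


# Constructed sample: 0xFFFF followed by 240 zero bits, i.e. 0xFFFF * 2**240.
HIGH_ONES = 0xFFFF << 240
HIGH_ONES_ROUTINE = [("PUSH1", 240), ("PUSH1", 2), ("EXP",), ("PUSH2", 0xFFFF), ("MUL",)]
```

A routine that is off by a single bit (for example PUSH1 1; NOT, which yields 0xff…fe rather than all ones) is rejected by `choose_encoding`, which is exactly the class of defect the in-compiler check is meant to catch.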
Furthermore, work has already begun on a fully specified higher-level intermediate language. Future optimizer routines written in this language will be much easier to understand and revise, and will replace the current optimizer.