Summary
If an excessively large value is specified as the starting index for an array in _abi_decode
, it can cause the read position to overflow. This results in the decoding of values outside the intended array bounds, potentially leading to bugs in contracts that use arrays within _abi_decode
. The advisory has been assigned low severity, because it is only observable if there is a memory write between two invocations of abi_decode
on the same input.
Proof of Concept
event Pwn:
pass
@external
def f(x: Bytes[32 * 3]):
a: Bytes[32] = b"foo"
y: Bytes[32 * 3] = x
decoded_y1: Bytes[32] = _abi_decode(y, Bytes[32])
a = b"bar"
decoded_y2: Bytes[32] = _abi_decode(y, Bytes[32])
if decoded_y1 != decoded_y2:
log Pwn()
Sending the following calldata results in Pwn
being emitted.
0xd45754f8
0000000000000000000000000000000000000000000000000000000000000020
0000000000000000000000000000000000000000000000000000000000000060
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa0
Patches
Patched in #3925, #4091, #4144, #4060.
Summary
If an excessively large value is specified as the starting index for an array in
_abi_decode
, it can cause the read position to overflow. This results in the decoding of values outside the intended array bounds, potentially leading to bugs in contracts that use arrays within_abi_decode
. The advisory has been assigned low severity, because it is only observable if there is a memory write between two invocations ofabi_decode
on the same input.Proof of Concept
Sending the following calldata results in
Pwn
being emitted.Patches
Patched in #3925, #4091, #4144, #4060.