Size Check Bug in Nested Calldata Array ABI-Reencoding

2022年4月7日John Toman上报改漏洞。Hunter的心路历程Link here

影响范围 0.5.8 ≤ version < 0.8.14，低危。

简述

若function中使用了abi.encode，或者调用了其他external function，或者emit event。且参数中包含array。

那么通过精心构造参数内容，可非预期清空部分array。

contract Test {
	function outer(uint[][] calldata foo) public returns (uint) {
		return this.doIt(foo);
	}

	function doIt(uint[][] memory bar) public returns (uint) {
		return bar[0][1];
	}

	function ext() public returns (uint) {
		bytes memory buffer = abi.encodeWithSignature("outer(uint256[][])", uint256(32), uint256(1), uint256(32), uint256(2), uint256(12));
		(bool succ, bytes memory ret) =  address(this).call(buffer);
		require(succ);
		uint a = abi.decode(ret, (uint));
		return a;
	}
}

该合约 0.8.13编译后，ext函数调用成功。0.8.14编译后，ext函数调用失败。

Untitled

TEST

0x17c44462

0000000000000000000000000000000000000000000000000000000000000020

0000000000000000000000000000000000000000000000000000000000000001

0000000000000000000000000000000000000000000000000000000000000020

0000000000000000000000000000000000000000000000000000000000000001

000000000000000000000000000000000000000000000000000000000000000c

[[12]]

0000000000000000000000000000000000000000000000000000000000000020

0000000000000000000000000000000000000000000000000000000000000001