On April 7, 2022, John Toman reported this vulnerability. The bug hunter's own account of finding it: Link here
Affected range: 0.5.8 ≤ version < 0.8.14, low severity.
If a function uses abi.encode, calls another external function, or emits an event, and one of the arguments is an array (in the example below, a nested array received as calldata),
then carefully constructed argument contents can unexpectedly clear (zero out) part of that array.
// Compile with 0.8.13 to reproduce; with 0.8.14 the call in ext() reverts instead.
pragma solidity >=0.8.0 <0.9.0;

contract Test {
    // Receives the nested array as calldata and re-encodes it for an external call.
    function outer(uint[][] calldata foo) public returns (uint) {
        return this.doIt(foo);
    }

    // Reads the second element of the first inner array.
    function doIt(uint[][] memory bar) public returns (uint) {
        return bar[0][1];
    }

    // Hand-built calldata: outer offset 32, outer length 1, inner offset 32,
    // inner length 2, but only one element (12) is actually supplied.
    function ext() public returns (uint) {
        bytes memory buffer = abi.encodeWithSignature(
            "outer(uint256[][])",
            uint256(32), uint256(1), uint256(32), uint256(2), uint256(12)
        );
        (bool succ, bytes memory ret) = address(this).call(buffer);
        require(succ);
        uint a = abi.decode(ret, (uint));
        return a;
    }
}
Compiled with 0.8.13, the call to ext succeeds: the inner array claims a length of 2 but the buffer holds only the element 12, and when outer re-encodes the calldata array for doIt the missing word is read as zero, so doIt returns bar[0][1] = 0. Compiled with 0.8.14, the nested array length is validated against the calldata size and the call to ext fails.
0x17c44462                                                        selector of outer(uint256[][])
0000000000000000000000000000000000000000000000000000000000000020  offset of the outer array (32)
0000000000000000000000000000000000000000000000000000000000000001  outer array length: 1
0000000000000000000000000000000000000000000000000000000000000020  offset of the inner array (32, relative to the word after the outer length)
0000000000000000000000000000000000000000000000000000000000000001  inner array length: 1
000000000000000000000000000000000000000000000000000000000000000c  element: 12
[[12]]
0000000000000000000000000000000000000000000000000000000000000020
0000000000000000000000000000000000000000000000000000000000000001
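To make the mechanism concrete, here is an added Python model of the decoder behaviour (this is example code written for this page, not code from the original post or from the Solidity compiler). It decodes the `outer(uint256[][])` calldata that `ext()` builds in two modes: a lenient mode that reads words beyond the end of calldata as zero, which is the behaviour that produced the cleared element before 0.8.14, and a strict mode that validates every nested array length against the calldata size, which is what 0.8.14 added. The selector 0x17c44462 is taken from the page and is not recomputed; the two calldata buffers are constructed inline.

```python
"""Model of nested calldata array decoding with and without length validation.

Added example, not code from the original post or the Solidity project.
`strict=False` mimics a decoder that reads missing tail bytes as zero
(the re-encoding bug in 0.5.8 <= solc < 0.8.14); `strict=True` validates
nested array lengths against the calldata size, as 0.8.14 does.
"""

WORD = 32
SELECTOR_OUTER = bytes.fromhex("17c44462")  # from the page: outer(uint256[][])


class MalformedCalldata(Exception):
    """Raised in strict mode when an array or word lies outside calldata."""


def _word(data: bytes, pos: int, strict: bool) -> int:
    """Read one 32-byte big-endian word at byte offset `pos`."""
    chunk = data[pos:pos + WORD]
    if len(chunk) < WORD:
        if strict:
            raise MalformedCalldata(f"word at offset {pos} lies outside calldata")
        chunk = chunk.ljust(WORD, b"\x00")  # lenient: missing bytes read as zero
    return int.from_bytes(chunk, "big")


def decode_uint_array(data: bytes, head: int, strict: bool) -> list[int]:
    """Decode a uint256[] whose length word sits at byte offset `head`."""
    length = _word(data, head, strict)
    first = head + WORD
    if strict and first + length * WORD > len(data):
        raise MalformedCalldata(
            f"array at {head} claims {length} elements but only "
            f"{max(0, (len(data) - first) // WORD)} fit in calldata")
    return [_word(data, first + i * WORD, strict) for i in range(length)]


def decode_nested(data: bytes, strict: bool = True) -> list[list[int]]:
    """Decode the single uint256[][] argument that follows the 4-byte selector."""
    args = data[4:]
    outer_off = _word(args, 0, strict)          # head offset of the outer array
    outer_len = _word(args, outer_off, strict)
    base = outer_off + WORD                     # inner offsets are relative to here
    if strict and base + outer_len * WORD > len(args):
        raise MalformedCalldata("outer array claims more elements than calldata holds")
    result = []
    for i in range(outer_len):
        inner_off = _word(args, base + i * WORD, strict)
        result.append(decode_uint_array(args, base + inner_off, strict))
    return result


def build_call(*words: int) -> bytes:
    """Selector followed by each argument word, like abi.encodeWithSignature."""
    return SELECTOR_OUTER + b"".join(w.to_bytes(WORD, "big") for w in words)


# Constructed inputs: the crafted buffer from the page's ext(), and a
# well-formed encoding of [[12]] for comparison.
CRAFTED = build_call(32, 1, 32, 2, 12)       # inner length 2, one element supplied
WELL_FORMED = build_call(32, 1, 32, 1, 12)   # [[12]]


def doit_lenient(data: bytes) -> int:
    """What doIt(bar) returns as bar[0][1] when the decoder pads with zeros."""
    return decode_nested(data, strict=False)[0][1]


def is_rejected(data: bytes) -> bool:
    """True if the strict (0.8.14-style) check rejects the calldata."""
    try:
        decode_nested(data, strict=True)
        return False
    except MalformedCalldata:
        return True


if __name__ == "__main__":
    print("lenient:", decode_nested(CRAFTED, strict=False))   # [[12, 0]]
    print("strict rejects crafted:", is_rejected(CRAFTED))    # True
    print("strict accepts [[12]]:", not is_rejected(WELL_FORMED))
```

The lenient decode of the crafted buffer yields `[[12, 0]]`, which is exactly why `doIt` returned 0 on 0.8.13: the element was never cleared in storage or memory, it simply never existed in calldata and was read as zero when `outer` re-encoded it. The strict decode raises, matching the revert on 0.8.14. For a deployed contract the practical mitigation is the one the page implies: build with a compiler at or above 0.8.14.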