Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Low level calls with solidity version 0.8.14 can result in optimiser bug. #260

Closed
code423n4 opened this issue Jun 19, 2022 · 6 comments
Closed

Low level calls with solidity version 0.8.14 can result in optimiser bug. #260

code423n4 opened this issue Jun 19, 2022 · 6 comments
Labels
bug Something isn't working duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-06-connext/blob/b4532655071566b33c41eac46e75be29b4a381ed/contracts/contracts/core/connext/helpers/TokenRegistry.sol#L2
https://github.com/code-423n4/2022-06-connext/blob/b4532655071566b33c41eac46e75be29b4a381ed/contracts/contracts/core/connext/libraries/LibDiamond.sol#L2
https://github.com/code-423n4/2022-06-connext/blob/b4532655071566b33c41eac46e75be29b4a381ed/contracts/contracts/core/connext/libraries/LibConnextStorage.sol#L2
https://github.com/code-423n4/2022-06-connext/blob/b4532655071566b33c41eac46e75be29b4a381ed/contracts/contracts/test/Connext.sol#L2

Vulnerability details

Impact

The protocol is using low level calls with solidity version 0.8.14 which can result in optimizer bug.

Proof of Concept

See POC from Certora

Recommended Mitigation Steps

Consider upgrading to solidity 0.8.15
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jun 19, 2022
code423n4 added a commit that referenced this issue Jun 19, 2022
@code423n4
BowTiedWardens issue #260
c6b08d0
@ecmendenhall
Copy link

ecmendenhall commented Jun 20, 2022
edited
Loading

This is indeed a gnarly optimizer bug in Solidity 0.8.13 and 0.8.14, but it only occurs under very specific conditions. In order to trigger the bug, the legacy optimizer must be enabled (true for the current project configuration), and the affected assembly blocks must not refer to any local Solidity variables.

The second condition does not appear true for the examples here: every inline assembly block in the linked files for this finding references an outside variable.

@ecmendenhall
Copy link

ecmendenhall commented Jun 20, 2022
edited
Loading

Trying to keep my comments factual, but I would also note that 1) I think this is still worth reporting, and 2) I have reported this myself as an informational finding in other contests, even when there was no evidence of vulnerable assembly blocks.

@LayneHaber LayneHaber added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Jun 24, 2022
@LayneHaber
Copy link
Collaborator

Agree that this is worth reporting, and we will adopt the suggestions. Think we can lower the severity since it doesn't seem to fit all of the conditions. Perhaps this is more of a QA issue?

@LayneHaber
Copy link
Collaborator

connext/monorepo@900de7a

@LayneHaber LayneHaber added the resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) label Jun 27, 2022
@jakekidd jakekidd added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Jul 1, 2022
@0xleastwood
Copy link
Collaborator

This bug is definitely an interesting one to breakdown. It only affects self-contained assembly code when the yul optimiser is enabled. As a result, memory operations are removed from the block, leading to unexpected handling of memory later in the function. This can introduce some unintended behaviour later on, but this does not affect the connext codebase. Downgrading to QA and merging with #263.

@0xleastwood 0xleastwood added duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 3 (High Risk) Assets can be stolen/lost/compromised directly disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) labels Aug 2, 2022
@0xleastwood
Copy link
Collaborator

Here is some more context https://blog.soliditylang.org/2022/06/15/inline-assembly-memory-side-effects-bug/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@ecmendenhall @LayneHaber @jakekidd @0xleastwood @code423n4