Impact
The storage allocator does not guard against allocation overflows. This can result in vulnerabilities like the following:
owner: public(address)
take_up_some_space: public(uint256[10])
buffer: public(uint256[max_value(uint256)])
@external
def initialize():
self.owner = msg.sender
@external
def foo(idx: uint256, data: uint256):
self.buffer[idx] = dataPer @ToonVanHove, "An attacker can overwrite the owner variable by calling this contract with calldata: 0x04bc52f8 fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff5 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff (spaces inserted for readability)
0x04bc52f8 is the selector for foo(uint256, uint256), and the last argument fff...fff is the new value for the owner variable."
Patches
patched in 0bb7203
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
ToonVanHove Analyst
trocher Analyst
Impact
The storage allocator does not guard against allocation overflows. This can result in vulnerabilities like the following:
Per @ToonVanHove, "An attacker can overwrite the owner variable by calling this contract with calldata:
0x04bc52f8 fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff5 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff(spaces inserted for readability)0x04bc52f8is the selector forfoo(uint256, uint256), and the last argumentfff...fffis the new value for the owner variable."Patches
patched in 0bb7203
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?