Submission Details
Severity:
ContractFunctionT.from_abi fails to gracefully handle a valid JSON ABI interface that represents `__default__` and/or `__init__` function
Summary
ContractFunctionT.from_abi can't handle code with default and/or init methods provided with the object from a valid JSON ABI interface representing a function.
Vulnerability Details
Both `__init__` and `__default__` methods are missing `name` and `inputs` items respectively (although due to valid reasons) in their ABIs which leads to `ContractFunctionT.from_abi` method failure to generate a `ContractFunctionT` object.
Steps to reproduce:
1 - add sample `.vy` code to a standalone file
2 - produce abi by running `vyper -f abi <path-to-the-file>`:
root@06f545b1d4b9:/workspaces/vyper# vyper -f abi tests/sample_code_from_abi.vy
[{"stateMutability": "nonpayable", "type": "constructor", "inputs": [], "outputs": []}, {"stateMutability": "nonpayable", "type": "fallback"}]
3 - pass ABI payload to `ContractFunctionT.from_abi` method
4 - confirm asserts fail with KeyError for both cases
Add a new test test_init_and_default_fail_to_create_from_abi.py:
import pytest
from vyper.semantics.types.function import ContractFunctionT
@pytest.mark.xfail(raises=KeyError)
def test_init_and_default_fail_to_create_from_abi():
# content of tests/sample_code_from_abi.vy
code = """
owner: address
last_sender: address
@external
def __init__():
self.owner = msg.sender
@external
def __default__():
self.last_sender = msg.sender
"""
abi_payload = [{"stateMutability": "nonpayable", "type": "constructor", "inputs": [], "outputs": []}, {"stateMutability": "nonpayable", "type": "fallback"}]
init_fn_from_abi=abi_payload[0]
#Fails with KeyError: 'name'
init_fn_t = ContractFunctionT.from_abi(abi=init_fn_from_abi)
default_fn_from_abi=abi_payload[1]
#Fails with KeyError: 'inputs'
default_fn_t = ContractFunctionT.from_abi(abi=default_fn_from_abi)
Impact
Leaving unhandled exceptions can often lead to debugging challenges, unclear behavior, and broken client code.
Tools Used
pytest, manual review
Recommendations
Introduce graceful handling of missing items for these 2 built-in methods to ContractFunctionT.from_abi
Updates
Lead Judging Commences
patrickalphac over 1 year ago
Submission Judgement Published Assigned finding tags:
ContractFunctionT.from_abi fails to gracefully handle a valid JSON ABI interface that represents `__default__` and/or `__init__` function
Prize pool breakdown
Total prize
160,000 USDC
nSLOC
14,64411 USDC / LOC
150,000 USDC
10,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.