https://github.com/vyperlang/vyper/issues/3141
Pure functions are allowed to emit logs.
While pure functions are expected to be fully equivalent at any time, this is a false assumption that has been uncovered in the ChainSecurity review, because blockhash
can be used. A built-in that has been forgotten is raw_log
, which emits logs thanks to the LOG<N>
opcode. For instance, this compiles just fine:
This is a write operation, while pure functions should only allow read access, thus breaking assumptions with pure functions.
This could be used maliciously for instance for implementors of pure functions. They should be called with the STATICCALL
opcode which should throw an exception for any executed operation including CREATE
, CREATE2
, LOG0
, LOG1
, LOG2
, LOG3
, LOG4
SSTORE
SELFDESTRUCT
, and CALL
with a non-zero value as described in the EIP-214 (did they missed delegatecall ?). In this case, STATICCALL
will be used and when log is going to be emitted, the call will revert, which could freeze a contract.
Manual review
Ban raw_log
from pure functions.
Hi Patrick! Thanks a lot for the judging, but why is this finding marked as "known issues" ?
I haven't found any public instance saying that logs in pure functions are allowed. If you reference this issue https://github.com/vyperlang/vyper/issues/3141 (that I attached in the report), it mentions being able to write blockhash
in a pure function. So my submissions is clearing a leftover of the Chainsecurity review. The other one https://github.com/vyperlang/vyper/issues/3093 is that we are able to do invoke a STATICCALL in a pure function, but mine is the only one that will make implementors using a STATICCALL having their execution reverted by default, which might be a source of DOS, especially coupled with the fact that STATICCALL is allowed (which shouldn't).
Thanks again and have a nice day!
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.