Updates
160,000 USDC
Ended
View results
Submission Details
Severity: low
Valid

Pure functions can emit logs

https://github.com/vyperlang/vyper/issues/3141

Summary

Pure functions are allowed to emit logs.

Vulnerability Details

While pure functions are expected to be fully equivalent at any time, this is a false assumption that has been uncovered in the ChainSecurity review, because blockhash can be used. A built-in that has been forgotten is raw_log, which emits logs thanks to the LOG<N> opcode. For instance, this compiles just fine:

@external
@pure
def loggg(_topic: bytes32, _data: Bytes[100]):
raw_log([_topic], _data)

This is a write operation, while pure functions should only allow read access, thus breaking assumptions with pure functions.

Impact

This could be used maliciously for instance for implementors of pure functions. They should be called with the STATICCALL opcode which should throw an exception for any executed operation including CREATE, CREATE2, LOG0, LOG1, LOG2, LOG3, LOG4 SSTORE SELFDESTRUCT, and CALL with a non-zero value as described in the EIP-214 (did they missed delegatecall ?). In this case, STATICCALL will be used and when log is going to be emitted, the call will revert, which could freeze a contract.

Tools Used

Manual review

Recommendations

Ban raw_log from pure functions.

Updates

Lead Judging Commences

patrickalphac Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issues
Assigned finding tags:

pure functions can emit logs

franfran Submitter
about 1 year ago

Hi Patrick! Thanks a lot for the judging, but why is this finding marked as "known issues" ?

I haven't found any public instance saying that logs in pure functions are allowed. If you reference this issue https://github.com/vyperlang/vyper/issues/3141 (that I attached in the report), it mentions being able to write blockhash in a pure function. So my submissions is clearing a leftover of the Chainsecurity review. The other one https://github.com/vyperlang/vyper/issues/3093 is that we are able to do invoke a STATICCALL in a pure function, but mine is the only one that will make implementors using a STATICCALL having their execution reverted by default, which might be a source of DOS, especially coupled with the fact that STATICCALL is allowed (which shouldn't).

Thanks again and have a nice day!

patrickalphac Auditor
about 1 year ago

Bumping to low. We considered this known due to the issues mentioned, but they technically don't explicitly mention raw_log so we are going to give this credit.

patrickalphac Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

pure functions can emit logs

Support

FAQs

Can’t find an answer? Join our Discord or follow us on Twitter.

Cyfrin
Updraft
CodeHawks
Solodit
Resources