SHA3_64 Vulnerability in compile_ir.py
Summary
There is an error in the calculation of SHA3_64, which will produce wrong hash results and may affect the access of HashMap objects.
Vulnerability Details
line 583 in compile_ir.py
# SHA3 a 64 byte value
elif code.value == "sha3_64":
o = _compile_to_assembly(code.args[0], withargs, existing_labels, break_dest, height)
o.extend(_compile_to_assembly(code.args[1], withargs, existing_labels, break_dest, height))
o.extend(
[
*PUSH(MemoryPositions.FREE_VAR_SPACE2),
"MSTORE",
*PUSH(MemoryPositions.FREE_VAR_SPACE),
"MSTORE",
*PUSH(64),
*PUSH(MemoryPositions.FREE_VAR_SPACE),
"SHA3",
]
)
return o
o.extend(_compile_to_assembly(code.args[1], withargs, existing_labels, break_dest, height)) should be on height+1. This code will affect the correct access of the withargs variable.
Impact
Because SHA3_64 is related to the reading and writing of HashMap objects, it has an important impact on the data on the contract chain. The overall impact should be high level.
POC Code:
(with _loc
(with val 1
(with key 2
(sha3_64 val key)))
(seq
(sstore _loc
(with x (sload _loc)
(with ans (add x 1) (seq (assert (ge ans x)) ans))))))
python -m vyper --vyper-ir bug.ir
the generated bytecode: 6001600281806020525f5260405f2090509050805460018101818110610026579050815550005b5f80fd
0000 60 PUSH1 0x01
0002 60 PUSH1 0x02
0004 81 DUP2
0005 80 DUP1 *********** bad code here!!!!!!
0006 60 PUSH1 0x20
0008 52 MSTORE
Lead Judging Commences
sha3 vulnerability in com
Impact: Low. Can't get here from Vyper. Likelihood: High This is incorrect.
sha3 vulnerability in com
Impact: Low. Can't get here from Vyper. Likelihood: High This is incorrect.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.