Submission Details
Severity: high
Valid

Storage dynamic array OOB in slice()

Summary

The slice() code has an out-of-bounds (OOB) access vulnerability when the source is a dynamic array in storage.

Vulnerability Details

POC:

d: public(Bytes[256])

@external
def test():
    x: uint256 = 115792089237316195423570985008687907853269984665640564039457584007913129639935 # 2**256-1
    self.d = b"\x01\x02\x03\x04\x05\x06"
    s: Bytes[256] = slice(self.d, x, 1)

This code will access the data of slot (3618502788666131106986593281521497120414687020801267626233049500247285301247+1).

Because x is a variable, the parameter verification in slice does not check start, so x can exceed the length of the dynamic array. In addition, slice has an integer overflow problem. Together these lead to an OOB access on a storage dynamic array.

ROOT CAUSE:

1. slice() does not check whether the start parameter goes beyond the bounds of the dynamic array.

2. The slice() function has an integer overflow, which can bypass the bounds check.
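The arithmetic behind the two root causes, as an added Python model using the PoC's values (this is not Vyper compiler code and not part of the original submission). The form of the wrapping check, the hardened check and the helper names are assumptions made for illustration; the +1 follows the slot expression quoted above, assumed here to be the length word stored ahead of the data.

```python
# Added illustration: models the arithmetic only, not the compiler's code.
UINT256_MOD = 2**256
WORD = 32  # bytes per storage slot


def wrapping_check_passes(start: int, length: int, array_len: int) -> bool:
    """Assumed flawed check: start + length is evaluated modulo 2**256."""
    end = (start + length) % UINT256_MOD  # wraps like an unchecked 256-bit add
    return end <= array_len


def safe_check_passes(start: int, length: int, array_len: int) -> bool:
    """Hardened check: compares without any addition that can wrap."""
    return length <= array_len and start <= array_len - length


def first_word_offset(start: int) -> int:
    """Offset of the first 32-byte word read, relative to the array's base slot.

    The +1 skips the length word (assumption, matching the slot quoted above).
    """
    return start // WORD + 1


# Values taken from the PoC
X = 2**256 - 1
LENGTH = 1
ARRAY_LEN = 6  # len(b"\x01\x02\x03\x04\x05\x06")

if __name__ == "__main__":
    print("wrapping check passes:", wrapping_check_passes(X, LENGTH, ARRAY_LEN))
    print("safe check passes:    ", safe_check_passes(X, LENGTH, ARRAY_LEN))
    print("first word offset:    ", first_word_offset(X))
```

With the PoC's values the wrapped sum is 0, so the modelled check accepts the call, while the comparison that avoids the addition rejects it.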

Impact

Medium Level

Recommendations

Fix the integer overflow and add an out-of-bounds check for the start parameter.

Updates

Lead Judging Commences

patrickalphac Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

integer slice overflow
