Submission Details
Severity:
Overwriting on free-memory-pointer
Summary
Overwriting on free-memory-pointer
Vulnerability Details
We can observe that the free memory pointer location is occupied by 0x80 value with this simple addings into library code;
function mulWad(uint256 x, uint256 y) internal pure returns (uint256 z) {
// @solidity memory-safe-assembly
//changing for test purposes of free-memory-pointer manupilation..
bytes32 fm_pointer_before;
assembly {
// Equivalent to `require(y == 0 || x <= type(uint256).max / y)`.
if mul(y, gt(x, div(not(0), y))) {
mstore(0x40, 0xbac65e5b) // `MathMasters__MulWadFailed()`.
revert(0x1c, 0x04)
}
fm_pointer_before:=mload(0x40)
z := div(mul(x, y), WAD)
}
console2.logBytes32(fm_pointer_before);
}
[PASS] testMulWad() (gas: 3232)
Logs:
0x0000000000000000000000000000000000000000000000000000000000000080
Impact
Writing on free memory pointer may leads unpredicable effects on library while being used in contracts
Tools Used
Foundry test suite
Recommendations
changing the location of memory store
Updates
Lead Judging Commences
inallhonesty over 1 year ago
Submission Judgement Published Assigned finding tags:
Wrong error storage
Rewards breakdown
nSLOC
46This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.