First Flight #8: Math Master
First Flight #8
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Invalid

Overriding free memory pointer and incorrect use of the function selector

4th05

Summary

An incorrect use of a function selector which overwrites the free memory pointer.

Vulnerability Details

There is a wrong use of function selector at line 40 which is used to overwrite the free memory pointer.

function mulWad(uint256 x, uint256 y) internal pure returns (uint256 z) {
// @solidity memory-safe-assembly
assembly {
// Equivalent to `require(y == 0 || x <= type(uint256).max / y)`.
if mul(y, gt(x, div(not(0), y))) {
mstore(0x40, 0xbac65e5b) // `MathMasters__MulWadFailed()`.
revert(0x1c, 0x04)
}
z := div(mul(x, y), WAD)
}
}

Impact

Functions start write the slot returned by mload(0x40) and overwrite your data. Therefore, overriding the free memory pointer could cause to overwrite some data and an increase in gas spent due to increase of memory allocation.

Tools Used

Manual review

Recommendations

Remove line 40 from the code.
In this case, there is no need to store anything in memory.Then the revert has to be changed from revert (0x1c, 0x04) to a call revert(0,0).

function mulWad(uint256 x, uint256 y) internal pure returns (uint256 z) {
// @solidity memory-safe-assembly
assembly {
// Equivalent to `require(y == 0 || x <= type(uint256).max / y)`.
if mul(y, gt(x, div(not(0), y))) {
- mstore(0x40, 0xbac65e5b) // `MathMasters__MulWadFailed()`.
- revert(0x1c, 0x04)
+ revert(0,0)
}
z := div(mul(x, y), WAD)
}
}
Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.