First Flight #8: Math Master

First Flight #8

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Unsecure Handling of Free Memory Pointer in `mulWad` and `mulWadUp` Functions

0xlouistsai

Summary

Introduction:
Custom error handling was introduced in Solidity version 0.8.4, allowing developers to showcase different error events. However, a vulnerability has been identified in the handling of free memory pointers in the mulWad and mulWadUp functions.

Error Event:
Consider the following error event declaration in Solidity:

error Unauthorized();

This error event is used in the code to revert a transaction with an Unauthorized error:

revert Unauthorized();

The equivalent Yul code for this operation is as follows:

let freeMemPtr := mload(0x40)

mstore(freeMemPtr, Unauthorized.selector)

revert(freeMemPtr, 0x04)

Vulnerability Details

The vulnerability lies in the direct manipulation of memory offset 0x40 without first loading the free memory pointer. This could lead to unpredictable behavior and memory corruption issues.

Impact

The impact of this vulnerability includes potential memory corruption and unexpected behavior during the execution of the mulWad and mulWadUp functions. An attacker could potentially exploit this vulnerability to compromise the integrity of the contract.

Tools Used

Manual Review

Recommendations

Always load the free memory pointer (freeMemPtr) before manipulating memory at the offset 0x40. This ensures proper handling of memory allocation and prevents unintended consequences.

mulWad

function mulWad(uint256 x, uint256 y) internal pure returns (uint256 z) {

// @solidity memory-safe-assembly

assembly {

// Equivalent to `require(y == 0 || x <= type(uint256).max / y)`.

if mul(y, gt(x, div(not(0), y))) {

- mstore(0x40, 0xbac65e5b)

- revert(0x1c, 0x04)

+ let freeMemPtr = mload(0x40)

+ mstore(freeMemPtr, selector)

+ revert(freeMemPtr, 4)

}

z := div(mul(x, y), WAD)

}

It should be modified in mulWadUp as well.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Wrong error storage

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.