The Free Memory Pointer is overwritten on lines 40 and 53, when 0xbac65e5b is stored into memory slot 0x40.
function mulWad(uint256 x, uint256 y) internal pure returns (uint256 z) {
    // @solidity memory-safe-assembly
    assembly {
        // Equivalent to `require(y == 0 || x <= type(uint256).max / y)`.
        if mul(y, gt(x, div(not(0), y))) {
            mstore(0x40, 0xbac65e5b) // `MathMasters__MulWadFailed()`.
            revert(0x1c, 0x04)
        }
        z := div(mul(x, y), WAD)
    }
}
We use mstore to overwrite the Free Memory Pointer which is stored at slot 0x40.
The program now thinks the next available space in memory is 0xbac65e5b. However, this doesn't have a huge impact because we revert on the following line.
Foundry
Use a scratch space memory slot instead of the Free Memory Pointer slot. Make sure the revert points to the correct location in memory as well.
function mulWad(uint256 x, uint256 y) internal pure returns (uint256 z) {
    // @solidity memory-safe-assembly
    bytes32 hash_of_error = keccak256("MathMasters__MulWadFailed()");
    bytes4 error_selector = bytes4(hash_of_error);
    assembly {
        // Equivalent to `require(y == 0 || x <= type(uint256).max / y)`.
        if mul(y, gt(x, div(not(0), y))) {
            mstore(0x00, error_selector) // `MathMasters__MulWadFailed()`.
            revert(0x00, 0x4)
        }
        z := div(mul(x, y), WAD)
    }
}
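The byte layout behind both versions can be checked with a small memory model. This is an added example, not code from the finding or from the MathMasters repository; it assumes memory is zeroed apart from the free memory pointer, and the `Memory` class, `run` helper and the `scratch_literal` variant are illustrative names and assumptions that do not appear on the page.

```python
# Minimal model of EVM memory (added illustration; not code from the finding).
SELECTOR = 0xBAC65E5B  # MathMasters__MulWadFailed(), value taken from the page


class Memory:
    def __init__(self):
        self.data = bytearray(0x80)  # assumption: memory starts zeroed
        self.mstore(0x40, 0x80)  # Solidity initialises the free memory pointer to 0x80

    def mstore(self, offset, value):
        # MSTORE writes a full 32-byte big-endian word, so small values are right-aligned.
        end = offset + 32
        if end > len(self.data):
            self.data.extend(bytes(end - len(self.data)))
        self.data[offset:end] = value.to_bytes(32, "big")

    def mload(self, offset):
        return int.from_bytes(self.data[offset:offset + 32], "big")

    def revert_data(self, offset, size):
        # REVERT hands memory[offset : offset + size] back to the caller.
        return bytes(self.data[offset:offset + size])


def run(store_offset, value, revert_offset, revert_size=4):
    """Model `mstore(store_offset, value)` followed by `revert(revert_offset, revert_size)`.
    Returns (revert data, free memory pointer at the time of the revert)."""
    mem = Memory()
    mem.mstore(store_offset, value)
    return mem.revert_data(revert_offset, revert_size), mem.mload(0x40)


def bytes4_as_word(selector):
    # A Solidity bytes4 is left-aligned when read as a 32-byte word in assembly.
    return selector << 224


def scenarios():
    return {
        # Code under review: selector lands at 0x5c..0x5f, revert reads 0x1c..0x1f.
        "reported": run(0x40, SELECTOR, 0x1C),
        # Fix from the page: left-aligned bytes4 at 0x00, revert reads 0x00..0x03.
        "page_fix": run(0x00, bytes4_as_word(SELECTOR), 0x00),
        # Assumption, not on the page: keep revert(0x1c, 0x04), store the literal at 0x00.
        "scratch_literal": run(0x00, SELECTOR, 0x1C),
    }


if __name__ == "__main__":
    for name, (data, fmp) in scenarios().items():
        print(f"{name:16} revert data=0x{data.hex()} free memory pointer={fmp:#x}")
```

In this model the reported code reverts with four zero bytes instead of the selector, because the selector sits at 0x5c while the revert reads from 0x1c; both corrected pairings return 0xbac65e5b and leave the free memory pointer at 0x80.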