First Flight #8: Math Master
First Flight #8
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

The custom error handling in mulWad() overwrites the free memory pointer

happyformerlawyer

Summary

The error in mulWad() is not placed in the correct place in memory. It is stored at 0x40 which is where the free memory pointer is. It should be stored in the scratch space if it fits within 64 bytes (which this custom error does). By doing it this way, you are overwriting the free memory pointer.

Vulnerability Details

Here is the mulWad() function - the problem is in the assembly. It stores the function selector for the custom error at 0x40 which is where the free memory pointer is supposed to be:

function mulWad(uint256 x, uint256 y) internal pure returns (uint256 z) {
// @solidity memory-safe-assembly
assembly {
// Equivalent to `require(y == 0 || x <= type(uint256).max / y)`.
if mul(y, gt(x, div(not(0), y))) {
mstore(0x40, 0xbac65e5b) // `MathMasters__MulWadFailed()`.
revert(0x1c, 0x04)
}
z := div(mul(x, y), WAD)
}
}

Impact

You are overwriting where the free memory pointer points, and the next time there is a new object that needs to be stored where the free memory pointer points, it may overwrite something else that is already stored there.

Also, the free memory pointer initially points to 0x80 and you will change it to point at a slot much further away (since your custom error is 0xbac65e5b) so you are needlessly being inefficient.

Tools Used

Manual review

Recommendations

The function selector for the error should be stored in the scratch space which begins at 0 since it fits within 64 bytes.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Wrong error storage

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.