Token-0x

First Flight #54

Beginner FriendlyDeFi

100 EXP

View all submissions

Previous Next

Submission Details

Impact: high

Likelihood: low

ERC20Internals: Multiple Functions Fail to Update the Free Memory Pointer, Leading to Memory Overwrites in the Future

Author Revealed upon completion

ERC20Internals: Multiple Functions Fail to Update the Free Memory Pointer, Leading to Memory Overwrites in the Future

Description

In multiple core functions including _balanceOf, _approve, _allowance, transfer, _mint, _burn, and _spendAllowance, the inline assembly code uses the free memory pointer (mload(0x40)) but fails to update the pointer after operations are completed.
These functions directly read the current memory pointer position and use the memory space, but do not mark the allocated memory as occupied. This causes subsequent operations to potentially overwrite the already used memory regions.
While this issue may not manifest immediately in current simple function calls, it will trigger unpredictable memory conflicts as the contract functionality evolves and more complex memory operations are introduced.

// Example code demonstrating the failure to update the free memory pointer

function _balanceOf(address owner) internal view returns (uint256) {

assembly {

// ... Validation code omitted

let baseSlot := _balances.slot

@> let ptr := mload(0x40) // Get current free memory pointer

mstore(ptr, owner) // Use memory pointed to by ptr

mstore(add(ptr, 0x20), baseSlot)

let dataSlot := keccak256(ptr, 0x40)

let amount := sload(dataSlot)

mstore(ptr, amount)

mstore(add(ptr, 0x20), 0)

return(ptr, 0x20)

// Issue: Missing update of free memory pointer via mstore(0x40, add(ptr, 0x40)) or similar

}

// .... and so on

Risk

Likelihood:

Certain: As long as these functions are called and memory is allocated, subsequent operations (whether within the same transaction or in future added contract functionalities) that continue to use the default memory region will trigger memory overwrites.
Reproducibility: When the contract is upgraded or new features are added, any operation involving memory usage may trigger this issue—especially in complex transaction flows or multi-function call scenarios.
Development Environment Neglect: Since inline assembly bypasses Solidity's memory safety checks, the issue may not be exposed immediately during testing but will gradually manifest in the production environment.

Impact:

Data Corruption: Memory overwrites may corrupt critical calculation data (e.g., addresses, amounts, hash values), leading to fund losses or authorization errors.
Unpredictable Behavior: Memory conflicts may result in random contract behavior, causing the contract to produce unexpected state changes under specific conditions.
Upgrade Risk: Any future functional extensions or optimizations to the contract may fail or introduce vulnerabilities due to memory conflicts, limiting the contract's maintainability.
Increased Gas Costs: Unmanaged memory usage may lead to unnecessary memory expansion, increasing transaction execution costs.

Proof of Concept

None

Recommended Mitigation

Each function that uses mload(0x40) should update the free memory pointer via mstore(0x40, add(ptr, allocated_size)) after completing memory operations, where allocated_size is the actual memory size used by the function.

Rewards breakdown

nSLOC

222

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!