#37186 [BC-Insight] Missing Validation for Fixed-Size bytes Types in ABI Parsing

Submitted on Nov 27th 2024 at 22:43:54 UTC by @CertiK for Attackathon | Ethereum Protocol

• Report ID: #37186

• Report Type: Blockchain/DLT

• Report severity: Insight

• Target: https://github.com/ledgerwatch/erigon

• Impacts:

  • (Specifications) A bug in specifications with no direct impact on client implementations

Description

Brief/Intro

In the NewType function within type.go, there is a lack of validation for the size of fixed-length bytes types.

Vulnerability Details

According to the argument encoding for the solidity, the bytes should limited to 32 bytes: https://docs.soliditylang.org/en/v0.8.23/abi-spec.html

| bytes: binary type of M bytes, 0 < M <= 32.

However, such limitation is missing in the accounts/abi/type.go:

   case "bytes":
       if varSize == 0 {
           typ.T = BytesTy
       } else {
           typ.T = FixedBytesTy
           typ.Size = varSize
       }

Also, it should be noted the validation has been added in Geth: https://github.com/ethereum/go-ethereum/pull/26075

Impact Details

Without validation, the code might accept invalid bytes types with sizes outside the allowed range and break the spec.

References

• https://docs.soliditylang.org/en/v0.8.23/abi-spec.html

• https://github.com/ethereum/go-ethereum/pull/26075

Proof of Concept

Proof of Concept

func TestNewFixedBytesOver32(t *testing.T) {
   _, err := NewType("bytes64", "", nil)
   if err == nil {
       t.Errorf("fixed bytes with size over 32 is mistakenly allowed")
   }
}

--- FAIL: TestNewFixedBytesOver32 (0.00s)
   /Users/xxx/erigon/accounts/abi/type_test.go:376: fixed bytes with size over 32 is mistakenly allowed
FAIL
FAIL    github.com/erigontech/erigon/accounts/abi   0.321s
FAIL