Attackathon _ Fuel Network 32439 - [Smart Contract - Low] Missing Alignment Check During AbstractIns
Submitted on Fri Jun 21 2024 18:33:22 GMT-0400 (Atlantic Standard Time) by @anatomist for
Report ID: #32439
Report type: Smart Contract
Report severity: Low
Target: https://github.com/FuelLabs/sway/tree/7b56ec734d4a4fda550313d448f7f20dba818b59
Impacts:
Incorrect sway optimization leading to incorrect bytecode
const_indexing_aggregates_function processes VirtualOp::SW without checking that the offset held in addr_reg is aligned to 8, causing the wrong constant to be calculated and leading to incorrect program behavior.
const_indexing_aggregates_function is an optimization pass of AbstractInstructionSet; it is used to propagate constants within a function. During the handling of the VirtualOp::SW instruction, the function does not properly validate the offset of BaseOffset. Since the imm argument of VirtualOp::SW represents an offset equal to imm * 8 bytes, the conversion (divide by 8) here truncates any offset that isn't aligned to 8 bytes, causing the SW instruction to write to an incorrect address.
As usual, it is hard to come up with a precise impact estimation of incorrect code generation because it depends on what code the user writes. The best case scenario would be contracts that run into those bugs getting bricked, and the worst case scenario would be that incorrect program behaviors lead to loss of funds.
https://github.com/FuelLabs/sway/blob/7b56ec734d4a4fda550313d448f7f20dba818b59/sway-core/src/asm_generation/fuel/optimizations.rs#L169
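To make the truncation concrete, the following is an added model of the fold described above (written for this write-up, not Sway's own code): the pass knows addr_reg == base + addr_byte_offset and rewrites the store to use base directly with the byte offset converted into the word immediate. The unchecked version divides by 8 regardless of alignment; the checked version refuses to fold when the offset is not a whole number of words. The buffer size, the constructed offset of 12 bytes and the immediate of 1 are assumptions chosen to show the mismatch.

```rust
// Added illustration (not Sway's code): folding a known base+offset address
// into the immediate of a Fuel `SW` (store word), with and without the
// alignment check. SW immediates are in 8-byte words: addr = addr_reg + imm * 8.

const WORD: u64 = 8;

/// Byte address targeted by `sw addr_reg val imm` when the pass knows
/// that addr_reg == base + addr_byte_offset.
pub fn sw_target(base: u64, addr_byte_offset: u64, imm: u64) -> u64 {
    base + addr_byte_offset + imm * WORD
}

/// Unchecked fold: rewrite to `sw base val (imm + addr_byte_offset / 8)`.
/// Integer division silently drops the low three bits of the offset.
pub fn fold_unchecked(addr_byte_offset: u64, imm: u64) -> u64 {
    imm + addr_byte_offset / WORD
}

/// Checked fold: only rewrite when the tracked offset is word aligned;
/// `None` means the instruction must be left as it is.
pub fn fold_checked(addr_byte_offset: u64, imm: u64) -> Option<u64> {
    if addr_byte_offset % WORD == 0 {
        Some(imm + addr_byte_offset / WORD)
    } else {
        None
    }
}

/// Byte offsets (relative to base) written by the original store and by
/// the unchecked fold of that store.
pub fn compare_targets(addr_byte_offset: u64, imm: u64) -> (u64, u64) {
    let base = 0;
    let original = sw_target(base, addr_byte_offset, imm);
    let folded = sw_target(base, 0, fold_unchecked(addr_byte_offset, imm));
    (original, folded)
}

/// Store one 8-byte word (big-endian, as the FuelVM lays out words) into a buffer.
pub fn store_word(mem: &mut [u8], byte_addr: usize, value: u64) {
    mem[byte_addr..byte_addr + 8].copy_from_slice(&value.to_be_bytes());
}

/// Run a constructed misaligned case (addr_reg = buf + 12, imm = 1) through
/// both code paths. Returns (buffer after the correct store, buffer after
/// the store produced by the unchecked fold).
pub fn run_misaligned_case() -> ([u8; 32], [u8; 32]) {
    let (addr_off, imm) = (12u64, 1u64); // constructed inputs, not from the report
    let mut expected = [0u8; 32];
    let mut buggy = [0u8; 32];
    store_word(&mut expected, sw_target(0, addr_off, imm) as usize, 0xAA);
    store_word(&mut buggy, (fold_unchecked(addr_off, imm) * WORD) as usize, 0xAA);
    (expected, buggy)
}

fn main() {
    let (orig, folded) = compare_targets(12, 1);
    println!("original store hits byte {orig}, unchecked fold hits byte {folded}");
    println!("checked fold for offset 12: {:?}", fold_checked(12, 1));
    println!("checked fold for offset 16: {:?}", fold_checked(16, 1));
}
```

With the constructed inputs the original store lands at byte 20 while the folded instruction lands at byte 16, so the bytes the program meant to write are left untouched and an unrelated word is clobbered instead; the checked fold returns `None` for that offset and folds only the aligned one.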
This test would fail because buf[16] is not overwritten by sw b a i1.