Attackathon _ Fuel Network 32453 - [Smart Contract - Low] Unhandled Side Effect During AbstractInstr

Submitted on Sat Jun 22 2024 03:23:48 GMT-0400 (Atlantic Standard Time) by @anatomist for Attackathon | Fuel Network

Report ID: #32453

Report type: Smart Contract

Report severity: Low

Target: https://github.com/FuelLabs/sway/tree/7b56ec734d4a4fda550313d448f7f20dba818b59

Impacts:

Incorrect sway optimization leading to incorrect bytecode

Description

Brief/Intro

const_indexing_aggregates_function doesn't clear tracked registers modified through side effects.

Vulnerability Details

If an unknow instruction is encountered while constant folding, the tracked values of registers modified by it must be cleared. However, the current implementation only clears states for def_registers. This means that any Constant registers, such as hp, will not have it's state removed properly. This may result in incorrect tracking and cause incorrect immediate replacement in other instructions.

_ => {
    // For every Op that we don't know about,
    // forget everything we know about its def registers.
    for def_reg in op.def_registers() {
        reg_contents.remove(def_reg);
        record_new_def(&mut latest_version, def_reg);
    }
}

Impact Details

As usual, it is hard to come up with a precise impact estimation of incorrect code generation because it depends on what code the user writes. The best case scenario would be contracts that run into those bugs getting bricked, and the worst case scenario would be that incorrect program behaviors lead to loss of funds.

References

https://github.com/FuelLabs/sway/blob/9a52d74f4de90fb601d53d3210c57a714527c643/sway-core/src/asm_generation/fuel/optimizations.rs#L178

Proof of concept

Proof of Concept

This test would fail because lw a a i0 incorrectly uses the old hp values before the second aloc b

#[test]
fn side_effect_register_not_cleared() -> u64 {
    let a = asm(a, b) {
        movi b i16;     // b = 16
        aloc b;         // buf1 = [0;16]
        movi b i0;      // b = 0
        sw hp b i0;     // buf1[0:8] = b = 0
        movi a i0;      // a = 0
        add a hp a;     // a = &buf1
        movi b i16;     // b = 16
        aloc b;         // buf2 = [0;16]
        movi b i1;      // b = 1
        sw hp b i0;     // buf2[0:8] = b = 1
        lw a a i0;      // expected : a = buf1[0:8] = 0         real : a = buf2[0:8] = 1
        a
    };
    assert(a == 0);
    a
}

PreviousAttackathon _ Fuel Network 32439 - [Smart Contract - Low] Missing Alignment Check During AbstractIns NextAttackathon _ Fuel Network 32459 - [Websites and Applications - Low] URGENT WEB funds drained using

Last updated 14 days ago