Attackathon _ Fuel Network 32548 - [Smart Contract - Low] Uncaught Integer Overflow During AbstractI

Submitted on Wed Jun 26 2024 06:02:05 GMT-0400 (Atlantic Standard Time) by @anatomist for Attackathon | Fuel Network

Report ID: #32548

Report type: Smart Contract

Report severity: Low

Target: https://github.com/FuelLabs/sway/tree/7b56ec734d4a4fda550313d448f7f20dba818b59

Impacts:

Incorrect sway optimization leading to incorrect bytecode

Description

Brief/Intro

const_indexing_aggregates_function multiplies Constants without checking whether the result overflows. This might incorrectly optimize away overflowing operations.

Vulnerability Details

const_indexing_aggregates_function() constant folds the MUL instruction if both operands are Constant values. However, it does not check whether the result overflows, and can incorrectly optimize overflowing multiplications.

VirtualOp::MUL(dest, opd1, opd2) => {
    match (reg_contents.get(opd1), reg_contents.get(opd2)) {
        (Some(RegContents::Constant(c1)), Some(RegContents::Constant(c2))) => {
            reg_contents.insert(dest.clone(), RegContents::Constant(c1 * c2));
            record_new_def(&mut latest_version, dest);
        }
        _ => {
            reg_contents.remove(dest);
            record_new_def(&mut latest_version, dest);
        }
    }
}

Compilation of the code would replace the load with a direct read from hp, where all the overflowing intermediate calculations on a are constant folded away.

fn constant_folding_overflow() -> u64 {
    let a = asm(a, b, c) {
        movi a i16;
        aloc a;
        move c hp;
        addi b c i0;    // base_reg = c, offset = 0
        movi a i65536;  // a = 1 << 16
        mul a a a;  // a = a * a = 1 << 32
        mul a a a;  // a = a * a = 1 << 64 = 0
        add b b a;  // base_reg = c, offset = 0
        lw a b i0;
        a: u64
    };
    a
}

.program:
.2                                      ; --- start of function: constant_folding_overflow ---
move $$locbase $sp                      ; save locals base register for constant_folding_overflow
cfei i8                                 ; allocate 8 bytes for locals and 0 slots for call arguments.
.5
movi $r0 i16                            ; movi a i16
aloc $r0                                ; aloc a
move $r0 $hp                            ; move c hp
lw   $r0 $r0 i0                         ; lw a b i0
sw   $$locbase $r0 i0                   ; store value
lw   $r0 $$locbase i0                   ; load value
ret  $r0

Impact Details

As usual, it is hard to come up with a precise impact estimation of incorrect code generation because it depends on what code the user writes. The best case scenario would be contracts that run into those bugs getting bricked, and the worst case scenario would be that incorrect program behaviors lead to loss of funds.

References

https://github.com/FuelLabs/sway/blob/2cbc24dc2e4ecab1e2b65fb8542d4650e313db99/sway-core/src/asm_generation/fuel/optimizations.rs#L115

Proof of concept

Proof of Concept

This test would fail because the overflowing multiplications on a is constant folded away and not included in the generated bytecode.

The PoC should be run with release build of forc because rust debug build includes arithmetic overflow checks.

#[test(should_revert)]
fn constant_folding_overflow() -> u64 {
    let a = asm(a, b, c) {
        movi a i16;
        aloc a;
        move c hp;
        addi b c i0;	// base_reg = c, offset = 0
        movi a i65536;	// a = 1 << 16
        mul a a a;	// a = a * a = 1 << 32
        mul a a a;	// a = a * a = 1 << 64 = 0
        add b b a;	// base_reg = c, offset = 0
        lw a b i0;
        a: u64
    };
    a
}

PreviousAttackathon _ Fuel Network 32537 - [Smart Contract - Low] Different data types can be used when init NextAttackathon _ Fuel Network 32612 - [Smart Contract - Low] Lack of slot hashing at adminsw can cause

Last updated 14 days ago