Attackathon _ Fuel Network 33140 - [Smart Contract - Insight] Sway compiler crash when compile malic
Submitted on Fri Jul 12 2024 07:01:52 GMT-0400 (Atlantic Standard Time) by @ret2happy for Attackathon | Fuel Network
Report ID: #33140
Report type: Smart Contract
Report severity: Insight
Target: https://github.com/FuelLabs/sway/tree/v0.61.2
Impacts:
Compiler bug
Description
Brief/Intro
The Sway compiler crashes when compiling a malicious contract with an error const.
Vulnerability Details
When a constant block is processed by the const_eval_codeblock function, the error node is not handled properly at [1]:
fn const_eval_codeblock(
    lookup: &mut LookupEnv,
    known_consts: &mut MappedStack<Ident, Constant>,
    codeblock: &ty::TyCodeBlock,
) -> Result<Option<Constant>, ConstEvalError> {
    // the current result
    let mut result: Result<Option<Constant>, ConstEvalError> = Ok(None);
    // keep track of new bindings for this codeblock
    let mut bindings: Vec<_> = vec![];
    for ast_node in &codeblock.contents {
        result = match &ast_node.content {
            ...
            ty::TyAstNodeContent::Error(_, _) => {
                unreachable!("error node found when generating IR"); // [1] unhandled error node causes an unreachable panic
            }
        };
        ...
A PoC contract with a malicious const declaration can trigger this unreachable panic.
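The failure mode above next to its usual fix, as an added Rust example that is not code from the Sway repository or from the report. It uses a hypothetical miniature AST (Node, EvalError, eval_panicking, eval_checked, panics and sample are all assumed names) in which the error node either reaches unreachable!() or is returned as an ordinary error.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};

// Hypothetical miniature of a typed AST; these are not the Sway compiler's types.
enum Node {
    Literal(u64),
    Add(Box<Node>, Box<Node>),
    Error, // placeholder left in the tree after an earlier phase reported an error
}

#[derive(Debug, PartialEq)]
enum EvalError {
    ErrorNode, // the input already failed to compile
    Overflow,
}

// Pattern from the excerpt: a node kind that input can produce is treated as impossible.
fn eval_panicking(node: &Node) -> Option<u64> {
    match node {
        Node::Literal(v) => Some(*v),
        Node::Add(a, b) => eval_panicking(a)?.checked_add(eval_panicking(b)?),
        Node::Error => unreachable!("error node found when generating IR"),
    }
}

// Hardened form: the error node becomes an ordinary Err the caller can report.
fn eval_checked(node: &Node) -> Result<u64, EvalError> {
    match node {
        Node::Literal(v) => Ok(*v),
        Node::Add(a, b) => eval_checked(a)?
            .checked_add(eval_checked(b)?)
            .ok_or(EvalError::Overflow),
        Node::Error => Err(EvalError::ErrorNode),
    }
}

// True when the panicking evaluator unwinds on this input.
fn panics(node: &Node) -> bool {
    catch_unwind(AssertUnwindSafe(|| eval_panicking(node))).is_err()
}

// Constructed sample: `1 + <error>`, as if a const initializer failed type checking.
fn sample() -> Node {
    Node::Add(Box::new(Node::Literal(1)), Box::new(Node::Error))
}

fn main() {
    println!("panicking evaluator unwinds: {}", panics(&sample()));
    println!("checked evaluator returns: {:?}", eval_checked(&sample()));
}
```

A service that compiles untrusted source in-process gets a diagnostic from the checked form, while the panicking form takes down the worker unless every call site is wrapped in catch_unwind.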
Impact Details
An online verification service or Sway playground that accepts sw contracts could be crashed by a malicious sw contract.
References
[1] https://github.com/FuelLabs/sway/blob/250666d3de43439dd4026ef844616c448b6ffde7/sway-core/src/ir_generation/const_eval.rs#L774-L776
Proof of concept
Proof of Concept
Compile the following contract using forc build:
This would get the unreachable panic: