# Attackathon \_ Fuel Network 33172 - \[Smart Contract - Insight] OOB in type\_check\_analyze of ImplTrait Submitted on Sat Jul 13 2024 12:01:36 GMT-0400 (Atlantic Standard Time) by @InquisitorScythe for [Attackathon | Fuel Network](https://immunefi.com/bounty/fuel-network-attackathon/) Report ID: #33172 Report type: Smart Contract Report severity: Insight Target: Impacts: * Compiler bug ## Description ## Brief/Intro The identified bug is a panic in the Sway compiler's semantic analysis module, specifically in the implementation of trait declarations. This occurs due to an index out of bounds error, suggesting a failure to properly handle empty collections or unexpected data structures in trait implementations. If exploited in production, this bug could lead to compiler crashes when processing certain trait implementations, potentially preventing developers from compiling valid Sway code. This could result in deployment failures, introduce inconsistencies in smart contract behavior, and potentially create vulnerabilities if incomplete or incorrectly compiled code makes it to the blockchain due to compiler errors. ## Vulnerability Details The bug is in In some cases, `impl_trait.items` is not synced with `ctx.items_node_stack`, It cause OOB panic like: ``` thread 'main' panicked at sway-core/src/semantic_analysis/ast_node/declaration/impl_trait.rs:1554:45: index out of bounds: the len is 0 but the index is 1 note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace ``` ### Possible Fix A quick fix is like: ```rust impl TypeCheckAnalysis for ty::ImplTrait { fn type_check_analyze( &self, handler: &Handler, ctx: &mut TypeCheckAnalysisContext, ) -> Result<(), ErrorEmitted> { let decl_engine = ctx.engines.de(); let impl_trait = decl_engine.get_impl_trait(&self.decl_id); // Lets create a graph node for the impl trait and for every item in the trait. ctx.push_nodes_for_impl_trait(self); // Now lets analyze each impl trait item. for (i, item) in impl_trait.items.iter().enumerate() { if i >= ctx.items_node_stack.len() { return Err(handler.emit_err(CompileError::Internal( "impl trait type check failed", impl_trait.span(), ))); } let _node = ctx.items_node_stack[i]; item.type_check_analyze(handler, ctx)?; } // Clear the work-in-progress node stack. ctx.items_node_stack.clear(); Ok(()) } } ``` This fix check the index before getting node from `ctx.items_node_stack`, it prevents compiler panics and return a error. Alternatively, you can refactor the logic in `push_nodes_for_impl_trait` to enforce `impl_trait.items` is synced with `ctx.items_node_stack`. ## Impact Details While this bug doesn't directly put funds at risk, its potential to introduce vulnerabilities and disrupt the development process makes it a severe issue. The compiler is a critical component of the blockchain development stack, and its reliability is paramount for the security and success of the entire ecosystem. Addressing this vulnerability is crucial to maintain the integrity and trustworthiness of the Fuel platform. ## References None ## Proof of concept ### Step1 ``` forc new poc ``` ### Step2 write minimized code to main.sw ``` contract; struct Struct{x:u} impl Struct{ fn w()->f{{(()}}trait Supertrait{} impl Supertrait for Struct{) } fn s(b:B) where A:t{}fn n(){} ``` ### Step3 ``` forc build ``` It return panic like: ``` thread 'main' panicked at sway-core/src/semantic_analysis/ast_node/declaration/impl_trait.rs:1554:45: index out of bounds: the len is 0 but the index is 1 note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/fuel-network-or-attackathon/attackathon-_-fuel-network-33172-smart-contract-insight-oob-in-type_check_analyze-of-impltrait.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.