Summary: In certain situations, the variables can crush other storage variables.
Affected solidity compiler versions: 0.1.6 to 0.4.3 (including 0.4.4 pre-liberated versions)
Detailed description:
The storage variables which are smaller by 256 bits are packed in the same location at 256 bits if they can adapt. If a value greater than what is authorized by the type is attributed to the first variable, this value will crush the second variable.
This means that if an attacker can cause overflow in the value of the first variable, the second variable can be modified. The creation of an overflow in the first variable is possible using Arithmetics or by directly transmitting a value from the call data (the values in the call data are aligned on 32 bytes, and the padding is neither verified nor applied).
Contracts that only use the types listed below for state variables are not affected. Tables, mappings and structures (based on the following types) are also not affected:
- signed whole, including sizes less than 256 bits
- Bytesnn types, including sizes less than 256 bits
- Uninfer (UINT) of 256 bits
Contracts with types less than 256 bits which are never close to each other (note that the state variables of the basic contracts are “drawn”) not affected.
Ethereum Multisignature Portfolio Contract is not affected. Note that addresses take 160 bits, so contracts that use only addresses and 256 -bit types are safe. In addition, addresses and Booleans are almost never handled via arithmetic operations in practice, so contracts using only addresses, Booleans and 256 -bit types should also be safe.
The following contracts can be assigned: the contracts containing two or more adjoining state variables where the sum of their sizes is less than 256 bits and the first state variable is not a signed integer and not by Bytesnn.
The types of less than 256 bits include: Bool, Enums, Uint8, …, Uint248, int8, …, int248, address, any type of
Recommended action:
- Recomplile the contracts which have not yet been deployed using at least the 0.4.4 version of the solidity (not the pre-liberation or nocturnal version).
- Disable, delete funds or upgrade contracts already deployed.
This vulnerability was found by (github.com/catageek) (((