Guard constructor argSize against codesize underflow#494

Merged
rodrigogribeiro merged 2 commits into
argotorg:mainfrom
axic:deployer-codesize-check
Jun 24, 2026
Conversation

@axic axic commented Jun 24, 2026
Contributor

In copy_arguments_for_constructor, argSize = sub(codesize(), programSize) underflows to ~2^256 when init-code is truncated (codesize() < programSize), corrupting the free-memory pointer and codecopy length. Add an explicit lt(codesize(), programSize) check that reverts before the subtraction.

// (codesize() < programSize) would make sub() wrap to ~2^256,
// corrupting the free-memory pointer and codecopy length.
// TODO: use require with proper error
if lt(codesize(), programSize) { revert(0, 0) }

Contributor Author

In the case a truncated bytecode is sent, the codeCopy below would try to write into an infinitely large memory pointer, effectively causing an out-of-gas error.

There's no easy way to test this, as testrunner sends the entire code.

Contributor Author

Does make me wonder, this check probably should go into startBody before copy_arguments_for_constructor, so it is run even if no arguments.
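The arithmetic behind this thread, as an added Python model written for this page (it is not the project's Yul code or its test runner): EVM SUB wraps modulo 2^256, so a truncated init-code turns argSize into a number near 2^256, the value stored back into the free-memory pointer wraps, and the codecopy can never pay for the memory expansion. The model assumes a free-memory pointer at 0x40 that starts at 0x80, a simplified memory-expansion cost, an arbitrary gas budget, and constructed codesize/programSize values; `start_body` models the alternative raised in the thread of running the check before any argument copy.

```python
# Added model for this page: not the project's Yul code or test runner.
# It reproduces only the arithmetic the thread is about: EVM SUB wraps on
# underflow, the free-memory pointer lives at 0x40, and a codecopy of a
# length near 2^256 can never be paid for. Constants below are assumptions.

MASK_256 = (1 << 256) - 1
INITIAL_FREE_MEM = 0x80   # assumed value found at mload(0x40) on entry
GAS_LIMIT = 30_000_000    # assumed gas available to the init-code


class Revert(Exception):
    """Explicit revert(0, 0) from the lt(codesize(), programSize) guard."""


class OutOfGas(Exception):
    """Memory expansion the available gas cannot pay for."""


def sub256(a: int, b: int) -> int:
    """EVM SUB: unsigned 256-bit subtraction, wrapping on underflow."""
    return (a - b) & MASK_256


def memory_expansion_cost(size_bytes: int) -> int:
    """Simplified EVM memory cost: 3 gas per word plus words^2 / 512."""
    words = (size_bytes + 31) // 32
    return 3 * words + (words * words) // 512


def free_pointer_after(codesize: int, program_size: int) -> int:
    """Value the unguarded path writes to 0x40: add(ptr, argSize), wrapped.

    With a truncated init-code argSize is ~2^256, so the new pointer ends up
    *below* the old one instead of after the copied arguments.
    """
    return (INITIAL_FREE_MEM + sub256(codesize, program_size)) & MASK_256


def copy_arguments_for_constructor(codesize: int, program_size: int, guarded: bool) -> dict:
    """Model of the prologue that copies constructor arguments after the program.

    guarded=False is the behaviour before this PR; guarded=True adds the
    lt(codesize(), programSize) check that reverts before the subtraction.
    """
    if guarded and codesize < program_size:          # if lt(codesize(), programSize)
        raise Revert("init-code truncated: codesize() < programSize")

    arg_size = sub256(codesize, program_size)         # argSize := sub(codesize(), programSize)
    mem_ptr = INITIAL_FREE_MEM                        # ptr := mload(0x40)
    new_free = free_pointer_after(codesize, program_size)  # mstore(0x40, add(ptr, argSize))

    # codecopy(ptr, programSize, argSize) must first expand memory to ptr + argSize.
    if memory_expansion_cost(mem_ptr + arg_size) > GAS_LIMIT:
        raise OutOfGas(f"codecopy of {arg_size:#x} bytes exceeds available gas "
                       f"(free pointer already corrupted to {new_free:#x})")
    return {"argSize": arg_size, "freeMemPtr": new_free}


def start_body(codesize: int, program_size: int, expects_arguments: bool) -> dict:
    """Model of the alternative raised in the thread: check in startBody, so a
    truncated deployment is rejected even when the constructor takes no arguments."""
    if codesize < program_size:
        raise Revert("init-code truncated: codesize() < programSize")
    if expects_arguments:
        return copy_arguments_for_constructor(codesize, program_size, guarded=False)
    return {"argSize": 0, "freeMemPtr": INITIAL_FREE_MEM}


def outcome(codesize: int, program_size: int, guarded: bool) -> str:
    """Classify a deployment attempt: 'ok', 'revert' (guard fired) or 'oog'."""
    try:
        copy_arguments_for_constructor(codesize, program_size, guarded)
        return "ok"
    except Revert:
        return "revert"
    except OutOfGas:
        return "oog"


if __name__ == "__main__":
    # Constructed scenarios: a 100-byte program followed by one 32-byte argument,
    # and the same program with its last 10 bytes truncated.
    for cs, ps in ((132, 100), (90, 100)):
        print(f"codesize={cs} programSize={ps} raw argSize={sub256(cs, ps):#x}")
        for g in (False, True):
            print(f"  guarded={g}: {outcome(cs, ps, g)}")
```

Running the module shows the complete deployment succeeding with or without the guard, while the truncated one goes out of gas unguarded and reverts cleanly with the guard; `free_pointer_after(90, 100)` returns 0x76, i.e. the pointer written to 0x40 has already moved backwards before the codecopy fails, which is the corruption the description refers to.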

In copy_arguments_for_constructor, argSize = sub(codesize(), programSize)
underflows to ~2^256 when init-code is truncated (codesize() < programSize),
corrupting the free-memory pointer and codecopy length. Add an explicit
lt(codesize(), programSize) check that reverts before the subtraction.

Co-Authored-By: Alex Beregszaszi <alex@rtfs.hu>
@axic axic force-pushed the deployer-codesize-check branch from 5adecda to 94b0167 Compare June 24, 2026 11:55
@axic axic force-pushed the deployer-codesize-check branch from 86588f3 to 0711cf1 Compare June 24, 2026 12:09

@rodrigogribeiro rodrigogribeiro left a comment

Collaborator

LGTM

@rodrigogribeiro rodrigogribeiro merged commit 7094548 into argotorg:main Jun 24, 2026
4 checks passed
@axic axic deleted the deployer-codesize-check branch June 24, 2026 22:21