Use of Solidity version 0.8.13 which has two known issues applicable to PuttyV2 #348
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
old-submission-method
resolved
Finding has been patched by sponsor (sponsor pls link to PR containing fix)
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Comments
code423n4
added
2 (Med Risk)
|
great catch. |
|
Report: Use of solidity 0.8.13 with known issues in ABI encoding and memory side effects |
outdoteth
added
the
sponsor confirmed
|
PR with fix: outdoteth/putty-v2#6 |
outdoteth
added
the
resolved
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-06-putty/blob/3b6b844bc39e897bd0bbb69897f2deff12dc3893/contracts/src/PuttyV2.sol#L2
Vulnerability details
The solidity version 0.8.13 has below two issues applicable to PuttyV2
Vulnerability related to ABI-encoding.
ref : https://blog.soliditylang.org/2022/05/18/solidity-0.8.14-release-announcement/
This vulnerability can be misused since the function hashOrder() and hashOppositeOrder() has applicable conditions.
"...pass a nested array directly to another external function call or use abi.encode on it."
Vulnerability related to 'Optimizer Bug Regarding Memory Side Effects of Inline Assembly'
ref : https://blog.soliditylang.org/2022/06/15/solidity-0.8.15-release-announcement/
PuttyV2 inherits solidity contracts from openzeppelin and solmate, and both these uses inline assembly, and optimization is enabled while compiling.
Recommended Mitigation Steps
Use recent Solidity version 0.8.15 which has the fix for these issues
The text was updated successfully, but these errors were encountered: