Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

eth/harness: Uncomment init overflow test. #1722

Merged
merged 1 commit into from Jul 31, 2022
Merged

eth/harness: Uncomment init overflow test. #1722

merged 1 commit into from Jul 31, 2022

Conversation

JoeGruffins
Copy link
Member

closes #1720

So, there was already a test! I guess @buck54321 or @martonp noticed the possible vulnerability before me. The commented out test just never registered for me....

Anyway, I tried this with a contract build with 0.7.5 and can confirm the init succeeds and test fails.

@buck54321
Copy link
Member

buck54321 commented Jul 20, 2022
edited

I think @martonp wrote the test, and I commented it out, because it was failing after a refactor, and I though there was no way to actually overflow with the new architecture. I'm not fully caught up on this convo, but from what I gather, I was wrong? Anyway, more tests and better security is always welcome.

@chappjc
Copy link
Member

chappjc commented Jul 20, 2022

Yah, good to check these things anyway. But why is the contract bin changing?

chappjc
chappjc reviewed Jul 20, 2022
View reviewed changes
dex/networks/eth/contracts/ETHSwapV0.sol Outdated
Comment on lines 2 to 6

// pragma should be as specific as possible to allow easier validation.
//
// WARNING: pragma MUST be above v0.8.0 so that addition overflow will cause
// transactions to be reverted.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If changing the comments really changes the bin, let's just skip this. I don't think we'll ever consider downgrading to before 0.8.0.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So comments really change the output? That's kinda nuts

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess there's a hash of the entire thing and a checksum somewhere. I'm guessing it's only a checksum changing. Can check how much changes because that's good info to have.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At the end of the hex, this part changed:
9c8d8d137b7639af24fe8215dd5976b16323176cb4b9be076c90eeb32eaf7446 -> ef281bf04bfe702e408f8eba5336858e62259885e954f238248ad567172b2764

So, a 32 byte hash, probably of the entire contract including comments.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably. Geeze it should be a hash of a language preprocessor's output (or optionally omitted), not the file contents. Oh well

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed warning https://github.com/decred/dcrdex/compare/c158bd437e5a1e7d821444f449eac232641e5ae3..15e4e83718b35379398615078cba21e48729e006

@JoeGruffins
Copy link
Member Author

I'm not fully caught up on this convo, but from what I gather, I was wrong?

No, just wanted to make sure. The contract is fine afaik.

martonp
martonp approved these changes Jul 21, 2022
View reviewed changes
Copy link
Contributor

@martonp martonp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess the point of test is to make sure no one reduces the solidity version below 8.0 and to make sure the solidity overflow check is working properly.

@JoeGruffins
Copy link
Member Author

I guess the point of test

There could also be a change reverting the behavior in the future. However unlikely that may be.

@chappjc chappjc merged commit 4cf409b into decred:master Jul 31, 2022
@chappjc chappjc added this to the 0.5 milestone Aug 26, 2022
@chappjc chappjc added the ETH label Aug 26, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@martonp martonp martonp approved these changes

@chappjc chappjc chappjc approved these changes

Assignees
No one assigned
Labels
ETH
Projects
None yet
Milestone
0.5
Development

Successfully merging this pull request may close these issues.

eth/harness: Add test for contract overflow in init.
4 participants
@JoeGruffins @buck54321 @chappjc @martonp