Unexpected runcode fail #386

dynamicAna opened this Issue Nov 10, 2018 · 4 comments



dynamicAna commented Nov 10, 2018

  • I am using ethereumjs-vm vm.runCode function to run my contract bytecode, and I use the step event for trace output.

  • When I set the runcode attribute code: Buffer.from(my_code, 'hex') and tried to run it, I got the output of the REVERT opcode. It means runcode failed.

  • REVERT output




holgerd77 commented Nov 16, 2018

REVERT is just a normal bytecode which can be triggered from the high-level source code itself (e.g. from Solidity), so I would very much assume that this is the normal programmatic execution result and not a bug.

With the extensive code example you provide this is not really possible to recreate. Will close this for now; if you really think this is a bug, please try to extract a more straightforward and simpler code example which can then be traced and analyzed. Thanks!

@holgerd77 holgerd77 closed this Nov 16, 2018



TylerAP commented Nov 21, 2018

@holgerd77 This is about to get a lot hotter.
GitHub just sent out a panic due to:

ethereumjs-vm 2.4.0 allows attackers to cause a denial of service (vm.runCode failure and REVERT) via a "code: Buffer.from(my_code, 'hex')" attribute.

Does this even make sense?




jwasinger commented Nov 22, 2018

This library is not consensus-critical so it's not a big issue.




holgerd77 commented Nov 22, 2018

To give some context for people coming from the outside and reading this:

This library is not used to run the Ethereum network. Its current purpose is to serve as a developer simulation tool; e.g., it runs within the online IDE Remix, and library execution is triggered when developers test their code.

Even assuming for a moment that the above filed issue is an exploitable bug, the worst "denial-of-service" attack which could be done in this context is to disturb a single separately-targeted developer in his/her online developer experience.

That said: one can very confidently say after first analysis that the described behavior is not a bug (see also comment above) but just normal runtime behavior.
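
The point made in the maintainer comments above, that REVERT is an ordinary opcode emitted by the contract's own code, can be checked by disassembling the bytecode before handing it to vm.runCode. This is an added example, not code from the issue or from ethereumjs-vm; `SAMPLE` is constructed bytecode and `disassemble` / `revertSites` are hypothetical helper names.

```javascript
// Added example: constructed bytecode and hypothetical helpers, not from the issue.
// SAMPLE: PUSH2 0xfdfd, POP, PUSH1 0, CALLDATALOAD, ISZERO, PUSH1 0x0f, JUMPI,
//         PUSH1 0, DUP1, REVERT, JUMPDEST, STOP
const SAMPLE = '61fdfd5060003515600f57600080fd5b00';

// Only the opcodes needed for this sample are named; others print as OP_0x..
const NAMES = {
  0x00: 'STOP', 0x15: 'ISZERO', 0x35: 'CALLDATALOAD', 0x50: 'POP',
  0x57: 'JUMPI', 0x5b: 'JUMPDEST', 0x80: 'DUP1', 0xf3: 'RETURN',
  0xfd: 'REVERT', 0xfe: 'INVALID',
};

function disassemble(hex) {
  const clean = hex.replace(/^0x/i, '');
  // Buffer.from(str, 'hex') silently truncates at the first invalid character,
  // so reject malformed input instead of running a shortened program.
  if (clean.length % 2 !== 0 || /[^0-9a-fA-F]/.test(clean)) {
    throw new Error('bytecode is not a clean hex string');
  }
  const code = Buffer.from(clean, 'hex');
  const ops = [];
  for (let pc = 0; pc < code.length; pc++) {
    const op = code[pc];
    if (op >= 0x60 && op <= 0x7f) {
      // PUSH1..PUSH32 carry 1..32 bytes of immediate data, which are not opcodes.
      const n = op - 0x5f;
      const data = code.subarray(pc + 1, pc + 1 + n);
      ops.push({ pc, name: 'PUSH' + n, data: data.toString('hex'), truncated: data.length < n });
      pc += n;
    } else {
      ops.push({ pc, name: NAMES[op] || 'OP_0x' + op.toString(16).padStart(2, '0') });
    }
  }
  return ops;
}

// Program counters where a real REVERT instruction sits (0xfd inside PUSH data is skipped).
function revertSites(hex) {
  return disassemble(hex).filter((o) => o.name === 'REVERT').map((o) => o.pc);
}

for (const o of disassemble(SAMPLE)) {
  console.log(String(o.pc).padStart(4), o.name, o.data ? '0x' + o.data : '');
}
console.log('REVERT at pc:', revertSites(SAMPLE));
```

If the `pc` reported by the `step` event at the failing REVERT matches one of these sites, the revert was written into the contract by its compiler or author rather than produced by the VM.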
