medium
SHA3_64 Vulnerability in compile_ir.py
Contest
Reward
Total
10167.11 USDC
Selected
10167.11 USDC
Selected Submission
SHA3_64 Vulnerability in compile_ir.py
Severity
High Risk
Summary
There is an error in the calculation of SHA3_64, which will produce wrong hash results and may affect the access of HashMap objects.
Vulnerability Details
line 583 in compile_ir.py
# SHA3 a 64 byte value
elif code.value == "sha3_64":
o = _compile_to_assembly(code.args[0], withargs, existing_labels, break_dest, height)
o.extend(_compile_to_assembly(code.args[1], withargs, existing_labels, break_dest, height))
o.extend(
[
*PUSH(MemoryPositions.FREE_VAR_SPACE2),
"MSTORE",
*PUSH(MemoryPositions.FREE_VAR_SPACE),
"MSTORE",
*PUSH(64),
*PUSH(MemoryPositions.FREE_VAR_SPACE),
"SHA3",
]
)
return o
o.extend(_compile_to_assembly(code.args[1], withargs, existing_labels, break_dest, height)) should be on height+1. This code will affect the correct access of the withargs variable.
Impact
Because SHA3_64 is related to the reading and writing of HashMap objects, it has an important impact on the data on the contract chain. The overall impact should be high level.
POC Code:
(with _loc
(with val 1
(with key 2
(sha3_64 val key)))
(seq
(sstore _loc
(with x (sload _loc)
(with ans (add x 1) (seq (assert (ge ans x)) ans))))))
python -m vyper --vyper-ir bug.ir
the generated bytecode: 6001600281806020525f5260405f2090509050805460018101818110610026579050815550005b5f80fd
0000 60 PUSH1 0x01
0002 60 PUSH1 0x02
0004 81 DUP2
0005 80 DUP1 *********** bad code here!!!!!!
0006 60 PUSH1 0x20
0008 52 MSTORE