The latest version of Solidity, version 0.4.25, includes fixes for two major bugs. The first bug was discovered in version 0.4.22, while the second one was only recently discovered.
It is important to note that the Ethereum Foundation operates a rewards program for bug reports. The code generator is part of the Solidity package.
Cleaning Exponent in Exponentiation Operation
- Probability of Occurrence: Very Low
- Exploitability: High
- Test Visibility: Low
- Fixed Version: 0.4.25
Summary: Use of a shorter type than 256 bits for the exponent in an exponentiation operation can lead to invalid results.
The Solidity language allows for the use of integer types shorter than 256 bits. The Ethereum Virtual Machine can only process types with exactly 256 bits, which is why higher-order bits must be reset to zero periodically. Since most operations do not require this resetting (like addition, for instance), the Solidity compiler defers this process until it is absolutely necessary in order to save on costs.
Under certain special conditions, in which the exponent of the ** operator is shorter than 256 bits but not less than the base type, higher-order dirty bits can cause an error. This is true even if literal exponents are used, like in x**2 or uint256/int256.
It’s also worth noting that function parameters may contain higher-order dirty bits when called by malicious entities. This is true for any data returned by functions created by malicious entities too.
A large number of contracts have been inspected, and it is believed that the bug only affects a small number of smart contracts. This is because the exponentiation operator is not used often enough to cause the bug.
This by newweller.
Memory Corruption in Multidimensional Array Decoder
- Probability of Occurrence: Low
- Exploitability: Medium
- Test Visibility: High
- Introduced Version: 0.1.4
- Fixed Version: 0.4.22
Summary: Memory corruption can occur when functions are used in conjunction with other contracts to return fixed-size multidimensional arrays.
When Solidity code calls a function that returns a multidimensional array with a fixed size, the ABI-encoded returned data must be converted to Solidity’s internal array representation. In ABI encoding, data is in-line encoded, but the decoder did not consider this difference, so the returned items were interpreted as memory pointers, potentially corrupting memory if the returned values were accessed. Functions with multidimensional fixed size array arguments were not affected. If these were not used, a function call would return a fixed-size array. Only the component of a Solidity contract that returns a fixed-size multidimensional array is affected by this bug.
This by jmahhh.