The assignment of immutable variables in the constructor is affected by the subsequent bytecode #14049

Closed
slendermaan opened this issue Mar 14, 2023 · 2 comments
slendermaan commented Mar 14, 2023

Description

The assignment of an immutable variable in the constructor may be corrupted under the influence of subsequent inline assembly code (for example mstore).

Environment

  • Compiler version:
  • Target EVM version (as per compiler settings): <=0.8.19
  • Framework/IDE (e.g. Truffle or Remix): Remix
  • EVM execution environment / backend / blockchain client: EVM execution environment
  • Operating system: Windows

Steps to Reproduce

The expected behavior of the following code is that a is 0x4B20993Bc481177ec7E8f571ceCaE8A9e22C02db, but it is eventually assigned the value msg.sender.

pragma solidity ^0.8.19;
contract C {
    address public immutable a;
    // Constructor visibility is ignored since 0.7, so `public` is dropped here.
    constructor() {
        a = 0x4B20993Bc481177ec7E8f571ceCaE8A9e22C02db;
        F(msg.sender);
    }
    function F(address witnessAddress) view public returns(address){
        // Deliberately writes to 0x80, the start of free memory, which the
        // compiler uses to stage immutable values during construction.
        assembly{
            mstore(0x80,witnessAddress)
        }
        return a;
    }
}


Reasons

The reason for the above problem is that, unlike other source-code compilation results, the assignment of an immutable variable is first written with mstore into the memory area starting at 0x80; then, after the constructor's user code has executed, mload is used to move the variable to the stack, and after codecopy mstore is executed again to patch the bytecode content.
This means that code after the immutable-variable assignment may still affect its execution logic, for example an mstore.

Impact

By surveying open-source projects, we can easily find a large number of functions that use the mstore operation.
For example, the following code snippet:

function initialize() internal view {
       ...
        assembly {
            ...
            mstore(0x80, sload(0))

This means that mstore operations are common, and we need to be wary of such operations being called in constructors that have immutable variables.

Fix

We suggest giving a warning about the above problem in the compilation result to warn users of the above risk.
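The following is an added example, not code from the issue or from the Solidity project, contrasting the clobbering pattern reported above with a rewrite that respects the compiler's memory model. The contract and function names (Clobbered, Safe, stash, observedDuringConstruction) are made up for this illustration; the address constant is the one from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example (hypothetical names). During construction the compiler keeps
// the values of immutables in memory from 0x80 upward and copies them into the
// runtime code after the constructor body finishes, so an inline-assembly
// write to 0x80 silently overwrites the pending immutable value.
contract Clobbered {
    address public immutable a;
    // Records what `a` read as while the constructor was still running.
    address public observedDuringConstruction;

    constructor() {
        a = 0x4B20993Bc481177ec7E8f571ceCaE8A9e22C02db;
        stash(msg.sender);
        observedDuringConstruction = a; // reads the (now clobbered) staged value
    }

    // Unsafe: writes to the start of free memory without consulting the
    // free memory pointer at 0x40, trampling whatever the compiler placed there.
    function stash(address v) internal pure {
        assembly {
            mstore(0x80, v)
        }
    }
}

// Same intent, but memory-safe: space is allocated from the free memory
// pointer and the pointer is advanced, so the immutable staging area is
// never touched. The ("memory-safe") annotation is a promise to the compiler
// that the block follows these rules; it does not enforce them by itself.
contract Safe {
    address public immutable a;
    address public observedDuringConstruction;
    bytes32 public stashHash;

    constructor() {
        a = 0x4B20993Bc481177ec7E8f571ceCaE8A9e22C02db;
        stashHash = stash(msg.sender);
        observedDuringConstruction = a; // still the constant above
    }

    function stash(address v) internal pure returns (bytes32 h) {
        assembly ("memory-safe") {
            let ptr := mload(0x40)        // current free memory pointer
            mstore(ptr, v)                // write into freshly allocated space
            mstore(0x40, add(ptr, 0x20))  // bump the pointer past the word
            h := keccak256(ptr, 0x20)
        }
    }
}
```

Deploying both contracts and comparing `a()` with `observedDuringConstruction()` makes the difference visible: in Clobbered both return the deployer address, while in Safe both return the constant. The only defensive rule this demonstrates is the one the Solidity memory-model documentation already states: inline assembly may write only to scratch space (0x00 to 0x3f) or to memory it allocated through the free memory pointer, never to fixed offsets at or above 0x80.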

github-actions bot added this to Triage in Solidity Mar 14, 2023

slendermaan (Author) commented:
I also reported the problem through the bug bounty channel

slendermaan (Author) commented:
@cameel

slendermaan closed this as not planned Mar 15, 2023
Solidity automation moved this from Triage to Done Mar 15, 2023