HomeEthereumSecurity Alert - Solidity - Variables can be overwritten in storage
Security Alert – Solidity – Variables can be overwritten in storage
Ethereum

Security Alert – Solidity – Variables can be overwritten in storage

crypto4unews
By crypto4unews

-

127
0


Summary: In some situations, variables can overwrite other variables in storage.

Affected Solidity compiler versions: 0.1.6 to 0.4.3 (including 0.4.4 pre-release versions)

Detailed description:

Storage variables that are smaller than 256 bits are packed together into the same 256 bit slot if they can fit. If a value larger than what is allowed by the type is assigned to the first variable, that value will overwrite the second variable.

This means if an attacker can cause an overflow in the value of the first variable, then the second variable can be modified. Creating an overflow in the first variable is possible using arithmetics or by directly passing in a value from the call data (values in call data are aligned to 32 bytes, and padding is neither verified nor enforced).

Contracts that only use the types listed below for state variables are not affected. Arrays, mappings and structs (based on those following types) are also not affected:

  • signed integers, including sizes smaller than 256 bits
  • bytesNN types, including sizes smaller than 256 bits
  • unsigned integers (uint) of 256 bits

Contracts with types smaller than 256 bits that are never next to each other (note that state variables of base contracts are “pulled in”) are not affected.

The Ethereum multisignature wallet contract is not affected.
Note that addresses take up 160 bits, so contracts that only use addresses and 256-bit types are safe. Additionally, addresses and booleans are almost never manipulated via arithmetic operations in practice, so contracts using only addresses, booleans and 256 bit types should also be safe.

The following contracts may be affected:
Contracts containing two or more contiguous state variables where the sum of their sizes is less than 256 bits and the first state variable is not a signed integer and not of bytesNN type.

Types smaller than 256 bits include:
bool, enums, uint8, …, uint248, int8, …, int248, address, any contract type

Recommended action:

  • Recompile contracts that have not yet been deployed using at least Solidity release 0.4.4 (not the pre-release or nightly version).
  • Deactivate, remove funds from, or upgrade already deployed contracts.

This vulnerability was found by [github.com/catageek](https://github.com/catageek): [https://github.com/ethereum/solidity/issues/1306](https://github.com/ethereum/solidity/issues/1306)



Source link

Previous article
The Hidden Costs Of Quantitative Easing During A Global Financial Crisis
Next article
Cryptocurrency for Beginners: A Comprehensive Guide to Getting Started Safely
crypto4unews
crypto4unewshttps://crypto4unews.com

LEAVE A REPLY

Please enter your comment!
Please enter your name here

LATEST POSTS

Bitcoin

Crypto Startups Concerned About Binance Link To Proposed VASP Bill In Kenya

Key TakeawaysKenya’s emerging cryptocurrency sector is facing a regulatory challenge, with concerns growing over the link between cryptocurrency exchanges and a proposed VASP Bill...
Bitcoin

Investors Circumvent China’s Crypto Ban by Getting Indirect Exposure Through Stocks

Key TakeawaysChinese crypto investors are using Hong Kong stocks to gain indirect exposure to crypto, therefore circumventing mainland China’s crypto ban.The Guotai Junan International...
Bitcoin

Robinhood Cooks With Stock Tokens, Futures, and Its Chain

Key TakeawaysRobinhood unveils tokenized stock assets on the Arbitrum network for its users in the EU and the U.S.Robinhood to allow EU traders access...
Bitcoin

Hyra Network Honored as “Technology Startup of the Year” at the 2025 Globee® Awards

Dubai, United Arab Emirates, July 1st, 2025, ChainwireDecentralized AI Framework Gains Recognition for Expanding Access to Compute Power.The digital economy has witnessed transformative platforms...
Load more

Most Popular

Subscribe to our newsletter!

The information provided on Crypto4Unews.com is for informational purposes only and should not be considered financial advice. Cryptocurrency investments carry risks, and it is crucial to conduct your own research and consult with a financial advisor before making any investment decisions. We strive to deliver accurate and up-to-date information, but we cannot guarantee the reliability or completeness of the content. Crypto4Unews.com is not responsible for any losses or damages arising from the use of our site or reliance on its information. Always invest responsibly and be aware of market volatility.

Latest articles

Popular Categories

© Copyright - 2024 crypto4unews.com. All rights reserved.