📄

Report #21001

Report Date
May 31, 2023
Status
Closed
Payout

AbiEncoderV2 Security Issue on Mainnet Deployment

Report Info

Report ID

#21001

Target

Report type

Smart Contract

Impacts

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Has PoC?

Yes

Description

Hello Team,

I Would like to share an issue in smart contract in which developer implemented

 pragma experimental ABIEncoderV2;

Which is not recommended at version ^0.7.0 ;

Means ,

Here (Fertilizer.sol) , Uses the pragma Experminatal which is not recommended on mainnet

   pragma solidity ^0.7.6;
   pragma experimental ABIEncoderV2;

Generally speaking, experimental features can be unstable and produce unexpected and undocumented bugs - which you might not want in a production environment. Hence the warning.

This specific ABIEncoderV2 was introduced in Solidity version 0.5, enabling use of nested arrays and mappings. In this Solidity version, the encoder's stability was marked as experimental (i.e. likely unstable).

In the current Solidity version 0.8, the ABIEncoderV2 encoder is stable and no longer experimental

What is Experimental Pragma ?

Experimental Pragma in Solidity is used to enable experimental features of Solidity that are not enabled by default.

Example

the below code with struct types will throw a compilation error.

// SPDX-License-Identifier: GPL-3.0 pragma solidity ^0.6.0; contract Test { struct S { uint a; uint[] b; T[] c; } struct T { uint x; uint y; } function f(S memory, T memory, uint) public pure {} function g() public pure returns (S memory, T memory, uint) {} }

Compilation Error

contracts/Sample.sol:12:12: TypeError: This type is only supported in ABIEncoderV2. Use "pragma experimental ABIEncoderV2;" to enable the feature. function f(S memory, T memory, uint) public pure {} ^------^

To overcome this, the pragma experimental ABIEncoderV2 can be used as below that compiles the code without any issues.

But It's Not Recommended to use Experimental Pragma on Mainnet

Exact Issue :

At File 1 ( Fertilizer.sol) you see an Experimental ABIEncoderV2;

  pragma solidity ^0.7.6;

  pragma experimental ABIEncoderV2;

Who should be concerned

If you have deployed contracts which use the experimental ABI encoder V2, then those might be affected. This means that only contracts which use the following directive within the source code can be affected:

pragma experimental ABIEncoderV2;

Additionally, there are a number of requirements for the bug to trigger. See technical details further below for more information.

As far as we can tell, there are about 2500 contracts live on mainnet that use the experimental ABIEncoderV2. It is not clear how many of them contain the bug.

Possible Impacts :

  1. This bug is more likely to lead to malfunction than exploitability.
  2. The bug, when triggered, will under certain circumstances send corrupt parameters on method invocations to other contracts.
  3. Theft of User funds since it will corrupt the smart contract parameters

References :

  1. ( Solidity Blog ) = https://blog.soliditylang.org/2019/03/26/solidity-optimizer-and-abiencoderv2-bug/
  2. https://ethereum.stackexchange.com/questions/64562/about-abi-encoder-v2

Pic = attached below

Recommendation :

Not use Experimental version in mainet Deployment

Please let me know if have any query

Thank You

Proof of concept

Step 2 : At file 1 ( Fertilizer.sol)

Here (Fertilizer.sol) , Uses the pragma Experminatal which is not recommended on mainnet

   pragma solidity ^0.7.6;
   pragma experimental ABIEncoderV2;

Generally speaking, experimental features can be unstable and produce unexpected and undocumented bugs - which you might not want in a production environment. Hence the warning.

This specific ABIEncoderV2 was introduced in Solidity version 0.5, enabling use of nested arrays and mappings. In this Solidity version, the encoder's stability was marked as experimental (i.e. likely unstable).

In the current Solidity version 0.8, the ABIEncoderV2 encoder is stable and no longer experimental

BIC Response

This is not a security bug report because it speculates on the potential issues associated with using a particular library without pointing out a specific vulnerability. The PoC points out a line of code in an in-scope asset but does not explain how funds can be stolen.

Due to these reasons, we are closing the submission and no reward will be issued.