AbiEncoderV2 Security Issue on Mainnet Deployment
Report ID
#21001
Target
Report type
Smart Contract
Impacts
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Has PoC?
Yes
Description
Hello Team,
I would like to share an issue in a smart contract in which the developer implemented
pragma experimental ABIEncoderV2;
which is not recommended at version ^0.7.0;
Meaning,
In Link = https://etherscan.io/address/0x39cdAf9Dc6057Fd7Ae81Aaed64D7A062aAf452fD?utm_source=immunefi#code
Here (Fertilizer.sol) uses the experimental pragma, which is not recommended on mainnet:
pragma solidity ^0.7.6;
pragma experimental ABIEncoderV2;
Generally speaking, experimental features can be unstable and produce unexpected and undocumented bugs - which you might not want in a production environment. Hence the warning.
This specific ABIEncoderV2 was introduced in Solidity version 0.5, enabling use of nested arrays and mappings. In this Solidity version, the encoder's stability was marked as experimental (i.e. likely unstable).
In the current Solidity version 0.8, the ABIEncoderV2 encoder is stable and no longer experimental
What is Experimental Pragma ?
Experimental Pragma in Solidity is used to enable experimental features of Solidity that are not enabled by default.
Example
The below code with struct types will throw a compilation error.
    // SPDX-License-Identifier: GPL-3.0
    pragma solidity ^0.6.0;

    contract Test {
        struct S { uint a; uint[] b; T[] c; }
        struct T { uint x; uint y; }

        // Struct parameters and return values need ABIEncoderV2 on 0.6.x
        function f(S memory, T memory, uint) public pure {}
        function g() public pure returns (S memory, T memory, uint) {}
    }
Compilation Error
    contracts/Sample.sol:12:12: TypeError: This type is only supported in ABIEncoderV2. Use "pragma experimental ABIEncoderV2;" to enable the feature.
    function f(S memory, T memory, uint) public pure {}
               ^------^
To overcome this, pragma experimental ABIEncoderV2 can be used as below, which compiles the code without any issues.
But it's not recommended to use an experimental pragma on mainnet.
Exact Issue:
In Link = https://etherscan.io/address/0x39cdAf9Dc6057Fd7Ae81Aaed64D7A062aAf452fD?utm_source=immunefi#code
At File 1 (Fertilizer.sol) you see an experimental ABIEncoderV2:
pragma solidity ^0.7.6;
pragma experimental ABIEncoderV2;
Who should be concerned
If you have deployed contracts which use the experimental ABI encoder V2, then those might be affected. This means that only contracts which use the following directive within the source code can be affected:
pragma experimental ABIEncoderV2;
Additionally, there are a number of requirements for the bug to trigger. See technical details further below for more information.
As far as we can tell, there are about 2500 contracts live on mainnet that use the experimental ABIEncoderV2. It is not clear how many of them contain the bug.
Possible Impacts:
- This bug is more likely to lead to malfunction than exploitability.
- The bug, when triggered, will under certain circumstances send corrupt parameters on method invocations to other contracts.
- Theft of user funds, since it will corrupt the smart contract parameters
References:
- (Solidity Blog) https://blog.soliditylang.org/2019/03/26/solidity-optimizer-and-abiencoderv2-bug/
- https://ethereum.stackexchange.com/questions/64562/about-abi-encoder-v2
Pic = attached below
Recommendation:
Do not use an experimental version in mainnet deployment.
Please let me know if you have any query.
Thank You
Proof of concept
Step 1: Open the link = https://etherscan.io/address/0x39cdAf9Dc6057Fd7Ae81Aaed64D7A062aAf452fD?utm_source=immunefi#code
Step 2: At file 1 (Fertilizer.sol)
Here (Fertilizer.sol) uses the experimental pragma, which is not recommended on mainnet:
pragma solidity ^0.7.6;
pragma experimental ABIEncoderV2;
Generally speaking, experimental features can be unstable and produce unexpected and undocumented bugs - which you might not want in a production environment. Hence the warning.
This specific ABIEncoderV2 was introduced in Solidity version 0.5, enabling use of nested arrays and mappings. In this Solidity version, the encoder's stability was marked as experimental (i.e. likely unstable).
In the current Solidity version 0.8, the ABIEncoderV2 encoder is stable and no longer experimental
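A triage check for the "Who should be concerned" question in the report, as an added example that is not part of the submission: it reads a Solidity source, finds the experimental ABIEncoderV2 directive and the `pragma solidity` constraint, and classifies the combination. The version thresholds it uses (`pragma abicoder v2;` accepted from compiler 0.7.4, ABI coder v2 the default from 0.8.0) are compiler facts not stated in the report, and the sample source is constructed from the two pragma lines the report quotes.

```python
import re

# Constructed sample: the two pragma lines the report quotes from Fertilizer.sol,
# placed in a minimal contract body so the script runs offline.
SAMPLE_SOURCE = """\
pragma solidity ^0.7.6;
pragma experimental ABIEncoderV2;

contract Fertilizer {}
"""

PRAGMA_RE = re.compile(r"pragma\s+(\w+)\s+([^;]+);")
VERSION_RE = re.compile(r"(\^|~|>=|<=|>|<|=)?\s*v?(\d+)\.(\d+)\.(\d+)")

ABICODER_PRAGMA = (0, 7, 4)   # `pragma abicoder v2;` accepted from 0.7.4
V2_DEFAULT = (0, 8, 0)        # ABI coder v2 is the default from 0.8.0


def lower_bound(constraint):
    """Oldest compiler a `pragma solidity` constraint admits, as a tuple.

    Only lower-bound operators (^, ~, >=, >, =, or none) count; upper bounds
    are ignored because the question is which old compiler could have built
    the contract.
    """
    lows = [tuple(int(x) for x in m.group(2, 3, 4))
            for m in VERSION_RE.finditer(constraint)
            if m.group(1) not in ("<", "<=")]
    return max(lows) if lows else None


def check_abi_encoder(source):
    """Classify a Solidity source by its use of the experimental ABIEncoderV2."""
    pragmas = PRAGMA_RE.findall(source)
    experimental = any(k == "experimental" and v.strip() == "ABIEncoderV2"
                       for k, v in pragmas)
    constraint = next((v for k, v in pragmas if k == "solidity"), "")
    version = lower_bound(constraint)
    if not experimental:
        status = "no-experimental-encoder"
    elif version is None:
        status = "unknown-compiler-version"
    elif version >= V2_DEFAULT:
        status = "redundant-directive"           # v2 is already the default
    elif version >= ABICODER_PRAGMA:
        status = "use-abicoder-pragma"           # same encoder, non-experimental spelling
    else:
        status = "experimental-on-old-compiler"  # compare against the Solidity bug list
    return {"experimental": experimental, "min_version": version, "status": status}


if __name__ == "__main__":
    print(check_abi_encoder(SAMPLE_SOURCE))
```

A source classified `experimental-on-old-compiler` is the case to check against the affected-version range in the Solidity blog post linked in the references; the other statuses do not by themselves indicate a defect.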
BIC Response
This is not a security bug report because it speculates on the potential issues associated with using a particular library without pointing out a specific vulnerability. The PoC points out a line of code in an in-scope asset but does not explain how funds can be stolen.
Due to these reasons, we are closing the submission and no reward will be issued.