Summary: In some situations, variables can overwrite other variables in storage.
Affected Solidity compiler versions: 0.1.6 to 0.4.3 (including 0.4.4 pre-release versions)
Storage variables that are smaller than 256 bits are packed together into the same 256-bit slot if they can fit. If a value larger than what is allowed by the type is assigned to the first variable, that value will overwrite the second variable.
This means that if an attacker can cause an overflow in the value of the first variable, then the second variable can be modified. Creating an overflow in the first variable is possible using arithmetic or by directly passing in a value from the call data (values in call data are aligned to 32 bytes, and the padding is neither verified nor enforced).
Contracts that only use the types listed below for state variables are not affected. Arrays, mappings and structs (based on the following types) are also not affected:
- signed integers, including sizes smaller than 256 bits
- bytesNN types, including sizes smaller than 256 bits
- unsigned integers (uint) of 256 bits
Contracts with types smaller than 256 bits that are never next to each other (note that state variables of base contracts are "pulled in") are not affected.
The Ethereum multisignature wallet contract is not affected.
Note that addresses take up 160 bits, so contracts that only use addresses and 256-bit types are safe. Furthermore, addresses and booleans are almost never manipulated via arithmetic operations in practice, so contracts using only addresses, booleans and 256-bit types should also be safe.
The following contracts may be affected:
Contracts containing two or more contiguous state variables where the sum of their sizes is less than 256 bits and the first state variable is not a signed integer and not of bytesNN type.
Types smaller than 256 bits include:
bool, enums, uint8, …, uint248, int8, …, int248, address, any contract type
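As an added illustration (not part of the advisory or of the Solidity compiler), the following Python model reproduces the packed storage write described above for a constructed layout `uint8 a; uint8 b; address owner;`, once without cleaning the high-order bits of the stored value (the affected compilers) and once with cleaning (0.4.4 and later). The layout, the value 0x100 and the placeholder address 0xCAFE are constructed for the example.

```python
# Added model of Solidity's packed storage writes; not compiler code.
SLOT_MASK = (1 << 256) - 1

# Constructed layout, packed Solidity-style from the low bits of one slot upward:
#   uint8   a;      -> bits   0..7
#   uint8   b;      -> bits   8..15
#   address owner;  -> bits  16..175   (8 + 8 + 160 = 176 bits, fits in 256)
LAYOUT = {"a": (0, 8), "b": (8, 8), "owner": (16, 160)}


def read_field(slot: int, name: str) -> int:
    """Return the value of one packed variable, as a storage read would."""
    offset, width = LAYOUT[name]
    return (slot >> offset) & ((1 << width) - 1)


def write_field(slot: int, name: str, value: int, clean_high_bits: bool) -> int:
    """Merge `value` into field `name` of `slot` and return the new slot word.

    clean_high_bits=True  models Solidity >= 0.4.4: the value is truncated to its
    declared width before the merge, so it can only touch its own bits.
    clean_high_bits=False models compilers 0.1.6 to 0.4.3 for the affected types:
    bits above the declared width are merged as-is and land on the neighbours.
    """
    offset, width = LAYOUT[name]
    if clean_high_bits:
        value &= (1 << width) - 1
    field_mask = ((1 << width) - 1) << offset
    slot &= ~field_mask & SLOT_MASK            # clear only the target field
    return (slot | (value << offset)) & SLOT_MASK


def demo(dirty_value: int, clean_high_bits: bool) -> dict:
    """Initialise the slot, then assign `a` a value that does not fit in uint8.

    dirty_value stands for a 256-bit word that exceeds uint8, e.g. 0x100 from
    `a = 255; a += 1` or a call-data word whose padding bytes are not zero.
    """
    slot = write_field(0, "b", 0x42, True)
    slot = write_field(slot, "owner", 0xCAFE, True)   # constructed placeholder address
    slot = write_field(slot, "a", dirty_value, clean_high_bits)
    return {name: read_field(slot, name) for name in LAYOUT}


if __name__ == "__main__":
    for clean in (False, True):
        print("clean_high_bits=%s -> %s" % (clean, demo(0x100, clean)))
```

Without cleaning, the carry bit of the uint8 overflow lands in `b`, and a call-data word with non-zero padding reaches `owner`; with cleaning both neighbours keep their values.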
Recommendation:
- Recompile contracts that have not yet been deployed using at least Solidity release 0.4.4 (not the pre-release or nightly version).
- Deactivate, remove funds from, or upgrade already deployed contracts.
This vulnerability was found by [github.com/catageek](https://github.com/catageek): [https://github.com/ethereum/solidity/issues/1306](https://github.com/ethereum/solidity/issues/1306)