You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
However, WRITE operations to storage within fallback functions are working as expected, indicating a potential inconsistency in how storage interactions are handled.
Impact Details
A malicious contract with a faulty fallback function could be deployed, deliberately hiding crucial storage access features within it. This could trick less technical users into thinking the contract is legitimate because it compiles successfully. This can potentially to griefing;
If contract A interacts with contract B and the interaction fails, causing contract B to revert, contract A may also revert as a consequence;
References
For all intents and purposes the fallback function is considered a contract method, which means that it has all the limitations that other contract methods have. As the fallback function signature, the function cannot have arguments, but they can return anything.
The reproduction presented in #6324 was missing loading the storage
configuration properly.
To do that we have to use the following in test/src/sdk-harness/test_projects/run_external_proxy_with_storage/mod.rs:
StorageConfiguration::default().add_slot_overrides_from_file("test_projects/run_external_target_with_storage/out/release/run_external_target_with_storage-storage_slots.json").unwrap();
This commit changes the presented reproduction to load the storage slots
and the test runs without reverting.
Closes#6324
The reproduction presented in #6324 was missing loading the storage
configuration properly.
To do that we have to use the following in test/src/sdk-harness/test_projects/run_external_proxy_with_storage/mod.rs:
StorageConfiguration::default().add_slot_overrides_from_file("test_projects/run_external_target_with_storage/out/release/run_external_target_with_storage-storage_slots.json").unwrap();
This commit changes the presented reproduction to load the storage slots
and the test runs without reverting.
Closes#6324
From https://bugs.immunefi.com/dashboard/submission/32730
Brief/Intro
The Sway compiler's current state Reverts any transaction that performs read access to storage if the call is made within the fallback function.
Vulnerability Details
I adapted an existing collection of tests targetting fallback functionality (can found at https://github.com/FuelLabs/sway/tree/7b56ec734d4a4fda550313d448f7f20dba818b59/test/src/sdk-harness/test_projects/run_external_proxy and https://github.com/FuelLabs/sway/tree/7b56ec734d4a4fda550313d448f7f20dba818b59/test/src/sdk-harness/test_projects/run_external_target) to demonstrate an issue with the way compiler handles storage access in fallback function. While the compiler documentation suggests READ access to storage should be possible within fallback functions (since it's a common characteristic of any Sway function), the current state of the compiler prevents this. This difference between the documentation and the codebase's actual behavior raises doubts about whether fallback functions work as intended.
However, WRITE operations to storage within fallback functions are working as expected, indicating a potential inconsistency in how storage interactions are handled.
Impact Details
A malicious contract with a faulty fallback function could be deployed, deliberately hiding crucial storage access features within it. This could trick less technical users into thinking the contract is legitimate because it compiles successfully. This can potentially to griefing;
If contract A interacts with contract B and the interaction fails, causing contract B to revert, contract A may also revert as a consequence;
References
sway/docs/book/src/blockchain-development/calling_contracts.md
Line 174 in 7b56ec7
Proof of concept
Please see following gists: https://gist.github.com/0xZRA/c25f0ee9ef89d44adde573609c5553f3 https://gist.github.com/0xZRA/19a9079f97f60a5143115e76a0eb84a9 https://gist.github.com/0xZRA/18d8f25e6b3a97025de946868a230765 https://gist.github.com/0xZRA/6e1684f538ad85dff5a39b25bb54523f https://gist.github.com/0xZRA/8875643f14e88092ac72e400079fd849
The text was updated successfully, but these errors were encountered: