mythril
mythril copied to clipboard
ecrecover related bugs are not detected(Support for SWC-122)
Description
It doesn't detect ecrecover
failing upon invalid input
How to Reproduce
See the following piece of code:
https://gist.github.com/HarryR/cce52596ffebdff2744c5d790888015a
This was caused by a compiler bug in Solidity < 0.4.14, where the output memory area for the ecrecover
call wasn't cleared, which means in the case of an invalid signature the memory may contain user-controllable input.
If the contract address is passed in as the last 20 bytes of the 32-byte stuff2hash
input, then the if condition will be true and the contract will send all funds to the caller.
This was recently highlighted as a problem with the 0x contracts, see: https://samczsun.com/the-0x-vulnerability-explained/
Expected behavior
this bug should be detected
Hi @HarryR . Currently Mythril doesn't yet support SWC-122. We will support it soon.
SWC-122 is vague and wishy-washy, and could be applicable to many different schemes.
Surely there should be a more-specific SWC, specifically about the semantics of CALL to builtin which can may not overwrite output memory, or other conditions where an output is expected but ends up being user-controlled - where sanitisation is required before the call?
SWC-122 is vague and wishy-washy
Yeah SWC-122 is vague.
Surely there should be a more-specific SWC, specifically about the semantics of CALL to builtin which can may not overwrite output memory, or other conditions where an output is expected but ends up being user-controlled - where sanitisation is required before the call?
You can raise this issue in SWCRegistry if you want to.