Summary
Incorrect values can be logged when raw_log builtin is called with memory or storage arguments to be used as topics.
A contract search was performed and no vulnerable contracts were found in production. In particular, no uses of raw_log() were found at all in production; it is apparently not a well-known function.
Details
The build_IR function of the RawLog class fails to properly unwrap the variables provided as topics. Consequently, incorrect values are logged as topics.
PoC
x: bytes32
@external
def f():
self.x = 0x1234567890123456789012345678901234567890123456789012345678901234
raw_log([self.x], b"") # LOG1(offset:0x60, size:0x00, topic1:0x00)
y: bytes32 = 0x1234567890123456789012345678901234567890123456789012345678901234
raw_log([y], b"") # LOG1(offset:0x80, size:0x00, topic1:0x40)Impact
Incorrect values can be logged which may result in unexpected behavior in client-side applications relying on these logs.
chen-robert Finder
Summary
Incorrect values can be logged when
raw_logbuiltin is called with memory or storage arguments to be used as topics.A contract search was performed and no vulnerable contracts were found in production. In particular, no uses of
raw_log()were found at all in production; it is apparently not a well-known function.Details
The
build_IRfunction of theRawLogclass fails to properly unwrap the variables provided as topics. Consequently, incorrect values are logged as topics.PoC
Impact
Incorrect values can be logged which may result in unexpected behavior in client-side applications relying on these logs.