The Sway compiler currently disallows read access to storage when the call is made within the fallback function. #6324
Assignees
Labels
Comments
IGI-111
added
bug
esdrubal
added a commit
that referenced
this issue
Sep 20, 2024
The reproduction presented in #6324 was missing loading the storage configuration properly. To do that we have to use the following in test/src/sdk-harness/test_projects/run_external_proxy_with_storage/mod.rs: StorageConfiguration::default().add_slot_overrides_from_file("test_projects/run_external_target_with_storage/out/release/run_external_target_with_storage-storage_slots.json").unwrap(); This commit changes the presented reproduction to load the storage slots and the test runs without reverting. Closes #6324
8 tasks
esdrubal
added a commit
that referenced
this issue
Sep 26, 2024
The reproduction presented in #6324 was missing loading the storage configuration properly. To do that we have to use the following in test/src/sdk-harness/test_projects/run_external_proxy_with_storage/mod.rs: StorageConfiguration::default().add_slot_overrides_from_file("test_projects/run_external_target_with_storage/out/release/run_external_target_with_storage-storage_slots.json").unwrap(); This commit changes the presented reproduction to load the storage slots and the test runs without reverting. Closes #6324
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
From https://bugs.immunefi.com/dashboard/submission/32730
Brief/Intro
The Sway compiler's current state Reverts any transaction that performs read access to storage if the call is made within the fallback function.
Vulnerability Details
I adapted an existing collection of tests targetting fallback functionality (can found at https://github.com/FuelLabs/sway/tree/7b56ec734d4a4fda550313d448f7f20dba818b59/test/src/sdk-harness/test_projects/run_external_proxy and https://github.com/FuelLabs/sway/tree/7b56ec734d4a4fda550313d448f7f20dba818b59/test/src/sdk-harness/test_projects/run_external_target) to demonstrate an issue with the way compiler handles storage access in fallback function. While the compiler documentation suggests READ access to storage should be possible within fallback functions (since it's a common characteristic of any Sway function), the current state of the compiler prevents this. This difference between the documentation and the codebase's actual behavior raises doubts about whether fallback functions work as intended.
However, WRITE operations to storage within fallback functions are working as expected, indicating a potential inconsistency in how storage interactions are handled.
Impact Details
A malicious contract with a faulty fallback function could be deployed, deliberately hiding crucial storage access features within it. This could trick less technical users into thinking the contract is legitimate because it compiles successfully. This can potentially to griefing;
If contract A interacts with contract B and the interaction fails, causing contract B to revert, contract A may also revert as a consequence;
References
sway/docs/book/src/blockchain-development/calling_contracts.md
Line 174 in 7b56ec7
Proof of concept
Please see following gists: https://gist.github.com/0xZRA/c25f0ee9ef89d44adde573609c5553f3 https://gist.github.com/0xZRA/19a9079f97f60a5143115e76a0eb84a9 https://gist.github.com/0xZRA/18d8f25e6b3a97025de946868a230765 https://gist.github.com/0xZRA/6e1684f538ad85dff5a39b25bb54523f https://gist.github.com/0xZRA/8875643f14e88092ac72e400079fd849
The text was updated successfully, but these errors were encountered: