Audittens

Answer The bug is literally hidden under the Christmas tree (🎄 in the code) — in the Solidity version number. This contract is compiled with Solidity 0.8.31, which contains the bug "Lost storage array write on slot overflow" (see https://t.co/4lgqJt27j0). The chosen STORAGE_LOCATION is very close to 2²⁵⁶, so the huge array uint256[256][2**240] balances crosses the storage boundary. That means there exists an account for which balances[account]'s slots wrap around 2²⁵⁶. When such an account calls withdrawAll(), the loop correctly transfers all tokens, but delete $.balances[account] does nothing. As a result, balances are never zeroed, and the attacker can call withdrawAll() repeatedly to drain tokens.

Christmas Quest for Auditors The contract below implements a multi-token vault: • there are 2²⁴⁰ accounts and 256 ERC20 tokens; • assume no malicious or weird tokens (e.g., reentrant, fee-on-transfer, etc.); • any address can become the controller of an unoccupied account; • a user can deposit tokens into an account they control; • a user can withdraw all tokens from an account they control. Find the vulnerability: how can an attacker steal tokens using withdrawAll? Hint: try to look deeper — the bug is hidden right under the Christmas tree 👇

Here is the story of how we found this bug. We were not trying to find a compiler bug — we were just experimenting with ways to create storage collisions without using assembly. One option is a dynamic array whose elements are huge fixed-size arrays (uint[2**256-1][]). This allows storage collisions while still being accepted by the compiler. A small detail: push() on such an array works, because Solidity does not try to clear the element's storage — storage is zero by default. Otherwise, this construction would be unusable. Out of curiosity, we then tested what happens when calling pop() on such an array. Intuitively, removing an element should require clearing its storage, which would be infeasible for such a large element. However, in our tests, pop() still succeeded with reasonable gas. To understand what was actually happening, we created another test: we wrote non-zero data into the element, then called pop(), and checked whether the data was cleared. It wasn't. Looking at the compiler source code revealed the cause: the cleanup loop compares storage slot addresses, and when the affected storage range crosses the 2²⁵⁶ boundary, the comparison breaks due to wraparound — so the loop never executes and the writes are skipped.

How strong is your understanding of inheritance? During one of our previous engagements, we encountered an unusual bug related to inheritance in Solidity. We're eager to share the essence of this issue with you and challenge your knowledge. Below is a simplified version of the code. Could you determine what the method B.getter2() returns? After answering the poll in the thread, feel free to explain your reasoning in the comments. Correct explanations will be awarded with likes!