Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Low level calls with solidity version 0.8.14 can result in optimiser bug. #94

Open
code423n4 opened this issue Jun 18, 2022 · 2 comments
Open

Low level calls with solidity version 0.8.14 can result in optimiser bug. #94

code423n4 opened this issue Jun 18, 2022 · 2 comments
Assignees
@maximebrugel
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax valid

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-06-nested/blob/b4a153c943d54755711a2f7b80cbbf3a5bb49d76/contracts/governance/OwnerProxy.sol#L20

Vulnerability details

Impact

The protocol is using low level calls with solidity version 0.8.14 which can result in optimizer bug.

Proof of Concept

See POC from Certora

Recommended Mitigation Steps

Consider upgrading to solidity 0.8.15
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jun 18, 2022
code423n4 added a commit that referenced this issue Jun 18, 2022
@code423n4
BowTiedWardens issue #94
8515fdd
@maximebrugel maximebrugel self-assigned this Jun 21, 2022
@Yashiru
Copy link
Collaborator

Yashiru commented Jun 22, 2022
edited
Loading

Low level calls with solidity version 0.8.14 can result in optimiser bug (Confirmed)

Disagree with severity. The Certora report was published on the day of the audit.

@Yashiru Yashiru added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Jun 22, 2022
@jack-the-pug
Copy link
Collaborator

I'll downgrade this to QA as the warden fail to provide any details required for a High issue, I did some brief research and it seems the bug wont impact the code pointed out by the warden.

@jack-the-pug jack-the-pug added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax valid and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Jul 12, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maximebrugel maximebrugel

Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax valid
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@maximebrugel @Yashiru @code423n4 @jack-the-pug