{"id":18488,"date":"2026-03-20T17:26:37","date_gmt":"2026-03-20T17:26:37","guid":{"rendered":"https:\/\/cryptoted.net\/index.php\/2026\/03\/20\/solidity-optimizer-and-abiencoderv2-bug\/"},"modified":"2026-03-20T17:26:37","modified_gmt":"2026-03-20T17:26:37","slug":"solidity-optimizer-and-abiencoderv2-bug","status":"publish","type":"post","link":"https:\/\/cryptoted.net\/index.php\/2026\/03\/20\/solidity-optimizer-and-abiencoderv2-bug\/","title":{"rendered":"Solidity Optimizer and ABIEncoderV2 Bug"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div id=\"\">\n<h2 class=\"chakra-heading group css-1kpzc4q\" id=\"solidity-optimizer-and-abiencoderv2-bug-announcement\" data-group=\"true\"><a class=\"chakra-link css-128fqrf\" aria-label=\"solidity optimizer and abiencoderv2 bug announcement permalink\" href=\"#solidity-optimizer-and-abiencoderv2-bug-announcement\"><svg viewbox=\"0 0 24 24\" focusable=\"false\" class=\"chakra-icon css-173jpr1\"><g fill=\"currentColor\"><path d=\"M10.458,18.374,7.721,21.11a2.853,2.853,0,0,1-3.942,0l-.892-.891a2.787,2.787,0,0,1,0-3.941l5.8-5.8a2.789,2.789,0,0,1,3.942,0l.893.892A1,1,0,0,0,14.94,9.952l-.893-.892a4.791,4.791,0,0,0-6.771,0l-5.8,5.8a4.787,4.787,0,0,0,0,6.77l.892.891a4.785,4.785,0,0,0,6.771,0l2.736-2.735a1,1,0,1,0-1.414-1.415Z\"\/><path d=\"M22.526,2.363l-.892-.892a4.8,4.8,0,0,0-6.77,0l-2.905,2.9a1,1,0,0,0,1.414,1.414l2.9-2.9a2.79,2.79,0,0,1,3.941,0l.893.893a2.786,2.786,0,0,1,0,3.942l-5.8,5.8a2.769,2.769,0,0,1-1.971.817h0a2.766,2.766,0,0,1-1.969-.816,1,1,0,1,0-1.415,1.412,4.751,4.751,0,0,0,3.384,1.4h0a4.752,4.752,0,0,0,3.385-1.4l5.8-5.8a4.786,4.786,0,0,0,0-6.771Z\"\/><\/g><\/svg><\/a>Solidity Optimizer and ABIEncoderV2 Bug Announcement<\/h2>\n<p class=\"chakra-text css-gi02ar\">Through the Ethereum bug bounty program, we received a report about a flaw within the new experimental ABI encoder (referred to as ABIEncoderV2). Upon investigation, it was found that the component suffers from a few different variations of the same type. 
The first part of this announcement explains this bug in detail. The new ABI encoder is still marked as experimental, but we nevertheless think that this deserves a prominent announcement since it is already used on mainnet.<\/p>\n<p class=\"chakra-text css-gi02ar\">Additionally, two low-impact bugs in the optimizer have been identified over the past two weeks, one of which was fixed with Solidity v0.5.6. Both were introduced with version 0.5.5. See the second part of this announcement for details.<\/p>\n<p class=\"chakra-text css-gi02ar\">The <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/github.com\/ethereum\/solidity\/releases\/tag\/v0.5.7\">0.5.7 release<\/a> contains the fixes to all bugs explained in this blog post.<\/p>\n<p class=\"chakra-text css-gi02ar\">All the bugs mentioned here should be easily visible in tests that touch the relevant code paths, at least when run with all combinations of zero and nonzero values.<\/p>\n<p class=\"chakra-text css-gi02ar\">Credits to Melonport team (Travis Jacobs &amp; Jenna Zenk) and the Melon Council (Nick Munoz-McDonald, Martin Lundfall, Matt di Ferrante &amp; Adam Kolar), who reported this via the Ethereum bug bounty program!<\/p>\n<h2 class=\"chakra-heading group css-1kpzc4q\" id=\"who-should-be-concerned\" data-group=\"true\"><a class=\"chakra-link css-128fqrf\" aria-label=\"who should be concerned permalink\" href=\"#who-should-be-concerned\"><svg viewbox=\"0 0 24 24\" focusable=\"false\" class=\"chakra-icon css-173jpr1\"><g fill=\"currentColor\"><path d=\"M10.458,18.374,7.721,21.11a2.853,2.853,0,0,1-3.942,0l-.892-.891a2.787,2.787,0,0,1,0-3.941l5.8-5.8a2.789,2.789,0,0,1,3.942,0l.893.892A1,1,0,0,0,14.94,9.952l-.893-.892a4.791,4.791,0,0,0-6.771,0l-5.8,5.8a4.787,4.787,0,0,0,0,6.77l.892.891a4.785,4.785,0,0,0,6.771,0l2.736-2.735a1,1,0,1,0-1.414-1.415Z\"\/><path 
d=\"M22.526,2.363l-.892-.892a4.8,4.8,0,0,0-6.77,0l-2.905,2.9a1,1,0,0,0,1.414,1.414l2.9-2.9a2.79,2.79,0,0,1,3.941,0l.893.893a2.786,2.786,0,0,1,0,3.942l-5.8,5.8a2.769,2.769,0,0,1-1.971.817h0a2.766,2.766,0,0,1-1.969-.816,1,1,0,1,0-1.415,1.412,4.751,4.751,0,0,0,3.384,1.4h0a4.752,4.752,0,0,0,3.385-1.4l5.8-5.8a4.786,4.786,0,0,0,0-6.771Z\"\/><\/g><\/svg><\/a>Who should be concerned<\/h2>\n<p class=\"chakra-text css-gi02ar\">If you have deployed contracts which use the experimental ABI encoder V2, then those might be affected. This means that only contracts which use the following directive within the source code can be affected:<\/p>\n<div class=\"chakra-stack css-1jx0in4\">\n<pre><pre style=\"color:white;font-family:Consolas, Monaco, &quot;Andale Mono&quot;, &quot;Ubuntu Mono&quot;, monospace;text-align:left;white-space:pre;word-spacing:normal;word-break:normal;word-wrap:normal;line-height:1.5;font-size:1em;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-hyphens:none;-moz-hyphens:none;-ms-hyphens:none;hyphens:none;padding:1em;margin:0.5em 0;overflow:auto;background:#011627\"><code class=\"language-bash\" style=\"color:#d6deeb;font-family:Consolas, Monaco, &quot;Andale Mono&quot;, &quot;Ubuntu Mono&quot;, monospace;text-align:left;white-space:pre;word-spacing:normal;word-break:normal;word-wrap:normal;line-height:1.5;font-size:1em;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-hyphens:none;-moz-hyphens:none;-ms-hyphens:none;hyphens:none\"><span>pragma experimental ABIEncoderV2<\/span><span class=\"token\" style=\"color:rgb(199, 146, 234)\">;<\/span><span>\n<\/span><\/code><\/pre>\n<\/div>\n<p class=\"chakra-text css-gi02ar\">Additionally, there are a number of requirements for the bug to trigger. See technical details further below for more information.<\/p>\n<p class=\"chakra-text css-gi02ar\">As far as we can tell, there are about 2500 contracts live on mainnet that use the experimental ABIEncoderV2. 
It is not clear how many of them contain the bug.<\/p>\n<h2 class=\"chakra-heading group css-1kpzc4q\" id=\"how-to-check-if-contract-is-vulnerable\" data-group=\"true\"><a class=\"chakra-link css-128fqrf\" aria-label=\"how to check if contract is vulnerable permalink\" href=\"#how-to-check-if-contract-is-vulnerable\"><svg viewbox=\"0 0 24 24\" focusable=\"false\" class=\"chakra-icon css-173jpr1\"><g fill=\"currentColor\"><path d=\"M10.458,18.374,7.721,21.11a2.853,2.853,0,0,1-3.942,0l-.892-.891a2.787,2.787,0,0,1,0-3.941l5.8-5.8a2.789,2.789,0,0,1,3.942,0l.893.892A1,1,0,0,0,14.94,9.952l-.893-.892a4.791,4.791,0,0,0-6.771,0l-5.8,5.8a4.787,4.787,0,0,0,0,6.77l.892.891a4.785,4.785,0,0,0,6.771,0l2.736-2.735a1,1,0,1,0-1.414-1.415Z\"\/><path d=\"M22.526,2.363l-.892-.892a4.8,4.8,0,0,0-6.77,0l-2.905,2.9a1,1,0,0,0,1.414,1.414l2.9-2.9a2.79,2.79,0,0,1,3.941,0l.893.893a2.786,2.786,0,0,1,0,3.942l-5.8,5.8a2.769,2.769,0,0,1-1.971.817h0a2.766,2.766,0,0,1-1.969-.816,1,1,0,1,0-1.415,1.412,4.751,4.751,0,0,0,3.384,1.4h0a4.752,4.752,0,0,0,3.385-1.4l5.8-5.8a4.786,4.786,0,0,0,0-6.771Z\"\/><\/g><\/svg><\/a>How to check if contract is vulnerable<\/h2>\n<p class=\"chakra-text css-gi02ar\">The bug only manifests itself when all of the following conditions are met:<\/p>\n<ul role=\"list\" class=\"css-1ars4k6\">\n<li class=\"css-0\">Storage data involving arrays or structs is sent directly to an external function call, to <span class=\"chakra-text css-ons8vw\">abi.encode<\/span> or to event data without prior assignment to a local (memory) variable AND<\/li>\n<li class=\"css-0\">there is an array that contains elements with size less than 32 bytes or a struct that has elements that share a storage slot or members of type <span class=\"chakra-text css-ons8vw\">bytesNN<\/span> shorter than 32 bytes.<\/li>\n<\/ul>\n<p class=\"chakra-text css-gi02ar\">In addition to that, in the following situations, your code is NOT affected:<\/p>\n<ul role=\"list\" class=\"css-1ars4k6\">\n<li class=\"css-0\">if all 
your structs or arrays only use <span class=\"chakra-text css-ons8vw\">uint256<\/span> or <span class=\"chakra-text css-ons8vw\">int256<\/span> types<\/li>\n<li class=\"css-0\">if you only use integer types (that may be shorter) and only encode at most one array at a time<\/li>\n<li class=\"css-0\">if you only return such data and do not use it in <span class=\"chakra-text css-ons8vw\">abi.encode<\/span>, external calls or event data.<\/li>\n<\/ul>\n<p class=\"chakra-text css-gi02ar\">If you have a contract that meets these conditions, and want to verify whether the contract is indeed vulnerable, you can reach out to us via <a class=\"chakra-link css-vezwxf\" href=\"https:\/\/blog.ethereum.org\/en\/2019\/03\/26\/mailto:security@ethereum.org\">security@ethereum.org<\/a>.<\/p>\n<h2 class=\"chakra-heading group css-1kpzc4q\" id=\"how-to-prevent-these-types-of-flaws-in-the-future\" data-group=\"true\"><a class=\"chakra-link css-128fqrf\" aria-label=\"how to prevent these types of flaws in the future permalink\" href=\"#how-to-prevent-these-types-of-flaws-in-the-future\"><svg viewbox=\"0 0 24 24\" focusable=\"false\" class=\"chakra-icon css-173jpr1\"><g fill=\"currentColor\"><path d=\"M10.458,18.374,7.721,21.11a2.853,2.853,0,0,1-3.942,0l-.892-.891a2.787,2.787,0,0,1,0-3.941l5.8-5.8a2.789,2.789,0,0,1,3.942,0l.893.892A1,1,0,0,0,14.94,9.952l-.893-.892a4.791,4.791,0,0,0-6.771,0l-5.8,5.8a4.787,4.787,0,0,0,0,6.77l.892.891a4.785,4.785,0,0,0,6.771,0l2.736-2.735a1,1,0,1,0-1.414-1.415Z\"\/><path d=\"M22.526,2.363l-.892-.892a4.8,4.8,0,0,0-6.77,0l-2.905,2.9a1,1,0,0,0,1.414,1.414l2.9-2.9a2.79,2.79,0,0,1,3.941,0l.893.893a2.786,2.786,0,0,1,0,3.942l-5.8,5.8a2.769,2.769,0,0,1-1.971.817h0a2.766,2.766,0,0,1-1.969-.816,1,1,0,1,0-1.415,1.412,4.751,4.751,0,0,0,3.384,1.4h0a4.752,4.752,0,0,0,3.385-1.4l5.8-5.8a4.786,4.786,0,0,0,0-6.771Z\"\/><\/g><\/svg><\/a>How to prevent these types of flaws in the future<\/h2>\n<p class=\"chakra-text css-gi02ar\">In order to be conservative about changes, the 
experimental ABI encoder has been available only when explicitly enabled, to allow people to interact with it and test it without putting too much trust in it before it is considered stable.<\/p>\n<p class=\"chakra-text css-gi02ar\">We do our best to ensure high quality, and have recently started working on &#8216;semantic&#8217; fuzzing of certain parts on <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/github.com\/google\/oss-fuzz\">OSS-Fuzz<\/a> (we have previously crash-fuzzed the compiler, but that did not test compiler correctness).<\/p>\n<p class=\"chakra-text css-gi02ar\">For developers &#8212; bugs within the Solidity compiler are difficult to detect with tools like vulnerability detectors, since tools which operate on source code or AST-representations do not detect flaws that are introduced only into the compiled bytecode.<\/p>\n<p class=\"chakra-text css-gi02ar\">The best way to protect against these types of flaws is to have a rigorous set of end-to-end tests for your contracts (verifying all code paths), since bugs in a compiler very likely are not &#8220;silent&#8221; and instead manifest in invalid data.<\/p>\n<h2 class=\"chakra-heading group css-1kpzc4q\" id=\"possible-consequences\" data-group=\"true\"><a class=\"chakra-link css-128fqrf\" aria-label=\"possible consequences permalink\" href=\"#possible-consequences\"><svg viewbox=\"0 0 24 24\" focusable=\"false\" class=\"chakra-icon css-173jpr1\"><g fill=\"currentColor\"><path d=\"M10.458,18.374,7.721,21.11a2.853,2.853,0,0,1-3.942,0l-.892-.891a2.787,2.787,0,0,1,0-3.941l5.8-5.8a2.789,2.789,0,0,1,3.942,0l.893.892A1,1,0,0,0,14.94,9.952l-.893-.892a4.791,4.791,0,0,0-6.771,0l-5.8,5.8a4.787,4.787,0,0,0,0,6.77l.892.891a4.785,4.785,0,0,0,6.771,0l2.736-2.735a1,1,0,1,0-1.414-1.415Z\"\/><path 
d=\"M22.526,2.363l-.892-.892a4.8,4.8,0,0,0-6.77,0l-2.905,2.9a1,1,0,0,0,1.414,1.414l2.9-2.9a2.79,2.79,0,0,1,3.941,0l.893.893a2.786,2.786,0,0,1,0,3.942l-5.8,5.8a2.769,2.769,0,0,1-1.971.817h0a2.766,2.766,0,0,1-1.969-.816,1,1,0,1,0-1.415,1.412,4.751,4.751,0,0,0,3.384,1.4h0a4.752,4.752,0,0,0,3.385-1.4l5.8-5.8a4.786,4.786,0,0,0,0-6.771Z\"\/><\/g><\/svg><\/a>Possible consequences<\/h2>\n<p class=\"chakra-text css-gi02ar\">Naturally, any bug can have wildly varying consequences depending on the program control flow, but we expect that this is more likely to lead to malfunction than exploitability.<\/p>\n<p class=\"chakra-text css-gi02ar\">The bug, when triggered, will under certain circumstances send corrupt parameters on method invocations to other contracts.<\/p>\n<h2 class=\"chakra-heading group css-1kpzc4q\" id=\"timeline\" data-group=\"true\"><a class=\"chakra-link css-128fqrf\" aria-label=\"timeline permalink\" href=\"#timeline\"><svg viewbox=\"0 0 24 24\" focusable=\"false\" class=\"chakra-icon css-173jpr1\"><g fill=\"currentColor\"><path d=\"M10.458,18.374,7.721,21.11a2.853,2.853,0,0,1-3.942,0l-.892-.891a2.787,2.787,0,0,1,0-3.941l5.8-5.8a2.789,2.789,0,0,1,3.942,0l.893.892A1,1,0,0,0,14.94,9.952l-.893-.892a4.791,4.791,0,0,0-6.771,0l-5.8,5.8a4.787,4.787,0,0,0,0,6.77l.892.891a4.785,4.785,0,0,0,6.771,0l2.736-2.735a1,1,0,1,0-1.414-1.415Z\"\/><path d=\"M22.526,2.363l-.892-.892a4.8,4.8,0,0,0-6.77,0l-2.905,2.9a1,1,0,0,0,1.414,1.414l2.9-2.9a2.79,2.79,0,0,1,3.941,0l.893.893a2.786,2.786,0,0,1,0,3.942l-5.8,5.8a2.769,2.769,0,0,1-1.971.817h0a2.766,2.766,0,0,1-1.969-.816,1,1,0,1,0-1.415,1.412,4.751,4.751,0,0,0,3.384,1.4h0a4.752,4.752,0,0,0,3.385-1.4l5.8-5.8a4.786,4.786,0,0,0,0-6.771Z\"\/><\/g><\/svg><\/a>Timeline<\/h2>\n<p class=\"chakra-text css-gi02ar\">2019-03-16:<\/p>\n<ul role=\"list\" class=\"css-1ars4k6\">\n<li class=\"css-0\">Report via bug bounty, about corruption caused when reading from arrays of booleans directly from storage into ABI encoder.<\/li>\n<\/ul>\n<p 
class=\"chakra-text css-gi02ar\">2019-03-16 to 2019-03-21:<\/p>\n<ul role=\"list\" class=\"css-1ars4k6\">\n<li class=\"css-0\">Investigation of root cause, analysis of affected contracts. An unexpectedly high count of contracts compiled with the experimental encoder were found deployed on mainnet, many without verified source-code.<\/li>\n<li class=\"css-0\">Investigation of bug found more ways to trigger the bug, e.g. using structs. Furthermore, an array overflow bug was found in the same routine.<\/li>\n<li class=\"css-0\">A handful of contracts found on Github were checked, and none were found to be affected.<\/li>\n<li class=\"css-0\">A bugfix to the ABI encoder was made.<\/li>\n<\/ul>\n<p class=\"chakra-text css-gi02ar\">2019-03-20:<\/p>\n<ul role=\"list\" class=\"css-1ars4k6\">\n<li class=\"css-0\">Decision to make information public.<\/li>\n<li class=\"css-0\">Reasoning: It would not be feasible to detect all vulnerable contracts and reach out to all authors in a timely manner, and it would be good to prevent further proliferation of vulnerable contracts on mainnet.<\/li>\n<\/ul>\n<p class=\"chakra-text css-gi02ar\">2019-03-26:<\/p>\n<ul role=\"list\" class=\"css-1ars4k6\">\n<li class=\"css-0\">New compiler release, version 0.5.7.<\/li>\n<li class=\"css-0\">This post released.<\/li>\n<\/ul>\n<h2 class=\"chakra-heading group css-1kpzc4q\" id=\"technical-details\" data-group=\"true\"><a class=\"chakra-link css-128fqrf\" aria-label=\"technical details permalink\" href=\"#technical-details\"><svg viewbox=\"0 0 24 24\" focusable=\"false\" class=\"chakra-icon css-173jpr1\"><g fill=\"currentColor\"><path d=\"M10.458,18.374,7.721,21.11a2.853,2.853,0,0,1-3.942,0l-.892-.891a2.787,2.787,0,0,1,0-3.941l5.8-5.8a2.789,2.789,0,0,1,3.942,0l.893.892A1,1,0,0,0,14.94,9.952l-.893-.892a4.791,4.791,0,0,0-6.771,0l-5.8,5.8a4.787,4.787,0,0,0,0,6.77l.892.891a4.785,4.785,0,0,0,6.771,0l2.736-2.735a1,1,0,1,0-1.414-1.415Z\"\/><path 
d=\"M22.526,2.363l-.892-.892a4.8,4.8,0,0,0-6.77,0l-2.905,2.9a1,1,0,0,0,1.414,1.414l2.9-2.9a2.79,2.79,0,0,1,3.941,0l.893.893a2.786,2.786,0,0,1,0,3.942l-5.8,5.8a2.769,2.769,0,0,1-1.971.817h0a2.766,2.766,0,0,1-1.969-.816,1,1,0,1,0-1.415,1.412,4.751,4.751,0,0,0,3.384,1.4h0a4.752,4.752,0,0,0,3.385-1.4l5.8-5.8a4.786,4.786,0,0,0,0-6.771Z\"\/><\/g><\/svg><\/a>Technical details<\/h2>\n<h3 class=\"chakra-heading group css-xuzltg\" id=\"background\" data-group=\"true\"><a class=\"chakra-link css-128fqrf\" aria-label=\"background permalink\" href=\"#background\"><svg viewbox=\"0 0 24 24\" focusable=\"false\" class=\"chakra-icon css-173jpr1\"><g fill=\"currentColor\"><path d=\"M10.458,18.374,7.721,21.11a2.853,2.853,0,0,1-3.942,0l-.892-.891a2.787,2.787,0,0,1,0-3.941l5.8-5.8a2.789,2.789,0,0,1,3.942,0l.893.892A1,1,0,0,0,14.94,9.952l-.893-.892a4.791,4.791,0,0,0-6.771,0l-5.8,5.8a4.787,4.787,0,0,0,0,6.77l.892.891a4.785,4.785,0,0,0,6.771,0l2.736-2.735a1,1,0,1,0-1.414-1.415Z\"\/><path d=\"M22.526,2.363l-.892-.892a4.8,4.8,0,0,0-6.77,0l-2.905,2.9a1,1,0,0,0,1.414,1.414l2.9-2.9a2.79,2.79,0,0,1,3.941,0l.893.893a2.786,2.786,0,0,1,0,3.942l-5.8,5.8a2.769,2.769,0,0,1-1.971.817h0a2.766,2.766,0,0,1-1.969-.816,1,1,0,1,0-1.415,1.412,4.751,4.751,0,0,0,3.384,1.4h0a4.752,4.752,0,0,0,3.385-1.4l5.8-5.8a4.786,4.786,0,0,0,0-6.771Z\"\/><\/g><\/svg><\/a>Background<\/h3>\n<p class=\"chakra-text css-gi02ar\">The Contract ABI is a specification of how data can be exchanged with contracts from the outside (a Dapp) or when interacting between contracts. It supports a variety of types of data, including simple values like numbers, bytes and strings, as well as more complex data types, including arrays and structs.<\/p>\n<p class=\"chakra-text css-gi02ar\">When a contract receives input data, it must decode that data (this is done by the &#8220;ABI decoder&#8221;), and prior to returning data or sending data to another contract, it must encode it (this is done by the &#8220;ABI encoder&#8221;). 
The Solidity compiler generates these two pieces of code for each defined function in a contract (and also for <span class=\"chakra-text css-ons8vw\">abi.encode<\/span> and <span class=\"chakra-text css-ons8vw\">abi.decode<\/span>). In the Solidity compiler the subsystem generating the encoder and decoder is called the &#8220;ABI encoder&#8221;.<\/p>\n<p class=\"chakra-text css-gi02ar\">In mid-2017 the Solidity team started to work on a fresh implementation named &#8220;ABI encoder V2&#8221; with the goal of having a more flexible, safe, performant and auditable code generator. This experimental code generator, when explicitly enabled, has been offered to users since the end of 2017 with the 0.4.19 release.<\/p>\n<h3 class=\"chakra-heading group css-xuzltg\" id=\"the-flaw\" data-group=\"true\"><a class=\"chakra-link css-128fqrf\" aria-label=\"the flaw permalink\" href=\"#the-flaw\"><svg viewbox=\"0 0 24 24\" focusable=\"false\" class=\"chakra-icon css-173jpr1\"><g fill=\"currentColor\"><path d=\"M10.458,18.374,7.721,21.11a2.853,2.853,0,0,1-3.942,0l-.892-.891a2.787,2.787,0,0,1,0-3.941l5.8-5.8a2.789,2.789,0,0,1,3.942,0l.893.892A1,1,0,0,0,14.94,9.952l-.893-.892a4.791,4.791,0,0,0-6.771,0l-5.8,5.8a4.787,4.787,0,0,0,0,6.77l.892.891a4.785,4.785,0,0,0,6.771,0l2.736-2.735a1,1,0,1,0-1.414-1.415Z\"\/><path d=\"M22.526,2.363l-.892-.892a4.8,4.8,0,0,0-6.77,0l-2.905,2.9a1,1,0,0,0,1.414,1.414l2.9-2.9a2.79,2.79,0,0,1,3.941,0l.893.893a2.786,2.786,0,0,1,0,3.942l-5.8,5.8a2.769,2.769,0,0,1-1.971.817h0a2.766,2.766,0,0,1-1.969-.816,1,1,0,1,0-1.415,1.412,4.751,4.751,0,0,0,3.384,1.4h0a4.752,4.752,0,0,0,3.385-1.4l5.8-5.8a4.786,4.786,0,0,0,0-6.771Z\"\/><\/g><\/svg><\/a>The flaw<\/h3>\n<p class=\"chakra-text css-gi02ar\">The experimental ABI encoder does not handle non-integer values shorter than 32 bytes properly. 
This applies to <span class=\"chakra-text css-ons8vw\">bytesNN<\/span> types, <span class=\"chakra-text css-ons8vw\">bool<\/span>, <span class=\"chakra-text css-ons8vw\">enum<\/span> and other types when they are part of an array or a struct and encoded directly from storage. This means these storage references have to be used directly inside <span class=\"chakra-text css-ons8vw\">abi.encode(&#8230;)<\/span>, as arguments in external function calls or in event data without prior assignment to a local variable. Using <span class=\"chakra-text css-ons8vw\">return<\/span> does not trigger the bug. The types <span class=\"chakra-text css-ons8vw\">bytesNN<\/span> and <span class=\"chakra-text css-ons8vw\">bool<\/span> will result in corrupted data while <span class=\"chakra-text css-ons8vw\">enum<\/span> might lead to an invalid <span class=\"chakra-text css-ons8vw\">revert<\/span>.<\/p>\n<p class=\"chakra-text css-gi02ar\">Furthermore, arrays with elements shorter than 32 bytes may not be handled correctly even if the base type is an integer type. Encoding such arrays in the way described above can lead to other data in the encoding being overwritten if the number of elements encoded is not a multiple of the number of elements that fit a single slot. If nothing follows the array in the encoding (note that dynamically-sized arrays are always encoded after statically-sized arrays with statically-sized content), or if only a single array is encoded, no other data is overwritten.<\/p>\n<p class=\"chakra-text css-gi02ar\">Unrelated to the ABI encoder issue explained above, two bugs have been found in the optimiser. Both have been introduced with 0.5.5 (released on 5th of March). 
They are unlikely to occur in code generated by the compiler, unless inline assembly is used.<\/p>\n<p class=\"chakra-text css-gi02ar\">These two bugs have been identified through the recent addition of Solidity to <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/github.com\/google\/oss-fuzz\">OSS-Fuzz<\/a> &#8211; a security toolkit for finding discrepancies or issues in a variety of projects. For Solidity we have included multiple different fuzzers testing different aspects of the compiler.<\/p>\n<ol role=\"list\" class=\"css-vgl4zd\">\n<li class=\"css-0\">The optimizer turns opcode sequences like <span class=\"chakra-text css-ons8vw\">((x , where <span class=\"chakra-text css-ons8vw\">a<\/span> and <span class=\"chakra-text css-ons8vw\">b<\/span> are compile-time constants, into <span class=\"chakra-text css-ons8vw\">(x  while not handling overflow in the addition properly.<\/span><\/span><\/li>\n<li class=\"css-0\">The optimizer incorrectly handles the <span class=\"chakra-text css-ons8vw\">byte<\/span> opcode if the constant 31 is used as second argument. This can happen when performing index access on <span class=\"chakra-text css-ons8vw\">bytesNN<\/span> types with a compile-time constant value (not index) of 31 or when using the byte opcode in inline assembly.<\/li>\n<\/ol>\n<p class=\"chakra-text css-gi02ar\">This post was jointly composed by @axic, @chriseth, @holiman<\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/blog.ethereum.org\/en\/2019\/03\/26\/solidity-optimizer-and-abiencoderv2-bug\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Solidity Optimizer and ABIEncoderV2 Bug Announcement Through the Ethereum bug bounty program, we received a report about a flaw within the new experimental ABI encoder (referred to as ABIEncoderV2). Upon investigation, it was found that the component suffers from a few different variations of the same type. 
The first part of this announcement explains this [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":18486,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"tdm_status":"","tdm_grid_status":"","footnotes":""},"categories":[24],"tags":[],"kronos_expire_date":[],"class_list":["post-18488","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ethereum"],"_links":{"self":[{"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/posts\/18488","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/comments?post=18488"}],"version-history":[{"count":0,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/posts\/18488\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/media\/18486"}],"wp:attachment":[{"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/media?parent=18488"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/categories?post=18488"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/tags?post=18488"},{"taxonomy":"kronos_expire_date","embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/kronos_expire_date?post=18488"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}