Between the unexpected and the unknown. ¡Here Comes 2021!

in LeoFinance22 days ago (edited)

"When you don't read, no wonder you'll be hit by the unknown"


When passing parameters to a smart contract, the parameters are encoded according to the ABI specification. It is possible to send encoded parameters that are shorter than the expected parameter length. For example, sending an address that is only 38 hex chars (19 bytes) instead of the standard 40 hex chars (20 bytes). In such a scenario, the EVM will pad 0’s to the end of the encoded parameters to make up the expected length.

This becomes an issue when third party applications do not validate inputs. The clearest example is an exchange which doesn’t verify the address of an ERC20 token when an user requests a withdrawal.

Consider, the standard ERC20 transfer function interface and noting the order of the parameters:

function transfer(address to, uint tokens) public returns (bool success);

Now consider an exchange, holding a large amount of a token. Let’s say UNI and an user wishes to withdraw their share of 100 tokens. The user would submit their address, 0xdeaddeaddeaddeaddeaddeaddeaddeaddeaddead and the number of tokens, 100. The exchange would encode these parameters in the order specified by the transfer() function, i.e. address then tokens. The encoded result would be a9059cbb000000000000000000000000deaddeaddeaddeaddeaddeaddeaddeaddeaddead0000000000000000000000000000000000000000000000056bc75e2d63100000.

The first four bytes (a9059cbb) are the transfer() function signature/selector, the second 32 bytes are the address, followed by the final 32 bytes which represent the uint256 number of tokens. Notice that the hex 56bc75e2d63100000 at the end corresponds to 100 tokens with 18 decimal places, as specified by the UNI token contract.

Alright, so now lets look at what happens if we were to send an address that was missing 1 byte (2 hex digits). Specifically, let’s say an attacker sends now this string 0xdeaddeaddeaddeaddeaddeaddeaddeaddeadde as an address (which is deliberately missing the last two digits) and the same 100 tokens to withdraw. If the exchange actually doesn't validate this input, it eventually would get encoded as a9059cbb000000000000000000000000deaddeaddeaddeaddeaddeaddeaddeaddeadde0000000000000000000000000000000000000000000000056bc75e2d6310000000.

The difference is subtle. However, note that 00 has been padded to the end of the encoding, to make up for the short address that was sent. When this actually gets sent to the intended smart contract, the addressparameters will read as 0xdeaddeaddeaddeaddeaddeaddeaddeaddeadde00 and the value will be read as 56bc75e2d6310000000 (notice the two extra 0's). This value is now, 25600 tokens (the value has been multiplied by 256).

In this example, if the exchange held this many tokens, the user would withdraw 25600 tokens (whilst the exchange thinks the user is only withdrawing 100) to the modified address. Obviously, the attacker won't posses the modified address in this example. But if the attacker were to generate any address which ended in 0's (which can be easily forged by brute force) and used this generated address, they could easily steal tokens from the unsuspecting exchange just like that.

«-'Abstract Aural Bit'-»

Leave a comment. Share your experiences and feedback. ¡Be part of the conversation!


"Follows, Comments, Rehives & Upvotes will be highly appreciated"

Cranky Gandalf



Hmmm, not sure if you are serious in this post, or mocking the shit out of us?

Funnily enough: I do like the music you've added! D*rn energetic. Some elements are a bit tacky, but who cares. Not so many people in our comm, unity post music from the techno genre of the music section :)

Hmmm, not sure if you are serious in this post, or mocking the shit out of us?

Oh! it is actually both my friend. I think every post I've written and shared here in the blockchain is a beefy mix of very serious content addressed mainly to awake the frontal lobes. And then, this content is invariably stuffed and spiced with a lot of mockery and sarcasm to be processed and assimilated easier through the neurons of the sense of humor. Simply, because it is these sort of specialized neurons the only in charge to cope with all the colorful and hidden clicking eyecandy with which I use to sprinkle said content just to make more storage space available in the audience memory to remember & recall the serious info in all my rants and lectures. :)

Funnily enough: I do like the music you've added! D*rn energetic. Some elements are a bit tacky, but who cares. Not so many people in our comm, unity post music from the techno genre of the music section :)

Yep that's true. I think that besides you, me, @uwelang, @nickyhavey, @andyjaypowell and maybe a handful more of Technoheads over here, we are the very few who post music from the techno genre in the music section of this blockchain.

Oh! and if only I had a better internet connection, maybe I would try to upload again a good amount of my early original pieces of minimal techno and hypnotic trance like those that I had already uploaded to Dsound and that unfortunately already disappeared of their platform due some issues with the IPFS protocol at that time.

So, meanwhile and for your exclusive delight, let's share just one of my early "ambient" tunes that was already beginning to show the style of my enthralling hypnotic trance & minimal techno ones that I did a few years later. Hahahaha

«-For Your Mind Eyes-»

For Your Mind Eyes



still continuing LOL...

Yea, techno front, is not a lot. Some guys with some pretty cool (techno) works is @drumoperator and .... d*rn can't find the name anymore. @wizardzmusic also has some nice stuff. @iamevilradio is somewhat infrequent with us, but he posts much more then a handful of great techno tracks.

Owww, thats a trancy one indeed... maybe less 'chill' as in chillout then your album cover suggests :) More jump hahaha

It me! Though I have of late been on the opposite trajectory, diving headfirst into ambient world from my modular techno gateway. I’ve been obsessive with some modern techno artists of late (is Stenny mainstream?) and will probably start blasting out more techno jams once I wrap my current ambient set.

Cool ! :)

Stenny did that really awesome EP for Illian Tape a while ago that I loved. Good stuff.

Yeah, I've been very inconsistent lately with trying to figure out what I want to do on here. But I'm a definite techno fan.

But I'm a definite techno fan.

Thats obvious and that is also the reason I like you to stick with HIVE since I'm also very much a techno fan! We need more of them for sure. Those fans that know their way around the techno genre. Those who go for quality instead of whatever has a beat {LOL}