Back to the list

Ethereum Foundation announces bugs found in ABIEncoderV2 and Solidity Optimizer


ambcrypto.com 27 March 2019 13:30, UTC
Reading time: ~2 m

Ethereum Foundation, the key player behind the development of Ethereum, released a blog post titled ‘Solidity Optimizer and ABIEncoderV1 Bug,’ which spoke about a bug discovered in the ABI encoder and two bugs found in the optimizer, on March 26.

In the blog, the Foundation stated that they had received a report on the “flaw” in the “new experimental ABI encoder,” also known as ABIEncoderV2 via the bug bounty program. It went on to say,

“Upon investigation, it was found that the component suffers from a few different variations of the same type. The first part of this announcement explains this bug in detail. The new ABI encoder is still marked as experimental, but we nevertheless think that this deserves a prominent announcement since it is already used on mainnet.”

The team further revealed that there were two bugs discovered in Solidity Optimizer over the past two weeks. However, these bugs had “low-impact”. It also stated that these bugs were introduced in Solidity version 0.5.5, which was released on March 5. Out of the two, one of the bugs was fixed in Solidity version 0.5.6.

Further, the blog stated that Solidity’s latest version 0.5.7, released yesterday, “contained the fixes to all the bugs.” It also stated that these bugs ought to be “easily visible in tests that touch the relevant code paths, at least when run with all combinations of zero and nonzero values.”

The blog post further went on to clarify:

Source: Ethereum Foundation Blog

It further stated,

“Additionally, there are a number of requirements for the bug to trigger. See technical details further below for more information. As far as we can tell, there are about 2500 contracts live on mainnet that use the experimental ABIEncoderV2. It is not clear how many of them contain the bug.”

In terms of the bug’s likely outcomes, the Foundation stated that the probability of these bugs leading to a malfunction was more than one, resulting in an exploitability. The Foundation said, “the bug, when triggered, will under certain circumstances send corrupt parameters on method invocations to other contracts.”

Back to the list