Fix callee onchain balance
Hello, this pull request fixes a problem with the initial balance when making a call.
`self.next_slot` will contain the actual balance of the receiver address only if there was a prior execution of the `BALANCE` opcode. In the `call()` handler the balance of a never-seen receiver address is not initialized (`self.next_slot` is 0). In this patch, if the address's balance was never queried, we obtain the balance using the Onchain middleware. This fixed a reentrancy test case for me. Not sure if this way of calling the middleware is elegant enough, though.
Found: 17
| Project Name | Vulnerability Found | Time Taken | Log |
|---|---|---|---|
| BIGFI_exp.txt | ✅ Price Manipulation | 0h-1m-22s | Log File |
| Shadowfi_exp.txt | ❌ | -1 | Log File |
| SEAMAN_exp.txt | ✅ Fund Loss | 0h-2m-28s | Log File |
| BEGO_exp.txt | ✅ Fund Loss | 0h-0m-27s | Log File |
| cftoken_exp.txt | ✅ Fund Loss | 0h-0m-50s | Log File |
| Carrot_exp.txt | ✅ Arbitrary Call | 0h-0m-26s | Log File |
| MBC_ZZSH_exp.txt | ❌‼️ Crashed | -1 | Log File |
| AUR_exp.txt | ❌ | -1 | Log File |
| SellToken_exp.txt | ✅ Fund Loss | 0h-0m-27s | Log File |
| ROI_exp.txt | ✅ Fund Loss | 0h-0m-26s | Log File |
| GPT_exp.txt | ❌ | -1 | Log File |
| OLIFE_exp.txt | ❌ | -1 | Log File |
| THB_exp.txt | ❌ | -1 | Log File |
| VerilogCTF.txt | ❌‼️ Crashed | -1 | Log File |
| CS_exp.txt | ✅ Price Manipulation | 0h-1m-43s | Log File |
| MintoFinance_exp.txt | ✅ Fund Loss | 0h-1m-14s | Log File |
| Novo_exp.txt | ❌ | -1 | Log File |
| SELLC03_exp.txt | ❌‼️ Crashed | -1 | Log File |
| Yyds_exp.txt | ✅ Fund Loss | 0h-1m-29s | Log File |
| DYNA_exp.txt | ❌ | -1 | Log File |
| EAC_exp.txt | ✅ Fund Loss | 0h-2m-17s | Log File |
| Annex_exp.txt | ❌ | -1 | Log File |
| PLTD_exp.txt | ✅ Price Manipulation | 0h-2m-14s | Log File |
| ApeDAO_exp.txt | ✅ Price Manipulation | 0h-0m-32s | Log File |
| GSS_exp.txt | ✅ Fund Loss | 0h-2m-7s | Log File |
| Axioma_exp.txt | ✅ Fund Loss | 0h-1m-2s | Log File |
| RFB_exp.txt | ✅ Fund Loss | 0h-2m-39s | Log File |
| HEALTH_exp.txt | ✅ Price Manipulation | 0h-0m-15s | Log File |
Found out that this is not a good solution, since the middleware is cloned, meaning the balance cache is not preserved. Will think about how to use the same instance of the middleware.
Did more debugging: the balance for the call target is actually fetched in `src/evm/onchain/mod.rs` when handling the `CALL` opcode. The issue is that the onchain balance is fetched for the caller instead of the callee. There is even a hint:

```rust
// Get balance of the callee
```

Now the issue should be fixed.
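The following Rust is an added illustration, not code from this PR or from the project, of the two pitfalls raised in the description and the follow-up comments: a lazily populated balance cache that is consulted for the wrong party (caller instead of callee) on `CALL`, and a middleware that is cloned per execution so its cache never fills. `Rpc`, `BalanceCache`, `rpc_hits_cloned_vs_shared` and the sample addresses and balances are all constructed for the example.

```rust
// Added example, not the project's code: a minimal model of a lazily
// populated onchain balance cache in front of an RPC backend. `Rpc`,
// `BalanceCache` and the sample addresses are all constructed here.
use std::cell::RefCell;
use std::collections::HashMap;
use std::rc::Rc;

/// Stand-in for an `eth_getBalance` backend. Addresses are shortened to
/// u64 and balances to u128 (wei). `calls` counts backend hits so the
/// caching behaviour is observable.
pub struct Rpc {
    chain: HashMap<u64, u128>,
    pub calls: usize,
}

impl Rpc {
    pub fn new(chain: &[(u64, u128)]) -> Self {
        Rpc { chain: chain.iter().cloned().collect(), calls: 0 }
    }

    pub fn get_balance(&mut self, addr: u64) -> u128 {
        self.calls += 1;
        *self.chain.get(&addr).unwrap_or(&0)
    }
}

/// The "middleware": a per-address balance cache in front of the RPC.
/// Deriving `Clone` copies the cache, which is exactly the trap described
/// in the thread: a clone never feeds its misses back to the original.
#[derive(Clone)]
pub struct BalanceCache {
    rpc: Rc<RefCell<Rpc>>,
    cache: HashMap<u64, u128>,
}

impl BalanceCache {
    pub fn new(rpc: Rc<RefCell<Rpc>>) -> Self {
        BalanceCache { rpc, cache: HashMap::new() }
    }

    /// What the BALANCE opcode does: fetch on a miss, then remember.
    pub fn balance(&mut self, addr: u64) -> u128 {
        if let Some(b) = self.cache.get(&addr) {
            return *b;
        }
        let b = self.rpc.borrow_mut().get_balance(addr);
        self.cache.insert(addr, b);
        b
    }

    /// CALL handling as described in the thread before the fix: a lookup
    /// is performed, but for the caller, so the executor never sees the
    /// callee's real balance.
    pub fn callee_balance_buggy(&mut self, caller: u64, _callee: u64) -> u128 {
        self.balance(caller)
    }

    /// CALL handling after the fix: the callee's balance, fetched if the
    /// address was never queried before.
    pub fn callee_balance(&mut self, _caller: u64, callee: u64) -> u128 {
        self.balance(callee)
    }
}

/// Why cloning the middleware defeats the cache. Runs three lookups of the
/// same address, once through a fresh clone per execution and once through
/// one shared instance, and returns the backend hit counts (cloned, shared).
pub fn rpc_hits_cloned_vs_shared(addr: u64) -> (usize, usize) {
    let rpc = Rc::new(RefCell::new(Rpc::new(&[(addr, 5)])));
    let base = BalanceCache::new(rpc.clone());
    for _ in 0..3 {
        let mut per_exec = base.clone(); // copy of an empty cache every time
        per_exec.balance(addr);
    }
    let cloned_hits = rpc.borrow().calls;

    let rpc = Rc::new(RefCell::new(Rpc::new(&[(addr, 5)])));
    let shared = Rc::new(RefCell::new(BalanceCache::new(rpc.clone())));
    for _ in 0..3 {
        let handle = shared.clone(); // Rc clone: the same cache instance
        handle.borrow_mut().balance(addr);
    }
    let shared_hits = rpc.borrow().calls;

    (cloned_hits, shared_hits)
}

fn main() {
    // Constructed chain state: the caller holds 100 wei, the callee 7.
    let rpc = Rc::new(RefCell::new(Rpc::new(&[(0xA11CE, 100), (0xB0B, 7)])));
    let mut mw = BalanceCache::new(rpc);
    println!("buggy callee balance: {}", mw.callee_balance_buggy(0xA11CE, 0xB0B));
    println!("fixed callee balance: {}", mw.callee_balance(0xA11CE, 0xB0B));
    println!("backend hits (cloned, shared): {:?}", rpc_hits_cloned_vs_shared(0xB0B));
}
```

With the caller-keyed lookup, a reentrancy or fund-loss check that compares the callee's balance before and after a call is computing on the wrong account, which is why the test case in the description only started passing once the callee was looked up. The hit counts from `rpc_hits_cloned_vs_shared` show the second problem: three executions against cloned middleware cost three backend fetches, while a shared `Rc<RefCell<_>>` instance costs one.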
Found: 11
| Project Name | Vulnerability Found | Time Taken | Log |
|---|---|---|---|
| BIGFI_exp.txt | ❌‼️ Crashed | -1 | Log File |
| Shadowfi_exp.txt | ❌ | -1 | Log File |
| SEAMAN_exp.txt | ✅ Fund Loss | 0h-2m-2s | Log File |
| BEGO_exp.txt | ✅ Fund Loss | 0h-1m-12s | Log File |
| cftoken_exp.txt | ✅ Price Manipulation | 0h-1m-4s | Log File |
| Carrot_exp.txt | ✅ Arbitrary Call | 0h-0m-57s | Log File |
| MBC_ZZSH_exp.txt | ❌ | -1 | Log File |
| AUR_exp.txt | ❌‼️ Crashed | -1 | Log File |
| SellToken_exp.txt | ❌‼️ Crashed | -1 | Log File |
| ROI_exp.txt | ✅ Fund Loss | 0h-0m-52s | Log File |
| GPT_exp.txt | ❌‼️ Crashed | -1 | Log File |
| OLIFE_exp.txt | ❌ | -1 | Log File |
| THB_exp.txt | ❌ | -1 | Log File |
| VerilogCTF.txt | ❌‼️ Crashed | -1 | Log File |
| CS_exp.txt | ✅ Price Manipulation | 0h-2m-5s | Log File |
| MintoFinance_exp.txt | ❌‼️ Crashed | -1 | Log File |
| Novo_exp.txt | ✅ Price Manipulation | 0h-4m-18s | Log File |
| SELLC03_exp.txt | ❌‼️ Crashed | -1 | Log File |
| Yyds_exp.txt | ✅ Fund Loss | 0h-4m-55s | Log File |
| DYNA_exp.txt | ❌ | -1 | Log File |
| EAC_exp.txt | ✅ Fund Loss | 0h-4m-8s | Log File |
| Annex_exp.txt | ❌ | -1 | Log File |
| PLTD_exp.txt | ❌‼️ Crashed | -1 | Log File |
| ApeDAO_exp.txt | ❌‼️ Crashed | -1 | Log File |
| GSS_exp.txt | ✅ Fund Loss | 0h-4m-53s | Log File |
| Axioma_exp.txt | ✅ Fund Loss | 0h-2m-41s | Log File |
| RFB_exp.txt | ❌‼️ Crashed | -1 | Log File |
| HEALTH_exp.txt | ❌‼️ Crashed | -1 | Log File |
Found: 3
| Project Name | Vulnerability Found | Time Taken | Log |
|---|---|---|---|
| BIGFI_exp.txt | ❌‼️ Crashed | -1 | Log File |
| Shadowfi_exp.txt | ❌ | -1 | Log File |
| SEAMAN_exp.txt | ❌‼️ Crashed | -1 | Log File |
| BEGO_exp.txt | ✅ Fund Loss | 0h-1m-6s | Log File |
| cftoken_exp.txt | ❌‼️ Crashed | -1 | Log File |
| Carrot_exp.txt | ❌‼️ Crashed | -1 | Log File |
| MBC_ZZSH_exp.txt | ❌‼️ Crashed | -1 | Log File |
| AUR_exp.txt | ❌ | -1 | Log File |
| SellToken_exp.txt | ❌‼️ Crashed | -1 | Log File |
| ROI_exp.txt | ✅ Fund Loss | 0h-1m-14s | Log File |
| GPT_exp.txt | ❌‼️ Crashed | -1 | Log File |
| OLIFE_exp.txt | ❌ | -1 | Log File |
| THB_exp.txt | ❌‼️ Crashed | -1 | Log File |
| VerilogCTF.txt | ❌‼️ Crashed | -1 | Log File |
| CS_exp.txt | ❌‼️ Crashed | -1 | Log File |
| MintoFinance_exp.txt | ❌‼️ Crashed | -1 | Log File |
| Novo_exp.txt | ❌‼️ Crashed | -1 | Log File |
| SELLC03_exp.txt | ❌‼️ Crashed | -1 | Log File |
| Yyds_exp.txt | ❌‼️ Crashed | -1 | Log File |
| DYNA_exp.txt | ❌ | -1 | Log File |
| EAC_exp.txt | ❌‼️ Crashed | -1 | Log File |
| Annex_exp.txt | ❌‼️ Crashed | -1 | Log File |
| PLTD_exp.txt | ❌‼️ Crashed | -1 | Log File |
| ApeDAO_exp.txt | ❌‼️ Crashed | -1 | Log File |
| GSS_exp.txt | ❌‼️ Crashed | -1 | Log File |
| Axioma_exp.txt | ❌‼️ Crashed | -1 | Log File |
| RFB_exp.txt | ❌‼️ Crashed | -1 | Log File |
| HEALTH_exp.txt | ✅ Price Manipulation | 0h-0m-29s | Log File |