36 / The Solidity Bug 0.8.16

The Solidity bug is back and our team is on it! Join them in reviewing the latest contract updates and minifying the bug case. Find out what they discover in the world of decentralized apps.

Timeline

00:00 Intro

00:49 Follow up -- review Arbitrum/Bridgeworld Harvesters

06:09 Solidity blog write up

07:03 One trick with Etherscan/Remix

09:12 Minimize this test case

13:28 The basic testing process (to minimize)

15:24 Does it have to be public?

19:10 No zero-length arrays?

22:13 Minify around the helper function

23:40 Minify out the function input

25:25 Published minified test case

26:00 Find this bug in Seaport?

36:12 $3M alpha live on this show?

38:18 Also check the old Wyvern protocol

44:00 Ethics, is livestreaming zerodays good?

Participants

Episode notes

Edit these notes…

The Solidity bug
Contract review: Arbitrum/Bridgeworld Harvesters
Minified the bug case significantly from the Ethereum Foundation’s announcement
Searched for functions in OpenSea’s Seaport repo that are subject to the bug
- ABI code
  - Find all abi.encode…
  - Find all external calls
- Dynamic
  - Find strings
  - Find bytes
  - Find []
- Static
  - [d+]
Also search contracts for Zora, Binance NFT Marketplace, Foundation
Got very close, but didn’t find any!

New Solidity bug [Head Overflow Bug in Calldata Tuple ABI-Reencoding

Solidity Blog (soliditylang.org)](https://blog.soliditylang.org/2022/08/08/calldata-tuple-reencoding-head-overflow-bug/)