The low-level functions call, delegatecall and staticcall return true as their first return value if the account called is non-existent, as part of the design of the EVM. Account existence must be checked prior to calling if needed.
Proof of Concept
    function ecMul(Point memory point, uint256 scalar) internal view returns (Point memory) {
        bytes memory data = abi.encode(point, scalar);
        if (scalar == 0 || (point.x == 0 && point.y == 0)) return Point(1, 1);
        (bool res, bytes memory ret) = address(0x07).staticcall{gas: 6000}(data);
        if (!res) return Point(1, 1);
        return abi.decode(ret, (Point));
    }
Tools Used
Recommended Mitigation Steps
Before any low-level call, check that the address actually exists. For example, before the low-level call in the ecMul function, you can check that the address is a contract by checking its code size.
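A sketch of the check described above, added here as an illustration and not taken from the audited repository; the library, function and error names are hypothetical. It assumes Solidity 0.8.x. Because address 0x07 is a precompile and precompiles report a code size of zero, the ecMul variant validates the returned data length instead of the code size: a call to an account with no code succeeds with empty return data.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added example: hypothetical helpers, not part of ECCMath.sol.
library CheckedStaticcall {
    error TargetHasNoCode(address target);
    error CallFailed(address target);
    error UnexpectedReturnLength(address target, uint256 got, uint256 want);

    /// Ordinary contract target: refuse to call an account that has no code,
    /// since the EVM would report success for it.
    function toContract(address target, bytes memory data)
        internal view returns (bytes memory ret)
    {
        if (target.code.length == 0) revert TargetHasNoCode(target);
        bool ok;
        (ok, ret) = target.staticcall(data);
        if (!ok) revert CallFailed(target);
    }

    /// Precompile target: code size is always zero, so existence is inferred
    /// from the reply. An empty account returns success with zero bytes.
    function toPrecompile(address target, bytes memory data, uint256 want, uint256 gasLimit)
        internal view returns (bytes memory ret)
    {
        bool ok;
        (ok, ret) = target.staticcall{gas: gasLimit}(data);
        if (!ok) revert CallFailed(target);
        if (ret.length != want) revert UnexpectedReturnLength(target, ret.length, want);
    }

    /// Scalar multiplication through 0x07 with the length check applied.
    /// abi.encode(x, y, scalar) has the same layout as encoding a struct of
    /// two uint256 followed by the scalar. Unlike the function in the report,
    /// this variant reverts on failure rather than returning (1, 1).
    function ecMulChecked(uint256 x, uint256 y, uint256 scalar)
        internal view returns (uint256 rx, uint256 ry)
    {
        bytes memory ret = toPrecompile(address(0x07), abi.encode(x, y, scalar), 64, 6000);
        (rx, ry) = abi.decode(ret, (uint256, uint256));
    }
}
```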
Lines of code
https://github.com/code-423n4/2022-11-size/blob/main/src/util/ECCMath.sol#L25-L31