This was caused by a compiler bug in Solidity < 0.4.14, where the output memory area for the ecrecover call wasn't cleared, which means in the case of an invalid signature the memory may contain user-controllable input.
If the contract address is passed in as the last 20 bytes of the 32-byte stuff2hash input, then the if condition will be true and the contract will send all funds to the caller.
Description
It doesn't detect
ecrecoverfailing upon invalid inputHow to Reproduce
See the following piece of code:
https://gist.github.com/HarryR/cce52596ffebdff2744c5d790888015a
This was caused by a compiler bug in Solidity < 0.4.14, where the output memory area for the
ecrecovercall wasn't cleared, which means in the case of an invalid signature the memory may contain user-controllable input.If the contract address is passed in as the last 20 bytes of the 32-byte
stuff2hashinput, then the if condition will be true and the contract will send all funds to the caller.This was recently highlighted as a problem with the 0x contracts, see: https://samczsun.com/the-0x-vulnerability-explained/
Expected behavior
this bug should be detected