Use of wrong versions of solady safeTransferLib leads to not clearing the dirty bits.
Summary
The old version doesn’t clear possible dirty upper 96 bits of the addresses. This has been fixed in the latest versions.
Vulnerability Detail
The solady SafeTransferLib did not clear the other 12 bytes / 96 bits that are stored with the address which makes it possible that there is dirty data stored in the same slot.
0xnirlin
medium
Use of wrong versions of solady safeTransferLib leads to not clearing the dirty bits.
Summary
The old version doesn’t clear possible dirty upper 96 bits of the addresses. This has been fixed in the latest versions.
Vulnerability Detail
The solady SafeTransferLib did not clear the other 12 bytes / 96 bits that are stored with the address which makes it possible that there is dirty data stored in the same slot.
This issue have been fixed in the latest commit here: https://github.com/Vectorized/solady/commit/1eb05d7eb496bbb010dc0806b9ce047f97cc4a31
Impact
extcodesize,call,staticcalland other EVM opcodes that take in an address are agnostic to dirty upper 96 bits.Code Snippet
https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-utils/src/TokenUtils.sol#L4
Tool used
Manual Review
Recommendation
Use the latest version of solady