Closed: zpnst closed this issue 6 months ago
"u" letter in udict_get_next?
stands for "unsigned", meaning that keys are interpreted as unsigned ACTION_INDEX_SIZE-sized integers; thus, there cannot be one with an index less than or equal to -1.
@ProgramCrafter is right. Dicts have uint keys
Subject: Vulnerability Report on Multisig 2.0 Smart Contract
Dear competition organizers,
So, order_body is a dictionary where the keys are indexes of some actions, and the values are the actions themselves.
The initiator of the order fills in this dictionary himself and sends the transaction to the multisig wallet with the opcode op == op::new_order.
On line 120 in the multisig.func file, this dictionary is loaded from an incoming transaction from the initiator of the order.
Once the threshold is reached, the order contract's try_execute() function sends a transaction to the wallet for execution.
The execute_order() function iterates through this dictionary and performs some action at each iteration of the loop.
Problem
The udict_get_next?() function in FunC takes the key as the second argument and finds the entry in the dictionary whose key follows the argument passed to it.
On line 27, the initial value for the dictionary iteration is set to -1.
If the index of an action is less than -1, then it simply will not be executed...
The same problem exists in the validate_dictionary_sequence() function:
The solution to the problem
I suggest defining the initial value of the action_index variable as follows:
Also in the validate_dictionary_sequence() function:
Why it should help
A user can interact with the TON blockchain and with the smart contracts on it using different languages and APIs. Do not assume that the user will make no mistakes when forming an order; it is better to dynamically select the minimum value for iterating through dictionaries rather than using the -1 constant.
Therefore, you should beware of such cases, as they may cause the actions included in the order to be lost or the number of signers to be calculated incorrectly.
Another solution to the problem
If it is required that the index of the action or signer be >= 0, then when forming an order using the opcode op::new_order, a check should be made:
Conclusion
Best regards, Taiga Labs!
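The following is an added example, not code from the issue, its author, or the multisig repository. It is a small Python model of the TVM "get next" dictionary primitives, written to illustrate the reply above: with the standard FunC idiom (start the pivot at -1 and call udict_get_next? until nothing is found) every key of an unsigned dictionary is visited, because no unsigned key can be less than or equal to -1, and an attempt to store a negative key in such a dictionary is rejected outright. For contrast it also models a signed dictionary (the idict_get_next? family), which is the only setting in which a key below -1 could exist and be skipped. The functions udict_set, idict_set, dict_get_next and iterate_from are the model's own names, KEY_LEN = 8 is an assumed stand-in for ACTION_INDEX_SIZE, and the action indices are constructed sample data.

```python
# Added example (not from the issue or the multisig repository): a Python model of
# TVM "get next" dictionary lookups, showing why the FunC idiom
#   int key = -1; do { (key, value, f) = dict.udict_get_next?(KEY_LEN, key); ... } until (~ f);
# visits every key of an unsigned dictionary, and where a skipped key could only
# arise (a signed dictionary). Names and sample data here are assumptions.
from typing import Dict, List, Optional, Tuple

KEY_LEN = 8  # assumed width standing in for ACTION_INDEX_SIZE


def udict_set(d: Dict[int, str], key_len: int, key: int, value: str) -> None:
    """Store under an unsigned key_len-bit key. Out-of-range keys are rejected,
    mirroring the range check an unsigned key gets when it is serialized."""
    if not 0 <= key < (1 << key_len):
        raise ValueError(f"key {key} does not fit in uint{key_len}")
    d[key] = value


def idict_set(d: Dict[int, str], key_len: int, key: int, value: str) -> None:
    """Store under a signed key_len-bit key (two's complement range)."""
    lo, hi = -(1 << (key_len - 1)), (1 << (key_len - 1)) - 1
    if not lo <= key <= hi:
        raise ValueError(f"key {key} does not fit in int{key_len}")
    d[key] = value


def dict_get_next(d: Dict[int, str], pivot: int) -> Tuple[Optional[int], Optional[str], bool]:
    """Smallest key strictly greater than pivot, or found=False if there is none.
    This is the contract shared by udict_get_next? and idict_get_next?; the
    signedness is decided by which *_set put the keys in."""
    larger = [k for k in d if k > pivot]
    if not larger:
        return None, None, False
    k = min(larger)
    return k, d[k], True


def iterate_from(d: Dict[int, str], start: int) -> List[int]:
    """The FunC do/until loop: follow get_next from `start` until nothing is found."""
    visited: List[int] = []
    key = start
    while True:
        key, _value, found = dict_get_next(d, key)
        if not found:
            break
        visited.append(key)
    return visited


def unsigned_demo() -> List[int]:
    """Unsigned action indices (constructed sample), iterated from pivot -1."""
    actions: Dict[int, str] = {}
    for idx in (0, 3, 7, (1 << KEY_LEN) - 1):
        udict_set(actions, KEY_LEN, idx, f"action{idx}")
    try:
        udict_set(actions, KEY_LEN, -2, "unreachable")  # cannot exist in a udict
    except ValueError:
        pass
    return iterate_from(actions, -1)


def signed_demo() -> Tuple[List[int], List[int]]:
    """Signed keys (constructed sample): pivot -1 skips the key -2, a pivot
    below the type's minimum does not."""
    actions: Dict[int, str] = {}
    for idx in (-2, 0, 3):
        idict_set(actions, KEY_LEN, idx, f"action{idx}")
    below_min = -(1 << (KEY_LEN - 1)) - 1
    return iterate_from(actions, -1), iterate_from(actions, below_min)


if __name__ == "__main__":
    print("uint keys, start at -1:", unsigned_demo())
    print("int keys, start at -1 vs below minimum:", signed_demo())
```

In the unsigned case every stored index is reached from the -1 pivot and the negative index never enters the dictionary at all, which is the reason the issue was closed; only the signed model loses a key when iteration starts at -1.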