Strict encoding order for ABI #730
Description
This is in reference to the ABI specification in the Solidity documentation: https://solidity.readthedocs.io/en/develop/abi-spec.html - AFAR this is the most comprehensive spec we have.
Dynamic types (such as string, bytes and arrays) are quite liberal in terms of encoding.
In short: types are encoded as 256bit slots, except dynamic types which only contain a byte offset where their encoded versions follow.
There are no restrictions about offsets or the order of these offsets, therefore it is possible to encode for example string("a"),string("b") as:
0...20 0...40 0...1 0...41 0...1 0...42or0...40 0...20 0...1 0...42 0...1 0...41
While this worked so far it does seem to be a risk (together with the fact that Solidity contracts accept truncated ABI inputs where the truncated parts are padded with zeroes), it definitely raises concerns when using ABI encoded input in precompiles such as in #152 and #603.
Proposal is to:
- Introduce a specification for strict encoding (https://github.com/ethereum/solidity/pull/3047/files)
- Enforce the strict encoding in precompiles which use the ABI encoding
- Enforce the strict encoding for contracts
Part 3) is only a recommendation for the community as its up to the language designers to enforce this. Solidity definitely can be changed to ensure it sends only strict ABI in CALLs and could be also changed to reject non-strict inputs.