Smart Contract / Arbitrary Jump with Function Type Variable
Description
Arbitrary Jump with Function Type Variable is a vulnerability of the Smart Contract category that affects Solidity-based smart contracts and is catalogued in the Smart Contract Weakness Classification (SWC) registry. This page maps it to Common Weakness Enumeration CWE-427, "Uncontrolled Search Path Element". The OWASP Testing Guide describes the vulnerability as a "failure to properly validate the contents of function type variable, which can lead to an unintended jump to a malicious function or an unintended data access". In practice, a function-type variable in Solidity holds a code offset (a jump destination); if that value can be set from unvalidated input, the contract can be made to jump to code the developer never intended to reach. This can be exploited to execute malicious code, leak confidential data, and/or disrupt the normal operation of the smart contract.
Risk
This type of vulnerability can cause significant damage to the smart contract system, because an arbitrary jump lets execution land in code paths that bypass access checks, which in turn allows malicious logic to run and confidential data to be read. The impact depends on which data the reachable code paths access and how much authority the vulnerable code carries (for example, whether it can move funds or change ownership). The risk must therefore be evaluated for the specific contract in order to choose the most appropriate mitigation.
Solution
The vulnerability is mitigated by validating the function-type variable before it is used. Concretely: never derive a function pointer from a raw caller-supplied value; instead let the caller select from a predefined list of valid functions (an enum or a bounded index) and reject any input that falls outside that list. The function-type variable itself should only ever be assigned one of those allowlisted functions, and storage writes that could alias its slot (inline assembly, array-index arithmetic) should be avoided or bounds-checked.
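The following contract is an added example, not code from the original page, showing the allowlist approach described above. The contract name, the handler functions and the numeric handler codes are hypothetical; the point is that the stored function pointer can only ever hold one of two compiler-known targets, and a caller can only choose by index, never by raw offset.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contract (added example): the jump target is selected from a
// fixed allowlist by a small code, so no caller-supplied offset ever reaches
// the function-type variable.
contract ValidatedDispatch {
    // Internal function-type state variable; only assigned from the allowlist below.
    function(uint256) internal pure returns (uint256) handler;
    bool private handlerSet;

    // The only two functions that may ever be reached through run().
    function increment(uint256 x) internal pure returns (uint256) { return x + 1; }
    function double(uint256 x) internal pure returns (uint256) { return x * 2; }

    // Input is validated against the predefined list before it touches the pointer.
    // Any other code is rejected, so the pointer can never hold an arbitrary value.
    function setHandler(uint8 code) external {
        if (code == 0) {
            handler = increment;
        } else if (code == 1) {
            handler = double;
        } else {
            revert("unsupported handler code");
        }
        handlerSet = true;
    }

    function run(uint256 x) external view returns (uint256) {
        // Refuse to call an unset pointer explicitly. (Solidity 0.8 would
        // otherwise revert with Panic(0x51) on a zero-initialised internal
        // function pointer, but an explicit check documents the intent.)
        require(handlerSet, "handler not set");
        return handler(x);
    }
}
```

Two properties make this safe: the function-type variable is assigned only from identifiers the compiler resolves at build time, and no inline assembly or unchecked array write can alias its storage slot. Solidity 0.5 and later also refuse `jump`/`jumpi` in inline assembly, which removes the most direct way of writing the page's vulnerable pattern.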
Example
The following code is an example of the vulnerability as defined by CVE-2020-14690.
    pragma solidity ^0.4.25;

    contract Example {
        // Internal function-type variable: its storage value is a raw jump destination
        function() internal target;

        // The caller's raw input is written straight into the pointer's storage
        // slot (slot 0) with no validation, then the pointer is called
        function jumpTo(uint256 variable) public {
            assembly { sstore(0, variable) }
            target(); // jumps to whatever code offset was supplied
        }
    }

In this example, the jumpTo function writes its raw input variable directly into the storage slot of the internal function-type variable target and then calls target, which jumps to the code offset the input specified. Because the value is never validated, an attacker can use this vulnerability to jump to a malicious function or to an unintended location that exposes data.