Omniscia Gnosis Guild Audit
Packer Manual Review Findings
PRE-01M: Discrepant Support of `AbiEncoded` Inline Evaluation
Type | Severity | Location |
---|---|---|
Logical Fault | | Packer.sol:L76 |
Description:
The `Packer::_isInline` function handles the `AbiEncoded` parameter type inconsistently. In detail, a `Calldata` parameter type differs from an `AbiEncoded` parameter type solely in that it is prefixed with a 4-byte function signature.
In the latest `Packer::_isInline` implementation, an `AbiEncoded` parameter type is considered inline if all its children are inline; however, the `Calldata` parameter type is always considered to not be inline.
This is discrepant as both types can be considered inline using the same approach (i.e. a `Calldata` parameter type is inline if all its arguments are statically-sized).
Impact:
It is presently possible for the `Packer` contract to treat an `AbiEncoded` type as inline incorrectly if all its elements are inline.
Example:
```solidity
function _isInline(
    ConditionFlat[] memory conditions,
    uint256 index
) private pure returns (bool) {
    ParameterType paramType = conditions[index].paramType;
    if (paramType == ParameterType.Static) {
        return true;
    } else if (
        paramType == ParameterType.Dynamic ||
        paramType == ParameterType.Array ||
        paramType == ParameterType.Calldata // Packer.sol:L76: never inline
    ) {
        return false;
    } else {
        // Remaining types (AbiEncoded included) are inline only if every direct child is inline
        uint256 length = conditions.length;

        for (uint256 j = index + 1; j < length; ++j) {
            uint8 parent = conditions[j].parent;
            if (parent < index) {
                continue;
            }

            if (parent > index) {
                break;
            }

            if (!_isInline(conditions, j)) {
                return false;
            }
        }
        return true;
    }
}
```
Recommendation:
We advise the code to treat `Calldata` and `AbiEncoded` parameter types identically and to strictly define how they should be evaluated as inline.
Alleviation (e6d315f9170dcf4c622d504bd2fb6eafbdac9b75):
The `Packer::_isInline` function was updated to properly treat the `AbiEncoded` type identically to the `Calldata` type, addressing this exhibit in full.
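The discrepancy can be reproduced off-chain with a small Python model of the `_isInline` walk, given here as an added example that is not part of the audit report or the project's code. The `ConditionFlat` tuples are constructed sample inputs, and the `UNIFORM` rule set (both wrapper types always out of line) is an assumed way of treating them identically, not the patch from the alleviation commit.

```python
from enum import Enum, auto
from typing import NamedTuple

class ParameterType(Enum):      # only the names used in the finding; values are arbitrary
    STATIC = auto()
    DYNAMIC = auto()
    ARRAY = auto()
    CALLDATA = auto()
    ABI_ENCODED = auto()

class ConditionFlat(NamedTuple):
    parent: int                 # index of the parent node in the flat list
    param_type: ParameterType

P = ParameterType
AUDITED = frozenset({P.DYNAMIC, P.ARRAY, P.CALLDATA})   # branch at Packer.sol:L74-L76
UNIFORM = AUDITED | {P.ABI_ENCODED}                      # assumed rule, not the project's patch

def is_inline(conditions, index, never_inline):
    """Mirror of the _isInline walk; `never_inline` selects the rule set."""
    param_type = conditions[index].param_type
    if param_type is P.STATIC:
        return True
    if param_type in never_inline:
        return False
    # Children follow their parent in the list, ordered by parent index,
    # which is what lets the original loop `break` once parent > index.
    for j in range(index + 1, len(conditions)):
        parent = conditions[j].parent
        if parent < index:
            continue
        if parent > index:
            break
        if not is_inline(conditions, j, never_inline):
            return False
    return True

def wrapper(root_type, child_types):
    """Constructed sample: one wrapper node at index 0 with direct children."""
    return [ConditionFlat(0, root_type)] + [ConditionFlat(0, t) for t in child_types]

def compare(never_inline, child_types=(P.STATIC, P.STATIC)):
    """Return (Calldata verdict, AbiEncoded verdict) for identical children."""
    return tuple(
        is_inline(wrapper(root, child_types), 0, never_inline)
        for root in (P.CALLDATA, P.ABI_ENCODED)
    )

if __name__ == "__main__":
    print("audited:", compare(AUDITED))   # verdicts differ
    print("uniform:", compare(UNIFORM))   # verdicts agree
```

Running the same comparison over every condition tree in a test fixture is a quick regression check that the two wrapper types never receive different inline verdicts for the same children.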