
[HIGH] BytesMemory.unwrap misaligns the free-memory pointer, enabling overlapping allocations and tampering with previously returned bytes #258

@cygent-dev

Description


Security Finding

| Field      | Value                |
|------------|----------------------|
| Severity   | HIGH                 |
| Category   | logic_error          |
| Repository | 1inch/solidity-utils |
| Confidence | 72%                  |

Description

This logic_error stems from BytesMemory’s unwrap allocator violating Solidity’s 32-byte alignment convention, leaving previously returned bytes buffers vulnerable to overlap whenever slice lengths are not multiples of 32. The flaw is triggered when the function uses the global free-memory pointer, copies attacker-influenced slices, and immediately exposes the resulting bytes to downstream security-sensitive workflows such as calldata construction, signature parsing, or delegatecall preparation.

[Truncated - see PR for full details]

Location

  • BytesMemory.sol:L54-L69 in unwrap (BytesMemory)
  • BytesMemory.sol:L58-L66 in unwrap (BytesMemory)

Impact

Memory corruption lets adversaries forge calldata or corrupt verification data after it has been validated, enabling bypass of signature checks, rerouting of token/ETH transfers, arbitrary logic execution, and complete compromise of downstream contracts that rely on BytesMemory.unwrap in security-sensitive flows.

Recommendation

Advance the free-memory pointer by a 32-byte-padded payload length before storing it in slot 0x40, ensuring that every allocation is word-aligned and preventing overlapping writes. Adopt the following change (any equivalent computation of (length + 31) & ~31 is acceptable) and add targeted unit and fuzz tests that unwrap lengths from 0 to 64 bytes followed by subsequent allocations to confirm no overlap occurs.

[Truncated - see PR for full details]
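The padding rule and the overlap check that the recommendation asks for, modelled in Python as an added example (this is not the library's code). It assumes unwrap copies with a word-granular loop and that the bug is advancing the pointer by the raw slice length rather than (length + 31) & ~31; `Memory`, `overlapping_lengths` and `clobbered_length` are names chosen here:

```python
# Model of the EVM free-memory-pointer convention, used to check the fix
# proposed above: advance mload(0x40) by the 32-byte padded payload length.
WORD = 32

def round_up(length: int) -> int:
    """(length + 31) & ~31: the padded size Solidity reserves for a bytes payload."""
    return (length + WORD - 1) & ~(WORD - 1)

class Memory:
    """Tiny EVM memory model: a byte array plus the free-memory pointer (slot 0x40)."""

    def __init__(self) -> None:
        self.buf = bytearray(4096)
        self.fmp = 0x80  # Solidity's initial free-memory pointer

    def unwrap(self, src: bytes, n: int, padded: bool) -> int:
        """Allocate `bytes memory` for the n-byte slice at the start of src.
        Like a word-granular assembly copy loop it moves round_up(n) bytes, so source
        bytes following the slice land in the padding. padded=False models the bug."""
        ptr, data, span = self.fmp, self.fmp + WORD, round_up(n)
        self.buf[ptr:data] = n.to_bytes(WORD, "big")
        self.buf[data:data + span] = src[:span].ljust(span, b"\x00")
        self.fmp = data + (span if padded else n)  # the fix: advance by span
        return ptr

    def length_at(self, ptr: int) -> int:
        return int.from_bytes(self.buf[ptr:ptr + WORD], "big")

def overlapping_lengths(padded: bool) -> list[int]:
    """Recommended check: lengths 0..64 whose next allocation starts inside unwrap's
    word-aligned footprint [ptr, ptr + 32 + round_up(n)). Empty means no overlap."""
    bad = []
    for n in range(65):
        m = Memory()
        a = m.unwrap(b"\xaa" * 96, n, padded)
        b = m.unwrap(b"\xbb" * 64, 64, padded)  # any subsequent allocation
        if b < a + WORD + round_up(n):
            bad.append(n)
    return bad

def clobbered_length(n: int, padded: bool) -> tuple[int, int]:
    """Unwrap slice a, allocate b, then redo one whole-word copy into a (what any
    word-granular routine writing a does). Returns b's length before and after."""
    src = b"\xaa" * n + b"\xff" * 64  # constructed: slice followed by unrelated bytes
    m = Memory()
    a = m.unwrap(src, n, padded)
    b = m.unwrap(b"\xbb" * 64, 64, padded)
    before = m.length_at(b)
    m.buf[a + WORD:a + WORD + round_up(n)] = src[:round_up(n)]  # copy loop's stores
    return before, m.length_at(b)
```

With the padded update the check returns no lengths and b's length word is untouched; with the raw-length update every length that is not a multiple of 32 overlaps, and one further word-sized store into a rewrites b's length.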


Created by CARA Security Audit via Cygent

Labels: cygent:high (High severity security finding), cygent:open (Security finding - Open)