Shallow copy bug in geth

Type github
Reporter GitHub Advisory Database
Modified 2021-06-29T21:13:01



This is a Consensus vulnerability, which can be used to cause a chain-split where vulnerable nodes reject the canonical chain.

Geth’s pre-compiled dataCopy (at 0x00...04) contract did a shallow copy on invocation. An attacker could deploy a contract that

  • writes X to an EVM memory region R,
  • calls 0x00..04 with R as an argument,
  • overwrites R to Y,
  • and finally invokes the RETURNDATACOPY opcode.

When this contract is invoked, a consensus-compliant node would push X on the EVM stack, whereas Geth would push Y.

For more information

If you have any questions or comments about this advisory: * Open an issue in go-ethereum * Email us at