Shallow copy bug in geth

Impact

This is a Consensus vulnerability, which can be used to cause a chain-split where vulnerable nodes reject the canonical chain.

Geth’s pre-compiled dataCopy (at 0x00...04) contract did a shallow copy on invocation. An attacker could deploy a contract that

• writes X to an EVM memory region R,
• calls 0x00..04 with R as an argument,
• overwrites R to Y,
• and finally invokes the RETURNDATACOPY opcode.

When this contract is invoked, a consensus-compliant node would push X on the EVM stack, whereas Geth would push Y.

Specific Go Packages Affected

github.com/ethereum/go-ethereum/core/vm

For more information

If you have any questions or comments about this advisory:

• Open an issue in go-ethereum
• Email us at [email protected]