According to ChainCatcher, the team at security company Dedaub discovered a vulnerability in the compiler for Solidity, the Ethereum programming language, that caused deployed contract bytecode to include dead code, greatly increasing the gas cost of deploying and operating smart contracts. Dedaub said that the team discovered this error while evaluating the open source binary lifter Gigahorse. The vulnerability occurs when a library method is called only by the contract's constructor.
Through Gigahorse analysis, Dedaub found that at least 35% of the contracts had some dead code, of which 33% accounted for most of the bytecode they ran. These results are dominated by NFT proxies, but other proxy contracts have the same problem. For large contracts, this problem can be ignored, but most deployed contracts are small contracts. The Dedaub team discovered this error in November last year and alerted the Solidity team to confirm the problem.
